Christoph Werle

Network virtualization architecture: proposal and initial prototype

The tussle between reliability and functionality of the Internet is firmly biased on the side of reliability. New enabling technologies fail to achieve traction across the majority of ISPs. We believe that the greatest challenge is not in finding solutions and improvements to the Internets many problems, but in how to actually deploy those solutions and re-balance the tussle between reliability and functionality. Network virtualization provides a promising approach to enable the coexistence of innovation and reliability. We describe a network virtualization architecture as a technology for enabling Internet innovation. This architecture is motivated from both business and technical perspectives and comprises four main players. In order to gain insight about its viability, we also evaluate some of its components based on experimental results from a prototype implementation.

A Node Architecture for 1000 Future Networks

One possible key technology for the future Internet is network virtualization. It allows to run numerous virtual networks in parallel, each of which can be adapted towards different requirements, intended use, or applications used. When consequently using network virtualization, it allows not only to have very specialized networks but also allows to run new protocols and services in different networks. This can give opportunities for rapid service deployment, especially for services based on new protocols. Currently a lot of research is concerned with network virtualization or related aspects like management or signaling of network virtualization. This paper however is different, since it looks on network virtualization from another angle. We describe our Node Architecture for the Future Internet, which uses network virtualization as a fundamental concept. It has the goal to give users access to a vast number of virtual networks and exploit the possibilities of network virtualization.

Network Virtualization from a Signaling Perspective

The use of network virtualization promises additional flexibility and opens up many opportunities for deploying future network architectures. But the increased flexibility creates additional costs with respect to management and control as well as new issues that need to be addressed. In this paper, we describe a framework that allows for dynamic setup of virtual networks and we point out required mechanisms, interfaces, and protocols. Additionally, we take into account runtime aspects by examining control interfaces and signaling protocols necessary for the management of virtual networks and the attachment of end users.

Selecting Concurrent Network Architectures at Runtime

The current Internet architecture nicely structures functionality into layers of protocols. While this reduces complexity, many tweaks have emerged because of the architectures limited flexibility. Cross Layer Functionality corrodes the layer boundaries, intermediate layers had to be introduced for protocols like MPLS and IPsec, and middleboxes - like in case of NAT - further complicate the interaction of protocols. To overcome these problems, many publications have proposed modular solutions or protocol composition, allowing software engineering ideas to improve protocol design. Other publications state that instead of choosing a single common network architecture for the Future Internet, it might be advantageous to run multiple different architectures in parallel. We combine both approaches and make it possible to rapidly create and run different network architectures in parallel. While this allows for simplified Future Internet development, it requires the network architecture to be dynamically chosen. This paper not only presents a node architecture enabling the parallel operation of different network architectures but also introduces algorithms for their selection at runtime.

Building virtual networks across multiple domains

This paper presents a platform for virtual network (VN) provisioning across multiple domains. The platform decomposes VN provisioning into multiple steps to address the implications of limited information disclosure on resource discovery and allocation. A new VN embedding algorithm with simultaneous node and link mapping allows to assign resources within each domain. For inter-domain virtual link setup, we design and realize a signaling protocol that also integrates resource reservations for providing virtual links with Quality-of-Service guarantees. Experimental results show that small VNs can be provisioned within a few seconds.

Decision process for automated selection of security protocols

Todaypsilas Internet has a growing number of protocols and mechanisms to protect data in transmission. One can choose from IP Security (IPsec), Transport Layer Security (TLS), and many other protocols. However, available security protocols and mechanisms are not widely used due to usability issues [1], [2] and because users often underestimate the risk their data is exposed to. An approach to solve this problem consists of automated selection and configuration of available security protocols in a user-transparent way. In this paper, we present a method for automatically choosing the right security protocol based on Security, Quality of Service, and Energy Consumption aspects. We describe the necessary aspects, value functions, and a hierarchical, flexible, and efficient decision process.

Can internet users protect themselves? Challenges and techniques of automated protection of HTTP communication

HTTPS enables secure access to web content and web-based services. Although supported by many content and service providers, HTTPS is oftentimes not enabled by default, as pointed out in an open letter sent to Google by security experts. In this article, we discuss if and how web users can protect themselves by using HTTPS instead of HTTP. We show that many websites allow for accessing content by HTTPS instead of HTTP. However, HTTPS access must be manually configured or requested by the user, or is impossible at all, e.g., for embedded objects. For this reason, we explore how to protect users transparently by automatically using HTTPS whenever possible. In order to enable this approach, one needs to determine whether using HTTPS yields the same content as using HTTP, even in the presence of dynamic websites incorporating advertisements and news. We show that this decision is possible for entire websites like amazon.com in short time by combining a fast content comparison algorithm, result caching, and observations on the structure of the website. Besides the concrete HTTP use case considered in this article, our results are of independent interest for any setting in which content can be accessed by various means. Finally, we present and discuss different approaches for implementing automated protection of HTTP connections.

Authenticated Setup of Virtual Links with Quality-of-Service Guarantees

While virtual networks have been subjected to detailed analysis, prototypes are usually constructed and instantiated manually or by means of control protocols that mostly neglect security considerations. In this work, we present our proposal for a Virtual Link Setup Protocol (VLSP) that is designed as a modular extension to a standardized and extensible state-of-the-art signaling protocol suite. We use these signaling protocols to combine an authenticated and on-demand setup of virtual links with the establishment of Quality-of-Service guarantees in the underlying substrate. The solution presented in this paper is not limited to a specific set of virtualization techniques or tunneling mechanisms. We describe the design and implementation of VLSP and evaluate its signaling performance, as well as the overhead that is associated with the instantiation of the virtual links.

Control Plane Issues in the 4WARD Network Virtualization Architecture

Network virtualization technologies offer a lot of opportunities and advantages but create also new issues that need to be solved. In this paper, we discuss control mechanisms, interfaces, and protocols required in order to allow for dynamic setup of virtual networks. Finally, we describe some runtime aspects by examining control interfaces and signaling protocols necessary for the management of virtual networks.

Towards large-scale network virtualization

Most existing virtual network (VN) provisioning approaches assume a single administrative domain and therefore, VN deployments are limited to the geographic footprint of the substrate provider. To enable wide-area VN provisioning, network virtualization architectures need to address the intricacies of inter-domain aspects, i.e., how to provision VNs with limited control and knowledge of any aspect of the physical infrastructure. To this end, we present a framework for large-scale VN provisioning. We decompose VN provisioning into multiple steps to overcome the implications of limited information on resource discovery and allocation. We present a new resource selection algorithm with simultaneous node and link mapping to assign resources within each domain. We use a signaling protocol that integrates resource reservations for virtual link setup with Quality-of-Service guarantees. Our experimental results show that small VNs can be provisioned within a few seconds.