Daniel S. Marcon

DoS-resilient virtual networks through multipath embedding and opportunistic recovery

Network virtualization can potentially limit the impact of attacks by isolating traffic from different networks. However, routers and links are still vulnerable to attacks on the underlying network. Specifically, should a physical link be compromised, all embedded virtual links will be affected. Previous work protects virtual networks by setting aside backup resources. Although effective, this solution tends to be expensive as backup resources usually remain idle. In this paper, we present a novel virtual network allocation approach which explores the trade-off between resilience to attacks and efficiency in resource utilization. Our approach is composed of two complementary strategies, one preventive and the other reactive. The former embeds virtual links into multiple substrate paths, while the latter attempts to reallocate any capacity affected by an underlying DoS attack. Both strategies are modeled as optimization problems. Numerical results show the level of resilience to attacks and the low cost demanded by our approach.

No more backups: Toward efficient embedding of survivable virtual networks

Although network virtualization can improve security by isolating traffic from different networks, routers and links are still vulnerable to attacks on the underlying network. High capacity physical links, in particular, constitute good targets since they may be important for a large number of virtual networks. Previous work protects virtual networks by setting aside backup resources. Although effective, this solution increases the cost to infrastructure providers. In this paper, we present a virtual network embedding approach which enables resilience to attacks and efficiency in resource utilization. Our approach is two-folded: while a preventive strategy embeds virtual links into multiple substrate paths, a reactive strategy attempts to reallocate any capacity affected by an underlying DoS attack. Since the embedding problem is NP-Hard, we devise a Simulated Annealing meta-heuristic to solve it efficiently. Results show our solution can provide resilience to attacks at a lower cost.

Workflow specification and scheduling with security constraints in hybrid clouds

Hybrid cloud management must deal with resources from both public and private clouds, as well as their interaction. When workflows are executed in a hybrid cloud, dependencies among their components bring new factors to be considered during specification, scheduling, and virtual machine provisioning. In this paper, we describe three components, namely workflow code, scheduler, and resource allocator, which enable the specification and execution of workflows in hybrid clouds in the context of the AltoStratus middleware. We present a case study that shows the interaction among these components, and their applicability in practice.

Opportunistic resilience embedding (ORE)

Network Virtualization promotes the development of new architectures and protocols by enabling the creation of multiple virtual networks on top of the same physical substrate. One of its main advantages is the use of isolation to limit the scope of attacks - that is, avoiding traffic from one virtual network to interfere with the others. However, virtual networks are still vulnerable to disruptions on the underlying network. Particularly, high capacity physical links constitute good targets since they may be important for a large number of virtual networks.Previous work protects virtual networks by setting aside backup resources. Although effective, this kind of solution tends to be expensive, as backup resources increase the cost to infrastructure providers and usually remain idle. This paper presents ORE (opportunistic resilience embedding), a novel embedding approach for protecting virtual links against substrate network disruptions. OREs design is two-fold: while a proactive strategy embeds each virtual link into multiple substrate paths in order to mitigate the initial impact of a disruption, a reactive one attempts to recover any capacity affected by an underlying disruption. Both strategies are modeled as optimization problems. Additionally, since the embedding problem is NP -Hard, ORE uses a simulated annealing-based meta-heuristic to solve it efficiently. Numerical results show that ORE can provide resilience to disruptions at a lower cost.

PredCloud: Providing predictable network performance in large-scale OpenFlow-enabled cloud platforms through trust-based allocation of resources

Cloud computing allows tenants to run a wide range of applications without any upfront capital investment. However, providers lack mechanisms to provide fair and predictable bandwidth sharing among allocated applications, enabling selfish and malicious tenants to cause performance interference in the network (and denial of service in an extreme case). Such interference results in poor and unpredictable network performance for well-behaved applications. Recent research has proposed techniques that (i) cannot protect tenants against interference; (ii) result in under utilization of resources; or (iii) add substantial management overhead. In this paper, we describe a resource allocation strategy that aims at providing predictable network performance (i.e., minimizing performance interference) with bandwidth guarantees for tenant applications, while maintaining high network utilization and low management overhead. These benefits are achieved by grouping applications from mutually trusting users into logically isolated domains (virtual infrastructures - VIs) with bandwidth guarantees, while also considering the amount of traffic generated by applications. Despite the benefits, grouping may lead to fragmentation (i.e., available resources are dispersed among VIs and some requests may be unnecessarily declined). Therefore, we also study the associated trade-off (grouping to increase isolation versus resource fragmentation). To illustrate the feasibility of grouping applications inside VIs, we develop PredCloud, a system that implements the proposed strategy on SDN/OpenFlow-enabled networks. Through an extensive evaluation, we show that PredCloud significantly reduces performance interference and application exposure to attacks, while maintaining low resource fragmentation. Furthermore, provider revenue can be increased by efficiently managing and charging network resources.

Predictor: Providing fine-grained management and predictability in multi-tenant datacenter networks

Software-Defined Networking (SDN) can simplify traffic management in large-scale datacenter networks (DCNs). On one hand, it provides a robust method to address the challenge of performance interference (bandwidth sharing unfairness) in DCNs. On the other, its pragmatic implementation based on OpenFlow introduces scalability challenges, as it (a) adds latency for new flows (the controller must process hundreds of thousands of requests per second and install appropriate rules in switches); and (b) requires large flow tables in devices (DCNs can have more than 16 million distinct flows per second with different requirements and duration). To employ OpenFlow-based SDN in DCNs, recent work has proposed techniques that require hardware customization to keep up with the high dynamic traffic patterns of these networks. We make two key observations: providers do not need to control each flow individually (e.g., VM-to-VM), since they charge tenants based on the amount of resources consumed by applications; and congestion control in the intra-cloud network is expected to be proportional to the tenants payment. Based on these insights, we introduce Predictor, a novel system for DCNs that enables fine-grained network management for providers, minimizes flow table size by controlling flows at application-layer and reduces flow setup time by proactively installing rules in switches. It also enables tenants to request and receive predictable network performance for both intra- and inter-application communication, with work-conserving bandwidth sharing. Evaluation results show that Predictor provides significant improvements against DevoFlow (reducing flow table size up to 87%) and offers predictable and guaranteed network performance for tenants.

Achieving minimum bandwidth guarantees and work-conservation in large-scale, SDN-based datacenter networks

Abstract Performance interference has been a well-known problem in datacenters and one that remains a constant topic of discussion in the literature. Software-Defined Networking (SDN) may enable the development of a robust solution for interference, as it allows dynamic control over resources through programmable interfaces and flow-based management. However, to date, the scalability of existing SDN-based approaches is limited, because of the number of entries required in flow tables and delays introduced. In this paper, we propose Predictor, a scheme to scalably address performance interference in SDN-based datacenter networks (DCNs), providing minimum bandwidth guarantees for applications and work-conservation for providers. Two novel SDN-based algorithms are proposed to address performance interference. Scalability is improved in Predictor as follows: first, it minimizes flow table size by controlling flows at application-level ; second, it reduces flow setup time by proactively installing rules in switches. We conducted an extensive evaluation, in which we verify that Predictor provides ( i ) guaranteed and predictable network performance for applications and their tenants; ( ii ) work-conserving sharing for providers; and ( iii ) significant improvements over DevoFlow (the state-of-the-art SDN-based proposal for DCNs), reducing flow table size (up to 94%) and having similar controller load and flow setup time.

IoNCloud: Exploring application affinity to improve utilization and predictability in datacenters

The intra-cloud network is typically shared in a best-effort manner, which causes tenant applications to have no actual bandwidth guarantees. Recent proposals address this issue either by statically reserving a slice of the physical infrastructure for each application or by providing proportional sharing among flows. The former approach results in overprovisioned network resources, while the latter requires substantial management overhead. In this paper, we introduce a resource allocation strategy that aims at providing an efficient way to predictably share bandwidth among applications and at minimizing resource underutilization while maintaining low management overhead. To demonstrate the benefits of the strategy, we develop IoNCloud, a system that implements the proposed allocation scheme. IoNCloud employs the abstraction of attraction/repulsion among applications according to their temporal bandwidth demands in order to group them in virtual networks. In doing so, we explore the trade-off between high resource utilization (which is desired by providers to achieve economies of scale) and strict network guarantees (necessary for tenants to run jobs predictably). Evaluation results show that IoNCloud can (a) provide predictable network sharing; and (b) reduce allocated bandwidth, resource underutilization and management overhead when compared against state-of-the-art proposals.