
Publication


Featured research published by Diogo M. F. Mattos.


International Conference on Network of Future | 2011

OMNI: OpenFlow MaNagement Infrastructure

Diogo M. F. Mattos; Natalia Castro Fernandes; Victor T. da Costa; Leonardo P. Cardoso; Miguel Elias M. Campista; Luís Henrique Maciel Kosmalski Costa; Otto Carlos Muniz Bandeira Duarte

Managing computer networks is challenging because of the numerous monitoring variables and the difficulty to autonomously configure network parameters. This paper presents the OpenFlow MaNagement Infrastructure (OMNI), which helps the administrator to control and manage OpenFlow networks by providing remote management based on a web interface. OMNI provides flow monitoring and dynamic flow configuration through a service-oriented architecture. OMNI also offers an Application Programming Interface (API) for collecting data and configuring the OpenFlow network. We propose a multi-agent system based on OMNI API that reduces packet loss rates. We evaluate both the OMNI management applications and the multi-agent system performance using a testbed. Our results show that the multi-agent system detects and reacts to a packet-loss condition in less than three monitoring intervals.


Computer Networks | 2014

FITS: A flexible virtual network testbed architecture

Igor Monteiro Moraes; Diogo M. F. Mattos; Lyno Henrique G. Ferraz; Miguel Elias M. Campista; Marcelo G. Rubinstein; Luís Henrique Maciel Kosmalski Costa; Marcelo Dias de Amorim; Pedro B. Velloso; Otto Carlos Muniz Bandeira Duarte; Guy Pujolle

In this paper, we present the design and implementation of FITS (Future Internet Testbed with Security), an open, shared, and general-purpose testbed for the Future Internet. FITS defines an innovative architecture that allows users running experiments with new mechanisms and protocols using both Xen and OpenFlow on the same network infrastructure. FITS integrates several recognized state-of-the-art features such as plane separation, zero-loss network migration, and smartcard-driven security access, to cite a few. The current physical testbed is composed of nodes placed at several Brazilian and European institutions interconnected by encrypted tunnels. Besides presenting the FITS architecture and its features, we also discuss deployment challenges and how we have overcome them.


Annales Des Télécommunications | 2016

AuthFlow: authentication and access control mechanism for software defined networking

Diogo M. F. Mattos; Otto Carlos Muniz Bandeira Duarte

Software-defined networking (SDN) is being widely adopted by enterprise networks, whereas providing security features in these next generation networks is a challenge. In this article, we present the main security threats in software-defined networking and we propose AuthFlow, an authentication and access control mechanism based on host credentials. The main contributions of our proposal are threefold: (i) a host authentication mechanism just above the MAC layer in an OpenFlow network, which guarantees a low overhead and ensures a fine-grained access control; (ii) a credential-based authentication to perform an access control according to the privilege level of each host, through mapping the host credentials to the set of flows that belongs to the host; (iii) a new framework for control applications, enabling software-defined network controllers to use the host identity as a new flow field to define forwarding rules. A prototype of the proposed mechanism was implemented on top of POX controller. The results show that AuthFlow denies the access of hosts either without valid credentials or with revoked authorization. Finally, we show that our scheme allows, for each host, different levels of access to network resources according to its credential.


International Conference on Communications | 2013

Experimenting Content-Centric Networks in the future internet testbed environment

Pedro Henrique V. Guimaraes; Lyno Henrique G. Ferraz; Joao Vitor Torres; Diogo M. F. Mattos; Andres F. Murillo P; Martin E. Andreoni L; Igor Drummond Alvarenga; Claudia S. C. Rodrigues; Otto Carlos Muniz Bandeira Duarte

Future Internet Testbed with Security (FITS) is a testbed for experimenting Next-Generation Internet proposals that provides two virtualization schemes based on Xen and on OpenFlow. Experimenting new protocol proposals for the Future Internet requires a realistic condition environment for packet forwarding. FITS nodes are spread in Brazilian and European universities. In this paper, we present FITS and we use it to test a Content Centric Network (CCN), which is one of the main proposals for the Future Internet. The experiment creates a virtual network on the testbed with CCNx stack and measures the file transfer performance under real Internet traffic conditions. The results show that CCN presents an overhead of 19% when compared with the conventional TCP/IP stack. Nevertheless, CCN outperforms TCP as the number of consumers increases and CCN download time is approximately 25% smaller than TCP on the Internet.


Annales Des Télécommunications | 2016

An elastic intrusion detection system for software networks

Martin Andreoni Lopez; Diogo M. F. Mattos; Otto Carlos Muniz Bandeira Duarte

Internal users are the main causes of anomalous and suspicious behaviors in a communication network. Even when traditional security middleboxes are present, internal attacks may lead the network to outages or to leakage of sensitive information. In this article, we propose BroFlow, an Intrusion Detection and Prevention System based on Bro traffic analyzer and on the global network view of the software-defined networks (SDN) which is provided by the OpenFlow. BroFlow main contributions are (i) dynamic and elastic resource provision of traffic-analyzing machines under demand; (ii) real-time detection of DoS attacks through simple algorithms implemented in a policy language for network events; (iii) immediate reaction to DoS attacks, dropping malicious flows close to their sources, and (iv) near-optimal placement of sensors through a proposed heuristic for strategically positioning sensors in the network infrastructure, which is shared by multi-tenants, with a minimum number of sensors. We developed a prototype of the proposed system, and we evaluated it in a virtual environment of the Future Internet Testbed with Security (FITS). An evaluation of the system under attack shows that BroFlow guarantees the forwarding of legitimate packets at the maximal link rate, reducing up to 90% of the maximal network delay caused by the attack. BroFlow reaches 50% of bandwidth gain when compared with conventional firewall approaches, even when the attackers are legitimate tenants acting in collusion. In addition, the system reduces the sensors number, while keeping full coverage of network flows.


Global Communications Conference | 2014

XenFlow: Seamless migration primitive and quality of service for virtual networks

Diogo M. F. Mattos; Otto Carlos Muniz Bandeira Duarte

Next generation networks offer virtual networks on demand, each one with its own features and Quality of Service (QoS) requirements. Besides, live-migration provides a flexible and seamless topology remapping primitive for virtual networks, but it is usually limited to a local area network. In this paper, we propose XenFlow, a hybrid virtualization system, based on Xen and OpenFlow. XenFlow main goals are threefold. First, it provides a flexible virtual network migration primitive, as it deploys a Software Defined Networking between virtual machines, based on OpenFlow. Second, it provides a strong isolation of virtual networks, avoiding denial of service caused by interference of other virtual networks. Third, XenFlow offers inter-network and intra-network QoS provisioning by a consistent resource controller. We developed a prototype and our results show that the proposed system performs better than native mechanism of Xen virtual machine migration. XenFlow allows virtual router migration between different local area networks without creating tunnels or losing packets. Our experiments also show that resource usage controller meets QoS requirements and outperforms other techniques while it redistributes idle network resources.


Global Communications Conference | 2014

A two-phase multipathing scheme based on genetic algorithm for data center networking

Lyno Henrique G. Ferraz; Diogo M. F. Mattos; Otto Carlos Muniz Bandeira Duarte

Data centers for cloud computing should allocate services with different traffic patterns, provide high data transfer capacity and link fault tolerance. Data center network topologies provide physical connection redundancy, which forwarding mechanisms avail to generate multiple paths. In this paper, we divide multipathing into two phases: (i) Configuration phase based on genetic algorithms to minimize path lengths and maximize link usage diversity; (ii) Path selection phase based on heuristics to minimize path reuse. The proposed multipathing scheme implements minimal modification in infrastructure. Our proposal only requires common network devices features and it avoids any tenant modification. We develop a flow simulator to evaluate multipathing techniques. The simulations model flow behaviors in different data center scenarios and compares the proposed scheme with multipathing techniques in literature. The results show the proposed scheme enhances transmission rates, even in the highest network utilization scenarios.


IEEE Communications Letters | 2016

Reverse Update: A Consistent Policy Update Scheme for Software-Defined Networking

Diogo M. F. Mattos; Otto Carlos Muniz Bandeira Duarte; Guy Pujolle

Policy and path updates are common causes of network instability, leading to service disruptions or vulnerable intermediate states. In this letter, we propose the reverse update, an update scheme for software-defined networking that guarantees to preserve properties of flows during the transition time. We prove through a formal model that the proposal achieves consistent policy updates, in which in-transit packets are always handled in the next forwarding hops by the same or a more recent policy. The main contributions are: 1) a relaxation of the concept of per-packet-consistency in the data plane of software-defined networking; and 2) a policy update scheme, proved to be consistent and efficient. A software-defined networking simulator was developed and validated. The results of our simulations show that the proposed reverse update scheme is faster and has lower overhead than the current two-phase update proposed in the literature.


International Conference on Information and Communication Security | 2012

Evaluating virtual router performance for a pluralist future internet

Diogo M. F. Mattos; Lyno Henrique G. Ferraz; Luís Henrique Maciel Kosmalski Costa; Otto Carlos Muniz Bandeira Duarte

Internet Service Providers resist innovating in the network core, fearing that deploying a new protocol or service compromises the network operation and their profit, as a consequence. Therefore, a new Internet model, called Future Internet, which enables core innovation, must accommodate new protocols and services with the current scenario, isolating each protocol stack from others. Virtualization is the key technique that provides concurrent protocol stack capability to the Future Internet elements. In this paper, we evaluate the performance of three widespread virtualization tools, Xen, VMware, and OpenVZ, considering their use for router virtualization. We conduct experiments with benchmarking tools to measure the overhead introduced by virtualization in terms of memory, processor, network, and disk performance of virtual routers running on commodity hardware. We also evaluate the effects of the increasing number of virtual machines on Xen network virtualization mechanism. Our results show that Xen best fits virtual router requirements. Moreover, Xen fairly shares the network access among virtual routers, but needs further enhancement when multiple virtual machines simultaneously forward traffic.


International Conference on Communications | 2016

A resilient distributed controller for software defined networking

Diogo M. F. Mattos; Otto Carlos Muniz Bandeira Duarte; Guy Pujolle

Control plane distribution on Software Defined Networking enhances security, performance and scalability of the network. In this paper, we propose an efficient architecture for distribution of controllers. The main contributions of the proposed architecture are: i) A controller distributed areas to ensure security, performance and scalability of the network; ii) A single database maintained by a designated controller to provide consistency to the control plane; iii) An optimized heuristic for locating controllers to reduce latency in the control plane; iv) A resilient mechanism of choosing the designated controller to ensure the proper functioning of the network, even when there are failures. A prototype of the proposal was implemented and the placement heuristic was analyzed in real topologies. The results show that connectivity is maintained even in failure scenarios. Finally, we show that the placement optimization reduces the average latency of controllers. Our proposed heuristic achieves a fair distribution of controllers and outperforms the network resilience of other heuristics up to two times better.

Collaboration

Top Co-Authors

Lyno Henrique G. Ferraz

Federal University of Rio de Janeiro

Martin Andreoni Lopez

Federal University of Rio de Janeiro

Igor Drummond Alvarenga

Federal University of Rio de Janeiro

Igor Jochem Sanz

Federal University of Rio de Janeiro

Antonio Gonzalez Pastana Lobato

Federal University of Rio de Janeiro

Leonardo P. Cardoso

Federal University of Rio de Janeiro

Miguel Elias M. Campista

Federal University of Rio de Janeiro