Gabriele Lospoto

Rethinking virtual private networks in the software-defined era

Multi Protocol Label Switching (MPLS) Virtual Private Networks (VPNs) have seen an unparalleled increasing adoption in the last decade. Although their flexibility as transport technology and their effectiveness for traffic engineering are well recognized, VPNs are difficult to set up and manage, due to the complexity of configurations, to the number of involved protocols, and to the limited control and predictability of network behaviors. On the other hand, Software-Defined Networking (SDN) is a consolidated, yet still emerging paradigm by which the control plane logic of a network device is implemented by an arbitrarily programmed software that runs outside the device itself. We conjugate the effectiveness of traditional VPNs with the programmability of SDN, proposing a novel and improved realization of MPLS VPNs based on SDN. With our approach, provisioning and setup of VPNs are accomplished by using a simple and flexible configuration language. Management and troubleshooting are facilitated because only a minimal set of technologies (notably, just MPLS) is retained. Control and predictability of network behaviors are enhanced by the centralized coordination enforced by the SDN controller. Besides illustrating our proposed approach and specifying the configuration language, we describe a prototype implementation of a controller and the outcome of tests we conducted in several configuration scenarios.

How to handle ARP in a software-defined network

The Address Resolution Protocol (ARP) enables communication between IP-speaking nodes in a local network by reconstructing the hardware (MAC) address associated with the IP address of an interface. This is not needed in a Software-Defined Network (SDN), because each device can forward packets without the need to learn this association. We tackle the interoperability problem arising between standard network devices (end systems, routers), that rely on ARP, and SDN datapaths, that do not handle ARP packets natively. In particular, we propose a general approach to handle ARP in a SDN, that is applicable in several network scenarios, is transparent for existing devices, and can coexist with any packet forwarding logic implemented in the controller. Our approach reduces ARP traffic by confining it to the edge of SDNs and requires a minimal set of flow entries in the datapaths. We argument about its applicability and confirm it with experiments performed on SDN datapaths from a range of different vendors.

On the practical applicability of SDN research

Software-Defined Networking (SDN) is a de-facto established approach that separates the packet switching functions of a device from its operational logic, which is controlled by a piece of software. Due to its potential for realizing new network architectures and services, a whole thread of scientific literature is devoted to SDN and its most adopted incarnation, OpenFlow. However, limited attention has been put in verifying the viability of the proposed approaches on currently available hardware. We address this deficiency through the following contributions: i) a critical review of the literature about SDN in terms of applicability issues stemming from publicly documented limitations of OpenFlow implementations; ii) a methodology for verifying the support of SDN-related functions in a network device, comprising an OpenFlow compliance test as well as custom targeted tests; iii) an application of the methodology to devices from 7 different vendors, unveiling extensive anomalous behaviors affecting even the most basic features; iv) a discussion of this outcome in terms of relevance of the discovered anomalies and of their implications on the applicability of state-of-the-art contributions on SDN. Besides taking a snapshot of the viability of research results, with this paper we intend to highlight aspects that operators should consider when picking SDN devices.

Supporting end-to-end connectivity in federated networks using SDN

Federated networking is a promising approach to resource sharing that supports cost-effective services involving multiple parties. Research in this field largely focused on architectures and cost models, making limited progress on the technological side. On the other hand, the widely adopted Software-Defined Networking (SDN) model found its most successful application in data centers, exhibiting very little penetration in other scenarios. We leverage the unexplored potential of SDN on the edge of a network to introduce an approach that supports end-to-end connectivity among different federated partners. Our approach is based on simple Network Address and Port Translation (NAPT), making it applicable in standard IP networks. It is also very flexible, because it exploits SDN, and scalable, because address translations are performed on Customer Premises Equipment, where SDN is being progressively supported by device vendors. We define various alternative NAPT strategies and evaluate their effectiveness with simulations as well as emulated scenarios.

Making MPLS VPNs manageable through the adoption of SDN

Virtual Private Networks (VPNs) implemented by Multi Protocol Label Switching (MPLS) tunnels appear in the service offer of many Internet Service Providers (ISPs). Due to the number of technologies that they involve and to the intricacy of their interactions, provisioning, setup, and maintenance of VPNs is a cumbersome task, whose complexity is usually mitigated by using advanced network management systems. We cut these difficulties at their roots by taking advantage of Software Defined Networking (SDN). We showcase the design and a prototype implementation of an SDN controller that, starting from a centralized specification of VPN settings expressed in a high-level simple and flexible language, automatically fills flow tables to implement the requested VPNs. Our implementation of VPNs with SDN promptly reacts to network dynamics (e.g., newly appeared links) and simplifies management a lot by dropping many unneeded technologies.

Intra-domain routing with pathlets

Abstract Internal routing inside the network of an Internet Service Provider (ISP) affects the performance of lots of services that the ISP offers to its customers and is therefore critical to adhere to Service Level Agreements (SLAs), achieve a top-quality offer, and earn revenue. Existing technologies (most notably, MPLS) offer limited (e.g., with RSVP-TE), tricky (e.g., with OSPF metrics), or no control on internal routing paths. Recent research results address these shortcomings, but miss a few elements that would enable their application in an ISP’s network. We introduce a new control plane, based on pathlet routing (Godfrey et al., 2009) [2], designed to operate in the network of an ISP and offering several nice features: it enables steering of network paths at different levels of granularity; it is scalable and robust; it supports independent configuration of specific network regions and differentiation of Quality of Service (QoS) levels; it can nicely coexist with other control planes and is independent of the data plane used in the ISP’s network. Besides formally introducing the messages and algorithms of our control plane, we propose an experimental scalability assessment and comparison with OSPF, conducted in the simulation framework OMNeT++.

Intra-Domain Pathlet Routing

Internal routing inside an ISP network is the foundation for lots of services that generate revenue from the ISPs customers. A fine-grained control of paths taken by network traffic once it enters the ISPs network is therefore a crucial means to achieve a top-quality offer and, equally important, to enforce SLAs. Many widespread network technologies and approaches (most notably, MPLS) offer limited (e.g., with RSVP-TE), tricky (e.g., with OSPF metrics), or no control on internal routing paths. On the other hand, recent advances in the research community are a good starting point to address this shortcoming, but miss elements that would enable their applicability in an ISPs network. We extend pathlet routing by introducing a new control plane for internal routing that pursues the following qualities: it is designed to operate in the internal network of an ISP; it enables fine-grained management of network paths with suitable configuration primitives; it is scalable because routing changes are only propagated to the network portion that is affected by the changes; it supports independent configuration of specific network portions without the need to know the configuration of the whole network; it is robust thanks to the adoption of multipath routing; it supports the enforcement of QoS levels; it is independent of the specific data plane used in the ISPs network; it can be incrementally deployed and it can nicely coexist with other control planes. Besides formally introducing the dissemination mechanisms and algorithms of our control plane, we propose an experimental validation in the simulation framework OMNeT++ that we use to assess the effectiveness and scalability of our approach.

SDNetkit: A testbed for experimenting SDN in multi-domain networks.

Mininet is the de-facto standard simulation environment for experimenting with SDN enabled networks based on the OpenFlow protocol. Although Mininet is powerful and not resource hungry, it has a strong limitation: it is not possible to use it for networks in which both OpenFlow and standard distributed routing protocols (e.g. Open Short Path First, OSPF) simultaneously run. In this paper we present SDNetkit, an enhanced release of the widely used Netkit network emulator that overcomes the limitation imposed by Mininet. We improved Netkit by adding all needed software to run OpenFlow based networks (e.g. OpenVSwitch and the Ryu framework). We show two use cases in which OpenFlow and standard protocols coexist. In particular, we address interoperability problems by presenting one use case in which OpenFlow nodes interact with standard ones (e.g. OSPF routers) in multi-domain networks, as well as one use case in which the OpenFlow protocol and OSPF run on the same machine, discussing some problems related to specific configurations. We believe that having the possibility to experiment SDN also in presence of interoperability scenarios results in opening to new research perspectives.

Leveraging SDN to monitor critical infrastructure networks in a smarter way

In critical infrastructures, communication networks are used to exchange vital data among elements of Industrial Control Systems (ICSes). Due to the criticality of such systems and the increase of the cybersecurity risks in these contexts, best practices recommend the adoption of Intrusion Detection Systems (IDSes) as monitoring facilities. The choice of the positions of IDSes is crucial to monitor as many streams of data traffic as possible. This is especially true for the traffic patterns of ICS networks, mostly confined in many subnetworks, which are geographically distributed and largely autonomous. We introduce a methodology and a software architecture that allow an ICS operator to use the spare bandwidth that might be available in over-provisioned networks to forward replicas of traffic streams towards a single IDS placed at an arbitrary location. We leverage certain characteristics of ICS networks, like stability of topology and bandwidth needs predictability, and make use of the Software-Defined Networking (SDN) paradigm. We fulfill strict requirements about packet loss, for both functional and security aspects. Finally, we evaluate our approach on network topologies derived from real networks.