Leonardo Richter Bays

Piecing together the NFV provisioning puzzle: Efficient placement and chaining of virtual network functions

Network Function Virtualization (NFV) is a promising network architecture concept, in which virtualization technologies are employed to manage networking functions via software as opposed to having to rely on hardware to handle these functions. By shifting dedicated, hardware-based network function processing to software running on commoditized hardware, NFV has the potential to make the provisioning of network functions more flexible and cost-effective, to mention just a few anticipated benefits. Despite consistent initial efforts to make NFV a reality, little has been done towards efficiently placing virtual network functions and deploying service function chains (SFC). With respect to this particular research problem, it is important to make sure resource allocation is carefully performed and orchestrated, preventing over- or under-provisioning of resources and keeping end-to-end delays comparable to those observed in traditional middlebox-based networks. In this paper, we formalize the network function placement and chaining problem and propose an Integer Linear Programming (ILP) model to solve it. Additionally, in order to cope with large infrastructures, we propose a heuristic procedure for efficiently guiding the ILP solver towards feasible, near-optimal solutions. Results show that the proposed model leads to a reduction of up to 25% in end-to-end delays (in comparison to chainings observed in traditional infrastructures) and an acceptable resource over-provisioning limited to 4%. Further, we demonstrate that our heuristic approach is able to find solutions that are very close to optimality while delivering results in a timely manner.

Virtual network security: threats, countermeasures, and challenges

Network virtualization has become increasingly prominent in recent years. It enables the creation of network infrastructures that are specifically tailored to the needs of distinct network applications and supports the instantiation of favorable environments for the development and evaluation of new architectures and protocols. Despite the wide applicability of network virtualization, the shared use of routing devices and communication channels leads to a series of security-related concerns. It is necessary to provide protection to virtual network infrastructures in order to enable their use in real, large scale environments. In this paper, we present an overview of the state of the art concerning virtual network security. We discuss the main challenges related to this kind of environment, some of the major threats, as well as solutions proposed in the literature that aim to deal with different security aspects.

DoS-resilient virtual networks through multipath embedding and opportunistic recovery

Network virtualization can potentially limit the impact of attacks by isolating traffic from different networks. However, routers and links are still vulnerable to attacks on the underlying network. Specifically, should a physical link be compromised, all embedded virtual links will be affected. Previous work protects virtual networks by setting aside backup resources. Although effective, this solution tends to be expensive as backup resources usually remain idle. In this paper, we present a novel virtual network allocation approach which explores the trade-off between resilience to attacks and efficiency in resource utilization. Our approach is composed of two complementary strategies, one preventive and the other reactive. The former embeds virtual links into multiple substrate paths, while the latter attempts to reallocate any capacity affected by an underlying DoS attack. Both strategies are modeled as optimization problems. Numerical results show the level of resilience to attacks and the low cost demanded by our approach.

A heuristic-based algorithm for privacy-oriented virtual network embedding

Network virtualization has become increasingly popular in recent years. It has the potential to allow timely handling of network infrastructure requests and, after instantiated, their lifecycle. In addition, it enables improved physical resource utilization. However, the use of network virtualization in large-scale, real environments depends on the ability to adequately map virtual routers and links to physical resources, as well as to protect virtual networks against security threats. With respect to security, confidentiality and privacy mechanisms have become essential in light of recent discoveries related to pervasive electronic surveillance. In this paper we propose a heuristic method for virtual network embedding with security support. The method features precise modeling of overhead costs of security mechanisms and handles incoming requests in an online manner. Additionally, we present a detailed performance comparison between the proposed heuristic and an optimization model based on the same problem. The obtained results demonstrate that the heuristic method is able to find feasible mappings in the order of seconds even when dealing with large network infrastructures, while the optimization model is limited to smaller networks.

Observing the BitTorrent universe through Telescopes

Recent analysis of the latest peer-to-peer trends worldwide indicates that BitTorrent is the most popular file sharing protocol, taking more than half of the P2P traffic in some geographical locations. Despite several studies about the dynamics of the “BitTorrent universe”, there exists no methodology to systematically observe it. This is mainly due to the challenges that need to be faced in order to observe the BitTorrent universe, the specificity of existing studies, and the ad hoc nature of the monitoring methods employed so far. In this paper, we propose a novel monitoring architecture (called TorrentU) that allows the systematic observation of large numbers of BitTorrent networks. Complementary monitoring strategies are flexibly combined to allow varying degrees of network/geographic coverage, information accuracy and richness of detail. To show the concept and technical feasibility of TorrentU, we implemented a prototype with the key parts of the architecture, and evaluated it through a case study with a rich set of monitoring campaigns running on PlanetLab nodes.

No more backups: Toward efficient embedding of survivable virtual networks

Although network virtualization can improve security by isolating traffic from different networks, routers and links are still vulnerable to attacks on the underlying network. High capacity physical links, in particular, constitute good targets since they may be important for a large number of virtual networks. Previous work protects virtual networks by setting aside backup resources. Although effective, this solution increases the cost to infrastructure providers. In this paper, we present a virtual network embedding approach which enables resilience to attacks and efficiency in resource utilization. Our approach is two-folded: while a preventive strategy embeds virtual links into multiple substrate paths, a reactive strategy attempts to reallocate any capacity affected by an underlying DoS attack. Since the embedding problem is NP-Hard, we devise a Simulated Annealing meta-heuristic to solve it efficiently. Results show our solution can provide resilience to attacks at a lower cost.

Characterizing the impact of network substrate topologies on virtual network embedding

Network virtualization is a mechanism that allows the coexistence of multiple virtual networks on top of a single physical substrate. One of the research challenges addressed recently in the literature is the efficient mapping of virtual resources on physical infrastructures. Although this challenge has received considerable attention, state-of-the-art approaches present, in general, a high rejection rate, i.e., the ratio between the number of denied virtual network requests and the total amount of requests is considerably high. In this work, we investigate the relationship between the quality of virtual network mappings and the topological structures of the underlying substrates. Exact solutions of an online embedding model are evaluated under different classes of network topologies. The obtained results demonstrate that the employment of physical topologies that contain regions with high connectivity significantly contributes to the reduction of rejection rates and, therefore, to improved resource usage.

Opportunistic resilience embedding (ORE)

Network Virtualization promotes the development of new architectures and protocols by enabling the creation of multiple virtual networks on top of the same physical substrate. One of its main advantages is the use of isolation to limit the scope of attacks - that is, avoiding traffic from one virtual network to interfere with the others. However, virtual networks are still vulnerable to disruptions on the underlying network. Particularly, high capacity physical links constitute good targets since they may be important for a large number of virtual networks.Previous work protects virtual networks by setting aside backup resources. Although effective, this kind of solution tends to be expensive, as backup resources increase the cost to infrastructure providers and usually remain idle. This paper presents ORE (opportunistic resilience embedding), a novel embedding approach for protecting virtual links against substrate network disruptions. OREs design is two-fold: while a proactive strategy embeds each virtual link into multiple substrate paths in order to mitigate the initial impact of a disruption, a reactive one attempts to recover any capacity affected by an underlying disruption. Both strategies are modeled as optimization problems. Additionally, since the embedding problem is NP -Hard, ORE uses a simulated annealing-based meta-heuristic to solve it efficiently. Numerical results show that ORE can provide resilience to disruptions at a lower cost.

Virtual network embedding in software-defined networks

Research on network virtualization has been active for a number of years, during which a number of virtual network embedding (VNE) approaches have been proposed. These approaches, however, neglect important operational requirements imposed by the underlying virtualization platforms. In the case of SDN/OpenFlow-based virtualization, a crucial example of an operational requirement is the availability of enough memory space for storing flow rules in OpenFlow devices. In this paper, we advocate that VNE must be performed with some knowledge of the underlying physical networks, otherwise the deployment may suffer from unpredictable or even unsatisfactory performance. Considering SDN/OpenFlow-based physical networks as an important virtualization scenario, we propose an approach based on VNE and OpenFlow coordination for proper deployment of virtual networks (VNs). The proposed approach unfolds in the following main contributions: (i) a virtual infrastructure abstraction that allows a service provider to represent the details of his/her VN requirements in a comprehensive manner; (ii) a privacy-aware compiler that is able to preprocess this detailed VN request in order to obfuscate sensitive information and derive computable operational requirements; and (iii) a model for embedding requested VNs ensuring their feasibility at the physical level. The results obtained through our evaluation demonstrate that taking such operational requirements into account, as well as accurately assessing them, is of paramount importance to ensure the correct behavior of VNs hosted on top of the virtualization platform.

How physical network topologies affect virtual network embedding quality: A characterization study based on ISP and datacenter networks

Abstract Network virtualization is a mechanism that allows the coexistence of multiple virtual networks on top of a single physical substrate. Due to its well-known potential benefits (e.g., lower CAPEX/OPEX expenditures), it has been embraced by the IT sector, specially by Internet Service Providers (ISPs) and cloud computing/datacenter companies. One of the research challenges addressed recently in the literature is the efficient mapping of virtual resources on physical infrastructures. Although this challenge has received considerable attention, state-of-the-art approaches present, in general, a high rejection rate, i.e., the ratio between the number of denied virtual network requests and the total amount of requests is considerably high. In this work, we investigate the relationship between the quality of virtual network mappings and the topological structures of the underlying substrates. Exact solutions of an online embedding model are evaluated under different classes of ISP and datacenter network topologies. The obtained results demonstrate that the employment of physical topologies that contain regions with high connectivity significantly contributes to the reduction of rejection rates and, therefore, to improved resource usage. Additionally, through an extensive analysis of denied requests, we assess the main rejection causes related to both ISP and datacenter networks and provide strong evidence of each one. In summary, through the embedding of virtual requests, available resources in ISP networks tend to be more partitioned in comparison to datacenter networks. Such differences on partitioning levels lead to a different percentage of rejection causes in each topology class.