Niels L. M. van Adrichem

OpenNetMon: Network monitoring in OpenFlow Software-Defined Networks

We present OpenNetMon, an approach and open-source software implementation to monitor per-flow metrics, especially throughput, delay and packet loss, in OpenFlow networks. Currently, ISPs over-provision capacity in order to meet QoS demands from customers. Software-Defined Networking and OpenFlow allow for better network control and flexibility in the pursuit of operating networks as efficiently as possible. Where OpenFlow provides interfaces to implement fine-grained Traffic Engineering (TE), OpenNetMon provides the monitoring necessary to determine whether end-to-end QoS parameters are actually met and delivers the input for TE approaches to compute appropriate paths. OpenNetMon polls edge switches, i.e. switches with flow end-points attached, at an adaptive rate that increases when flow rates differ between samples and decreases when flows stabilize to minimize the number of queries. The adaptive rate reduces network and switch CPU overhead while optimizing measurement accuracy. We show that not only local links serving variable bit-rate video streams, but also aggregated WAN links benefit from an adaptive polling rate to obtain accurate measurements. Furthermore, we verify throughput, delay and packet loss measurements for bursty scenarios in our experiment testbed.

Fast Recovery in Software-Defined Networks

Although Software-Defined Networking and its implementation OpenFlow facilitate managing networks and enable dynamic network configuration, recovering from network failures in a timely manner remains non-trivial. The process of (a) detecting the failure, (b) communicating it to the controller and (c) recomputing the new shortest paths may result in an unacceptably long recovery time. In this paper, we demonstrate that current solutions, employing both reactive restoration or proactive protection, indeed suffer long delays. We introduce a failover scheme with per-link Bidirectional Forwarding Detection sessions and preconfigured primary and secondary paths computed by an OpenFlow controller. Our implementation reduces the recovery time by an order of magnitude compared to related work, which is confirmed by experimental evaluation in a variety of topologies. Furthermore, the recovery time is shown to be constant irrespective of path length and network size.

Globally accessible names in named data networking

Information Centric Networking (ICN) paradigms aim at optimizing computer networks for information distribution. Named Data Networking (NDN) and its implementation CCNx propose a promising globally implementable ICN. Routing on names, however, may result in extremely large global routing tables. In this paper, we propose to confine the global routing table size by decoupling context-related names, such as domain names, from names routable within the network. By aggregating routable names to their topological location, the size of global routing tables decreases to the number of Autonomous Systems. Furthermore, mapping context-related names back to location-aggregated names using a directory service eases the process of sharing information on the ICN. The robustness of the network is further increased by employing dynamic multihoming without changing application names.

NDNFlow: Software-defined Named Data Networking

In this paper, we introduce NDNFlow: an open-source software implementation of a Named Data Networking based forwarding scheme in OpenFlow-controlled Software-Defined Networks (SDNs). By setting up an application-specific communication channel and controller layer parallel to the application agnostic OpenFlow protocol, we obtain a mechanism to deploy specific optimizations into a network without requiring a full network upgrade or OpenFlow protocol change. Our open-source software implementation consists of both an NDN-specific controller module and an NDN client plug-in. NDNFlow allows OpenFlow networks with NDN capabilities to exploit the benefits of NDN, by enabling the use of intermediate caches, identifying flows of content and eventually performing traffic engineering based on these principles.

An SDN-based architecture for Network-as-a-Service

Network-as-a-Service (NaaS) is a cloud-based service model that offers on-demand network connectivity and the provisioning and management of network services. However, the actual orchestration of dynamically allocating underlying resources to customer requirements is not trivial. In this paper, we propose an SDN-based approach to support the NaaS model. We implement a proof-of-concept (PoC) on a physical testbed and validate it through experimental performance evaluation.

Backup rules in Software-Defined Networks

The past century of telecommunications has shown that failures in networks are prevalent. Failure recovery processes are therefore needed. Failure recovery is mainly influenced by (1) detection of the failure, and (2) circumvention of the detected failure. However, especially in SDNs where controllers recompute network state reactively, this leads to high delays. Hence, next to primary rules, backup rules should be installed in the switches to quickly detour traffic once a failure occurs. In this work, we propose algorithms for computing an all-to-all primary and backup network forwarding configuration that is capable of circumventing link and node failures. After initial recovery, we recompute network configuration to guarantee protection from future failures. Our algorithms use packet-labeling to guarantee correct and shortest detour forwarding and are able to discriminate between link and node failures. The computational complexity of our solution is comparable to that of all-to-all shortest paths computations. Our experimental evaluation shows that network configuration complexity decreases significantly compared to classic disjoint paths computations. Finally, we provide a proof-of-concept OpenFlow controller in which our proposed configuration is implemented, demonstrating that it readily can be applied in production networks.

Providing bandwidth guarantees with OpenFlow

Quality of Service (QoS) control is an important concept in computer networking, as it is related to end-user experience. While providing QoS guarantees over the Internet has long been deemed too complicated, the emergence of Software Defined Networking (SDN), and OpenFlow as its most popular standard, may facilitate QoS control. In this paper, we consider how to enable bandwidth guarantees with OpenFlow. Our design allows QoS flows to send more than their guaranteed rates, as long as they do not hinder other guaranteed and/or best-effort flows. Furthermore, our design uses OpenFlows meter table to aggregate traffic. Our traffic aggregation functionality only adds overhead to the first switch, but no other complexity is incurred at the subsequent switches.

DNSSEC Misconfigurations: How Incorrectly Configured Security Leads to Unreachability

DNSSEC offers protection against spoofing of DNS data by providing authentication of its origin, ensuring integrity and giving a way to authenticate denial of existence by using public-key cryptography. Where the relevance of securing a technology as crucial to the Internet as DNS is obvious, the DNSSEC implementation increases the complexity of the deployed DNS infrastructure, which may manifest in misconfiguration. A misconfiguration not only leads to silently losing the expected security, but might result in Internet users being unable to access the network, creating an undesired unreachability problem. In this paper, we measure and analyze the misconfigurations for domains in four zones (.bg, .br, .co and .se). Furthermore, we classify these misconfigurations into several categories and provide an explanation for their possible causes. Finally, we evaluate the effects of misconfigurations on the reachability of a zones network. Our results show that, although progress has been made in the implementation of DNSSEC, over 4% of evaluated domains show misconfigurations. Of these misconfigured domains, almost 75% were unreachable from a DNSSEC aware resolver. This illustrates that although the authorities of a domain may think their DNS is secured, it is in fact not. Worse still, misconfigured domains are at risk of being unreachable from the clients who care about and implement DNSSEC verification while the publisher may remain unaware of the error and its consequences.