Ralph Koning

Linux containers networking: Performance and scalability of kernel modules

Linux container virtualisation is gaining momentum as lightweight technology to support cloud and distributed computing. Applications relying on container architectures might at times rely on inter-container communication, and container networking solutions are emerging to address this need. Containers can be networked together as part of an overlay network, or with actual links from the container to the network via kernel modules. Most overlay solutions are not quite production ready yet; on the other hand kernel modules that can link a container to the network are much more mature. We benchmarked three kernel modules: veth, macvlan and ipvlan, to quantify their respective raw TCP and UDP performance and scalability. Our results show that the macvlan kernel module outperforms all other solutions in raw performance. All kernel modules seem to provide sufficient scalability to be deployed effectively in multi-containers environments.

Interactive analysis of SDN-driven defence against distributed denial of service attacks

The Secure Autonomous Response Networks (SARNET) framework introduces a mechanism to respond autonomously to security attacks in Software Defined Networks (SDN). Still the range of responses possible and their effectiveness need to be properly evaluated such that the decision making process and the self-learning capability of such systems are optimized. To this purpose we developed a touch-table driven interactive SARNET prototype, named VNET, and we demonstrated its use through real-time monitoring and control of real and virtualised networks. By observing users interacting with the system at SC15 in Austin, we concluded that in a SDN it is possible to achieve high effectiveness of responses by carefully choosing a relatively minor number of actions.

OIntEd: online ontology instance editor enabling a new approach to ontology development

Ontology development involves people with different background knowledge and expertise. It is an elaborate process, where sophisticated tools for experienced knowledge engineers are available. However, domain experts need simple tools that they can use to focus on ontology instantiation. In this paper, we propose a methodology with a separation of concern between domain experts and knowledge engineers. This separation allows domain experts to focus on information processing and ontology instantiation while providing immediate feedback to the knowledge engineers on usability of the ontology being developed. We have designed and implemented OINTED, an adaptive online ontology instance editor that supports this methodology. We present usage examples of OINTED that highlight three main features: the intuitive visualization of concepts, instances, and relationships within an ontology; the seamless integration in pre‐existing problem solving environment; and the assistance in ontology evolution. OINTED complements existing tools suited for knowledge engineers by enabling immediate feedback and a shorter ontology development life cycle. Copyright

Planning Data Intensive Workflows on Inter-domain Resources Using the Network Service Interface (NSI)

The recent emergence of advanced network infrastructures for e-Science enables tuning of network performance at the application level. The Network Service Interface (NSI) has been created as a result of collaborative development of network and application engineers primarily associated with the Research and Education (R&E) community. The NSI allows workflow systems not only to check available service points for a workflow engine to schedule executions, but also to reserve and provision network connections among those service points. However, the current NSI services are proposed mainly from the network resource management perspective, which concerns little about the programming model of applications. In this paper we extend our previous system called NEtWork QoS Planner (NEWQoSPlanner) by adding inter domain network resource selection and provisioning using NSI. We will discuss how NEWQoSPlanner invokes network services to achieve dynamic resource optimization for workflows, and how to apply such planner in heterogeneous infrastructures.

An agent based planner for including network QoS in scientific workflows

Advanced network infrastructure plays an important role in the e-Science environment to provide high quality connections between largely distributed data sensors, and computing and storage elements. However, the quality of the network services has so far rarely been considered in composing and executing scientific workflows. Currently, scientific applications tune the execution quality of workflows neglecting network resources, and by selecting only optimal software services and computing resources. One reason is that IP-based networks provide few possibilities for workflow systems to manage the service quality, and limit or prevent bandwidth reservation or network paths selection. We see nonetheless a strong need from scientific applications, and network operators, to include the network quality management in the workflow systems. Novel network infrastructures open up new possibilities in network tuning at the application level. In this position paper, we discuss our vision on this issue and propose an agent based solution to include network resources in the loop of workflow composition, scheduling and execution when advanced network services are available. We present the first prototype of our approach in the context of the CineGrid project.

CoreFlow: Enriching Bro security events using network traffic monitoring data

Attacks against network infrastructures can be detected by Intrusion Detection Systems (IDS). Still reaction to these events are often limited by the lack of larger contextual information in which they occurred. In this paper we present CoreFlow, a framework for the correlation and enrichment of IDS data with network flow information. CoreFlow ingests data from the Bro IDS and augments this with flow data from the devices in the network. By doing this the network providers are able to reconstruct more precisely the route followed by the malicious flows. This enables them to devise tailored countermeasures, e.g. blocking close to the source of the attack. We tested the initial CoreFlow prototype in the ESnet network, using inputs from 3 Bro systems and more than 50 routers.

Network resource selection for data transfer processes in scientific workflows

Quality of the service (QoS) plays an important role in the life-cycle of scientific workflows for composing and executing applications. However, the quality of network services has so far rarely been considered in composing and executing scientific workflows. Currently, scientific applications tune the execution quality neglecting network resources, and by selecting only optimal software services and computing resources. One reason is that IP-based networks provide few possibilities for workflow systems to manage the service quality, and limit or prevent bandwidth reservation or network paths selection. We see nonetheless a strong need from scientific applications, and network operators, to include the network quality management in the workflow systems. In this paper, we discuss our ongoing research on this issue and present a semantic based solution to searching network resources with awareness of QoS requirements. The solution aims at complementing existing workflow systems on selecting network resources in the context of workflow composition, scheduling and execution when advanced network services are available. Our research is conducted in the context of the CineGrid project.

An Architecture Including Network QoS in Scientific Workflows

The quality of the network services has so far rarely been considered in composing and executing scientific workflows. Currently, scientific applications tune the execution quality of workflows neglecting network resources, and by selecting only optimal software services and computing resources. One reason is that IP-based networks provide few possibilities for workflow systems to manage the service quality, and limit or prevent bandwidth reservation or network paths selection. We see nonetheless a strong need from scientific applications, and network operators, to include the network quality management in the workflow systems. In this position paper, we discuss our vision on this issue and propose an agent based solution to include network resources in the loop of workflow composition, scheduling and execution when advanced network services are available. Our approach is conducted in the context of the CineGrid project.

Measuring the efficiency of SDN mitigations against attacks on computer infrastructures

Abstract Software Defined Networks (SDN) and Network Function Virtualisation (NFV) provide the basis for autonomous response and mitigation against attacks on networked computer infrastructures. We propose a new framework that uses SDNs and NFV to achieve this goal: Secure Autonomous Response Network (SARNET). In a SARNET, an agent running a control loop constantly assesses the security state of the network by means of observables. The agent reacts to and resolves security problems, while learning from its previous decisions. Two main metrics govern the decision process in a SARNET: impact and efficiency; these metrics can be used to compare and evaluate countermeasures and are the building blocks for self-learning SARNETs that exhibit autonomous response. In this paper we present the software implementation of the SARNET framework, evaluate it in a real-life network and discuss the tradeoffs between parameters used by the SARNET agent and the efficiency of its actions.

Measuring the effectiveness of SDN mitigations against cyber attacks

To address increasing problems caused by cyber attacks, we leverage Software Defined networks and Network Function Virtualisation governed by a SARNET-agent to enable autonomous response and attack mitigation. A Secure Autonomous Response Network (SARNET) uses a control loop to constantly assess the security state of the network by means of observables. Using a prototype we introduce the metrics impact and effectiveness and show how they can be used to compare and evaluate countermeasures. These metrics become building blocks for self learning SARNET which exhibit true autonomous response.