Simon Jouet
University of Glasgow
Publication
Featured research published by Simon Jouet.
international conference on distributed computing systems workshops | 2013
Fung Po Tso; David White; Simon Jouet; Jeremy Singer; Dimitrios P. Pezaros
Data Centers (DC) used to support Cloud services often consist of tens of thousands of networked machines under a single roof. The significant capital outlay required to replicate such infrastructures constitutes a major obstacle to practical implementation and evaluation of research in this domain. Currently, most research into Cloud computing relies on either limited software simulation, or the use of testbed environments with a handful of machines. The recent introduction of the Raspberry Pi, a low-cost, low-power single-board computer, has made the construction of miniature Cloud DCs more affordable. In this paper, we present the Glasgow Raspberry Pi Cloud (PiCloud), a scale model of a DC composed of clusters of Raspberry Pi devices. The PiCloud emulates every layer of a Cloud stack, ranging from resource virtualisation to network behaviour, providing a full-featured Cloud Computing research and educational environment.
2016 8th International Workshop on Resilient Networks Design and Modeling (RNDM) | 2016
Teresa Gomes; János Tapolcai; Christian Esposito; David Hutchison; Fernando A. Kuipers; Jacek Rak; Amaro de Sousa; Athanasios Iossifides; Rui Travanca; João André; Luísa Jorge; Lúcia Martins; Patricia Ortiz Ugalde; Alija Pasic; Dimitrios P. Pezaros; Simon Jouet; Stefano Secci; Massimo Tornatore
Recent natural disasters have revealed that emergency networks presently cannot disseminate the necessary disaster information, making it difficult to deploy and coordinate relief operations. These disasters have reinforced the knowledge that telecommunication networks constitute a critical infrastructure of our society, and the urgency in establishing protection mechanisms against disaster-based disruptions. Hence, it is important to have emergency networks able to maintain sustainable communication in disaster areas. Moreover, the network architecture should be designed so that network connectivity is maintained among nodes outside of the impacted area, while ensuring that services for customers not in the affected area suffer minimal impact. As a first step towards achieving disaster resilience, the RECODIS project was formed, and its Working Group 1 members conducted a comprehensive literature survey on “strategies for communication networks to protect against large-scale natural disasters,” which is summarized in this article.
international symposium on computers and communications | 2015
Richard Cziva; Simon Jouet; Kyle J. S. White; Dimitrios P. Pezaros
Today's enterprise networks almost ubiquitously deploy middlebox services to improve in-network security and performance. Although virtualization of middleboxes attracts significant attention, studies show that such implementations are still proprietary and deployed in a static manner at the boundaries of organisations, hindering open innovation. In this paper, we present an open framework to create, deploy and manage virtual network functions (NFs) in OpenFlow-enabled networks. We exploit container-based NFs to achieve low performance overhead, fast deployment and high reusability missing from today's NFV deployments. Through an SDN northbound API, NFs can be instantiated, traffic can be steered through the desired policy chain and applications can raise notifications. We demonstrate the system's operation through the development of exemplar NFs from common Operating System utility binaries, and we show that container-based NFV improves function instantiation time by up to 68% over existing hypervisor-based alternatives, and scales to one hundred co-located NFs while incurring sub-millisecond latency.
high performance switching and routing | 2015
Simon Jouet; Richard Cziva; Dimitrios P. Pezaros
OpenFlow has emerged as the de facto control protocol to implement Software-Defined Networking (SDN). In its current form, the protocol specifies a set of fields on which it matches packets to perform actions, such as forwarding, discarding or modifying specific protocol header fields at a switch. The number of match fields has increased with every version of the protocol to extend matching capabilities; however, it is still not flexible enough to match on arbitrary packet fields, which limits innovation and new protocol development with OpenFlow. In this paper, we argue that a fully flexible match structure is superior to continuously extending the number of fields to match upon. We use Berkeley Packet Filters (BPF) for packet classification to provide a protocol-independent, flexible alternative to today's OpenFlow fixed match fields. We have implemented a prototype system and evaluated the performance of the proposed match scheme, with a focus on the time it takes to execute and the memory required to store different match filter specifications. Our prototype implementation demonstrates that line-rate arbitrary packet classification can be achieved with complex BPF programs.
2016 8th International Workshop on Resilient Networks Design and Modeling (RNDM) | 2016
Carmen Mas Machuca; Stefano Secci; Petra Vizarreta; Fernando A. Kuipers; Antonios Gouglidis; David Hutchison; Simon Jouet; Dimitrios P. Pezaros; Ahmed Elmokashfi; Poul E. Heegaard; Sasko Ristov; Marjan Gusev
Resilience against disaster scenarios is essential to network operators, not only because of the potential economic impact of a disaster but also because communication networks form the basis of crisis management. COST RECODIS aims at studying measures, rules, techniques and prediction mechanisms for different disaster scenarios. This paper gives an overview of different solutions in the context of technology-related disasters. After a general overview, the paper focuses on resilient Software Defined Networks.
international conference on network protocols | 2013
Simon Jouet; Dimitrios P. Pezaros
TCP congestion control has been a native part of all modern Operating System implementations where parameters are initialized assuming an underlying high Bandwidth Delay Product (BDP) environment. However, the significantly lower BDP in Data Centre (DC) networks makes such conservative transport-layer parameters together with deep-buffered switches and bursty traffic a factor of performance degradation, eventually leading to throughput incast collapse. In this paper, we propose a Software Defined Networking (SDN) approach to tune TCP initial window and retransmission timers for newly created flows based on a network-wide view created by aggregating known characteristics and temporal measurements at a central controller. Through simulation, we show the detrimental effect static TCP parameters have on mice flows and demonstrate the benefits of network-aware per-flow tuning. We show that the average latency under bursty traffic can be improved by a factor of eight, and that flow start and completion times can be improved by a factor of two and five, respectively.
network operations and management symposium | 2016
Simon Jouet; Colin Perkins; Dimitrios P. Pezaros
TCP suffers from incast collapse in data center networks when used with partition aggregate workloads due to inadequate congestion control parameters. This causes poor application performance by under-utilizing the network, and can be one of the limiting factors in low-latency, high-throughput environments. To resolve this, we present Omniscient TCP (OTCP), a Software Defined Networking (SDN) approach to compute environment-specific congestion control parameters based on centrally available network properties. Through experimental evaluation in Mininet, we show up to 12x and 31x reduction in Flow Completion Time (FCT) at the mean and 95th percentile, an 8x FCT improvement on highly congested networks when combined with DCTCP [1], as well as improved fairness and reduced end-to-end latency.
international conference on communications | 2017
Mircea Iordache; Simon Jouet; Angelos K. Marnerides; Dimitrios P. Pezaros
Over the past decade, numerous systems have been proposed to detect and subsequently prevent or mitigate security vulnerabilities. However, many existing intrusion or anomaly detection solutions are limited to a subset of the traffic due to scalability issues, hence failing to operate at line-rate on large, high-speed datacentre networks. In this paper, we present a two-level solution for anomaly detection leveraging independent execution and message passing semantics. We employ these constructs within a network-wide distributed anomaly detection framework that allows for greater detection accuracy and bandwidth cost saving through attack path reconstruction. Experimental results using real operational traffic traces and known network attacks generated through the Pytbull IDS evaluation framework, show that our approach is capable of detecting anomalies in a timely manner while allowing reconstruction of the attack path, hence further enabling the composition of advanced mitigation strategies. The resulting system shows high detection accuracy when compared to similar techniques, at least 20% better at detecting anomalies, and enables full path reconstruction even at small-to-moderate attack traffic intensities (as a fraction of the total traffic), saving up to 75% of bandwidth due to early attack detection.
consumer communications and networking conference | 2017
Atanas Pamukchiev; Simon Jouet; Dimitrios P. Pezaros
Network Intrusion Detection Systems (NIDS) are an integral part of modern data centres to ensure high availability and compliance with Service Level Agreements (SLAs). Currently, NIDS are deployed on high-performance, high-cost middleboxes that are responsible for monitoring a limited section of the network. The fast increasing size and aggregate throughput of modern data centre networks have come to challenge the current approach to anomaly detection to satisfy the fast growing compute demand. In this paper, we propose a novel approach to distributed intrusion detection systems based on the architecture of recently proposed event processing frameworks. We have designed and implemented a prototype system using Apache Storm to show the benefits of the proposed approach as well as the architectural differences with traditional systems. Our system distributes modules across the available devices within the network fabric and uses a centralised controller for orchestration, management and correlation. Following the Software Defined Networking (SDN) paradigm, the controller maintains a complete view of the network but distributes the processing logic for quick event processing while performing complex event correlation centrally. We have evaluated the proposed system using publicly available data centre traces and demonstrated that the system can scale with the network topology while providing high performance and minimal impact on packet latency.
architectures for networking and communications systems | 2017
Simon Jouet; Dimitrios P. Pezaros
In its current form, OpenFlow, the de facto implementation of SDN, separates the network's control and data planes allowing a central controller to alter the match-action pipeline using a limited set of fields and actions. To support new protocols, forwarding logic, telemetry, monitoring or even middlebox-like functions the currently available programmability in SDN is insufficient. In this paper, we introduce BPFabric, a platform, protocol, and language-independent architecture to centrally program and monitor the data plane. BPFabric leverages eBPF, a platform and protocol independent instruction set to define the packet processing and forwarding functionality of the data plane. We introduce a control plane API that allows data plane functions to be deployed on-the-fly, reporting events of interest and exposing network internal state to the centralised controller. We present a raw socket and DPDK implementation of the design, the former for large-scale experimentation using environments such as Mininet and the latter for high-performance low-latency deployments. We show through examples that functions unrealisable in OpenFlow can leverage this flexibility while achieving similar or better performance to today's static design.