Vasileios Kotronis

OpenFlow: A security analysis

Software Defined Networking (SDN) has been proposed as a drastic shift in the networking paradigm, by decoupling network control from the data plane and making the switching infrastructure truly programmable. The key enabler of SDN, OpenFlow, has seen widespread deployment on production networks and its adoption is constantly increasing. Although openness and programmability are primary features of OpenFlow, security is of core importance for real-world deployment. In this work, we perform a security analysis of OpenFlow using STRIDE and attack tree modeling methods, and we evaluate our approach on an emulated network testbed. The evaluation assumes an attacker model with access to the network data plane. Finally, we propose appropriate counter-measures that can potentially mitigate the security issues associated with OpenFlow networks. Our analysis and evaluation approach are not exhaustive, but are intended to be adaptable and extensible to new versions and deployment contexts of OpenFlow.

Design and implementation of the OFELIA FP7 facility: The European OpenFlow testbed

The growth of the Internet in terms of number of devices, the number of networks associated to each device and the mobility of devices and users makes the operation and management of the Internet network infrastructure a very complex challenge. In order to address this challenge, innovative solutions and ideas must be tested and evaluated in real network environments and not only based on simulations or laboratory setups. OFELIA is an European FP7 project and its main objective is to address the aforementioned challenge by building and operating a multi-layer, multi-technology and geographically distributed Future Internet testbed facility, where the network itself is precisely controlled and programmed by the experimenter using the emerging OpenFlow technology. This paper reports on the work done during the first half of the project, the lessons learned as well as the key advantages of the OFELIA facility for developing and testing new networking ideas. An overview on the challenges that have been faced on the design and implementation of the testbed facility is described, including the OFELIA Control Framework testbed management software. In addition, early operational experience of the facility since it was opened to the general public, providing five different testbeds or islands, is described.

Stitching Inter-Domain Paths over IXPs

Modern Internet applications, from HD video-conferencing to health monitoring and remote control of power-plants, pose stringent demands on network latency, bandwidth and availability. An approach to support such applications and provide inter-domain guarantees, enabling new avenues for innovation, is using centralized inter-domain routing brokers. These entities centralize routing control for mission-critical traffic across domains, working in parallel to BGP. In this work, we propose using IXPs as natural points for stitching inter-domain paths under the control of inter-domain routing brokers. To evaluate the potential of this approach, we first map the global substrate of inter-IXP pathlets that IXP members could offer, based on measurements for 229 IXPs worldwide. We show that using IXPs as stitching points has two useful properties. Up to 91% of the total IPv4 address space can be served by such inter-domain routing brokers when working in concert with just a handful of large IXPs and their associated ISP members. Second, path diversity on the inter-IXP graph increases by up to 29 times, as compared to current BGP valley-free routing. To exploit the rich path diversity, we introduce algorithms that inter-domain routing brokers can use to embed paths, subject to bandwidth and latency constraints. We show that our algorithms scale to the sizes of the measured graphs and can serve diverse simulated path request mixes. Our work highlights a novel direction for SDN innovation across domains, based on logically centralized control and programmable IXP fabrics.

Routing centralization across domains via SDN

The Border Gateway Protocol (BGP) was designed almost three decades ago and has many limitations relating to its fully distributed nature, policy enforcement capabilities, scalability, security and complexity. For example, the control plane can take several minutes to converge after a routing change; this may be unacceptable for real-time network services. Despite many research proposals for incremental improvements and clean-slate redesigns of how inter-domain routing should work, BGP is likely one of the most ossified protocols of the Internet architecture and it has not retrofitted the proposed ideas. In this work, we propose a radical, incrementally deployable Internet routing paradigm in which the control plane of multiple networks is logically centralized. This follows the Software Defined Networking (SDN) paradigm, although at the inter-domain level involving multiple Autonomous Systems (AS). Multi-domain SDN centralization can be realized by outsourcing routing functions to an external contractor, which provides inter-domain routing services facilitated through a multi-AS network controller. The proposed model promises to become a vehicle for evolving BGP and uses the birds eye view over several networks to benefit aspects of inter-domain routing, such as convergence properties, policy conflict resolution, inter-domain troubleshooting, and collaborative security. In addition to the proposed paradigm, we introduce a publicly available emulation platform built on top of Mininet and the Quagga routing software, for experimenting on hybrid BGP-SDN AS-level networks. As a proof of concept, we focus specifically on exploiting multi-domain centralization to improve BGPs slow convergence. We build and make publicly available a first multi-AS controller tailored to this use case and demonstrate experimentally that SDN centralization helps to linearly reduce BGP convergence times and churn rates with expanding SDN deployments.

A Comparative Look into Public IXP Datasets

Internet eXchange Points (IXPs) are core components of the Internet infrastructure where Internet Service Providers (ISPs) meet and exchange traffic. During the last few years, the number and size of IXPs have increased rapidly, driving the flattening and shortening of Internet paths. However, understanding the present status of the IXP ecosystem and its potential role in shaping the future Internet requires rigorous data about IXPs, their presence, status, participants, etc. In this work, we do the first cross-comparison of three well-known publicly available IXP databases, namely of PeeringDB, Euro-IX, and PCH. A key challenge we address is linking IXP identifiers across databases maintained by different organizations. We find different AS-centric versus IXP-centric views provided by the databases as a result of their data collection approaches. In addition, we highlight differences and similarities w.r.t. IXP participants, geographical coverage, and co-location facilities. As a side-product of our linkage heuristics, we make publicly available the union of the three databases, which includes 40.2% more IXPs and 66.3% more IXP participants than the commonly-used PeeringDB. We also publish our analysis code to foster reproducibility of our experiments and shed preliminary insights into the accuracy of the union dataset.

A novel framework for modeling and mitigating distributed link flooding attacks

Distributed link-flooding attacks constitute a new class of attacks with the potential to segment large areas of the Internet. Their distributed nature makes detection and mitigation very hard. This work proposes a novel framework for the analytical modeling and optimal mitigation of such attacks. The detection is modeled as a problem of relational algebra, representing the association of potential attackers (bots) to potential targets. The analysis seeks to optimally dissolve all but the malevolent associations. The framework is implemented at the level of online Traffic Engineering (TE), which is naturally triggered on link-flooding events. The key idea is to continuously re-route traffic in a manner that makes persistent participation to link-flooding events highly improbable for any benign source. Thus, bots are forced to adopt a suspicious behavior to remain effective, revealing their presence. The load-balancing objective of TE is not affected at all. Extensive simulations on various topologies validate our analytical findings.

Evaluating the effect of centralization on routing convergence on a hybrid BGP-SDN emulation framework

A lot of applications depend on reliable and stable Internet connectivity. These characteristics are crucial for missioncritical services such as telemedical applications. An important factor that can affect connection availability is the convergence time of BGP, the de-facto inter-domain routing (IDR) protocol in the Internet. After a routing change, it may take several minutes until the network converges and BGP routing becomes stable again [13]. Kotronis et al. [8,9] propose a novel Internet routing approach based on SDN principles that combines several Autonomous Systems (AS) into groups, called clusters, and introduces a logically centralized routing decision process for the cluster participants. One of the goals of this concept is to stabilize the IDR system and bring down its convergence time. However, testing whether such approaches can improve on BGP problems requires hybrid SDN and BGP experimentation tools that can emulate multiple ASes. Presently, there is a lack of an easy to use public tool for this purpose. This work fills this gap by building a suitable emulation framework and evaluating the effect that a proof-of-concept IDR controller has on IDR convergence time.

OpenCache: Leveraging SDN to demonstrate a customisable and configurable cache

Efficient content delivery is a constantly evolving challenge on the modern Internet. Reducing the impact of duplicate deliveries of identical content is a key factor in reducing congestion and transit costs for smaller networks. This work leverages SDN concepts and mechanisms in order to transparently store and deliver content from a local cache to the client, thus lightening the load on the WAN and relieving the necessity for urgent network capacity upgrades. An open interface to the cache presents owners with new possibilities for cache control and maintenance. This demonstration showcases a prototype implementation in action on a large-scale OpenFlow testbed deployed across Europe.

Policy-compliant path diversity and bisection bandwidth

How many links can be cut before a network is bisected? What is the maximal bandwidth that can be pushed between two nodes of a network? These questions are closely related to network resilience, path choice for multipath routing or bisection bandwidth estimations in data centers. The answer is quantified using metrics such as the number of edge-disjoint paths between two network nodes and the cumulative bandwidth that can flow over these paths. In practice though, such calculations are far from simple due to the restrictive effect of network policies on path selection. Policies are set by network administrators to conform to service level agreements, protect valuable resources or optimize network performance. In this work, we introduce a general methodology for estimating lower and upper bounds for the policy-compliant path diversity and bisection bandwidth between two nodes of a network, effectively quantifying the effect of policies on these metrics. Exact values can be obtained if certain conditions hold. The approach is based on regular languages and can be applied in a variety of use cases.

ARTEMIS: Neutralizing BGP Hijacking within a Minute

Border gateway protocol (BGP) prefix hijacking is a critical threat to Internet organizations and users. Despite the availability of several defense approaches (ranging from RPKI to popular third-party services), none of them solves the problem adequately in practice. In fact, they suffer from: (i) lack of detection comprehensiveness, allowing sophisticated attackers to evade detection; (ii) limited accuracy, especially in the case of third-party detection; (iii) delayed verification and mitigation of incidents, reaching up to days; and (iv) lack of privacy and of flexibility in post-hijack counteractions, on the side of network operators. In this paper, we propose ARTEMIS, a defense approach (a) based on accurate and fast detection operated by the autonomous system itself, leveraging the pervasiveness of publicly available BGP monitoring services and their recent shift towards real-time streaming and thus (b) enabling flexible and fast mitigation of hijacking events. Compared to the previous work, our approach combines characteristics desirable to network operators, such as comprehensiveness, accuracy, speed, privacy, and flexibility. Finally, we show through real-world experiments that with the ARTEMIS approach, prefix hijacking can be neutralized within a minute.