Publication


Featured research published by Xitao Wen.


IEEE ACM Transactions on Networking | 2014

OSA: an optical switching architecture for data center networks with unprecedented flexibility

Kai Chen; Ankit Singla; Atul Singh; Lei Xu; Yueping Zhang; Xitao Wen; Yan Chen

A detailed examination of evolving traffic characteristics, operator requirements, and network technology trends suggests a move away from nonblocking interconnects in data center networks (DCNs). As a result, recent efforts have advocated oversubscribed networks with the capability to adapt to traffic requirements on-demand. In this paper, we present the design, implementation, and evaluation of OSA, a novel Optical Switching Architecture for DCNs. Leveraging runtime reconfigurable optical devices, OSA dynamically changes its topology and link capacities, thereby achieving unprecedented flexibility to adapt to dynamic traffic patterns. Extensive analytical simulations using both real and synthetic traffic patterns demonstrate that OSA can deliver high bisection bandwidth (60%-100% of the nonblocking architecture). Implementation and evaluation of a small-scale functional prototype further demonstrate the feasibility of OSA.


ACM Special Interest Group on Data Communication | 2013

Towards a secure controller platform for openflow applications

Xitao Wen; Yan Chen; Chengchen Hu; Chao Shi; Yi Wang

The OpenFlow (OF) paradigm embraces third-party development efforts, and therefore suffers from potential trust issues on OF applications (apps). The abuse of such trust could lead to various types of attacks impacting the entire network. In this paper, we propose PermOF, a fine-grained permission system, as the first line of defense, in order to apply minimum privilege on apps. We summarize a set of 18 permissions to be enforced at the API entry of the controller. To accommodate the isolation requirements, we propose a customized isolation mechanism, which achieves comprehensive resource isolation and access control.


International Conference on Computer Communications | 2015

WaveCube: A scalable, fault-tolerant, high-performance optical data center architecture

Kai Chen; Xitao Wen; Xingyu Ma; Yan Chen; Yong Xia; Chengchen Hu; Qunfeng Dong

Optical data center networks (DCNs) are becoming increasingly attractive due to their technological strengths compared to traditional electrical networks. However, prior optical DCNs are either hard to scale, vulnerable to single point of failure, or provide limited network bisection bandwidth for many practical DCN workloads. To this end, we present WaveCube, a scalable, fault-tolerant, high-performance optical DCN architecture. To scale, WaveCube removes MEMS, a potential bottleneck, from its design. WaveCube is fault-tolerant since it does not have single point of failure and there are multiple node-disjoint parallel paths between any pair of Top-of-Rack (ToR) switches. WaveCube delivers high performance by exploiting multi-pathing and dynamic link bandwidth along the path. Our extensive evaluation results show that WaveCube outperforms previous optical DCNs by up to 400% and delivers network bisection bandwidth that is 70%-85% of an ideal non-blocking network under both realistic and synthetic traffic patterns. WaveCube's performance degrades gracefully under failures - it drops 20% even with 20% links cut. WaveCube also holds promise in practice - its wiring complexity is orders of magnitude lower than Fattree, BCube and c-Through at large scale, and its power consumption is 35% of them.


Computer Networks | 2014

VirtualKnotter: Online virtual machine shuffling for congestion resolving in virtualized datacenter

Shihong Zou; Xitao Wen; Kai Chen; Shan Huang; Yan Chen; Yongqiang Liu; Yong Xia; Chengchen Hu

Our measurements on production datacenter traffic together with recently-reported results (Kandula et al.) [1] suggest that datacenter networks suffer from long-lived congestion caused by core network oversubscription and unbalanced workload placement. In contrast to traditional traffic engineering approaches that optimize flow routing, in this paper, we explore the opportunity to address the continuous congestion via optimizing VM placement in virtualized datacenters. To this end, we present VirtualKnotter to reduce congestion with controllable VM migration traffic as well as low migration time, which includes an online VM placement algorithm and an efficient VM migration scheduling algorithm. Our evaluation with both real and synthetic traffic patterns shows that VirtualKnotter performs close to the baseline algorithm in terms of link unitization, with only 5–10% migration traffic of the baseline algorithm. Furthermore, VirtualKnotter decreases link congestion time by 53% for the production datacenter traffic.


ACM Special Interest Group on Data Communication | 2014

Compiling minimum incremental update for modular SDN languages

Xitao Wen; Chunxiao Diao; Xun Zhao; Yan Chen; Li Erran Li; Bo Yang; Kai Bu

Measurement results show that updating rules on switches poses major latency overhead during the course of the policy update. However, current SDN policy compilers do not handle policy updates well and generate a large amount of redundant rule updates, most of which modify only the priority field. Our analysis shows that the lack of knowledge on the rule dependency and the consecutively distributed priority numbers are the fundamental problems behind the redundancy. In this paper, we propose to tackle the problems through 1) an extended policy compiler that builds rule dependency along with the compilation, and 2) an online optimization algorithm that maintains a scattered priority distribution. Our preliminary evaluation demonstrates that our proposed patch can eliminate nearly all the priority updates.


International Conference on Distributed Computing Systems | 2012

VirtualKnotter: Online Virtual Machine Shuffling for Congestion Resolving in Virtualized Datacenter

Xitao Wen; Kai Chen; Yan Chen; Yongqiang Liu; Yong Xia; Chengchen Hu

Our measurements on production data center traffic together with recently reported results suggest that data center networks suffer from long-lived congestion caused by core network over subscription and unbalanced workload placement. In contrast to traditional traffic engineering approaches that optimize flow routing, in this paper, we explore the opportunity to address the continuous congestion via optimizing VM placement in virtualized data centers. To this end, we present Virtual Knotter, an efficient online VM placement algorithm to reduce congestion with controllable VM migration traffic as well as low time complexity. Our evaluation with both real and synthetic traffic patterns shows that Virtual Knotter performs close to the baseline algorithm in terms of link unitization, with only 5%-10% migration traffic of the baseline algorithm. Furthermore, Virtual Knotter decreases link congestion time by 53% for the production data center traffic.


IEEE International Conference Computer and Communications | 2016

Is every flow on the right track?: Inspect SDN forwarding with RuleScope

Kai Bu; Xitao Wen; Bo Yang; Yan Chen; Li Erran Li; Xiaolin Chen

Software-Defined Networking (SDN) promises unprecedentedly flexible network management but it is susceptible to forwarding faults. Such faults originate from data-plane rules with missing faults and priority faults. Yet existing fault detection ignores priority faults because they were not discovered on commercial switches until recently. In this paper, we present RuleScope, a more comprehensive solution for inspecting SDN forwarding. RuleScope offers a series of accurate and efficient algorithms for detecting and troubleshooting rule faults. They inspect forwarding behavior using customized probe packets to exercise data-plane rules. The detection algorithm exposes not only missing faults but also priority faults. Beyond simply detecting rule faults, the troubleshooting algorithms uncover actual data-plane flow tables. They help track real-time forwarding status and benefit reliable network monitoring. We explore various techniques for enhancing algorithm efficiency without sacrificing inspection accuracy. Experiments with our prototype on the Ryu SDN controller and Pica8 P-3297 switch show that RuleScope achieves accurate and efficient forwarding inspection with limited bandwidth and packet-switching overhead.


Computer and Communications Security | 2012

Virtual browser: a virtualized browser to sandbox third-party JavaScripts with enhanced security

Yinzhi Cao; Zhichun Li; Vaibhav Rastogi; Yan Chen; Xitao Wen

Third party JavaScripts not only offer much richer features to the web and its applications but also introduce new threats. These scripts cannot be completely trusted and executed with the privileges given to host web sites. Due to incomplete virtualization and lack of tracking all the data flows, all existing approaches without native sandbox support can secure only a subset of third party JavaScripts, and they are vulnerable to attacks encoded in non-standard HTML/JavaScript (browser quirks) as these approaches will parse third party JavaScripts independently at server side without considering client-side non-standard parsing quirks. At the same time, native sandboxes are vulnerable to attacks based on unknown native JavaScript engine bugs. In this paper, we propose Virtual Browser, a full browser-level virtualized environment within existing browsers for executing untrusted third party code. Our approach supports more complete JavaScript language features including those hard-to-secure functions, such as with and eval. Since Virtual Browser does not rely on native browser parsing behavior, there is no possibility of attacks being executed through browser quirks. Moreover, given the third-party Javascripts are running in Virtual Browser instead of native browsers, it is harder for the attackers to exploit unknown vulnerabilities in the native JavaScript engine. In our design, we first completely isolate Virtual Browser from the native browser components and then introduce communication by adding data flows carefully examined for security. The evaluation of the Virtual Browser prototype shows that our execution speed is the same as Microsoft Web Sandbox [5], a state of the art runtime web-level sandbox. In addition, Virtual Browser is more secure and supports more complete JavaScript for third party JavaScript development.


International Conference on Distributed Computing Systems | 2016

RuleTris: Minimizing Rule Update Latency for TCAM-Based SDN Switches

Xitao Wen; Bo Yang; Yan Chen; Li Erran Li; Kai Bu; Peng Zheng; Yang Yang; Chengchen Hu

Software-defined network (SDN) is deemed to enable more dynamic management of data center networks that promptly respond to network events with changes in network policies. Although the SDN controller architecture is increasingly optimized for swift policy updates, the data plane, especially the prevailing TCAM-based flow tables on physical SDN switches, remains unoptimized for fast rule updates, and is gradually becoming the primary bottleneck along the policy update pipeline. In this paper, we present RuleTris, the first SDN update optimization framework that minimizes rule update latency for TCAM-based switches. RuleTris employs the dependency graph (DAG) as the key abstraction to minimize the update latency. RuleTris efficiently obtains the DAGs with novel dependency preserving algorithms that incrementally build rule dependency along with the compilation process. Then, in the guidance of the DAG, RuleTris optimizes the rule updates in TCAM to avoid unnecessary entry moves, which are the main cause of TCAM update inefficiency. We prove that RuleTris generates TCAM updates with the minimum number of TCAM entry moves. In evaluation, RuleTris achieves a median of <12ms and 90-percentile of <15ms the end-to-end per-rule update latency on our hardware prototype, outperforming the state-of-the-art composition compiler CoVisor by ~20 times.


Dependable Systems and Networks | 2016

SDNShield: Reconciliating Configurable Application Permissions for SDN App Markets

Xitao Wen; Bo Yang; Yan Chen; Chengchen Hu; Yi Wang; Bin Liu; Xiaolin Chen

The OpenFlow paradigm embraces third-party development efforts, and therefore suffers from potential attacks that usurp the excessive privileges of control plane applications (apps). Such privilege abuse could lead to various attacks impacting the entire administrative domain. In this paper, we present SDNShield, a permission control system that helps network administrators to express and enforce only the minimum required privileges to individual controller apps. SDNShield achieves this goal through (i) fine-grained SDN permission abstractions that allow accurate representation of app behavior boundary, (ii) automatic security policy reconciliation that incorporates security policies specified by administrators into the requested app permissions, and (iii) a lightweight thread-based controller architecture for controller/app isolation and reliable permission enforcement. Through prototype implementation, we verify its effectiveness against proof-of-concept attacks. Performance evaluation shows that SDNShield introduces negligible runtime overhead.

Collaboration

Top Co-Authors

Yan Chen
Northwestern University

Chengchen Hu
Xi'an Jiaotong University

Kai Chen
Hong Kong University of Science and Technology

Kai Bu
Zhejiang University

Xiaolin Chen
Northwestern University

Xingyu Ma
University of California