Yaniv Ben-Itzhak

EnforSDN: Network policies enforcement with SDN

Network services, such as security, load-balancing, and monitoring, are an indisputable part of modern networking infrastructure and are traditionally realized as specialized appliances or middleboxes. Middleboxes complicate the management, the deployment, and the operations of the entire network. Moreover, they induce network performance issues and scalability limitations by requiring huge amounts of traffic to be, often sub-optimally redirected, and sometimes redundantly processed. Recent trends of server virtualization and Network Function Virtualization (NFV) exacerbate these scalability and performance issues. In this paper, we present EnforSDN - a new management approach that exploits SDN principles to decouple the policy resolution layer from the policy enforcement layer in network service appliances. Our approach improves the enforcement management, network utilization and communication latency, without compromising the policy and the functionality of the network. Using emulated SDN-based data center environment, we demonstrate higher throughput and lower latency achieved with EnforSDN, as compared to a baseline SDN network. In addition, we show that EnforSDN reduces the overall network appliances load, as well as the forwarding tables size.

Networking Architecture for Seamless Cloud Interoperability

Seamless cloud interoperability is highly desired but not yet easily attainable in the current cloud solutions market. This work tackles one aspect of achieving cloud interoperability, namely, inter-cloud networking. We list the requirements and propose an inter-cloud networking architecture for a case of independent clouds owned by different entities and powered by different cloud management and network virtualization technologies. Then we validate the proposed architecture by describing an example of working implementation for Open Stack cloud powered by Open Daylight Open DOVE SDN solution. Finally, we compare our architecture to the existing solutions.

NoEncap: overlay network virtualization with no encapsulation overheads

Overlay network virtualization quickly gains traction in todays multi-tenant data centers due to its ability to provide independent virtual networks, at scale, along with complete isolation from the underlying physical network. Despite the benefits, performance degradation due to the imposed perpacket encapsulation overhead is a serious impediment. Mitigation approaches are mostly hardware based and thus depend on costly networking gear upgrades and suffer from lesser flexibility and longer times to market, compared to software solutions. Software optimizations proposed so far are limited in scope, applicability, and interoperability. In this paper we present NoEncap, a software-only opt mization, capable of eliminating almost completely the overheads, while fully preserving the benefits of an overlay-based network virtualization.

Composite-Path Switching

Hybrid switching combines a high-bandwidth optical circuit switch in parallel with a low-bandwidth electronic packet switch. It presents an appealing solution for scaling datacenter architectures. Unfortunately, it does not fit many traffic patterns produced by typical datacenter applications, and in particular the skewed traffic patterns that involve highly intensive one-to-many and many-to-one communications. In this paper, we introduce composite-path switching by allowing for composite circuit/packet paths between the two switches. We show how this enables the datacenter network to deal with skewed traffic patterns, and offer a practical scheduling algorithm that can directly extend any hybrid-switching scheduling algorithm. Through extensive evaluations using modern datacenter workloads, we show how our solution outperforms two recently proposed state-of-the-art scheduling techniques, both in completion time and in circuit utilization.

Combining optics and SDN to enable true hybrid integration of electronic and photonic switching solutions

We present two hybrid fabrics integrating optical and electronic switches with SDN, and a novel approach improving the scaling of fast optical switches. C-Share reroute flows through optical switches increasing network performance. E-WDM exploits the optical switch transparency by emulating wavelength switching in electronic switches.

Cluster-Based Load Balancing for Better Network Security

In the big-data era, the amount of traffic is rapidly increasing. Therefore, scaling methods are commonly used. For instance, an appliance composed of several instances (scaled-out method), and a load-balancer that distributes incoming traffic among them. While the most common way of load balancing is based on round robin, some approaches optimize the load across instances according to the appliance-specific functionality. For instance, load-balancing for scaled-out proxy-server that increases the cache hit ratio. In this paper, we present a novel load-balancing approach for machine-learning based security appliances. Our proposed load-balancer uses clustering method while keeping balanced load across all of the network security appliances instances. We demonstrate that our approach is scalable and improves the machine-learning performance of the instances, as compared to traditional load-balancers.

Utilizing Optical Circuits in Hybrid Packet/Circuit Data-Center Networks

Existing Data Center Networks (DCNs) continue to evolve to keep up with application requirements in terms of bandwidth, latency, agility, etc. According to the updated release of the Cisco Global Cloud Index [1], by 2019, more than 86% of traffic workloads will be processed by cloud DCs. Traditional DCNs, which are based on electrical packet switching (EPS) with hierarchical, tree-like topologies can no longer support future cloud traffic requirements in terms of dynamicity, bandwidth and latency. Hence, existing DCNs can be enhanced with OCS (Optical Circuit Switching), which provides high bandwidth, low latency and low power consumption [2], giving rise to hybrid OCS-EPS topologies. In this research, we assess a virtualized, hybrid, flat DCN topology consisting of a single layer of high radix ToR (Top of Rack) switches, interconnected with each other and through an OCS plane. The benefit of such flat topology is twofold: 1) In terms of bandwidth, over-subscription is reduced, and bisection bandwidth is increased; and 2) In terms of latency, the diameter (longest path) of topology is reduced. Moreover, we present new algorithms and orchestration functionality to detect and offload suitable flows (e.g. elephant flows) from the EPS to the OCS plane. Our DC architecture consists of hybrid EPS-OCS DCN, an Openflow(OF) based control plane, and an orchestration layer. Our orchestration layer decouples the elephant flows detection from the rerouting decision logic in the DCN. Specifically, the elephant flows detection is done by flow tagging in the hypervisor, while the flow rerouting is executed at the EPSs, which are connected directly to the OCS. Hence, it provides a more efficient, scalable, and easy to configure architecture as compared to existing hybrid solutions. The orchestrator monitors the ToR switches by sFlow and detects high volume traffic between two ToRs, exceeding a given bandwidth threshold. Such traffic may consist of either few elephant flows or many mice flows. To further increase the optical circuit utilization, we introduce two types of optical circuits: 1) private circuit, presented in existing solutions, is utilized only by flows that originate and end at the ToR switches connected to the circuit endpoints. 2) shared circuit, is part of our novel approach. It can be used also by flows that are transmitted through ToR switches connected to the circuit endpoints, but originate and/or end at other ToRs. Moreover, the orchestrator may dynamically decide to configure private or shared optical circuits, according to various criteria including current network utilization, traffic flows nature, tenants SLAs, etc. Configuring or changing the optical circuit type requires installing a single OpenFlow rule for each ToR connected to the circuit endpoints; hence, enabling low overhead and fast network configuration. To assess the benefit of such optical circuit configurations, we implement the proposed algorithms and test them over an emulated data and control plane environment. We evaluate the network performance for various network traffic scenarios for both private and shared optical circuits, and compare them to an EPS-only baseline topology with the same total link bandwidth. Our preliminary results show that the shared optical circuits introduce an improvement of 5% to 10% as compared to the commonly used private circuits. The research is partially supported by the European Communitys Seventh Framework Programme (FP7/2001-2013) under grant agreement no. 619572 (COSIGN Project).