ISBN: (Print) 9781665405225
Emerging distributed applications, such as big data analytics, generate a large number of flows that concurrently transport data across data center networks. To improve their performance, it is required to account for the behavior of such a collection of flows, i.e., coflows, rather than individual ones. State-of-the-art solutions achieve near-optimal completion time by continuously reordering unfinished coflows at the end-host and using network priorities. This paper shows that dynamically changing flow priorities at the end-host, without considering in-flight packets, can cause high degrees of packet reordering, thus imposing pressure on the congestion control and potentially harming network performance in the presence of switches with shallow buffers. We present pCoflow, a new solution that integrates end-host based coflow ordering with in-network scheduling based on packet history. Our evaluation shows that pCoflow improves in coflow completion time upon state-of-the-art solutions by up to 34% for varying loads.
According to a 2019 Radware report, guarding sensitive data is the highest priority area for investment in cyber security. This is no surprise given the high number of reported data breach incidents annually, and the implication of these on the individuals or organisations targeted. Data exfiltration is a key stage in this form of cyber-attack, and the use of the Domain Name System protocol for data exfiltration is popular due to the essential nature of the protocol for network communication. This paper presents a DNS data exfiltration Protection (DNSxP) security architecture leveraging Software-Defined Networking and data plane programmability. The solution is developed based on analysis of different malicious use cases for transmitting data over the DNS protocol. By performing coarse-grained packet filtering and analysis in the data plane, clearly benign or malicious traffic can be identified quickly, while suspicious traffic is passed to additional security controls at the SDN controller for classification. As the results demonstrate, this approach offers the combined benefit of reducing data loss during an exfiltration attack and reducing network resource consumption.
Industrial networks are introducing Internet of Things (IoT) technologies in their manufacturing processes in order to enhance existing methods and obtain smarter, greener and more effective processes. Global predictions forecast a massive spread of IoT technology in industrial sectors in the near future. However, these innovations face several challenges, such as achieving short response times in time-critical applications. Concepts like in-network computing or edge computing can provide adequate communication quality for these industrial environments, and data plane programming has proven to be a useful mechanism for their implementation. Specifically, the P4 language is used to define the behavior of programmable switches and network elements. This paper presents a solution for industrial IoT (IIoT) network communications that reduces response times using in-network computing through data plane programming and P4. Our solution processes Message Queuing Telemetry Transport (MQTT) packets sent by a sensor in the data plane and generates an alarm when the measured value exceeds a threshold. The implementation has been tested in an experimental facility, using a Netronome SmartNIC as a P4 programmable network device. Response times are reduced by 74% while processing, and the delay introduced by the P4 network processing is insignificant.
ISBN: (Print) 9781728181592
Publish/subscribe is a flexible communication pattern for loosely coupled distributed applications. The content-based variant matches each published notification against active subscriptions to determine a set of interested subscribers to which the notification is to be delivered. Since the recipient set can be different for each notification, it is challenging to find and install profitable forwarding rules on the network switches. In this paper, we present novel notification forwarding schemes implemented in P4 that use virtual trees (VTs) installed on switches and additional forwarding information encoded in notification packets that is used to connect VTs, to extend VT branches, or to cut off VT subtrees. For deriving beneficial VTs, we consider (i) topological properties of the physical network, (ii) publisher/subscriber relationships, and (iii) notification statistics. We present a generic algorithm for encoding distribution trees and evaluate our forwarding schemes in a data center network. The results show that our schemes perform well and save network bandwidth by reducing the notification header length.
ISBN: (Print) 9783948377021
We currently see a shift from fixed-function network devices with limited configurability towards network devices with a fully programmable processing pipeline. A prominent example of this development is P4 that provides a language and reference architecture model to design and program network devices. The core element of this reference model is the programmable match-action table that defines the processing steps for the network packets. In this paper, we demonstrate that these tables, which we use to create our own modeling framework, are the key driver of device performance. P4-programmable devices come in a wide variety regarding their underlying hardware architecture, such as CPU-based systems or ASICs, as representatives of both ends of the spectrum. CPU-based P4 target platforms offer limited performance but are easily extensible. ASIC P4 targets have dedicated P4 processing pipelines with limited programmability but offer highly optimized performance. To reflect these fundamental differences, our modeling framework incorporates different approaches to accurately model and predict the performance of P4-enabled devices.
ISBN: (Print) 9781728143873
P4 introduces a standardized, universal way for data plane programming. Secure and resilient communication typically involves the processing of payload data and specialized cryptographic hash functions. We observe that current P4 targets lack the support for both. Therefore, applications and protocols, which require message authentication codes or hashing structures that are resilient against attacks such as denial-of-service, cannot be implemented. To enable authentication and resilience, we make the case for extending P4 targets with cryptographic hash functions. We propose an extension of the P4 Portable Switch Architecture for cryptographic hashes and discuss our prototype implementations for three different P4 target platforms: CPU, NPU, and FPGA. To assess the practical applicability, we conduct a performance evaluation and analyze the resource consumption. Our prototype implementations show that cryptographic hashing can be integrated efficiently. We cannot identify a single hash function delivering satisfying performance on all investigated platforms. Therefore, we recommend a set of hash functions to optimize target-specific performance.
Network operators are facing great challenges in terms of cost and complexity in order to incorporate new communication technologies (e.g., 4G, 5G, fiber) and to keep up with the increasing demands of new network services that address emerging use cases. Softwarizing network operations using the Software-Defined Networking (SDN) and Network Function Virtualization (NFV) paradigms can simplify control and management of networks and provide network services in a cost-effective way. SDN decouples control and data traffic processing in the network and centralizes the control traffic processing to simplify network management, but may face scalability issues for the same reasons. NFV decouples the hardware and software of network appliances for cost-effective operation of network services, but faces performance degradation due to data traffic processing in software. In order to address scalability and performance issues in SDN/NFV, we propose in the first part of the thesis a modular network control and management architecture, in which the SDN controller delegates part of its responsibilities to specific network functions instantiated in network devices at strategic locations in the infrastructure. We have chosen to focus on a modern application using an IP multicast service for live video streaming applications (e.g., Facebook Live or Periscope) that illustrates the SDN scalability problems well. Our solution exploits the benefits of the NFV paradigm to address the scalability issue of the centralized SDN control plane by offloading the processing of multicast-service-specific control traffic to Multicast Network Functions (MNFs) implemented in software and executed in an NFV environment at the edge of the network. Our approach provides smart, flexible and scalable group management and leverages the centralized control of SDN for a Lazy Load Balance Multicast (L2BM) traffic engineering policy in software-defined ISP networks. Evaluation of this approach is tricky, as real world SDN tes