Similar literature
1.
A hardware‐acceleration architecture that separates virtual network functions (VNFs) and network control (called HSN) is proposed to solve the mismatch between the simple flow steering requirements and strong packet processing abilities of software‐defined networking (SDN) forwarding elements (FEs) in SDN/network function virtualization (NFV) architecture, while improving the efficiency of NFV infrastructure and the performance of network‐intensive functions. HSN makes full use of FEs and accelerates VNFs through two mechanisms: (1) separation of traffic steering and packet processing in the FEs; (2) separation of SDN and NFV control in the FEs. Our HSN prototype, built on NetFPGA‐10G, demonstrates that the processing performance can be greatly improved with only a small modification of the traditional SDN/NFV architecture.

2.
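Software-defined networking (SDN) adopts an architecture that separates control from forwarding, allowing researchers to implement arbitrary network control logic in software without modifying the network devices themselves. This great flexibility has led to its study and application in routing decisions, network virtualization, wireless access, cloud data center networks, and other areas, making it a hot technology. While SDN is developing vigorously, however, it also introduces new security risks and new security problems. On the other hand, SDN also challenges traditional security technologies and brings opportunities for the development of innovative network security applications. In view of this, this paper surveys the state of research on SDN security in light of the characteristics of the SDN architecture, covering SDN security risk analysis and security technologies and applications, and reflects on the significance of SDN for information security.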

3.
Software‐defined networking (SDN) acts as a centralized management unit, especially in a network with devices that operate under the transport layer of the OSI model. However, when a network with layer 7 middleboxes (MBs) is considered, current SDNs exhibit limitations. As such, to achieve a real‐centralized management unit, a new architecture is required that decouples the data and control planes of all network devices. In this report, we propose such a complementary architecture to the current SDN in which SDN‐enabled MBs are included along with contemporary SDN‐enabled switches. The management unit of this architecture improves network performance and reduces routing cost by considering the status of the MBs during flow forwarding. This unit consists of the following two parts: an SDN controller (SDNC) and a middlebox controller (MBC). The latter selects the best MBs for each flow and the former determines the best path according to its routing algorithm and provides information via the MBC. The results show that the proposed architecture improved performance because the utilization of all network devices including MBs is manageable.

4.
In view of the problems of low routing efficiency, complex control process, and difficult network management in big data environment in the traditional integrated space‐terrestrial network, in the paper, we propose a satellite network architecture called software‐defined information centric satellite networking (SDICSN) based on software‐defined networking (SDN) and information‐centric networking (ICN), and we design a virtual node matrix routing algorithm (VNMR) under the SDICSN architecture. The SDICSN architecture realizes the flexibility of network management and business deployment through the features of the separation of forwarding and controlling by the SDN architecture and improves the response speed of requests in the network by the centric of “content” as the ICN idea. According to the periodicity and predictability of the satellite network, the VNMR algorithm obtains the routing matrix through the relative orientation of the source and destination nodes, thus reducing the spatial complexity of the input matrix of the Dijkstra algorithm and then reducing the time complexity of the routing algorithm. For forwarding information base (FIB), the mechanism of combination of event driven and polling can be quickly updated in real time. Finally, the advantages of the SDICSN architecture in routing efficiency, request delay, and request aggregation are verified by simulation.

5.
In recent years, named data networking (NDN) has been accepted as the most popular future paradigm and attracted much attention, of which the routing model contains interest forwarding and content delivery. However, interest forwarding is far from the bottleneck of routing optimization; instead, the study on content delivery can greatly promote routing performance. Although many proposals on content delivery have been investigated, they have not considered packet‐level caching and deep traffic aggregation, which goes against the performance optimization of content delivery. In this paper, we propose a packet‐level‐based traffic aggregation (PLTA) scheme to optimize NDN content delivery. At first, the packet format is devised, and data plane development kit (DPDK) is used to ensure same size for each packet. Then, the whole delivery scheme with traffic aggregation consideration is presented. The simulation is driven by the real YouTube dataset over Deltacom, NSFNET, and CERNET topologies, and the experimental results demonstrate that the proposed PLTA has better delivery performance than three baselines in terms of cache hit ratio, delivery delay, network load, and energy efficiency.

6.
Volume of the Internet traffic has increased significantly in recent years. Service providers (SPs) are now striving to make resource management and considering dynamically changing large volume of network traffic. In this context, software defined networking (SDN) has been alluring the attention of SPs, as it provides virtualization, programmability, ease of management, and so on. Yet severe scalability issues are one of the key challenges of the SDN due to its centralized architecture. First of all, SDN controller may become the bottleneck as the number of flows and switches increase. It is because routing and admission control decisions are made per flow basis by the controller. Second, there is a signaling overhead between the controller and switches since the controller makes decisions on behalf of them. In line with the aforementioned explanations, this paper proposes an SDN‐based scalable routing and resource management model (SRRM) for SPs. The proposed model is twofold. SRRM performs routing, admission control, and signaling operations (RASOs) in a scalable manner. Additionally, resource management has also been accomplished to increase link use. To achieve high degree of scalability and resource use, pre‐established paths (PEPs) between each edge node in the domain are provided. The proposed controller performs RASOs based on PEPs. The controller also balances the load of PEPs and adjusts their path capacities dynamically to increase resource use. Experimental results show that SRRM can successfully perform RASOs in a scalable way and also increase link use even under heavy traffic loads.

7.
Recently, new network systems have begun to emerge (for instance, 5G, IoT, and ICN) that require capabilities beyond that provided by existing IP networking. To fulfill the requirements, some new networking technologies are being proposed. The promising approach of the new networking technology is to try to overcome the architectural limitations of IP networking by adopting an identifier (ID)‐based networking concept in which communication objects are identified independently from a specific location and mechanism. However, we note that existing ID‐based networking proposals only partially meet the requirements of emerging and future networks. This paper proposes a new ID‐based networking architecture and mechanisms, named IDNet, to meet all of the requirements of emerging and future networks. IDNet is designed with four major functional blocks — routing, forwarding, mapping system, and application interface. For the proof of concept, we develop numeric models for IDNet and implement a prototype of IDNet.

8.
Mobility management applied to the traditional architecture of the Internet has become a great challenge because of the exponential growth in the number of devices that can connect to the network. This article proposes a Software‐Defined Networking (SDN)‐based architecture, called SDN‐DMM (SDN‐Distributed Mobility Management), that deals with the distributed mode of mobility management in heterogeneous access networks in a simplified and efficient way, ensuring mainly the continuity of IP sessions. Intent‐based mobility management with an IP mapping schema for mobile node identification offers optimized routing without tunneling techniques, hence, an efficient use of the network infrastructure. The simplified mobility control API reduces both signaling and handover latency costs and provides a better scalability and performance in comparison with traditional and SDN‐based DMM approaches. An analytical evaluation of such costs demonstrated the better performance of SDN‐DMM, and a proof of concept of the proposal was implemented in a real environment.

9.

SDN enables a new networking paradigm likely to improve system efficiency, where complex networks are easily managed and controlled. SDN allows network virtualization and advanced programmability for customizing the behaviour of networking devices with user-defined features even at run time. SDN separates network control and data planes. Network management and operation are intelligently controlled, such that routing is eliminated from forwarding elements (switches) while the routing logic is shifted to a centralized module named the SDN Controller. Mininet is a Linux-based network emulator that is cost-effective for implementing SDN, with built-in support for OpenFlow switches. This paper presents a practical implementation of Mininet with ns-3 using Wi-Fi. Previous results reported in the literature were limited to up to 512 nodes in Mininet. Tests are conducted in Mininet by varying the number of nodes in two distinct scenarios based on the scalability and resource capabilities of the host system. We present a low-cost and reliable method allowing scalability with authenticity of results in a real-time environment. Simulation results show a marked improvement in the time required for creating a topology designed for 3 nodes with powerful resources, i.e. only 0.077 sec, and 4.512 sec with limited resources; however, with 2047 nodes the required time is 1623.547 sec for powerful resources and 4615.115 sec with less capable resources, respectively.


10.
史衍伟, 曹争. 《通信学报》, 2014, 35(Z1): 15-81
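The interconnection mechanism between SDN networks and traditional IP networks is a current research hotspot in academia, but existing solutions are not applicable to all application scenarios. To this end, an OSPF-based architecture called IMISA is proposed: within an autonomous system containing an SDN subnet (based on OpenFlow) and an IP subnet, an OSPF routing module is added to the SDN controller and the OSPF protocol is used to exchange each network's information, ultimately achieving interconnection of the two kinds of network.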

11.
Software‐defined networks (SDNs) decouple the data plane from the control plane. Thus, it provides logically centralized visibility of the entire networking infrastructure to the controller. It enables the applications running on top of the control plane to innovate through network management and programmability. To envision the centralized control and visibility, the controller needs to discover the networking topology of the entire SDN infrastructure. However, discovering and maintaining a global view of the underlying network topology is a challenging task because of (i) frequently changing network topology caused by migration of the virtual machines in the data centers, mobile, end hosts and change in the number of data plane switches because of technical faults or network upgrade; (ii) lack of authentication mechanisms and scarcity in SDN standards; and (iii) availability of security solutions during topology discovery process. To this end, the aim of this paper is threefold. First, we investigate the working methodologies used to achieve global view by different SDN controllers, specifically, POX, Ryu, OpenDaylight, Floodlight, Beacon, ONOS, and HPEVAN. Second, we identify vulnerabilities that affect the topology discovery process in the above controller implementation. In particular, we provide a detailed analysis of the threats namely link layer discovery protocol (LLDP) poisoning, LLDP flooding, and LLDP replay attack concerning these controllers. Finally, to countermeasure the identified risks, we propose a novel mechanism called TILAK which generates random MAC destination addresses for LLDP packets and use this randomness to create a flow entry for the LLDP packets. It is a periodic process to prevent LLDP packet‐based attacks that are caused only because of lack of verification of source authentication and integrity of LLDP packets. The implementation results for TILAK confirm that it covers targeted threats with lower resource penalty.  相似文献   

12.
李园利, 王宇. 《国外电子元器件》, 2013, (23): 100-102, 107
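At present, most IP-capable satellite systems merely provide a physical channel connecting terrestrial routers, which makes it difficult to meet new demands such as bandwidth access, multimedia services, and satellite-terrestrial network integration. To this end, a GEO satellite system in which both packet transmission and switching are based on IP is proposed. It adopts a layer-3 routing-and-switching networking scheme, achieving fast link-layer forwarding of user information within the same switching domain and network-layer routing and switching of user IP information between different switching domains. Finally, the adaptability of RIP, the simplest routing protocol, in this GEO satellite network is studied, and the OPNET simulation software is used for modeling, simulation, and analysis of the results.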

13.
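To address the lack of a secure and efficient data-origin verification mechanism in software-defined networking (SDN), this paper proposes a packet forwarding verification mechanism based on cryptographic identifiers. First, a packet forwarding verification model based on cryptographic identifiers is established, in which the cryptographic identifier serves as the pass for IP packets entering and leaving the network. Second, an SDN batch anonymous authentication protocol is designed that delegates the verification function of the SDN controller to the SDN switches; the switches perform user identity verification and cryptographic identifier verification and quickly filter out illegitimate packets such as forged or tampered ones, improving the efficiency of unified authentication and management by the SDN controller while also providing users with conditional privacy protection. A cryptographic-identifier-based packet sampling verification scheme at arbitrary nodes is proposed, in which no attacker can bypass packet inspection by inferring the sampling, ensuring packet authenticity while reducing processing delay. Finally, security analysis and performance evaluation are carried out. The results show that the mechanism can quickly detect packet forgery and tampering and resist ID analysis attacks, while introducing a forwarding delay of approximately 9.6% and a communication overhead of less than 10%.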

14.
The evolved packet core (EPC) network is the mobile network standardized by the 3rd Generation Partnership Project and represents the recent evolution of mobile networks providing high‐speed data rates and on‐demand connectivity services. Software‐defined networking (SDN) is recently gaining momentum in network research as a new generation networking technique. An SDN‐based EPC is expected to introduce gains to the EPC control plane architecture in terms of simplified, and perhaps even software‐based, vendor independent infrastructure nodes. In this paper, we propose a novel SDN‐based EPC architecture along with the protocol‐level detailed implementation and provide a mechanism for identifying information fields exchanged between SDN‐EPC entities that maintains correct functionality with minimal impact on the conventional design. Furthermore, we present the first comprehensive network performance evaluation for the SDN‐based EPC versus the conventional EPC and provide a comparative analysis of 2 networks performances identifying potential bottlenecks and performance issues. The evaluation focuses on 2 network control operations, namely, the S1‐handover and registration operations, taking into account several factors, and assessing performance metrics such as end‐to‐end delay (E2ED) for completion of the respective control operation, and EPC nodes utilization figures.

15.
The software‐defined networking (SDN) paradigm proposes to decouple the control plane (decision‐making process) and the data plane (packet forwarding) to overcome the limitations of traditional network infrastructures, which are known to be difficult to manage, especially at scale. Although there are previous works focusing on the problem of quality of service (QoS) routing in SDN networks, only few solutions have taken into consideration the network consistency, which reflects the adequacy between the decisions made and the decisions that should be taken. Therefore, we propose a network architecture that guarantees the consistency of the decisions to be taken in an SDN network. A consistent QoS routing strategy is then introduced in a way that avoids any quality degradation of prioritized traffic while optimizing resources usage. Thus, we proposed a traffic dispersion heuristic in order to achieve this goal. We compared our approach with several existing framework in terms of best‐effort flows average throughput, average video bitrate, and video quality of experience (QoE). The emulation results, which are performed using the Mininet environment, clearly demonstrate the effectiveness of the proposed approach that outperforms existing frameworks.

16.
Software-defined networking (SDN) scheme decouples network control plane and data plane, which can improve the flexibility of traffic management in networks. OpenFlow is a promising implementation instance of SDN scheme and has been applied to enterprise networks and data center networks in practice. However, it has less effort to spread SDN control scheme over the Internet to conquer the ossification of inter-domain routing. In this paper, we further innovate to the SDN inter-domain routing inspired by the OpenFlow protocol. We apply SDN flow-based routing control to inter-domain routing and propose a fine-granularity inter-domain routing mechanism, named SDI (Software Defined Inter-domain routing). It enables inter-domain routing to support the flexible routing policy by matching multiple fields of IP packet header. We also propose a method to reduce redundant flow entries for inter-domain settings. And, we implement a prototype and deploy it on a multi-domain testbed.

17.
Various services of internet of things (IoT) require flexible network deployment to guarantee different quality of service (QoS). Aiming at the problem of IoT service function chain deployment, network function virtualization (NFV) and software defined networking (SDN) were combined to optimize resources. Considering forwarding cost and traffic load balance, a joint optimization model of virtual network function placement and service function chain routing was given and was proved to be NP-Hard. In order to solve this model, two heuristic algorithms were proposed. One was the service chain deployment algorithm of first routing then placing (FRTP) and the other was the placing followed by routing (PFBR) based on node priority. Simulation results demonstrate that FRTP and PFBR algorithm can significantly balance network traffic load while alleviating congestion and improving the acceptance ratio of the chain requests compared with other algorithms.

18.
Increasing demand and sophistication of applications deployed on data centers resulted in various designs for data center networks (DCNs). One of the major challenges in the design of DCNs is the design of routing protocol that scales to support millions of servers that a typical DCN hosts. Many alternative routing protocols are proposed to overcome the scalability problem of conventional routing protocols such as Open Shortest Path First and Routing Information Protocol. These alternative protocols that use topology characteristics of DCN are broadly classified as source routing and location‐based routing. In the process of fixing the scalability problem, these protocols introduced additional complexities such as large network control overhead and reprogramming of network elements. The extra control overhead in these protocols is the result of their effort to determine the relative location of the end hosts in a given topology. Further, existing location‐based routing is not entirely location based and covers only the latter half of a route. In our work, we present a new location‐based routing based on IP address hierarchy that (a) does not need any additional network control plane and management planes, (b) deployable on proven network technologies, and (c) covers entire path of the route. We establish the correlation between topology design and address assignments that helps determining the location of an end host directly from the address assigned to it. We demonstrate our proposed location‐based routing on an existing proven architecture for DCN, BCube‐IP and on our proposed architecture 4‐4, 1‐4. We give proper justification for proposing 4‐4, 1‐4, a better design for our proposed location‐based routing. Copyright © 2016 John Wiley & Sons, Ltd.

19.
In software‐defined networking (SDN), TCP SYN flooding attack is considered as one of the most effective attacks to perform control plane and target server saturation. In this attack, an attacker generates a large number of malicious SYN requests, and because of the absence of the forwarding rules, the data plane switches have to forward these SYN messages to the controller. This excessive forwarding causes congestion over the communication channel between a data plane and control plane, and it also exhausts computational resources at both the planes. In this paper, we propose a novel countermeasure called SYN‐Guard to detect and prevent SYN flooding in SDN networks. We fully implement SYN‐Guard on the SDN controller to validate the incoming TCP connection requests. The controller installs forwarding rules for the SYN requests that successfully clear the validation test of SYN‐Guard. The host of the fake SYN request is detected, and SYN‐Guard prevents it from sending any further SYN requests to the data plane switch. The performance evaluation done using the simulation results shows that SYN‐Guard exhibits low side effect for genuine TCP requests, and when compared with standard SDN and state‐of‐art proposals, it reduces the average response time up to 21% during an ongoing SYN flooding attack.

20.
The growth of networks has made network management difficult. Recently, a concept called software‐defined network (SDN) has been proposed to address this issue, which makes network management more adaptable. Control and forwarding planes are separated in SDN. The control plane is a centralized logical controller that controls the network. The forwarding plane, which consists of transfer devices, is responsible for transmitting packets. Because the network resources are limited, optimizing the use of resources in the networks is an important issue. Load balancing improves the balanced distribution of loads across multiple resources in order to maximize the reliability and network resources efficiency. SDN controllers can create an optimal load balancing compared to traditional networks because they have a network global view. The load‐balancing problem can be solved using many different nature‐inspired meta‐heuristic techniques because it has the NP‐complete nature. Hence, for solving the load balancing problem in SDN, nature‐inspired meta‐heuristic techniques are important methods. However, to the best of our knowledge, there is not a survey or systematic review on studying these matters. Accordingly, in the area of load balancing in SDN, this paper systematically reviews the nature‐inspired meta‐heuristic techniques. Also, this study demonstrates the advantages and disadvantages of the chosen nature‐inspired meta‐heuristic techniques and considers their algorithm metrics. Moreover, to apply better load balancing techniques in the future, the important challenges of these techniques have been investigated.


Copyright©北京勤云科技发展有限公司  京ICP备09084417号