一种基于数据平面可编程的软件定义网络报文转发验证机制

针对软件定义网络(SDN)中OpenFlow协议匹配字段固定且数量有限,数据流转发缺少有效的转发验证机制等问题,该文提出一种基于数据平面可编程的软件定义网络报文转发验证机制。通过为数据报文添加自定义密码标识,将P4转发设备加入基于OpenFlow的软件定义网络,在不影响数据流正常转发的基础上,对网络业务流精确控制和采样。控制器验证采样业务报文完整性,并针对异常报文下发流规则至OpenFlow转发设备,对恶意篡改、伪造等异常数据流进行转发控制。最后,构建基于开源BMv2的P4转发设备和基于OpenFlow的Open vSwitch转发设备的转发验证原型,并构建仿真网络进行实验。实验结果表明,该机制能够有效检测业务报文篡改、伪造等转发异常行为,与同类验证机制相比,在安全验证处理开销保持不变的情况下,能够实现更细粒度的业务流精确控制采样和更低的转发时延。     

一种新的高速报文解析结构研究

随着新协议的不断涌现和网络速率的迅猛增长,报文解析结构在解析灵活度和解析速率上面临挑战。该文结合流水线设计和二叉trie树查表思想,提出一种应用于路由转发的报文协议解析结构(Parsing PipelineArchitecture for Forwarding,PPAF),通过构建协议二叉trie树来支持报文协议解析的灵活度,利用硬件多级流水查表提升报文协议解析处理速率,采用节点映射算法解决协议二叉trie树节点到流水线映射过程中存储资源不均衡的问题。基于NetFPGA平台的仿真结果表明,相对于现有的高速解析结构,PPAF在处理速率和资源占用上取得较好的均衡的同时,能够提供基于接口的独立灵活解析能力。     

软件定义网络中基于密码标识的报文转发验证机制

针对软件定义网络(SDN)中缺乏安全高效的数据来源验证机制问题,该文提出基于密码标识的报文转发验证机制。首先,建立基于密码标识的报文转发验证模型,将密码标识作为IP报文进出网络的通行证。其次,设计SDN批量匿名认证协议,将SDN控制器的验证功能下放给SDN交换机,由SDN交换机进行用户身份验证和密码标识验证,快速过滤伪造、篡改等非法报文,提高SDN控制器统一认证与管理效率,同时可为用户提供条件隐私保护。提出基于密码标识的任意节点报文抽样验证方案,任何攻击者无法通过推断采样来绕过报文检测,确保报文的真实性的同时降低其处理延迟。最后,进行安全性分析和性能评估。结果表明该机制能快速检测报文伪造和篡改及抵抗ID分析攻击,但同时引入了大约9.6%的转发延迟和低于10%的通信开销。     

软件定义网络抗拒绝服务攻击的流表溢出防护

针对拒绝服务攻击导致软件定义网络交换机有限的流表空间溢出、正常的网络报文无法被安装流表规则、报文转发时延、丢包等情况，提出了抗拒绝服务攻击的软件定义网络流表溢出防护技术Flood Mitigation，采用基于流表可用空间的限速流规则安装管理，限制出现拒绝服务攻击的交换机端口的流规则最大安装速度和占用的流表空间数量，避免了流表溢出。此外，采用基于可用流表空间的路径选择，在多条转发路径的交换机间均衡流表利用率，避免转发网络报文过程中出现网络新流汇聚导致的再次拒绝服务攻击。实验结果表明，Flood Mitigation在防止交换机流表溢出、避免网络报文丢失、降低控制器资源消耗、确保网络报文转发时延等方面能够有效地缓解拒绝服务攻击的危害。     

基于网络编码的感知无线网多中继机制

多中继感知协作通信技术是无线通信领域中,利用时空分集提升网络吞吐量的热门研究方向。该文首次提出了感知无线网中分布式译码转发后的中继冗余问题,并在理论与仿真上证明了现有传输协议不仅不足以支持多中继感知通信,而且由于其衍生了大量冗余而降低了网络吞吐量。针对该问题,该文提出了在缓存队列中结合随机网络编码的中继机制,从而有效地避免了中继冗余,使得多中继感知的吞吐量接近理想上界,减少缓存空间的占用,仿真结果表明该文提出的机制是一种高效实用的感知中继传输机制。     

对软件定义网络数据面抽象的重新思考

提出了一种基于标签的更加灵活的SDN交换机数据面抽象——LabelCast.LabelCast利用标签交换机制解决SDN交换机中的复杂规则匹配问题,采用Cast程序扩展机制解决交换机转发面的功能可编程问题.LabelCast不但可以简化SDN数据面规则匹配复杂性,还可以通过在数据面加载应用的处理程序支持可编程的数据面功能扩展.     

华为发布协议无感知转发技术取得SDN技术重大突破

华为在软件定义网络（SDN）转发面技术上取得重大突破,首次在业界提出新的软件定义网络（SDN）转发面技术,命名为协议无感知转发（POF）,即转发硬件设备对数据报文协议和处理转发流程没有感知,网络行为完全由控制面负责定义。该技术作为对ONF OpenFlow协议的增强,拓展目前OpenFlow的应用场景,为实现真正灵活的可编程软件定义网络奠定基础。同时,华为还将于下周在美国举办的开放网络峰会上展示基于软件定义网络协议无感知转发（SDN POF）技术的设备原型样机。     

主动测量SDN性能的机制

提出了一种能够主动测量SDN中任何两点间的端到端路径性能的机制,设计了OpenFlow测量协议OFMP,实现了无需改变交换机转发规则就能测量两点间特定流的多种性能参数的原型系统OFMd。实验结果表明,OFMd只需发送一个测试报文就能快速高效地获取多种端到端路径性能参数。     

解决FAST TCP缓存溢出相关问题的改进pacing technique算法和α参数调整算法

分析FAST TCP在缓存溢出发生时的性能,发现在缓存溢出场景中,收敛中的FAST TCP流经历严重的报文段丢失。相反,已经收敛了的FAST TCP流维持着高吞吐量和低报文段丢失概率。这种不公平是由FAST TCP缩减其窗口时的零传输率导致的。通过修改FAST TCP pacing算法,可以解决此问题。文中提出的α-adjusting算法,通过动态调整FAST TCP协议中的α参数来避免频繁的缓存溢出。通过分析ns2仿真结果,证明该算法在公平性和稳定性方面可获得令人满意的性能。     

基于OVS的SDN移动自组网络架构设计及实现

在SDN移动自组网络中,控制转发策略集中于控制器中,使得基于流表匹配的数据转发变得简单高效。但是,由于移动自组网环境复杂多变、无线信号不稳定和网络拓扑多变等原因,容易出现数据层面失去控制器控制和流表学习老化等问题,这严重制约网络性能。针对以上问题,设计了一种基于Open v Switch的SDN移动自组网络架构,架构包含状态处理与应用感知等核心功能。状态处理服务实现控制器与交换机连接状态的跟踪检测、Open Flow协议的状态匹配字段拓展和数据包在不同状态场景下进行感知处理等功能,应用感知服务实现转发策略在数据层面被灵活调度的功能。在Open v Switch和Ryu开源控制器上进行协议开发和原型系统搭建。实验结果表明,控制器连发生接故障后,业务恢复时延低于100 ms,流表项可以及时更新,这可以保障网络吞吐量的稳定性。因此,设计的架构有效减小控制器失连故障对通信的影响,增强了基于SDN的移动自组网络的稳定性和可靠性。     

Edge-first-based cooperative caching strategy in information centric networking

In order to optimize the replica placement in information centric networking,an edge-first-based cooperative caching strategy (ECCS) was proposed.According to the strategy,cache decision was made during the interest forwarding stage.The decision result and statistic information would been forwarded to upstream routers step by step.Utilizing the information,upstream nodes could update their cache information table immediately to achieve cooperative caching.The experimental results indicate ECCS can achieve salient performance gain in terms of server load reduction ratio,average hop reduction ratio,average cache hit ratio,compared with current strategies.     

Packet‐level‐based traffic aggregation to optimize NDN content delivery

In recent years, named data networking (NDN) has been accepted as the most popular future paradigm and attracted much attention, of which the routing model contains interest forwarding and content delivery. However, interest forwarding is far from the bottleneck of routing optimization; instead, the study on content delivery can greatly promote routing performance. Although many proposals on content delivery have been investigated, they have not considered packet‐level caching and deep traffic aggregation, which goes against the performance optimization of content delivery. In this paper, we propose a packet‐level‐based traffic aggregation (PLTA) scheme to optimize NDN content delivery. At first, the packet format is devised, and data plane development kit (DPDK) is used to ensure same size for each packet. Then, the whole delivery scheme with traffic aggregation consideration is presented. The simulation is driven by the real YouTube dataset over Deltacom, NSFNET, and CERNET topologies, and the experimental results demonstrate that the proposed PLTA has better delivery performance than three baselines in terms of cache hit ratio, delivery delay, network load, and energy efficiency.     

Traffic locality characteristics in a parallel forwarding system

Due to the widening gap between the performance of microprocessors and that of memory, using caches in a system to take advantage of locality in its workload has become a standard approach to improve overall system performance. At the same time, many performance problems finally reduce to cache performance issues. Locality in system workload is the fact that makes caching possible. In this paper, we first use the reuse distance model to characterize temporal locality in Internet traffic. We develop a model that closely matches the empirical data. We then extend the work to investigate temporal locality in the workload of multi‐processor forwarding systems by comparing locality under different packet scheduling schemes. Our simulations show that for systems with hash‐based schedulers, caching can be an effective way to improve forwarding performance. Based on flow‐level traffic characteristics, we further discuss the relationship between load‐balancing and hash‐scheduling, which yields insights into system design. Copyright © 2003 John Wiley & Sons, Ltd.     

源端控制的OpenFlow数据面

为了实现流表的多元快速查找,OpenFlow交换机一般采用TCAM存储和查找流表,从而带来了扩展性、成本和能耗的问题。尽管可以采取流表压缩、引入RAM存储器等方法,但仍无法彻底解决使用TCAM造成的局限性。针对这个问题提出了源端控制的OpenFlow数据面模型,即SCOF（source-controlled OpenFlow）。它以一种源路由地址—向量地址（VA）作为数据分组的交换标签,VA完全定义了通信路径。SCOF的数据转发设备是向量交换机,它不需要存储和查找流表,只根据VA即可完成数据分组转发。SCOF模型降低了交换机硬件复杂度,简化了流表更新过程,克服了OpenFlow的扩展性问题。     

Dynamic Probabilistic Caching Algorithm with Content Priorities for Content‐Centric Networks

This paper presents a caching algorithm that offers better reconstructed data quality to the requesters than a probabilistic caching scheme while maintaining comparable network performance. It decides whether an incoming data packet must be cached based on the dynamic caching probability, which is adjusted according to the priorities of content carried by the data packet, the uncertainty of content popularities, and the records of cache events in the router. The adaptation of caching probability depends on the priorities of content, the multiplication factor adaptation, and the addition factor adaptation. The multiplication factor adaptation is computed from an instantaneous cache‐hit ratio, whereas the addition factor adaptation relies on a multiplication factor, popularities of requested contents, a cache‐hit ratio, and a cache‐miss ratio. We evaluate the performance of the caching algorithm by comparing it with previous caching schemes in network simulation. The simulation results indicate that our proposed caching algorithm surpasses previous schemes in terms of data quality and is comparable in terms of network performance.     

等价多路径间基于LRU Cache和计数统计的 流量分配调度算法

为了减少网络拥塞并充分利用链路带宽,当在转发节点与目的子网间存在有多条等价路径(ECMPs)时,流量负载应该在ECMPs间均衡分配,并且属于同一个TCP流的IP分组应该按照相同顺序到达目的主机.本文提出了一种基于LRU(Least Recently Used Algorithm) Cache和计数统计的算法.该算法通过为每条ECMP分配一个计数器,利用计数统计从而考虑到了IP分组的长度差异.使用相对计数以及对某些情况增加约束条件解决了计数器溢出问题.UDP分组只需要作为调节负载均衡的流量.更进一步,对于去往同一目的子网的不同主机的TCP流的时延差异被转化为cache中的表项失效的时间长度差.仿真实验表明,当ECMPs间的时延差不显著的情况下,只需要很小的存储空间,且每次cache查找只需要一个时钟周期,负载均衡接近最优,此时只有2%的分组出现乱序.     

CCN中基于业务类型的多样化内容分发机制

针对内容中心网络(Content Centric Networking,CCN)如何提供差异化的业务需求服务的问题,采用区分服务的思想,从内容传输和缓存决策的角度出发,提出了一种基于业务类型的多样化内容分发机制.该机制依据不同的业务请求特征,分别设计了持久推送、并行预测和逐包请求的数据分发模式,对应提出了透明转发、边缘概率缓存和渐进式推进的沿途存储策略,实现了内容传递对于业务类型的感知和匹配.仿真结果表明,该机制减小了内容请求时延,提高了缓存命中率,以少量额外的控制开销提升了CCN网络整体的内容分发性能.     

High-speed IP routing with binary decision diagrams based hardware address lookup engine

With a rapid increase in the data transmission link rates and an immense continuous growth in the Internet traffic, the demand for routers that perform Internet protocol packet forwarding at high speed and throughput is ever increasing. The key issue in the router performance is the IP address lookup mechanism based on the longest prefix matching scheme. Earlier work on fast Internet protocol version 4 (IPv4) routing table lookup includes, software mechanisms based on tree traversal or binary search methods, and hardware schemes based on content addressable memory (CAM), memory lookups and the CPU caching. These schemes depend on the memory access technology which limits their performance. The paper presents a binary decision diagrams (BDDs) based optimized combinational logic for an efficient implementation of a fast address lookup scheme in reconfigurable hardware. The results show that the BDD hardware engine gives a throughput of up to 175.7 million lookups per second (Ml/s) for a large AADS routing table with 33 796 prefixes, a throughput of up to 168.6 Ml/s for an MAE-West routing table with 29 487 prefixes, and a throughput of up to 229.3 Ml/s for the Pacbell routing table with 6822 prefixes. Besides the performance of the scheme, routing table update and the scalability to Internet protocol version 6 (IPv6) issues are discussed.     

OpenFlow table lookup scheme integrating multiple-cell Hash table with TCAM

In OpenFlow networks,switches accept flow rules through standardized interfaces,and perform flow-based packet processing.To facilitate the lookup of flow tables,TCAM has been widely used in OpenFlow switches.However,TCAM is expensive and consumes a large amount of power.A hybrid lookup scheme integrating multiple-cell Hash table with TCAM was proposed for flow table matching to simultaneously reduce the cost and power consumption of lookup structure without sacrificing the lookup performance.By theoretical analysis and extensive experiments,optimal capacity configuration of Hash table and TCAM was achieved with the optimized cost of flow table lookup.The experiment results also show that the proposed lookup scheme can save over 90% cost and the power consumption of flow table matching can be reduced significantly compared with the pure TCAM scheme while keeping the similar lookup performance.