Dissertations / Theses on the topic 'Software Defined Networking (SDN) / OpenFlow'

Consult the top 50 dissertations / theses for your research on the topic 'Software Defined Networking (SDN) / OpenFlow.'

1

Adduci, Pietro. "Software-Defined Networking: lo standard Openflow." Bachelor's thesis, Alma Mater Studiorum - Università di Bologna, 2014. http://amslaurea.unibo.it/7241/.

2

Forgione, Alessandro. "Openflow e software-defined networking: l'evoluzione della rete programmabile." Bachelor's thesis, Alma Mater Studiorum - Università di Bologna, 2014. http://amslaurea.unibo.it/7919/.

Abstract:
The “Software-Defined Networking” (SDN) paradigm has recently attracted interest thanks to the development and implementation of a technology standard such as OpenFlow. The SDN model proposes a programmable network through the separation of the control unit from the forwarding unit, thereby reducing network nodes (e.g. routers or switches) to hardware that merely forwards data packets according to the rules dictated by the controller. OpenFlow is the dominant standard in SDN technology, enabling communication between the controller unit and the hardware of one or more network nodes. Using OpenFlow allows greater dynamism and easier customization of the network through a user interface, including a variety of functions such as modifying and automating forwarding rules, creating a virtual network with logical nodes, or monitoring traffic to increase the security of one's network.
3

Fahlén, Tony. "En jämförande studie mellan Software-Defined Networking protokollen OpenFlow & OpFlex." Thesis, Mälardalens högskola, Akademin för innovation, design och teknik, 2017. http://urn.kb.se/resolve?urn=urn:nbn:se:mdh:diva-35565.

Abstract:
Software-Defined Networking is a way to implement a fully-managed network from a central location. The goal of SDN is to be a flexible network that can quickly adapt to new configurations to handle today’s massive data streams. In order for SDN to work, a protocol is required to manage communication between the central control point and the network equipment within the network. OpenFlow is such a protocol. The OpenFlow protocol is very well established and used in many of today’s SDN networks. An alternative to OpenFlow is OpFlex, a protocol that is relatively new on today’s market, but has the support of many major manufacturers within networking and computers. The aim of this thesis is to compare these protocols both theoretically and practically through experiments in a laboratory environment to identify similarities and differences between these protocols. In order to be able to compare them, a comprehensive literature study was first conducted where information about the protocols was collected and compiled. After this, a laboratory environment was set up to test how the protocols work. After the experiments, the literature study and the laboratory results were compiled and the protocols were assessed in different areas. Finally, different situations were raised where each protocol would be suitable to be chosen over the other.
4

Tanyingyong, Voravit. "Performance and Reliability in Open Router Platforms for Software-Defined Networking." Licentiate thesis, KTH, Network Systems Laboratory (NS Lab), 2014. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-144285.

Abstract:
The unprecedented growth of the Internet has brought about such an enormous impact on our daily life that it is regarded as indispensable in modern era. At the same time, the underlying Internet architecture is still underpinned by principles designed several decades ago. Although IP networking has been proven very successful, it has been considered as the cause to network ossification creating barriers to entry for new network innovations. To support new demands and requirements of the current and the future Internet, solutions for new and improved Internet architectures should be sought. Software-defined networking (SDN), a new modularized network architecture that separates the control plane from the data plane, has emerged as a promising candidate for the future Internet. SDN can be described as flow-based networking, which provides finer granularity while maintaining backward compatibility with traditional IP networking. In this work, our goal is to investigate how to incorporate flow-based networking into open router platforms in an SDN context. We investigate performance and reliability aspects related to SDN data plane operation in software on open source PC-based routers. Our research methodology is based on design, implementation, and experimental evaluation. The experimental platform consists of PC-based routers running open source software in combination with commodity-off-the-shelf (COTS) hardware components. When it comes to performance aspects, we demonstrate that by offloading the lookup from a CPU to a network interface card, the overall performance is improved significantly. For enhanced reliability, we investigate bidirectional forwarding detection (BFD) as a component to realize redundancy with fast failover. We demonstrate that BFD becomes unreliable under high traffic load and propose a solution to this problem by allocating dedicated system resources for BFD control messages. 
In line with this solution, we extend our architecture for next-generation PC-based routers with OpenFlow support by devising a strategy to efficiently map packet forwarding and application processing tasks onto the multi-core architecture on the PC-based router. This extension would make it possible to integrate BFD effectively into the router platform. Our work demonstrates the potentials of open router platforms for SDN. Our prototypes offer not only high performance with good reliability but also flexibility to adopt new software extensions. Such platforms will play a vital role in advancing towards the future Internet.

5

Marciniak, Petr. "Vyvažování zátěže v sítích OpenFlow." Master's thesis, Vysoké učení technické v Brně. Fakulta informačních technologií, 2013. http://www.nusl.cz/ntk/nusl-236205.

Abstract:
The aim of this thesis is to develop a load balancing tool for OpenFlow networks. Software-defined networking (SDN) principles are introduced (OpenFlow protocol used as an example) and compared to the legacy routing and switching technology. OpenFlow is the first protocol/API enabling communication between the control and infrastructure planes of the software-defined networking model. Key features of the protocol are described and several OpenFlow controllers are introduced. Current best practices in computer networks load balancing are discussed as well. The load balancing application development process is described including the test laboratory setups - Mininet (SW) and OFELIA (HW). The application test results are evaluated and possible further enhancements to the program are discussed.
6

Ahmad, I. (Ijaz). "Improving software defined cognitive and secure networking." Doctoral thesis, Oulun yliopisto, 2018. http://urn.fi/urn:isbn:9789526219516.

Abstract:
Traditional communication networks consist of large sets of vendor-specific manually configurable devices. These devices are hardwired with specific control logic or algorithms used for different network functions. The resulting networks comprise distributed control plane architectures that are complex in nature, difficult to integrate and operate, and are least efficient in terms of resource usage. However, the rapid increase in data traffic requires the integrated use of diverse access technologies and autonomic network operations with increased resource efficiency. Therefore, the concepts of Software Defined Networking (SDN) are proposed that decouple the network control plane from the data-forwarding plane and logically centralize the control plane. The SDN control plane can integrate a diverse set of devices, and tune them at run-time through vendor-agnostic programmable Application Programming Interfaces (APIs). This thesis proposes software defined cognitive networking to enable intelligent use of network resources. Different radio access technologies, including cognitive radios, are integrated through a common control platform to increase the overall network performance. The architectural framework of software defined cognitive networking is presented alongside the experimental performance evaluation. Since SDN enables applications to change the network behavior and centralizes the network control plane to oversee the whole network, it is highly important to investigate SDN in terms of security. Therefore, this thesis finds the potential security vulnerabilities in SDN, studies the proposed security platforms and architectures for those vulnerabilities, and presents future directions for unresolved security vulnerabilities. Furthermore, this thesis also investigates the potential security challenges and their solutions for the enabling technologies of 5G, such as SDN, cloud technologies, and virtual network functions, and provides key insights into increasing the security of 5G networks.
7

Ridolfi, Pietro. "SDN: il futuro della rete - stato dell'arte e casi reali." Bachelor's thesis, Alma Mater Studiorum - Università di Bologna, 2015. http://amslaurea.unibo.it/9107/.

Abstract:
The thesis analyzes an emerging network paradigm, Software Defined Network, highlighting its strengths and thereby bringing out the resulting advantages, potential, limitations, feasibility and benefits, as well as any weaknesses.
8

Isolani, Pedro Heleno. "Interactive monitoring, visualization, and configuration of openflow-based SDN." reponame:Biblioteca Digital de Teses e Dissertações da UFRGS, 2015. http://hdl.handle.net/10183/127452.

Abstract:
Software-Defined Networking (SDN) is an emerging paradigm that arguably facilitates network innovation and simplifies network management. SDN enables these features based on four fundamental principles: (i) network control and forwarding planes are clearly decoupled, (ii) forwarding decisions are flow-based instead of destination-based, (iii) the network forwarding logic is abstracted from a hardware to a programmable software layer, and (iv) an element, called controller, is introduced to coordinate network-wide forwarding decisions. Nowadays, much has been discussed about using SDN principles to improve network management – where SDN is taken as a management tool –, instead of discussing which are the new management challenges that this network paradigm introduces. In the context of SDN, management activities, such as monitoring, visualization, and configuration can be considerably different from traditional networks, thus deserving proper attention. For example, an SDN controller can be customized by network administrators according to their needs. Such customizations might pose an impact on resource consumption and traffic forwarding performance, which is difficult to assess because traditional network management solutions were not designed to cope with the context of SDN. As a consequence, an SDN-tailored management solution must be able to help the administrator to understand and control how the SDN controller behavior affects the network. Considering this context, we initially performed an analysis of control traffic in SDN aiming to better understand the impact of the communication between the controller and forwarding devices. Afterwards, we propose an interactive approach to SDN management through monitoring, visualization, and configuration that includes the administrator in the management loop, where SDN-specific metrics are monitored, processed, and displayed in interactive visualizations. Thus, the administrator is able to make decisions and configure/reconfigure SDN-related parameters according to his/her needs. To show the feasibility of our approach a prototype has been developed, called SDN Interactive Manager. The results obtained with this prototype show that our approach can help the administrator to better understand the impact of configuring SDN-related parameters on the overall network performance.
9

Nasim, Kamraan. "AETOS: An Architecture for Offloading Core LTE Traffic Using Software Defined Networking Concepts." Thesis, Université d'Ottawa / University of Ottawa, 2016. http://hdl.handle.net/10393/35085.

Abstract:
It goes without saying that cellular users of today have an insatiable appetite for bandwidth and data. Data-intensive applications, such as video on demand, online gaming and video conferencing, have gained prominence. This, coupled with recent innovations in the mobile network such as LTE/4G, poses a unique challenge to network operators in how to extract the most value from their deployments all the while reducing their Total Cost of Operations (TCO). To this end, a number of enhancements have been proposed to the “conventional” LTE mobile network. Most of these recognize the monolithic and non-elastic nature of the mobile backend and propose complementing core functionality with concepts borrowed from Software Defined Networking (SDN). In this thesis we shall attempt to explore some existing options within the LTE standard to mitigate large traffic churns. We will then review some SDN-enabled alternatives, and attempt to derive a proof based critique on their merits and drawbacks.
10

Calabrigo, Adam Chase. "SD-MCAN: A Software-Defined Solution for IP Mobility in Campus Area Networks." DigitalCommons@CalPoly, 2017. https://digitalcommons.calpoly.edu/theses/1797.

Abstract:
Campus Area Networks (CANs) are a subset of enterprise networks, comprised of a network core connecting multiple Local Area Networks (LANs) across a college campus. Traditionally, hosts connect to the CAN via a single point of attachment; however, the past decade has seen the employment of mobile computing rise dramatically. Mobile devices must obtain new Internet Protocol (IP) addresses at each LAN as they migrate, wasting address space and disrupting host services. To prevent these issues, modern CANs should support IP mobility: allowing devices to keep a single IP address as they migrate between LANs with low-latency handoffs. Traditional approaches to mobility may be difficult to deploy and often lead to inefficient routing, but Software-Defined Networking (SDN) provides an intriguing alternative. This thesis identifies necessary requirements for a software-defined IP mobility system and then proposes one such system, the Software-Defined Mobile Campus Area Network (SD-MCAN) architecture. SD-MCAN employs an OpenFlow-based hybrid, label-switched routing scheme to efficiently route traffic flows between mobile hosts on the CAN. The proposed architecture is then implemented as an application on the existing POX controller and evaluated on virtual and hardware testbeds. Experimental results show that SD-MCAN can process handoffs with less than 90 ms latency, suggesting that the system can support data-intensive services on mobile host devices. Finally, the POX prototype is open-sourced to aid in future research.
11

Sahay, Rishikesh. "Policy-driven autonomic cyberdefense using software-defined networking." Thesis, Evry, Institut national des télécommunications, 2017. http://www.theses.fr/2017TELE0022/document.

Abstract:
Cyber attacks cause significant loss not only to end-users, but also Internet Service Providers (ISP). Recently, customers of the ISP have been the number one target of the cyber attacks such as Distributed Denial of Service attacks (DDoS). These attacks are encouraged by the widespread availability of tools to launch the attacks. So, there is a crucial need to counter these attacks (DDoS, botnet attacks, etc.) by effective defense mechanisms. Researchers have devoted huge efforts on protecting the network from cyber attacks. Defense methodologies first contain a detection process, completed by mitigation. Lack of automation in the whole cycle of detection to mitigation increases the damage caused by cyber attacks. It requires manual configurations of devices by the administrator to mitigate the attacks which cause the network downtime. Therefore, it is necessary to close the security loop with an efficient mechanism to automate the mitigation process. In this thesis, we propose an autonomic mitigation framework to mitigate attacks that target the network resources. Our framework provides a collaborative mitigation strategy between the ISP and its customers. The implementation relies on Software-Defined Networking (SDN) technology to deploy the mitigation framework. The contribution of our framework can be summarized as follows: first the customers detect the attacks and share the threat information with their ISP to perform the on-demand mitigation. We further develop the system to improve the management aspect of the framework at the ISP side. This system performs the alert extraction, adaptation and device configurations. We develop a policy language to define the high level policy which is translated into OpenFlow rules. Finally, we show the applicability of the framework through simulation as well as testbed validation. We evaluate different QoS and QoE (quality of user experience) metrics in SDN networks. The application of the framework demonstrates its effectiveness in not only mitigating attacks for the victim, but also reducing the damage caused to traffic of other customers of the ISP.
12

Franková, Barbora. "Zákonné odposlechy v SDN." Master's thesis, Vysoké učení technické v Brně. Fakulta informačních technologií, 2015. http://www.nusl.cz/ntk/nusl-234982.

Abstract:
This thesis covers the utilization of software defined networks for lawful interception purposes. Based on a specific implementation of the lawful interception system SLIS developed by the Sec6Net group, it suggests improvements aiming at more precise identification of intercepted users and better efficiency of system resources. The first aim is achieved by implementation of a new module for the dynamic identification component, while the other one alters the configuration mechanism for probes and OpenFlow switches.
13

Sriskandarajah, Shriparen. "Detection and mitigation of denial-of-service attacks against software-defined networking." Thesis, Queensland University of Technology, 2021. https://eprints.qut.edu.au/226951/1/Shriparen_Sriskandarajah_Thesis.pdf.

Abstract:
Software-defined networking (SDN) is an emerging architecture in computer networking that was introduced to fulfill the demand of current Internet-based services and applications. New features introduced in the SDN architecture open the space for attackers to disrupt the SDN-based networks using new types of Denial-of-Service (DoS) attacks. In this study, first, we present a new DoS attack, namely the control channel DoS attack. Second, we present another new DoS attack to overwhelm the flow table of the SDN switches, namely the flow rule overwhelming attack. Finally, we propose novel strategies to detect and mitigate DoS attacks against the SDN architecture.
14

Sahay, Rishikesh. "Policy-driven autonomic cyberdefense using software-defined networking." Electronic Thesis or Diss., Evry, Institut national des télécommunications, 2017. http://www.theses.fr/2017TELE0022.

Full text
Abstract:
Les attaques cybernétiques causent une perte importante non seulement pour les utilisateurs finaux, mais aussi pour les fournisseurs de services Internet (FAI). Récemment, les clients des FAI ont été la cible numéro un de cyber-attaques telles que les attaques par déni de service distribué (DDoS). Ces attaques sont favorisées par la disponibilité généralisée outils pour lancer les attaques. Il y a donc un besoin crucial de contrer ces attaques par des mécanismes de défense efficaces. Les chercheurs ont consacré d’énormes efforts à la protection du réseau contre les cyber-attaques. Les méthodes de défense contiennent d’abord un processus de détection, complété par l’atténuation. Le manque d’automatisation dans tout le cycle de détection à l’atténuation augmente les dégâts causés par les cyber-attaques. Cela provoque des configurations manuelles de périphériques l’administrateur pour atténuer les attaques affectent la disponibilité du réseau. Par conséquent, il est nécessaire de compléter la boucle de sécurité avec un mécanisme efficace pour automatiser l’atténuation. Dans cette thèse, nous proposons un cadre d’atténuation autonome pour atténuer les attaques réseau qui visent les ressources du réseau, comme par les attaques exemple DDoS. Notre cadre fournit une atténuation collaborative entre le FAI et ses clients. Nous utilisons la technologie SDN (Software-Defined Networking) pour déployer le cadre d’atténuation. Le but de notre cadre peut se résumer comme suit : d’abord, les clients détectent les attaques et partagent les informations sur les menaces avec son fournisseur de services Internet pour effectuer l’atténuation à la demande. Nous développons davantage le système pour améliorer l’aspect gestion du cadre au niveau l’ISP. Ce système effectue l’extraction d’alertes, l’adaptation et les configurations d’appareils. Nous développons un langage de politique pour définir la politique de haut niveau qui se traduit par des règles OpenFlow. 
Enfin, nous montrons l’applicabilité du cadre par la simulation ainsi que la validation des tests. Nous avons évalué différentes métriques QoS et QoE (qualité de l’expérience utilisateur) dans les réseaux SDN. L’application du cadre démontre son efficacité non seulement en atténuant les attaques pour la victime, mais aussi en réduisant les dommages causés au trafic autres clients du FAI
Cyber attacks cause significant loss not only to end-users, but also to Internet Service Providers (ISPs). Recently, customers of the ISP have been the number one target of cyber attacks such as Distributed Denial of Service (DDoS) attacks. These attacks are encouraged by the widespread availability of tools to launch them. So, there is a crucial need to counter these attacks (DDoS, botnet attacks, etc.) with effective defense mechanisms. Researchers have devoted huge efforts to protecting the network from cyber attacks. Defense methodologies first contain a detection process, completed by mitigation. Lack of automation in the whole cycle of detection to mitigation increases the damage caused by cyber attacks. It requires manual configuration of devices by the administrator to mitigate the attacks, which causes network downtime. Therefore, it is necessary to close the security loop with an efficient mechanism to automate the mitigation process. In this thesis, we propose an autonomic mitigation framework to mitigate attacks that target the network resources. Our framework provides a collaborative mitigation strategy between the ISP and its customers. The implementation relies on Software-Defined Networking (SDN) technology to deploy the mitigation framework. The contribution of our framework can be summarized as follows: first, the customers detect the attacks and share the threat information with their ISP to perform the on-demand mitigation. We further develop the system to improve the management aspect of the framework at the ISP side. This system performs the alert extraction, adaptation and device configurations. We develop a policy language to define the high-level policy, which is translated into OpenFlow rules. Finally, we show the applicability of the framework through simulation as well as testbed validation. We evaluate different QoS and QoE (quality of user experience) metrics in SDN networks. The application of the framework demonstrates its effectiveness in not only mitigating attacks for the victim, but also reducing the damage caused to traffic of other customers of the ISP.
15

Hölscher, Anton. "The Latency Effects of Utilizing a Microservice Architecture in a Time-Critical System." Thesis, Linköpings universitet, Institutionen för datavetenskap, 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-178295.

Abstract:
This study aims to examine the effects of transforming a monolithic server system into a microservice architecture, focusing on the increased latency introduced by using a microservice orchestrator. The microservice orchestrator was implemented using an OpenFlow switch controlled by the Beacon and Ryu OpenFlow controllers. These controllers, along with the round robin, random assign and a server-aware load balancing algorithm, were all compared in order to find the combination resulting in the lowest latency and highest achieved server balance in varying network environments. We show that the OpenFlow switch enforces a client-aware load balancing policy and that only the initial request is handled by the controller, effectively reducing the importance of choosing the optimal OpenFlow controller. In addition, the round robin load balancer was preferred when dealing with homogeneous requests, and a server-aware load balancer was required for heterogeneous requests. For most requests, the system would only slow down by a few microseconds using the proposed architecture. However, for 0.001% of all requests, the slowdown was much more significant, with each of those requests being at least 100 times slower than when using a monolithic server architecture.
16

Henriksson, Johannes, and Alexander Magnusson. "Impact of using cloud-based SDN controllers on the network performance." Thesis, Mälardalens högskola, Akademin för innovation, design och teknik, 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:mdh:diva-44152.

Abstract:
Software-Defined Networking (SDN) is a network architecture that differs from traditional network planes. SDN has three layers: infrastructure, controller, and application. The goal of SDN is to simplify management of larger networks by centralizing control into the controller layer instead of having it in the infrastructure. Given the known advantages of SDN networks and the flexibility of cloud computing, we are interested in whether this combination of SDN and cloud services affects network performance, and what effect the cloud providers' physical location has on the network performance. These points are important when SDN becomes more popular in enterprise networks. This seems like a logical next step in SDN, centralizing branch networks into one cloud-based SDN controller. These questions were created with a literature study and answered with an experimentation method. The experiments consist of two network topologies: locally hosted SDN (baseline) and cloud-hosted SDN. The topology used Zodiac FX switches and Linux hosts. The following metrics were measured: throughput, latency, jitter, packet loss, and time to add new hosts. The conclusion is that SDN as a cloud service is possible and does not significantly affect network performance. One limitation of this thesis was the hardware, resulting in big fluctuations in throughput and packet loss.
17

Nguyen, Xuan-Nam. "Une approche « boite noire » pour résoudre le problème de placement des règles dans un réseau OpenFlow." Thesis, Nice, 2016. http://www.theses.fr/2016NICE4012/document.

Abstract:
The large number of connected devices, combined with the growing volume of traffic, has pushed networks to their limits. To solve this problem, the Software-Defined Networking (SDN) approach, which decouples the control plane from the data plane, has been proposed. OpenFlow is a new protocol that realizes the SDN concept. To process these flows, OpenFlow uses lists of rules on the switches. These rules are used to determine the actions in the network. This simplifies the deployment of complex network services but raises the question of which rules to define and where to place them in the network so as to respect its constraints. In this thesis, we focus on the OpenFlow rules placement problem (ORPP) and propose a black-box abstraction to hide network management. First, we formalize the rules placement problem and survey existing solutions. Existing solutions are, however, inefficient because they mostly rely on the shortest-path concept. We propose to relax the problem by allowing the use of arbitrary paths, and we propose two complementary algorithms: OFFICER and aOFFICER. The general idea of OFFICER and aOFFICER is to use the most efficient paths for high-importance traffic and to allow lower-importance traffic to take detours. Both proposals are evaluated using traffic traces. Finally, we apply the black-box principle to improve the performance of a content delivery service in cellular networks.
The massive number of connected devices combined with an increasing traffic push network operators to their limit by limiting their profitability. To tackle this problem, Software-Defined Networking (SDN), which decouples network control logic from forwarding devices, has been proposed. An important part of the SDN concepts is implemented by the OpenFlow protocol that abstracts network communications as flows and processes them using a prioritized list of rules on the network forwarding elements. While the abstraction offered by OpenFlow allows many applications to be implemented, it raises the new problem of how to define the rules and where to place them in the network while respecting all requirements, which we refer to as the OpenFlow Rules Placement Problem (ORPP). In this thesis, we focus on the ORPP and hide the complexity of network management by proposing a black box abstraction. First, we formalize that problem, classify and discuss existing solutions. We discover that most of the solutions enforce the routing policy when placing rules, which is not memory efficient in some cases. Second, by trading routing for better resource efficiency, we propose OFFICER and aOFFICER, two frameworks that select OpenFlow rules satisfying policies and network constraints, while minimizing overheads. The main idea of OFFICER and aOFFICER is to give high priority for large flows to be installed on efficient paths, and let other flows follow default paths. These proposals are evaluated and compared to existing solutions in realistic scenarios. Finally, we study a use case of the black box abstraction, in which we improve the performance of content delivery services in cellular networks.
18

Venmani, Daniel Philip. "Multi-operator greedy routing based on open routers." Phd thesis, Institut National des Télécommunications, 2014. http://tel.archives-ouvertes.fr/tel-00997721.

Abstract:
Revolutionary mobile technologies, such as high-speed packet access 3G (HSPA+) and LTE, have significantly increased mobile data rate over the radio link. While most of the world looks at this revolution as a blessing to their day-to-day life, a little-known fact is that these improvements over the radio access link result in demanding tremendous improvements in bandwidth on the backhaul network. Having said this, today's Internet Service Providers (ISPs) and Mobile Network Operators (MNOs) are intemperately impacted as a result of this excessive smartphone usage. The operational costs (OPEX) associated with traditional backhaul methods are rising faster than the revenue generated by the new data services. Building a mobile backhaul network is very different from building a commercial data network. A mobile backhaul network requires (i) QoS-based traffic with strict requirements on delay and jitter (ii) high availability/reliability. While most ISPs and MNOs have promised advantages of redundancy and resilience to guarantee high availability, there is still the specter of failure in today's networks. The problems of network failures in today's networks can be quickly but clearly ascertained. The underlying observation is that ISPs and MNOs are still exposed to rapid fluctuations and/or unpredicted breakdowns in traffic; it goes without saying that even the largest operators can be affected. But what if these operators could now put in place designs and mechanisms to improve network survivability to avoid such occurrences? What if mobile network operators can come up with low-cost backhaul solutions together with ensuring the required availability and reliability in the networks?
With this problem statement in hand, the overarching theme of this dissertation is within the following scopes: (i) to provide low-cost backhaul solutions; the motivation here being able to build networks without over-provisioning and then to bring in new resources (link capacity/bandwidth) on occasions of unexpected traffic surges as well as on network failure conditions for particularly ensuring premium services (ii) to provide uninterrupted communications even at times of network failure conditions, but without redundancy. Here a slightly greater emphasis is laid on tackling the 'last-mile' link failures. The scope of this dissertation is therefore to propose, design and model novel network architectures for improving effective network survivability and network capacity, at the same time by eliminating network-wide redundancy, adopted within the context of mobile backhaul networks. Motivated by this, we study the problem of how to share the available resources of a backhaul network among its competitors, with whom a Service Level Agreement (SLA) has been concluded. Thus, we present a systematic study of our proposed solutions focusing on a variety of empirical resource sharing heuristics and optimization frameworks. With this background, our work extends towards a novel fault restoration framework which can cost-effectively provide protection and restoration for the operators, enabling them with a parameterized objective function to choose desired paths based on traffic patterns of their end-customers. We then illustrate the survivability of backhaul networks with reduced amount of physical redundancy, by effectively managing geographically distributed backhaul network equipment which belongs to different MNOs using 'logically-centralized' physically-distributed controllers, while meeting strict constraints on network availability and reliability.
19

Frate, Marcelo. "OrchFlow: uma arquitetura para orquestração de redes OpenFlow com múltiplos controladores." Universidade Federal de São Carlos, 2017. https://repositorio.ufscar.br/handle/ufscar/9139.

Abstract:
Made available in DSpace on 2017-10-09T14:35:53Z (GMT). Previous issue date: 2017-02-23
I did not receive funding.
Since the emergence of Software-Defined Networking (SDN), and, more precisely, since the development of an open interface in 2008 called the OpenFlow protocol, it has been observed that this new networking paradigm is deeply remodeling IP-protocol-based networks. It means that new mechanisms of service provisioning are becoming possible, which ensures scalability and reduces costs. Although this new paradigm has been created to centralize the control logic, there is the possibility of decentralizing it through the parceling of control tasks between two or more controllers. In this scenario, the subdivision of the administrative domain into smaller subdomains in order to have each of them controlled by one single controller has been an alternative to ensure scalability in SDN. The OpenFlow protocol allows communication among switches and controllers to another controller. However, the protocol does not define how this communication between one controller and another should be done. It is mandatory, therefore, to develop protocol-independent solutions able to distribute this logic inside the same administrative domain. New proposals have arisen, but their applications either use equal controllers or demand the development of new, specifically designed controllers. This master's research aims to offer the fundamentals for the development of an architecture, here called OrchFlow, able to receive application demands and organize them in a way that provides the requested services through an OpenFlow network designed with two or more controllers of different implementations. The OrchFlow architecture that is being proposed accomplishes its task by handling multiple OpenFlow controllers hierarchically and providing network access through three distinct modes: Proactive, Reactive and Hybrid.
Since the emergence of Software-Defined Networks, and more specifically since 2008 with the development of an open interface, the OpenFlow protocol, it has been possible to observe that this new network paradigm is revolutionizing networks based on the IP protocol, enabling the creation of new service provisioning mechanisms, ensuring scalability and reducing costs. Although this new paradigm was created to centralize the control logic, it is possible to decentralize it by dividing the control tasks between two or more controllers. In this scenario, subdividing the administrative domain into smaller subdomains and having each subdomain controlled by one controller has been an alternative for ensuring scalability in Software-Defined Networking (SDN). The OpenFlow protocol allows communication between switches and controllers; however, it does not define how communication from one controller to another controller should be done. It is therefore necessary to develop protocol-independent solutions capable of distributing this logic within a single administrative domain. In this scenario, new proposals keep emerging, but the applications developed either use identical controllers or new controllers are created specifically for this purpose. This master's research aims to develop an architecture, here called OrchFlow, capable of receiving requests from applications and orchestrating them in order to provide the requested services in an OpenFlow network with two or more controllers of different implementations. The OrchFlow architecture, developed for this master's research, accomplishes this task by orchestrating multiple OpenFlow controllers acting hierarchically, providing access to the network infrastructure through three distinct modes: Proactive, Reactive and Hybrid.
20

Bruyère, Marc. "An outright open source approach for simple and pragmatic internet eXchange." Thesis, Toulouse 3, 2016. http://www.theses.fr/2016TOU30114/document.

Abstract:
The Internet, the network of networks, is indispensable to our modern, globalized life, and as a public resource it relies on interoperability and trust. Free and open source software plays a major role in its development. Internet exchange points (IXPs), where operators of all types and sizes can exchange traffic, are essential as neutral and independent places of exchange. The fundamental service offered by an IXP is a shared layer 2 switching fabric. Today, IXPs are forced to use proprietary technologies for their switching fabric. Although a layer 2 switching fabric ought to be a basic functionality, current solutions do not properly meet the requirements of IXPs. This situation is mainly due to the fact that the control and data planes are intertwined, with no possibility of finely programming the switching plane. Before any deployment, it is essential to test each piece of equipment to verify that it meets expectations, but the testing solutions for validating network equipment are all non-open-source, commercial, and do not meet the technical needs of independence and neutrality. Software Defined Networking (SDN), a new paradigm decoupling the control and data planes, uses the OpenFlow protocol, which makes it possible to program the high-performance Ethernet switching plane. Unlike all the research projects that centralize the entire control plane on top of OpenFlow, impairing the stability of the exchanges, we propose to use OpenFlow to manage the control plane specific to the switching fabric. The main objective of this thesis is to propose "Umbrella", a simple and pragmatic switching fabric meeting all the requirements of IXPs, first and foremost the guarantee of independence and neutrality of the exchanges.
In the first part, we present the "Umbrella" architecture in detail, with the full set of tests and validations demonstrating the clear separation of the control plane and the data plane to increase the robustness, flexibility and reliability of IXPs. To meet the requirement for autonomy in the testing that IXPs need in order to examine and validate the implementation of Umbrella, we developed the "Open Source Network Tester" (OSNT), a fully open source hardware system for traffic generation and capture. OSNT is the foundation for "OpenFlow Operations Per Second Turbo" (OFLOPS Turbo), the OpenFlow switching evaluation platform. The last chapter presents the deployment of the "Umbrella" architecture in production at a regional exchange point. The testing tools we developed were used to verify the equipment deployed in production. This exchange point, stable for a year now, is entirely managed and controlled by a single web application replacing all the complex, proprietary management systems previously used.
In almost everything we do, we use the Internet. The Internet is indispensable for our today's lifestyle and to our globalized financial economy. The global Internet traffic is growing exponentially. IXPs are the heart of the Internet. They are highly valuable for the Internet as neutral exchange places where all types and sizes of autonomous systems can "peer" together. IXP traffic is exploding. The 2013 global Internet traffic is equivalent to the largest European IXP today. The fundamental service offered by an IXP is a shared layer 2 switching fabric. Although it seems a basic functionality, today's solutions never address their basic requirements properly. Today's network solutions are inflexible, as proprietary closed implementations of a distributed control plane tied together with the data plane. Actual network functions are unmanageable and have no flexibility. We can understand how desperate IXP operators are when reading the EURO-IX "wishlist" of the requirements that need to be implemented in core Ethernet switching equipment. The network vendor solutions for IXPs based on MPLS are an imperfect readjustment. SDN is an emerging paradigm decoupling the control and data planes, and opening the high-performance forwarding plane with OpenFlow. The aim of this thesis is to propose a pragmatic IXP OpenFlow switching fabric, addressing the critical requirements and bringing more flexibility. Transparency is better for neutrality. IXPs need a straightforward, more transparent layer 2 fabric where IXP participants can exchange their traffic independently. A few SDN solutions have been presented already, but all of them propose a fuzzy separation of layers 2 and 3. For better stability, not all control plane functions can be decoupled from the data plane. As another goal statement, network testing tools are essential for qualifying networking equipment. Most of them are software based and enable to perform at high speed with accuracy.
Moreover, with network hardware monitoring and testing being critical for computer networks, current solutions are both extremely expensive and inflexible. The experience in deploying OpenFlow in production networks has so far highlighted significant limitations in the support of the protocol by hardware switches. We present Umbrella, a new SDN-enabled IXP fabric architecture that aims at strengthening the separation of control and data plane to increase the robustness, flexibility and reliability of the exchange. Umbrella abolishes broadcasting with a pseudo wire and segment routing approach. We demonstrated that, for an IXP fabric, not all of the control plane can be decoupled from the data plane. We demonstrate that Umbrella can scale and recycle legacy non-OpenFlow core switches to reduce migration cost. Into the testing tools lacuna we launch the Open Source Network Tester (OSNT), a fully open-source traffic generator and capture system. Additionally, our approach has demonstrated lower cost than comparable commercial systems while achieving comparable levels of precision and accuracy; all within an open-source framework extensible with new features to support new applications, while permitting validation and review of the implementation. We also present the integration of OpenFlow Operations Per Second (OFLOPS), an OpenFlow switch evaluation platform, with the OSNT platform, a hardware-accelerated traffic generation and capturing platform. What is better justification than a real deployment? We demonstrated the real flexibility and benefit of the Umbrella architecture by persuading ten Internet operators to migrate the entire Toulouse IXP. The hardware testing tools we have developed have been used to qualify the hardware that has been deployed in production. The TouIX has been running stably for a year. It is fully managed and monitored through a single web application, removing all the legacy complex management systems.
21

Mayoral, López de Lerma Arturo. "Integrated IT and SDN Orchestration of multi-domain multi-layer transport networks." Doctoral thesis, Universitat Politècnica de Catalunya, 2019. http://hdl.handle.net/10803/667694.

Abstract:
Telecom operators' network management and control remains partitioned by technology, equipment supplier and networking layer. In some segments, the network operations are highly costly due to the need for individual, and even manual, configuration of the network equipment by highly specialized personnel. In multi-vendor networks, expensive and never-ending integration processes between Network Management Systems (NMSs) and the rest of the systems (OSSs, BSSs) are a common situation, due to the lack of adoption of standard interfaces in the management systems of the different equipment suppliers. Moreover, the increasing impact of the new traffic flows introduced by the deployment of massive Data Centers (DCs) is also imposing new challenges that traditional networking is not ready to overcome. The Fifth Generation of Mobile Technology (5G) is also introducing stringent network requirements such as the need to connect billions of new devices to the network in the IoT paradigm, new ultra-low latency applications (i.e., remote surgery) and vehicular communications. All these new services, together with enhanced broadband network access, are supposed to be delivered over the same network infrastructure. In this PhD Thesis, a holistic view of Network and Cloud Computing resources, based on the recent innovations introduced by Software Defined Networking (SDN), is proposed as the solution for designing an end-to-end multi-layer, multi-technology and multi-domain cloud and transport network management architecture, capable of offering end-to-end services from the DC networks to customers' access networks and the virtualization of network resources, allowing new ways of slicing the network resources for the forthcoming 5G deployments.
The first contribution of this PhD Thesis deals with the design and validation of SDN-based network orchestration architectures capable of improving the current solutions for the management and control of multi-layer, multi-domain backbone transport networks. These problems have been assessed and progressively solved by different control and management architectures which have been designed and evaluated in real evaluation environments. One of the major findings of this work has been the need to develop a common information model for transport network management, capable of describing the resources and services of multilayer networks. In this line, the Control Orchestration Protocol (COP) has been proposed as a first contribution towards a standard management interface based on the main principles driven by SDN. Furthermore, this PhD Thesis introduces a novel architecture capable of coordinating the management of IT computing resources together with inter- and intra-DC networks. The provisioning and migration of virtual machines together with the dynamic reconfiguration of the network has been successfully demonstrated in a feasible timescale. Moreover, a resource optimization engine is introduced in the architecture to introduce optimization algorithms capable of solving allocation problems such as the optimal deployment of Virtual Machine Graphs over different DC locations, minimizing the inter-DC network resources allocation. Baseline blocking probability results over different network loads are also presented. The third major contribution is the result of the previous two. With a converged cloud and network infrastructure controlled and operated jointly, the holistic view of the network allows the on-demand provisioning of network slices consisting of dedicated network and cloud resources over a distributed DC infrastructure interconnected by an optical transport network.
The last chapters of this thesis discuss the management and orchestration of 5G slices based over the control and management components designed in the previous chapters. The design of one of the first network slicing architectures and the deployment of a 5G network slice in a real Testbed, is one of the major contributions of this PhD Thesis.
The management and control of network operators' (Telcos') networks is, still today, segmented by technology, by equipment vendor and by network layer. In some segments (for example in IP), network operation is tremendously costly, since in many cases individual, and even manual, configuration of the equipment by highly specialized personnel is still required. In multi-vendor networks, the integration processes between the network management systems (NMS) and the rest of the systems (e.g., OSS/BSS) are usually long and extremely costly due to the lack of adoption of standard interfaces by the different network vendors. In addition, the growing impact on transport networks of the new traffic flows introduced by the massive deployment of Data Centers (DC) introduces new challenges that traditional network management and control architectures are not prepared to face. The fifth generation of mobile technology (5G) introduces new network requirements, such as the need to connect trillions of new devices to the network (Internet of Things - IoT), ultra-low latency applications (e.g., remote surgery) and vehicular communications. All these services, together with improved access to the broadband network, will have to be provided over the same network infrastructure. This doctoral thesis proposes a holistic view of network and cloud resources, based on the principles introduced by Software Defined Networking (SDN), as the solution for the design of an end-to-end (E2E) management architecture for multi-layer and multi-domain network scenarios, capable of offering E2E services, from intra-DC networks to access networks, and of additionally offering virtualization of network resources, enabling new forms of slicing in transport networks and cloud infrastructure for the upcoming 5G deployments.
The first contribution of this thesis consists of the validation of SDN-based network orchestration architectures for the management and control of multi-domain and multi-layer backbone transport networks. These problems (management of multi-layer and multi-domain networks) have been evaluated incrementally, through the design and experimental evaluation, in real test environments, of different control and management architectures. One of the main findings of this work has been the need for a common information model for the management interfaces between SDN control entities. Along these lines, the Control Orchestration Protocol (COP) has been proposed as a standard network management interface for multi-layer SDN transport networks. In addition, in this thesis we present an architecture capable of coordinating the management of IT and network resources. The provisioning and migration of virtual machines together with the dynamic reconfiguration of the network have been successfully demonstrated on a feasible timescale. Furthermore, the architecture incorporates a platform for running resource optimization algorithms capable of solving different allocation problems, such as the optimal deployment of Virtual Machine Graphs (VMG) across different DCs that minimizes the allocation of network resources. This thesis proposes a solution to this problem, which has been evaluated in terms of blocking probability for different network loads. The third contribution is the result of the previous two. The integrated network and cloud architecture presented allows the on-demand creation of "network slices", which consist of subsets of network and cloud resources dedicated to different customers over a common infrastructure. The design of one of the first "network slicing" architectures and the deployment of a fully operational 5G network slice in a real testbed is one of the main contributions of this thesis.
The management and control of telecommunications operators' (Telcos') networks is, even today, segmented by technology, by equipment vendor and by network layer. In some segments (for example, IP) network operation is tremendously costly, since in many cases individual, and even manual, configuration of the equipment by highly specialized personnel is still required. In multi-vendor networks, the integration processes between Network Management Systems (NMS) and the rest of the systems (for example, Operations Support Systems - OSS and Business Support Systems - BSS) are usually interminable and extremely costly because of the lack of adoption of standard interfaces by the different network vendors. Moreover, the growing impact on transport networks of the new traffic flows introduced by the massive deployment of Data Centers (DC) introduces new challenges that traditional network management and control architectures are not ready to face. To complete the description of the context, the fifth generation of mobile technology (5G) also presents new, highly demanding network requirements, such as the need to connect billions of new devices to the network, in the context of the Internet of Things (IoT), or the new ultra-low-latency applications (such as remote surgery) and vehicular communications. All these new services, together with enhanced broadband network access, are supposed to be delivered over the same network infrastructure. This doctoral thesis proposes a holistic view of network and cloud resources, based on the principles introduced by Software Defined Networking (SDN), as the solution for the design of an end-to-end management architecture for multi-layer, multi-domain network scenarios consisting of multiple transport technologies.
This architecture for the management and control of transport networks and IT resources must be capable of offering end-to-end services, from intra-DC networks to customer access networks, and must also offer virtualization of network resources, opening the door to new forms of slicing in transport networks and cloud infrastructure for the upcoming 5G deployments. The first contribution of this doctoral thesis is the validation of different SDN-based network orchestration architectures capable of improving on existing solutions for the management and control of multi-domain, multi-layer backbone transport networks. These problems (multi-layer and multi-domain network management) have been evaluated incrementally, through the design and experimental evaluation, in real test environments, of different control and management architectures. One of the main findings of this work has been the need to design a common information model for network management interfaces, capable of describing the resources and services of multi-layer transport networks. Along these lines, the Control Orchestration Protocol (COP) has been proposed in this thesis as a first contribution towards a standard network management interface based on the basic principles of SDN. In addition, in this thesis we present an innovative architecture capable of coordinating the management of IT resources together with inter- and intra-DC networks. The provisioning and migration of virtual machines together with the dynamic reconfiguration of the network has been successfully demonstrated on a feasible time scale. Furthermore, the architecture incorporates a platform for running resource optimization algorithms capable of solving different allocation problems, such as the optimal deployment of Virtual Machine Graphs (VMGs) across different DC locations that minimizes the allocation of network resources between DCs.
A basic solution to this problem is also presented, along with blocking probability results for different network loads. The third main contribution is the result of the previous two. With a converged network and cloud infrastructure, jointly controlled and operated, the holistic view of the network enables the on-demand provisioning of "network slices", which consist of subsets of network and cloud resources dedicated to different customers, over a Data Center infrastructure that is distributed and interconnected by an optical transport network. The final chapters of this thesis deal with the management and organization of network slices for 5G networks, based on the control and management components designed and developed in the previous chapters. The design of one of the first network slicing architectures and the deployment of a fully operational 5G network slice on a real testbed is one of the main contributions of this thesis.
22

Pitzus, Antonio. "SDN : Software Defined Networking." Bachelor's thesis, Alma Mater Studiorum - Università di Bologna, 2017. http://amslaurea.unibo.it/14006/.

Abstract:
At a time when everything is evolving rapidly, the telecommunications sector is witnessing exponential growth in the number of mobile devices constantly connected to the network; this calls for a new way of managing networks. The new vision that has been taking shape recently is to adopt a network model that is dynamic, flexible and above all reliable, and that does not require major maintenance effort or the installation of additional hardware by operators. A network with these characteristics can be developed thanks to an innovative architectural model such as Software Defined Networking (SDN) and to a new way of exploiting the functions of network equipment such as Network Function Virtualization (NFV), which in turn is a process of virtualizing the network functions performed by physical telecommunications equipment. These two concepts are closely linked and can bring particular advantages when applied together, but they are in themselves independent. Software Defined Networking (SDN) is an architecture used to build telecommunications networks in which the network control plane and the data transport plane are logically separated. Network Function Virtualization (NFV) is the process of virtualizing the network functions performed by physical telecommunications equipment. A final aspect to address concerns the high-level and low-level communication of the SDN controller. High-level communication, that is, with application software, is enabled by the NBIs (North-Bound Interfaces), while low-level communication, that is, with hardware devices, is enabled by the SBIs (South-Bound Interfaces). These two interfaces are able to satisfy the requests of the SDN controller thanks to the application of the Intent NBI paradigm, which is declarative, non-prescriptive and vendor-independent.
23

Andersson, Peter, and Robin Blomqvist. "Software Defined Network : Med openflow." Thesis, Mittuniversitetet, Avdelningen för informations- och kommunikationssystem, 2016. http://urn.kb.se/resolve?urn=urn:nbn:se:miun:diva-28597.

Abstract:
The goal of this project has been to create a redundant SDN network that will serve as the foundation for a fictitious company. The company should be able to use the network we build to develop it further and adapt it to the needs of the business. The network is built with Mininet, which is used to simulate a network environment. The fictitious company should then be able to simply lift the network out of Mininet onto a real network. The network's functions, such as the STP and LACP protocols, are implemented using the Python programming language.
The goal for this project is to set up a redundant Software Defined Network for a fictive company. The company should be able to use the network for future network extension. The network will be built in Mininet. Mininet is a software that is used to simulate a real network environment. The company should also be able to take the simulated network in Mininet and implement it into a real network. The protocols STP and LACP are implemented in the network by means of the programming language Python.
24

Marchelletta, Enrico Maria. "Rassegna su software-defined networking e openflow." Bachelor's thesis, Alma Mater Studiorum - Università di Bologna, 2015. http://amslaurea.unibo.it/9108/.

Abstract:
This thesis is a survey of Software-Defined Networking (SDN): an emerging paradigm in the field of computer networks that makes it possible to control the behaviour of the entire network through logically centralized software. In particular, it examines in depth the OpenFlow protocol, the open and standardized interface for communication between the control plane and the forwarding plane, which has become a "de facto" standard in SDN technology.
25

Biyase, Lindokuhle Zakithi. "Scalable Bandwidth Management in Software-Defined Networks." Master's thesis, Faculty of Engineering and the Built Environment, 2021. http://hdl.handle.net/11427/33656.

Abstract:
There has been a growing demand to manage bandwidth as the network traffic increases. Network applications such as real time video streaming, voice over IP and video conferencing in IP networks have risen rapidly recently and are projected to continue in the future. These applications consume a lot of bandwidth resulting in increasing pressure on the networks. In dealing with such challenges, modern networks must be designed to be application sensitive and be able to offer Quality of Service (QoS) based on application requirements. Network paradigms such as Software Defined Networking (SDN) allow for direct network programmability to change the network behavior to suit the application needs in order to provide solutions to the challenge. In this dissertation, the objective is to research if SDN can provide scalable QoS requirements to a set of dynamic traffic flows. Methods are implemented to attain scalable bandwidth management to provide high QoS with SDN. Differentiated Services Code Point (DSCP) values and DSCP remarking with Meters are used to implement high QoS requirements such that bandwidth guarantee is provided to a selected set of traffic flows. The theoretical methodology is implemented for achieving QoS, experiments are conducted to validate and illustrate that QoS can be implemented in SDN, but it is unable to implement High QoS due to the lack of implementation for Meters with DSCP remarking. The research work presented in this dissertation aims at identifying and addressing the critical aspects related to the SDN based QoS provisioning using flow aggregation techniques. Several tests and demonstrations will be conducted by utilizing virtualization methods. The tests are aimed at supporting the proposed ideas and at creating an improved understanding of the practical SDN use cases and the challenges that emerge in virtualized environments. DiffServ Assured Forwarding is chosen as a QoS architecture for implementation.
The bandwidth management scalability in SDN is proved based on throughput analysis by considering two conditions, i.e. 1) Per-flow QoS operation and 2) QoS by using DiffServ operation in the SDN environment with Ryu controller. The result shows that better performance QoS and bandwidth management is achieved using the QoS by DiffServ operation in SDN rather than the per-flow QoS operation.
26

Tseng, Yuchia. "Securing network applications in software defined networking." Electronic Thesis or Diss., Sorbonne Paris Cité, 2018. http://www.theses.fr/2018USPCB036.

Abstract:
Following the introduction of various Internet services, computer networks have been recognized as having played an essential role in modern life over the last half century. The rapid development and convergence of computing and communication technologies create the need to connect diverse devices with different operating systems and protocols. This results in numerous challenges in providing seamless integration of a large number of heterogeneous physical devices or entities. Thus, Software Defined Networks (SDN), as an emerging paradigm, have the potential to revolutionize network management by centralizing control and global visibility over the entire network. However, security issues remain a significant concern and prevent the widespread adoption of SDN. To identify the threats, we carried out a 3-dimensional analysis to evaluate the security of SDN. In this analysis, we took 9 security principles for the SDN controller and checked the security of current SDN controllers against these principles. We found that the SDN controllers ONOS and OpenContrail are relatively more secure than the others according to our analysis methodology. We also found an urgent need to mitigate the problem of malicious application injection. Consequently, we proposed a security-enhancing layer (SE-layer) to protect the interaction between the control plane and the application plane. This SE-layer is controller-independent and can work with OpenDaylight, ONOS, Floodlight, Ryu and POX, with low deployment complexity. No modification of their source code is required in their implementation, while the overall security of the SDN controller is improved.
Prototype I, Controller SEPA, protects the SDN controller with network application authentication, authorization, application isolation and information shielding, at a negligible additional cost of less than 0.1% to 0.3%. We developed prototype II of the SE-layer, called Controller DAC, which makes access control dynamic. Controller DAC can detect API abuse by accounting for the operations of the network application, at an additional cost of less than 0.5%. Thanks to this SE-layer, the overall security of the SDN controller is improved, but at an additional cost of less than 0.5%. In addition, we attempted to provide a secure network application deployment framework for the SDN controller with an orchestrator. First, we secured the SDN controller by using a message queue to replace the currently popular interfaces, including RESTful APIs and internal APIs, with a decomposable event-driven interface. With this new northbound interface, the orchestrator can deploy network applications in a sandbox with resource control and access control. This approach can effectively protect against threats that include resource exhaustion attacks and data processing on the current SDN controller. We also implemented a network application deployed by the orchestrator to detect an OpenFlow-specific attack, called the priority bypass attack, in order to evaluate the usefulness of the northbound interface. In the long term, the processing time of a packet_in message in this interface is less than five milliseconds, but the network application can be completely decoupled and isolated from the SDN controller.
The rapid development and convergence of computing technologies and communications create the need to connect diverse devices with different operating systems and protocols. This resulted in numerous challenges to provide seamless integration of a large amount of heterogeneous physical devices or entities. Hence, Software-defined Networks (SDN), as an emerging paradigm, have the potential to revolutionize the legacy network management and accelerate the network innovation by centralizing the control and visibility over the network. However, security issues remain a significant concern and impede SDN from being widely adopted. To identify the threats inherent to SDN, we conducted a deep analysis in 3 dimensions to evaluate the security of the proposed architecture. In this analysis, we summarized 9 security principles for the SDN controller and checked the security of the current well-known SDN controllers with those principles. We found that the SDN controllers, namely ONOS and OpenContrail, are the two relatively more secure controllers according to our conducted methodology. We also found the urgent need to integrate mechanisms such as connection verification, application-based access control, and data-to-control traffic control for securely implementing an SDN controller. In this thesis, we focus on the app-to-control threats, which could be partially mitigated by the application-based access control. As the malicious network application can be injected into the SDN controller through external APIs, i.e., RESTful APIs, or internal APIs, including OSGi bundles, Java APIs, Python APIs etc. In this thesis, we discuss how to protect the SDN controller against the malicious operations caused by the network application injection both through the external APIs and the internal APIs.
We proposed a security-enhancing layer (SE-layer) to protect the interaction between the control plane and the application plane in an efficient way with fine-grained access control, especially hardening the SDN controller against the attacks from the external APIs. This SE-layer is implemented in the RESTful-based northbound interfaces in the SDN controller and hence it is controller-independent for working with most popular controllers, such as OpenDaylight, ONOS, Floodlight, Ryu and POX, with low deployment complexity. No modifications of the source codes are required in their implementations while the overall security of the SDN controller is enhanced. Our developed prototype I, Controller SEPA, protects well the SDN controller with network application authentication, authorization, application isolation, and information shielding with negligible latency from less than 0.1% to 0.3% for protecting the SDN controller against the attacks via external APIs, i.e., RESTful APIs. We developed also the SE-layer prototype II, called Controller DAC, which makes the access control dynamic. Controller DAC can detect the API abuse from the external APIs by accounting the network application operation with latency less than 0.5%. Thanks to this SE-layer, the overall security of the SDN controller is improved but with a latency of less than 0.5%. However, the SE-layer can isolate the network application to communicate with the controller only through the RESTful APIs. However, the RESTful APIs are insufficient in the use cases which need the real-time service to deliver the OpenFlow messages. Therefore, we proposed a security-enhancing architecture for securing the network application deployment through the internal APIs in SDN, with a new SDN architecture dubbed SENAD.
In SENAD, we split the SDN controller into: (1) a data plane controller (DPC), and (2) an application plane controller (APC) and adopt the message bus system as the northbound interface instead of the RESTful APIs for providing the service to deliver the OpenFlow messages in real-time. (...)
27

Hossain, Md Billal. "QoS-Aware Intelligent Routing For Software Defined Networking." University of Akron / OhioLINK, 2020. http://rave.ohiolink.edu/etdc/view?acc_num=akron1595086618729923.

28

Jiménez, Agudelo Yury Andrea. "Scalability and robustness in software-defined networking (SDN)." Doctoral thesis, Universitat Politècnica de Catalunya, 2016. http://hdl.handle.net/10803/397652.

Abstract:
The simplicity of Internet design has led to enormous growth and innovation. In recent decades several network technologies, services and applications have appeared, which demand specific network requirements for their correct operation. In traditional networks, operators are responsible for providing a network configuration sufficiently robust to deal with a wide range of network events and applications. To achieve this is incredibly difficult because: i) the state of the networks can change continuously and today's networks do not provide a mechanism to automatically respond to the wide range of events that may occur and ii) the static nature of current network devices does not permit detailed control-layer configuration, given that the hardware and software are provided by the manufacturer and cannot be customized. This is the basis of the current, present-day Internet and its architecture, that has grown in an evolutionary fashion from experimental beginnings, rather than from a deliberate strategy. The unpredictable network growth in terms of size and heterogeneity has exposed a number of fundamental complexities in the current architecture. For instance, the manual configuration of control functions on network devices may lead to misconfigurations. It is evident that network management requires more intelligent and efficient management systems to coordinate thousands of network elements and applications, the high demand on network performance and growing configuration complexity. In recent decades, several approaches have been introduced in order to improve the network management, such as: MPLS, virtualization and programmable networks. These latter networks have been proposed as a way of facilitating network evolution.
In particular, Software Defined Networking (SDN), a networking paradigm focused on allowing software developers to rely on network resources in an easy manner, unifying the state network distribution and a general-purpose technique to manage any type of network in a transparent manner. In SDN, network intelligence is logically centralized in software-based controllers (the control layer), and network devices become simple packet forwarding devices (the data layer) that can be programmed via an open interface. By decoupling the control and data layers, network devices can be easily programmed and reconfigured, allowing the behaviour of different types of network devices to be unified. Even though SDN is quite recent, it has already been standardized and implemented in the Internet by several recognized companies such as Google. Several SDN architectures have been proposed to handle current and future network services. However, there are still important research challenges to be addressed in SDN. Some of these current challenges are related to: i) SDN scalability as control is centralized, ii) control layer robustness as any failure can lead to switches being disconnected from the controller, iii) consistency of network information as wrong decisions can be made affecting network performance and iv) security as controllers can be attacked. The purpose of this thesis is to address the first three of the aforementioned problems. They are addressed from the first premise, ignoring existing approaches offered in traditional networks to remedy some of these issues. First, a controller placement protocol is proposed, taking into account the network/service requirements. To measure the robustness of a control layer, a robustness metric is designed and evaluated. This metric can also be used to select controller placements in an SDN network that minimize the data loss. Finally, a resource discovery protocol is designed, implemented and evaluated.
This protocol discovers any network topology in a time-efficient manner, avoiding making assumptions about the network state as happens in traditional networks.
In traditional networks, network operators are responsible for providing a network configuration robust enough to handle the different types of events that may affect its operation and the requirements of services. This is difficult to achieve because: i) the operation of networks can vary at any time and current networks do not have a mechanism that allows them to react efficiently to the wide range of events that may occur and ii) the static nature of network elements does not allow detailed configuration, since their hardware/software cannot be modified efficiently. The unpredictable growth of the network in terms of its size and heterogeneity has exposed a number of complexities in the current network architecture. First, network elements have to support a large number of commands/configurations on a specific operating system, making it difficult to install new software on them, because of incompatibilities with the hardware or because the software is unable to manage the capabilities of the hardware. Second, the manual configuration of control functions on network elements can lead to misconfigured routing tables. Finally, the vertical integration of middleboxes makes it difficult for operators to specify high-level policies over traditional network technologies. Network management requires an intelligent and efficient system that coordinates: i) the thousands of elements and applications present in the network, ii) the high demand on network performance and iii) the growing complexity of network configuration. In recent decades, different solutions have been proposed with the aim of improving network management, such as MPLS, virtualization and programmable networks.
In the latter case, software-defined networks or SDNs allow software developers to manage network resources in an easy way, since the distribution of the network state is unified, which makes it possible to manage any type of network in a transparent and time-efficient manner. In SDN, the intelligence of the network is logically centralized in network elements called controllers, so that the other elements acting in the network only forward packets towards the destination. These elements are configured by the controllers through an open interface. That is, SDN decouples the control layer from the data layer, allowing network elements to be programmed and reconfigured independently of the type of network. Even though SDN is recent, it has been standardized and implemented by different companies (e.g., Google). However, there are still several challenges to be solved in SDN. Some of these challenges are related to: i) the scalability of the controllers, as they are centralized, ii) the robustness of the control layer, given that a failure in it can leave network elements without a connection to the controller, iii) the consistency of control information, to avoid making decisions that affect the operation of the network, and finally iv) security. In this thesis, the first three challenges are addressed from the point of view of the placement of controllers in the network, which are selected taking into account the requirements of the services/applications and the characteristics of the network. The first contribution of this thesis is an algorithm that selects the number of controllers and their location in the network. A robustness parameter is defined that makes it possible to select the controllers from which a robust control layer is built and that can also measure the robustness of any control layer.
Finally, a protocol that discovers the topology and characteristics of any network is proposed and evaluated.
29

Aydeger, Abdullah. "Software Defined Networking for Smart Grid Communications." FIU Digital Commons, 2016. http://digitalcommons.fiu.edu/etd/2580.

Abstract:
Emerging Software Defined Networking (SDN) technology has provided excellent flexibility to large-scale networks in terms of control, management, security, and maintenance. On the other hand, recent years witnessed a tremendous growth of the critical infrastructure networks, namely the Smart-Grid, in terms of its underlying communication infrastructure. Such large local networks require significant effort in terms of network management and security. We explore the potential utilization of the SDN technology over the Smart Grid communication architecture. Specifically, we introduce three novel SDN deployment scenarios in local networks of Smart Grid. Moreover, we also investigate the pertinent security aspects with each deployment scenario along with possible solutions. On the other hand, we conducted experiments by using actual Smart Grid communication data to assess the recovery performance of the proposed SDN-based system. The results show that SDN is a viable technology for the Smart Grid communications with almost negligible delays in switching to backup wireless links.
30

Thanh, Bui Tien. "Analysis of Topology Poisoning Attacks in Software-Defined Networking." Thesis, KTH, Skolan för informations- och kommunikationsteknik (ICT), 2015. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-172353.

Abstract:
Software-defined networking (SDN) is an emerging architecture with a great potential to foster the development of modern networks. By separating the control plane from the network devices and centralizing it at a software-based controller, SDN provides network-wide visibility and flexible programmability to network administrators. However, the security aspects of SDN are not yet fully understood. For example, while SDN is resistant to some topology poisoning attacks in which the attacker misleads the routing algorithm about the network structure, similar attacks by compromised hosts and switches are still known to be possible. The goal of this thesis is to thoroughly analyze the topology poisoning attacks initiated by compromised switches and to identify whether they are a threat to SDN. We identify three base cases of the topology poisoning attack, in which the attack that requires a single compromised switch is a new variant of topology poisoning. We develop proof-of-concept implementations for these attacks in emulated networks based on OpenFlow, the most popular framework for SDN. We also evaluate the attacks in simulated networks by measuring how much additional traffic the attacker can divert to the compromised switches. A wide range of network topologies and routing algorithms are used in the simulations. The simulation results show that the discovered attacks are severe in many cases. Furthermore, the seriousness of the attacks increases according to the number of tunnels that the attacker can fabricate and also depends on the distance between the tunnel endpoints. The simulations indicate that network design can help to mitigate the attacks by, for example, shortening the paths between switches in the network, randomizing regular network structure, or increasing the load-balancing capability of the routing strategy.
31

Ongaro, Francesco. "Enhancing quality of service in software-defined networks." Master's thesis, Alma Mater Studiorum - Università di Bologna, 2014. http://amslaurea.unibo.it/7356/.

Abstract:
Resource management is of paramount importance in network scenarios and it is a long-standing and still open issue. Unfortunately, while technology and innovation continue to evolve, our network infrastructure system has been maintained almost in the same shape for decades and this phenomenon is known as “Internet ossification”. Software-Defined Networking (SDN) is an emerging paradigm in computer networking that allows a logically centralized software program to control the behavior of an entire network. This is done by decoupling the network control logic from the underlying physical routers and switches that forward traffic to the selected destination. One mechanism that allows the control plane to communicate with the data plane is OpenFlow. The network operators could write high-level control programs that specify the behavior of an entire network. Moreover, the centralized control makes it possible to define more specific and complex tasks that could involve many network functionalities, e.g., security, resource management and control, into a single framework. Nowadays, the explosive growth of real time applications that require stringent Quality of Service (QoS) guarantees, brings the network programmers to design network protocols that deliver certain performance guarantees. This thesis exploits the use of SDN in conjunction with OpenFlow to manage differentiating network services with a high QoS. Initially, we define a QoS Management and Orchestration architecture that allows us to manage the network in a modular way. Then, we provide a seamless integration between the architecture and the standard SDN paradigm following the separation between the control and data planes. This work is a first step towards the deployment of our proposal in the University of California, Los Angeles (UCLA) campus network with differentiating services and stringent QoS requirements.
We also plan to exploit our solution to manage the handoff between different network technologies, e.g., Wi-Fi and WiMAX. Indeed, the model can be run with different parameters, depending on the communication protocol and can provide optimal results to be implemented on the campus network.
32

Nyberg, Tihmmy. "Introduktion till Software Defined Networking : Utvärdering av kontroller." Thesis, Mittuniversitetet, Institutionen för informationssystem och –teknologi, 2020. http://urn.kb.se/resolve?urn=urn:nbn:se:miun:diva-39380.

Abstract:
This study focuses on gathering information about Software Defined Networking, its protocols and its controllers. What I have learned doing this will be used to evaluate two different controllers, POX and ONOS. A traditional network setup will be set up physically and serve as a base when it comes to comparing the controllers. The traditional setup includes two routers and four switches, and among the tested characteristics are layer 2 and 3 and their redundancy protocols. The controllers will then be used to try and live up to the same characteristics. The result of this study shows that neither POX nor ONOS could be used for every scenario tested, not with the basic modules the controllers come with. It also showed that the characteristics they did manage were a fair bit easier to set up and monitor compared to their traditional counterparts, thus showing the importance of figuring out what is needed from a network before trying to find a fitting solution to how it needs to be set up. All the information gathered in this study is also used to create a lab instruction meant to introduce others to the concepts of SDN. It explores how to use Mininet to virtualise a network environment, how to install flows using OpenFlow and how to use a controller to simplify the management of the network.
33

Kim, Hyojoon. "Facilitating dynamic network control with software-defined networking." Diss., Georgia Institute of Technology, 2015. http://hdl.handle.net/1853/53939.

Abstract:
This dissertation starts by realizing that network management is a very complex and error-prone task. The major causes are identified through interviews and systematic analysis of network configuration data on two large campus networks. This dissertation finds that network events and dynamic reactions to them should be programmatically encoded in the network control program by operators, and some events should be automatically handled for them if the desired reaction is general. This dissertation presents two new solutions for managing and configuring networks using Software-Defined Networking (SDN) paradigm: Kinetic and Coronet. Kinetic is a programming language and central control platform that allows operators to implement traffic control application that reacts to various kinds of network events in a concise, intuitive way. The event-reaction logic is checked for correction before deployment to prevent misconfigurations. Coronet is a data-plane failure recovery service for arbitrary SDN control applications. Coronet pre-plans primary and backup routing paths for any given topology. Such pre-planning guarantees that Coronet can perform fast recovery when there is failure. Multiple techniques are used to ensure that the solution scales to large networks with more than 100 switches. Performance and usability evaluations show that both solutions are feasible and are great alternative solutions to current mechanisms to reduce misconfigurations.
34

D'Ambrosio, Mattia. "Software Defined Networks: alcuni casi di studio." Bachelor's thesis, Alma Mater Studiorum - Università di Bologna, 2014. http://amslaurea.unibo.it/7256/.

Abstract:
This paper describes the emerging approach to networking, Software Defined Networking, and its benefits. It then considers an important component of this new architecture: the OpenFlow protocol; it explains what it is and lists the benefits it can bring to an SDN architecture. In support of these, four different OF use cases are shown and then compared with equivalent scenarios that do not use this protocol. Finally, some possible studies and developments concerning this architecture are considered.
35

Crestani, Giulio. "Problematiche di sicurezza nelle software defined networks." Bachelor's thesis, Alma Mater Studiorum - Università di Bologna, 2014. http://amslaurea.unibo.it/7555/.

Abstract:
This thesis aims to understand and evaluate whether the approach of the SDN paradigm, which will be explained in chapter 1, can be used effectively to implement systems for the protection and security of a network of greater or lesser extent. Besides introducing the SDN paradigm with its basic components, it introduces the fundamental OpenFlow protocol for managing the various components. To reach this objective, some preliminary steps were followed. First of all, what SDN is was studied. It introduces a potential innovation in the use of the network. The combination of a global view of the whole network and its programmability makes the management of network traffic a rather complicated process at the application level, but with a highly performant result in terms of flexibility. The changes to the network architecture introduced by SDN must be evaluated to ensure that network security is maintained. Software Defined Networks (as we will see in the first chapters) are able to interact across all layers of the ISO/OSI model, and this characteristic can create problems. In today's networks, when operating in a “confined” environment, it is easy both to predict what might happen and to trace the events that are less easily detectable. When several layers are managed, however, the situation becomes much more complex because there are more factors to manage, the variability of the possible cases increases sharply, and it also becomes harder to distinguish legitimate cases from illegitimate ones. On the basis of these complications, the question was raised whether SDN has security problems and how it could be used for security. To answer this question, the relevant literature was reviewed, indicating, in chapter 3, some of the solutions that have been studied. Subsequently, the tools used to create and manage these networks were clarified (chapter 4) and finally (chapter 5) an attempt was made to implement a case study to understand what problems must be faced at the practical level. All the steps identified will then be described in detail and, at the end, some conclusions will be drawn on the basis of the experience gained.
36

Cerboni, Simone Marco. "Software Defined Networking for The Internet of Things." Master's thesis, Alma Mater Studiorum - Università di Bologna, 2016.

Abstract:
Wireless sensor networks are today, in the world of telecommunications, one of the fastest growing and developing fields, being one of the cornerstones of the vision of the Internet of Things (IoT). The nature of this type of network, most often made up of simple, low-cost devices that must be able to run different types of applications despite limited computing power, leads to the need for a network protocol that is at once flexible and of low complexity. Moreover, the future fifth generation of cellular networks (5G) will also have to incorporate the traffic due to IoT networks, with the prerequisite of a latency that is low and deterministic, all through a centralized approach. Given this scenario, applying the concept of Software Defined Networking within wireless sensor networks could be a possible solution to the challenges of 5G, and this dissertation presents an implementation of that principle. In particular, this thesis describes the structure of an SDN-based IoT network, with some of the additional services it can provide compared with other solutions for sensor networks, how it was implemented, and the results obtained from the tests carried out.
37

Pagola, Moledo Santiago. "Vendor-Independent Software-Defined Networking : Beyond The Hype." Thesis, Linköpings universitet, Databas och informationsteknik, 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-157456.

Abstract:
Software-Defined Networking (SDN) is an emerging trend in networking that offers a number of advantages such as smoother network management over traditional networks. By decoupling the control and data planes from network elements, a huge amount of new opportunities arise, especially in network virtualization. In cloud datacenters, where virtualization plays a fundamental role, SDN presents itself as the perfect candidate to ease infrastructure management and to ensure correct operation. Even if the original SDN ideology advocates openness of source and interfaces, multiple networking vendors offer their own proprietary solutions. In this work, an open-source SDN solution, named Tungsten Fabric, will be deployed in a virtualized datacenter and a number of SDN-related use-cases will be examined. The main goal of this work is to determine whether Tungsten Fabric can deliver the same set of use-cases as a proprietary solution from Juniper, named Contrail Cloud. Finally, this work will give some guidelines on whether open-source SDN is the right candidate for Ericsson.
38

Rotsos, Charalampos. "Improving network extensibility and scalability through SDN." Thesis, University of Cambridge, 2015. https://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.709033.

39

Liver, Toma, and Mohammed Darian. "Soft Migration from Traditional to Software Defined Networks." Thesis, Mälardalens högskola, Akademin för innovation, design och teknik, 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:mdh:diva-44265.

Abstract:
The concept of Software Defined Networking (SDN) may be a way to face the fast growing computer network infrastructure with its demands and requirements. The concept is attracting the interest of enterprises to expand their respective network infrastructures, but one has to consider the impacts of migrating from an existing network infrastructure to an SDN network. One way that could minimize the impacts is to proceed with a soft migration from a traditional IP network to SDN, creating what is called a heterogeneous network. Instead of fully replacing the network infrastructure and facing the impacts of it, the idea of the soft migration is to replace a part of it with an environment of SDN and examine the performance of it. This thesis work will analyze the performance of a network consisting of a traditional IP network combined with SDN. It is essential during this work to identify the differences in performance when having a heterogeneous network in comparison with having a dedicated traditional IP network. Therefore, the questions that will be addressed during this thesis work are how such a heterogeneous network can be designed and how its performance measures in terms of throughput, jitter and packet losses. By the method of experimentation and the studying of related works of the SDN fundamentals, we hope to achieve our goals with this thesis work, to give us and the reader a clearer insight.
40

Abou, El Houda Zakaria. "Security Enforcement through Software Defined Networks (SDN)." Thesis, Troyes, 2021. http://www.theses.fr/2021TROY0023.

Abstract:
The original design of the Internet did not take into consideration security aspects of the network; the priority was to facilitate the process of communication. Therefore, many of the protocols that are part of the Internet infrastructure expose a set of vulnerabilities that can be exploited by attackers to carry out a set of attacks. Distributed Denial-of-Service (DDoS) represents a big threat and one of the most devastating and destructive attacks plaguing network operators and Internet service providers (ISPs) in a stealthy way. Software defined networks (SDN) is an emerging technology that promises to solve the limitations of the conventional network architecture by decoupling the control plane from the data plane. On one hand, the separation of the control plane from the data plane allows for more control over the network and brings new capabilities to deal with DDoS attacks. On the other hand, this separation introduces new challenges regarding the security of the control plane. This thesis aims to deal with DDoS attacks while protecting the resources of the control plane. In this thesis, we contribute to the mitigation of both intra-domain and inter-domain DDoS attacks, and we contribute to the reinforcement of security aspects in SDN.
41

Sajjad, Muhammad Mohtasim. "A software defined networking based adaptive multimode decentralized mobility architecture for 5G." Thesis, Queensland University of Technology, 2018. https://eprints.qut.edu.au/116510/1/Muhammad%20Mohtasim_Sajjad_Thesis.pdf.

Abstract:
This thesis presents a novel Software-Defined Networking based flexible handover management mechanism for 5G mobile networks. The performance of Distributed Mobility Management process is enhanced through a novel 'Handover Mode Selection' approach, in which the Software-Defined Network Controller evaluates the protocol's mode of operation for the next handover event according to the Mobile Node's current mobility profile. The analytical evaluation and the simulations through ns-3 network simulator of the proposed solution show significant handover performance improvement under high mobility and high session activity scenarios.
42

Frankeline, Tanyi. "Attack Modeling and Risk Assessments in Software Defined networking (SDN)." Thesis, Linnéuniversitetet, Institutionen för datavetenskap och medieteknik (DM), 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:lnu:diva-88806.

Abstract:
Software Defined Networking (SDN) is a technology which provides a network architecture with three distinct layers, that is, the application layer, which is made up of SDN applications, the control layer, which is made up of the controller, and the data plane layer, which is made up of switches. However, there exist different types of SDN architectures, some of which are interconnected with the physical network. At the core of SDN, the control plane is physically and logically separated from the data plane. The controller is connected to the application layer through an interface known as the northbound interface and to the data plane through another interface known as the southbound interface. The centralized control plane uses APIs to communicate through the northbound and southbound interface with the application layer and the data plane layer respectively. By default, these APIs, such as RESTful and OpenFlow APIs, do not implement security mechanisms like data encryption and authentication; thus, this introduces new network security threats to the SDN architecture. This report presents a technique known as threat modeling in SDN. To achieve this technique, attack scenarios are created based on the OpenFlow SDN vulnerabilities. These vulnerabilities are then defined as predicates or facts and rules, and a framework known as multihost multistage vulnerability analysis (MulVAL) takes these predicates and rules to produce a threat model known as an attack graph. The attack graph is further used to perform quantitative risk analysis using a metric to depict the risks associated with the OpenFlow SDN model.
43

Rossi, Mattia. "Software Defined Security: il futuro della sicurezza in rete." Bachelor's thesis, Alma Mater Studiorum - Università di Bologna, 2019.

Abstract:
This thesis deals with how virtualization, a technique by now adopted in many fields of computing, may be the future of telecommunication networks. Indeed, NFV (Network Function Virtualization) is a fundamental building block for realizing so-called “softwarized” networks, commonly called SDN (Software-Defined Networking). The latter base the great majority of their functionality on software installed at the application layer and delegate the management of the data flow to one or more controllers, which orchestrate the hardware at the underlying layer (typically switches and routers) through the OpenFlow protocol. This new type of approach opens the way to countless possibilities: network devices essentially become passive devices and take on a marginal role, while coordinating network functions through software makes it possible to manage the network and all its functions through so-called direct programming. It must be stressed, however, that since this new type of network entails a radical change from how we know networks today, several difficulties must be faced to make SDN a reality (and a standard). In particular, attention is given to the protection of these systems, providing an overview of the challenges that securing them entails. The set of technologies for safeguarding the network from threats, both internal and external, through the use of applications is called SDS (Software-Defined Security). Security is thus entrusted to purpose-built software which, potentially, makes the application of security policies within the network extremely dynamic, efficient and effective.
44

Bispo, Pedro José Neves. "A software defined network controller quantitative and qualitative analysis." Master's thesis, Universidade de Aveiro, 2017. http://hdl.handle.net/10773/23475.

Abstract:
Master's in Electronics and Telecommunications Engineering
New challenges are being raised in the networking field with the increasing number of connected devices. The growth of mobile data usage has to be considered as a requirement for the deployment of future 5G networks, especially regarding mobility scenarios. Software-Defined Networking (SDN) enables a greater degree of dynamism and simplification for the deployment of those 5G networks. SDN provides the separation of the control plane from the forwarding plane, allowing more control, adaptability and cost reduction. The growth of SDN integration in new mechanisms and network architectures led to the development of different controller solutions, with a wide variety of characteristics. Several SDN controllers exist, which originated from the different needs of operators and research teams. That resulted in the development of their own controller versions, which made comparison efforts more difficult. As such, this work provides a wider study of several open-source controllers (namely, OpenDaylight (ODL), Open Network Operative System (ONOS), Ryu and POX), by evaluating not only their performance, but also their characteristics in a qualitative way. Taking performance as a critical issue among SDN controllers, several criteria were evaluated by benchmarking the controllers under different operational conditions, using the Cbench tool. Results are presented regarding both qualitative and quantitative comparisons between those SDN controllers under test.
45

Wu, Haotian. "OpenFlow-enabled dynamic DMZ for local networks." Diss., Kansas State University, 2017. http://hdl.handle.net/2097/38231.

Abstract:
Doctor of Philosophy
Department of Electrical and Computer Engineering
Don M. Gruenbacher
Caterina M. Scoglio
Cybersecurity is playing a vital role in today's network. We can use security devices, such as a deep packet inspection (DPI) device, to enhance cybersecurity. However, a DPI has a limited amount of inspection capability, which cannot catch up with the ever-increasing volume of network traffic, and that gap is getting even larger. Therefore, inspecting every single packet using DPI is impractical. Our objective is to find a tradeoff between network security and network performance. More explicitly, we aim at maximizing the utilization of security devices, while not decreasing network throughput. We propose two prototypes to address this issue in a demilitarized zone (DMZ) architecture. Our first prototype involves a flow-size based DMZ criterion. In a campus network elephant flows, flows with large data rate, are usually science data and they are mostly safe. Moreover, the majority of the network bandwidth is consumed by elephant flows. Therefore, we propose a DMZ prototype that we inspect elephant flows for a few seconds, and then we allow them to bypass DPI inspection, as long as they are identified as safe flows; and they can be periodically inspected to ensure they remain safe. Our second prototype is a congestion-aware DMZ scheme. Instead of determining whether a flow is safe or not by its size, we treat all flows identically. We measure the data rates of all flows, and use a global optimization algorithm to determine which flows are allowed to safely bypass a DPI. The objective is to maximize DPI utilization. Both prototypes are implemented using OpenFlow in this work, and extensive experiments are performed to test both prototypes' feasibility. The results attest that the two prototypes are effective in ensuring network security while not compromising network performance. A number of tools for SDN network configuring and testing are also developed.
46

Carpa, Radu. "Energy Efficient Traffic Engineering in Software Defined Networks." Thesis, Lyon, 2017. http://www.theses.fr/2017LYSEN065/document.

Abstract:
This work seeks to improve the energy efficiency of backbone networks by automatically managing the paths of network flows to reduce the over-provisioning. Compared to numerous works in this field, we stand out by focusing on low computational complexity and smooth deployment of the proposed solution in the context of Software Defined Networks (SDN). To ensure that we meet these requirements, we validate the proposed solutions on a network testbed built for this purpose. Moreover, we believe that it is indispensable for the research community in computer science to improve the reproducibility of experiments. Thus, one can reproduce most of the results presented in this thesis by following a couple of simple steps. In the first part of this thesis, we present a framework for putting links and line cards into sleep mode during off-peak periods and rapidly bringing them back on when more network capacity is needed. The solution, which we term "SegmenT Routing based Energy Efficient Traffic Engineering" (STREETE), was implemented using state-of-the-art dynamic graph algorithms. STREETE achieves execution times of tens of milliseconds on a 50-node network. The approach was also validated on a testbed using the ONOS SDN controller along with OpenFlow switches. We compared our algorithm against optimal solutions obtained via a Mixed Integer Linear Programming (MILP) model to demonstrate that it can effectively prevent network congestion, avoid turning on unneeded links, and provide excellent energy-efficiency. The second part of this thesis studies solutions for maximizing the utilization of existing components to extend the STREETE framework to workloads that are not very well handled by its original form. This includes the high network loads that cannot be routed through the network without a fine-grained management of the flows. In this part, we diverge from the shortest path routing, which is traditionally used in computer networks, and perform a particular load balancing of the network flows. In the last part of this thesis, we combine STREETE with the proposed load balancing technique and evaluate the performance of this combination both regarding turned-off links and in its ability to keep the network out of congestion. After that, we use our network testbed to evaluate the impact of our solutions on the TCP flows and provide an intuition about the additional constraints that must be considered to avoid instabilities due to traffic oscillations between multiple paths.
47

Schiavi, Daniele. "Software Defined Networks: analisi dell’interazione fra nodi di rete e Controller." Bachelor's thesis, Alma Mater Studiorum - Università di Bologna, 2017. http://amslaurea.unibo.it/14015/.

Abstract:
The goal of this thesis is to verify the behaviour of, and the interactions between, a switch and multiple controllers as the role assumed by the latter varies, in a virtual SDN network using the OpenFlow protocol. The thesis has three chapters; the first two are purely theoretical, while the third describes the tests that were carried out. The first two chapters introduce and describe the main elements of SDN and OpenFlow; in particular, the multi-controller architecture, which is the fundamental topic of this thesis, is presented. The third chapter is the core of the thesis: it describes the topology and the tests carried out to verify the behaviour of, and the interactions between, the switch and the controllers.
48

Kamaruddin, Amalina Farhan. "Experimentation on dynamic congestion control in Software Defined Networking (SDN) and Network Function Virtualisation (NFV)." Thesis, Brunel University, 2017. http://bura.brunel.ac.uk/handle/2438/16917.

Abstract:
In this thesis, a novel framework for dynamic congestion control has been proposed. The study is about congestion control in broadband communication networks. Congestion results when demand temporarily exceeds capacity and leads to severe degradation of Quality of Service (QoS) and possibly loss of traffic. Since traffic is stochastic in nature, high demand may arise anywhere in a network and possibly cause congestion. There are different ways to mitigate the effects of congestion: by rerouting, by aggregation to take advantage of statistical multiplexing, and by discarding too demanding traffic, which is known as admission control. This thesis will try to accommodate as much traffic as possible, and study the effect of routing and aggregation on a rather general mix of traffic types. Software Defined Networking (SDN) and Network Function Virtualization (NFV) are concepts that allow for dynamic configuration of network resources by decoupling control from payload data and allocation of network functions to the most suitable physical node. This allows implementation of a centralised control that takes the state of the entire network into account and configures nodes dynamically to avoid congestion. It is assumed that node controls can be expressed in commands supported by OpenFlow v1.3. Due to state dependencies in space and time, the network dynamics are very complex, and the thesis resorts to a simulation approach. The load in the network depends on many factors, such as traffic characteristics and the traffic matrix, topology and node capacities. To be able to study the impact of control functions, some parts of the environment are fixed, such as the topology and the node capacities, and the traffic distribution in the network is statistically averaged by randomly generated traffic matrices. The traffic consists of approximately equal intensity of smooth, bursty and long memory traffic.
By designing an algorithm that routes traffic and configures queue resources so that delay is minimised, this thesis chooses the delay to be the optimisation parameter because it is additive and real-time applications are delay sensitive. The optimisation is studied both with respect to total end-to-end delay and maximum end-to-end delay. The delay is used as link weights and paths are determined by Dijkstra's algorithm. Furthermore, nodes are configured to serve the traffic optimally, which in turn depends on the routing. The proposed algorithm is a fixed-point system of equations that iteratively evaluates routing - aggregation - delay until an equilibrium point is found. Three strategies are compared: static node configuration where each queue is allocated 1/3 of the node resources and no aggregation, aggregation of real-time (taken as smooth and bursty) traffic onto the same queue, and dynamic aggregation based on the entropy of the traffic streams and their aggregates. The results of the simulation study show good results, with gains of 10-40% in the QoS parameters. By simulation, the positive effects of the proposed routing and aggregation strategy and the usefulness of the algorithm. The proposed algorithm constitutes the central control logic, and the resulting control actions are realisable through the SDN/NFV architecture.
49

Alqallaf, Maha. "Software Defined Secure Ad Hoc Wireless Networks." Wright State University / OhioLINK, 2016. http://rave.ohiolink.edu/etdc/view?acc_num=wright1464020851.

50

Tammana, Praveen Aravind Babu. "Software-defined datacenter network debugging." Thesis, University of Edinburgh, 2018. http://hdl.handle.net/1842/31326.

Abstract:
Software-defined Networking (SDN) enables flexible network management, but as networks evolve to a large number of end-points with diverse network policies, higher speed, and higher utilization, abstraction of networks by SDN makes monitoring and debugging network problems increasingly hard and challenging. While some problems impact packet processing in the data plane (e.g., congestion), some cause policy deployment failures (e.g., hardware bugs); both create inconsistency between operator intent and actual network behavior. Existing debugging tools are not sufficient to accurately detect, localize, and understand the root cause of problems observed in large-scale networks; either they lack in-network resources (compute, memory, and/or network bandwidth) or take a long time to debug network problems. This thesis presents three debugging tools: PathDump, SwitchPointer, and Scout, and a technique for tracing packet trajectories called CherryPick. We call for a different approach to network monitoring and debugging: in contrast to implementing debugging functionality entirely in-network, we should carefully partition the debugging tasks between end-hosts and network elements. Towards this direction, we present CherryPick, PathDump, and SwitchPointer. The core of CherryPick is to cherry-pick the links that are key to representing an end-to-end path of a packet, and to embed picked linkIDs into its header on its way to destination. PathDump is an end-host based network debugger based on tracing packet trajectories, and exploits resources at the end-hosts to implement various monitoring and debugging functionalities. PathDump currently runs over a real network comprising only commodity hardware, and yet can support a surprisingly large class of network debugging problems with minimal in-network functionality.
The key contribution of SwitchPointer is to efficiently provide network visibility to end-host based network debuggers like PathDump by using switch memory as a "directory service": each switch, rather than storing telemetry data necessary for debugging functionalities, stores pointers to end hosts where relevant telemetry data is stored. The key design choice of thinking about memory as a directory service allows solving performance problems that were hard or infeasible with existing designs. Finally, we present and solve a network policy fault localization problem that arises in operating policy management frameworks for a production network. We develop Scout, a fully-automated system that localizes faults in a large scale policy deployment and further pin-points the physical-level failures which are the most likely cause of observed faults.