Dissertations / Theses on the topic 'Software Defined Networking Security'


1

Taylor, Curtis Robin. "Software-defined Networking: Improving Security for Enterprise and Home Networks." Digital WPI, 2017. https://digitalcommons.wpi.edu/etd-dissertations/161.

Abstract:
In enterprise networks, all aspects of the network, such as placement of security devices and performance, must be carefully considered. Even with forethought, network operators are ultimately unaware of intra-subnet traffic. The inability to monitor intra-subnet traffic leads to blind spots in the network where compromised hosts have unfettered access to the network for spreading and reconnaissance. While network security middleboxes help to address compromises, they are limited in only seeing a subset of all network traffic that traverses routed infrastructure, which is where middleboxes are frequently deployed. Furthermore, traditional middleboxes are inherently limited to network-level information when making security decisions. Software-defined networking (SDN) is a networking paradigm that allows logically centralized control of network switches and routers. SDN can help address visibility concerns while providing the benefits of a centralized network control platform, but traditional switch-based SDN leads to concerns of scalability and is ultimately limited in that only network-level information is available to the controller. This dissertation addresses these SDN limitations in the enterprise by pushing the SDN functionality to the end-hosts. In doing so, we address scalability concerns and provide network operators with better situational awareness by incorporating system-level and graphical user interface (GUI) context into network information handled by the controller. By incorporating host-context, our approach shows a modest 16% reduction in flows that can be processed each second compared to switch-based SDN. In comparison to enterprise networks, residential networks are much more constrained. Residential networks are limited in that the operators typically lack the experience necessary to properly secure the network. As a result, devices on home networks are sometimes compromised and, unbeknownst to the home user, perform nefarious acts such as distributed denial of service (DDoS) attacks on the Internet. Even with operator expertise in residential networks, the network infrastructure is limited to a resource-constrained router that is not extensible. Fortunately, SDN has the potential to increase security and network control in residential networks by outsourcing functionality to the cloud where third-party experts can provide proper support. In residential networks, this dissertation uses SDN along with cloud-based resources to introduce enterprise-grade network security solutions where previously infeasible. As part of our residential efforts, we build and evaluate device-agnostic security solutions that are able to better protect the increasing number of Internet of Things (IoT) devices. Our work also shows that the performance of outsourcing residential network control to the cloud is feasible for up to 90% of home networks in the United States.
2

Li, Xin. "Enhancing network robustness using software-defined networking." Diss., Kansas State University, 2017. http://hdl.handle.net/2097/38236.

Abstract:
Doctor of Philosophy
Department of Electrical and Computer Engineering
Don M. Gruenbacher
Caterina M. Scoglio
As today's networks are no longer individual networks, networks are less robust towards failures and attacks. For example, computer networks and power networks are interdependent. Computer networks provide smart control for power networks, while power networks provide power supply. Localized network failures and attacks are amplified and exacerbated back and forth between two networks due to their interdependencies. This dissertation focuses on finding solutions to enhance network robustness. Software-defined networking provides a programmable architecture, which can dynamically adapt to any changes and can reduce the complexities of network traffic management. This architecture brings opportunities to enhance network robustness, for example, adapting to network changes, routing traffic bypassing malfunctioning devices, dropping malicious flows, etc. However, as SDN is rapidly proceeding from vision to reality, the SDN architecture itself might be exposed to some robustness threats. Especially, the SDN control plane is tremendously attractive to attackers, since it is the "brain" of entire networks. Thus, research on network robustness helps protect networks from a destructive disaster. In this dissertation, we first build a novel, realistic interdependent network framework to model cyber-physical networks. We allocate dependency links under a limited budget and evaluate network robustness. We further revise a network flow algorithm and find solutions to obtain a basic robust network structure. Extensive simulations on random networks and real networks show that our deployment method produces topologies that are more robust than the ones obtained by other deployment techniques. Second, we tackle middlebox chain problems using SDN. In computer networks, applications require traffic to sequence through multiple types of middleboxes to accomplish network functionality. Middlebox policies, numerous applications' requirements, and resource allocations complicate network management. Furthermore, middlebox failures can affect network robustness. We formulate a mixed-integer linear programming problem to achieve a network load-balancing objective in the context of middlebox policy chain routing. Our global routing approach manages network resources efficiently by simplifying candidate-path selections, balancing the entire network and using the simulated annealing algorithm. Moreover, in case of middlebox failures, we design a fast rerouting mechanism by exploiting the remaining link and middlebox resources locally. We implement the proposed routing approaches on a Mininet testbed and evaluate the experiments' scalability, assessing the effectiveness of the approaches. Third, we build an adversary model to describe in detail how to launch distributed denial of service (DDoS) attacks to overwhelm the SDN controller. Then we discuss possible defense mechanisms to protect the controller from DDoS attacks. We implement a successful DDoS attack and our defense mechanism on the Mininet testbed to demonstrate its feasibility in the real world. In summary, we vertically dive into enhancing network robustness by constructing a topological framework, making routing decisions, and protecting the SDN controller.
3

Tseng, Yuchia. "Securing network applications in software defined networking." Electronic Thesis or Diss., Sorbonne Paris Cité, 2018. http://www.theses.fr/2018USPCB036.

Abstract:
Following the introduction of various Internet services, computer networks have come to be recognised as having played an essential role in modern life over the past half-century. The rapid development and convergence of computing and communication technologies create the need to connect diverse devices with different operating systems and protocols. This results in numerous challenges in providing seamless integration of a large number of heterogeneous physical devices or entities. Thus, Software Defined Networks (SDN), as an emerging paradigm, have the potential to revolutionise network management by centralising control and global visibility over the whole network. However, security issues remain a significant concern and prevent the widespread adoption of SDN. To identify the threats, we carried out a 3-dimensional analysis to evaluate the security of SDN. In this analysis, we summarised 9 security principles for the SDN controller and checked the security of current SDN controllers against these principles. We found that the SDN controllers ONOS and OpenContrail are relatively more secure than the others according to our analysis methodology. We also found an urgent need to mitigate the problem of malicious application injection. Consequently, we proposed a security-enhancing layer (SE layer) to protect the interaction between the control plane and the application plane. This SE layer is controller-independent and can work with OpenDaylight, ONOS, Floodlight, Ryu and POX with low deployment complexity. No modification of their source code is required in their implementation, while the overall security of the SDN controller is improved. Prototype I, Controller SEPA, protects the SDN controller with network application authentication, authorisation, application isolation and information shielding at a negligible overhead of less than 0.1% to 0.3%. We developed prototype II of the SE layer, called Controller DAC, which makes access control dynamic. Controller DAC can detect API abuse by accounting the network application's operations, with an overhead below 0.5%. Thanks to this SE layer, the overall security of the SDN controller is improved, but at an overhead below 0.5%. In addition, we attempted to provide a secure network application deployment framework for the SDN controller with an orchestrator. First, we secured the SDN controller by using a message queue to replace the current popular interfaces, including RESTful APIs and internal APIs, with a decomposable event-oriented interface. With this new northbound interface, the orchestrator can deploy network applications in a sandbox with resource control and access control. This approach can effectively protect against threats that include resource exhaustion attacks and data processing on the current SDN controller. We also implemented a network application, deployed by the orchestrator, that detects an OpenFlow-specific attack called the priority bypass attack, to evaluate the usefulness of the northbound interface. In the long run, the processing time of a packet_in message through this interface is under five milliseconds, yet the network application can be completely decoupled and isolated from the SDN controller.
The rapid development and convergence of computing technologies and communications create the need to connect diverse devices with different operating systems and protocols. This resulted in numerous challenges to provide seamless integration of a large amount of heterogeneous physical devices or entities. Hence, Software-defined Networks (SDN), as an emerging paradigm, have the potential to revolutionize legacy network management and accelerate network innovation by centralizing the control and visibility over the network. However, security issues remain a significant concern and impede SDN from being widely adopted. To identify the threats inherent to SDN, we conducted a deep analysis in 3 dimensions to evaluate the security of the proposed architecture. In this analysis, we summarized 9 security principles for the SDN controller and checked the security of the current well-known SDN controllers against those principles. We found that the SDN controllers ONOS and OpenContrail are the two relatively more secure controllers according to our methodology. We also found the urgent need to integrate mechanisms such as connection verification, application-based access control, and data-to-control traffic control for securely implementing an SDN controller. In this thesis, we focus on the app-to-control threats, which could be partially mitigated by application-based access control, as a malicious network application can be injected into the SDN controller through external APIs, i.e., RESTful APIs, or internal APIs, including OSGi bundles, Java APIs, Python APIs, etc. In this thesis, we discuss how to protect the SDN controller against the malicious operations caused by network application injection through both the external APIs and the internal APIs.
We proposed a security-enhancing layer (SE-layer) to protect the interaction between the control plane and the application plane in an efficient way with fine-grained access control, especially hardening the SDN controller against attacks from the external APIs. This SE-layer is implemented in the RESTful-based northbound interfaces of the SDN controller and hence is controller-independent, working with the most popular controllers, such as OpenDaylight, ONOS, Floodlight, Ryu and POX, with low deployment complexity. No modifications of their source code are required while the overall security of the SDN controller is enhanced. Our prototype I, Controller SEPA, protects the SDN controller well with network application authentication, authorization, application isolation, and information shielding, with negligible latency of less than 0.1% to 0.3%, for protecting the SDN controller against attacks via external APIs, i.e., RESTful APIs. We also developed SE-layer prototype II, called Controller DAC, which makes the access control dynamic. Controller DAC can detect API abuse from the external APIs by accounting the network application operations, with latency of less than 0.5%. Thanks to this SE-layer, the overall security of the SDN controller is improved, but with a latency of less than 0.5%. However, the SE-layer can isolate the network application to communicate with the controller only through the RESTful APIs, and the RESTful APIs are insufficient in use cases that need a real-time service to deliver OpenFlow messages. Therefore, we proposed a security-enhancing architecture for securing network application deployment through the internal APIs in SDN, with a new SDN architecture dubbed SENAD.
In SENAD, we split the SDN controller into (1) a data plane controller (DPC) and (2) an application plane controller (APC), and adopt a message bus system as the northbound interface instead of the RESTful APIs to provide the service of delivering OpenFlow messages in real time. (...)
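The authentication, authorization and operation-accounting functions the abstract attributes to Controller SEPA and Controller DAC can be sketched as a guard placed in front of a controller's RESTful northbound interface. What follows is an added example written for this listing; it is not code from the thesis or from any of the controllers named above. The bearer-token scheme, the (method, path-prefix) authorization model, the budget of three write operations per sliding one-second window, the revocation-on-abuse response and the registered applications are all assumptions made for illustration.

```python
"""Northbound-API guard: authenticate, authorise and account each network
application's calls before they reach the controller's REST interface.

Added example, not Controller SEPA or Controller DAC code. Assumed: apps send a
bearer token; resources are identified by path prefix; 'API abuse' is more than
max_writes write calls in a sliding window, after which the app is revoked.
"""
import hashlib
import hmac
from collections import deque
from dataclasses import dataclass, field


def fingerprint(token: str) -> str:
    """Store only a hash of each app token so the registry leaks nothing useful."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class NetworkApp:
    name: str
    allowed: frozenset  # (HTTP method, path prefix) pairs this app may call
    write_ops: deque = field(default_factory=deque)  # timestamps of write calls


class NorthboundGuard:
    WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

    def __init__(self, registry, max_writes, window_s):
        self.registry = registry  # token fingerprint -> NetworkApp
        self.max_writes = max_writes
        self.window_s = window_s
        self.revoked = set()

    def authenticate(self, token):
        fp = fingerprint(token)
        for known, app in self.registry.items():
            if hmac.compare_digest(known, fp):  # constant-time compare
                return app
        return None

    @staticmethod
    def authorize(app, method, path):
        return any(method == m and path.startswith(p) for m, p in app.allowed)

    def account(self, app, method, now):
        """Record a write and report whether the app exceeded its budget."""
        if method not in self.WRITE_METHODS:
            return False
        q = app.write_ops
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()
        return len(q) > self.max_writes

    def handle(self, token, method, path, now):
        """Return an HTTP-style status for the request; 200 means forward it."""
        app = self.authenticate(token)
        if app is None:
            return 401
        # Information shielding: a revoked app and an unauthorised call get the
        # same answer, so a probing app learns nothing about the resource tree.
        if app.name in self.revoked or not self.authorize(app, method, path):
            return 403
        if self.account(app, method, now):
            self.revoked.add(app.name)
            return 429
        return 200


def build_demo_guard():
    """Constructed registry: a read-only monitor and a load balancer that may
    push flows, limited to 3 writes per second."""
    registry = {
        fingerprint("monitor-token"): NetworkApp(
            "monitor", frozenset({("GET", "/stats/")})),
        fingerprint("lb-token"): NetworkApp(
            "loadbalancer", frozenset({("GET", "/stats/"), ("POST", "/flows/")})),
    }
    return NorthboundGuard(registry, max_writes=3, window_s=1.0)


def run_scenario():
    g = build_demo_guard()
    codes = [
        g.handle("monitor-token", "GET", "/stats/ports", 0.00),   # read allowed
        g.handle("monitor-token", "POST", "/flows/add", 0.01),    # read-only app writes
        g.handle("no-such-token", "GET", "/stats/ports", 0.02),   # unknown app
    ]
    for i in range(4):  # 4 flow pushes inside one second: the 4th trips the budget
        codes.append(g.handle("lb-token", "POST", "/flows/add", 0.10 + 0.01 * i))
    codes.append(g.handle("lb-token", "GET", "/stats/ports", 0.50))  # now revoked
    return codes


if __name__ == "__main__":
    print(run_scenario())
```

The scenario returns [200, 403, 401, 200, 200, 200, 429, 403]: the read-only application is refused a write, an unknown token is refused outright, and the load balancer is allowed three flow pushes before its fourth inside the window marks it as abusive and revokes it, after which even its permitted reads get the same 403 an unauthorized call would. Counting only write methods keeps the budget focused on calls that change forwarding state; a production guard would also persist the revocation and alert an operator.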
4

Aydeger, Abdullah. "Software Defined Networking for Smart Grid Communications." FIU Digital Commons, 2016. http://digitalcommons.fiu.edu/etd/2580.

Abstract:
Emerging Software Defined Networking (SDN) technology has provided excellent flexibility to large-scale networks in terms of control, management, security, and maintenance. On the other hand, recent years witnessed a tremendous growth of the critical infrastructure networks, namely the Smart-Grid, in terms of its underlying communication infrastructure. Such large local networks require significant effort in terms of network management and security. We explore the potential utilization of the SDN technology over the Smart Grid communication architecture. Specifically, we introduce three novel SDN deployment scenarios in local networks of Smart Grid. Moreover, we also investigate the pertinent security aspects with each deployment scenario along with possible solutions. On the other hand, we conducted experiments by using actual Smart Grid communication data to assess the recovery performance of the proposed SDN-based system. The results show that SDN is a viable technology for the Smart Grid communications with almost negligible delays in switching to backup wireless links.
5

Ahmad, I. (Ijaz). "Improving software defined cognitive and secure networking." Doctoral thesis, Oulun yliopisto, 2018. http://urn.fi/urn:isbn:9789526219516.

Abstract:
Traditional communication networks consist of large sets of vendor-specific manually configurable devices. These devices are hardwired with specific control logic or algorithms used for different network functions. The resulting networks comprise distributed control plane architectures that are complex in nature, difficult to integrate and operate, and are the least efficient in terms of resource usage. However, the rapid increase in data traffic requires the integrated use of diverse access technologies and autonomic network operations with increased resource efficiency. Therefore, the concepts of Software Defined Networking (SDN) are proposed that decouple the network control plane from the data-forwarding plane and logically centralize the control plane. The SDN control plane can integrate a diverse set of devices, and tune them at run-time through vendor-agnostic programmable Application Programming Interfaces (APIs). This thesis proposes software defined cognitive networking to enable intelligent use of network resources. Different radio access technologies, including cognitive radios, are integrated through a common control platform to increase the overall network performance. The architectural framework of software defined cognitive networking is presented alongside the experimental performance evaluation. Since SDN enables applications to change the network behavior and centralizes the network control plane to oversee the whole network, it is highly important to investigate SDN in terms of security. Therefore, this thesis finds the potential security vulnerabilities in SDN, studies the proposed security platforms and architectures for those vulnerabilities, and presents future directions for unresolved security vulnerabilities. Furthermore, this thesis also investigates the potential security challenges and their solutions for the enabling technologies of 5G, such as SDN, cloud technologies, and virtual network functions, and provides key insights into increasing the security of 5G networks.
Traditional telecommunication networks are often based on large, manually configured, vendor-specific solutions. They use device-specific control logic or algorithms for the different functions of the network. As a result, the network's distributed control plane becomes complex, hard to integrate and operate, and not very flexible in its use of resources. As the volume of data traffic grows, it becomes ever more important to integrate several network technologies and autonomous network functions in order to achieve efficient resource management. Software Defined Networking (SDN) offers a way to manage the network's control traffic centrally, separated from the data traffic. This control plane can integrate different network devices and steer them at run time through a vendor-independent application programming interface. This thesis studies an intelligent software-defined network solution through which different radio network technologies (including cognitive radio) can be integrated through a common control platform to increase overall network performance. The thesis presents a cognitive software-defined network architecture and evaluates its performance on the basis of measurements. Because a software-defined network relies on centralised control logic for the whole network, the importance of security is heightened further. The thesis therefore studies the potential security threats to such a network solution and the candidate solutions for countering them, and presents future directions for threats that remain unresolved. In addition, the thesis examines more broadly the security threats of future 5G networks and their solutions in relation to software-defined networking, cloud technologies and virtualised network functions. The work also offers a view of how network security as a whole can be increased in 5G networks.
6

Lei, Yunsen. "Towards Better Kernel and Network Monitoring of Software Actions." Digital WPI, 2020. https://digitalcommons.wpi.edu/etd-theses/1367.

Abstract:
Monitoring software actions is one of the most studied approaches to help security researchers understand how software interacts with the system or network. In many cases, monitoring is an important component to help detect attacks that use software vulnerabilities as a vector to compromise endpoints. Attacks are becoming more sophisticated and network use is growing dramatically. Both host-based and network-based monitoring are facing different challenges. A host-based approach has more insight into software's actions but puts itself at the risk of compromise. When deployed on the server endpoint, the lack of separation between different clients only further complicates the monitoring scope. Compared to network-based approaches, host-based monitoring usually loses control of a software's network trace once the network packet leaves the endpoint. On the other hand, network-based monitoring usually has full control of a software's network packets but confronts scalability problems as the network grows. This thesis focuses on the limitations of the current monitoring approaches and technologies and proposes different solutions to mitigate the current problem. For software-defined networking, we design and implement a host-based SDN system that achieves the same forwarding path control and packet rewriting functionality as a switch-based SDN. Our implementation empowers the host-based SDN with more control in the network even without using any SDN-enabled middleboxes, allowing SDN adoption in large-scale deployments. We further corroborate flow reports from different host SDN agents to address the endpoint compromise problem. On the server endpoint, we leverage containers as a light-weight environment to separate different clients and build monitoring infrastructures to narrow down the monitoring scope that have the potential to facilitate further forensic analysis.
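The step of corroborating flow reports from different host SDN agents, mentioned above as the answer to the endpoint-compromise problem, can be made concrete. The following is an added example for this listing and not code from the thesis: each managed host's agent reports the flows it sent and received together with byte counts, and the controller cross-checks every pair of managed endpoints. Traffic a receiver observed that the sender's agent never reported is the interesting case, since an agent on a compromised host can be silenced or tampered with but cannot stop the peer from seeing the packets; large byte-count disagreements are flagged as well. The report layout, the three hosts, the byte counts and the 5% tolerance are constructed for the example.

```python
"""Corroborating flow reports from host-based SDN agents.

Added example, not code from the thesis. Each managed host runs an agent that
reports the flows it sent and received with byte counts; the controller
cross-checks every pair of managed endpoints. A flow a receiver saw but the
sender's agent never reported, or a large byte-count disagreement, marks the
sender's report as untrustworthy. Report format, tolerance and hosts are assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def corroborate(reports, tolerance=0.05):
    """reports: {host_ip: {"out": {Flow: bytes}, "in": {Flow: bytes}}}.
    Returns (finding, host_implicated, flow) tuples in report order."""
    managed = set(reports)
    findings = []
    for host, rep in reports.items():
        for flow, nbytes in rep["out"].items():
            if flow.dst not in managed:
                continue  # peer has no agent; nothing to check against
            peer_in = reports[flow.dst]["in"]
            if flow not in peer_in:
                findings.append(("unconfirmed_outbound", host, flow))
            elif abs(peer_in[flow] - nbytes) > tolerance * max(nbytes, 1):
                findings.append(("byte_count_mismatch", host, flow))
        for flow in rep["in"]:
            if flow.src in managed and flow not in reports[flow.src]["out"]:
                # The sender's agent hid (or lost) this flow: treat that host as suspect.
                findings.append(("unreported_by_sender", flow.src, flow))
    return findings


def suspects(findings):
    """Hosts whose agent under-reported traffic a peer observed."""
    return {host for kind, host, _ in findings if kind == "unreported_by_sender"}


# Constructed reports from three managed hosts (all byte counts are made up).
F_HTTPS = Flow("10.0.0.1", 50001, "10.0.0.2", 443, "tcp")
F_SSH = Flow("10.0.0.1", 50002, "10.0.0.3", 22, "tcp")
F_SMB = Flow("10.0.0.3", 40000, "10.0.0.2", 445, "tcp")   # .3's agent never reports this
F_DNS = Flow("10.0.0.2", 53000, "8.8.8.8", 53, "udp")      # external peer, skipped
F_WEB = Flow("10.0.0.2", 50003, "10.0.0.1", 8080, "tcp")   # byte counts disagree
SAMPLE_REPORTS = {
    "10.0.0.1": {"out": {F_HTTPS: 12000, F_SSH: 5000}, "in": {F_WEB: 1000}},
    "10.0.0.2": {"out": {F_DNS: 120, F_WEB: 3000}, "in": {F_HTTPS: 12000, F_SMB: 900}},
    "10.0.0.3": {"out": {}, "in": {F_SSH: 5100}},
}

if __name__ == "__main__":
    found = corroborate(SAMPLE_REPORTS)
    for finding in found:
        print(*finding)
    print("suspects:", suspects(found))
```

On the constructed reports this yields two findings: a byte-count mismatch on the 10.0.0.2 to 10.0.0.1:8080 flow, and an SMB connection to 10.0.0.2:445 that 10.0.0.3 received-side evidence proves happened but 10.0.0.3's own agent did not report, so 10.0.0.3 is the suspect. The 2% disagreement on the SSH flow stays within tolerance, and the DNS flow to an unmanaged external resolver is skipped because there is no second agent to compare against. Agreement between two reports is not proof of honesty (two compromised hosts could collude), which is why such checks complement rather than replace network-side observation.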
7

Sriskandarajah, Shriparen. "Detection and mitigation of denial-of-service attacks against software-defined networking." Thesis, Queensland University of Technology, 2021. https://eprints.qut.edu.au/226951/1/Shriparen_Sriskandarajah_Thesis.pdf.

Abstract:
Software-defined networking (SDN) is an emerging architecture in computer networking that was introduced to fulfill the demand of current Internet-based services and applications. New features introduced in the SDN architecture open the space for attackers to disrupt the SDN-based networks using new types of Denial-of-Service (DoS) attacks. In this study, first, we present a new DoS attack, namely the control channel DoS attack. Second, we present another new DoS attack to overwhelm the flow table of the SDN switches, namely the flow rule overwhelming attack. Finally, we propose novel strategies to detect and mitigate DoS attacks against the SDN architecture.
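Both this thesis and Li's dissertation (entry 2) concern denial of service against the SDN control plane and the switch flow table. As an added illustration for this listing, not code from either thesis and not their attack or their defence, the following models a reactive controller that installs one rule per new flow it learns from packet_in, shows how a stream of packets with spoofed sources drives that rule count up until the switch table is full and legitimate flows can no longer be installed, and adds a generic per-port new-flow-rate heuristic that collapses an offending port into a single drop rule. The table size, the limit of ten new flows per one-second window, the packet_in fields and the "drop" action are assumptions made for the example.

```python
"""Per-port new-flow-rate guard for a reactive OpenFlow controller.

Added example, not code from either thesis. It models a switch with a bounded
flow table and a controller that installs one rule per new (in_port, src, dst)
it sees in packet_in. Mitigation (collapse a port's entries into one drop rule
once its rate of new flows exceeds a limit) is a generic heuristic chosen for
illustration; thresholds, packet_in fields and the 'drop' action are assumptions.
"""
from collections import Counter, defaultdict, deque


class TableFull(Exception):
    """Switch refused a flow-mod because the table (TCAM) is exhausted."""


class Switch:
    def __init__(self, capacity):
        self.capacity = capacity
        self.flows = {}  # match tuple -> action string

    def install(self, match, action):
        if match not in self.flows and len(self.flows) >= self.capacity:
            raise TableFull(match)
        self.flows[match] = action

    def remove_port(self, in_port):
        for m in [m for m in self.flows if m[0] == in_port]:
            del self.flows[m]


class ReactiveController:
    def __init__(self, switch, new_flow_limit=None, window_s=1.0):
        self.switch = switch
        self.new_flow_limit = new_flow_limit  # None disables detection
        self.window_s = window_s
        self.recent = defaultdict(deque)  # in_port -> times of rule-installing packet_ins
        self.quarantined = set()

    def packet_in(self, in_port, src, dst, now):
        if in_port in self.quarantined:
            return "ignored"  # a port-wide drop rule already handles this port
        match = (in_port, src, dst)
        if match in self.switch.flows:
            return "cached"  # rule exists; packet_in was a race, nothing to install
        if self.new_flow_limit is not None:
            q = self.recent[in_port]
            q.append(now)
            while q and now - q[0] > self.window_s:
                q.popleft()
            if len(q) > self.new_flow_limit:
                # Too many distinct new flows from one port inside the window:
                # reclaim its per-flow entries and blackhole the port.
                self.switch.remove_port(in_port)
                self.switch.install((in_port, "*", "*"), "drop")
                self.quarantined.add(in_port)
                return "quarantined"
        try:
            self.switch.install(match, "output:normal")
        except TableFull:
            return "table_full"
        return "installed"


def run_scenario(defend):
    """Constructed traffic: 50 spoofed-source packets from port 2 in 0.5 s,
    then 5 legitimate flows from port 1. Returns outcome counts."""
    sw = Switch(capacity=40)
    ctl = ReactiveController(sw, new_flow_limit=10 if defend else None)
    outcomes = Counter()
    for i in range(50):  # attacker: every packet carries a fresh (spoofed) source
        outcomes[ctl.packet_in(2, f"10.0.2.{i}", "10.0.0.200", 0.01 * i)] += 1
    for i in range(5):  # legitimate hosts behind port 1
        outcomes[ctl.packet_in(1, f"10.0.1.{i}", "10.0.0.200", 1.0 + 0.1 * i)] += 1
    result = dict(outcomes)
    result["table_size"] = len(sw.flows)
    return result


if __name__ == "__main__":
    print("undefended:", run_scenario(defend=False))
    print("defended:  ", run_scenario(defend=True))
```

Undefended, the 50 spoofed packets install 40 rules and exhaust the table, so all five legitimate flows fail with table_full. With the heuristic on, the eleventh new flow from port 2 within the window triggers quarantine: its ten entries are reclaimed, one drop rule takes their place, the remaining 39 attack packets never reach rule installation, and the legitimate flows install normally into a table holding six entries. A real controller would back such a heuristic with OpenFlow idle timeouts and flow_removed statistics so that quarantines and stale entries expire; note also that a port-wide drop rule is itself a denial of service for any honest host behind that port, which is the trade-off this class of mitigation has to accept.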
8

Abou El Houda, Zakaria. "Security Enforcement through Software Defined Networks (SDN)." Thesis, Troyes, 2021. http://www.theses.fr/2021TROY0023.

Abstract:
The original design of the Internet did not take network security aspects into account; the priority was to facilitate the communication process. Consequently, many protocols of the Internet infrastructure expose a set of vulnerabilities, which attackers can exploit to carry out a range of attacks. Distributed denial-of-service (DDoS) attacks represent a major threat; DDoS is one of the most devastating attacks, causing collateral damage to network operators as well as Internet service providers. Programmable networks (SDN) have emerged as a new paradigm promising to resolve the limitations of the current network architecture by decoupling the control plane from the data plane. On the one hand, this separation allows better control of the network and brings new capabilities for mitigating DDoS attacks. On the other hand, this separation introduces new security challenges for the control plane. The aim of this thesis is twofold: on the one hand, to study and explore what SDN contributes to security in order to design effective solutions that mitigate several attack vectors; on the other hand, to protect SDN against these attacks. Through this research work, we contribute to the mitigation of distributed denial-of-service attacks at two levels (intra- and inter-domain), and we contribute to strengthening security in SDN.
The original design of the Internet did not take into consideration security aspects of the network; the priority was to facilitate the process of communication. Therefore, many of the protocols that are part of the Internet infrastructure expose a set of vulnerabilities that can be exploited by attackers to carry out a set of attacks. Distributed Denial-of-Service (DDoS) represents a big threat and one of the most devastating and destructive attacks plaguing network operators and Internet service providers (ISPs) in a stealthy way. Software defined networks (SDN) is an emerging technology that promises to solve the limitations of the conventional network architecture by decoupling the control plane from the data plane. On one hand, the separation of the control plane from the data plane allows for more control over the network and brings new capabilities to deal with DDoS attacks. On the other hand, this separation introduces new challenges regarding the security of the control plane. This thesis aims to deal with DDoS attacks while protecting the resources of the control plane. In this thesis, we contribute to the mitigation of both intra-domain and inter-domain DDoS attacks, and we contribute to the reinforcement of security aspects in SDN.
9

Taylor, Curtis R. "Leveraging Software-Defined Networking and Virtualization for a One-to-One Client-Server Model." Digital WPI, 2014. https://digitalcommons.wpi.edu/etd-theses/577.

Abstract:
Modern computer networks allow server resources to be shared. While this multiplexing is the unsung hero of scalability and performance, the fact that clients are sharing resources and each client's network traffic is transmitted in a larger pool of the total network traffic poses distinct challenges for security. By adopting multiplexing so broadly, the networking and systems communities have implicitly favored performance over security. When servers multiplexing clients are compromised, the attack is able to spread by exploiting unsuspecting clients sharing the resource. Drive-by-downloads are an example of an attack where a Web server is compromised and begins distributing malware to connecting clients. As a result of using today's many-to-one client-server network model, current approaches are inadequate at protecting the network and its resources. We propose a redesign of the modern network infrastructure. Our approach involves moving from the current many-to-one client-server model to a one-to-one client-server model. In redesigning the network, we provide a means of better accountability for traffic between clients and servers. With accountability, we enable the ability to quickly determine which client is responsible for an attack. This allows us to quickly repair the affected entities. To accomplish this accountability, we separate each client's communication into separate flows. A flow is identified by various network features, such as IP addresses and ports. Further, instead of allowing multiple clients to be multiplexed at the same server, we use a technique that allows each client to communicate with a server that is logically separate from all other clients. Accordingly, a server compromise only affects a single client. We create a one-to-one client-server model using virtualization techniques and OpenFlow, a software-defined network (SDN) protocol. We complete our model in three phases. In the first, we deploy a physical SDN using physical machines and a commodity network switch that supports OpenFlow to gain an initial understanding of SDNs. The next phase involves implementation of Choreographer, a DNS access control mechanism, in a virtualized SDN environment for better scalability over our physical configuration. Finally, we leverage Choreographer to dynamically instantiate a server for each client and create network flows that allow a client to reach the requested server.
10

Rivera, Polanco Sergio A. "AUTOMATED NETWORK SECURITY WITH EXCEPTIONS USING SDN." UKnowledge, 2019. https://uknowledge.uky.edu/cs_etds/87.

Abstract:
Campus networks have recently experienced a proliferation of devices ranging from personal use devices (e.g. smartphones, laptops, tablets), to special-purpose network equipment (e.g. firewalls, network address translation boxes, network caches, load balancers, virtual private network servers, and authentication servers), as well as special-purpose systems (badge readers, IP phones, cameras, location trackers, etc.). To establish directives and regulations regarding the ways in which these heterogeneous systems are allowed to interact with each other and the network infrastructure, organizations typically appoint policy writing committees (PWCs) to create acceptable use policy (AUP) documents describing the rules and behavioral guidelines that all campus network interactions must abide by. While users are the audience for AUP documents produced by an organization's PWC, network administrators are the responsible party enforcing the contents of such policies using low-level CLI instructions and configuration files that are typically difficult to understand and are almost impossible to show that they do, in fact, enforce the AUPs. In other words, mapping the contents of imprecise unstructured sentences into technical configurations is a challenging task that relies on the interpretation and expertise of the network operator carrying out the policy enforcement. Moreover, there are multiple places where policy enforcement can take place. For example, policies governing servers (e.g., web, mail, and file servers) are often encoded into the server's configuration files. However, from a security perspective, conflating policy enforcement with server configuration is a dangerous practice because minor server misconfigurations could open up avenues for security exploits. On the other hand, policies that are enforced in the network tend to rarely change over time and are often based on one-size-fits-all policies that can severely limit the fast-paced dynamics of emerging research workflows found in campus networks. This dissertation addresses the above problems by leveraging recent advances in Software-Defined Networking (SDN) to support systems that enable novel in-network approaches developed to support an organization's network security policies. Namely, we introduce PoLanCO, a human-readable yet technically-precise policy language that serves as a middle-ground between the imprecise statements found in AUPs and the technical low-level mechanisms used to implement them. Real-world examples show that PoLanCO is capable of implementing a wide range of policies found in campus networks. In addition, we also present the concept of Network Security Caps, an enforcement layer that separates server/device functionality from policy enforcement. A Network Security Cap intercepts packets coming from, and going to, servers and ensures policy compliance before allowing network devices to process packets using the traditional forwarding mechanisms. Lastly, we propose the on-demand security exceptions model to cope with the dynamics of emerging research workflows that are not suited for a one-size-fits-all security approach. In the proposed model, network users and providers establish trust relationships that can be used to temporarily bypass the policy compliance checks applied to general-purpose traffic -- typically by network appliances that perform Deep Packet Inspection, thereby creating network bottlenecks. We describe the components of a prototype exception system as well as experiments showing that through short-lived exceptions researchers can realize significant improvements for their special-purpose traffic.
11

Niyaz, Quamar. "Design and Implementation of a Deep Learning based Intrusion Detection System in Software-Defined Networking Environment." University of Toledo / OhioLINK, 2017. http://rave.ohiolink.edu/etdc/view?acc_num=toledo1501785493311223.

12

Liyanage, M. (Madhusanka). "Enhancing security and scalability of Virtual Private LAN Services." Doctoral thesis, Oulun yliopisto, 2016. http://urn.fi/urn:isbn:9789526213767.

Abstract:
Ethernet based VPLS (Virtual Private LAN Service) is a transparent, protocol independent, multipoint L2VPN (Layer 2 Virtual Private Network) mechanism to interconnect remote customer sites over IP (Internet Protocol) or MPLS (Multiprotocol Label Switching) based provider networks. VPLS networks are now becoming attractive in many Enterprise applications, such as DCI (data center interconnect), voice over IP (VoIP) and videoconferencing services due to their simple, protocol-independent and cost efficient operation. However, these new VPLS applications demand additional requirements, such as elevated security, enhanced scalability, optimum utilization of network resources and further reduction in operational costs. Hence, the motivation of this thesis is to develop secure and scalable VPLS architectures for future communication networks. First, a scalable secure flat-VPLS architecture is proposed based on a Host Identity Protocol (HIP). It contains a session key-based security mechanism and an efficient broadcast mechanism that increase the forwarding and security plane scalability of VPLS networks. Second, a secure hierarchical-VPLS architecture is proposed to achieve control plane scalability. A novel encrypted label-based secure frame forwarding mechanism is designed to transport L2 frames over a hierarchical VPLS network. Third, a novel Distributed Spanning Tree Protocol (DSTP) is designed to maintain a loop free Ethernet network over a VPLS network. With DSTP it is proposed to run a modified STP (Spanning Tree Protocol) instance in each remote segment of the VPLS network. In addition, two Redundancy Identification Mechanisms (RIMs) termed Customer Associated RIMs (CARIM) and Provider Associated RIMs (PARIM) are used to mitigate the impact of invisible loops in the provider network.
Lastly, a novel SDN (Software Defined Networking) based VPLS (Soft-VPLS) architecture is designed to overcome tunnel management limitations in legacy secure VPLS architectures. Moreover, three new mechanisms are proposed to improve the performance of legacy tunnel management functions: 1) a dynamic tunnel establishment mechanism, 2) a tunnel resumption mechanism and 3) a fast transmission mechanism. The proposed architecture utilizes a centralized controller to command VPLS tunnel establishment based on real-time network behavior. Hence, the results of the thesis will help toward more secure, scalable and efficient system design and development of VPLS networks. They will also help to optimize the utilization of network resources and to further reduce the operational costs of future VPLS networks.
Abstract (Finnish): Ethernet-based VPLS (Virtual Private LAN Service) is a transparent, protocol-independent multipoint network mechanism (Layer 2 Virtual Private Network, L2VPN) that connects a customer's remote sites over provider networks based on the IP (Internet Protocol) or MPLS (Multiprotocol Label Switching) protocols. Thanks to their simple, protocol-independent and cost-effective mode of operation, VPLS networks have become attractive for many enterprise applications. Such applications include DCI (Data Center Interconnect), VoIP (Voice over IP) and videoconferencing services. However, new VPLS applications impose new demands, such as better security and scalability, optimal utilization of network resources and a further reduction in operating costs. The purpose of this dissertation is therefore to develop secure and scalable VPLS architectures for future communication networks. First, the dissertation presents a scalable and secure flat-VPLS architecture based on the Host Identity Protocol (HIP). Next, it discusses a session-key-based security mechanism and an efficient broadcast mechanism that improve the scalability of the forwarding and security planes of VPLS networks. After this, a secure hierarchical VPLS architecture is presented that achieves control plane scalability. The dissertation also describes a new encrypted label-based frame forwarding mechanism for transporting L2 frames over a hierarchical VPLS network. In addition, the dissertation proposes a new Distributed Spanning Tree Protocol (DSTP) for maintaining a loop-free Ethernet network over a VPLS network. With DSTP, a modified STP (Spanning Tree Protocol) instance can be run in each remote segment of the VPLS network.
The dissertation also presents two Redundancy Identification Mechanisms (RIMs), Customer Associated RIM (CARIM) and Provider Associated RIM (PARIM), which reduce the impact of invisible loops in the provider network. Finally, a new SDN (Software Defined Networking) based VPLS architecture (Soft-VPLS) is proposed to eliminate the tunnel management problems of legacy secure VPLS architectures. In addition, three new mechanisms are proposed to improve the tunnel management functions of the legacy architectures: 1) a dynamic tunnel establishment mechanism, 2) a tunnel resumption mechanism and 3) a fast transmission mechanism. The proposed architecture uses a centralized controller to manage VPLS tunnel establishment based on real-time network behaviour. The results of the research help in designing and developing more secure, scalable and efficient VPLS systems, and help to use network resources more efficiently and to lower the operational costs of the network.
13

Wu, Haotian. "OpenFlow-enabled dynamic DMZ for local networks." Diss., Kansas State University, 2017. http://hdl.handle.net/2097/38231.

Abstract:
Doctor of Philosophy
Department of Electrical and Computer Engineering
Don M. Gruenbacher
Caterina M. Scoglio
Cybersecurity is playing a vital role in today's networks. We can use security devices, such as a deep packet inspection (DPI) device, to enhance cybersecurity. However, a DPI has a limited amount of inspection capability, which cannot catch up with the ever-increasing volume of network traffic, and that gap is getting even larger. Therefore, inspecting every single packet using DPI is impractical. Our objective is to find a tradeoff between network security and network performance. More explicitly, we aim at maximizing the utilization of security devices, while not decreasing network throughput. We propose two prototypes to address this issue in a demilitarized zone (DMZ) architecture. Our first prototype involves a flow-size based DMZ criterion. In a campus network, elephant flows (flows with a large data rate) are usually science data and are mostly safe. Moreover, the majority of the network bandwidth is consumed by elephant flows. Therefore, we propose a DMZ prototype in which we inspect elephant flows for a few seconds and then allow them to bypass DPI inspection, as long as they are identified as safe flows; they can be periodically re-inspected to ensure they remain safe. Our second prototype is a congestion-aware DMZ scheme. Instead of determining whether a flow is safe or not by its size, we treat all flows identically. We measure the data rates of all flows, and use a global optimization algorithm to determine which flows are allowed to safely bypass a DPI. The objective is to maximize DPI utilization. Both prototypes are implemented using OpenFlow in this work, and extensive experiments are performed to test both prototypes' feasibility. The results attest that the two prototypes are effective in ensuring network security while not compromising network performance. A number of tools for SDN network configuration and testing are also developed.
14

Müller, Lucas Fernando. "Survivor : estratégias de posicionamento de controladores orientadas à sobrevivência em redes definidas por software." reponame:Biblioteca Digital de Teses e Dissertações da UFRGS, 2014. http://hdl.handle.net/10183/115065.

Abstract:
The SDN paradigm simplifies network management by concentrating all control tasks in a single entity, the controller. In this mode of operation, forwarding devices only function fully while connected to a controller. In this context, recent literature has identified fundamental issues, such as the isolation of devices due to network disruptions and controller overload, and has proposed controller placement strategies to address them. However, current proposals have crucial limitations: (i) device-controller connectivity is modelled using a single path, even though in practice multiple concurrent connections may occur; (ii) changes in the arrival pattern of new flows are handled on demand, assuming that the network itself can sustain high request rates; and (iii) failure recovery mechanisms require predefined information which, in turn, is not optimized. This dissertation presents Survivor, a new controller placement approach for WAN networks that aims to address these challenges. The approach explicitly addresses three aspects during network design: connectivity, capacity and recovery. Moreover, these aspects are planned for two distinct network states: pre- and post-disruption. In other words, the network is configured in the best way both for normal operation and for operation after disruption events. To this end, the approach is divided into two steps. The first defines the placement of controller instances, while the second specifies a list of backup controllers for each device in the network. Furthermore, two strategies are developed based on the Survivor approach. The first, implemented with Integer Linear Programming, guarantees an optimal solution at a high computational cost.
The second, implemented using heuristics, provides sub-optimal solutions at a much lower computational cost. Comparisons with the state of the art show that the Survivor approach provides significant gains in survivability (identified by a lower probability of connectivity loss) and in the converged state of the network through smarter recovery mechanisms.
The SDN paradigm simplifies network management by focusing all control tasks into a single entity, the controller. In this way, forwarding devices can only operate correctly while connected to a logically centralized controller. Within this context, recent literature identified fundamental issues, such as device isolation due to disruptions in the network and controller overload, and proposed controller placement strategies to tackle them. However, current proposals have crucial limitations: (i) device-controller connectivity is modeled using single paths, yet in practice multiple concurrent connections may occur; (ii) peaks in the arrival of new flows are only handled on-demand, assuming that the network itself can sustain high request rates; and (iii) failover mechanisms require predefined information which, in turn, has been overlooked. This dissertation presents Survivor, a novel controller placement approach for WAN networks that addresses these challenges. The approach explicitly considers the following three aspects in the network design process: connectivity, capacity and recovery. Moreover, these aspects are planned for two distinct states of the network: pre- and post-disruption. In other words, the network is configured optimally for both normal operation and for operation after disruption events. To this end, the approach is divided into two steps. The first defines the positioning of the controller instances, and the second specifies a list of backup controllers for each device on the network. Moreover, two strategies based on Survivor are developed. The first strategy, implemented with Integer Linear Programming, guarantees an optimal solution with a high computational cost. The second strategy, implemented using heuristics, provides sub-optimal solutions with a much lower computational cost.
Comparisons to the state-of-the-art show that the Survivor approach provides significant increases in network survivability (identified with the lowest probability of connectivity loss) and converged network state through smarter recovery mechanisms.
15

Namal, S. (Suneth). "Enhanced communication security and mobility management in small-cell networks." Doctoral thesis, Oulun yliopisto, 2014. http://urn.fi/urn:isbn:9789526206370.

Abstract:
Software-Defined Networks (SDN) focus on addressing the challenges of increased complexity and unified communication, for which the conventional networks are not optimally suited due to their static architecture. This dissertation discusses methods for enhancing communication security and mobility management in small-cell networks with IEEE 802.11 backhaul. Although 802.11 has become a mission-critical component of enterprise networks, in many cases it is not managed with the same rigor as the wired networks. 802.11 networks are thus in need of undergoing the same unified management as the wired networks. This dissertation also addresses several new issues from the perspective of mobility management in 802.11 backhaul. Due to lack of built-in quality of service support, IEEE 802.11 experiences serious challenges in meeting the demands of modern services and applications. 802.11 networks require a significantly longer duration for association than real-time applications can tolerate. To optimise host mobility in IEEE 802.11, an extension to the initial authentication is provided by utilising Host Identity Protocol (HIP) based identity attributes and Elliptic Curve Cryptography (ECC) based session key generation. Finally, this dissertation puts forward the concept of SDN based cell mobility and its counterpart, network function virtualization. This is validated by introducing a unified SDN and cognitive radio architecture for harmonized end-to-end resource allocation and management, presented at the end.
Abstract (Finnish): Software-defined networks (SDN) focus on solving challenges related to the increased complexity of networks and unified communication, for which conventional networks are not suited because of their static structure. The dissertation discusses methods by which communication security and mobility management can be improved in IEEE 802.11 wireless small-cell networks. Although 802.11 has become a key component of enterprise networks, in many cases it is not managed as rigorously as the wired network. 802.11 networks therefore need the same kind of unified management as wired networks have. The dissertation also focuses on many new problems related to mobility management in 802.11 networks. Due to the lack of built-in quality of service (QoS) support, it is challenging for IEEE 802.11 networks to meet the demands of modern services and applications. 802.11 networks require considerably longer for network association than real-time applications demand. The work presents an extension to the initial authentication of the IEEE 802.11 standard for optimizing host mobility, which utilizes Host Identity Protocol (HIP) based identity attributes and Elliptic Curve Cryptography (ECC) based session key generation. Finally, the work presents an SDN-based concept of cell mobility, together with the closely related network virtualization. This is validated by introducing a unified SDN and cognitive radio based architecture for harmonized end-to-end resource allocation and management, presented at the end.
16

Kekely, Lukáš. "Hardwarová akcelerace aplikací pro monitorování a bezpečnost vysokorychlostních sítí." Master's thesis, Vysoké učení technické v Brně. Fakulta informačních technologií, 2013. http://www.nusl.cz/ntk/nusl-236345.

Abstract:
This master's thesis deals with the design of a software controlled hardware acceleration system for high-speed networks. The main goal is to provide easy access to acceleration for various network security and monitoring applications. The proposed system is designed for 100 Gbps networks. It enables high-speed processing on an FPGA card together with flexible software control. The combination of hardware speed and software flexibility allows easy creation of complex high-performance network applications. The achievable performance improvement of three chosen monitoring and security applications is shown using a simulation model of the designed system.
17

Kekely, Lukáš. "Softwarově řízené monitorování síťového provozu." Doctoral thesis, Vysoké učení technické v Brně. Fakulta informačních technologií, 2017. http://www.nusl.cz/ntk/nusl-412592.

Abstract:
This doctoral thesis deals with the design of a new approach to software-controlled (software-defined) hardware acceleration for modern high-speed computer networks. The main goal of the thesis is to formulate a general, flexible and easy-to-use acceleration concept applicable to various security and monitoring applications, which would enable their real deployment in 100 Gb/s and faster networks. The thesis begins with an analysis of the current state of the art in the fields of network monitoring, security and methods of accelerating the processing of high-speed network data. Based on this analysis, a completely new concept called Software Defined Monitoring (SDM) is formulated and designed. The key functionality of this concept is built on hardware-accelerated, application-specific (application-controlled), flow-based, informed reduction and distribution of captured network data. This is achieved by combining high-speed hardware processing with flexible software control, which together enable the easy creation of various complex and high-performance network applications. Advanced optimizations and improvements of the basic SDM concept and its selected components are also investigated in the thesis, leading to the design of a unique and generally applicable FPGA architecture of a modular packet header parser and a high-performance packet classifier based on cuckoo hashing. Finally, a high-speed SDM prototype built on top of an FPGA-accelerated network card is created and thoroughly verified under real network deployment conditions. The achievable performance improvements in several selected monitoring and security use cases are measured and discussed. The created SDM prototype is also deployed in production monitoring of the real backbone network of the Cesnet association and has been commercialized by Netcope Technologies.
18

Paradis, Thomas. "Software-Defined Networking." Thesis, KTH, Skolan för informations- och kommunikationsteknik (ICT), 2014. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-143882.

Abstract:
Software Defined Networks (SDN) is a paradigm in which routing decisions are taken by a control layer. In contrast to conventional network structures, the control plane and forwarding plane are separated and communicate through standard protocols like OpenFlow. Historically, network management was based on a layered approach, each layer isolated from the others. SDN proposes a radically different approach by bringing together the management of all these layers into a single controller. It is therefore easy to get a unified management policy despite the complexity of current network requirements while ensuring performance through the use of dedicated devices for the forwarding plane. Such an upheaval can meet the current challenges of managing an increasingly dynamic network imposed by the development of cloud computing or the increased mobility of everyday devices. Many solutions have emerged, but not all address the same issues and they are not necessarily usable in a real environment. The purpose of this thesis is to study and report on existing solutions and technologies as well as to conceive a demonstration prototype to present the benefits of this approach. This project also focuses on an analysis of risks posed by these technologies and the possible solutions.
19

Pitzus, Antonio. "SDN : Software Defined Networking." Bachelor's thesis, Alma Mater Studiorum - Università di Bologna, 2017. http://amslaurea.unibo.it/14006/.

Abstract:
In a period in which everything evolves rapidly, the telecommunications sector is witnessing exponential growth in the number of mobile devices constantly connected to the network; this calls for a new way of managing networks. The new vision that has been maturing recently is to adopt a network model that is dynamic, flexible and above all reliable, and that does not require major maintenance efforts or the installation of additional hardware by operators. A network with these characteristics can be developed thanks to an innovative architectural model such as Software Defined Networking (SDN) and to a new way of exploiting the functionality of network equipment such as Network Function Virtualization (NFV), which in turn is a process of virtualizing the network functions performed by physical telecommunications equipment. These two concepts are closely linked and can bring particular advantages if applied together, but they are independent in themselves. Software Defined Networking (SDN) is an architecture used to build telecommunications networks in which the network control plane and the data transport plane are logically separated. Network Function Virtualization (NFV) is the process of virtualizing the network functions performed by physical telecommunications equipment. A final aspect to be covered concerns the high-level and low-level communication of the SDN controller. High-level communication, that is, with application software, is enabled by the NBI (North-Bound Interfaces), while low-level communication, that is, with hardware devices, is enabled by the SBI (South-Bound Interfaces). These two interfaces are able to satisfy the SDN controller's requests thanks to the application of the Intent NBI paradigm, which is declarative, non-prescriptive and vendor-independent.
20

Vigneux, Lara. "Software Defined Networking: tre casi d'uso." Bachelor's thesis, Alma Mater Studiorum - Università di Bologna, 2016. http://amslaurea.unibo.it/10501/.

Abstract:
Networks must be able to handle the traffic patterns generated by new applications, which is why an interest unprecedented in the history of the Internet is focusing on Software Defined Networking (SDN), a new way of conceiving networks. SDN is a paradigm that makes it possible to separate the control plane from the data plane, allowing the network to be controlled from a single centralized device, the controller. In this thesis we set out to examine two specific case studies, in order to show how SDN can provide the best support for solving the problems of traditional architectures, and a useful tool for designing SDN. First, Procera is analysed, used in home networks and campus networks to show that, thanks to it, the complexity of an entire network can be reduced. Then AgNos is examined, an architecture based on actions performed by agents, which makes it an excellent working tool both because the agents are implemented in the network controllers and because AgNos has the peculiarity of providing the user (or the system) with a stable level of concreteness. Two common problems on the Internet are also analysed: 1. the mitigation of DDoS attacks, where SDN domains collaborate to filter packets at the source to avoid resource exhaustion; 2. the implementation of a prevention mechanism to address the problem of a DoS attack in its initial phase, making the attack easier to handle. The last topic covered is the Mininet system, an excellent working tool because it makes it possible to emulate network topologies consisting of hosts, switches and controllers created in software. It is an excellent tool for implementing SDN networks and is very useful for development, teaching and research thanks to being open source.
21

Marini, Riccardo. "Software Defined Networking Architectures for LoRaWAN." Master's thesis, Alma Mater Studiorum - Università di Bologna, 2019.

Abstract:
This thesis proposes new solutions for LoRaWAN networks taking advantage of Software Defined Networking architectures. In particular, an analysis of the current implementation of the Adaptive Data Rate mechanism developed by the LoRaWAN standard, as well as a proposal of a new algorithm, will be provided. This will be addressed by considering both a cloud-based and a fog-based architecture in order to observe differences between the two approaches in a number of different scenarios. The proposed algorithms and the two architectures are compared via numerical results achieved through simulations and experimental tests.
22

Svantesson, Björn. "Software Defined Networking : Virtual Router Performance." Thesis, Högskolan i Skövde, Institutionen för informationsteknologi, 2016. http://urn.kb.se/resolve?urn=urn:nbn:se:his:diva-13417.

Abstract:
Virtualization is becoming more and more popular since the hardware that is available today often has the ability to run more than just a single machine. The hardware is too powerful in relation to the requirements of the software that is supposed to run on the hardware, making it inefficient to run too little software on too powerful of machines. With virtualization, the ability exists to run a lot of different software on the same hardware, thereby increasing the efficiency of hardware usage. Virtualization doesn't stop at just virtualizing operating systems or commodity software, but can also be used to virtualize networking components. These networking components include everything from routers to switches and are possible to set up on any kind of virtualized system. When discussing virtualization of networking components, the expression "Software Defined Networking" is hard to miss. Software Defined Networking is a definition that contains all of these virtualized networking components and is the expression that should be used when researching further into this subject. There's an increasing interest in these virtualized networking components now in relation to just a few years ago. This is due to company networking becoming much more complex now in relation to the complexity that could be found in a network a few years back. More services need to be up inside of the network and a lot of people believe that Software Defined Networking can help in this regard. This thesis' aim is to try to find out what kind of differences there are between multiple different software routers. Finding out things like which one of the routers offers the highest network speed for the least amount of hardware cost is the kind of thing that this thesis will be focused on.
It will also look at some different aspects of performance that the routers offer in relation to one another in order to try to establish if there exists any kind of "best" router in multiple different areas. The idea is to build up a virtualized network that somewhat relates to how a normal network looks in smaller companies today. This network will then be used for different types of testing while having the software based router placed in the middle and having it take care of routing between different local virtual networks. All of the routers will be placed on the same server and their configuration will be very basic while also making sure that each of the routers gets access to the same amount of hardware. After initial testing, all routers that perform badly will be opted out of additional testing. This is done to make sure that there's no unnecessary testing done on routers that seem not to be able to keep up with the other ones. The results from these tests will be compared to the results of a hardware router with the same kind of tests used with it in the middle in relation to the tests the software routers had to go through. The results from the testing were fairly surprising, only having one single router being eliminated early on as the remaining ones continued to "battle" one another with more tests. These tests were compared to the results of a hardware router and the results here were also quite surprising with a much better performance in many different areas from the software routers' perspective.
23

Adduci, Pietro. "Software-Defined Networking: lo standard Openflow." Bachelor's thesis, Alma Mater Studiorum - Università di Bologna, 2014. http://amslaurea.unibo.it/7241/.

24

Marchelletta, Enrico Maria. "Rassegna su software-defined networking e openflow." Bachelor's thesis, Alma Mater Studiorum - Università di Bologna, 2015. http://amslaurea.unibo.it/9108/.

Abstract:
This thesis is a survey on the topic of Software-Defined Networking (SDN): an emerging paradigm in the field of computer networks that makes it possible to control the behaviour of the entire network through logically centralized software. In particular, the OpenFlow protocol is examined in depth, that is, the open and standardized interface for communication between the control plane and the forwarding plane, which has become a "de facto" standard in the field of SDN technology.
25

Voellmy, Andreas Richard. "Programmable and Scalable Software-Defined Networking Controllers." Thesis, Yale University, 2014. http://pqdtopen.proquest.com/#viewpdf?dispub=3580888.

Abstract:

A major recent development in computer networking is the notion of Software-Defined Networking (SDN), which allows a network to customize its behaviors through centralized policies at a conceptually centralized network controller. The SDN architecture replaces closed, vertically-integrated, and fixed-function appliances with general-purpose packet processing devices, programmed through open, vendor-neutral APIs by control software executing on centralized servers. This open design exposes the capabilities of network devices and provides consumers with increased flexibility.

Although several elements of the SDN architecture, notably the OpenFlow standards, have been developed, writing an SDN controller remains highly difficult. Existing programming frameworks require either explicit or restricted declarative specification of flow patterns and provide little support for maintaining consistency between controller and distributed switch state, thereby introducing a major source of complexity in SDN programming.

In this dissertation, we demonstrate that it is feasible to use arguably the simplest possible programming model for centralized SDN policies, in which the programmer specifies the forwarding behavior of a network by defining a packet-processing function as an ordinary algorithm in a general-purpose language. This function, which we call an algorithmic policy, is conceptually executed on every packet in the network and has access to centralized network and policy state. This programming model eliminates the complex and performance-critical task of generating and maintaining sets of rules on individual, distributed switches.

To implement algorithmic policies efficiently, we introduce Maple, an SDN programming framework that can be embedded into any programming language with appropriate support. We have implemented Maple in both Java and Haskell, including an optimizing compiler and runtime system with three novel components. First, Maple's optimizer automatically discovers reusable forwarding decisions from a generic running control program. Specifically, the optimizer observes algorithm execution traces, organizes these traces to develop a partial decision tree for the algorithm, called a trace tree, and incrementally compiles these trace trees into optimized flow tables for distributed switches. Second, Maple introduces state dependency localization and fast repair techniques to efficiently maintain consistency between algorithmic policy and distributed flow tables. Third, Maple includes the McNettle OpenFlow network controller that efficiently executes user-defined OpenFlow event handlers written in Haskell on multicore CPUs, supporting the execution of algorithmic policies that require the central controller to process many packets. Through efficient message processing and enhancements to the Glasgow Haskell Compiler runtime system, McNettle network controllers can scale to handle over 20 million OpenFlow events per second on 40 CPU cores.
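The abstract above describes the core Maple idea in words: an ordinary function is run per packet, its field accesses are recorded as a trace, the traces are merged into a trace tree, and the tree is compiled into prioritized flow-table rules. The following Python block is an added illustration written for this page, not Maple's own code (Maple is Java and Haskell); the packet fields, the policy, the learned-MAC table and the sample packets are all constructed for the demonstration. It shows the one detail that is easy to get wrong: when a test node is compiled, the false branch needs a barrier rule above it so that a packet with field == value never falls into rules derived from the false branch.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple

DROP, FLOOD, TO_CONTROLLER = "drop", "flood", "to_controller"

class TracedPacket:
    """Wraps a packet (a dict of header fields) and records every field access,
    so that one run of an ordinary Python function becomes an execution trace."""
    def __init__(self, fields: Dict[str, Any]):
        self._fields = fields
        self.trace: List[Tuple] = []

    def test(self, name: str, value: Any) -> bool:
        held = self._fields[name] == value
        self.trace.append(("T", name, value, held))
        return held

    def read(self, name: str) -> Any:
        value = self._fields[name]
        self.trace.append(("V", name, value))
        return value

@dataclass
class Node:
    """Trace-tree node: L = leaf holding an action, T = equality test, V = value read, O = unexplored."""
    kind: str
    field_name: str = ""
    value: Any = None
    action: Any = None
    pos: Optional["Node"] = None                      # T: subtree when the test held
    neg: Optional["Node"] = None                      # T: subtree when it failed
    children: Dict[Any, "Node"] = field(default_factory=dict)  # V: value -> subtree

def augment(node: Node, trace: List[Tuple], action: Any) -> Node:
    """Merge one execution trace (ending in `action`) into the tree."""
    if not trace:
        return Node("L", action=action)
    step, rest = trace[0], trace[1:]
    if step[0] == "T":
        _, name, value, held = step
        if node.kind == "O":
            node = Node("T", field_name=name, value=value, pos=Node("O"), neg=Node("O"))
        assert (node.kind, node.field_name, node.value) == ("T", name, value), "non-deterministic policy"
        if held:
            node.pos = augment(node.pos, rest, action)
        else:
            node.neg = augment(node.neg, rest, action)
    else:
        _, name, value = step
        if node.kind == "O":
            node = Node("V", field_name=name)
        assert (node.kind, node.field_name) == ("V", name), "non-deterministic policy"
        node.children[value] = augment(node.children.get(value, Node("O")), rest, action)
    return node

def compile_tree(node: Node, match: Optional[Dict] = None, prio: int = 0):
    """Emit (priority, match, action) rules from the tree; higher priority wins."""
    match = match or {}
    if node.kind == "O":
        return [], prio              # nothing known here: table-miss sends the packet up
    if node.kind == "L":
        return [(prio, dict(match), node.action)], prio + 1
    if node.kind == "V":
        rules = []
        for v, child in node.children.items():
            sub, prio = compile_tree(child, {**match, node.field_name: v}, prio)
            rules += sub
        return rules, prio
    # T node: false branch lowest; then a barrier rule so packets with field == value
    # never fall into the false-branch rules; then the true branch on top.
    rules, prio = compile_tree(node.neg, match, prio)
    pos_match = {**match, node.field_name: node.value}
    rules.append((prio, pos_match, TO_CONTROLLER))
    sub, prio = compile_tree(node.pos, pos_match, prio + 1)
    return rules + sub, prio

def lookup(rules, pkt: Dict[str, Any]) -> Any:
    """Switch semantics: the highest-priority rule whose match fields all agree with the packet."""
    hits = [(p, a) for p, m, a in rules if all(pkt.get(k) == v for k, v in m.items())]
    return max(hits, key=lambda h: h[0])[1] if hits else TO_CONTROLLER

PORT_OF = {"aa:aa": 1, "bb:bb": 2}  # constructed learned-MAC table (assumption)

def policy(pkt: TracedPacket) -> Any:
    """Algorithmic policy: drop SSH, otherwise forward on the port learned for the MAC."""
    if pkt.test("tcp_dst", 22):
        return DROP
    return PORT_OF.get(pkt.read("eth_dst"), FLOOD)

SAMPLE_PACKETS = [  # constructed packet-in events for the demonstration
    {"eth_dst": "aa:aa", "tcp_dst": 80},
    {"eth_dst": "bb:bb", "tcp_dst": 22},
    {"eth_dst": "bb:bb", "tcp_dst": 443},
]

def run_controller(packets):
    """Controller loop: run the policy per packet, grow the trace tree, recompile the table."""
    tree = Node("O")
    for fields in packets:
        tp = TracedPacket(fields)
        action = policy(tp)          # accesses are recorded in tp.trace while it runs
        tree = augment(tree, tp.trace, action)
    return compile_tree(tree)[0]
```

Running `run_controller(SAMPLE_PACKETS)` yields four rules: two low-priority rules on `eth_dst`, a barrier on `tcp_dst == 22` sending to the controller, and the `drop` rule on top. Any packet the controller has not seen a similar trace for misses the table and is punted up, which is the behaviour the abstract relies on when it says the policy is "conceptually executed on every packet".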

26

Cerboni, Simone Marco. "Software Defined Networking for The Internet of Things." Master's thesis, Alma Mater Studiorum - Università di Bologna, 2016.

Abstract:
Wireless sensor networks are today, in the world of telecommunications, one of the fields that is growing and developing fastest, being one of the cornerstones of the Internet of Things (IoT) vision. The nature of this kind of network, most often made up of simple, low-cost devices that must be able to run different kinds of applications despite limited computing power, leads to the need for a network protocol that is at the same time flexible and of low complexity. Moreover, the future fifth generation of cellular networks (5G) will also have to absorb the traffic due to IoT networks, with the prerequisite of a latency that is low and deterministic, and all through a centralized approach. Given this scenario, applying the concept of Software Defined Networking within wireless sensor networks could be a possible solution to the challenges of 5G, and this dissertation presents an implementation of that principle. In particular, this thesis describes the structure of an SDN-based IoT network, with some of the additional services it can provide compared with other solutions for sensor networks, how it was implemented, and the results obtained through the tests carried out.
27

Rodríguez, Natal Alberto. "Decoupling state from control in software-defined networking." Doctoral thesis, Universitat Politècnica de Catalunya, 2016. http://hdl.handle.net/10803/398399.

Abstract:
Software-Defined Networking (SDN) arose as a solution to address the limitations of traditional networking. In SDN networks, the control plane is decoupled from the data-plane devices and logically centralized in a new network element, the SDN controller. SDN enables easier network operation and allows forwarding devices and control logic to evolve independently. The centralization of the control permits a global view of the network and acting on it as a whole, but at the same time requires a careful design to keep the controller scalable. Commonly, a logically centralized controller is instantiated over a physically distributed infrastructure that leverages a distributed network state database. Control applications running on top of the controller modify this state to make it compliant with their control policies or to react to network events. The controller programs the data-plane devices to reflect these state changes. Interestingly, current SDN approaches keep the network state architecturally as part of the controller. However, this thesis argues that the network state can be an SDN component on its own, logically separated from the controller. In the same way that SDN originally decoupled control from data, this thesis lays the foundations to explore the decoupling of state from control. This logical separation allows state and control to scale independently and allows focusing on their individual functionality and requirements. This may be beneficial, at least, when the control has to be asynchronous and when the control has to be decentralized. For those scenarios this thesis describes two architectures driven by specific use-cases. On one hand, when data-plane devices are subject to a high churn they require an asynchronous control communication with the controller. This is the case for end-nodes (e.g. smartphones, home-routers) since they are transient and/or highly mobile. In this case, pushing the state to the data-plane devices presents an architectural challenge. As a consequence, to enable SDN for end-nodes we advocate for a design where the state is rather pushed to a standalone database disjoint from the controller. Data-plane devices directly access this state database and retrieve the state they need on demand. Following this idea, we propose an SDN architecture that leverages distributed and symmetric controller nodes offering an intent-driven northbound to the control applications, and a state database with a connectionless pull-based southbound towards the data-plane nodes. On the other hand, SDN centralization comprises several challenges besides keeping the controller scalable. The control signaling required introduces an inherent latency burden and the aggregation of local information conceals local details. Therefore, SDN centralization may prove unsuitable for scenarios that require fine local control with minimal latency. This is the case of Network Function Virtualization (NFV) in operator networks. For that scenario this thesis describes an architecture where the state remains centralized, but the control is decentralized and moved close to the data-plane devices. The architecture seeks to find a balance between the traditional decentralized networks and the centralization brought by SDN. In contrast to existing SDN deployments, the control is distributed over the network but federated and coordinated thanks to the central state database. In both architectures described we use the Locator/Identity Separation Protocol (LISP) for state exchange. Therefore, another contribution of this thesis is to analyze LISP as an SDN protocol. Besides, in the second part of the thesis we delve deeper into the implications of deploying SDN for end-nodes. Particularly, we analyze the mobility aspects of LISP signaling along with its inherent privacy concerns and we introduce OpenOverlayRouter, a LISP-capable overlay software for end-node SDN deployments.
28

Jiménez, Agudelo Yury Andrea. "Scalability and robustness in software-defined networking (SDN)." Doctoral thesis, Universitat Politècnica de Catalunya, 2016. http://hdl.handle.net/10803/397652.

Abstract:
The simplicity of Internet design has led to enormous growth and innovation. In recent decades several network technologies, services and applications have appeared, which demand specific network requirements for their correct operation. In traditional networks, operators are responsible for providing a network configuration sufficiently robust to deal with a wide range of network events and applications. To achieve this is incredibly difficult because: i) the state of the networks can change continuously and today's networks do not provide a mechanism to automatically respond to the wide range of events that may occur and ii) the static nature of current network devices does not permit detailed control-layer configuration, given that the hardware and software are provided by the manufacturer and cannot be customized. This is the basis of the current, present-day Internet and its architecture, which has grown in an evolutionary fashion from experimental beginnings rather than from a deliberate strategy. The unpredictable network growth in terms of size and heterogeneity has exposed a number of fundamental complexities in the current architecture, for instance the manual configuration of control functions on network devices that may lead to misconfigurations. It is evident that network management requires more intelligent and efficient management systems to coordinate thousands of network elements and applications, the high demand on network performance and growing configuration complexity. In recent decades, several approaches have been introduced in order to improve network management, such as MPLS, virtualization and programmable networks. These latter networks have been proposed as a way of facilitating network evolution. In particular, Software Defined Networking (SDN) is a networking paradigm focused on allowing software developers to rely on network resources in an easy manner, unifying the distribution of network state, and a general-purpose technique to manage any type of network in a transparent manner. In SDN, network intelligence is logically centralized in software-based controllers (the control layer), and network devices become simple packet forwarding devices (the data layer) that can be programmed via an open interface. By decoupling the control and data layers, network devices can be easily programmed and reconfigured, allowing the behaviour of different types of network devices to be unified. Even though SDN is quite recent, it has already been standardized and implemented in the Internet by several recognized companies such as Google. Several SDN architectures have been proposed to handle current and future network services. However, there are still important research challenges to be addressed in SDN. Some of these current challenges are related to: i) SDN scalability, as control is centralized, ii) control layer robustness, as any failure can lead to switches being disconnected from the controller, iii) consistency of network information, as wrong decisions can be made that affect network performance, and iv) security, as controllers can be attacked. The purpose of this thesis is to address the first three of the aforementioned problems. They are addressed from the first premise, ignoring existing approaches offered in traditional networks to remedy some of these issues. First, a controller placement protocol is proposed, taking into account the network/service requirements. To measure the robustness of a control layer, a robustness metric is designed and evaluated. This metric can also be used to select controller placements in an SDN network that minimize the data loss. Finally, a resource discovery protocol is designed, implemented and evaluated. This protocol discovers any network topology in a time-efficient manner, avoiding making assumptions about the network state as happens in traditional networks.
29

Abujoda, Ahmed Mohamed Ahmed [Verfasser]. "Software-defined middlebox networking / Ahmed Mohamed Ahmed Abujoda." Hannover : Technische Informationsbibliothek (TIB), 2016. http://d-nb.info/1108822118/34.

30

Liu, Binghan. "Software Defined Networking and Tunneling for Mobile Networks." Thesis, KTH, Kommunikationssystem, CoS, 2013. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-118376.

Abstract:
With the deployment of Long Term Evolution (LTE) networks, mobile networks will become an important infrastructure component in the cloud ecosystem. However, in the cloud computing era, traditional routing and switching platforms do not meet the requirements of this new trend, especially in a mobile network environment. With the recent advances in software switches and efficient virtualization using commodity servers, Software Defined Networking (SDN) has emerged as a powerful technology to meet the new requirements for supporting a new generation of cloud services. This thesis describes an experimental investigation of cloud computing, SDN, and a mobile network's packet core. The design of a mobile network exploiting the evolution of SDN is also presented. The actual implementation consists of a GTP-enabled Open vSwitch together with the transparent mode of mobile network SDN evolution. Open vSwitch is an SDN product designed for computer networks. The implementation extends Open vSwitch with an implementation of the GTP protocol. This extension enables Open vSwitch to be an excellent SDN component for mobile networks. In transparent mode, a cloud data center is deployed without making any modification to the existing mobile networks. In the practical evaluation of the GTP-U tunnel protocol implementation, the measured metrics are UDP and TCP throughput, end-to-end latency and jitter. Two experiments have been conducted and are described in the evaluation chapter. Cloud computing has become one of the hottest Internet topics. It is attractive for the mobile network to adopt cloud computing technology in order to enjoy the benefits of cloud computing, for example to reduce network construction cost and make network deployment more flexible. This thesis presents a potential direction for mobile network cloud computing. Since this thesis relies on open source projects, readers may use the results to explore a feasible direction for mobile network cloud computing evolution.
31

Hollinghurst, Joe. "Enabling software defined networking in high criticality networks." Thesis, University of Bristol, 2018. http://hdl.handle.net/1983/8ac68df0-62ba-4cf8-beee-b69ee807f43e.

Abstract:
High-criticality networking solutions are often dedicated, highly specialised, even bespoke in the case of hard real-time guarantees. This is required to ensure (quasi) deterministic behaviour of the network services as seen by critical applications. However, dedicated networks incur significant expense, along with the inability to update the system efficiently and effectively. Software-Defined Networking (SDN) uses controllers to allow dynamic, user-controlled, on-demand configuration of the network. This provokes interesting questions on the applicability of SDN concepts and architectures in high-criticality networks. Although SDN offers flexibility and programmability to the network infrastructure through the introduction of a controller, the controller introduces extra delay into the system. This is due to new flows querying the controller for instructions on how to route traffic. This becomes an increasing problem for large-scale and delay-sensitive networks such as those found in high-criticality infrastructure. The delay introduced can be minimised by optimal placement of the controller or decreased further by introducing additional controllers. Although the problem of optimal placement for multiple controllers is known to be NP-hard, approximations can be used. An analysis of three different methods has been conducted, investigating their scalability and how their accuracy varies with complexity. In the latter stage of the thesis the use of redundancy and coding is analysed with the aim of reducing latency and increasing reliability within the network. The objective is to provide an analysis of the gains achievable through the use of redundant messages and coding. Both redundancy and coding increase the network load and hence the delay of each packet, but can reduce overall delay by exploiting independent randomness across multiple paths. Both the average delay minimisation and probabilistic guarantees on delay exceeding some tolerance threshold are considered.
32

Kim, Hyojoon. "Facilitating dynamic network control with software-defined networking." Diss., Georgia Institute of Technology, 2015. http://hdl.handle.net/1853/53939.

Abstract:
This dissertation starts by realizing that network management is a very complex and error-prone task. The major causes are identified through interviews and systematic analysis of network configuration data on two large campus networks. This dissertation finds that network events and dynamic reactions to them should be programmatically encoded in the network control program by operators, and some events should be automatically handled for them if the desired reaction is general. This dissertation presents two new solutions for managing and configuring networks using the Software-Defined Networking (SDN) paradigm: Kinetic and Coronet. Kinetic is a programming language and central control platform that allows operators to implement traffic control applications that react to various kinds of network events in a concise, intuitive way. The event-reaction logic is checked for correctness before deployment to prevent misconfigurations. Coronet is a data-plane failure recovery service for arbitrary SDN control applications. Coronet pre-plans primary and backup routing paths for any given topology. Such pre-planning guarantees that Coronet can perform fast recovery when there is a failure. Multiple techniques are used to ensure that the solution scales to large networks with more than 100 switches. Performance and usability evaluations show that both solutions are feasible and are great alternative solutions to current mechanisms to reduce misconfigurations.
33

Nyberg, Tihmmy. "Introduktion till Software Defined Networking : Utvärdering av kontroller." Thesis, Mittuniversitetet, Institutionen för informationssystem och –teknologi, 2020. http://urn.kb.se/resolve?urn=urn:nbn:se:miun:diva-39380.

Abstract:
This study focuses on gathering information about Software Defined Networking, its protocols and its controllers. What I have learned doing this will be used to evaluate two different controllers, POX and ONOS. A traditional network will be set up physically and serve as a base when it comes to comparing the controllers. The traditional setup includes two routers and four switches, and among the tested characteristics are layer 2 and 3 and their redundancy protocols. The controllers will then be used to try to live up to the same characteristics. The result of this study shows that neither POX nor ONOS could be used for every scenario tested, not with the basic modules the controllers come with. It also showed that the characteristics they did manage were a fair bit easier to set up and monitor compared to their traditional counterparts, thus showing the importance of figuring out what is needed from a network before trying to find a fitting solution for how it needs to be set up. All the information gathered in this study is also used to create a lab instruction meant to introduce others to the concepts of SDN. It explores how to use Mininet to virtualise a network environment, how to install flows using OpenFlow and how to use a controller to simplify the management of the network.
34

Hossain, Md Billal. "QoS-Aware Intelligent Routing For Software Defined Networking." University of Akron / OhioLINK, 2020. http://rave.ohiolink.edu/etdc/view?acc_num=akron1595086618729923.

35

Pagola, Moledo Santiago. "Vendor-Independent Software-Defined Networking : Beyond The Hype." Thesis, Linköpings universitet, Databas och informationsteknik, 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-157456.

Abstract:
Software-Defined Networking (SDN) is an emerging trend in networking that offers a number of advantages, such as smoother network management, over traditional networks. By decoupling the control and data planes from network elements, a huge number of new opportunities arise, especially in network virtualization. In cloud datacenters, where virtualization plays a fundamental role, SDN presents itself as the perfect candidate to ease infrastructure management and to ensure correct operation. Even if the original SDN ideology advocates openness of source and interfaces, multiple networking vendors offer their own proprietary solutions. In this work, an open-source SDN solution, named Tungsten Fabric, will be deployed in a virtualized datacenter and a number of SDN-related use-cases will be examined. The main goal of this work is to determine whether Tungsten Fabric can deliver the same set of use-cases as a proprietary solution from Juniper, named Contrail Cloud. Finally, this work will give some guidelines on whether open-source SDN is the right candidate for Ericsson.
36

Sahay, Rishikesh. "Policy-driven autonomic cyberdefense using software-defined networking." Thesis, Evry, Institut national des télécommunications, 2017. http://www.theses.fr/2017TELE0022/document.

Abstract:
Cyber attacks cause a significant loss not only for end users but also for Internet service providers (ISPs). Recently, ISP customers have been the number one target of cyber attacks such as distributed denial of service (DDoS) attacks. These attacks are encouraged by the widespread availability of tools to launch them. There is therefore a crucial need to counter these attacks with effective defense mechanisms. Researchers have devoted enormous efforts to protecting the network against cyber attacks. Defense methods first contain a detection process, completed by mitigation. The lack of automation in the whole cycle from detection to mitigation increases the damage caused by cyber attacks. This results in manual device configurations by the administrator to mitigate the attacks, which affect the availability of the network. Consequently, it is necessary to close the security loop with an effective mechanism to automate mitigation. In this thesis, we propose an autonomic mitigation framework to mitigate network attacks that target network resources, such as DDoS attacks. Our framework provides collaborative mitigation between the ISP and its customers. We use Software-Defined Networking (SDN) technology to deploy the mitigation framework. The aim of our framework can be summarized as follows: first, the customers detect the attacks and share the threat information with their Internet service provider to perform on-demand mitigation. We further develop the system to improve the management aspect of the framework at the ISP level. This system performs alert extraction, adaptation and device configurations. We develop a policy language to define the high-level policy, which is translated into OpenFlow rules.
Finally, we show the applicability of the framework through simulation as well as test validation. We evaluated different QoS and QoE (quality of user experience) metrics in SDN networks. The application of the framework demonstrates its effectiveness not only in mitigating attacks for the victim, but also in reducing the damage caused to the traffic of the ISP's other customers.
Cyber attacks cause significant loss not only to end-users, but also to Internet Service Providers (ISPs). Recently, customers of the ISP have been the number one target of cyber attacks such as Distributed Denial of Service (DDoS) attacks. These attacks are encouraged by the widespread availability of tools to launch the attacks. So, there is a crucial need to counter these attacks (DDoS, botnet attacks, etc.) by effective defense mechanisms. Researchers have devoted huge efforts to protecting the network from cyber attacks. Defense methodologies first contain a detection process, completed by mitigation. Lack of automation in the whole cycle from detection to mitigation increases the damage caused by cyber attacks. It requires manual configuration of devices by the administrator to mitigate the attacks, which causes network downtime. Therefore, it is necessary to close the security loop with an efficient mechanism to automate the mitigation process. In this thesis, we propose an autonomic mitigation framework to mitigate attacks that target the network resources. Our framework provides a collaborative mitigation strategy between the ISP and its customers. The implementation relies on Software-Defined Networking (SDN) technology to deploy the mitigation framework. The contribution of our framework can be summarized as follows: first, the customers detect the attacks and share the threat information with their ISP to perform the on-demand mitigation. We further develop the system to improve the management aspect of the framework at the ISP side. This system performs the alert extraction, adaptation and device configurations. We develop a policy language to define the high-level policy, which is translated into OpenFlow rules. Finally, we show the applicability of the framework through simulation as well as testbed validation. We evaluate different QoS and QoE (quality of user experience) metrics in SDN networks.
The application of the framework demonstrates its effectiveness in not only mitigating attacks for the victim, but also reducing the damage caused to traffic of other customers of the ISP.
37

Ahmed, Haroon, and Gabriel Sund. "Security challenges within Software Defined Networks." Thesis, KTH, Skolan för informations- och kommunikationsteknik (ICT), 2014. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-177394.

Abstract:
A large amount of today's communication occurs within data centers where a large number of virtual servers (running one or more virtual machines) provide service providers with the infrastructure needed for their applications and services. In this thesis, we will look at the next step in the virtualization revolution, the virtualized network. Software-defined networking (SDN) is a relatively new concept that is moving the field towards a more software-based solution to networking. Today when a packet is forwarded through a network of routers, decisions are made at each router as to which router is the next hop destination for the packet. With SDN these decisions are made by a centralized SDN controller that decides upon the best path and instructs the devices along this path as to what action each should perform. Taking SDN to its extreme minimizes the physical network components and increases the number of virtualized components. The reasons behind this trend are several, although the most prominent are simplified processing and network administration, a greater degree of automation, increased flexibility, and shorter provisioning times. This in turn leads to a reduction in operating expenditures and capital expenditures for data center owners, which both drive the further development of this technology. Virtualization has been gaining ground in the last decade. However, the initial introduction of virtualization began in the 1970s with server virtualization offering the ability to create several virtual server instances on one physical server. Today we already have taken small steps towards a virtualized network by virtualization of network equipment such as switches, routers, and firewalls. Common to virtualization is that in its early stages all of the technologies have encountered trust issues and general concerns related to whether software-based solutions are as rugged and reliable as hardware-based solutions.
SDN has also encountered these issues, and discussion of these issues continues among both believers and skeptics. Concerns about trust remain a problem for the growing number of cloud-based services where multitenant deployments may lead to loss of personal integrity and other security risks. As a relatively new technology, SDN is still immature and has a number of vulnerabilities. As with most software-based solutions, the potential for security risks increases. This thesis investigates how denial-of-service (DoS) attacks affect an SDN environment and a single-threaded controller, described by text and via simulations. The results of our investigations concerning trust in a multi-tenancy environment in SDN suggest that standardization and clear service level agreements are necessary to consolidate customers' confidence. Attracting small groups of customers to participate in user cases in the initial stages of implementation can generate valuable support for a broader implementation of SDN in the underlying infrastructure. With regard to denial-of-service attacks, our conclusion is that hackers can, by targeting the centralized SDN controller, negatively affect most of the network infrastructure (because the entire infrastructure directly depends upon a functioning SDN controller). SDN introduces new vulnerabilities, which is natural as SDN is a relatively new technology. Therefore, SDN needs to be thoroughly tested and examined before making a widespread deployment.
Today's communication takes place largely via server halls where, to a large degree, virtualised server environments provide service providers with the infrastructure required to run their applications and services. In our work we will look at the next step in this virtualisation revolution, that of virtualised networks. Software-defined networking (SDN) is the name of this relatively new concept, which aims at software-based networks. When a packet is transported through a network today, the decision as to which router is the packet's next destination is made locally at each router; the difference in an SDN network is that the decisions are instead made from a bird's-eye perspective, where the best path is decided in a centralised software process with an overview of the whole network and not just up to the next router. This process is also called the SDN controller. Taken to its extreme, SDN is about replacing existing network equipment with virtualised equivalents. The reasons behind the steps towards this development are several; the most prominent would be simplified processes and network administration, a greater degree of automation, increased flexibility and shorter provisioning times. This in turn leads to a reduction in operating costs and capital costs for server hall owners, something that drives the development. Since the early 2000s, virtualisation has been advancing strongly; it started with server virtualisation and the ability to create several virtualised servers on one physical server. Today we have virtualisation of network equipment such as switches, routers and firewalls. Common to all this development is that at an early stage it has encountered trust issues and, in general, problems related to whether software-based solutions are as robust and reliable as traditional hardware-based solutions. This problem is also something that SDN has encountered, and it is today discussed extensively among advocates and sceptics.
These trust issues run counter to the growing number of cloud-based services, typical services where security and personal integrity are vital. Furthermore, SDN, like other new technology, is expected to bring certain teething problems such as security loopholes. In this work we will investigate how denial-of-service (DoS) attacks affect an SDN environment and a single-threaded controller, in text and through simulation. The result of our investigations on the topic of SDN in a multi-tenancy environment is that standardisation and clear service level agreements are needed to consolidate trust among customers. Attracting customers to participate in smaller user cases in an initial phase is also valuable in arguing for a broader implementation of SDN in the underlying infrastructure. Regarding DoS attacks, we found that, as a hacker, it is possible to manipulate an SDN infrastructure in a way that is not possible with today's solutions. For example, targeted attacks against the centralised SDN controller: if this controller is put out of action, large parts of the infrastructure are affected, since they are directly dependent on a functioning SDN controller. As SDN is a new technology, new possibilities for attacks also open up; with that in mind, it is important that SDN undergoes rigorous testing before larger implementation.
38

Sund, Gabriel, and Haroon Ahmed. "Security challenges within Software Defined Networks." Thesis, KTH, Radio Systems Laboratory (RS Lab), 2014. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-156030.

Abstract:
A large amount of today's communication occurs within data centers where a large number of virtual servers (running one or more virtual machines) provide service providers with the infrastructure needed for their applications and services. In this thesis, we will look at the next step in the virtualization revolution, the virtualized network. Software-defined networking (SDN) is a relatively new concept that is moving the field towards a more software-based solution to networking. Today when a packet is forwarded through a network of routers, decisions are made at each router as to which router is the next hop destination for the packet. With SDN these decisions are made by a centralized SDN controller that decides upon the best path and instructs the devices along this path as to what action each should perform. Taking SDN to its extreme minimizes the physical network components and increases the number of virtualized components. The reasons behind this trend are several, although the most prominent are simplified processing and network administration, a greater degree of automation, increased flexibility, and shorter provisioning times. This in turn leads to a reduction in operating expenditures and capital expenditures for data center owners, which both drive the further development of this technology. Virtualization has been gaining ground in the last decade. However, the initial introduction of virtualization began in the 1970s with server virtualization offering the ability to create several virtual server instances on one physical server. Today we already have taken small steps towards a virtualized network by virtualization of network equipment such as switches, routers, and firewalls. Common to virtualization is that in its early stages all of the technologies have encountered trust issues and general concerns related to whether software-based solutions are as rugged and reliable as hardware-based solutions.
SDN has also encountered these issues, and discussion of these issues continues among both believers and skeptics. Concerns about trust remain a problem for the growing number of cloud-based services where multitenant deployments may lead to loss of personal integrity and other security risks. As a relatively new technology, SDN is still immature and has a number of vulnerabilities. As with most software-based solutions, the potential for security risks increases. This thesis investigates how denial-of-service (DoS) attacks affect an SDN environment and a single-threaded controller, described by text and via simulations. The results of our investigations concerning trust in a multi-tenancy environment in SDN suggest that standardization and clear service level agreements are necessary to consolidate customers' confidence. Attracting small groups of customers to participate in user cases in the initial stages of implementation can generate valuable support for a broader implementation of SDN in the underlying infrastructure. With regard to denial-of-service attacks, our conclusion is that hackers can, by targeting the centralized SDN controller, negatively affect most of the network infrastructure (because the entire infrastructure directly depends upon a functioning SDN controller). SDN introduces new vulnerabilities, which is natural as SDN is a relatively new technology. Therefore, SDN needs to be thoroughly tested and examined before making a widespread deployment.
39

Compastié, Maxime. "Software-defined Security for Distributed Clouds." Thesis, Université de Lorraine, 2018. http://www.theses.fr/2018LORR0307/document.

Abstract:
In this thesis, we propose an approach for programmable security in the distributed cloud. More specifically, we show how this programmability can contribute to the protection of distributed cloud services, through the generation of highly constrained unikernel images. These are instantiated in the form of lightweight virtual machines, whose attack surface is reduced and whose security is driven by a security orchestrator. The contributions of this thesis are threefold. First, we present a logical architecture supporting the programmability of security mechanisms in a multi-cloud and multi-tenant context. It allows these mechanisms to be aligned and parameterised for cloud services whose resources are distributed across different providers and tenants. Second, we introduce a method for generating secured unikernel images on the fly. It leads to specific and constrained resources that integrate the security mechanisms from the image construction phase onwards. They can be built reactively or proactively to meet elasticity requirements. Third, we propose to extend the TOSCA orchestration language so that secured resources can be generated automatically, according to different security levels in step with the orchestration. Finally, we detail a prototype and a set of experiments to evaluate the benefits and limits of the proposed approach.
In this thesis, we propose an approach for software-defined security in distributed clouds. More specifically, we show to what extent this programmability can contribute to the protection of distributed cloud services, through the generation of secured unikernel images. These are instantiated in the form of lightweight virtual machines, whose attack surface is limited and whose security is driven by a security orchestrator. The contributions of this thesis are threefold. First, we present a logical architecture supporting the programmability of security mechanisms in a multi-cloud and multi-tenant context. It permits these mechanisms to be aligned and parameterized for cloud services whose resources are spread over several providers and tenants. Second, we introduce a method for generating secured unikernel images in an on-the-fly manner. It leads to specific and constrained resources that integrate security mechanisms as early as the image generation phase. These may be built in a reactive or proactive manner, in order to address elasticity requirements. Third, we propose to extend the TOSCA orchestration language, so that it is possible to automatically generate secured resources, according to different security levels in phase with the orchestration. Finally, we detail a prototype and an extensive series of experiments that are used to evaluate the benefits and limits of the proposed approach.
40

Ou, Yanni. "Virtualization and software-defined networking control of optical transceivers." Thesis, University of Bristol, 2017. http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.715742.

41

Thanh, Bui Tien. "Analysis of Topology Poisoning Attacks in Software-Defined Networking." Thesis, KTH, Skolan för informations- och kommunikationsteknik (ICT), 2015. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-172353.

Abstract:
Software-defined networking (SDN) is an emerging architecture with a great potential to foster the development of modern networks. By separating the control plane from the network devices and centralizing it at a software-based controller, SDN provides network-wide visibility and flexible programmability to network administrators. However, the security aspects of SDN are not yet fully understood. For example, while SDN is resistant to some topology poisoning attacks in which the attacker misleads the routing algorithm about the network structure, similar attacks by compromised hosts and switches are still known to be possible. The goal of this thesis is to thoroughly analyze the topology poisoning attacks initiated by compromised switches and to identify whether they are a threat to SDN. We identify three base cases of the topology poisoning attack, in which the attack that requires a single compromised switch is a new variant of topology poisoning. We develop proof-of-concept implementations for these attacks in emulated networks based on OpenFlow, the most popular framework for SDN. We also evaluate the attacks in simulated networks by measuring how much additional traffic the attacker can divert to the compromised switches. A wide range of network topologies and routing algorithms are used in the simulations. The simulation results show that the discovered attacks are severe in many cases. Furthermore, the seriousness of the attacks increases according to the number of tunnels that the attacker can fabricate and also depends on the distance between the tunnel endpoints. The simulations indicate that network design can help to mitigate the attacks by, for example, shortening the paths between switches in the network, randomizing regular network structure, or increasing the load-balancing capability of the routing strategy.
42

Hughes, Jason J. "Employing deceptive dynamic network topology through software-defined networking." Thesis, Monterey, California: Naval Postgraduate School, 2014. http://hdl.handle.net/10945/41392.

Abstract:
Approved for public release; distribution is unlimited.
Computer networks are constantly being actively probed in attempts to build topological maps of intermediate nodes and discover endpoints, either for academic research or nefarious schemes. While some networks employ recommended conventional countermeasures to simply block such probing at the boundary or shunt such traffic to honey pot systems, other networks remain completely open either by design or neglect. Our research builds on previous work on the concept of presenting a deceptive network topology, which goes beyond conventional network security countermeasures of detecting and blocking network probe traffic. By employing the technologies from the emerging field of Software-Defined Networking and the OpenFlow protocol, we constructed a custom-built SDN controller to listen for network probes and craft customized deceptive replies to those probes. Through employment of various network probing utilities against our custom-built SDN controller in a test network environment, we are able to present a believable deceptive representation of the network topology to an adversary. Therefore, this work demonstrates that the primitives of the expanding OpenFlow protocol show strong potential for constructing an enterprise-grade dynamic deceptive network topology solution to protect computer networks.
43

MacFarland, Douglas C. "Exploring Host-based Software Defined Networking and its Applications." Digital WPI, 2015. https://digitalcommons.wpi.edu/etd-theses/594.

Abstract:
Network operators need a detailed understanding of their networks in order to ensure functionality and to mitigate security risks. Unfortunately, legacy networks are poorly suited to providing this understanding. While the software-defined networking paradigm has the potential to do so, existing switch-based implementations are unable to scale sufficiently to provide information in a fine-grained manner. Furthermore, switches are inherently blind to the inner workings of hosts, significantly hindering an operator's ability to understand the true context behind network traffic. In this work, we explore a host-based software-defined networking implementation. We evaluate our implementation, showing that it is able to scale beyond the capabilities of a switch-based implementation. Furthermore, we discuss various detailed network policies that network operators can write and enforce which are impossible in a switch-based implementation. We also implement and discuss an anti-reconnaissance system that can be deployed without any additional components.
44

Neves, Marcelo Veiga. "Application-aware software-defined networking to accelerate mapreduce applications." Pontifícia Universidade Católica do Rio Grande do Sul, 2015. http://hdl.handle.net/10923/7074.

Abstract:
The rise of Internet of Things sensors, social networking and mobile devices has led to an explosion of available data. Gaining insights into this data has led to the area of Big Data analytics. The MapReduce (MR) framework, as implemented in Hadoop, has become the de facto standard for Big Data analytics. It also forms a base platform for a plurality of Big Data technologies that are used today. To handle the ever-increasing data size, Hadoop is a scalable framework that allows dedicated, seemingly unbound numbers of servers to participate in the analytics process. Response time of an analytics request is an important factor for time to value/insights. While the compute and disk I/O requirements can be scaled with the number of servers, scaling the system leads to increased network traffic. Arguably, the communication-heavy phase of MR contributes significantly to the overall response time. This problem is further aggravated if communication patterns are heavily skewed, as is not uncommon in many MR workloads. MR applications normally run in large data centers (DCs) employing dense network topologies (e.g. multi-rooted trees) with multiple paths available between any pair of hosts. These DC network designs, combined with recent software-defined network (SDN) programmability, offer a new opportunity to dynamically and intelligently configure the network to achieve shorter application runtime. The initial intuition motivating our work is that the well-defined structure of MR and the rich traffic demand information available in Hadoop's log and meta-data files could be used to guide the network control. We therefore conjecture that an application-aware network control (i.e., one that knows the application-level semantics and traffic demands) can improve MR applications' performance when compared to state-of-the-art application-agnostic network control.
To confirm our thesis, we first studied MR systems in detail and identified typical communication patterns and common causes of network-related performance bottlenecks in MR applications. Then, we studied the state of the art in DC networks and evaluated its ability to handle MapReduce-like communication patterns. Our results confirmed the assumption that existing techniques are not able to deal with MR communication patterns mainly because of the lack of visibility of application-level information. Based on these findings, we proposed an architecture for an application-aware network control for DCs running MR applications. We implemented a prototype within an SDN controller and used it to successfully accelerate MR applications. Depending on the network oversubscription ratio, we demonstrated a 2% to 58% reduction in the job completion time for popular MR benchmarks, when compared to ECMP (the de facto flow allocation algorithm in multipath DC networks), thus confirming the thesis. Other contributions include a method to predict network demands in MR applications, algorithms to identify the critical communication path in MR shuffle and dynamically allocate paths to flows in a multipath network, and an emulation-based testbed for realistic MR workloads.
The MapReduce (MR) programming model, as implemented by Hadoop, has become the de facto standard for large-scale data analysis in data centers, and is also the basis for a wide variety of Big Data technologies in use today. In this context, Hadoop is a scalable framework that allows a large number of servers to be used to handle the growing data sets of the Big Data area. While processing capacity and I/O can be scaled by adding more servers, this generates heavy traffic on the network. In the case of MR, the phase that performs network communication represents a significant portion of the total execution time. This problem is aggravated further when communication patterns are unbalanced, which is not uncommon for many MR applications. MR normally runs in large data centers (DCs) of commodity hardware. The network of such DCs normally uses dense topologies that offer multiple alternative paths (multipath) between each pair of hosts. This type of topology, combined with the emerging technology of software-defined networking (SDN), makes it possible to create intelligent protocols to distribute traffic among the different available paths and reduce application execution time. Thus, this work proposes the creation of an application-aware network control (that is, one that knows the application-level semantics and traffic demands) to improve the performance of MR applications compared to traditional network control. To this end, MR was first studied in detail, and the typical communication patterns and frequent causes of network-related performance bottlenecks in this type of application were identified. Next, the state of the art in data center networks and its ability to handle the communication patterns found in MR applications were studied.
Based on the results obtained, an architecture for application-aware network control was proposed. A prototype was developed using an SDN controller, which was used successfully to accelerate MR applications. Experiments using popular benchmarks and different network characteristics demonstrated a 2% to 58% reduction in the total execution time of MR applications. Besides the performance gain in MR applications, other contributions of this work include a method for predicting traffic demands of MR applications, heuristics for network optimisation and an emulation-based test environment for data center networks.
45

Forgione, Alessandro. "Openflow e software-defined networking: l'evoluzione della rete programmabile." Bachelor's thesis, Alma Mater Studiorum - Università di Bologna, 2014. http://amslaurea.unibo.it/7919/.

Abstract:
The “Software-Defined Networking” (SDN) paradigm has recently attracted interest thanks to the development and implementation of a technological standard such as OpenFlow. The SDN model proposes a programmable network through the separation of the control unit from the forwarding unit, so that network nodes (e.g. routers or switches) become exclusively hardware that forwards data packets according to the rules dictated by the controller. OpenFlow is the dominant standard in SDN technology, enabling communication between the controller unit and the hardware of one or more network nodes. The use of OpenFlow allows greater dynamism and ease of network customization through a user interface, including various functions such as the modification and automation of forwarding rules, the creation of a virtual network with logical nodes, or the ability to monitor traffic, thereby increasing the security of one's network.
46

Hiryanto, Lely. "Multi-Stage Network Upgrade for Green Software Defined Networking." Thesis, Curtin University, 2022. http://hdl.handle.net/20.500.11937/88898.

Abstract:
This thesis addresses three versions of a novel problem, called Green Multi-Stage Upgrade (GMSU), to upgrade legacy networks to Software Defined Networks (SDNs). The three versions, namely GMSU-1, GMSU-2, and GMSU-3, consider legacy networks that support IEEE 802.1AX, where each link contains multiple cables. Each version aims to replace a set of legacy-switches with SDN-switches over multiple stages. The aim is to maximally turn off unused cables adjacent to SDN-switches to save energy.
47

Dolci, Alessandro. "Traffic Management in Reti Spontanee basato su Software-Defined Networking." Master's thesis, Alma Mater Studiorum - Università di Bologna, 2018. http://amslaurea.unibo.it/15240/.

Abstract:
The growing spread of mobile devices equipped with heterogeneous network interfaces has generated considerable interest in the field of Mobile Ad-hoc Networks. However, one aspect that has so far been underestimated in the design of such networks is that of the Quality of Service guarantees provided for ongoing communications. This work presents a solution for managing the quality-of-service level of the active interactions within spontaneous networks, based on the Software-Defined Networking architectural paradigm. The solution involved the design and implementation of an extension of the RAMP middleware, previously developed at the University of Bologna, in order to introduce a centralized mode of network management. It organizes the traffic of different applications into dedicated flows and provides a controller capable of communicating with all active nodes, so as to maintain an overall view of the topology and the state of the network and to enforce its own decisions.
48

Anderson, DeJuan M. "An investigation into the use of software-defined networking controllers." Thesis, Massachusetts Institute of Technology, 2017. http://hdl.handle.net/1721.1/112893.

Abstract:
Thesis: M. Eng., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2017.
Cataloged from PDF version of thesis.
Includes bibliographical references (pages 93-96).
Software Defined Networking (SDN) is rapidly gaining acceptance and use in terrestrial networks, but little research has been done to apply it to aerial networks. This paper details an investigation of seven open-source controllers using a specific set of criteria based on the characteristics of both aerial and terrestrial networks. It was determined that Open Network Operating System (ONOS) and OpenDaylight (ODL) are the two best foundations for large or complex use cases. It was further discovered that ODL with default parameters can generate extreme amounts of traffic during controller failure and recovery and reacts more slowly than ONOS under the same conditions. This paper also documents a new algorithm created by the author for use in aerial networks that takes advantage of their small size to leverage a highly parallelizable problem representation and solution. This algorithm solves the problem of deciding which directional antennas to align to form connections and efficiently processes frequent updates while generating an exact solution for the optimal path.
by DeJuan M. Anderson.
M. Eng.
49

Tammana, Praveen Aravind Babu. "Software-defined datacenter network debugging." Thesis, University of Edinburgh, 2018. http://hdl.handle.net/1842/31326.

Abstract:
Software-defined Networking (SDN) enables flexible network management, but as networks evolve to a large number of end-points with diverse network policies, higher speed, and higher utilization, the abstraction of networks by SDN makes monitoring and debugging network problems increasingly hard and challenging. While some problems impact packet processing in the data plane (e.g., congestion), some cause policy deployment failures (e.g., hardware bugs); both create inconsistency between operator intent and actual network behavior. Existing debugging tools are not sufficient to accurately detect, localize, and understand the root cause of problems observed in large-scale networks; either they lack in-network resources (compute, memory, and/or network bandwidth) or they take a long time to debug network problems. This thesis presents three debugging tools: PathDump, SwitchPointer, and Scout, and a technique for tracing packet trajectories called CherryPick. We call for a different approach to network monitoring and debugging: in contrast to implementing debugging functionality entirely in-network, we should carefully partition the debugging tasks between end-hosts and network elements. Towards this direction, we present CherryPick, PathDump, and SwitchPointer. The core of CherryPick is to cherry-pick the links that are key to representing an end-to-end path of a packet, and to embed the picked link IDs into its header on its way to the destination. PathDump is an end-host based network debugger based on tracing packet trajectories, and exploits resources at the end-hosts to implement various monitoring and debugging functionalities. PathDump currently runs over a real network comprising only commodity hardware, and yet can surprisingly support a large class of network debugging problems with minimal in-network functionality.
The key contribution of SwitchPointer is to efficiently provide network visibility to end-host based network debuggers like PathDump by using switch memory as a "directory service": each switch, rather than storing the telemetry data necessary for debugging functionalities, stores pointers to the end hosts where the relevant telemetry data is stored. The key design choice of treating memory as a directory service allows us to solve performance problems that were hard or infeasible with existing designs. Finally, we present and solve a network policy fault localization problem that arises in operating policy management frameworks for a production network. We develop Scout, a fully-automated system that localizes faults in a large-scale policy deployment and further pinpoints the physical-level failures that are the most likely cause of the observed faults.
50

Padalino, Montenero Dmitrij David. "Multi-layer Routing in Reti Spontanee basato su Software Defined Networking." Master's thesis, Alma Mater Studiorum - Università di Bologna, 2019. http://amslaurea.unibo.it/18292/.

Abstract:
In an environment such as that of MANETs, where no infrastructure supporting communication is provided, the devices themselves, through distributed protocols based on the exchange of local information, must be able to coordinate in order to communicate with one another. The use of such protocols can become a limitation when one wants to adopt more sophisticated routing techniques, meet Quality of Service requirements, or introduce Traffic Engineering policies. To that end, it may be useful to take inspiration from what has been done in the development of other technologies in order to introduce a new management paradigm for spontaneous networks. One possible solution is to apply the principles underlying Software-Defined Networking (SDN), widely used in data center management, which, thanks to the presence of a centralized intelligence, can considerably extend the capabilities that a spontaneous network is able to support. The aim of this work is to employ the SDN paradigm in the context of spontaneous networks to implement a low-level functionality that enables the routing of messages exchanged between mobile devices through Policy-based Routing, and a high-level one that allows the dynamic insertion, activation and application of Routing and Traffic Engineering rules for advanced real-time manipulation of packets in transit during communication.