SoS Software-Defined Networking Presentations

 

 
SoS Logo

SoS Software-Defined Networking Presentations

 

The following presentations were made on June 16-17, 2016 at the Science of Security Software-Defined Networking (SoSSDN) Workshop at Illinois Institute of Technology, Chicago, Illinois. The University of Illinois at Urbana-Champaign Science of Security Lablet was the sponsor. The presenters and attendees were from academe, industry, and government.



“Keynote: Research Challenges in SDN,” Anita Nikolich, Program Director for Cybersecurity, Division of Advanced Cyberinfrastructure, National Science Foundation
Abstract: The National Science Foundation has made investments in Software Defined Networking (SDN) and Network Function Virtualization (NFV) for many years, in both the research and infrastructure areas. SDN and NFV enable systems to become more open to transformative research, with implications for revolutionary new applications and services. Additionally, the emerging concept of Software-Defined Exchanges will enable large-scale interconnection of Software-Defined infrastructures, owned and operated by many different organizations, to provide logically isolated “on demand” global scale infrastructure on an end-to-end basis, with enhanced flexibility and security for new applications.This talk will examine past NSF investments and successes in SDN/NFV, identify new research opportunities available to the community and present challenges that need to be overcome to make SDN/NFV a reality in operational cyberinfrastructure.

 

“Keynote: Developing and Maintaining Trust Among SDN Entities,” Frank Acker, Computer Security Researcher, Trusted Systems Research Group, Department of Defense
Abstract: A Trusted Platform Module (TPM) is a microchip installed on the motherboard to provide security related functions at the hardware level. One use of the TPM is to support Measurement and Attestation (M&A), which can provide a level of assurance that operating systems and application are loaded and operating as expected. Adapting this concept to Software Defined Networking (SDN) introduces additional complexities. Since the SDN architecture consists of multiple network planes and devices, developing a Root of Trust (RoT) in an environment with multiple TPM’s, and maintaining it, presents many hard research problems such as the interaction among the different SDN components. This talk discusses the CAVES M&A protocol and its implementation, use of TPM’s, and RoT development. Since many devices within the SDN functional planes exchange messages via different protocols, a formal analysis of the protocol design provides assurance of correct protocol interactions, thereby reducing attack surfaces. Conducting M&A of the software and systems may detect potential corruption of switches and other SDN entities during its instantiation and operation.

 

“SDNs, Clouds and Security SDNs, Clouds and Security,” Roy Campbell, Associate Dean for Information Technology and Sohaib and Sara Abbasi Professor of Computer Science, University of Illinois at Urbana-Champaign
Abstract: Cloud Computing has quickly been adopted for a wide range of computing throughout industry, government, military, and education. Software Defined Networks (SDN), with centrally managed controllers, can provide a powerful approach to organizing communications with and within a Cloud and could, perhaps, reduce the available opportunities for attacks on Cloud-based Cyberinfrastructures. However, recent events have shown how Cloud Computing is not a panacea to solving difficult security problems and has led to the creation of organizations that are dedicated to improve Cloud Security, for example the Cloud Security Alliance. Similarly, as SDN has become a more deployed technology, several security vulnerabilities have been identified for SDN that could impact their use in Cloud Computing scenarios. This talk focuses on the weaknesses and strengths of SDN networking as a solution to improving security of Cloud Computing implementations.

 

“Towards Network Aware VM Migration – Evaluating the Cost of VM Migration in SDN-based Cloud Computing Network,” Sachin Shetty, Associate Professor, Electrical and Computer Engineering, Tennessee State University
Abstract: Host virtualization allows data centers to live migrate an entire Virtual Machine (VM) to support data center maintenance and workload balancing. Live VM Migration can consume nearly the entire bandwidth which impacts the performance of competing flows in the network. The knowledge of the cost of VM Migration allows cloud data center administrators to intelligently reserve minimum bandwidth required to ensure network-aware VM migration. In this talk, we empirically evaluate the cost of migrating VM in a SDN based cloud computing networking testbed characterized by wide-area network dynamics and realistic traffic scenarios. We deploy end to end QoS policies and cost estimation model in an Openflow controller to reserve minimum bandwidths and measure traffic for successful VM Migration. Preliminary results based on experimental evaluation in the GENI testbed demonstrate that bandwidth reservation relieves the network of possible overloads during migration.  We present realistic scenarios that impact the accuracy of the cost estimation model. We conclude that link bandwidth, page dirty rate and user specified progress amount are the critical parameters in determining cost of VM migration.

 

“Dynamic Graph Query Primitives for SDN-based Cloud Network Management, Ramya Raghavendra, Research Scientist and Master Inventor, IBM TJ Watson Research Center
Abstract: The need to provide customers with the ability to configure the network in current cloud computing environments has motivated the Networking-as-a-Service (NaaS) systems designed for the cloud. Such systems can provide cloud customers access to virtual network functions, such as network-aware VM placement, real time network monitoring, diagnostics and management, all while supporting multiple device management protocols. These network management functionalities depend on a set of underlying graph primitives. In the first part of the talk, I will present the design and implementation of the software architecture including a shared graph library that can support network management operations. Using the illustrative case of all pair shortest path algorithm, we demonstrate how scalable lightweight dynamic graph query mechanisms can be implemented to enable practical computation times, in presence of network dynamism.  In the second part of the talk, I will present a brief overview of the future directions for SDN research that combines the concepts of Software Defined Networks, Software Defined Storage and Software Defined Compute in order to develop an innovative approach for a Software Defined Coalition Network.

 

“BigData Express – Toward Schedulable, Predictable, and High-performance Data Transfer,” Wenji Wu, Principal Network Research Investigator, Core Computing Division, Fermilab
Abstract: Big data has emerged as a driving force for scientific discoveries. Large scientific instruments (e.g., colliders, light sources, and telescopes) generate exponentially increasing volumes of data. To enable scientific discovery, science data must be collected, indexed, archived, shared, and analyzed, typically in a widely distributed, highly collaborative manner. Data transfer is now an essential function for science discoveries, particularly within big data environments. 
In DOE research communities, the emergence of distributed, extreme-scale science applications is generating significant challenges regarding data transfer. We believe that the data transfer challenges of the extreme-scale era are characterized by two relevant dimensions: (1) High-performance challenges. The DOE is working toward deploying terabit networks in support of extreme-scale science applications. Ideally, high-performance data transfer will reach terabit/s throughput to make full use of the underlying networks. And (2) Time-constraint challenges. Scientific applications typically have explicit or implicit time constraints on data transfer. Providing real-time and deadline-bound data transfer is a challenging task in the extreme-scale era. To meet these challenges, DOE’s Advanced Scientific Computing Research (ASCR) office has funded Fermilab and Oak Ridge National Laboratory to collaboratively work on the BigData Express project (http://bigdataexpress.fnal.gov). BigData Express seeks to provide a schedulable, predictable, and high-performance data transfer service for DOE’s large-scale science computing facilities (LCF, NERSC, and US-LHC computing facilities, among others) and their collaborators. In this talk, I will first discuss the data transfer challenges of extreme-scale science applications. The problems why the currently available data transfer tools and services will not be able to successfully address the high-performance and time-constraint challenges of data transfer to support extreme-scale science applications will be outlined and examined. I will then discuss the BigData Express design and architecture. A key feature of BigData Express will be to use software-defined networking (SDN) and software-defined storage (SDS) to develop a data-transfer-centric architecture to seamlessly integrate and effectively coordinate the various resources in an end-to-end loop. In this architecture, network and storage resources become directly schedulable resources applications. Network congestion and storage I/O contentions can be effectively reduced or eliminated.

 

“SDNShield: Reconciliating Configurable Application Permissions for SDN App Markets,” Yan Chen, Professor, Electrical Engineering and Computer Science, Northwestern University
Abstract: The OpenFlow paradigm embraces third-party development efforts, and therefore suffers from potential attacks that usurp the excessive privileges of control plane applications (apps). Such privilege abuse could lead to various attacks impacting the entire administrative domain. In this paper, we present SDNShield, a permission control system that helps network administrators to express and enforce only the minimum required privileges to individual controller apps. SDNShield achieves this goal through (i) fine-grained SDN permission abstractions that allow accurate representation of app behavior boundary, (ii) automatic security policy reconciliation that incorporates security policies specified by administrators into the requested app permissions, and (iii) a lightweight thread-based controller architecture for controller/app isolation and reliable permission enforcement. Through prototype implementation, we verify its effectiveness against proof-of-concept attacks. Performance evaluation shows that SDNShield introduces negligible runtime overhead.

 

“Dynamic Control of Real-time Communication (RTC) using SDN: A Case Study of a 5G End-to-end Service,” Vijay Gurbani, Distinguished Member of Technical Staff, Bell Laboratories
Abstract: The next-generation 5G mobile network architecture will support the rapid deployment of new, dynamic network services that are capable of responding to current network conditions and demands. Software-defined Networking (SDN), virtualization technologies, and real-time analytics are the core components that will enable an adaptive and responsive 5G network. We present a case study of a real-time communications (RTC) video service that highlights the manner in which the core components (SDN, virtualization, analytics) allow a flexible and elastic 5G network. Because an end-to-end 5G network does not exist today, we construct one using artifacts from the current 4G/LTE network to host our dynamic network enabled RTC service. We identify three main insights from executing our service that could prove beneficial to the 5G network evolution: need for efficient horizontal control, need to limit identifier proliferation, and the existence of control-plane network functions in service network-function graphs.

 

“Toward a Robust and Secure SDN Control Layer,” Vinod Yegneswaran, Senior Computer Scientist, Computer Science Laboratory, SRI International
Abstract: Software-defined networks (SDNs) are gaining increased attention from those seeking solutions to the growing challenges in large-scale network traffic management. We will briefly touch on various efforts at SRI to secure the SDN controller, starting with NOX and Floodlight and more recently ONOS (Open Network Operating System). Given its flexible design, growing list of supported features, and collaborative community support, ONOS is an attractive hosting platform for a wide range of third-party distributed network management applications. We will discuss the underlying motivations for security extensions in ONOS and their implications for improving our understanding of how to securely management large-scale SDN-enabled networks. We present the design, implementation and performance analysis of {\em Security-mode ONOS}, an integrated security subsystem that was introduced within the Cardinal release of ONOS in April 2015.

 

“RAINCOAT: Randomization of Network Connectivity in Industrial COnTrol Systems to Mitigate Cyber-Attacks,” Hui Lin, Research Assistant, Electrical and Computer Engineering; Zbigniew Kalbarczyk, Research Professor, Coordinated Science Laboratory; Ravishankar K. Iyer, George and Ann Fisher Distinguished Professor of Engineering, Electrical and Computer Engineering, University of Illinois at Urbana-Champaign
Abstract: In this talk, we introduce Raincoat, a technique which employs Software-defined Networking (SDN) to randomize network connectivity of devices in ICS with the objective to mitigate cyber-attacks. An external adversary who has no knowledge on the actual network connectivity fails to learn the complete set of physical measurements and hence, can be misled when designing attack strategies. To further disrupt intelligence related to physical operations in the power grid, we spoof network responses which contain crafted payloads to obfuscate the actual system state and configuration. To decide decoy measurements, we design a HoneyGrid, a simulated power grid environment that uses the physical models of the real power grid to generate the spoofed measurements. We evaluate the proposed approach via simulation of example power grid configurations.

 

“Database-defined Network,” Anduo Wang, Assistant Professor, Computer and Information Science, Temple University
Abstract: In this talk, we champion a perspective that SDN control fundamentally revolves around data management, and explore the question: can software-defined networking benefit from database management? We argue that database system can step up to assistant with three key SDN issues: abstractions, reasoning, and security. For network abstractions, we discard any application-specific structure that might be outgrown by new demands. Instead, we adopt a plain relational representation of the entire network — network topology, forwarding, and control applications, using SQL as a universal data language that allows applications to create arbitrary high-level abstractions on the fly. Under this abstraction, SDN behaviors are normalized to database updates on a variety of network tables and application views. One benefit of this normalized representation is that it enables static analysis of network behavior by irrelevance reasoning of database updates. Intuitively, an application is independent of another, if the former updates are irrelevant to the triggering conditions monitored by the later. By automating irrelevance reasoning through SMT solving, we can build a rich set of tools towards high-level SDN management such as control plane orchestration. Finally, we discuss how SDN security can benefit from database access control and privacy support.


(ID#: 16-11362)