Biblio

The router's buffer size imposes significant impli-cations on the performance of the network. Network operators nowadays configure the router's buffer size manually and stati-cally. They typically configure large buffers that fill up and never go empty, increasing the Round-trip Time (RTT) of packets significantly and decreasing the application performance. Few works in the literature dynamically adjust the buffer size, but are implemented only in simulators, and therefore cannot be tested and deployed in production networks with real traffic. Previous work suggested setting the buffer size to the Bandwidth-delay Product (BDP) divided by the square root of the number of long flows. Such formula is adequate when the RTT and the number of long flows are known in advance. This paper proposes a system that leverages programmable switches as passive instruments to measure the RTT and count the number of flows traversing a legacy router. Based on the measurements, the programmable switch dynamically adjusts the buffer size of the legacy router in order to mitigate the unnecessary large queuing delays. Results show that when the buffer is adjusted dynamically, the RTT, the loss rate, and the fairness among long flows are enhanced. Additionally, the Flow Completion Time (FCT) of short flows sharing the queue is greatly improved. The system can be adopted in campus, enterprise, and service provider networks, without the need to replace legacy routers.

Packet classification is a key function in network security systems in SDN, which detect potential threats by matching the packet header bits and a given rule set. It needs to support multi-dimensional fields, large rule sets, and high throughput. Bit Vector-based packet classification methods can support multi-field matching and achieve a very high throughput, However, the range matching is still challenging. To address issue, this paper proposes a Range Supported Bit Vector (RSBV) algorithm for processing the range fields. RSBV uses specially designed codes to store the pre-computed results in memory, and the result of range matching is derived through pipelined Boolean operations. Through a two-dimensional modular architecture, the RSBV can operate at a high clock frequency and line-rate processing can be guaranteed. Experimental results show that for a 1K and 512-bit OpenFlow rule set, the RSBV can sustain a throughput of 520 Million Packets Per Second.

The application of the concept of software-defined networks (SDN) has, on the one hand, led to the simplification and reduction of switches price, and on the other hand, has created a significant number of problems related to the security of the SDN network. In several studies was noted that these problems are related to the lack of flexibility and programmability of the data plane, which is likely first to suffer potential denial-of-service (DoS) attacks. One possible way to overcome this problem is to increase the flexibility of the data plane by increasing the depth of programmability of the packet-switching nodes below the level of flow table management. Therefore, this paper investigates the opportunity of using the architecture of deeply programmable packet-switching nodes (DPPSN) in the implementation of a firewall. Then, an architectural model of the firewall based on a hybrid FPGA/CPU data plane architecture has been proposed and implemented. Realized firewall supports three models of DoS attacks mitigation: DoS traffic filtering on the output interface, DoS traffic filtering on the input interface, and DoS attack redirection to the honeypot. Experimental evaluation of the implemented firewall has shown that DoS traffic filtering at the input interface is the best strategy for DoS attack mitigation, which justified the application of the concept of deep network programmability.

Since the performance of bus interconnects does not scale with the number of processors connected to the bus, chip multiprocessors make use of on-chip networks that implement packet switching and virtual channel flow control to efficiently transport data. In this paper, we consider the test and fault-tolerance aspects of such a network-on-chip (NoC). Past work in this area has addressed the communication efficiency and deadlock-free properties in NoC, but when routing externally received data, aspects of security must be addressed. A malicious denial-of-service attack or a power virus can be launched by a malicious external agent. We propose a two-tier solution to this problem, where a local self-test manager in each processing element runs test algorithms to detect faults in local processing element and its associated physical and virtual channels. At the global level, the health of the NoC is tested using a sorting-based algorithm proposed in this paper. Similarly, we propose to handle fault-tolerance and security concerns in routing at two levels. At the local level, each node is capable of fault-tolerant routing by deflecting packets to an alternate path; when doing so, since a chance of deadlock may be created, the local router must be capable of guestimating a deadlock situation, switch to packet-switching instead of flit-switching and attempt to reroute the packet. At the global level, a routing agent plays the role of gathering fault data and provide the fault-information to nodes that seek this information periodically. Similarly, the agent is capable of detecting malformed packets coming from an external source and prevent injecting such packets into the network, thereby conserving the network bandwidth. The agent also attempts to guess attempts at denial-of-service attacks and power viruses and will reject packets. Use of a two-tier approach helps in keeping the IP modular and reduces their complexity, thereby making them easier to verify.

Continuous development of Network-on-Chip (NoC) enables different types of applications to run efficiently in a Multiprocessor System-on-Chip (MP-SoC). Guaranteed service (GS) can be provided by circuit switching NoC and Best effort service (BES) can be provided by packet switching NoC. A hybrid NoC containing both packet and circuit switching, can provide both types of services to these different applications. But these different applications can be of different security levels and one application can interfere another application's timing characteristics during network transmission. Using this interference, a malicious application can extract secret information from higher security level flows (timing side channel) or two applications can communicate covertly violating the system's security policy (covert timing channel). We propose different mechanisms to protect hybrid routers from timing channel attacks. For design space exploration, we propose three timing channel secure hybrid routers viz. Separate Hybrid (SH), Combined with Separate interface Hybrid (CSH), and Combined Hybrid (CH) routers. Simulation results show that all three routers are secure from timing channel when compared to a conventional hybrid router. Synthesis results show that the area increments compared to a conventional hybrid router are only 7.63, 11.8, and 19.69 percent for SH, CSH, and CH routers respectively. Thus simulation and synthesis results prove the effectiveness of our proposed mechanisms with acceptable area overheads.

Ideally, minimizing the flow completion time (FCT) requires millions of priorities supported by the underlying network so that each flow has its unique priority. However, in production datacenters, the available switch priority queues for flow scheduling are very limited (merely 2 or 3). This practical constraint seriously degrades the performance of previous approaches. In this paper, we introduce Explicit Priority Notification (EPN), a novel scheduling mechanism which emulates fine-grained priorities (i.e., desired priorities or DP) using only two switch priority queues. EPN can support various flow scheduling disciplines with or without flow size information. We have implemented EPN on commodity switches and evaluated its performance with both testbed experiments and extensive simulations. Our results show that, with flow size information, EPN achieves comparable FCT as pFabric that requires clean-slate switch hardware. And EPN also outperforms TCP by up to 60.5% if it bins the traffic into two priority queues according to flow size. In information-agnostic setting, EPN outperforms PIAS with two priority queues by up to 37.7%. To the best of our knowledge, EPN is the first system that provides millions of priorities for flow scheduling with commodity switches.