Your search keyword '"northbound interface"' showing total 99 results

1. Exploring the Security of Software Defined Network Controllers

Author

Kaur, Prabhjot, Patel, Shiv, Mittal, Sanjana, Sharma, Surbhi, Butakov, Sergey, Filipe, Joaquim, Editorial Board Member, Ghosh, Ashish, Editorial Board Member, Prates, Raquel Oliveira, Editorial Board Member, Zhou, Lizhu, Editorial Board Member, Misra, Sanjay, editor, Oluranti, Jonathan, editor, Damaševičius, Robertas, editor, and Maskeliunas, Rytis, editor

Published

2022

2. Defense mechanism of SDN application layer against DDoS attack based on API call management

Author

Yang WANG, Guangming TANG and Shuo WANG, Jiang CHU

Subjects

ddos, network security, sdn, northbound interface, Electronic computers. Computer science, QA75.5-76.95

Abstract

Due to thelack of strict access control, identity authentication and abnormal call detection, attackers may develop malicious applications easily and then it leads to theabuse of the northbound interface API (application programming interface) accordingly.There are mainly two patterns of DDoS (distributed denial-of-service) attacks against application layer.1) malicious App bypass the security review of the northbound interface and make a large number of calls to some API in a short time, thus causing the controller to crash and paralyzing the whole network; 2) attackers take a legitimate SDN (software defined network) application as the target and make a large number of short-time calls to the specific API needed by the application, which makes the legitimate App unable to call the API normally.Compared with the first pattern, the second one is more subtle.Therefore, it’s necessary to distinguish whether the App is malicious or not, effectively clean the App running on the attacked controller, and redistribute the controller to the legitimate App.Based on the in-depth analysis of the development trend of the current northbound interface, the possible DDoS attack patterns were simulated and practiced.Then a DDoS defense mechanism for SDN application layer was proposed.This mechanism added an App management layer between SDN application layer and control layer.Through reputation management, initial review, mapping allocation, anomaly detection and identification migration of the App, the malicious App attack on SDN can be predicted and resisted.The proposal focused on pre-examination of malicious App before attacks occur, so as to avoid attacks.If the attack has already happened, the operation of cleaning and separating the legitimate App from the malicious App is triggered.Theoretical and experimental results show that the proposed mechanism can effectively avoid DDoS attacks in SDN application layer, and the algorithm runs efficiently.

Published

2022

3. Application Threats to Exploit Northbound Interface Vulnerabilities in Software Defined Networks.

Author

RAUF, BILAL, ABBAS, HAIDER, USMAN, MUHAMMAD, ZIA, TANVEER A., IQBAL, WASEEM, ABBAS, YAWAR, and AFZAL, HAMMAD

Subjects

*SOFTWARE-defined networking, *TRUST

Abstract

Software Defined Networking (SDN) is an evolving technology that decouples the control functionality from the underlying hardware managed by the control plane. The application plane supports programmers to develop numerous applications (such as networking, management, security, etc.) that can even be executed from remote locations. Northbound interface (NBI) bridges the control and application planes to execute the thirdparty applications business logic. Due to the software bugs in applications and existing vulnerabilities such as illegal function calling, resource exhaustion, lack of trust, and so on, NBIs are susceptible to different attacks. Based on the extensive literature review, we have identified that the researchers and academia have mainly focused on the security of the control plane, data plane, and southbound interface (SBI). NBI, in comparison, has received far less attention. In this article, the security of the least explored, but a critical component of the SDN architecture, i.e., NBI, is analyzed. The article provides a brief overview of SDN, followed by a detailed discussion on the categories of NBI, vulnerabilities of NBI, and threats posed by malicious applications to NBI. Efforts of the researchers to counter malicious applications and NBI issues are then discussed in detail. The standardization efforts for the single acceptable NBI and security requirements of SDN by Open Networking Foundation (ONF) are also presented. The article concludes with the future research directions for the security of a single acceptable NBI. [ABSTRACT FROM AUTHOR]

Published

2022

4. 基于 API 调用管理的 SDN 应用层 DDoS 攻击防御机制.

Author

王洋, 汤光明, 王硕, and 楚江

Abstract

Copyright of Chinese Journal of Network & Information Security is the property of Beijing Xintong Media Co., Ltd. and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)

Published

2022

5. Toward a Trust-Based Authentication Framework of Northbound Interface in Software Defined Networking

Author

Duy, Phan The, Hien, Do Thi Thu, Van Vuong, Nguyen, Au, Nguyen Ngoc Hai, Pham, Van-Hau, Akan, Ozgur, Editorial Board Member, Bellavista, Paolo, Editorial Board Member, Cao, Jiannong, Editorial Board Member, Coulson, Geoffrey, Editorial Board Member, Dressler, Falko, Editorial Board Member, Ferrari, Domenico, Editorial Board Member, Gerla, Mario, Editorial Board Member, Kobayashi, Hisashi, Editorial Board Member, Palazzo, Sergio, Editorial Board Member, Sahni, Sartaj, Editorial Board Member, Shen, Xuemin (Sherman), Editorial Board Member, Stan, Mircea, Editorial Board Member, Xiaohua, Jia, Editorial Board Member, Zomaya, Albert Y., Editorial Board Member, Duong, Trung Quang, editor, Vo, Nguyen-Son, editor, Nguyen, Loi K., editor, Vien, Quoc-Tuan, editor, and Nguyen, Van-Dinh, editor

Published

2019

6. Software-Defined Networks and Methods to Mitigate Attacks on the Network

Author

Kumar, Shubham, Kumar, Sumit, Sarimela, Valluri, Kacprzyk, Janusz, Series Editor, Pal, Nikhil R., Advisory Editor, Bello Perez, Rafael, Advisory Editor, Corchado, Emilio S., Advisory Editor, Hagras, Hani, Advisory Editor, Kóczy, László T., Advisory Editor, Kreinovich, Vladik, Advisory Editor, Lin, Chin-Teng, Advisory Editor, Lu, Jie, Advisory Editor, Melin, Patricia, Advisory Editor, Nedjah, Nadia, Advisory Editor, Nguyen, Ngoc Thanh, Advisory Editor, Wang, Jun, Advisory Editor, Pati, Bibudhendu, editor, Panigrahi, Chhabi Rani, editor, Misra, Sudip, editor, Pujari, Arun K., editor, and Bakshi, Sambit, editor

Published

2019

7. An Enhanced Message Distribution Mechanism for Northbound Interfaces in the SDN Environment.

Author

Wang, Chenhui, Ni, Hong, Liu, Lei, and Raffaelli, Carla

Subjects

TELECOMMUNICATION systems, SOFTWARE-defined networking, DEGREES of freedom, TCP/IP, BANDWIDTHS

Abstract

Software-Defined Network (SDN), which is recommended as a new generation of the network, a substitute for TCP/IP network, has the characteristics of separation of data plane and control plane. Although the separation of the control plane brings a high degree of freedom and simple operation and maintenance, it also increases the cost of north–south communication. There are many additional modules for SDN to modify and enhance the basic functions of SDN. This paper proposes a message queue-based northbound communication mechanism, which pre-categorizes messages from the data plane and accurately pushes them to the apps potentially interested. This mechanism improves the efficiency of northbound communication and apps' execution. Furthermore, it supports both OpenFlow and the protocol-independent southbound interface, and it has strong compatibility. Experiments have proved that this mechanism can reduce the control-response latency by up to 41% when compared with the normal controller northbound communication system, and it also improves the network situation of the data plane, such as real-time bandwidth. [ABSTRACT FROM AUTHOR]

Published

2021

8. Designing a RESTful Northbound Interface for Incompatible Software Defined Network Controllers

Author

Alghamdi, Abdullah, Paul, David, and Sadgrove, Edmund

Published

2022

9. An Enhanced Message Distribution Mechanism for Northbound Interfaces in the SDN Environment

Author

Chenhui Wang, Hong Ni, and Lei Liu

Subjects

SDN, northbound interface, message distribution mechanism, message queue, Technology, Engineering (General). Civil engineering (General), TA1-2040, Biology (General), QH301-705.5, Physics, QC1-999, Chemistry, QD1-999

Abstract

Software-Defined Network (SDN), which is recommended as a new generation of the network, a substitute for TCP/IP network, has the characteristics of separation of data plane and control plane. Although the separation of the control plane brings a high degree of freedom and simple operation and maintenance, it also increases the cost of north–south communication. There are many additional modules for SDN to modify and enhance the basic functions of SDN. This paper proposes a message queue-based northbound communication mechanism, which pre-categorizes messages from the data plane and accurately pushes them to the apps potentially interested. This mechanism improves the efficiency of northbound communication and apps’ execution. Furthermore, it supports both OpenFlow and the protocol-independent southbound interface, and it has strong compatibility. Experiments have proved that this mechanism can reduce the control-response latency by up to 41% when compared with the normal controller northbound communication system, and it also improves the network situation of the data plane, such as real-time bandwidth.

Published

2021

10. BENBI: Scalable and Dynamic Access Control on the Northbound Interface of SDN-Based VANET.

Author

Weng, Jia-Si, Weng, Jian, Zhang, Yue, Luo, Weiqi, and Lan, Weiming

Subjects

*VEHICULAR ad hoc networks, *SCALABILITY, *SOFTWARE-defined networking, *ACCESS control of computer networks, *DATA transmission systems

Abstract

Recently, emerging SDN-based VANET (i.e., vehicular ad hoc network based on software-defined networking) enables VANET management to be programmable and flexible. It introduces SDN controllers to maintain network-wide resources and SDN applications to program configurations through arbitrarily accessing resources via the northbound interface (NBI). However, this brings with it security issues on the NBI, such as network-wide resource exposure and configuration manipulation. Most of the existing works employed permission systems to restrict resource access; these solutions are generally controller-dependent, which means controller codes need to be modified for giving access permissions to external applications. In this paper, we propose a scalable and dynamic access control scheme on the NBI for SDN-based VANET, named BENBI. In the proposed scheme, we dynamically and flexibly control network resources by employing broadcast encryption, rather than altering source codes of the controller or updating permission lists with various degrees of granularity. Moreover, the resources are encrypted during transmission so that they are only available to authorized applications. Finally, we implement a prototype of BENBI. The experimental results demonstrate that the cost of allocating secret keys is independent of the number of SDN entities being appointed, which indicates the scalability of our scheme. [ABSTRACT FROM AUTHOR]

Published

2019

11. Controller-Related Security Risks and Vulnerabilities in Software-Defined Networking

Abstract

Software-Defined Networking (SDN) is a relatively new networking paradigm that proposes to separate the control and the data logic in networks. The control logic is centralized in a controller, which allows for a programmable network. SDN is promising but also intro- duces some critical security vulnerabilities to networks. This work proposes a survey of state-of-the-art research into attacks and state-of-the-art defences arising from controller place- ment, controller failure and the northbound interface. Furthermore, it proposes a comparison and analysis of the limitations of that research. Finally, it proposes future research directions to improve SDN security focused on network con- sistency and on the interoperability of different defences., CSE3000 Research Project, Computer Science and Engineering

Published

2022

12. Controller-Related Security Risks and Vulnerabilities in Software-Defined Networking

Abstract

Software-Defined Networking (SDN) is a relatively new networking paradigm that proposes to separate the control and the data logic in networks. The control logic is centralized in a controller, which allows for a programmable network. SDN is promising but also intro- duces some critical security vulnerabilities to networks. This work proposes a survey of state-of-the-art research into attacks and state-of-the-art defences arising from controller place- ment, controller failure and the northbound interface. Furthermore, it proposes a comparison and analysis of the limitations of that research. Finally, it proposes future research directions to improve SDN security focused on network con- sistency and on the interoperability of different defences., CSE3000 Research Project, Computer Science and Engineering

Published

2022

13. Application Threats to Exploit Northbound Interface Vulnerabilities in Software Defined Networks

Author

Bilal Rauf, Yawar Abbas, Hammad Afzal, Waseem Iqbal, Tanveer A. Zia, Muhammad Usman, and Haider Abbas

Subjects

General Computer Science, Northbound interface, Exploit, Computer science, Interface (computing), 020206 networking & telecommunications, 02 engineering and technology, Computer security, computer.software_genre, Theoretical Computer Science, Resource (project management), Software bug, 0202 electrical engineering, electronic engineering, information engineering, Forwarding plane, Business logic, 020201 artificial intelligence & image processing, Software-defined networking, computer

Abstract

Software Defined Networking (SDN) is an evolving technology that decouples the control functionality from the underlying hardware managed by the control plane. The application plane supports programmers to develop numerous applications (such as networking, management, security, etc.) that can even be executed from remote locations. Northbound interface (NBI) bridges the control and application planes to execute the third-party applications business logic. Due to the software bugs in applications and existing vulnerabilities such as illegal function calling, resource exhaustion, lack of trust, and so on, NBIs are susceptible to different attacks. Based on the extensive literature review, we have identified that the researchers and academia have mainly focused on the security of the control plane, data plane, and southbound interface (SBI). NBI, in comparison, has received far less attention. In this article, the security of the least explored, but a critical component of the SDN architecture, i.e., NBI, is analyzed. The article provides a brief overview of SDN, followed by a detailed discussion on the categories of NBI, vulnerabilities of NBI, and threats posed by malicious applications to NBI. Efforts of the researchers to counter malicious applications and NBI issues are then discussed in detail. The standardization efforts for the single acceptable NBI and security requirements of SDN by Open Networking Foundation (ONF) are also presented. The article concludes with the future research directions for the security of a single acceptable NBI.

Published

2021

14. Enhanced Quality of Service Measurement Mechanism of Container-based Cloud Network Architecture

Author

Jhih-Dao Jhan, Yung-Chang Lai, Yong-Ling Chen, and Fei-Hua Kuo

Subjects

Service-level agreement, Network architecture, Northbound interface, Computer science, business.industry, Quality of service, Container (abstract data type), Network service, Cloud computing, Service provider, business, Computer network

Abstract

As the growth of development on both network architecture and cloud computing, the existing quality of service (QoS) measurement mechanism in VNF design is not sufficient for the cloud network architecture, especially the development of container technology. It is important for service provider to provide to customers a service level agreement (SLA) on cloud network service by provision of Container-as-a-Service (CaaS) and container network function (CNF). In this paper, we propose an enhanced vQOS (EvQOS) measurement mechanism for container-based network architecture that retains the vQOS in VNF architecture [1] including the TWAMP light (TWL) protocol and the northbound interface design, and provides a containerization architecture and the friendliness of system management and monitoring.

Published

2021

15. SDN Intent-based conformance checking: application to security policies

Author

Jacques Robin, Nicolas Herbaut, Raúl Mazo, Camilo Correa, Centre de Recherche en Informatique de Paris 1 (CRI), and Université Paris 1 Panthéon-Sorbonne (UP1)

Subjects

Reflection (computer programming), Northbound interface, Computer science, Distributed computing, security, Security policy, Conformance checking, conformance checking, [INFO.INFO-NI]Computer Science [cs]/Networking and Internet Architecture [cs.NI], Intent-based networking, Scalability, Forwarding plane, Software-defined networking, Use case

Abstract

International audience; With the popularity of software defined networking architectures, the growing complexity of its use cases dictates the need for better auditability especially for security. In this paper, we aim at facilitating high-level management-plane policy configuration conformance auditing and their reflection in the data plane, to detect missing or spurious flow rules with respect to security policies. To this end, we propose an efficient conformance checking approach based on an intentional northbound interface as well as traces of management, control and data plane. Leveraging a proof-of-concept implementation of our approach, we compare its conformance-checking runtime and precision against a direct method on virtual topologies and find that it significantly improves scalability. We conclude by proposing directions for further enhancements extending the techniques presented herein.

Published

2021

16. Design and Implementation of Operation and Maintenance Support System of SDH Optical Fiber Transmission Network

Author

Na Liu, Pei Tong, Lei Liu, and Cong Wang

Subjects

Warning system, Performance management, Northbound interface, Computer science, business.industry, Troubleshooting, JavaScript, Variety (cybernetics), Visualization, Performance indicator, business, computer, Computer network, computer.programming_language

Abstract

SDH optical fiber transmission is widely used in various information transmission networks. It transmits a variety of information. According to the actual operation and maintenance requirements, the business management module of SDH optical fiber transmission network operation and maintenance support system is designed to realize the classified and targeted business management. The business records are information-based and scientific. Using the equipment performance data obtained from the northbound interface, the key performance indicators of the optical fiber transmission network can be extracted and displayed. It can give early warning of equipment failure and provide data support for network performance analysis and troubleshooting. Business management and device performance data are friendly displayed by the popular open source visualization tool based on JavaScript. The application of the system can improve the operation and maintenance efficiency of SDH optical fiber transmission network.

Published

2021

17. Research on filling algorithm of incomplete data in north interface of optical fiber network

Author

Ran Jinzhi, Yang Dewei, Lin Chushan, Zhao Weihu, Huang Bin, Zhou Xingfu, and Shen Kuo

Subjects

Network management, Northbound interface, business.industry, Computer science, Interface (Java), Decision tree learning, Random tree, business, Missing data, Algorithm, k-nearest neighbors algorithm, Random forest

Abstract

Northbound interface is the interface for manufacturers or operators to access and manage the network. Through it, the superior network management can obtain a large number of data such as configuration performance and operation and maintenance of optical network. For various reasons, there are usually missing values in real data sets. In order to improve the accuracy of filling missing values. In this paper, from the perspective of data mining, we use a variety of processing methods to fill the missing value of the north interface. In this paper, by analyzing the principle of KNN algorithm, decision tree algorithm, random forest algorithm and extreme random tree algorithm, the four algorithms are simulated in the missing value processing of northbound interface data respectively. The performance differences of various algorithms are compared and analyzed, and their advantages and disadvantages are compared. Finally, the most suitable algorithm for missing value processing of northbound interface data is found. Based on the simulation and experimental results, it is concluded that the extreme random tree algorithm has better filling effect in dealing with the missing values of the north interface.

Published

2021

18. Towards Adaptive QoS in SDN-enabled Heterogeneous Tactical Networks

Author

Peter Sevenich, Sharath Maligera Eswarappa, Johannes Loevenich, Roberto Rigolin F. Lopes, and Paulo H. L. Rettore

Subjects

Data flow diagram, Hybrid Scheduling, Adaptive quality of service multi-hop routing, Northbound interface, business.industry, Computer science, Network packet, Reliability (computer networking), Quality of service, Enhanced Data Rates for GSM Evolution, business, Computer network

Abstract

This paper introduces a mechanism to adaptively ensure Quality of Service (QoS) for user data flow by leveraging Software-Defined Networking (SDN) in heterogeneous tactical networks. We start with a hypothesis that an application using the northbound interface of the SDN controller can support the management of unreliable radio links at the edge of tactical networks. Thus, we developed applications to support adaptive shaping of user data flows over data rates supported by VHF and UHF radios, and to ensure the dropping of expired messages. We also introduce a hybrid scheduling mechanism for these user data flows using queuing discipline. The goal is to differentiate IP packets from command and control services with different QoS requirements. Our hypothesis was verified with experiments using four classes of messages with different QoS requirements, such as priority, reliability, and time of expire. Experimental results in an emulated network suggest that our solution can differentiate data flows in a heterogeneous tactical network while ensuring its QoS requirements.

Published

2021

19. Considerations on the Model Selection of SDOTN Controller Northbound Interface

Author

Guangquan Wang, Yanlei Zheng, and Liu Yacheng

Subjects

Rest (physics), Service (systems architecture), Northbound interface, Control theory, Interface (Java), Computer science, Model selection, Digital transformation, Control engineering, Communications system

Abstract

In the comprehensive digital transformation work, China Unicom takes the construction of SDOTN network as the top priority. This paper analyzes the reasons for the use of REST interface in SDOTN network. Based on the interface development experience, we make an in-depth interface model analysis of two mainstream northbound interface (NBI) of SDOTN controller, and give the basis and principles of model selection. Finally, the time to create the service is actually measured and the comparison data is given based on two different interface models.

Published

2021

20. BENBI: Scalable and Dynamic Access Control on the Northbound Interface of SDN-Based VANET

Author

Jiasi Weng, Weiming Lan, Weiqi Luo, Jian Weng, and Yue Zhang

Subjects

Vehicular ad hoc network, Northbound interface, Computer Networks and Communications, Computer science, business.industry, Aerospace Engineering, 020302 automobile design & engineering, Access control, 02 engineering and technology, Encryption, 0203 mechanical engineering, Automotive Engineering, Scalability, Electrical and Electronic Engineering, business, Broadcast encryption, Computer network

Abstract

Recently, emerging SDN-based VANET (i.e., vehicular ad hoc network based on software-defined networking) enables VANET management to be programmable and flexible. It introduces SDN controllers to maintain network-wide resources and SDN applications to program configurations through arbitrarily accessing resources via the northbound interface (NBI). However, this brings with it security issues on the NBI, such as network-wide resource exposure and configuration manipulation. Most of the existing works employed permission systems to restrict resource access; these solutions are generally controller-dependent, which means controller codes need to be modified for giving access permissions to external applications. In this paper, we propose a scalable and dynamic access control scheme on the NBI for SDN-based VANET, named BENBI. In the proposed scheme, we dynamically and flexibly control network resources by employing broadcast encryption, rather than altering source codes of the controller or updating permission lists with various degrees of granularity. Moreover, the resources are encrypted during transmission so that they are only available to authorized applications. Finally, we implement a prototype of BENBI. The experimental results demonstrate that the cost of allocating secret keys is independent of the number of SDN entities being appointed, which indicates the scalability of our scheme.

Published

2019

21. A RESTful Northbound Interface for Applications in Software Defined Networks

Author

Abdullah Alghamdi, David Paul, and Edmund J. Sadgrove

Subjects

Northbound interface, Computer science, Operating system, computer.software_genre, Software-defined networking, computer

Published

2021

22. P-SCOR: Integration of Constraint Programming Orchestration and Programmable Data Plane

Author

Franco Callegati, Marius Portmann, Marco Prandini, Siamak Layeghy, Andrea Melis, Davide Berardi, Melis A., Layeghy S., Berardi D., Portmann M., Prandini M., and Callegati F.

Subjects

Northbound interface, Computer Networks and Communications, Computer science, Programmable Data Plane, Security, Pfour, Context (language use), 02 engineering and technology, Constraint Programming, SDN, Real-time system, 0202 electrical engineering, electronic engineering, information engineering, Constraint programming, Forwarding plane, Constraint handling, Protocol, Process control, Orchestration (computing), Electrical and Electronic Engineering, business.industry, 020206 networking & telecommunications, Network management, Computer architecture, Programming, Software-defined networking, business, Switches

Abstract

In this manuscript we present an original implementation of network management functions in the context of Software Defined Networking. We demonstrate a full integration of an artificial intelligence driven management, an SDN control plane, and a programmable data plane. Constraint Programming is used to implement a management operating system that accepts high level specifications, via a northbound interface, in terms of operational objective and directives. These are translated in technology-specific constraints and directives for the SDN control plane, leveraging the programmable data plane, which is enriched with functionalities suited to feed data that enable the most effective operation of the “intelligent” control plane, by exploiting the P4 language.

Published

2021

23. An Adaptive Authenticated Model for Big Data Stream SAVI in SDN-Based Data Center Networks

Author

Junqing Yu, Dong Li, and Qizhao Zhou

Subjects

Data stream, Spoofing attack, Science (General), Northbound interface, Article Subject, Computer Networks and Communications, Computer science, Network packet, business.industry, Big data, Packet forwarding, Q1-390, T1-995, Network performance, Software-defined networking, business, Technology (General), Information Systems, Computer network

Abstract

With the rapid development of data-driven and bandwidth-intensive applications in the Software Defined Networking (SDN) northbound interface, big data stream is dynamically generated with high growth rates in SDN-based data center networks. However, a significant issue faced in big data stream communication is how to verify its authenticity in an untrusted environment. The big data stream traffic has the characteristics of security sensitivity, data size randomness, and latency sensitivity, putting high strain on the SDN-based communication system during larger spoofing events in it. In addition, the SDN controller may be overloaded under big data stream verification conditions on account of the fast increase of bandwidth-intensive applications and quick response requirements. To solve these problems, we propose a two-phase adaptive authenticated model (TAAM) by introducing source address validation implementation- (SAVI-) based IP source address verification. The model realizes real-time data stream address validation and dynamically reduces the redundant verification process. A traffic adaptive SAVI that utilizes a robust localization method followed by the Sequential Probability Ratio Test (SPRT) has been proposed to ensure differentiated executions of the big data stream packets forwarding and the spoofing packets discarding. The TAAM model could filter out the unmatched packets with better packet forwarding efficiency and fundamental security characteristics. The experimental results demonstrate that spoofing attacks under big data streams can be directly mitigated by it. Compared with the latest methods, TAAM can achieve desirable network performance in terms of transmission quality, security guarantee, and response time. It drops 97% of the spoofing attack packets while consuming only 9% of the controller CPU utilization on average.

Published

2021

24. An Improved Flow Rule Verification Against the Priority-passing attack in SDN

Author

Sipra Sahoo, Pravati Swain, and Romil Kumar

Subjects

Network architecture, Northbound interface, Binary search tree, Interface (Java), business.industry, Control theory, Computer science, Control system, Forwarding plane, Computer security model, business, Computer network

Abstract

Software-Defined Networking (SDN) is an emerging network architecture. Its property of network programmability makes the network technology more open and flexible. It is achievable by decoupling the data plane and control plane. The control plane has bridged the data plane and application plane by northbound interface and southbound interface, respectively. By using the interfaces of SDN controllers, different applications can enforce their own rules into the control. The controller applies the highest priority rules to the switches. The attacker can manipulate the SDN network by malicious rules with low priority. This paper discusses different scenarios of priority passing attack and proposes a security module. The proof of the proposed module explains that it nullifies the threat proposed by the attacker. Moreover, the Hashmap using Binary Search Tree (BST) is implemented in the security model to minimize the search time for matching flow rules. It is observed that the latency remains as low as 40ms even with 10 thousand rules.

Published

2020

25. Service Chain Orchestration Based on Deep Reinforcement Learning in Intent-Based IoT

Author

Zanhong Wu, Ying Zeng, and Zhan Shi

Subjects

Service (systems architecture), Network management, Cost efficiency, Northbound interface, Computer science, business.industry, Quality of service, Distributed computing, Reinforcement learning, Orchestration (computing), Reference architecture, business

Abstract

Intent-based network (IBN) is a novel approach to network management and automation designed to simplify a generic high-level policy called intent to a specific low-level network configuration. At present, plenty of researches have focused more on definition of intent-based northbound interface (NBI) but less on methods for intent-based service orchestration. In this paper, an IBN reference architecture is presented to manage IoT infrastructure and deliver end-to-end services across multi-domains. After that, this paper introduces a DDQN-based heuristic algorithm to solve the dynamic service chain orchestration problem. Simulation results clearly show that the proposed algorithm has better cost efficiency and convergence than those of compared algorithms, and can also guarantee the QoS requirements and make the traffic balanced.

Published

2020

26. Architecture of Segmentation Service of Software Defined Networks

Author

Dmitry Perepelkin, Ilya Tsyganov, and Maria Ivanchikova

Subjects

Service (systems architecture), Network architecture, Northbound interface, business.industry, Computer science, 020206 networking & telecommunications, 02 engineering and technology, Application layer, Networking hardware, Abstraction layer, Network management, Computer architecture, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, Software-defined networking

Abstract

Software defined networks (SDN) – is an innovative network architecture that provides centralized management of networks with a complex structure SDN consists of three layers: the infrastructure layer of network equipment, the network management layer (represented by SDN controllers) and the application layer. SDN controllers provide open programming interfaces that allow network applications to manage the network. Architecture and software implementation of the service for the development and implementation of SDN segmentation algorithms are proposed in paper. The aim of creating the presented service is to optimize the network resources usage through the use of an additional layer of abstraction – a layer of network segments.

Published

2020

27. Multi-Tenancy Cloud-Enabled Small Cell Security

Author

Babangida Albaba Abubakar and Haralambos Mouratidis

Subjects

Network architecture, Multitenancy, Northbound interface, business.industry, Computer science, Cloud computing, Computer security, computer.software_genre, Virtualization, Software-defined networking, business, Virtual network, computer, Requirements analysis

Abstract

The anticipated technological advancement of 5th Generation (5G) network is the ability to apply intelligence directly to network’s edge, in the form of virtual network appliances through the archetypes of Network Functions Virtualisation (NFV) and Edge Cloud Computing.The adoption and use of innovative technologies, such as Software Defined Networking (SDN) and NFV is the key to making 5G networks more promising. However, implementing these technologies yield to the imaging of new security challenges. A Cloud-Enabled Small Cell (CESC) provides multi-operator platform to integrates and execute at the virtualised environment. Providing services to multiple operators/tenants to access technologies and protocols in unified network architecture requires well-define security approach in order to deliver secured data communication, privacy and integrity. The CESC security requirement analysis was carried out using Secure Tropos (SecTro) methodology. The paper will thoroughly examine the CESC security challenges and provide possible solutions to mitigate those challenges.

Published

2019

28. Busoni: Policy Composition and Northbound Interface for IPv6 Segment Routing Networks

Author

Stefano Salsano, Xiaoming Fu, Pier Luigi Ventre, and Osamah L. Barakat

Subjects

Northbound interface, business.industry, Computer science, Network packet, 020206 networking & telecommunications, 02 engineering and technology, Source routing, IPv6, Chaining, 0202 electrical engineering, electronic engineering, information engineering, Routing (electronic design automation), Software-defined networking, business, Implementation, Computer network

Abstract

Segment Routing is a source routing based architecture that provides an opportunity to include a list of instructions called segments in the packet headers. The segments may allow the inclusion of detours for responding to Traffic Engineering needs or Service Function Chaining implementations. Even though there is an increasing interest towards enhancing and adopting Segment Routing, the administrators are still burdened with the task of manually write and maintain the segment lists. Such type of management presents several challenges ranging from error-prone configurations to increased response time for network updates. In this paper, we present a Segment Routing management framework named Busoni, which automates and simplifies the process of segments lists management. Additionally, we also provide programming tools to compose and manage Segment Routing policies that operate efficiently, even under multi-tenancy environments. Using different use cases, we show the programming capabilities offered by our framework.

Published

2019

29. The Research of Data Collection for Communication Equipment Based on Device Direct Connection and Northbound Interface

Subjects

Data collection, Northbound interface, business.industry, Computer science, business, Computer network, Connection (mathematics)

Published

2018

30. B-DAC: A decentralized access control framework on Northbound interface for securing SDN using blockchain.

Author

Duy, Phan The, Hoang, Hien Do, Hien, Do Thi Thu, Nguyen, Anh Gia-Tuan, and Pham, Van-Hau

Subjects

*SOFTWARE-defined networking, *COMPUTER network architectures, *OPENFLOW (Computer network protocol), *DATA integrity, *ACCESS control

Abstract

Software-Defined Network (SDN) is a new arising terminology of network architecture with outstanding features of orchestration by decoupling the control plane and the data plane in each network element. Even though it brings several benefits, SDN is vulnerable to a diversity of attacks. Abusing the single point of failure in the SDN controller component, hackers can shut down all network operations. More specifics, a malicious OpenFlow application can access to SDN controller to carry out harmful actions without any limitation owing to the lack of the access control mechanism as a standard in the Northbound. The sensitive information about the whole network such as network topology, flow information, and statistics can be gathered and leaked out. Even worse, the entire network can be taken over by the compromised controller. Hence, it is vital to build a scheme of access control for SDN's Northbound. Furthermore, it must also protect the data integrity and availability during data exchange between application and controller. To address such limitations, we introduce B-DAC, a blockchain-based framework for decentralized authentication and fine-grained access control for the Northbound interface to assist administrators in managing and protecting critical resources. With strict policy enforcement, B-DAC can perform decentralized access control for each request to keep network applications under surveillance for preventing over-privileged activities or security policy conflicts. To demonstrate the feasibility of our approach, we also implement a prototype of this framework to evaluate the security impact, effectiveness, and performance through typical use cases. [ABSTRACT FROM AUTHOR]

Published

2022

31. Attack Modeling and Risk Assessments in Software Defined networking (SDN)

Abstract

Software Defined Networking (SDN) is a technology which provides a network architecture with three distinct layers that is, the application layer which is made up of SDN applications, the control layer which is made up of the controller and the data plane layer which is made up of switches. However, the exits different types of SDN architectures some of which are interconnected with the physical network. At the core of SDN, the control plane is physically and logically separated from the data plane. The controller is connected to the application layer through an interface known as the northbound interface and to the data plane through another interface known as the southbound interface. The centralized control plane uses APIs to communicate through the northbound and southbound interface with the application layer and the data plane layer respectively. By default, these APIs such as Restful and OpenFlow APIs do not implement security mechanisms like data encryption and authentication thus, this introduces new network security threats to the SDN architecture. This report presents a technique known as threat modeling in SDN. To achieve this technique, attack scenarios are created based on the OpenFlow SDN vulnerabilities. After which these vulnerabilities are defined as predicates or facts and rules, a framework known as multihost multistage vulnerability analysis (MulVAL) then takes these predicates and rules to produce a threat model known as attack graph. The attack graph is further used to performed quantitative risk analysis using a metric to depict the risks associated to the OpenFlow SDN model

Published

2019

32. Attack Modeling and Risk Assessments in Software Defined networking (SDN)

Abstract

Software Defined Networking (SDN) is a technology which provides a network architecture with three distinct layers that is, the application layer which is made up of SDN applications, the control layer which is made up of the controller and the data plane layer which is made up of switches. However, the exits different types of SDN architectures some of which are interconnected with the physical network. At the core of SDN, the control plane is physically and logically separated from the data plane. The controller is connected to the application layer through an interface known as the northbound interface and to the data plane through another interface known as the southbound interface. The centralized control plane uses APIs to communicate through the northbound and southbound interface with the application layer and the data plane layer respectively. By default, these APIs such as Restful and OpenFlow APIs do not implement security mechanisms like data encryption and authentication thus, this introduces new network security threats to the SDN architecture. This report presents a technique known as threat modeling in SDN. To achieve this technique, attack scenarios are created based on the OpenFlow SDN vulnerabilities. After which these vulnerabilities are defined as predicates or facts and rules, a framework known as multihost multistage vulnerability analysis (MulVAL) then takes these predicates and rules to produce a threat model known as attack graph. The attack graph is further used to performed quantitative risk analysis using a metric to depict the risks associated to the OpenFlow SDN model

Published

2019

33. An Enhanced Message Distribution Mechanism for Northbound Interfaces in the SDN Environment

Author

Hong Ni, Lei Liu, and Chenhui Wang

Subjects

Technology, OpenFlow, Northbound interface, QH301-705.5, computer.internet_protocol, Computer science, QC1-999, Interface (computing), 02 engineering and technology, message distribution mechanism, Communications system, SDN, Internet protocol suite, 0202 electrical engineering, electronic engineering, information engineering, Forwarding plane, General Materials Science, Biology (General), QD1-999, Instrumentation, Fluid Flow and Transfer Processes, business.industry, Physics, Process Chemistry and Technology, Bandwidth (signal processing), General Engineering, 020206 networking & telecommunications, northbound interface, Engineering (General). Civil engineering (General), Computer Science Applications, message queue, Chemistry, 020201 artificial intelligence & image processing, TA1-2040, business, Message queue, computer, Computer network

Abstract

Software-Defined Network (SDN), which is recommended as a new generation of the network, a substitute for TCP/IP network, has the characteristics of separation of data plane and control plane. Although the separation of the control plane brings a high degree of freedom and simple operation and maintenance, it also increases the cost of north–south communication. There are many additional modules for SDN to modify and enhance the basic functions of SDN. This paper proposes a message queue-based northbound communication mechanism, which pre-categorizes messages from the data plane and accurately pushes them to the apps potentially interested. This mechanism improves the efficiency of northbound communication and apps’ execution. Furthermore, it supports both OpenFlow and the protocol-independent southbound interface, and it has strong compatibility. Experiments have proved that this mechanism can reduce the control-response latency by up to 41% when compared with the normal controller northbound communication system, and it also improves the network situation of the data plane, such as real-time bandwidth.

Published

2021

34. NBI Modeling Realization for SDOTN Based on ACTN

Author

Yanlei Zheng, Guangquan Wang, Zhou Yantao, and Liu Yacheng

Subjects

Open software, Northbound interface, Computer architecture, Transmission network, Interface model, Control theory, Computer science, Realization (systems), Abstraction (linguistics)

Abstract

The open Software Defined Network (SDN) capability of optical transmission network under telecom operation is always the core problem concerned by operators. Based on the idea of Abstraction and Control of TE Networks (ACTN), this paper analyzes the northbound interface (NBI) modeling of the controller system and explains how the interface model can meet the needs of the upper application system.

Published

2019

35. Risk Assessment Approach to Secure Northbound Interface of SDN Networks

Author

Marcin Jekot, Piotr Borylo, Piotr Jaglarz, Piotr Cholda, and Marcin Niemiec

Subjects

Northbound interface, business.industry, Computer science, media_common.quotation_subject, Numerical verification, Reputation system, Network cost, Communication source, Approaches of management, business, Risk assessment, Computer network, Reputation, media_common

Abstract

The most significant threats to networks usually originate from external entities. As such, the Northbound interface of SDN networks which ensures communication with external applications requires particularly close attention. In this paper we propose the Risk Assessment and Management approach to SEcure SDN (RAMSES). This novel solution is able to estimate the risk associated with traffic demand requests received via the Northbound-API in SDN networks. RAMSES quantifies the impact on network cost incurred by expected traffic demands and specifies the likelihood of adverse requests estimated using the reputation system. Accurate risk estimation allows SDN network administrators to make the right decisions and mitigate potential threat scenarios. This can be observed using extensive numerical verification based on an network optimization tool and several scenarios related to the reputation of the sender of the request. The verification of RAMSES confirmed the usefulness of its risk assessment approach to protecting SDN networks against threats associated with the Northbound-API.

Published

2019

36. Attack Modeling and Risk Assessments in Software Defined networking (SDN)

Author

Frankeline, Tanyi

Subjects

SDN, Northbound Interface, data plane OpenFlow, Southbound Interface, Attack Graph, Application layer, Attack Trees, Other Engineering and Technologies not elsewhere specified, Threat Model, MulVAL, Övrig annan teknik, Controller, Risk Analysis

Abstract

Software Defined Networking (SDN) is a technology which provides a network architecture with three distinct layers that is, the application layer which is made up of SDN applications, the control layer which is made up of the controller and the data plane layer which is made up of switches. However, the exits different types of SDN architectures some of which are interconnected with the physical network. At the core of SDN, the control plane is physically and logically separated from the data plane. The controller is connected to the application layer through an interface known as the northbound interface and to the data plane through another interface known as the southbound interface. The centralized control plane uses APIs to communicate through the northbound and southbound interface with the application layer and the data plane layer respectively. By default, these APIs such as Restful and OpenFlow APIs do not implement security mechanisms like data encryption and authentication thus, this introduces new network security threats to the SDN architecture. This report presents a technique known as threat modeling in SDN. To achieve this technique, attack scenarios are created based on the OpenFlow SDN vulnerabilities. After which these vulnerabilities are defined as predicates or facts and rules, a framework known as multihost multistage vulnerability analysis (MulVAL) then takes these predicates and rules to produce a threat model known as attack graph. The attack graph is further used to performed quantitative risk analysis using a metric to depict the risks associated to the OpenFlow SDN model

Published

2019

37. Toward a Trust-Based Authentication Framework of Northbound Interface in Software Defined Networking

Author

Phan The Duy, Do Thi Thu Hien, Nguyen Van Vuong, Nguyen Ngoc Hai Au, and Van-Hau Pham

Subjects

Network management, Network administrator, OpenFlow, Northbound interface, business.industry, Computer science, Authentication protocol, Forwarding plane, Single point of failure, business, Software-defined networking, Computer network

Abstract

Software Defined Networking (SDN) – a new rising terminology of network is recently gained more and more interest in both academic and industrial field. Not only decoupling of its control plane and data plane, SDN also provides the whole view of entire network for better and more flexible network management. Despite the benefits of the global view of the whole network, SDN with a single point of failure at the controller encounters some drawbacks and additional challenge for security. A malicious OpenFlow application (OF app) can access to SDN controller to perform illegal activities due to the lack of the authentication protocol in Northbound interface to ensure that only trusted, and authorized applications access critical network resources. The information about the whole network, such as topology data, flow information or statistics can be retrieved. Even worse the entire network can be controlled from the compromised controller. In this paper, we introduce Trust Trident - a framework of securing trustworthy authentication between applications and controller, with the controller-independent capability. It gives network administrator a fully and fine-grained observation of OF apps communicating with the controller. Threats in Northbound interface and counter measurements by our plugin are classified and evaluated according to the threat categories from the STRIDE methodology.

Published

2019

38. Standardized Northbound Interface Testing Automation on the Open and Disaggregated Optical Transport Equipment

Author

Chongjin Xie, Liang Dou, Tao Wang, Ming Xia, Yawei Yin, and Shuai Zhang

Subjects

NETCONF, Northbound interface, computer.internet_protocol, business.industry, Computer science, 02 engineering and technology, computer.software_genre, Network configuration, 01 natural sciences, Automation, GeneralLiterature_MISCELLANEOUS, 010309 optics, 020210 optoelectronics & photonics, 0103 physical sciences, 0202 electrical engineering, electronic engineering, information engineering, Operating system, business, computer, Protocol (object-oriented programming)

Abstract

The proposed demonstration will showcase a live testing of the northbound API on optical DCI equipment which is compliant with the NETCONF network configuration protocol and OpenConfig YANG data models.

Published

2019

39. A Fine-Grained Detection Mechanism for SDN Rule Collision

Author

Qiu Xiaochen, Zheng Shihui, Gu Lize, and Cai Yong-mei

Subjects

OpenFlow, Dependency (UML), Northbound interface, Computer science, Control theory, Distributed computing, Throughput, Function (mathematics), Software-defined networking, Collision

Abstract

The rules issued by third-party applications may have direct violations or indirect violations with existing security flow rules in the SDN (software-defined network), thereby leading to the failure of security rules. Currently, existing methods cannot detect the rule collision in a comprehensive and fine-grained manner. This paper proposes a deep detection mechanism for rule collision that can detect grammatical errors in the flow rules themselves, and can also detect direct and indirect rule collisions between third-party and security applications based on the set intersection method. In addition, our mechanism can effectively and automatically resolve the rule collision. Finally, we implement the detection mechanism in the RYU controller, and use Mininet to evaluate the function and performance. The results show that the mechanism proposed in this paper can accurately detect the static, dynamic and dependency collisions of flow rules, and ensure that the decline of throughput of the northbound interface of the SDN network is controlled at 20%.

Published

2019

40. A Security-Enhanced Monitoring System for Northbound Interface in SDN using Blockchain

Author

Hien Do Hoang, Phan The Duy, and Van-Hau Pham

Subjects

Immutability, Authentication, Northbound interface, business.industry, Control theory, Computer science, Key (cryptography), Single point of failure, business, Software-defined networking, Credential, Computer network

Abstract

In Software-Defined Networking (SDN), Northbound Interface provides APIs, which allow network applications to communicate with SDN controllers. However, a malicious application can access to SDN controller and perform illegal activities via these APIs. Although some studies proposed AAA (Authentication, Authorization, Accounting) systems to protect SDN controllers from malicious applications, their proposed systems also exist several limitations. Attackers can compromise a system, then modify its database or files to gain higher privileges. This system can be taken down because of Single Point of Failure threat. To enhance security for the Northbound interface, we propose a novel system using blockchain, namely BlockAS. It is used to authenticate, authorize and monitor accessing critical controller resources from applications. Specifically, BlockAS leverages blockchain features to maintain the immutability and decentralization of credential data. Our proposed system has five key properties: immutability of database, decentralization, authentication, authorization, and accounting to enhance security for SDN controller and its offered services.

Published

2019

41. Software-Defined Networks and Methods to Mitigate Attacks on the Network

Author

Valluri Sarimela, Sumit Kumar, and Shubham Kumar

Subjects

OpenFlow, Exploit, Northbound interface, business.industry, Computer science, Interface (computing), Forwarding plane, Denial-of-service attack, business, Software-defined networking, Networking hardware, Computer network

Abstract

Software-defined network (SDN) is becoming an advance technology. It is not only used to manage IP networks but also manages data centers as well as cloud data and it can be applied in various types of networks. Earlier approaches for IP networks were more complex and IP networks are now a big network; thus, it is very difficult to manage those networks in terms of configuring thenetwork devices, applying policies on the network dynamically and get the knowledge of the faults, load and changes in the network. Software-defined approach made it easy to manage and configure the network. The role of the SDN controller in network devices can be extended with an application that effectively solves a particular problem and provide a flexible management service. One of the protocols used for this technology is OpenFlow. It basically works on southbound interface, i.e., between controller and network devices. Many solutions to utilize the network and exploit as much information possible from the network is one of the aim of researchers and many solutions have been proposed for the same. One of the most important and distinct features is to detect denial-of-service (DoS) attack quickly and precisely. In this paper, we are going to give an introduction about how and why SDN is trending and also analysis of solutions to detect and save a network from DDoS attacks.

Published

2018

42. Implementation of Northbound Interface in Multi-domain Coordinate Control Framework

Author

Yaqiong Liu, Guochu Shou, Wenqi Bai, and Yihong Hu

Subjects

Northbound interface, Computer science, Interface (Java), business.industry, Distributed computing, Interoperability, Network topology, Coordinate control, GeneralLiterature_MISCELLANEOUS, Multi domain, Software, Computer Science::Networking and Internet Architecture, business, Abstraction (linguistics)

Abstract

We implement IETF YANG models interface and test its interoperability through a multi-domain coordinate experiment according to ACTN (Abstraction and Control of Traffic Engineered Networks) framework. We validate YANG models are well-suited for multi-domain coordination.

Published

2018

43. A Software Engineering Perspective on SDN Programmability

Author

Robson do Nascimento Fidalgo, Felipe A. Lopes, Marcelo Santos, and Stenio Fernandes

Subjects

Network architecture, Social software engineering, Resource-oriented architecture, Northbound interface, business.industry, Computer science, Software development, 020206 networking & telecommunications, Cloud computing, 02 engineering and technology, Software deployment, Software construction, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Electrical and Electronic Engineering, business, Software engineering

Abstract

Software-defined networking (SDN) has received a great deal of attention from both academia and industry in recent years. Studies on SDN have brought a number of interesting technical discussions on network architecture design, along with scientific contributions. Researchers, network operators, and vendors are trying to establish new standards and provide guidelines for proper implementation and deployment of such novel approach. It is clear that many of these research efforts have been made in the southbound of the SDN architecture, while the northbound interface still needs improvements. By focusing in the SDN northbound, this paper surveys the body of knowledge and discusses the challenges for developing SDN software. We investigate the existing solutions and identify trends and challenges on programming for SDN environments. We also discuss future developments on techniques, specifications, and methodologies for programmable networks, with the orthogonal view from the software engineering discipline.

Published

2016

44. Opening up ROADMs: a filterless add/drop module for coherent-detection signals

Author

Josef Vojtech, Jaroslav Jedlinsky, Jan Kundrat, Ondrej Havlis, and Jan Radil

Subjects

NETCONF, Northbound interface, Computer Networks and Communications, Computer science, computer.internet_protocol, business.industry, Electrical engineering, 020206 networking & telecommunications, 02 engineering and technology, Multiplexer, 020210 optoelectronics & photonics, Wavelength-division multiplexing, Frequency grid, 0202 electrical engineering, electronic engineering, information engineering, Drop (telecommunication), Heterodyne detection, business, computer

Abstract

We present an open design of a filterless add/drop reconfigurable optical add/drop multiplexer module with a NETCONF northbound interface. Compared to commercial offerings, the device design is openly documented and available for detailed inspection. Performance is evaluated with up to seven adjacent high-speed 100 Gbps signals on a 50 GHz frequency grid.

Published

2020

45. Towards Application-Aware Networking: ML-Based End-to-End Application KPI/QoE Metrics Characterization in SDN

Author

Andrew Hines, Declan T. Delanev, and Hamed Z. Jahromi

Subjects

Northbound interface, Computer science, Quality of service, Interface (computing), 05 social sciences, 050801 communication & media studies, 02 engineering and technology, Metrics, 0508 media and communications, End-to-end principle, Computer architecture, Server, 0202 electrical engineering, electronic engineering, information engineering, Resource allocation (computer), 020201 artificial intelligence & image processing, Software-defined networking

Abstract

Software Defined Networking (SDN) presents a unique networking paradigm that facilitates the development of network innovations. This paper aims to improve application awareness by incorporating Machine Learning (ML) techniques within an open source SDN architecture. The paper explores how end-to-end application Key Performance Indicator (KPI) metrics can be designed and utilized for the purpose of application awareness in networks. The main goal of this research is to characterize application KPI metrics using a suitable ML approach based on available network data. Resource allocation and network orchestration tasks can be automated based on the findings. A key facet of this research is introducing a novel feedback interface to the SDN's Northbound Interface that receives realtime performance feedback from applications. This paper aim to show how could we exploit the applications feedback to determine useful characteristics of an application's traffic. A mapping application with a defined KPI is used for experimentation. Linear multiple regression is used to derive a characteristic relationship between the application KPI and the network metrics.

Published

2018

46. SDNKeeper: Lightweight Resource Protection and Management System for SDN-Based Cloud

Author

Yan Chen, Kaiyu Hou, Libin Song, Xue Leng, and Kai Bu

Subjects

Access network, Northbound interface, business.industry, Computer science, 020206 networking & telecommunications, Cloud computing, Access control, 02 engineering and technology, Network management, Management system, 0202 electrical engineering, electronic engineering, information engineering, Overhead (computing), 020201 artificial intelligence & image processing, business, Software-defined networking, Computer network

Abstract

SDN-based cloud has the merit of allowing more flexibility in network management, however, the security of network accessing and the correctness of network configuration in SDN-based cloud have not been effectively addressed yet. In this paper, SDNKeeper, a generic and fine-grained policy enforcement system in SDN-based cloud is proposed, which can defend against unauthorized attacks and avoid network resource misconfiguration. With the usage of SDNKeeper, numerous flexible network management policies can be created by administrators, which give administrators the discretionary room on controlling the network resources. To be specific, SDNKeeper can reject any unauthorized network access request at Northbound Interface (NBI), which located between application plane and control plane. Moreover, compared with other traditional policy-based access control systems, SDNKeeper is totally application-transparent and lightweight, which is easy to implement, deploy and runtime configure. Based on the prototype implementation and evaluation, we conclude that SDNKeeper can perform access control accurately with negligible computation overhead whilst the throughput degradation is still within the acceptable range.

Published

2018

47. Social Data Driven SDN Network Operation using Northbound Interface

Author

Shu Yamamoto, Akihiro Nakao, Masato Oguchi, Saneyasu Yamaguchi, and Tsumugi Tairaku

Subjects

Northbound interface, User experience design, Computer science, business.industry, Traffic engineering, Wide area network, Testbed, Routing (electronic design automation), business, Software-defined networking, Data-driven, Computer network

Abstract

Software Defined Networking (SDN) enables highly flexible routing and traffic engineering. The network using the centralized SDN control can be operated by globally viewing the entire network. On the other hand, the network operation of the routing and traffic engineering based on internal network traffic monitoring does not immediately perform the network recovery specifically in case of the multiple network failures induced by the large scale disaster such as Great East Japan Earthquake. Hence, we will investigate the new network operation utilizing the external information abstracted from the social data. The social data contains the real-time user experience of the network quality degradation due to the emergency events, natural disaster etc. and useful for the immediate network recovery. The integration of the social data with SDN will enable the new network operation. In order to obtain the real-time information from the social data, Twitter is most relevant for our purpose. First, we constructed the SDN enabled network testbed in the wide area network controlled by the centralized system using th northbound interface (NBI). Next using the testbed, the network restoration experiment was successfully performed by the network path computation algorithm using actual Tweet logs of the Great East Japan Earthquake.

Published

2018

48. A Behavior-Driven Approach to Intent Specification for Software-Defined Infrastructure Management

Author

Gianluca Davoli, Flavio Esposito, Chiara Contoli, Jiayi Wang, Walter Cerroni, Franco Callegati, Flavio. Esposito, Jiayi Wang, C. Contoli, G. Davoli, W. Cerroni, and F. Callegati

Subjects

Firewall (construction), Service (systems architecture), Network management, Northbound interface, Computer science, business.industry, Chaining, Software-defined data center, Use case, Software-defined networking, business, Software engineering, NFV, SDN, intent-based networking

Abstract

One of the goals of Software-Defined Networking (SDN) is to allow users to specify high-level policies into lower level network rules. Managing a network and decide what policy set is appropriate requires, however, expertise and low level know-how. An emerging SDN paradigm is to allow higher-level network level decisions wishes in the form of "intents". Despite its importance in simplifying network management, intent specification is not yet standardized. In this work, we propose a northbound interface (NBI) for intent declaration, based on Behavior-Driven Development. In our approach, intents are specified in plain English and translated by our system into pre-compiled network policies, that are in turn, converted into low-level rules by the software-defined infrastructure e.g. an SDN controller. We demonstrated our behavior-driven approach with two practical use cases: service function chaining deployed on OpenStack, supported by both ONOS and Ryu controllers, and dynamic firewall programming. We also measured the overhead and response time of our NBI. We believe that our approach is far more general and paves the way for a more expressive and simplified northbound interface for intent-driven networking.

Published

2018

49. A Generic Emulation Framework for Reusing and Evaluating VNF Placement Algorithms

Author

Stefan Schneider, Manuel Peuster, and Holger Karl

Subjects

Emulation, Northbound interface, Computer science, Interface (Java), Testbed, Container (abstract data type), Network topology, Algorithm, Virtual network, Abstraction layer

Abstract

In recent years, a variety of different approaches have been proposed to tackle the problem of scaling and placing network services, consisting of interconnected virtual network functions (VNFs). This paper presents a placement abstraction layer (PAL) that provides a clear and simple northbound interface for using such algorithms while hiding their internal functionality and implementation. Through its southbound interface, PAL can connect to different back ends that evaluate the calculated placements, e.g., using simulations, emulations, or testbed approaches. As an example for such evaluation back ends, we introduce a novel placement emulation framework (PEF) that allows executing calculated placements using real, container- based VNFs on real-world network topologies. In a case study, we show how PAL and PEF facilitate reusing and evaluating placement algorithms as well as validating their underlying models and performance claims.

Published

2018

50. Secure northbound interface for SDN applications with NTRU public key infrastructure

Author

Mohammad Reza Majma and Seyed Bagher Hashemi Natanzi

Subjects

Authentication, 021103 operations research, Northbound interface, NTRU, Computer science, business.industry, Interface (computing), 0211 other engineering and technologies, Public key infrastructure, 02 engineering and technology, Encryption, 020202 computer hardware & architecture, Public-key cryptography, Digital signature, 0202 electrical engineering, electronic engineering, information engineering, business, Computer network

Abstract

The most important features of software-defined networking is the flexibility and network development capability by the ability of the network to be programmable. Accordingly, the controller delivers network resources to the third party applications or other networks through the Northbound Interface (NBI) of SDN. But this interface has some defects, including the lack of necessary security features such as authentication and access level determination. In this paper, we presented a new solution for using third party applications from network resources based on the NTRU algorithm and the NSS digital signature, which by the controller can provide network information only for approved and reliable programs through a safe REST API. The results show that using the NTRU against algorithms such as RSA and ECC presents low memory consumption, high speed, and low computing, although it does not work faster on small Networks.

Published

2017