Christopher Metter,Valentin Burger,Zheng Hu,Ke Pei,Florian Wamser

DOI: https://doi.org/10.1109/cce.2018.8465741

2018-01-01

Abstract:The process of monitoring the network, especially for larger ones, is very complex and contains many pitfalls. For instance the balance between granularity of information and their performance impact on the network. With the help of SDN this challenge can become easier, as it offers new methods, mechanisms and opportunities. One of the current most important Open Source controllers is the ONOS SDN controller. According to its developers it is a production ready controller that offers high availability due to its logically centralized and physically distributed architecture. But, as our investigations show, it is unable to cope with hazardous network conditions such as sporadic or recurring packet loss. It either does not detect packet loss or only detects it after long time periods, failing all common network availability targets.

Lin Chanting,Wu Chunming,Huang Min,Wen Zhenyu,Zheng Qiuhua

DOI: https://doi.org/10.1109/cc.0.7560881

2016-01-01

China Communications

Abstract:The OpenFlow implementations (SDNs) have been deployed increasingly on varieties of networks in research institutions as well as commercial institutions. To develop an OpenFlow implementation, it is required to understand the performance of the network. A few benchmark tools (e.g., Cbench and OFlops) can be used to measure the network performance, while these tools take considerable time to simulate traffic behaviors and generate the required results, therefore extending the development time. In this paper, we present an analytical model, which is based on stochastic network calculus theory, for evaluating the performance of switch to controller. The previous studies show that stochastic network calculus can provide realistic emulation of real network traffic behaviors. Our model is evaluated by using both simulation tool and realistic testbed. The results show the stochastic network calculus based analysis model can realistically measure the network performance of the end-to-end properties between controller and switch.

Huan Zhou,Jiming Chen,Huanyang Zheng,Jie Wu

DOI: https://doi.org/10.1109/tvt.2015.2432120

IF: 6.8

2016-01-01

IEEE Transactions on Vehicular Technology

Abstract:To discover neighbor nodes, nodes in opportunistic mobile networks (OppNets) have to probe their environment continuously. This can be an extremely energy-consuming process. If nodes probe very frequently, a lot of energy will be consumed in the contact probing process and might be inefficient. On the other hand, infrequent contact probing might cause nodes to miss many of their contacts. Therefore, there exists a tradeoff between energy efficiency and contact opportunities in OppNets. To investigate this tradeoff, we first propose a model to investigate the contact probing process based on the random-waypoint model and obtain the expressions of the single detecting probability and the double detecting probability. Moreover, we also demonstrate that among all contact probing strategies with the same average probing interval, which do not have preknowledge of the contact process, the strategy that probes at a constant interval performs better than any arbitrary probing strategy in expectation in the single contact probing process. Then, extensive simulations are conducted to validate the correctness of our proposed model. Finally, based on the proposed model, we analyze the tradeoff between energy efficiency and the total number of effective contacts in the single and double contact probing processes. Our results show that the total number of effective contacts in the single and double contact probing processes has a lower bound and an upper bound, and the good tradeoff points are obviously different when the speed of nodes is different.

Xiang Chen,Hongyan Liu,Wenbin Zhang,Qun Huang,Dong Zhang,Haifeng Zhou,Xuan Liu,Chunming Wu

DOI: https://doi.org/10.1109/tnet.2024.3421327

2024-01-01

Abstract:In modern data center networks (DCNs), network-stack processing denotes a large portion of the end-to-end latency of TCP flows. So profiling network-stack latency anomalies has been considered as a crucial part in DCN performance diagnosis and troubleshooting. In particular, such profiling requires full coverage (i.e., profiling every TCP packet) and low overhead (i.e., profiling should avoid high CPU consumption in end-hosts). However, existing solutions rely on system calls or tracepoints in end-hosts to implement network-stack latency profiling, leading to either low coverage or high overhead. We propose Torp, a framework that offers full-coverage and low-overhead profiling of network-stack latency. Our key idea is to offload as much of the profiling from costly system calls or tracepoints to the Torp agent built on eBPF modules, and further to include a Torp handler on the ToR switch to accelerate the remaining profiling operations. Torp efficiently coordinates the ToR switch and the Torp agent on end-hosts to jointly execute the entire latency profiling task. We have implemented Torp on $32\times 100$ Gbps Tofino switches. Testbed experiments indicate that Torp achieves full coverage and orders of magnitude lower host-side overhead compared to other solutions.

Xiang Chen,Hongyan Liu,Junyi Guo,Xinyue Jiang,Qun Huang,Dong Zhang,Chunming Wu,Haifeng Zhou

DOI: https://doi.org/10.1109/infocom48880.2022.9796758

2022-01-01

Abstract:In data center networks (DCNs), host-side packet processing accounts for a large portion of the end-to-end latency of TCP flows. Thus, the profiling of host-side latency anomalies has been considered as a crucial part in DCN performance diagnosis and troubleshooting. In particular, such profiling requires full coverage (i.e., profiling every TCP packet handled by end-hosts) and low overhead (i.e., profiling should avoid high CPU consumption in end-hosts). However, existing solutions fully rely on end-hosts to implement host-side latency profiling, leading to low coverage or high overhead. In this paper, we propose Torp, a framework that offers full-coverage and low-overhead profiling of host-side latency. Our key idea is to offload profiling operations to top-of-rack (ToR) switches, which inherently offer full coverage and line-rate packet processing performance. Specifically, Torp selectively offloads profiling operations to the ToR switch based on switch limitations. It efficiently coordinates the ToR switch and end-hosts to execute the entire latency profiling task. We have implemented Torp on 32×100Gbps Tofino switches. Testbed experiments indicate that Torp achieves full coverage and orders of magnitude lower host-side overhead compared to other solutions.

Yi Gao,Yuan Jing,Wei Dong

DOI: https://doi.org/10.1109/tnet.2018.2871213

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:Knowing the trajectory of each packet in a network enables a large range of network debugging and management tasks. Existing packet trajectory tracing approaches for software-defined networking (SDN) either require high message/computational overhead or only focus on one kind of network topology. In this paper, we propose UniROPE, a robust and lightweight packet trajectory tracing approach that supports various network topologies. Using the flow information, UniROPE dynamically selects one of the two proposed packet trajectory tracing algorithms to achieve a better tradeoff between accuracy and efficiency. We implement UniROPE using P4, a high-level language for programming SDN switch operations, and evaluate its performance in networks with different topologies, scales, and link failure probabilities. Results show that UniROPE achieves a high successful ratio of packet trajectory tracing with small message/computational overheads in various networks. We also use three case studies to show the effectiveness of the traced packet trajectory information for network debugging and management.

Yangyang Wang,Jun Bi,Keyao Zhang

DOI: https://doi.org/10.1007/s11432-015-1057-7

2017-01-01

Science China Information Sciences

Abstract:SDN provides an approach to create desired network forwarding plane by programming applications. For a large-scale SDN network comprised of multiple domains and running multiple controller applications, it is difficult to measure and diagnose the problems of flow tables in data plane. Tracing the forwarding path of SDN is one of effective way for data plane state measurement. Previously proposed methods for debugging SDN were applied to a single administrative domain. There is less effort to trace the flow entries of the data plane in large-scale multi-domain SDN networks. In this paper, we propose a method of software defined data plane tracing in large-scale multi-domain SDN networks. Our method can trace forwarding paths, and get the matched flow entries and other customized trace information. We present the designs compatible with OpenFlow 1.0 and 1.3 switches. The performance and deployment effect are evaluated by simulation test and analysis. It shows that our method has better performance than traditional IP traceroute, and its deployment at about 20% of AS nodes can enable 70% of AS paths to be traceable.

Apoorv Shukla,Said Jawad Saidi,Stefan Schmid,Marco Canini,Thomas Zinner,Anja Feldmann

DOI: https://doi.org/10.1109/TNSM.2019.2955790

2020-05-02

Abstract:The conventional wisdom is that a software-defined network (SDN) operates under the premise that the logically centralized control plane has an accurate representation of the actual data plane state. Unfortunately, bugs, misconfigurations, faults or attacks can introduce inconsistencies that undermine correct operation. Previous work in this area, however, lacks a holistic methodology to tackle this problem and thus, addresses only certain parts of the problem. Yet, the consistency of the overall system is only as good as its least consistent part. Motivated by an analogy of network consistency checking with program testing, we propose to add active probe-based network state fuzzing to our consistency check repertoire. Hereby, our system, PAZZ, combines production traffic with active probes to periodically test if the actual forwarding path and decision elements (on the data plane) correspond to the expected ones (on the control plane). Our insight is that active traffic covers the inconsistency cases beyond the ones identified by passive traffic. PAZZ prototype was built and evaluated on topologies of varying scale and complexity. Our results show that PAZZ requires minimal network resources to detect persistent data plane faults through fuzzing and localize them quickly while outperforming baseline approaches.

Networking and Internet Architecture

Ao Li,Rohan Padhye,Vyas Sekar

DOI: https://doi.org/10.48550/arXiv.2209.04026

2022-09-09

Abstract:Performance issues in software-defined network (SDN) controllers can have serious impacts on the performance and availability of networks. We specifically consider stateful performance issues, where a sequence of initial input messages drives an SDN controller into a state such that its performance degrades pathologically when processing subsequent messages. We identify key challenges in applying canonical program analysis techniques: large input space of messages (e.g., stateful OpenFlow protocol), complex code base and software architecture (e.g., OSGi framework with dynamic launch), and the semantic dependencies between the internal state and external inputs. We design SPIDER, a practical fuzzing workflow that tackles these challenges and automatically uncovers such issues in SDN controllers. SPIDER's design entails a careful synthesis and extension of semantic fuzzing, performance fuzzing, and static analysis, taken together with domain-specific insights to tackle these challenges. We show that our design workflow is robust across two controllers -- ONOS and OpenDaylight -- with very different internal implementations. Using SPIDER, we were able to identify and confirm multiple stateful performance issues.

Cryptography and Security

Tian Pan,Xingchen Lin,Haoyu Song,Enge Song,Zizheng Bian,Hao Li,Jiao Zhang,Fuliang Li,Tao Huang,Chenhao Jia,Bin Liu

DOI: https://doi.org/10.1109/icdcs51616.2021.00090

2021-01-01

Abstract:Visibility is essential for operating and troubleshooting intricate networks. In-band Network Telemetry (INT) has been embedded in the latest merchant silicons to offer high-precision device and traffic state visibility. INT is actually an underlying technique and each INT instance covers only one monitoring path. The network-wide measurement coverage therefore requires a high-level orchestration to provision multiple INT paths. An optimal path planning is expected to produce a minimum number of paths with a minimum number of overlapping links. Eulerian trail has been used to solve the general problem. However, in production networks, the vantage points where one can deploy probes to start and terminate INT paths are constrained. In this work, we propose an optimal path planning algorithm, INT-probe, which achieves the network-wide telemetry coverage under the constraint of stationary probes. INT-probe formulates the constrained path planning into an extended multi-depot k-Chinese postman problem (MDCPP-set) and then reduces it to a solvable minimum weight perfect matching problem. We analyze algorithm's theoretical bound and the complexity. Extensive evaluation on both wide area networks and data center networks with different scales and topologies are conducted. We show INT-probe is efficient, high-performance, and practical for real-world deployment. For a large-scale data center networks with 1125 switches, INT-probe can generate 112 monitoring paths (reduced by 50.4 %) by allowing only 1.79% increase of the total path length, promptly resolving link failures within 744.71ms.

Yusu Zhao,Pengfei Zhang,Yongkun Wang,Yaohui Jin

DOI: https://doi.org/10.1109/lcomm.2017.2701369

IF: 3.5529

2024-01-01

IEEE Communications Letters

Abstract:Network issues on data plane manifest themselves as failed rules, which can be verified by the comparison between actual and desired network behavior. Previous efforts implement this leveraging end-to-end active probing, which falls short on timely locating the exact failure points and identifying responsible rules. With the help of the out-band channel in softwaredefined network (SDN), per hop active probing can be employed to perform per device or even per rule network behavior comparison. Therefore, we present SERVE, an SDN-enabled rule verification framework that automatically identifies data plane network issues with periodic per rule network behavior comparison. By modeling network devices as multi-rooted trees with respect to pipeline processing, probes can be generated from a per device perspective in a timely manner. We evaluate the performance of SERVE and validate its effectiveness and timeliness on a small deployment with typical use cases.

Peng Zhang,Hao Li,Chengchen Hu,Liujia Hu,Lei Xiong

DOI: https://doi.org/10.1145/2881025.2881038

2016-01-01

Abstract:Software defined networks provide new opportunities for automating the process of network debugging. Many tools have been developed to verify the correctness of network configurations on the control plane. However, due to software bugs and hardware faults of switches, the correctness of control plane may not readily translate into that of data plane. To bridge this gap, we present VeriDP, which can monitor "whether actual forwarding behaviors are complying with network configurations". Given that policies are well-configured, operators can leverage VeriDP to monitor the correctness of the network data plane. In a nutshell, VeriDP lets switches tag packets that they forward, and report tags together with headers to the verification server before the packets leave the network. The verification server pre-computes all header-to-tag mappings based on the configuration, and checks whether the reported tags agree with the mappings. We prototype VeriDP with both software and hardware OpenFlow switches, and use emulation to show that VeriDP can detect common data plane fault including black holes and access violations, with a minimal impact on the data plane.

Bong-Hwan Oh

DOI: https://doi.org/10.1109/tnsm.2024.3439472

2024-10-16

IEEE Transactions on Network and Service Management

Abstract:The advent of Programming Protocol-independent Packet Processors (P4) enables the programmability of data planes, which provides not only further flexibility but also the possibility of the emergence of new features. With programmable data planes, network monitoring functionalities can be evolved beyond the conventional mechanism of Software-Defined Networks (SDN) which is polling-based monitoring based on OpenFlow. Although the polling-based method is easy and simple to collect monitoring information, it can cause substantial monitoring overhead on both the controller side and the switch side. Unlike the OpenFlow-based SDN which has one option to collect pre-defined information using the polling-based method, monitoring performance can be improved by applying new monitoring approaches based on P4. In this paper, a novel mechanism referred to as P4-based Proactive Monitoring (PPM) is proposed in order to enhance the efficiency of monitoring collection operations. PPM scheme adopts a proactive approach which allows programmable switches to proactively forward monitoring information to the controller after the controller enables PPM. The measurement results show that PPM can not only enhance the efficiency of collecting monitoring information by applying a proactive mechanism but also minimize the general monitoring overhead compared to the polling-based method.

computer science, information systems

Panlong Yang,Guihai Chen,Qihui Wu

DOI: https://doi.org/10.1007/978-3-540-88140-7_4

2008-01-01

Abstract:A confidential and effective probing is fundamental to a cooperative and cognitive wireless network. Previous seminar works are not deadline sensitive, and often suffer from highly dynamic multi-channel environments. As they focus more on transmitting packets with the optimal channel, resources are not efficiently used when sufficient channels are available in multi-radio multi-channel systems. Decisions are made without time constraints, while in dynamic wireless environments, deadlines are always presented for both probing and data transmission process. In this paper, we propose a transmission deadline probing paradigm, and an optimal probing and transmission schedule with time constraints is proposed, which is a pure threshold policy. Simulation results show that, deadline probing paradigm effectively improves network resource utilization as multiple channels presented with probing and transmission deadlines.

Peng Zhang,Hao Li,Chengchen Hu,Liujia Hu,Lei Xiong,Ruilong Wang,Yuemei Zhang

DOI: https://doi.org/10.1145/2999572.2999605

2016-01-01

Abstract:How to debug large networks is always a challenging task. Software Defined Network (SDN) offers a centralized con- trol platform where operators can statically verify network policies, instead of checking configuration files device-by-device. While such a static verification is useful, it is still not enough: due to data plane faults, packets may not be forwarded according to control plane policies, resulting in network faults at runtime. To address this issue, we present VeriDP, a tool that can continuously monitor what we call control-data plane consistency, defined as the consistency between control plane policies and data plane forwarding behaviors. We prototype VeriDP with small modifications of both hardware and software SDN switches, and show that it can achieve a verification speed of 3 μs per packet, with a false negative rate as low as 0.1%, for the Stanford backbone and Internet2 topologies. In addition, when verification fails, VeriDP can localize faulty switches with a probability as high as 96% for fat tree topologies.

Marco Tiloca,Alexandra Stagkopoulou,Gianluca Dini

DOI: https://doi.org/10.48550/arXiv.1609.04554

2016-09-15

Abstract:Software Defined Networking (SDN) has been recently introduced as a new communication paradigm in computer networks. By separating the control plane from the data plane and entrusting packet forwarding to straightforward switches, SDN makes it possible to deploy and run networks which are more flexible to manage and easier to configure. This paper describes a set of extensions for the INET framework, which allow researchers and network designers to simulate SDN architectures and evaluate their performance and security at design time. Together with performance evaluation and design optimization of SDN networks, our extensions enable the simulation of SDN-based anomaly detection and mitigation techniques, as well as the quantitative evaluation of cyber-physical attacks and their impact on the network and application. This work is an ongoing research activity, and we plan to propose it for an official contribution to the INET framework.

Networking and Internet Architecture

Qi Li,Xiaoyue Zou,Qun Huang,Jing Zheng,Patrick P. C. Lee

DOI: https://doi.org/10.1109/tdsc.2018.2810880

2018-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Like traditional IP networking, the emerging Software-Defined Networking (SDN) technology is vulnerable to sophisticated attacks against packets and their forwarding behaviors. However, existing proposals of packet forwarding verification for IP networking cannot be directly applied to the current SDN deployment due to the limited functionalities and resources in commercial off-the-shelf (COTS) SDN switches. We propose DynaPFV, a dynamic packet forwarding verification mechanism that is capable of detecting various sophisticated attacks against packet forwarding. DynaPFV leverages the controllability of SDN to examine both packets and flow statistics across a network of switches to detect violation of packet integrity and forwarding behaviors. To mitigate the verification overhead, DynaPFV dynamically adjusts the rates of packet sampling and flow statistics collection based on the prior detection results in order to preserve the verification accuracy. Furthermore, DynaPFV makes changes to the SDN controller only, and is directly deployable atop COTS SDN switches without modifications. We conduct theoretical analysis on the trade-off between performance and accuracy in our dynamic verification approach. We further prototype DynaPFV using the open-source Floodlight controller, and evaluate our DynaPFV prototype using Mininet simulations and hardware testbed experiments. DynaPFV achieves over 97 percent of verification accuracy only with less than 5 percent of throughput degradation and less than 10 percent of additional forwarding delays.

Yongzhe Jia,Lei Xu,Yuwang Yang,Xiaoling Zhang

DOI: https://doi.org/10.1109/lcomm.2019.2956033

IF: 3.5529

2020-01-01

IEEE Communications Letters

Abstract:In Software Defined Networking (SDN), it is crucial for the controller to manage the data plane and provide basic services with creating and maintaining a real-time abstract topology view for the application plane. Currently, most serious challenge for the topology discovery services is the efficiency of the topology discovery protocol. In this letter, we propose an automatic topology discovery protocol to collect and update the topology information efficiently and securely, which is without unnecessary modifications on the standard OpenFlow protocol or extra hardware logic on switches. We also design a novel probe frame structure for the proposed protocol to reduce the traffic overhead and the controller burden. Finally, the performance of the proposed protocol is evaluated for its efficiency, security, and scalability. The experimental results show that the proposed protocol outperforms the state-of-the-art OpenFlow-based topology discovery protocols.

Jinwoo Kim,Minjae Seo,Eduard Marin,Seungsoo Lee,Jaehyun Nam,Seungwon Shin

DOI: https://doi.org/10.1109/tifs.2024.3402967

IF: 7.231

2024-06-26

IEEE Transactions on Information Forensics and Security

Abstract:Distributed SDN (Software-Defined Networking) controllers have rapidly become an integral element of Wide Area Networks (WAN), particularly within SD-WAN, providing scalability and fault-tolerance for expansive network infrastructures. However, the architecture of these controllers introduces new potential attack surfaces that have thus far received inadequate attention. In response to these concerns, we introduce Ambusher, a testing tool designed to discover vulnerabilities within protocols used in distributed SDN controllers. Ambusher achieves this by leveraging protocol state fuzzing, which systematically finds attack scenarios based on an inferred state machine. Since learning states from a cluster is complicated, Ambusher proposes a novel methodology that extracts a single and relatively simple state machine, achieving efficient state-based fuzzing. Our evaluation of Ambusher, conducted on a real SD-WAN deployment spanning two campus networks and one enterprise network, illustrates its ability to uncover 6 potential vulnerabilities in the widely used distributed controller platform.

computer science, theory & methods,engineering, electrical & electronic

Yusu Zhao,Pengfei Zhang,Yaohui Jin

DOI: https://doi.org/10.1109/NOMS.2016.7502919

2016-01-01

Abstract:Network troubleshooting is always a tough and daunting task for network operators to struggle with, due to difficultly observed network state, large network size and limited tools such as ping and traceroute. Software-defined networking (SDN) brings us the centralized network control and the customized network management over the entire network, which enables new ways of network troubleshooting. Previous efforts focus on static checking, passive monitoring and active probing, which rely on scraping rules from either controller or network devices. Since those rules describe the actions supposed to be performed on packets, the actions having been performed on packets can be different. We propose the concept of packet behavior to describe the real changes of packets and highlight its importance towards network troubleshooting. Based on the novel approach of exporting packet behavior and flow rules via copies triggered by probes being actively sent, we present the design of Netography system and illustrate the procedures of troubleshooting tasks regarding forwarding errors as well as performance degradation caused by non-tenant-contention reasons. We implement a prototype and verify our system on a small deployment with three typical use cases.