Xiaoli Zhang,Qi Li,Jianping Wu,Jiahai Yang

DOI: https://doi.org/10.1109/tnet.2020.3028846

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:With the advent of network function virtualization (NFV), outsourcing network functions (NFs) to the cloud is becoming increasingly popular for enterprises since it brings significant benefits for NF deployment and maintenance, such as improved scalability and reduced overhead. However, NF outsourcing limits the control of customer enterprises over NF deployment and management, consequently raising serious security concerns. Enterprises cannot ensure whether their outsourced NFs and associated service function chains (SFCs) are correctly enforced according to their specifications. In this paper, we propose vSFC, an SFC verification scheme that allows an enterprise to accurately verify the correctness of SFC enforcement in real time. Specifically, it can detect a wide range of SFC violations including forwarding path incompliance, packet dropping, and flow dropping attacks. Meanwhile, it is generic and agile, which can be applied to arbitrary cloud architectures without requiring any modification to NFs. To demonstrate the feasibility and performance of vSFC, we implement a vSFC prototype on top of Linux kernel-based virtual machines (KVM) and conduct extensive experiments with real traffic. The experimental results show that vSFC can accurately detect SFC violations with negligible overhead.

Huazhe Wang,Xin Li,Yu Zhao,Ye Yu,Hongkun Yang,Chen Qian

DOI: https://doi.org/10.48550/arXiv.1606.07079

2016-06-22

Networking and Internet Architecture

Abstract:There is an increasing trend that enterprises outsource their network functions to the cloud for lower cost and ease of management. However, network function outsourcing brings threats to the privacy of enterprises since the cloud is able to access the traffic and rules of in-cloud network functions. Current tools for secure network function outsourcing either incur large performance overhead or do not support real-time updates. In this paper, we present SICS, a secure service function chain outsourcing framework. SICS encrypts each packet header and use a label for in-cloud rule matching, which enables the cloud to perform its functionalities correctly with minimum header information leakage. Evaluation results show that SICS achieves higher throughput, faster construction and update speed, and lower resource overhead at both enterprise and cloud sides, compared to existing solutions.

Qiang Wu,Ran Wang,Xincheng Yan,Chunming Wu,Rongxing Lu

DOI: https://doi.org/10.1109/MWC.001.2100251

IF: 12.777

2022-01-01

IEEE Wireless Communications

Abstract:Opening-up sharing has prompted the multi-tenancy architecture, whereby different vendors (including outsourcees) work together with network operators to form a vibrant service ecosystem, resulting in several advantages as well as risks. In particular, the static nature of existing architectures in network functions virtualization-based (NFV-based) clouds facilitate hacking. Thus, much attention has been focused on determining how to avoid the uncontrollable cloud security induced by complex production relations and non-trustworthy software/hardware sources when the two sets of security risks intersect. In this article, we investigate latent persistent threats against cloud environments and determine a high degree of complementarity and consistency between the NFV-based cloud environment and the dynamic defense concept. More specifically, new NFV-based cloud features provide an effective implementation for dynamic defense, while the generalized robustness of dynamic defense theory allows for high security gains. Intrinsic cloud security (iCS) is then proposed to align NFV-based clouds, mimicking defense and the moving target defense (MTD) paradigm to implement a seamless integration and symbiosis evolution between security and NFV-based clouds. We quantify the impact on system overhead to account for efficiency and cost issues. The simulation analysis demonstrates that the enhanced mode is able to consistently obtain a more beneficial and stable defense compared with the counterparts.

Kai Zhu,Chunming Wu,Boyang Zhou

DOI: https://doi.org/10.1049/cje.2019.08.011

IF: 1.019

2019-01-01

Chinese Journal of Electronics

Abstract:Network function virtualization (NFV), has been widely adopted in existing networks since it brings lower capital expenditure and operating expense, as well as flexible and elastic deployment. Based on NFV, dynamic Service function chain (SFC) provides more comprehensive and thorough traffic steering over a series of middleboxes, e.g., DPI, and IDS. Nevertheless, dynamic SFC involves internal state migration in middleboxes, making it hard to allocate SFC requests. We propose a reconfigurable SFC scheduling approach with consideration on resource constraints and race of the state migration to collaborate the execution of the SFC reconfiguration, in the reasonable fashion based on a heuristic algorithm. The evaluation is conducted through discrete event simulation to validate the efficiency of our reconfigurable SFC scheduling, and the results demonstrate that the proposed method outperforms First Come First Serve scheduling and random scheduling.

Dong Zhang,Xiang Chen,Qun Huang,Xiaoyan Hong,Chunming Wu,Haifeng Zhou,Yi Yang,Hongyan Liu,Yuxin Chen

DOI: https://doi.org/10.1109/access.2019.2950446

IF: 3.9

2019-01-01

IEEE Access

Abstract:Network function virtualization allows network functions to be implemented and managed flexibly as a service function chain (SFC) in the data plane to process flows. However, software-based SFCs lead to poor performance compared to proprietary middleboxes. Moreover, existing solutions tackling performance issues suffer from the development complexity incurred by hardware details. To address these problems, we leverage both the high performance of P4-capable devices and the high flexibility of P4 language. In this paper, we present a P4 Service Chaining framework (P4SC), which tackles multiple challenges for P4 to support the SFC implementation. P4SC provides a suite of primitives allowing efficient SFC expression, and a converter and a generator converting input SFC requests to the corresponding P4 program. Here, an algorithm based on longest common subsequence (LCS) is used to allow simultaneously implementing multiple SFCs. Moreover, P4SC offers a runtime manager for flexible SFC management at runtime. It also provides an automatic integration mechanism to integrate P4-based NFs into P4SC. We implement a P4SC prototype, which supports three types of P4-capable devices. The experimental results show that P4SC outperforms state of the arts with orders-of-magnitude SFC performance improvement while maintains high flexibility.

Dong Zhang,Zhifan Zheng,Xiang Lin,Xiang Chen,Chunming Wu

DOI: https://doi.org/10.23919/jcc.2021.00.008

2022-01-01

China Communications

Abstract:Service function chains (SFC) mapping takes the responsibility for managing virtual network functions (VNFs). In SFC mapping, existing solutions duplicate VNFs with redundant instances to provide high availability in response to failures. However, as a compromise, these solutions result in high resource consumption due to device maintenance. In this paper, we propose a novel method named dynamic backup sharing (DBS) that allows SFCs to dynamically share backups to reduce resource consumption. DBS formulates the problem of sharing backups among different VNFs as an integer linear programming (ILP). Thereafter, we design a novel online algorithm based on dynamic programming to solve the problem. The experimental results indicate that DBS outperforms state-of-the-art works by reducing resource consumption and improving the number of accepted requests.

Chen Yang,Bingtao Hu,Yixiong Feng,Hua Huang,Haoshan Lai,Jianrong Tan

DOI: https://doi.org/10.1002/eng2.12653

2023-01-01

Engineering Reports

Abstract:Network function virtualization (NFV) is an appealing solution that transforms complex network functions from dedicated hardware to software instances running in a virtualized environment. However, some new challenges will arise when deploying virtual network functions to meet the needs of NFV and edge-computing (EC) enabled 5G networks. In this paper, we focus on the service function chain (SFC) orchestration problem for EC-enabled networks to maximize the profit of network service providers. First, the mathematical model of SFC orchestration in NFV and EC-enabled networks is defined. Then, a two-stage heuristic algorithm is proposed to optimize the total revenue. Finally, the performance of the method is evaluated by simulation experiments and the results show its effectiveness.

Deval Bhamare,Mohammed Samaka,Aiman Erbad,Raj Jain,Lav Gupta,H. Anthony Chan

DOI: https://doi.org/10.48550/arXiv.1903.11550

2019-02-10

Networking and Internet Architecture

Abstract:Service Function Chaining (SFC) is the problem of deploying various network service instances over geographically distributed data centers and providing inter-connectivity among them. The goal is to enable the network traffic to flow smoothly through the underlying network, resulting in an optimal quality of experience to the end-users. Proper chaining of network functions leads to optimal utilization of distributed resources. This has been a de-facto model in the telecom industry with network functions deployed over underlying hardware. Though this model has served the telecom industry well so far, it has been adapted mostly to suit the static behavior of network services and service demands due to the deployment of the services directly over physical resources. This results in network ossification with larger delays to the end-users, especially with the data-centric model in which the computational resources are moving closer to end users. A novel networking paradigm, Network Function Virtualization (NFV), meets the user demands dynamically and reduces operational expenses (OpEx) and capital expenditures (CapEx), by implementing network functions in the software layer known as virtual network functions (VNFs). VNFs are then interconnected to form a complete end-to-end service, also known as service function chains (SFCs). In this work, we study the problem of deploying service function chains over network function virtualized architecture. Specifically, we study virtual network function placement problem for the optimal SFC formation across geographically distributed clouds. We set up the problem of minimizing inter-cloud traffic and response time in a multi-cloud scenario as an ILP optimization problem, along with important constraints such as total deployment costs and service level agreements (SLAs). We consider link delays and computational delays in our model.

Ben Wang,Jun Li,Shaohua Cao,Evrim Guler,Danyang Zheng

DOI: https://doi.org/10.1109/access.2024.3387083

IF: 3.9

2024-04-27

IEEE Access

Abstract:In the 5G and beyond 5G networks, achieving security-aware data transmission needs to convert clients ' requests into a service function chain (SFC), each service function (SF) providing a certain security guarantee. With diverse configuration techniques, an SF may own multiple versions, each version providing various security guarantees with diverse costs. It should be notice that, as the recent software failures have caused severe financial loss, great attentions from both academia and industry have been put onto the SFC reliability. In the literature, existing works have solely investigated the following two fields: 1) how to deploy a security-aware SFC, and 2) how to protect a traditional SFC. Simply applying these techniques to dealing with the problem of security-aware SFC protection might not be efficient as the backup and primary SFCs may not be identical for security-aware SFCs. Therefore, how to jointly take these fields into account is challenging and remains open. To tackle the above problem, this paper studies how to construct and embed a security-aware SFC with asymmetric dedicated protection. We mathematically define this problem and name it security-aware service function chaining, embedding, and protection with multi-versioned SFs (SFCEP-MF) with the objective of cost optimization. Next, to optimize the SFCEP-MF problem, we construct an efficient algorithm, called augmenting-path with primary-first disjoint SFP identifier (APPF-DSI). Extensive simulation results show that the APPF-DSI algorithm outperforms the benchmark approaches that are directly extended from the state-of-the-art.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shiyan Zhang,Beijia Wang,Qingxiao Huang,Yinhai Wu,Ruohan Xu,Kun Wang,Xinyu Zhang

DOI: https://doi.org/10.1109/hpcc-dss-smartcity-dependsys57074.2022.00110

2022-01-01

Abstract:As the network function virtualization (NFV) tech-nology is introduced, there is an expanding number of Internet-of-Things (IoT) mobile customers leveraging virtual network services in edge cloud networks. NFVs can be connected in a certain order to create a service function chain (SFC), also known as a SF chain. Owing to the large amount of service requests from IoT devices attempting to access their communication networks from anywhere at any time, the requirement for dynamic and adaptive deployment of SFCs to accommodate dynamic changes in service requests is a major challenge today. In this paper, the dynamic deployment of hybrid SFCs in multi-domain edge cloud networks is addressed with the optimisation objective of minimising the total cost. First, we propose an orchestration approach for hybrid SFCs based on splitting and aggregating policies. Therefore, aiming to balance GCN performance and complexity, we introduce an efficient hybrid SFC dynamic de-ployment algorithm, GCN-P-DRL. With extensive experimental evaluation, Our proposed algorithm attains the best performance in most metrics, with a 15.91% improvement in acceptance ratio and a 14.96% reduction in average delay when comparing to the available most advanced solutions.

Tarik Moufakir,Mohamed Faten Zhani,Abdelouahed Gherbi,Moayad Aloqaily,Nadir Ghrada

DOI: https://doi.org/10.48550/arXiv.2203.01098

2022-03-02

Abstract:With the emergence of network softwarization trend, traditional networking services offered by Internet providers are expected to evolve by fully leveraging new recent technologies like network function virtualization and software defined networking. In this paper, we investigate offering Service Function Chains as a Service (SFCaaS) in NFV Environments. We first describe the potential business model to offer such a service. We then conduct a detailed study of the costs of virtual machine instances offered by Amazon EC2 with respect to the location, instance size, and performance in order to guide service chain provisioning and resource allocation. Afterwards, we address the resource allocation problem for service chain functions from the SFC provider's perspective while leveraging the performed cost study. We hence formulate the problem as an Integer Linear Program (ILP) aiming at reducing the SFC provider's operational costs of virtual machine instances and links as well as the synchronization costs among the instances. We also propose a new heuristic algorithm to solve the mapping problem with the same aforementioned goals taking into account the conducted study of the costs of Amazon EC2 instances. We show through extensive simulations that the proposed heuristic significantly reduce operational costs compared to a Baseline algorithm inspired by the existing literature.

Networking and Internet Architecture

Khoshkholghi Mohammad Ali,Gokan Khan Michel,Alizadeh Noghani Kyoomars,Taheri Javid,Bhamare Deval,Kassler Andreas,Xiang Zhengzhe,Deng Shuiguang,Yang Xiaoxian

DOI: https://doi.org/10.1007/s11036-020-01661-w

2020-01-01

Abstract:Network Function Virtualization (NFV) is an emerging technology to consolidate network functions onto high volume storages, servers and switches located anywhere in the network. Virtual Network Functions (VNFs) are chained together to provide a specific network service, called Service Function Chains (SFCs). Regarding to Quality of Service (QoS) requirements and network features and states, SFCs are served through performing two tasks: VNF placement and link embedding on the substrate networks. Reducing deployment cost is a desired objective for all service providers in cloud/edge environments to increase their profit form demanded services. However, increasing resource utilization in order to decrease deployment cost may lead to increase the service latency and consequently increase SLA violation and decrease user satisfaction. To this end, we formulate a multi-objective optimization model to joint VNF placement and link embedding in order to reduce deployment cost and service latency with respect to a variety of constraints. We, then solve the optimization problem using two heuristic-based algorithms that perform close to optimum for large scale cloud/edge environments. Since the optimization model involves conflicting objectives, we also investigate pareto optimal solution so that it optimizes multiple objectives as much as possible. The efficiency of proposed algorithms is evaluated using both simulation and emulation. The evaluation results show that the proposed optimization approach succeed in minimizing both cost and latency while the results are as accurate as optimal solution obtained by Gurobi (5%).

Yong Yang,Buhong Wang,Rongxiao Guo,Jiwei Tian,Peng Luo,Dong Li,Xiaolu Li

DOI: https://doi.org/10.1038/s41598-024-76131-4

IF: 4.6

2024-10-30

Scientific Reports

Abstract:The air traffic information network is fundamental for ensuring the efficient and safe operation of flights. However, with the increasing demands of air traffic services, the rigidity of the traditional air traffic information network has become increasingly pronounced. Network function virtualization (NFV) technology presents an effective solution to address this issue. Within the NFV environment, the deployment of service function chains (SFC) forms the basis for achieving end-to-end air traffic services. This paper addresses the low delay and high security requirements inherent in air traffic services and proposes an efficient and secure SFC deployment for delay optimization (ESSFCD-DO) method. Primarily, the paper conducts a theoretical analysis of SFC deployment, and derives four key principles related to SFC delay, security, and resource cost. Subsequently, based on these principles, the ESSFCD-DO method is developed, which encompasses the virtual network function (VNF) aggregation algorithm for security and resources cost optimization (VNFAA-SRCO), the VNF deployment algorithm based on topology aware (VNFD-TA), and the algorithm for deploying virtual links based on k -shortest path. Experimental results demonstrate that, in comparison to other SFC deployment methods within this domain, ESSFCD-DO achieves significant optimizations in terms of end-to-end delay of SFC and long-term revenue-cost ratio, while ensuring security and service request acceptance rate.

multidisciplinary sciences

Jianan Hong,Kaiping Xue,Na Gai,David S. L. Wei,Peilin Hong

DOI: https://doi.org/10.1109/tdsc.2018.2845381

2020-01-01

Abstract:F2C (fog-to-cloud) enables service providers to rent the low-cost cloud/fog resources to publish their services, and the fog nodes, which are deployed at the edge, can provide short-latency service to users. However, new security threats come along with this new computing paradigm, where the access control and trusted payment are concerned in this work. We propose a privacy-preserving authentication scheme. By integrating k-times anonymous authentication (k-TAA) and attribute-based access control, in our proposed scheme, service providers can autonomously determine a fine-grained access policy and the maximal access times for authorized users. Thus, users who satisfy the access policy can receive benefits of this service for certain number of times without leaking any private information. Our authentication phase has a low latency because it is offloaded to the fog as what the service does. This paper presents a lightweight and trusted billing mechanism using Merkle Hash Tree (MHT), which can detect the cloud's service forgery with high probability, without costing too much of service provider's bandwidth and computation. Rigorous security analysis proves that the proposed scheme is secure against malicious users, fogs, and cloud, and the experimental results show the significant performance advantage on both the delay reduction and service providers' cost saving.

Yi Liu,Hong-qi Zhang,Jiang Liu,Ying-jie Yang

DOI: https://doi.org/10.1155/2017/9534754

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:Security functions are usually deployed on proprietary hardware, which makes the delivery of security service inflexible and of high cost. Emerging technologies such as software-defined networking and network function virtualization go in the direction of executing functions as software components in virtual machines or containers provisioned in standard hardware resources. They enable network to provide customized security service by deploying Security Service Chain (SSC), which refers to steering flow through multiple security functions in a particular order specified by individual user or application. However, SSC Deployment Problem (SSC-DP) needs to be solved. It is a challenging problem for various reasons, such as the heterogeneity of instances in terms of service capacity and resource demand. In this paper, we propose an SSC-based approach to deliver security service to users without worrying about physical locations of security functions. For SSC-DP, we present a three-phase method to solve it while optimizing network and security resource allocation. The presented method allows network to serve a large number of flows and minimizes the latency seen by flows. Comparative experiments on the fat-tree and Waxman topologies show that our method performs better than other heuristics under a wide range of network conditions.

Niu Shaozhang,Tu Shanshan,Huang Yongfeng

DOI: https://doi.org/10.1049/cje.2015.07.015

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:Cloud computing services have got rapid development in the field of the lightweight terminal, especially wireless communications. The comprehensive access control system framework is proposed for the cloud. A kind of access control scheme based on attribute encryption is designed, in which lightweight devices can safely use cloud computing resources to outsource encrypt/decrypt operations, and not worry for exposing terminal sensitive data. The scheme is verified by performance evaluation about the security, computing, storage, to ensure the legitimate interests of users in the cloud.

Siping Liu,Yaoxue Zhang,Yuezhi Zhou,Qiang Yang

DOI: https://doi.org/10.2991/icibet.2013.269

2013-01-01

Abstract:Cloud computing is a hot technology of attracting so many eyeballs currently. Before its success, cloud computing has to overcome the service assurance obstacle that customers trust cloud service safe enough to deploy their critical applications upon it. Since devices such as hosts and networks are underlying infrastructures that support cloud computing, this paper demonstrates a S2R(Services mapped To Resources) model between devices and cloud services to solve this obstacle. S2R model leads all resource devices including hosts and networks etc to deliver a FPACS(Fault, Performance, Accounting, Configuration, Security) interface to support up-level scalable service delivery and assurance. The implementation of S2R will help put off customers' doubts about cloud computing and makes future network architecture take a new view under cloud ecosystems.

Hao Li,Xin Li,Zhuzhong Qian,Xiaolin Qin

DOI: https://doi.org/10.1109/infocomwkshps51825.2021.9484555

2021-01-01

Abstract:With the development of network technology, Network Function Virtualization (NFV) provides a good paradigm of sharing network resources, aiming to transfer network functions from hardware-based devices to software-defined Virtual Network Function (VNF) instances. Each type of VNF is mostly multi-instance, and different VNF instances require to be chained in a predefined sequence to form Service Function Chain (SFC) to provide network services. However, due to the resource capacity constraints of edge nodes and the high latency of cloud edge links in cloud-edge system, it is crucial and challengeable to deploy SFC in NFV-enabled networks. In our paper, we study the SFC deployment (SFC-D) problem in cloud-edge environment. We formulate the SFC-D as an Integer Linear Programming (ILP) model aiming to minimize the deployment cost, and propose a resource-aware deployment algorithm (RADA). According to our extensive evaluations, compared with the state-of-the-art counterpart algorithm, RADA performs better in the remaining available resources of nodes, and the average acceptance rate increases by 15%.

Anna Engelmann,Admela Jukan

DOI: https://doi.org/10.48550/arXiv.2005.02495

2020-04-01

Abstract:In the framework of Network Function Virtualization (NFV), the reliability of Service Function Chain (SFC), -- an end-to-end service is presented by a chain of virtual network functions (VNFs), is a complex function of placement, configuration and deployment requirements, both in hardware and software. Previous reliability analysis models cannot be directly applied to SFC because they do not consider aspects of system component sharing, heterogeneity of system components and their interdependency in case of failures. In this paper, we analyze service reliability of complex SFC configurations, including serial and parallel VNF chaining, as well as their related backup protection components. Our analysis is based on combinatorial analysis and a reduced binomial theorem, and this simple approach can be utilized to analyzing rather complex SFC configurations. We consider, for the first time, failure dependences among VNF components placed in data centers, racks, and servers. We show that our analysis can easily consider different VNF placement strategies in data center networks in arbitrary configurations and, thus, be effectively used for optimizations of the reliable SFC placement.

Networking and Internet Architecture

Jing Gao,Lei Feng,Peng Yu,Fanqin Zhou,Zihao Wu,Xuesong Qiu,Jingchun Li,Yifei Zhu

DOI: https://doi.org/10.1016/j.comnet.2022.109298

IF: 5.493

2022-10-24

Computer Networks

Abstract:Network function virtualization (NFV) technology enables cloud service providers (CSPs) to deploy their service function chains (SFCs) into the common shared physical infrastructures to operate the network or cloud service. However, designing a suitable placement scheme for multi-tenant SFCs to balance resource consumption with performance and security is a tricky issue. In this paper, we first proposed security constraints based on physical isolation and formulated the problem of reasonably placing multi-tenant SFCs subject to multiple constraints to minimize resource consumption. The proposed problem is more intractable than previous works because of the extra introduced security constraints. To solve it, a new non-uniform weighted hypergraph construction approach is proposed by defining hyperedge weights to represent the resource consumption on one SFC. A hypergraph matching algorithm is proposed to find the maximum weight subset of hypergraphs whose vertices do not intersect to give a high degree of physical isolation by dealing with the conflict graphs. Simulation results show that the proposed hypergraph matching algorithm outperforms the comparison schemes in terms of the resource consumption while satisfying the security requirements.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture