Kai Zhu,Chunming Wu,Boyang Zhou

DOI: https://doi.org/10.1049/cje.2019.08.011

IF: 1.019

2019-01-01

Chinese Journal of Electronics

Abstract:Network function virtualization (NFV), has been widely adopted in existing networks since it brings lower capital expenditure and operating expense, as well as flexible and elastic deployment. Based on NFV, dynamic Service function chain (SFC) provides more comprehensive and thorough traffic steering over a series of middleboxes, e.g., DPI, and IDS. Nevertheless, dynamic SFC involves internal state migration in middleboxes, making it hard to allocate SFC requests. We propose a reconfigurable SFC scheduling approach with consideration on resource constraints and race of the state migration to collaborate the execution of the SFC reconfiguration, in the reasonable fashion based on a heuristic algorithm. The evaluation is conducted through discrete event simulation to validate the efficiency of our reconfigurable SFC scheduling, and the results demonstrate that the proposed method outperforms First Come First Serve scheduling and random scheduling.

Gao Wen,Zhou Boyang,Wu Chunming,Zhou Haifeng,Jiang Ming,Hong Xiaoyan

DOI: https://doi.org/10.1049/cje.2015.07.035

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:In the Software-defined networking（SDN）,when multiple control domains are used in control services,the transient state problem can occur causing the service flow interruption when border switches are updated asynchronously. We analyze the uniqueness of this problem for SDN, and propose a light-weight protocol for safe reconfiguration of the border switches in order to improve the availability of the services running in SDN. Our solution is designed as a generic supervision layer added in the control plane to support different types of services. To demonstrate the benefits, we implement a prototype of Informationcentric networks（ICN） with the protocol, and conduct experiments using Planet Lab. The results show the ICN service can continuously serve high volume requests for contents despite the congestions built by the heavy background traffic. The performance gains in terms of the mean and standard deviation of the content retrieve delay are40.5% and 21.56%.

Boyang Zhou,Chunming Wu,Xiaoyan Hong,Ming Jiang

DOI: https://doi.org/10.1109/ICC.2014.6883789

2014-01-01

Abstract:Programming a network for innovative services or for function improvements has never been easier using Software-Defined Networking (SDN). However, the programming tasks can also be significantly complicated by the asynchrony of data plane states and complexities of service control states. In order to reduce the complexity for programming a network service in Distributed Control Plane of SDN, we propose a proGRAmming Control (GRACE) layer as a generic solution, which provides two key features, namely, reconfigurability and reusability. Their implementations deal with aforementioned challenges, thus to achieve the consistency of the data plane states and the reusability of the service control states at the distributed controllers. This paper introduces the reconfigurability and reusability with their design goals and their impact on the programmability of DCP. We further use two popular network services, ICN (Information-Centric Networking) and CDN (Content Distribution Networks) to illustrate these concepts. NS-3 simulations and PlanetLab emulations are conducted to show the advantage of using the GRACE layer for ICN and CDN. Results show that the ICN Interest delay is reduced by 19.6% and CDN request delay is reduced by 81% in extremely harsh network conditions.

qingang dong,tao li,zhentao liu,lin jiang

2011-01-01

Abstract:Traffic control computation in high speed routers and switches is usually implemented with ad hoc hardware which is not reusable. This paper presents a reconfigurable architecture for network traffic control computations, based on an Augmented Finite State Machine (AFSM) controller, and the architecture is reconfigurable. The implementation of new traffic control features is realized in software, thus relieves the burden on hardware designers. Additionally, several traffic control algorithms in this paper are realized with the architecture to prove its hardware circuit high-speeded, reliable and stable. At last, with the electronic design automation tools (EDA), the frequency of the hardware circuit is up to 260MHz.

Xinyue Jiang,Risheng Deng,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/iThings-GreenCom-CPSCom-SmartData-Cybermatics53846.2021.00035

2021-01-01

Abstract:The large-scale distributed network has exposed increasing attack surfaces to cyber attackers. In this paper, we present a refined network measurement mechanism, called DDoS Collaborative Mitigation Mechanism (DDoSCCM). Based on former achievements in the programmable network, our work aims at capturing the characters of abnormal traffic and presenting an antedating reaction, constrained by limited resources of the switching ASIC. In-band Network Telemetry (INT) technique achieves real-time monitoring of the network by utilizing the device data acquisition on the data plane. Our work helps the network operator not only to learn the status of the network but also to issue an appropriate mitigation strategy faster and more accurately. DDoSCCM aims at delegating both detection and mitigation processes to the programmable switch. Consequently, the theoretical analysis and experimental results show that DDoSCCM can meet practical requirements and have a certain application value.

Cheng Zang,Zhongdong Huang,Gang Chen,Jinxiang Dong

DOI: https://doi.org/10.1109/CSCWD.2006.253234

2006-01-01

Abstract:The access control architecture using state-transfer-based dynamic policy is proposed to make access control more flexible and dynamic. This architecture can dynamically change the policy according to a state-transfer composed of a previous state and a current state. It can indicate the tendency of the system by using both previous and current information in order to decide a more appropriate policy to the current system and future condition. And there are two steps in this dynamic policy method, one is deciding a partial-state and the other one is deciding a state, two dynamic policy decision layers are included into this architecture in order to manage these two steps

Shaoteng Liu,Rebecca Steinert,Dejan Kostic

DOI: https://doi.org/10.1109/noms.2018.8406150

2018-01-01

Abstract:For large-scale programmable networks, flexible deployment of distributed control planes is essential for service availability and performance. However, existing approaches only focus on placing controllers whereas the consequent control traffic is often ignored. In this paper, we propose a black-box optimization framework offering the additional steps for quanti-fying the effect of the consequent control traffic when deploying a distributed control plane. Evaluating different implementations of the framework over real-world topologies shows that close to optimal solutions can be achieved. Moreover, experiments indicate that running a method for controller placement without considering the control traffic, cause excessive bandwidth usage (worst cases varying between 20.1%-50.1% more) and congestion, compared to our approach.

李黎,管晓宏,蔡忠闽,王恒涛

2009-01-01

Abstract:With the new challenges faced by information networks,the reconfigurable networks are becoming more and more important.This paper proposed a framework and an active reconfiguration policy for the reconfigurable network systems,and presented a three-dimensional reconfigurable architecture.By considering the integration of active defense and disaster recovery of critical technologies,it sets up an independent control management strategy,and has good controllability,manageability and adaptability.This architecture also provided the basis for the reconfiguration and architecture-level support.

HX Duan,JP Wu,X Li

DOI: https://doi.org/10.1109/icon.2000.875800

2001-01-01

Journal of Software

Abstract:This paper focus on the issues of management and throughput of firewalls (or screening routers) applied in transit networks. On the one hand, manual configuration of a large amount of firewalls distributed in many access points can not meet the global security requirements in the open and dynamic environment. On the other hand, the ordinal lookup of filtering rules in each individual firewall results in great decrease of throughput. Aimed at a typical transit network and its security policy requirements, a policy-based access control framework (PACF) is proposed. This framework is based on three levels of abstract access control policy: organizational access control policy (OACP), global access control policy (GACP) and local access control policy (LACP). The GACP, which comes from the results of IDSes and search engines according to OACP, is automatically and dynamically distributed to firewalls as LACPs. Each LACP is then enforced by an individual firewall. Some key algorithms for distribution of GACP and enforcement of LACP are described. A hash-based algorithm is proposed, for lookup of filtering rules in LACP. Under an environment with policy requirements described in this paper the new algorithm reduces the time complexity of lookup from O(N) of the traditional sequential algorithm to O(1), which therefore increases largely the throughput of firewalls.

Sicheng Zhao,Deyun Li,Kai Han,Zuqing Zhu

DOI: https://doi.org/10.1109/tnsm.2019.2901278

2019-01-01

IEEE Transactions on Network and Service Management

Abstract:The combination of network virtualization and software-defined networking enables an infrastructure provider to create software-defined virtual networks (vSDNs) over a shared substrate network (SNT), for supporting new network services more timely and cost-effectively. Meanwhile, as both the services and traffic in the Internet are becoming more and more dynamic, how to properly maintain vSDNs in a dynamic network environment exhibits increasing importance but still has not been fully explored. In this paper, we conduct a study on how to realize proactive and hitless vSDN reconfiguration to balance the utilization of ternary content-addressable memory (TCAM) in a dynamic SNT. Specifically, we consider both algorithm design and system prototyping. From the algorithmic perspective, we try to solve the problems of "what to reconfigure" and "how to reconfigure". A selection algorithm is designed to proactively choose the virtual switches (vSWs) that should be migrated to other substrate switches for balancing TCAM utilization, i.e., solving what to reconfigure. Then, for the problem of how to reconfigure, i.e., where to re-map the selected vSWs and the virtual links connecting to them, we formulate a mixed integer linear programming model to solve it exactly, and design two heuristics to improve time efficiency. Next, we move to the system part, implement the proposed algorithms in our protocol-oblivious forwarding enabled network virtualization hypervisor system, and conduct experiments to demonstrate proactive and hitless vSDN reconfiguration. The experimental results indicate that our proposal does make vSDN reconfiguration transparent to the vSDNs' virtual controllers and proactive, and when reconfiguring a vSDN with live traffic, it achieves hitless operations without traffic disruption.

Chenglin Xu,Cheng Xu,Bo Li,Siqi Li,Tao Li

DOI: https://doi.org/10.1016/j.comnet.2023.109900

IF: 5.493

2023-06-25

Computer Networks

Abstract:Software-defined networks (SDNs) can improve network resource utilization and optimize the performance of mobile cloud-edge computing networks (MECCNs) through unified and flexible network management. However, network traffic in MECCNs can change over time and space, which affects the performance of the control plane in an SDN. Further, an MECCN may require the temporary addition of network access points, further reducing the network management capabilities of the control plane. To ensure that the control plane can handle the constant changes in network traffic, adapt to dynamic changes in network access points, and provide continuous and efficient network management functions, this study focuses on the dynamic controller placement problem in SDN-enabled MECCNs. We study the deployment of a two-layer control plane and accordingly construct the corresponding delay, load balancing, and control reliability models. Next, we construct a joint optimization problem considering the developed delay, load balancing, and control reliability, and solve this problem using an algorithm based on the deep deterministic policy gradient algorithm. The experimental results demonstrate that the proposed algorithm outperforms other algorithms on a variable-node network.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Shaoteng Liu,Rebecca Steinert,Natalia Vesselinova,Dejan Kostic

DOI: https://doi.org/10.1109/access.2020.2984500

IF: 3.9

2020-01-01

IEEE Access

Abstract:Current trends strongly indicate a transition towards large-scale programmable networks with virtual network functions. In such a setting, deployment of distributed control planes will be vital for guaranteed service availability and performance. Moreover, deployment strategies need to be completed quickly in order to respond flexibly to varying network conditions. We propose an effective optimization approach that automatically decides on the needed number of controllers, their locations, control regions, and traffic routes into a plan which fulfills control flow reliability and routability requirements, including bandwidth and delay bounds. The approach is also fast: the algorithms for bandwidth and delay bounds can reduce the running time at the level of 50x and 500x, respectively, compared to state-of-the-art and direct solvers such as CPLEX. Altogether, our results indicate that computing a deployment plan adhering to predetermined performance requirements over network topologies of various sizes can be produced in seconds and minutes, rather than hours and days. Such fast allocation of resources that guarantees reliable connectivity and service quality is fundamental for elastic and efficient use of network resources.

Duan Haixin,Wu Jianping,Li Xing

2001-01-01

Abstract:Efforts of this paper focus on the issues about management and throughput of firewalls (or screening routers) applied in transit networks. On the one hand, manual configuration of large amount of firewalls distributed in many access points can not meet the global security requirements in the open and dynamic environment. On the other hand, the ordinal lookup of filtering rules in each individual firewall results in great decrease of throughput. Aimed at a typical transit network and its security policy requirements, a policy-based access control framework (PACF) is proposed in this paper. This framework is based on three levels of abstract access control policy: organizational access control policy (OACP), global access control policy (GACP) and local access control policy (LACP). The GACP, which comes from the results of IDSes and search engines according to OACP, is automatically and dynamically distributed to firewalls as LACPs. Each LACP is then enforced by an individual firewall. Some key algorithms for distribution of GACP and enforcement of LACP are described. A hash-based algorithm is proposed, for lookup of filtering rules in LACP. Under the environment with policy requirements described in this paper, the new algorithm reduces the time complexity of lookup from O (N) of traditional sequential algorithm to O (1), which therefore increases largely the throughput of firewalls.

Andrea Bianco,Paolo Giaccone,Seyedaidin Kelki,Nicolas Mejia Campos,Stefano Traverso,Tianzhu Zhang

DOI: https://doi.org/10.1109/icc.2017.7997297

2017-01-01

Abstract:The novel “stateful” approach in Software Defined Networking (SDN) provides programmable processing capabilities within the switches to reduce the interaction with the SDN controller and thus improve the scalability and the performance of the network. In our work we consider specifically the stateful extension of OpenFlow that was recently proposed, called Open-State, that allows to program simple state machines in almost-standard OpenFlow switches. We consider a reactive traffic control application that reacts to the traffic flows which are identified in real-time by a generic traffic classification engine. We devise an architecture in which an OpenState-enabled switch sends the minimum number of packets to the traffic classifier, in order to minimize the load on the classifier and improve the scalability of the approach. We design two stateful approaches to minimize the memory occupancy in the flow tables of the switches. Finally, we validate experimentally our solutions and estimate the required memory for the flow tables.

Yao Xin,Chengjun Jia,Wenjun Li,Ori Rottenstreich,Yang Xu,Gaogang Xie,Zhihong Tian,Jun Li

DOI: https://doi.org/10.1109/tc.2024.3477955

IF: 3.183

2024-01-01

IEEE Transactions on Computers

Abstract:Access Control Lists (ACLs) are crucial for ensuring the security and integrity of modern cloud and carrier networks by regulating access to sensitive information and resources. However, previous software and hardware implementations no longer meet the requirements of modern datacenters. The emergence of FPGA-based SmartNICs presents an opportunity to offload ACL functions from the host CPU, leading to improved network performance in datacenter applications. However, previous FPGA-based ACL designs lacked the necessary flexibility to support different rulesets without hardware reconfiguration while maintaining high performance. In this paper, we propose HACL, a heterogeneous and adaptive architecture for decision-tree-based ACL engine on FPGA. By employing techniques such as tree decomposition and recirculated pipeline scheduling, HACL can accommodate various rulesets without reconfiguring the underlying architecture. To facilitate the efficient mapping of different decision trees to memory and optimize the throughput of a ruleset, we also introduce a heterogeneous framework with a compiler in CPU platform for HACL. We implement HACL on a typical SmartNIC and evaluate its performance. The results demonstrate that HACL achieves a throughput exceeding 260 Mpps when processing 100K-scale ACL rulesets, with low hardware resource utilization. By integrating more engines, HACL can achieve even higher throughput and support larger rulesets.

Liang Wang,Leibo Liu,Jie Han,Xiaohang Wang,Shouyi Yin,Shaojun Wei

DOI: https://doi.org/10.1109/tpds.2019.2940190

IF: 5.3

2020-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:The communication behaviors in NoCs of chip-multiprocessors exhibit great spatial and temporal variations, which introduce significant challenges for the reconfiguration in NoCs. Existing reconfigurable NoCs are still far from ideal reconfiguration scenarios, in which globally reconfigurable interconnects can be immediately reconfigured to provide bandwidths on demand for varying traffic flows. In this paper, we propose a hybrid NoC architecture that globally reconfigures the ring-based interconnect to adapt to the varying traffic flows with a high flexibility. The ring-based interconnect has the following advantages. First, it includes horizontal rings and vertical rings, which can be dynamically combined or split to provide low-latency channels for heavy traffic flows. Second, each combined ring connects a number of nodes, thereby improving both the utilization of each ring and the probability to reuse previous reconfigurable interconnects. Finally, the reconfiguration algorithm has a linear-time complexity and can be implemented using a low-overhead hardware design, making it possible to achieve a fast reconfiguration in NoCs. The experimental results show that compared to recent reconfigurable NoCs, the proposed NoC architecture can greatly improve the saturation throughput for synthetic traffic patterns, and reduce the packet latency over 40 percent for realistic benchmarks without incurring significant area and power overhead.

Xinhao Deng,Mingwei Xu,Qi Li,Weijie Wu,Yuan Yang,Menghao Zhang,Yu Zhou,Jianping Wu

DOI: https://doi.org/10.1109/tnsm.2024.3422092

2024-08-25

IEEE Transactions on Network and Service Management

Abstract:Ternary Content Addressable Memory (TCAM) enables fast lookup and is widely used by routers and switches to support policy-based forwarding. Due to high cost and small capacity, only a small subset of important rules can be cached in TCAM, so determining it is critical to increasing the hit ratio. This is more challenging than traditional caching problems because of complicated rule dependency relationships. Existing works are based on heuristics and they don't work well under all practical scenarios. Worse still, the lack of fundamental understanding of the design space, complexity, and optimality makes all explorations in mystery. In this paper, we use a modeling-based method to formulate the problem, prove its complexity, and propose DROPS, a dynamic rule caching framework with a much higher hit ratio. In particular, we deduce the rule selection problem into a multi-dimensional rule space transformation problem. Thus, we are no longer limited by using the intrinsic rules; rather, we can transform original rules into "new rules" equivalently without rule dependency. We design non-trivial rule placement and update algorithms and implement them in programmable switches. In the experimental evaluation, we show that our method outperforms all existing methods.

computer science, information systems

Zichao Zhou,Changqing An,Jiahai Yang

DOI: https://doi.org/10.1109/icccas.2018.8768952

2018-01-01

Abstract:The operation and management of network is facing increasing complexities brought by the evolution of network protocols and the demands of rapid service delivery. In this paper, we propose a programmable network management architecture, which manages network based on NETCONF protocol and provides REST APIs to upper layer so that further programming can be done based on the APIs to implement flexible management. Functions of devices can be modeled based on YANG language, and the models can be translated into REST APIs. We apply it to the management of ADN (Address Driven Network), an innovative network architecture proposed by Tsinghua University to inhibit IP spoofing, improve network security and provide high service quality. We model the functions of ADN based on YANG language, and implement the network management functions based on the REST APIs. We deploy and evaluate it in a laboratory environment. Test result shows that the programmable network management architecture is flexible to implement management for new network services.

Zhang Peng,Chen Xiangning,Ge Yun,Jin Lin

DOI: https://doi.org/10.1049/cje.2016.06.004

IF: 1.019

2016-01-01

Chinese Journal of Electronics

Abstract:After studying the routing and forwarding process of network stream and the implementation of SDN, we propose a retractable management model for flow table. A structure with parallel tables and synthesis processing is proposed according to the feature of SDN and traditional network. The parallel tables share the same storage resources. Thanks to the separation of data plane and control plane, control plane owns more computing resources than traditional device. It evaluates the role of nodes and the action of network flows, makes adjustment according to the historical and current information and streamlines flow tables by consolidating and simplifying old flow entries. Through simulation, it is proved that the realized method can defend offensive traffic while ensuring the safety of accessing and forwarding, especially existing blocking attack.

Bo Yan,Yang Xu,H. Jonathan Chao

DOI: https://doi.org/10.1109/jsac.2018.2871296

IF: 16.4

2018-01-01

IEEE Journal on Selected Areas in Communications

Abstract:Enforcing network policies is critical for service deployments over software-defined networks (SDN). Most existing studies suggest proactively compiling policies into flow entries in the data plane and updating the installed entries when necessary. With a growing amount of applications, taking a proactive approach may overflow underlying switch memory. Meanwhile, certain policies can be frequently updated. Such updates may propagate across configurations in the network, leading to a long time for correctness validation. To improve both the scalability and the flexibility of SDN policy enforcement, we advocate reactively deploying network policies in the data plane. To this end, we propose a network-wide policy enforcement framework named BigMaC. BigMaC advertises a neat policy model for network managers to specify various network policies as rules. It then caches the rules as flow entries in the switches reactively on demand. One major challenge for the BigMaC design is to guarantee the consistency of defined policies and cached entries in the network. To maintain consistency with efficient table usage and simple updates, we group rules into buckets and perform rule caching in the unit of buckets. With trace-driven simulations, we verify that BigMaC can significantly save table space and reduce update complexity compared to prior proposals.