Periodic Reporting for period 2 - BEBA (Behavioral Based Forwarding)
Periodo di rendicontazione: 2016-02-01 al 2017-03-31
Software Defined Networking relies on logically centralized control systems that collect information and events from the network. Unfortunately, the static nature of the forwarding abstraction on which SDN data plane nodes are based, necessarily requires the intervention of a controller for any forwarding rule change, even for those that are related to changes of local states (i.e. confined within a single data plane device) representing the current networking conditions.
Three fundamental drawbacks emerge. The most obvious regards performance and scalability limitations related to (i) the unnecessary delay required to update the forwarding rules and (ii) the single computational bottleneck introduced by a centralized controller.
Second, such approach brings about security and reliability implications, as the communication channel between a remote control entity and the switch can be severely impaired by targeted denial of service attacks or link physical failures.
Finally, the “dumb nature” of traditional SDN switches results in dramatic functional limitations that impede the deployment of real time, self-adapting monitoring and mitigation applications directly in the fast path.
BEBA aims at providing the unprecedented ability to program, in a platform-agnostic manner, not only “just” plain forwarding rules, but also dynamic (custom) states determining which forwarding rules should be applied at a given time, and the relevant policies formalizing how states should evolve.
By introducing intelligence directly into the data plane nodes, BEBA will free SDN programmers from having to necessarily rely on the centralized controller intervention to implement more complex forwarding strategies.
Moreover BEBA will therefore permit organizations and network operators to deploy part of their stateful flow processing operations directly on the fast data path and inside the switch. This will dramatically improve the ability to instantly (i.e. at real-time, packet-level, temporal time-scale) modify the forwarding data plane in reaction to specific packet-level events, and in front of sudden changes or anomalies in the traffic behaviour, including attacks.
BEBA will start from defining novel use case application scenarios and requirements, which will inspire the extension of the basic SDN match/action forwarding behavior into more complex approaches based on eXtended Finite State Machines.
In a second phase, the project has focused on something much more ambitious. BEBA will aim at transforming a switch into a sort of network/flow processor programmed through a platform-independent abstraction. Our belief is that this can be accomplished by further introducing the ability to store temporary data into “memory registries” associated to flow entries, and provide the ability to enforce state transitions only if conditions on such registries are satisfied, as well as support registry updates upon the occurrence of events and/or state transitions.
According to such novel abstraction, BEBA will extend the data plane and control plane mechanisms, data structures and protocols and on top of these will allow the deployment of novel monitoring security and innovative forwarding applications.
Three fundamental drawbacks emerge. The most obvious regards performance and scalability limitations related to (i) the unnecessary delay required to update the forwarding rules and (ii) the single computational bottleneck introduced by a centralized controller.
Second, such approach brings about security and reliability implications, as the communication channel between a remote control entity and the switch can be severely impaired by targeted denial of service attacks or link physical failures.
Finally, the “dumb nature” of traditional SDN switches results in dramatic functional limitations that impede the deployment of real time, self-adapting monitoring and mitigation applications directly in the fast path.
BEBA aims at providing the unprecedented ability to program, in a platform-agnostic manner, not only “just” plain forwarding rules, but also dynamic (custom) states determining which forwarding rules should be applied at a given time, and the relevant policies formalizing how states should evolve.
By introducing intelligence directly into the data plane nodes, BEBA will free SDN programmers from having to necessarily rely on the centralized controller intervention to implement more complex forwarding strategies.
Moreover BEBA will therefore permit organizations and network operators to deploy part of their stateful flow processing operations directly on the fast data path and inside the switch. This will dramatically improve the ability to instantly (i.e. at real-time, packet-level, temporal time-scale) modify the forwarding data plane in reaction to specific packet-level events, and in front of sudden changes or anomalies in the traffic behaviour, including attacks.
BEBA will start from defining novel use case application scenarios and requirements, which will inspire the extension of the basic SDN match/action forwarding behavior into more complex approaches based on eXtended Finite State Machines.
In a second phase, the project has focused on something much more ambitious. BEBA will aim at transforming a switch into a sort of network/flow processor programmed through a platform-independent abstraction. Our belief is that this can be accomplished by further introducing the ability to store temporary data into “memory registries” associated to flow entries, and provide the ability to enforce state transitions only if conditions on such registries are satisfied, as well as support registry updates upon the occurrence of events and/or state transitions.
According to such novel abstraction, BEBA will extend the data plane and control plane mechanisms, data structures and protocols and on top of these will allow the deployment of novel monitoring security and innovative forwarding applications.
During the second reporting period the project has:
1. Specified the BEBA Full XFSM abstraction, API and PoC implementation
2. Accelerated the BEBA componetns in 3 different implementations
3. Defined a formal verification tool
4. Provided a security assessment of the stateful paradigm
5. Designed and verified new ”advanced” use cases
6. Impacted the ONF standardization community
7. Contributed to several open source projects
8. Assesed the project results in both emulated and real world environments
These results coincide with the following achieved milestones:
M5: Full specification prototype, WP2, WP3, Month 21
M6: Prototype demo, performance assessment, D2.4 D3.4
M7: Final validation, WP6, Month 27
M8: Standardization and disseminations activities finalization
1. Specified the BEBA Full XFSM abstraction, API and PoC implementation
2. Accelerated the BEBA componetns in 3 different implementations
3. Defined a formal verification tool
4. Provided a security assessment of the stateful paradigm
5. Designed and verified new ”advanced” use cases
6. Impacted the ONF standardization community
7. Contributed to several open source projects
8. Assesed the project results in both emulated and real world environments
These results coincide with the following achieved milestones:
M5: Full specification prototype, WP2, WP3, Month 21
M6: Prototype demo, performance assessment, D2.4 D3.4
M7: Final validation, WP6, Month 27
M8: Standardization and disseminations activities finalization
Progress beyond the state of the art
During the second reporting period, the project developed both a hardware and software proof of concept implementation of a data plane API able to implement a FULL XFSM and the internal flow computing architecture, including the integration with an existing SDN controller. This is a important progress with respect to the state of the art, since the project reached the goal of providing a usable configurable stateful BEBA forwarding abstraction using a few simple architectural extensions to the standard OpenFlow pipeline.
The project focused also on the software acceleration of the BEBA abstraction. In this field, both the use of PFQ packet I/O acceleration framework to improve ofsoftswitch and the netmap packet I/O acceleration framework to accelerate Open vSwitch has been investigated. Moreover, BEBA has accelerated the BEBA components in 3 different implementations: a PFQ based user space implementation, a NMAP based kernel implementation and a eBPF kernel implementation.
The project also innovated in the support and manage of control tasks, identifying the separation between the switch level control tasks to be directly implemented inside the BEBA nodes and the global SDN controller tasks. For this to happen, we designed a bi-directional API that formalizes the signaling between the controller and the switches.
From the application point of view, the projects identified several network-wide and node-level middlebox-type applications to be implemented according to the proposed BEBA abstraction.
The network-wide applications will take benefit from the BEBA advanced functionalities running into multiple BEBA nodes, while the node-level middlebox-type applications will highlight the benefits offered by BEBA advanced functionalities running in a single BEBA node. Examples of network-wide applications applications are the ARP replyer application, the automatic link failover application and, for the node-level application the local remediation to TCP SYN flooding attacks.
Impact
The project accurately disseminated the results of the project’s activities to ensure that these results have a positive impact on the research community. These activities has been carried out through publications, participation in technical meeting and organisation of academic events and standardisation efforts. Moreover, the project deployed a website, mostly meant for external contacts. With its website the BEBA consortium wants to inform the stakeholders about the project status and results.
The scientific publications of the project (22 between conference and journal publications for the entire project) are inline and exceeds the originally planned objectives for quality and quantity.
The project has been very active in the academic dissemination: project partners as participated in 27 dissemination activities among demonstrations, tutorials and invited talks.
For the standardization activities the project members proposed both OpenState and in-switch packet generation as an extension to be included in the OpenFlow 1.6 specification. Both of them have been accepted as work items by the ONF. As per ONF ways of working two tickets (EXT-562 and EXT-563, links require a ONF JIRA account, only available to members) have been created to track and document discussion around the proposed extension.
During the second reporting period, the project developed both a hardware and software proof of concept implementation of a data plane API able to implement a FULL XFSM and the internal flow computing architecture, including the integration with an existing SDN controller. This is a important progress with respect to the state of the art, since the project reached the goal of providing a usable configurable stateful BEBA forwarding abstraction using a few simple architectural extensions to the standard OpenFlow pipeline.
The project focused also on the software acceleration of the BEBA abstraction. In this field, both the use of PFQ packet I/O acceleration framework to improve ofsoftswitch and the netmap packet I/O acceleration framework to accelerate Open vSwitch has been investigated. Moreover, BEBA has accelerated the BEBA components in 3 different implementations: a PFQ based user space implementation, a NMAP based kernel implementation and a eBPF kernel implementation.
The project also innovated in the support and manage of control tasks, identifying the separation between the switch level control tasks to be directly implemented inside the BEBA nodes and the global SDN controller tasks. For this to happen, we designed a bi-directional API that formalizes the signaling between the controller and the switches.
From the application point of view, the projects identified several network-wide and node-level middlebox-type applications to be implemented according to the proposed BEBA abstraction.
The network-wide applications will take benefit from the BEBA advanced functionalities running into multiple BEBA nodes, while the node-level middlebox-type applications will highlight the benefits offered by BEBA advanced functionalities running in a single BEBA node. Examples of network-wide applications applications are the ARP replyer application, the automatic link failover application and, for the node-level application the local remediation to TCP SYN flooding attacks.
Impact
The project accurately disseminated the results of the project’s activities to ensure that these results have a positive impact on the research community. These activities has been carried out through publications, participation in technical meeting and organisation of academic events and standardisation efforts. Moreover, the project deployed a website, mostly meant for external contacts. With its website the BEBA consortium wants to inform the stakeholders about the project status and results.
The scientific publications of the project (22 between conference and journal publications for the entire project) are inline and exceeds the originally planned objectives for quality and quantity.
The project has been very active in the academic dissemination: project partners as participated in 27 dissemination activities among demonstrations, tutorials and invited talks.
For the standardization activities the project members proposed both OpenState and in-switch packet generation as an extension to be included in the OpenFlow 1.6 specification. Both of them have been accepted as work items by the ONF. As per ONF ways of working two tickets (EXT-562 and EXT-563, links require a ONF JIRA account, only available to members) have been created to track and document discussion around the proposed extension.