Title: Provenance for Intent-Based Networking
Intent-based networking (IBN) promises to simplify network management and the automated orchestration of high-level policies in future networking architectures such as software-defined networking (SDN). However, such abstraction and automation create new network visibility challenges. Existing SDN network forensics and diagnostics tools operate at a lower level of network abstraction, which makes intent-level reasoning difficult. We present PROVINTENT, a framework extension for SDN control plane tools that accounts for intent semantics. PROVINTENT records the provenance and evolution of intents as the network’s state and apps’ requests change over time, and enables reasoning at multiple abstractions. We define an intent provenance model, we implement a proof-of-concept tool, and we evaluate the efficacy of PROVINTENT’s explanatory capabilities by using a representative intent-driven network application.
Award ID(s):
1657534 1750024
NSF-PAR ID:
10146534
Journal Name:
Proceedings of the IEEE Conference on Network Softwarization
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. Software-defined networking (SDN) has emerged as a flexible network architecture for central and programmatic control. Although SDN can improve network security oversight and policy enforcement, ensuring the security of SDN from sophisticated attacks is an ongoing challenge for practitioners. Existing network forensics tools attempt to identify and track such attacks, but holistic causal reasoning across control and data planes remains challenging. We present PicoSDN, a provenance-informed causal observer for SDN attack analysis. PicoSDN leverages fine-grained data and execution partitioning techniques, as well as a unified control and data plane model, to allow practitioners to efficiently determine root causes of attacks and to make informed decisions on mitigating them. We implement PicoSDN on the popular ONOS SDN controller. Our evaluation across several attack case studies shows that PicoSDN is practical for the identification, analysis, and mitigation of SDN attacks.
  2. One of the goals of Software-Defined Networking (SDN) is to allow users to specify high-level policies that are translated into lower-level network rules. Managing a network and deciding which policy set is appropriate, however, requires expertise and low-level know-how. An emerging SDN paradigm is to let users express higher-level network decisions in the form of “intents”. Despite its importance in simplifying network management, intent specification is not yet standardized. In this work, we propose a northbound interface (NBI) for intent declaration based on Behavior-Driven Development. In our approach, intents are specified in plain English and translated by our system into pre-compiled network policies, which are in turn converted into low-level rules by the software-defined infrastructure, e.g. an SDN controller. We demonstrated our behavior-driven approach with two practical use cases: service function chaining deployed on OpenStack, supported by both ONOS and Ryu controllers, and dynamic firewall programming. We also measured the overhead and response time of our NBI. We believe that our approach is far more general and paves the way for a more expressive and simplified northbound interface for intent-driven networking.
  3. Poster Abstract: To interconnect research facilities across wide geographic areas, network operators deploy science networks, also referred to as Research and Education (R&E) networks. These networks allow experimenters to establish dedicated network connections between research facilities for transferring large amounts of data. Recently, R&E networks have started using Software-Defined Networking (SDN) and Software Defined Exchanges (SDX) for deploying these connections. AtlanticWave/SDX is a response to the growing demand to support end-to-end network services spanning multiple SDN domains. However, requesting these services is a challenging task for domain-expert scientists, because the interfaces of the R&E networks have been developed by network operators for network operators. In this paper, we propose interfaces that allow domain-expert scientists to reserve resources of the scientific network using abstractions that focus on their data transfer needs for scientific workflow management. Recent trends in the networking field pursue better interfaces for requesting network services (e.g., intent-based networking). Although intents are sufficient for the needs of network operations, they are not abstract enough in most cases to be used by domain-expert scientists. This is an issue we are addressing in the AtlanticWave/SDX design: network operators and domain-expert scientists will have their own interfaces focusing on their specific needs.
  4. Software Defined Networking (SDN) and Network Function Virtualization (NFV) are transforming Data Center (DC), Telecom, and enterprise networking. The programmability offered by P4 enables SDN to be more protocol-independent and flexible. Data Centers are increasingly adopting SmartNICs (sNICs) to accelerate packet processing, which can be leveraged to support packet processing pipelines and custom Network Functions (NFs). However, there are several challenges in integrating and deploying P4-based SDN control as well as host- and sNIC-based programmable NFs. These include configuration and management of the data plane components (host and sNIC P4 switches) for the SDN control plane and effective utilization of data plane resources. P4NFV addresses these concerns and provides a unified P4 switch abstraction framework that simplifies the SDN control plane, reduces management complexity, and leverages a host-local SDN Agent to improve overall resource utilization. The SDN agent considers the network-wide, host-, and sNIC-specific capabilities and constraints. Based on workload and traffic characteristics, P4NFV determines the partitioning of the P4 tables and the optimal placement of NFs (P4 actions) to minimize the overall delay and maximize resource utilization. P4NFV uses a Mixed Integer Linear Programming (MILP) based optimization formulation and achieves up to a 2.5X increase in system capacity while minimizing the delay experienced by flows. P4NFV considers the number of packet exchanges, flow size, and state dependency to minimize the delay imposed by data transmission over the PCI Express interface.