Pub Date: 2023-06-19. DOI: 10.1109/NetSoft57336.2023.10175487
Julia Kułacz, Martyna Pawlus, Leonardo Boldrini, P. Grosso
This paper examines the Flexible Algorithm (FlexAlgo) for its potential to enable user-driven path control in intra-domain Segment Routing (SR) enabled networks. FlexAlgo is a relatively new approach to intra-domain routing that allows multiple custom algorithms to coexist within a single domain. This capability has the potential to provide users with greater control over the paths their data takes through a network. The research includes a thorough investigation of the FlexAlgo approach, including an examination of its underlying techniques, as well as a practical implementation of a FlexAlgo-based solution. We depict performed experiments where we implemented FlexAlgo in three different scenarios. We also present how we developed an automated tool for users to control traffic steering using preferred metrics and constraints. The results of this investigation demonstrate the capabilities of FlexAlgo as a means of enabling user-driven path control and therefore increase security and trust of users towards the network.
Title: Investigation of FlexAlgo for User-driven Path Control. Published in: 2023 IEEE 9th International Conference on Network Softwarization (NetSoft).
Pub Date: 2023-06-19. DOI: 10.1109/NetSoft57336.2023.10175472
Henrique B. Brum, C. R. P. D. Santos, T. Ferreto
Network monitoring is fundamental for the correct and expected functioning of today’s large computer networks, as it allows network operators to identify disruptive flows, such as microbursts and elephant flows. In-band Network Telemetry (INT) has become one of the main tools for collecting network information in recent years. By piggybacking information using data plane packets, INT can deliver real-time network statistics to monitoring applications. However, INT’s fine granularity comes with a high network overhead cost, especially when monitoring high-throughput flows. Knowing this limitation, this paper focuses on accurately collecting network statistics using INT while keeping the telemetry overhead to a minimum for two monitoring applications: microburst and elephant flow detection. To this end, we present DINT, a Dynamic INT algorithm capable of collecting fine-grained network metrics with minimum telemetry overhead that adapts itself to the latest network developments. We evaluated DINT against two other algorithms for the microburst and the elephant flow monitoring scenarios. The evaluation results showed that DINT offers higher adaptability than other techniques, providing a more accurate network view while requiring fewer telemetry data and, consequently, improving the performance of the monitoring applications.
Title: Providing Fine-grained Network Metrics for Monitoring Applications using In-band Telemetry. Published in: 2023 IEEE 9th International Conference on Network Softwarization (NetSoft).
Pub Date: 2023-06-19. DOI: 10.1109/NetSoft57336.2023.10175397
Csaba Györgyi, S. Laki, Stefan Schmid
Data plane programming gained much attention in the past years, having a fast-growing community both in academia and industry. Many tools have emerged to simplify and/or help the development of reliable data plane programs, including fuzzing, formal verification, and different code generators. However, even the tools themselves must be verified to meet the most stringent dependability requirements. In this paper, we investigate various tools and methods to verify code generators leveraging P4 through the example of P4RROT (an open source code generator focusing on the application layer). We show that our approach is efficient and can indeed successfully find bugs. We identify two bugs and propose reusable ideas, such as the use of ghost code.
Title: Toward Highly Reliable Programmable Data Planes: Verification of P4 Code Generation. Published in: 2023 IEEE 9th International Conference on Network Softwarization (NetSoft).
Pub Date: 2023-06-19. DOI: 10.1109/NetSoft57336.2023.10175414
Javier Palomares, Estefanía Coronado, C. Cervelló-Pastor, S. Siddiqui
Edge to Cloud Continuum is a concept that integrates cloud computing and cellular networks that has been gaining popularity due to its potential to provide a seamless user experience and address the challenges of managing complex multi-domain networks involving massive IoT devices. Enabling intelligence in the Edge to Cloud Continuum can further enhance its capabilities, offering benefits such as reduced latency, improved scalability, enhanced resource utilization, and increased context awareness. This paper provides insights into the opportunities and challenges of enabling intelligence in Edge to Cloud Continuum, highlighting the potential of this technology. This study presents a comprehensive review of the existing literature on enabling intelligence in Edge to Cloud Continuum, to reach the research questions that will construct the PhD. Various tools and technologies that can be used to integrate intelligence into the Edge to Cloud Continuum system were explored and analyzed. In addition, this study provides a detailed work plan for the upcoming months of the project.
Title: Enabling Intelligence Inclusiveness in Edge to Cloud Continuum: Challenges and Opportunities. Published in: 2023 IEEE 9th International Conference on Network Softwarization (NetSoft).
Pub Date: 2023-06-19. DOI: 10.1109/NetSoft57336.2023.10175468
Chenxing Ji, F. Kuipers
To cater to constantly changing network needs, enabling stateful reconfiguration of Network Functions (NFs) is crucial. Recently, there has been growing interest in offloading NFs to programmable network devices. Unfortunately, it is currently not possible to maintain the full state of NFs during a switch reconfiguration without consuming network resources from and to neighboring switches. In this paper, we present State4, a framework that maintains the state of P4 programs during the reconfiguration of a P4-programmable network device, by only using a small amount of local resources on the switch undergoing reconfiguration. State4 acts on both the in-switch control-plane and the data-plane. By utilizing the in-switch local controller, State4 requires no external network resources to achieve reconfiguration while preserving states. As such, State4 enables on-the-fly reconfiguration of stateful NFs, at minimal traffic disruption, where previously traffic had to be re-routed.
Title: State4: State-preserving Reconfiguration of P4-programmable Switches. Published in: 2023 IEEE 9th International Conference on Network Softwarization (NetSoft).
A data processor having an execution unit and which includes a control means having a first and a second control store. The control means has an input for receiving a control store address. In response to the received control store address, the first control store provides sequencing information at a first output for selecting the next control store address. Also, in response to the received control store address, the second control store supplies control information at a second output for controlling the execution unit. The data processor also includes means for receiving a macroinstruction and selection means responsive to the macroinstruction and to the sequencing information for generating the control store address. In a preferred embodiment, the control store address is received by both the input of the first control store and the input of the second control store. Each control word in the first control store has a unique control store address. However, a control word, in the second control store may be selected by many different control store addresses.
Title: Message from the Chairs. Authors: D. Kidder. DOI: 10.1109/TIME.2005.27. Published in: 2023 IEEE 9th International Conference on Network Softwarization (NetSoft).
Pub Date: 2023-06-19. DOI: 10.1109/NetSoft57336.2023.10175486
Francesco Settanni, L. Regano, C. Basile, A. Lioy
This paper presents an approach to the automatic remediation of threats reported by Cyber Threat Intelligence. Remediation strategies, named Recipes, are expressed in a close-to-natural language for easy validation. Thanks to the developed models, they are interpreted, contextualized, and then translated into CACAO Security playbooks, a standard format ready for automatic enforcement, without human intervention. The presented approach also allows sharing of remediation procedures on threat-sharing platforms (e.g. MISP) which improves the overall security posture. The effectiveness of the approach has been tested in the context of two EC-funded projects.
Title: A Model for Automated Cybersecurity Threat Remediation and Sharing. Published in: 2023 IEEE 9th International Conference on Network Softwarization (NetSoft).
Pub Date: 2023-06-19. DOI: 10.1109/NetSoft57336.2023.10175476
Radhika Sukapuram, Sikha Deka
In Multi-access Edge Computing, services are hosted at the edge of the network to reduce latency and congestion. Services comprise Network Functions which provide security and optimize the network, and signalling and data processing functions. Services are chained to constitute Service Function Chains (SFCs). For latency-critical applications or when the cloud is inaccessible, we posit that all the services of an SFC must be cached at the edge. Since services may be common across SFCs and require resources, the set of services to evict when the cache is full must be chosen such that as many SFCs as possible have all their services cached. We call this the SFC Cache Replacement Problem (SFC-CRP) and argue that measuring the service hit rate is insufficient. For the first time, we define the problem, quantify how to measure whether all the services of an SFC are cached at the edge and formulate it as an optimization problem. We implement the solution and demonstrate its effectiveness over a simple LRU heuristic by evaluations using datasets which we have derived from real (Alibaba) cluster traces.
Title: Edge Service Caching for Service Function Chains. Published in: 2023 IEEE 9th International Conference on Network Softwarization (NetSoft).
Pub Date: 2023-06-19. DOI: 10.1109/NetSoft57336.2023.10175459
Daniele Bringhenti, R. Sisto, Fulvio Valenza
Nowadays virtual computer networks are characterized by high dynamism and complexity. However, these features made the traditional manual approaches for network security management error-prone, unoptimized and time-consuming. This paper discusses the research carried out during my Ph.D. program on network security automation. In particular, it presents an approach based on constraint programming that combines automation, formal verification, and optimization for network security management. This approach has been proved to be general enough by means of multiple applications that have been developed. In particular, this paper describes VEREFOO, a framework for the automatic configuration of security functions, and FATO, a framework for the automatic orchestration of security transients. This methodology is extensively evaluated using different metrics and tests, and it has been compared to state-of-the-art solutions and to the requirements of dynamic virtual networks.
Title: Towards Security Automation in Virtual Networks. Published in: 2023 IEEE 9th International Conference on Network Softwarization (NetSoft).