Proceedings of the 2019 ACM Symposium on SDN Research: Latest Publications

eZTrust: Network-Independent Zero-Trust Perimeterization for Microservices
Proceedings of the 2019 ACM Symposium on SDN Research, Pub Date: 2019-04-03, DOI: 10.1145/3314148.3314349
Zirak Zaheer, Hyunseok Chang, S. Mukherjee, J. Merwe
Abstract: Emerging microservices-based workloads introduce new security risks in today's data centers as attacks can propagate laterally within the data center relatively easily by exploiting cross-service dependencies. As countermeasures for such attacks, traditional perimeterization approaches, such as network-endpoint-based access control, do not fare well in highly dynamic microservices environments (especially considering the management complexity, scalability and policy granularity of these earlier approaches). In this paper, we propose eZTrust, a network-independent perimeterization approach for microservices. eZTrust allows data center tenants to express access control policies based on fine-grained workload identities, and enables data center operators to enforce such policies reliably and efficiently in a purely network-independent fashion. To this end, we leverage eBPF, the extended Berkeley Packet Filter, to trace authentic workload identities and apply per-packet tagging and verification. We demonstrate the feasibility of our approach through extensive evaluation of our proof-of-concept prototype implementation. We find that, when comparable policies are enforced, eZTrust incurs 2--5 times lower packet latency and 1.5--2.5 times lower CPU overhead than traditional perimeterization schemes.
Citations: 33
Say No to Rack Boundaries: Towards A Reconfigurable Pod-Centric DCN Architecture
Proceedings of the 2019 ACM Symposium on SDN Research, Pub Date: 2019-04-03, DOI: 10.1145/3314148.3314350
Ding-Xue Wu, Weitao Wang, Ang Chen, T. Ng
Abstract: Data center networks are designed to interconnect large clusters of servers. However, their static, rack-based architecture poses many constraints. For instance, due to over-subscription, bandwidth tends to be highly unbalanced---while servers in the same rack enjoy full bisection bandwidth through a top-of-rack (ToR) switch, servers across racks have much more constrained bandwidth. This translates to a series of performance issues for modern cloud applications. In this paper, we propose a rackless data center (RDC) architecture that removes this fixed "rack boundary". We achieve this by inserting circuit switches at the edge layer, and dynamically reconfiguring the circuits to allow servers from different racks to form "locality groups". RDC optimizes the topology between servers and edge switches based on the changing workloads, and achieves lower flow completion times and improved load balance for realistic workloads.
Citations: 6
NUTS: Network Updates in Real Time Systems
Proceedings of the 2019 ACM Symposium on SDN Research, Pub Date: 2019-04-03, DOI: 10.1145/3314148.3318051
Saif U. N. Noor Prottoy, D. Saucez, W. Dabbous
Abstract: Factories need to adapt their communication networks to versatile customer-driven markets. Software defined networking enables a programmatic approach that provides modularity and flexibility, and paves the road for behavior certification. Previous works proposed rigorous programming languages and abstractions offering safety properties and verification in best-effort environments. In this work, we propose an approach to provide live updates of network element behavior while respecting real-time constraints. During the network updates, the traffic can be deviated to devices not involved in the desired upgrade, ensuring that communication invariants and software requirements are always taken into account. We leverage Temporal NetKAT to write network-wide programs and P4 annotations to give indications on the impact of the implementation on deterministic real-time communications passing through network appliances.
Citations: 0
ADD: Application and Data-Driven Controller Design
Proceedings of the 2019 ACM Symposium on SDN Research, Pub Date: 2019-04-03, DOI: 10.1145/3314148.3314351
Yikai Lin, Yuru Shao, Xiao Zhu, Junpeng Guo, K. Barton, Z. Morley Mao
Abstract: Existing SDN controllers commonly adopt an event-driven model that minimizes southbound communication and control-plane overhead. This model satisfies most existing SDN applications' goals to maximize data plane performance while still being able to programmatically control with a decent level of visibility. However, as network composition becomes more heterogeneous with NFV and IoT, such a model can be insufficient for future applications that rely more on data analysis and intelligent decision making. In this paper, we present our findings in a case study on smart manufacturing systems, which have highly heterogeneous device compositions, and applications that are much less "throughput" hungry or "latency" sensitive than network applications but require a lot more data for (real-time) decision making. We share the insights we gain that help us design a new Application and Data-Driven (ADD) model for SDN controllers. We build a proof-of-concept ADD controller based on this model and develop two applications to showcase its new capabilities. Evaluation results show that ADD delivers satisfying scalability and performance. More importantly, applications enabled by ADD gain more insight into the data plane and can make better decisions faster.
Citations: 1
Enabling Policy Innovation in Interdomain Routing: A Software-Defined Approach
Proceedings of the 2019 ACM Symposium on SDN Research, Pub Date: 2019-04-03, DOI: 10.1145/3314148.3314359
Anduo Wang, Zhijia Chen, Tony Yang, Minlan Yu
Abstract: BGP is known to restrict policy expressiveness and induce uncontrolled policy interactions that are hard to understand, reuse, and evolve. We argue that the use of a path vector system as the carrier of interdomain policies is the root cause of these limitations. To this end, we propose an alternative policy scheme built in a software-defined controller to decouple policy making from the path vector system. Rather than treating policies as hardwired attributes of a route that are configured and consumed as the route goes through the path vector decision process, we let policies flow, interact, and combine to influence end-to-end routes. This new software-defined scheme creates new space for policy language, route decision, and conflict resolution design, towards more flexible policies, cleaner policy enforcement, and controlled policy interaction. As a realization of our vision, we present an implementation that uses data integrity constraints for representing and reasoning about routing policies, addressing unique challenges in the decentralized interdomain environment.
Citations: 4
Detecting Volumetric Attacks on IoT Devices via SDN-Based Monitoring of MUD Activity
Proceedings of the 2019 ACM Symposium on SDN Research, Pub Date: 2019-04-03, DOI: 10.1145/3314148.3314352
Ayyoob Hamza, H. Gharakheili, Theophilus A. Benson, V. Sivaraman
Abstract: Smart environments equipped with IoT devices are increasingly under threat from an escalating number of sophisticated cyber-attacks. Current security approaches are inaccurate, expensive, or unscalable, as they require static signatures of known attacks, specialized hardware, or full packet inspection. The IETF Manufacturer Usage Description (MUD) framework aims to reduce the attack surface on an IoT device by formally defining its expected network behavior. In this paper, we use SDN to monitor compliance with the MUD behavioral profile, and develop machine learning methods to detect volumetric attacks such as DoS, reflective TCP/UDP/ICMP flooding, and ARP spoofing to IoT devices. Our first contribution develops a machine for detecting anomalous patterns of MUD-compliant network activity via coarse-grained (device-level) and fine-grained (flow-level) SDN telemetry for each IoT device, thereby giving visibility into flows that contribute to a volumetric attack. For our second contribution we measure the network behavior of IoT devices by collecting benign and volumetric attack traffic traces in our lab, label our dataset, and make it available to the public. Our last contribution prototypes a full working system (built with an OpenFlow switch, Faucet SDN controller, and a MUD policy engine), demonstrates its application in detecting volumetric attacks on several consumer IoT devices with high accuracy, and provides insights into the cost and performance of our system. Our data and solution modules are released as open source to the community.
Citations: 135
KeySFC
Proceedings of the 2019 ACM Symposium on SDN Research, Pub Date: 2019-04-03, DOI: 10.1145/3314148.3318048
C. Dominicini, G. Vassoler, Rodolfo V. Valentim, R. Villaça, M. Ribeiro, M. Martinello, E. Zambon
Abstract: One of the main challenges in network functions virtualization (NFV) is how to dynamically steer traffic flows through a set of service functions (SFs). Fig. 1(a) shows the embedding of a service function chaining (SFC) request in an NFV Infrastructure (NFVI). The overlay layer represents logical connections between virtual machines (VMs), while the underlay layer represents connections between physical nodes.
Citations: 2
Precise Time-synchronization in the Data-Plane using Programmable Switching ASICs
Proceedings of the 2019 ACM Symposium on SDN Research, Pub Date: 2019-04-03, DOI: 10.1145/3314148.3314353
Pravein G. Kannan, Raj Joshi, M. Chan
Abstract: Current implementations of time synchronization protocols (e.g. PTP) in standard industry-grade switches handle the protocol stack in the slow-path (control-plane). With new use cases of in-network computing using programmable switching ASICs, global time-synchronization in the data-plane is very much necessary for supporting distributed applications. In this paper, we explore the possibility of using programmable switching ASICs to design and implement a time synchronization protocol, DPTP, with the core logic running in the data-plane. We perform comprehensive measurement studies on the variable delay characteristics in the switches and NICs under different traffic conditions. Based on the measurement insights, we design and implement DPTP on a Barefoot Tofino switch using the P4 programming language. Our evaluation on a multi-switch testbed shows that DPTP can achieve median and 99th percentile synchronization error of 19 ns and 47 ns between 2 switches, 4 hops apart, in the presence of clock drifts and under heavy network load.
Citations: 36
(Demo) Boléro: Enabling Policy Innovation in Interdomain Routing
Proceedings of the 2019 ACM Symposium on SDN Research, Pub Date: 2019-04-03, DOI: 10.1145/3314148.3318049
Zhijia Chen, Anduo Wang
Abstract: BGP is known to restrict policy expressiveness and induce monolithic policies with uncontrolled interactions among ASes that are hard to understand, reuse, and evolve. We argue that the use of a path vector system as the carrier of interdomain policy is the root cause of these limitations. To this end, we propose an alternative policy scheme built in a software-defined controller to decouple policy making from the path vector system. This new software-defined scheme creates new space for policy language, route decision, and conflict resolution design, towards flexible policies, cleaner policy enforcement, and controlled policy interaction. In this demonstration, we showcase boléro, a realization of our vision via the use of data integrity constraints --- logical statements about what the acceptable network states are --- for representing and reasoning about AS policies, addressing unique challenges in the decentralized interdomain environment.
Citations: 0
Prophet: Real-time Queue Length Inference in Programmable Switches
Proceedings of the 2019 ACM Symposium on SDN Research, Pub Date: 2019-04-03, DOI: 10.1145/3314148.3318050
Shuhe Wang, J. Bi, Chen Sun, Yu Zhou
Abstract: Programmable switches enable the implementation of many complex network functions directly in the data plane. Protocol Independent Switch Architecture (PISA) is a state-of-the-art architecture for programmable switches [1]. After entering a PISA switch, packets first go through an ingress pipeline, then enter the traffic manager that maintains multiple queues, and are finally processed by an egress pipeline. However, there exists an intrinsic constraint in PISA. The traffic manager generates queue-length metadata that is only accessible in egress, while the ingress has no visibility into the queue status. This prevents PISA switches from supporting many advanced network functions. For instance, DRILL [3] employs per-packet load balancing by deciding which queue a packet should enter based on the lengths of candidate queues. The decision has to happen in ingress before packet queuing, which cannot be supported in PISA.
Citations: 2