
Keyword Search Result

[Keyword] OpenFlow(25hit)

1-20hit(25hit)

  • Opimon: A Transparent, Low-Overhead Monitoring System for OpenFlow Networks Open Access

    Wassapon WATANAKEESUNTORN  Keichi TAKAHASHI  Chawanat NAKASAN  Kohei ICHIKAWA  Hajimu IIDA  

     
    PAPER-Network Management/Operation

    Publicized: 2021/10/21  Vol: E105-B No:4  Page(s): 485-493

    OpenFlow is a widely adopted implementation of the Software-Defined Networking (SDN) architecture. Since conventional network monitoring systems are unable to cope with OpenFlow networks, researchers have developed various monitoring systems tailored for OpenFlow networks. However, these existing systems either rely on a specific controller framework or an API, both of which are not part of the OpenFlow specification, and thus limit their applicability. This article proposes a transparent and low-overhead monitoring system for OpenFlow networks, referred to as Opimon. Opimon monitors the network topology, switch statistics, and flow tables in an OpenFlow network and visualizes the result through a web interface in real-time. Opimon monitors a network by interposing a proxy between the controller and switches and intercepting every OpenFlow message exchanged. This design allows Opimon to be compatible with any OpenFlow switch or controller. We tested the functionalities of Opimon on a virtual network built using Mininet and a large-scale international OpenFlow testbed (PRAGMA-ENT). Furthermore, we measured the performance overhead incurred by Opimon and demonstrated that the overhead in terms of latency and throughput was less than 3% and 5%, respectively.

  • An Effective Use of SDN for Virtual-Link Provisioning in ISP Networks

    Slavica TOMOVIĆ  Igor RADUSINOVIĆ  

     
    PAPER-Network

    Publicized: 2018/10/18  Vol: E102-B No:4  Page(s): 855-864

    The ability of Software Defined Networking (SDN) to dynamically adjust the network behaviour and to support fine-grained routing policies becomes increasingly attractive beyond the boundaries of Data Centre domains, where SDN has already gained enormous momentum. However, the wider adoption of SDN in ISP (Internet Service Provider) networks is still uncertain due to concerns about the scalability of a centralized traffic management in large-scale environments. This is particularly problematic when ISP offers virtual-link services, which imply a performance guaranteed data transfer between two network points. Our solution is a new approach to virtual-link mapping in SDN-based ISP networks. Within the problem's scope, we address traffic engineering (TE), QoS provisioning and failure recovery issues. In order to decrease the controller load, computational effort, and processing delay, we introduce a function split between online routing and TE. The TE functions are performed periodically, with configurable periodicity. In order to reduce the control overhead, we restrict the traffic optimization problem to load balancing over multiple static tunnels. This allows retention of the traditional MPLS routers in the network core and to achieve fast virtual-link restoration in case of physical-link failures. The online routing and admission control algorithms have been designed with the goal of low complexity, and to minimize Flow-table updates. In our simulation study, we compare the proposed virtual-link mapping solution with the solutions that exploit routing flexibility in fully SDN-enabled networks. We find that the throughput loss due to the use of static traffic tunnels is relatively small, while the control overhead is reduced significantly. A prototype of the proposed SDN control-plane is developed and validated in the Mininet emulator.

  • Design and Implementation of SDN-Based Proactive Firewall System in Collaboration with Domain Name Resolution

    Hiroya IKARASHI  Yong JIN  Nariyoshi YAMAI  Naoya KITAGAWA  Kiyohiko OKAYAMA  

     
    PAPER-Network Security

    Publicized: 2018/08/22  Vol: E101-D No:11  Page(s): 2633-2643

    Security facilities such as firewall systems and IDS/IPS (Intrusion Detection System/Intrusion Prevention System) have become fundamental solutions against cyber threats. With the rapid change of cyber attack tactics, detailed investigations like DPI (Deep Packet Inspection) and SPI (Stateful Packet Inspection) for incoming traffic become necessary while they also cause the decrease of network throughput. In this paper, we propose an SDN (Software Defined Network)-based proactive firewall system in collaboration with domain name resolution to solve the problem. The system consists of two firewall units (lightweight and normal) and a proper one will be assigned for checking the client of incoming traffic by the collaboration of SDN controller and internal authoritative DNS server. The internal authoritative DNS server obtains the client IP address using EDNS (Extension Mechanisms for DNS) Client Subnet Option from the external DNS full resolver during the name resolution stage and notifies the client IP address to the SDN controller. By checking the client IP address on the whitelist and blacklist, the SDN controller assigns a proper firewall unit for investigating the incoming traffic from the client. Consequently, the incoming traffic from a trusted client will be directed to the lightweight firewall unit while from others to the normal firewall unit. As a result, the incoming traffic can be distributed properly to the firewall units and the congestion can be mitigated. We implemented a prototype system and evaluated its performance in a local experimental network. Based on the results, we confirmed that the prototype system presented expected features and acceptable performance when there was no flooding attack. We also confirmed that the prototype system showed better performance than a conventional firewall system under ICMP flooding attack.

  • Optimizing Non-Uniform Bandwidth Reservation Based on Meter Table of Openflow

    Liaoruo HUANG  Qingguo SHEN  Zhangkai LUO  

     
    LETTER-Information Network

    Publicized: 2018/03/14  Vol: E101-D No:6  Page(s): 1694-1698

    Bandwidth reservation is an important way to guarantee deterministic end-to-end service quality. However, with the traditional bandwidth reservation mechanism, the allocated bandwidth at each link is by default the same without considering the available resource of each link, which may lead to unbalanced resource utilization and limit the number of user connections that the network can accommodate. In this paper, we propose a non-uniform bandwidth reservation method, which can further balance the resource utilization of the network by optimizing the reserved bandwidth at each link according to its link load. Furthermore, to implement the proposed method, we devise a flexible and automatic bandwidth reservation mechanism based on the meter table of OpenFlow. Through simulations, it is shown that our method can achieve better load balancing performance and make the network accommodate more user connections compared with the traditional methods in most application scenarios.

  • A Defense Mechanism of Random Routing Mutation in SDN

    Jiang LIU  Hongqi ZHANG  Zhencheng GUO  

     
    PAPER-Information Network

    Publicized: 2017/02/21  Vol: E100-D No:5  Page(s): 1046-1054

    Focused on network reconnaissance, eavesdropping, and DoS attacks caused by static routing policies, this paper designs a random routing mutation architecture based on the OpenFlow protocol, which takes advantage of the global network view and centralized control in a software-defined network. An entropy matrix of network traffic characteristics is constructed by using volume measurements and characteristic measurements of network traffic. Random routing mutation is triggered according to the result of network anomaly detection, which uses a wavelet transform and principal component analysis to handle the above entropy matrix for both spatial and temporal correlations. The generation of a random routing path is specified as a 0-1 knapsack problem, which is calculated using an improved ant colony algorithm. Theoretical analysis and simulation results show that the proposed method not only increases the difficulty of network reconnaissance and eavesdropping but also reduces the impact of DoS attacks on the normal communication in an SDN network.

  • Demonstration of SDN/OpenFlow-Based Path Control for Large-Scale Multi-Domain/Multi-Technology Optical Transport Networks

    Shan GAO  Xiaoyuan CAO  Takehiro SATO  Takaya MIYAZAWA  Sota YOSHIDA  Noboru YOSHIKANE  Takehiro TSURITANI  Hiroaki HARAI  Satoru OKAMOTO  Naoaki YAMANAKA  

     
    PAPER-Network

    Vol: E99-B No:7  Page(s): 1492-1500

    Software defined networking (SDN) and OpenFlow, which enables the abstraction of vendor/technology-specific attributes, improve the control and management flexibility of optical transport networks. In this paper, we present an interoperability demonstration of SDN/OpenFlow-based optical path control for multi-domain/multi-technology optical transport networks. We also summarize the abstraction approaches proposed for multi-technology network integration at SDN controllers.

  • Efficient Active Measurement for Monitoring Link-by-Link Performance in OpenFlow Networks

    Megumi SHIBUYA  Atsuo TACHIBANA  Teruyuki HASEGAWA  

     
    PAPER

    Vol: E99-B No:5  Page(s): 1032-1040

    To efficiently monitor the link performance in an OpenFlow network with a single measurement box (referred to as a “beacon”), this paper presents a measurement scheme that calculates a set of measurement paths from the beacon to cover all links in the network based on the controllable feature of individual measurement paths in the OpenFlow network and comprehensively estimates the performance of all the physical links from round-trip active measurements. The scheme has a novel feature that minimizes the maximum number of exclusive flow-entries for active measurements on OpenFlow switches by utilizing common packet header values in the probing packets to aggregate multiple entries into a single entry to save the resources in OpenFlow switches and controller. We demonstrate the effectiveness and feasibility of our solution through simulations and emulation scenarios.

  • ResilientFlow: Deployments of Distributed Control Channel Maintenance Modules to Recover SDN from Unexpected Failures

    Takuya OMIZO  Takuma WATANABE  Toyokazu AKIYAMA  Katsuyoshi IIDA  

     
    PAPER

    Vol: E99-B No:5  Page(s): 1041-1053

    Although SDN provides desirable characteristics such as the manageability, flexibility and extensibility of the networks, it has a considerable disadvantage in its reliability due to its centralized architecture. To protect SDN-enabled networks under large-scale, unexpected link failures, we propose ResilientFlow that deploys distributed modules called Control Channel Maintenance Module (CCMM) for every switch and controller. The CCMMs make switches able to maintain their own control channels, which are a core and fundamental part of SDN. In this paper, we design, implement, and evaluate the ResilientFlow.

  • Elastic and Adaptive Resource Orchestration Architecture on 3-Tier Network Virtualization Model

    Masayoshi SHIMAMURA  Hiroaki YAMANAKA  Akira NAGATA  Katsuyoshi IIDA  Eiji KAWAI  Masato TSURU  

     
    PAPER-Information Network

    Publicized: 2016/01/18  Vol: E99-D No:4  Page(s): 1127-1138

    Network virtualization environments (NVEs) are emerging to meet the increasing diversity of demands by Internet users where a virtual network (VN) can be constructed to accommodate each specific application service. In the future Internet, diverse service providers (SPs) will provide application services on their own VNs running across diverse infrastructure providers (InPs) that provide physical resources in an NVE. To realize both efficient resource utilization and good QoS of each individual service in such environments, SPs should perform adaptive control on network and computational resources in dynamic and competitive resource sharing, instead of explicit and sufficient reservation of physical resources for their VNs. On the other hand, two novel concepts, software-defined networking (SDN) and network function virtualization (NFV), have emerged to facilitate the efficient use of network and computational resources, flexible provisioning, network programmability, unified management, etc., which enable us to implement adaptive resource control. In this paper, therefore, we propose an architectural design of network orchestration for enabling SPs to maintain QoS of their applications aggressively by means of resource control on their VNs efficiently, by introducing virtual network provider (VNP) between InPs and SPs as 3-tier model, and by integrating SDN and NFV functionalities into NVE framework. We define new north-bound interfaces (NBIs) for resource requests, resource upgrades, resource programming, and alert notifications while using the standard OpenFlow interfaces for resource control on users' traffic flows. The feasibility of the proposed architecture is demonstrated through network experiments using a prototype implementation and a sample application service on nation-wide testbed networks, the JGN-X and RISE.

  • A Packet-In Message Filtering Mechanism for Protection of Control Plane in OpenFlow Switches

    Daisuke KOTANI  Yasuo OKABE  

     
    PAPER-Information Network

    Publicized: 2015/12/09  Vol: E99-D No:3  Page(s): 695-707

    Protecting control planes in networking hardware from high rate packets is a critical issue for networks under operation. One common approach for conventional networking hardware is to offload expensive functions onto hard-wired offload engines as ASICs. This approach is inadequate for OpenFlow networks because it restricts a certain amount of flexibility for network control that OpenFlow tries to provide. Therefore, we need a control plane protection mechanism in OpenFlow switches as a last resort, while preserving flexibility for network control. In this paper, we propose a mechanism to filter out Packet-In messages, which include packets handled by the control plane in OpenFlow networks, without dropping important ones for network control. Switches record values of packet header fields before sending Packet-In messages, and filter out packets that have the same values as the recorded ones. The controllers set the header fields in advance whose values must be recorded, and the header fields are selected based on controller design. We have implemented and evaluated the proposed mechanism on a prototype software switch, concluding that it dramatically reduces CPU loads on switches while passing important Packet-In messages for network control.

  • Verification of Flow Matching Functionality in the Forwarding Plane of OpenFlow Networks

    Sachin SHARMA  Wouter TAVERNIER  Sahel SAHHAF  Didier COLLE  Mario PICKAVET  Piet DEMEESTER  

     
    PAPER

    Vol: E98-B No:11  Page(s): 2190-2201

    In OpenFlow, data and control plane are decoupled from switches or routers. While the data plane resides in the switches or routers, the control plane might be moved into one or more external servers (controllers). In this article, we propose verification mechanisms for the data plane functionality of switches. The latter consists of two parts: (1) Flow-Match Header part (to match a flow of incoming packets) and (2) action part (e.g., to forward incoming packets to an outgoing port). We propose a mechanism to verify the Flow-Match Header part of the data plane. The mechanism can be executed at the controller, or on an additional device or server (or virtual machines) attached to the network. Deploying a virtual machine (VM) or server for verification may decrease the load of the controller and/or consumed bandwidth between the controller and a switch. We propose a heuristic to place external verification devices or VMs in a network such that the verification time can be minimized. Verification time with respect to consumed resources is evaluated through emulation experiments. Results confirm that the verification time using the proposed heuristic is indeed shortened significantly, while requiring low bandwidth resources.

  • An Adaptation of Proxy Mobile IPv6 to OpenFlow Architecture over Software Defined Networking

    Seong-Mun KIM  Hyon-Young CHOI  Youn-Hee HAN  Sung-Gi MIN  

     
    PAPER-Network

    Vol: E98-B No:4  Page(s): 596-606

    In this paper, Proxy Mobile IPv6 (PMIPv6), which is a network-based mobility management protocol, is adapted to the OpenFlow architecture. Mobility-related signaling is generally performed by network entities on behalf of a mobile node, but in standard PMIPv6, the control and data packets are delivered and processed over the same network entities, which prevents the separation of the control and the data planes. In addition, IP tunneling inherent to PMIPv6 imposes excessive overhead for the network entities. In order to adapt PMIPv6 to the OpenFlow architecture, the mobility management function is separated from the PMIPv6 components, and components are reconstructed to take advantage of the offerings of the OpenFlow architecture. The components configure the flow table of the switches located in a path, which comprise the OpenFlow controller. Mobility-related signaling can then be performed at the dedicated secure channel, and all of the data packets can be sent normally in accordance with the flow table of the OpenFlow switches. Consequently, the proposed scheme eliminates IP tunneling when user traffic is forwarded and separates the data and the control planes. The performance analysis revealed that the proposed scheme can outperform PMIPv6 in terms of the signaling cost, packet delivery cost, and handover latency.

  • Ouroboros: Protocol Independent Forwarding for SDN

    Liang LI  Hamid FARHADY  Ping DU  Akihiro NAKAO  

     
    PAPER

    Vol: E97-B No:11  Page(s): 2278-2285

    In most cases, the programmability of Software Defined Network (SDN) refers to the flexibility existing in northbound interface that enables network managers to control the behaviors of the networks. However, the lack of flexibility in data plane conversely results in wasting potentially usable information for controlling flows, especially from network services and applications point of view. For example, OpenFlow switches only deal with L2-L4 headers and ignore the other parts of packet. We propose Ouroboros as a programmable switch logic to increase the flexibility of SDN southbound interface. Ouroboros switches not only remove the limitation of regular OpenFlow switches using packet headers as the reference for packet switching, but also provide a highly flexible interface for network managers to conduct application-specific flow control according to packet content at any arbitrary offsets. Ouroboros can penetrate deeply into packet (e.g., RTP or SIP) protocol headers, or further into packet payload, to process user-defined switching protocol. Our evaluations of Ouroboros on 10Gbps traffic indicate the effectiveness of the proposed method.

  • Non-tunneling Overlay Approach for Virtual Tenant Networks in Cloud Datacenter

    Ryota KAWASHIMA  Hiroshi MATSUO  

     
    PAPER

    Vol: E97-B No:11  Page(s): 2259-2268

    Network virtualization is an essential technology for cloud datacenters that provide multi-tenancy services. SDN-enabled datacenters have introduced an edge-overlay (distributed tunneling) model to construct virtual tenant networks. The edge-overlay model generally uses L2-in-L3 tunneling protocols like VXLAN. However, the tunneling-based edge-overlay model has some performance and compatibility problems. We have proposed yet another overlay approach without using IP tunneling. Our model leverages two methods, OpenFlow-based Virtual/Physical MAC address translation and host-based VLAN ID usage. The former method replaces VMs' MAC addresses with physical servers' ones, which prevents frame encapsulation as well as unnecessary MAC address learning by physical switches. The latter method breaks a limitation of the number of VLAN-based virtual tenant networks (4094) by allocating entire VLAN ID space to each physical server and by mapping VLAN ID to VM with OpenFlow controller support. In our model, any special hardware equipment like OpenFlow hardware switches is not required and only software-based virtual switches and the controller are used. In this paper, we evaluated the performance of the proposed model compared with the tunneling model using 40GbE environment. The results show that the performance of VM-to-VM communication with the proposed model is close to that of physical communication and exceeds 10Gbps throughput with large TCP segment, and the proposed model shows better scalability for the number of VMs.

  • A QoS-Aware Differential Processing Control Scheme for OpenFlow-Based Mobile Networks

    Yeunwoong KYUNG  Taihyong YIM  Taekook KIM  Tri M. NGUYEN  Jinwoo PARK  

     
    LETTER-Information Network

    Vol: E97-D No:8  Page(s): 2178-2181

    This paper proposes a QoS-aware differential processing control (QADPC) scheme for OpenFlow-based mobile networks. QADPC classifies the input packets to the control plane by considering end terminal mobility and service type. Then, different capacities are assigned to each classified packet for prioritized processing. By means of Markov chains, QADPC is evaluated in terms of blocking probability and waiting time in the control plane. Analytical results demonstrate that QADPC offers high priority packets both lower blocking probability and less waiting time.

  • Optical Network Management System for Instant Provisioning of QoS-Aware Path and Its Software Prototyping with OpenFlow

    Masashi TAKADA  Akira FUKUSHIMA  Yosuke TANIGAWA  Hideki TODE  

     
    PAPER

    Vol: E97-B No:7  Page(s): 1313-1324

    In conventional networks, service control function and network control function work independently. Therefore, stereotypical services are provided via fixed routes or selected routes in advance. Recently, advanced network services have been provided by assortment of distributed components at low cost. Furthermore, service platform, which unifies componentized network control and service control in order to provide advanced services with flexibility and stability, has attracted attention. In near future, network management system (NMS) is promising, which replies an answer quickly for such advanced service platforms when route setting is requested with some parameters: quality of service (QoS), source and destination addresses, cost (money) and so on. In addition, the NMS is required to provide routes exploiting functions such as path computation element (PCE) actually. This paper proposes scalable network architecture that can quickly reply an answer by pre-computing candidate routes when route setting is requested to a control unit like an Autonomous System (AS). Proposed architecture can manage network resources scalably, and answer the availability of the requested QoS-aware path settings instantaneously for the forthcoming service platform that finds an adequate combination of a server and a route. In the proposed method, hierarchical databases are established to manage the information related to optical network solution and their data are updated at fewer times by discretized states and their boundaries with some margin. Moreover, with multiple and overlapped overlay, it pre-computes multiple candidate routes with different characteristics like available bandwidth and the number of hops, latency, BER (bit error rate), before route set-up request comes. We present simulation results to verify the benefits of our proposed system. Then, we implement its prototype using OpenFlow, and evaluate its effectiveness in the experimental environment.

  • A Survey on OpenFlow Technologies Open Access

    Kazuya SUZUKI  Kentaro SONODA  Nobuyuki TOMIZAWA  Yutaka YAKUWA  Terutaka UCHIDA  Yuta HIGUCHI  Toshio TONOUCHI  Hideyuki SHIMONISHI  

     
    INVITED SURVEY PAPER

    Vol: E97-B No:2  Page(s): 375-386

    The paper presents a survey on OpenFlow related technologies that have been proposed as a means for researchers, network service creators, and others to easily design, test, and deploy their innovative ideas in experimental or production networks to accelerate research activities on network technologies. Rather than having programmability within each network node, separated OpenFlow controllers provide network control through pluggable software modules; thus, it is easy to develop new network control functions in executable form and test them in production networks. The emergence of OpenFlow has started various research activities. The paper surveys these activities and their results.

  • Deployment of OpenFlow/SDN Technologies to Carrier Services Open Access

    Yoichi SATO  Ichiro FUKUDA  Tomonori FUJITA  

     
    INVITED PAPER

    Vol: E96-B No:12  Page(s): 2946-2952

    The use of computing resources on network is becoming active in the Internet and private networks. OpenFlow/Software-Defined Networking (SDN) is drawing attention as a method to control network virtualization for the cloud computing services and other carrier services. This paper introduces examples of OpenFlow/SDN technologies applied to commercial cloud services. Various activities to expand coverage over commercial carrier networks are also mentioned.

  • OpenQFlow: Scalable OpenFlow with Flow-Based QoS

    Nam-Seok KO  Hwanjo HEO  Jong-Dae PARK  Hong-Shik PARK  

     
    PAPER

    Vol: E96-B No:2  Page(s): 479-488

    OpenFlow, originally proposed for campus and enterprise network experimentation, has become a promising SDN architecture that is considered as a widely-deployable production network node recently. It is, in a consequence, pointed out that OpenFlow cannot scale and replace today's versatile network devices due to its limited scalability and flexibility. In this paper, we propose OpenQFlow, a novel scalable and flexible variant of OpenFlow. OpenQFlow provides a fine-grained flow tracking while flow classification is decoupled from the tracking by separating the inefficiently coupled flow table to three different tables: flow state table, forwarding rule table, and QoS rule table. We also develop a two-tier flow-based QoS framework, derived from our new packet scheduling algorithm, which provides performance guarantee and fairness on both granularity levels of micro- and aggregate-flow at the same time. We have implemented OpenQFlow on an off-the-shelf microTCA chassis equipped with a commodity multicore processor, for which our architecture is suited, to achieve high-performance with carefully engineered software design and optimization.

  • Autonomous IP Fast Rerouting with Compressed Backup Flow Entries Using OpenFlow

    Shohei KAMAMURA  Daisaku SHIMAZAKI  Atsushi HIRAMATSU  Hidenori NAKAZATO  

     
    PAPER

    Vol: E96-D No:2  Page(s): 184-192

    This paper proposes an IP fast rerouting method which can be implemented in the OpenFlow framework. While the current IP is robust, its reactive and global rerouting processes require a long recovery time against failure. On the other hand, IP fast rerouting provides a milliseconds-order recovery time by proactive and local restoration mechanism. Implementation of IP fast rerouting is not common in real systems, however; it requires the coordination of additional forwarding functions to commercial hardware. We propose an IP fast rerouting mechanism using OpenFlow that separates control function from hardware implementation. Our mechanism does not require any extension of current forwarding hardware. On the contrary, increase of backup routes becomes the main overhead of our proposal. We also embed the compression mechanism to our IP fast rerouting mechanism. We show the effectiveness of our IP fast rerouting in terms of the fast restoration and the backup routes compression effect through computer simulations.
