
Keyword Search Result

[Keyword] software defined network (15 hits)

1-15 of 15 hits
  • BlockCSDN: Towards Blockchain-Based Collaborative Intrusion Detection in Software Defined Networking

    Wenjuan LI  Yu WANG  Weizhi MENG  Jin LI  Chunhua SU  

     
    PAPER

    Publicized: 2021/09/16
    Vol: E105-D No:2
    Page(s): 272-279

    To safeguard critical services and assets in a distributed environment, collaborative intrusion detection systems (CIDSs) are usually adopted to share necessary data and information among various nodes, and enhance the detection capability. For simplifying the network management, software defined networking (SDN) is an emerging platform that decouples the controller plane from the data plane. Intuitively, SDN can help lighten the management complexity in CIDSs, and a CIDS can protect the security of SDN. In practical implementation, trust management is an important approach to help identify insider attacks (or malicious nodes) in CIDSs, but the challenge is how to ensure the data integrity when evaluating the reputation of a node. Motivated by the recent development of blockchain technology, in this work, we design BlockCSDN — a framework of blockchain-based collaborative intrusion detection in SDN, and take the challenge-based CIDS as a study. The experimental results under both external and internal attacks indicate that using blockchain technology can benefit the robustness and security of CIDSs and SDN.

  • Towards Blockchain-Based Software-Defined Networking: Security Challenges and Solutions

    Wenjuan LI  Weizhi MENG  Zhiqiang LIU  Man-Ho AU  

     
    INVITED PAPER

    Publicized: 2019/11/08
    Vol: E103-D No:2
    Page(s): 196-203

    Software-Defined Networking (SDN) enables flexible deployment and innovation of new networking applications by decoupling and abstracting the control and data planes. It has radically changed the concept and way of building and managing networked systems, and reduced the barriers to entry for new players in the service markets. It is considered to be a promising solution providing the scale and versatility necessary for IoT. However, SDN may also face many challenges, i.e., the centralized control plane would be a single point of failure. With the advent of blockchain technology, blockchain-based SDN has become an emerging architecture for securing a distributed network environment. Motivated by this, in this work, we summarize the generic framework of blockchain-based SDN, discuss security challenges and relevant solutions, and provide insights on the future development in this field.

  • Distributed IP Refactoring: Cooperation with Optical Transport Layer and Centralized SDN

    Shohei KAMAMURA  Aki FUKUDA  Hiroki MORI  Rie HAYASHI  Yoshihiko UEMATSU  

     
    PAPER-Network System

    Publicized: 2018/01/10
    Vol: E101-B No:7
    Page(s): 1661-1674

    By focusing on the recent swing to the centralized approach by the software defined network (SDN), this paper presents a novel network architecture for refactoring the current distributed Internet protocol (IP) by not only utilizing the SDN itself but also implementing its cooperation with the optical transport layer. The first IP refactoring is for flexible network topology reconfiguration: the global routing and explicit routing functions are transferred from the distributed routers to the centralized SDN. The second IP refactoring is for cost-efficient maintenance migration: we introduce a resource portable IP router that can behave as a shared backup router by cooperating with the optical transport path switching. Extensive evaluations show that our architecture makes the current IP network easier to configure and more scalable. We also validate the feasibility of our proposal.

  • Source-Side Detection of DRDoS Attack Request with Traffic-Aware Adaptive Threshold

    Sinh-Ngoc NGUYEN  Van-Quyet NGUYEN  Giang-Truong NGUYEN  JeongNyeo KIM  Kyungbaek KIM  

     
    LETTER-Information Network

    Publicized: 2018/03/12
    Vol: E101-D No:6
    Page(s): 1686-1690

    Distributed Reflective Denial of Services (DRDoS) attacks have gained huge popularity and become a major factor in a number of massive cyber-attacks. Usually, the attackers launch this kind of attack with small volume of requests to generate a large volume of attack traffic aiming at the victim by using IP spoofing from legitimate hosts. There have been several approaches, such as static threshold based approach and confirmation-based approach, focusing on DRDoS attack detection at victim's side. However, these approaches have significant disadvantages: (1) they are only passive defences after the attack and (2) it is hard to trace back the attackers. To address this problem, considerable attention has been paid to the study of detecting DRDoS attack at source side. Because the existing proposals following this direction are supposed to be ineffective to deal with small volume of attack traffic, there is still a room for improvement. In this paper, we propose a novel method to detect DRDoS attack request traffic on SDN(Software Defined Network)-enabled gateways in the source side of attack traffic. Our method adjusts the sampling rate and provides a traffic-aware adaptive threshold along with the margin based on analysing observed traffic behind gateways. Experimental results show that the proposed method is a promising solution to detect DRDoS attack request in the source side.

  • Separating Predictable and Unpredictable Flows via Dynamic Flow Mining for Effective Traffic Engineering [Open Access]

    Yousuke TAKAHASHI  Keisuke ISHIBASHI  Masayuki TSUJINO  Noriaki KAMIYAMA  Kohei SHIOMOTO  Tatsuya OTOSHI  Yuichi OHSITA  Masayuki MURATA  

     
    PAPER-Internet

    Publicized: 2017/08/07
    Vol: E101-B No:2
    Page(s): 538-547

    To efficiently use network resources, internet service providers need to conduct traffic engineering that dynamically controls traffic routes to accommodate traffic change with limited network resources. The performance of traffic engineering (TE) depends on the accuracy of traffic prediction. However, the size of traffic change has been drastically increasing in recent years due to the growth in various types of network services, which has made traffic prediction difficult. Our approach to tackle this issue is to separate traffic into predictable and unpredictable parts and to apply different control policies. However, there are two challenges to achieving this: dynamically separating traffic according to predictability and dynamically controlling routes for each separated traffic part. In this paper, we propose a macroflow-based TE scheme that uses different routing policies in accordance with traffic predictability. We also propose a traffic-separation algorithm based on real-time traffic analysis and a framework for controlling separated traffic with software-defined networking technology, particularly OpenFlow. An evaluation of actual traffic measured in an Internet2 network shows that compared with current TE schemes the proposed scheme can reduce the maximum link load by 34% (at the most congested time) and the average link load by an average of 11%.

  • Network Function Virtualization: A Survey [Open Access]

    Malathi VEERARAGHAVAN  Takehiro SATO  Molly BUCHANAN  Reza RAHIMI  Satoru OKAMOTO  Naoaki YAMANAKA  

     
    INVITED PAPER

    Publicized: 2017/05/16
    Vol: E100-B No:11
    Page(s): 1978-1991

    The objectives of this survey are to provide an in-depth coverage of a few selected research papers that have made significant contributions to the development of Network Function Virtualization (NFV), and to provide readers insights into the key advantages and disadvantages of NFV and Software Defined Networks (SDN) when compared to traditional networks. The research papers covered are classified into four categories: NFV Infrastructure (NFVI), Network Functions (NFs), Management And Network Orchestration (MANO), and service chaining. The NFVI papers describe “framework” software that implement common functions, such as dynamic scaling and load balancing, required by NF developers. Papers on NFs are classified as offering solutions for software switches or middleboxes. MANO papers covered in this survey are primarily on resource allocation (virtual network embedding), which is an orchestrator function. Finally, service chaining papers that offer examples and extensions are reviewed. Our conclusions are that with the current level of investment in NFV from cloud and Internet service providers, the promised cost savings are likely to be realized, though many challenges remain.

  • Optical Networking Paradigm: Past, Recent Trends and Future Directions [Open Access]

    Eiji OKI  Naoya WADA  Satoru OKAMOTO  Naoaki YAMANAKA  Ken-ichi SATO  

     
    INVITED SURVEY PAPER-Fiber-Optic Transmission for Communications

    Publicized: 2017/03/22
    Vol: E100-B No:9
    Page(s): 1564-1580

    This paper presents past and recent trends of optical networks and addresses the future directions. First, we describe path networks with the historical backgrounds and trends. Path networks have advanced by using various multiplexing technologies. They include time-division multiplexing (TDM), asynchronous transfer mode (ATM), and wavelength-division multiplexing (WDM). ATM was later succeeded to multi-protocol label switching (MPLS). Second, we present generalized MPLS technologies (GMPLS). In GMPLS, the label concept of MPLS is extended to other labels used in TDM, WDM, and fiber networks. GMPLS enables network operators to serve networks deployed by different technologies with a common protocol suite of GMPLS. Third, we describe multi-layer traffic engineering and a path computation element (PCE). Multi-layer traffic engineering designs and controls networks considering resource usages of more than one layer. This leads to use network resources more efficiently than the single-layer traffic engineering adopted independently for each layer. PCE is defined as a network element that computes paths, which are used for traffic engineering. Then, we address software-defined networks, which put the designed network functions into the programmable data plane by way of the management plane. We describe the evaluation from GMPLS to software defined networking (SDN) and transport SDN. Fifth, we describe the advanced devices and switches for optical networks. Finally, we address advances in networking technologies and future directions on optical networking.

  • NAPT-Based Mobility Service for Software Defined Networks [Open Access]

    Shimin SUN  Li HAN  Xianshu JIN  Sunyoung HAN  

     
    INVITED PAPER

    Publicized: 2017/02/13
    Vol: E100-D No:5
    Page(s): 932-938

    For IP-based mobile networks, efficient mobility management is vital to provision seamless online service. IP address starvation and scalability issue constrain the wide deployment of existing mobility schemes, such as Mobile IP, Proxy Mobile IP, and their derivations. Most of the studies focus on the scenario of mobility among public networks. However, most of current networks, such as home networks, sensor networks, and enterprise networks, are deployed with private networks hard to apply mobility solutions. With the rapid development, Software Defined Networking (SDN) offers the opportunity of innovation to support mobility in private network schemes. In this paper, a novel mobility management scheme is presented to support mobile node moving from public network to private network in a seamless handover procedure. The centralized control manner and flexible flow management in SDN are utilized to provide network-based mobility support with better QoS guarantee. Benefiting from SDN/OpenFlow technology, complex handover process is simplified with fewer message exchanges. Furthermore, handover efficiency can be improved in terms of delay and overhead reduction, scalability, and security. Analytical analysis and implementation results showed a better performance than mobile IP in terms of latency and throughput variation.

  • A Collaborative Intrusion Detection System against DDoS for SDN

    Xiaofan CHEN  Shunzheng YU  

     
    LETTER-Information Network

    Publicized: 2016/06/01
    Vol: E99-D No:9
    Page(s): 2395-2399

    DDoS remains a major threat to Software Defined Networks. To keep SDN secure, effective detection techniques for DDoS are indispensable. Most of the newly proposed schemes for detecting such attacks on SDN make the SDN controller act as the IDS or the central server of a collaborative IDS. The controller consequently becomes a target of the attacks and a heavy loaded point of collecting traffic. A collaborative intrusion detection system is proposed in this paper without the need for the controller to play a central role. It is deployed as a modified artificial neural network distributed over the entire substrate of SDN. It disperses its computation power over the network that requires every participating switch to perform like a neuron. The system is robust without individual targets and has a global view on a large-scale distributed attack without aggregating traffic over the network. Emulation results demonstrate its effectiveness.

  • Demonstration of SDN/OpenFlow-Based Path Control for Large-Scale Multi-Domain/Multi-Technology Optical Transport Networks

    Shan GAO  Xiaoyuan CAO  Takehiro SATO  Takaya MIYAZAWA  Sota YOSHIDA  Noboru YOSHIKANE  Takehiro TSURITANI  Hiroaki HARAI  Satoru OKAMOTO  Naoaki YAMANAKA  

     
    PAPER-Network

    Vol: E99-B No:7
    Page(s): 1492-1500

    Software defined networking (SDN) and OpenFlow, which enables the abstraction of vendor/technology-specific attributes, improve the control and management flexibility of optical transport networks. In this paper, we present an interoperability demonstration of SDN/OpenFlow-based optical path control for multi-domain/multi-technology optical transport networks. We also summarize the abstraction approaches proposed for multi-technology network integration at SDN controllers.

  • An Adaptation of Proxy Mobile IPv6 to OpenFlow Architecture over Software Defined Networking

    Seong-Mun KIM  Hyon-Young CHOI  Youn-Hee HAN  Sung-Gi MIN  

     
    PAPER-Network

    Vol: E98-B No:4
    Page(s): 596-606

    In this paper, Proxy Mobile IPv6 (PMIPv6), which is a network-based mobility management protocol, is adapted to the OpenFlow architecture. Mobility-related signaling is generally performed by network entities on behalf of a mobile node, but in standard PMIPv6, the control and data packets are delivered and processed over the same network entities, which prevents the separation of the control and the data planes. In addition, IP tunneling inherent to PMIPv6 imposes excessive overhead for the network entities. In order to adapt PMIPv6 to the OpenFlow architecture, the mobility management function is separated from the PMIPv6 components, and components are reconstructed to take advantage of the offerings of the OpenFlow architecture. The components configure the flow table of the switches located in a path, which comprise the OpenFlow controller. Mobility-related signaling can then be performed at the dedicated secure channel, and all of the data packets can be sent normally in accordance with the flow table of the OpenFlow switches. Consequently, the proposed scheme eliminates IP tunneling when user traffic is forwarded and separates the data and the control planes. The performance analysis revealed that the proposed scheme can outperform PMIPv6 in terms of the signaling cost, packet delivery cost, and handover latency.

  • Ouroboros: Protocol Independent Forwarding for SDN

    Liang LI  Hamid FARHADY  Ping DU  Akihiro NAKAO  

     
    PAPER

    Vol: E97-B No:11
    Page(s): 2278-2285

    In most cases, the programmability of Software Defined Network (SDN) refers to the flexibility existing in northbound interface that enables network managers to control the behaviors of the networks. However, the lack of flexibility in data plane conversely results in wasting potentially usable information for controlling flows, especially from network services and applications point of view. For example, OpenFlow switches only deal with L2-L4 headers and ignore the other parts of packet. We propose Ouroboros as a programmable switch logic to increase the flexibility of SDN southbound interface. Ouroboros switches not only remove the limitation of regular OpenFlow switches using packet headers as the reference for packet switching, but also provides a highly flexible interface for network managers to conduct application-specific flow control according to packet content at any arbitrary offsets. Ouroboros can penetrate deeply into packet (e.g., RTP or SIP) protocol headers, or further into packet payload, to process user-defined switching protocol. Our evaluations of Ouroboros on 10Gbps traffic indicates the effectiveness of proposed method.

  • Software Defined Flexible Optical Access Networks Enabling Throughput Optimization and OFDM-Based Dynamic Service Provisioning for Future Mobile Backhaul [Open Access]

    Akihiro TANAKA  Neda CVIJETIC  

     
    INVITED PAPER

    Vol: E97-B No:7
    Page(s): 1244-1251

    In this invited paper, software defined network (SDN)-based approaches for future cost-effective optical mobile backhaul (MBH) networks are discussed, focusing on key principles, throughput optimization and dynamic service provisioning as its use cases. We propose a novel physical-layer aware throughput optimization algorithm that confirms > 100Mb/s end-to-end per-cell throughputs with ≥2.5Gb/s optical links deployed at legacy cell sites. We also demonstrate the first optical line terminal (OLT)-side optical Nyquist filtering of legacy 10G on-off-keying (OOK) signals, enabling dynamic >10Gb/s Orthogonal Frequency Domain Multiple Access (OFDMA) λ-overlays for MBH over passive optical network (PON) with 40-km transmission distances and 1:128 splitting ratios, without any ONU-side equipment upgrades. The software defined flexible optical access network architecture described in this paper is thus highly promising for future MBH networks.

  • OpenQFlow: Scalable OpenFlow with Flow-Based QoS

    Nam-Seok KO  Hwanjo HEO  Jong-Dae PARK  Hong-Shik PARK  

     
    PAPER

    Vol: E96-B No:2
    Page(s): 479-488

    OpenFlow, originally proposed for campus and enterprise network experimentation, has become a promising SDN architecture that is considered as a widely-deployable production network node recently. It is, in a consequence, pointed out that OpenFlow cannot scale and replace today's versatile network devices due to its limited scalability and flexibility. In this paper, we propose OpenQFlow, a novel scalable and flexible variant of OpenFlow. OpenQFlow provides a fine-grained flow tracking while flow classification is decoupled from the tracking by separating the inefficiently coupled flow table to three different tables: flow state table, forwarding rule table, and QoS rule table. We also develop a two-tier flow-based QoS framework, derived from our new packet scheduling algorithm, which provides performance guarantee and fairness on both granularity levels of micro- and aggregate-flow at the same time. We have implemented OpenQFlow on an off-the-shelf microTCA chassis equipped with a commodity multicore processor, for which our architecture is suited, to achieve high-performance with carefully engineered software design and optimization.

  • Virtual Network Management through Hybrid Software Defined Network (HSDN) Platform

    SeokHwan KONG  SuengYong PARK  

     
    LETTER

    Vol: E96-B No:1
    Page(s): 65-68

    This letter proposes a new Hybrid Software Defined Network (HSDN) platform for the interoperation with legacy routing protocol to support hardware level network virtualization for multi-tenant environment. By considering current SDN issues in the production network, the proposed platform contributes to solve these issues at reasonable overhead. Our testbed shows that failure convergence time with the proposed platform is almost same as legacy routing protocol. On the other hand, it also shows that hardware level virtualization is supported with stable ICMP response times.