When opening OpenFlow testbeds between partners, we have been faced by many compatibility issues regarding the standard. We have thus extended a testing framework to properly identify and correct those.
Complementary to the testbed, we also researched on network services orchestration for mitigating of DDoS by leveraging network softwarization in two manners. First, traffic can be redirected using SDN towards dedicated security middleboxes instantiated as NFV. This can be seen as an allocation problem. A first formulation of problem has been set but required refinement in order to fulfill two constraints: being enough realist and viable for numerical resolution. Secondly, we also investigated a more probabilistic approach based on local optimization (more scalable) but which should tend to a global optimum to scatter attack traffic in time and space as most as possible.
We defined and implemented an OpenFlow tester based on the previously mentioned testing framework. This work has been in the core of an Inria internship under the FP7 Flamingo project. The main output is the extension of an open-source software https://github.com/pred/oftest
Anomaly detection with OpenFlow
Since OpenFlow can be leveraged for performing network anomaly detection, this work consists in reviewing the literature, identifying existing limits and proposing new approaches.
First, one limitation is the view of the controller in Software-Defined Networks which is global to network (and not local) but still very network-centric while threats, attacks and traffic analysis in general require more knowledge, i.e. context, about traffic. Such a limitation was identified and the starting point of a collaboration started few months before the official associate team kick-off. We introduced a higher-level abstraction for defining user- and application-specific policies in SDN networks rather than only relying on IP addresses and ports. These policies are actually automatically mapped to OpenFlow rules by retrieving flow-based information of active users and applications in real-time. The framework has been implemented and evaluated by measuring the underlying overhead.
Second, P. Chaignon, a PhD student, has investigated more in details the advantages and limitations of SDN technologies (OpenFlow and others) to monitor attacks in networks. The goal is to clearly define the boundaries of the expressivity of each programming language or API and propose extensions to OpenFlow.
P4 support for ICN
Although content-awareness at the network level is becoming more and more needed, Information-Centric Networking (ICN)-based solutions struggle to emerge. Architecture-tied designs of ICN devices cannot be easily deployed and tested in operational networks. In the meantime, the vision of SDN has grown and taken new shapes. This has been leading to a rethink of network devices designs with the aim to offer full-programmability through high-level programming languages for packet processors. We have thus studied how such languages like POF or P4 are suitable for ICN. Major difficulties are the large use of TLV (Type Length Value) fields in ICN which are hard and costly to parse at line rate. We identified incompatibilities and made some trade-off to implement and test a first version of ICN over P4.