TL;DR: This paper introduces the notion of consistent network updates---updates that are guaranteed to preserve well-defined behaviors when transitioning between configurations, and identifies two distinct consistency levels, per-packet and per-flow.
Abstract: Configuration changes are a common source of instability in networks, leading to outages, performance disruptions, and security vulnerabilities. Even when the initial and final configurations are correct, the update process itself often steps through intermediate configurations that exhibit incorrect behaviors. This paper introduces the notion of consistent network updates---updates that are guaranteed to preserve well-defined behaviors when transitioning between configurations. We identify two distinct consistency levels, per-packet and per-flow, and we present general mechanisms for implementing them in Software-Defined Networks using switch APIs like OpenFlow. We develop a formal model of OpenFlow networks, and prove that consistent updates preserve a large class of properties. We describe our prototype implementation, including several optimizations that reduce the overhead required to perform consistent updates. We present a verification tool that leverages consistent updates to significantly reduce the complexity of checking the correctness of network control software. Finally, we describe the results of some simple experiments demonstrating the effectiveness of these optimizations on example applications.
TL;DR: This paper uses OpenFlow to develop an MTD architecture that transparently mutates host IP addresses with high unpredictability and rate, while maintaining configuration integrity and minimizing operation overhead, and shows that OF-RHM can effectively defend against stealthy scanning, worm propagation, and other scanning-based attacks.
Abstract: Static configurations serve great advantage for adversaries in discovering network targets and launching attacks. Identifying active IP addresses in a target domain is a precursory step for many attacks. Frequently changing hosts' IP addresses is a novel proactive moving target defense (MTD) that hides network assets from external/internal scanners. In this paper, we use OpenFlow to develop an MTD architecture that transparently mutates host IP addresses with high unpredictability and rate, while maintaining configuration integrity and minimizing operation overhead. The presented technique is called OpenFlow Random Host Mutation (OF-RHM) in which the OpenFlow controller frequently assigns each host a random virtual IP that is translated to/from the real IP of the host. The real IP remains untouched, so IP mutation is completely transparent for end-hosts. Named hosts are reachable via the virtual IP addresses acquired via DNS, but real IP addresses can be only reached by authorized entities. Our implementation and evaluation show that OF-RHM can effectively defend against stealthy scanning, worm propagation, and other scanning-based attacks.
TL;DR: This work represents the first effort that synergizes software-defined networking and WSN, and proposes a Software-Defined WSN architecture and addresses key technical challenges for its core component, Sensor OpenFlow.
Abstract: While it has been a belief for over a decade that wireless sensor networks (WSN) are application-specific, we argue that it can lead to resource underutilization and counter-productivity. We also identify two other main problems with WSN: rigidity to policy changes and difficulty to manage. In this paper, we take a radical, yet backward and peer compatible, approach to tackle these problems inherent to WSN. We propose a Software-Defined WSN architecture and address key technical challenges for its core component, Sensor OpenFlow. This work represents the first effort that synergizes software-defined networking and WSN.
TL;DR: It is argued that software defined networking (SDN) can simplify the design and management of cellular data networks, while enabling new services, but supporting many subscribers, frequent mobility, fine-grained measurement and control, and real-time adaptation introduces new scalability challenges that future SDN architectures should address.
Abstract: Existing cellular networks suffer from inflexible and expensive equipment, complex control-plane protocols, and vendor-specific configuration interfaces. In this position paper, we argue that software defined networking (SDN) can simplify the design and management of cellular data networks, while enabling new services. However, supporting many subscribers, frequent mobility, fine-grained measurement and control, and real-time adaptation introduces new scalability challenges that future SDN architectures should address. As a first step, we propose extensions to controller platforms, switches, and base stations to enable controller applications to (i) express high-level policies based on subscriber attributes, rather than addresses and locations, (ii) apply real-time, fine-grained control through local agents on the switches, (iii) perform deep packet inspection and header compression on packets, and (iv) remotely manage shares of base-station resources.
TL;DR: VeriFlow is a layer between a software-defined networking controller and network devices that checks for network-wide invariant violations dynamically as each forwarding rule is inserted, and it is found that VeriFlow can perform rigorous checking within hundreds of microseconds per rule insertion.
Abstract: Networks are complex and prone to bugs. Existing tools that check configuration files and data-plane state operate offline at timescales of seconds to hours, and cannot detect or prevent bugs as they arise. Is it possible to check network-wide invariants in real time, as the network state evolves? The key challenge here is to achieve extremely low latency during the checks so that network performance is not affected. In this paper, we present a preliminary design, VeriFlow, which suggests that this goal is achievable. VeriFlow is a layer between a software-defined networking controller and network devices that checks for network-wide invariant violations dynamically as each forwarding rule is inserted. Based on an implementation using a Mininet OpenFlow network and Route Views trace data, we find that VeriFlow can perform rigorous checking within hundreds of microseconds per rule insertion.
TL;DR: In this paper, the authors describe techniques for providing managed virtual computer networks that have a configured logical network topology with virtual networking devices, such as by a network-accessible configurable network service, with corresponding networking functionality provided for communications between multiple computing nodes of the virtual computer network by emulating functionality that would be provided by the virtual network devices if they were physically present.
Abstract: Techniques are described for providing managed virtual computer networks that have a configured logical network topology with virtual networking devices, such as by a network-accessible configurable network service, with corresponding networking functionality provided for communications between multiple computing nodes of the virtual computer network by emulating functionality that would be provided by the virtual networking devices if they were physically present. In some situations, the networking functionality provided for a managed computer network of a client includes receiving routing communications directed to the virtual networking devices, and using included routing information to identify and initiate external actions whose effects are not related to how network communications between computing nodes of the managed computer network are configured to be routed or otherwise forwarded through the managed computer network, such as external actions that affect devices that are not part of the managed computer network, or other types of external actions.
TL;DR: This paper proposes OpenQoS, which is a novel OpenFlow controller design for multimedia delivery with end-to-end Quality of Service (QoS) support based on QoS routing where the routes of multimedia traffic are optimized dynamically to fulfill the required QoS.
Abstract: OpenFlow is a Software Defined Networking (SDN) paradigm that decouples control and data forwarding layers of routing. In this paper, we propose OpenQoS, which is a novel OpenFlow controller design for multimedia delivery with end-to-end Quality of Service (QoS) support. Our approach is based on QoS routing where the routes of multimedia traffic are optimized dynamically to fulfill the required QoS. We measure performance of OpenQoS over a real test network and compare it with the performance of the current state-of-the-art, HTTP-based multi-bitrate adaptive streaming. Our experimental results show that OpenQoS can guarantee seamless video delivery with little or no video artifacts experienced by the end-users. Moreover, unlike current QoS architectures, in OpenQoS the guaranteed service is handled without having adverse effects on other types of traffic in the network.
TL;DR: Network architectures such as Software-Defined Networks (SDNs) move the control logic off packet processing devices and onto external controllers, and these network architectures with decoupled control...
Abstract: Network architectures such as Software-Defined Networks (SDNs) move the control logic off packet processing devices and onto external controllers. These network architectures with decoupled control...
TL;DR: Procera is described, a control architecture for software-defined networking that includes a declarative policy language based on the notion of functional reactive programming that extends this formalism with both signals relevant for expressing high-level network policies in a variety of network settings, including home and enterprise networks.
Abstract: Our previous experience building systems for implementing network policies in home and enterprise networks has revealed that the intuitive notion of network policy in these domains is inherently dynamic and stateful. Current configuration languages, both in traditional network architectures and in OpenFlow systems, are not expressive enough to capture these policies. As a result, most prototype OpenFlow systems lack a configurable interface and instead require operators to program in the system implementation language, often C++. We describe Procera, a control architecture for software-defined networking (SDN) that includes a declarative policy language based on the notion of functional reactive programming; we extend this formalism with both signals relevant for expressing high-level network policies in a variety of network settings, including home and enterprise networks, and a collection of constructs expressing temporal queries over event streams that occur frequently in network policies. Although sophisticated users can take advantage of Procera's full expressiveness by expressing network policies directly in Procera, simpler configuration interfaces (e.g., graphical user interfaces) can also easily be built on top of this formalism.
TL;DR: A new design for a high-level network programming language; an improved set of compiler algorithms; a new run-time system for SDN architectures; the first formal semantics and proofs of correctness in this domain; and an implementation and evaluation that demonstrates the performance benefits over traditional manual techniques.
Abstract: Software-defined networks (SDNs) are a new kind of network architecture in which a controller machine manages a distributed collection of switches by instructing them to install or uninstall packet-forwarding rules and report traffic statistics. The recently formed Open Networking Consortium, whose members include Google, Facebook, Microsoft, Verizon, and others, hopes to use this architecture to transform the way that enterprise and data center networks are implemented. In this paper, we define a high-level, declarative language, called NetCore, for expressing packet-forwarding policies on SDNs. NetCore is expressive, compositional, and has a formal semantics. To ensure that a majority of packets are processed efficiently on switches---instead of on the controller---we present new compilation algorithms for NetCore and couple them with a new run-time system that issues rule installation commands and traffic-statistics queries to switches. Together, the compiler and run-time system generate efficient rules whenever possible and outperform the simple, manual techniques commonly used to program SDNs today. In addition, the algorithms we develop are generic, assuming only that the packet-matching capabilities available on switches satisfy some basic algebraic laws. Overall, this paper delivers a new design for a high-level network programming language; an improved set of compiler algorithms; a new run-time system for SDN architectures; the first formal semantics and proofs of correctness in this domain; and an implementation and evaluation that demonstrates the performance benefits over traditional manual techniques.
TL;DR: This paper is a first attempt to fill this gap as it aims at analyzing how SDN can be beneficial in wireless infrastructureless networking environments with special emphasis on wireless personal area networks (WPAN).
Abstract: The software defined networking (SDN) paradigm promises to dramatically simplify network configuration and resource management. Such features are extremely valuable to network operators and therefore, the industrial (besides the academic) research and development community is paying increasing attention to SDN. Although wireless equipment manufacturers are increasing their involvement in SDN-related activities, to date there is not a clear and comprehensive understanding of what are the opportunities offered by SDN in most common networking scenarios involving wireless infrastructureless communications and how SDN concepts should be adapted to suit the characteristics of wireless and mobile communications. This paper is a first attempt to fill this gap as it aims at analyzing how SDN can be beneficial in wireless infrastructureless networking environments with special emphasis on wireless personal area networks (WPAN). Furthermore, a possible approach (called SDWN) for such environments is presented and some design guidelines are provided.
TL;DR: It is shown how ndb modifies forwarding state and logs packet digests to rebuild the sequence of events leading to an errant packet, providing SDN programmers and operators with a valuable tool for tracking down the root cause of a bug.
Abstract: The behavior of a Software-Defined Network is controlled by programs, which like all software, will have bugs - but this programmatic control also enables new ways to debug networks. This paper introduces ndb, a prototype network debugger inspired by gdb, which implements two primitives useful for debugging an SDN: breakpoints and packet backtraces. We show how ndb modifies forwarding state and logs packet digests to rebuild the sequence of events leading to an errant packet, providing SDN programmers and operators with a valuable tool for tracking down the root cause of a bug.
TL;DR: Configuration changes are a common source of instability in networks, leading to outages, performance disruptions, and security vulnerabilities, even when the initial and final configurations are identical.
Abstract: Configuration changes are a common source of instability in networks, leading to outages, performance disruptions, and security vulnerabilities. Even when the initial and final configurations are c...
TL;DR: Algorithms are proposed to improve resiliency of the connection between control and forwarding planes in SDN by maximizing the possibility of fast failover—which is achieved through resilience-aware controller placement and control-traffic routing in the network.
Abstract: The Software-defined Network (SDN) design decouples forwarding and control planes, and runs the controlling functions on servers that might be in different physical locations from the forwarding elements. Such separation introduces new challenges to the network resiliency, because disconnection between switches and the controller could disable the forwarding plane. In this work, we analyze resiliency of the connection between control and forwarding planes in SDN. We propose algorithms to improve this resiliency by maximizing the possibility of fast failover—which we achieve through resilience-aware controller placement and control-traffic routing in the network.
TL;DR: CrossRoads is presented - a network fabric that provides layer agnostic and seamless live and offline VM mobility across multiple data centers and extends the idea of location independence based on pseudo addresses proposed in recent research to work with a control plane overlay of OpenFlow network controllers in various data centers.
Abstract: Most enterprises today run their applications on virtual machines (VMs). VM mobility - both live and offline, can provide enormous flexibility and also bring down OPEX (Operational Expenditure) costs. However, both live and offline migration of VMs is still limited to within a local network because of the complexities associated with cross subnet live and offline migration. These complexities mainly arise from the hierarchical addressing used by various layer 3 routing protocols. For cross data center VM mobility, virtualization vendors require that the network configuration of the new data center where a VM migrates must be similar to that of the old data center. This severely restricts wide spread use of VM migration across data center networks. For offline migration, the above limitations can be overcome by reconfiguring IP addresses for the migrated VMs. However, even this effort is non-trivial and time consuming as these IP addresses are embedded in various configuration files inside these VMs. As enterprises grow and new data centers emerge in different geographic locations, there is a need to interconnect these data centers in a way that allows seamless VM mobility. In this context, we present CrossRoads - a network fabric that provides layer agnostic and seamless live and offline VM mobility across multiple data centers. We leverage software defined networking and implement an OpenFlow based prototype of CrossRoads. CrossRoads extends the idea of location independence based on pseudo addresses proposed in recent research to work with a control plane overlay of OpenFlow network controllers in various data centers. We evaluate CrossRoads on an innovative testbed that leverages nested virtualization to emulate two data centers. Our results confirm that CrossRoads has negligible performance overhead as compared to a Default layer 2 network - its average performance was no worse than 2.3% as compared to Default fabric across all experiments. 
In some experiments, it even outperformed the Default by up to 30%.
TL;DR: This work proposes participatory networking, a new paradigm for network configuration in which users submit requests or hints for current and future network properties such as quality of service, access control, and path selection.
Abstract: Software Defined Networks, which provide a programmable, logically centralized abstraction of network control, offer an escape from the current state of enterprise and datacenter network configuration, plagued by brittle, static solutions involving manual setting of myriad devices. But if SDNs provide an operating system for the network, we are missing the analog to system calls - an API for end-users and their applications to take part in network configuration. In response, we propose participatory networking, a new paradigm for network configuration in which users submit requests or hints for current and future network properties such as quality of service, access control, and path selection. We describe the initial design and implementation of a participatory networking system, PANE, and its solutions to the challenges of resource arbitration and privilege delegation.
TL;DR: A case study is presented which shows that dynamically switching off APs to save energy can be performed seamlessly with CloudMAC, while a traditional WLAN architecture causes large interruptions for users.
Abstract: IEEE 802.11 WLANs are a very important technology to provide high speed wireless Internet access. Especially at airports, university campuses or in city centers, WLAN coverage is becoming ubiquitous leading to a deployment of hundreds or thousands of Access Points (AP). Managing and configuring such large WLAN deployments is a challenge. Current WLAN management protocols such as CAPWAP are hard to extend with new functionality. In this paper, we present CloudMAC, a novel architecture for enterprise or carrier grade WLAN systems. By partially offloading the MAC layer processing to virtual machines provided by cloud services and by integrating our architecture with OpenFlow, a software defined networking approach, we achieve a new level of flexibility and reconfigurability. In CloudMAC, APs just forward MAC frames between virtual APs and IEEE 802.11 stations. The processing of MAC layer frames as well as the creation of management frames is handled at the virtual APs while the binding between the virtual APs and the physical APs is managed using OpenFlow. The testbed evaluation shows that CloudMAC achieves similar performance as normal WLANs, but allows novel services to be implemented easily in high level programming languages. The paper presents a case study which shows that dynamically switching off APs to save energy can be performed seamlessly with CloudMAC, while a traditional WLAN architecture causes large interruptions for users.
TL;DR: The techno-economic analysis indicates that SDN and virtualization of the first aggregation stage and second aggregation stage network infrastructure leads to substantial capex cost reductions for the mobile network operator and mobile network infrastructure virtualization through the use of OpenFlow could be one of the problem solvers to tackle the issue of rising costs and decreasing profitability.
Abstract: Worldwide mobile network operators have to spend billions to upgrade their own network to the latest standards for wireless communication of high-speed data for mobile phones (e.g. Long Term Evolution, LTE). This is in contrast with the decline in average revenue per user and threatens: (1) their profitability and (2) the fast adaptation of new standards. Investigating new mechanisms that can decrease the capital expenditures (capex) and operational expenditures (opex) of a mobile network is therefore essential. Enabling multiple mobile network operators on a common infrastructure is one such mechanism. Software defined networks can overcome this problem and a solution based on exploring OpenFlow (OF) as architecture for mobile network virtualization has been proposed. We investigate two network scenarios based on this OF solution in a techno-economic analysis: (scenario 1) software-defined, non-shared networks and (scenario 2) virtualized, shared networks and compare it against the current situation. By doing so, this paper provides insights on the relative cost savings that a mobile network operator can reach through Software Defined Networking (SDN) and network sharing. The techno-economic analysis indicates that SDN and virtualization of the first aggregation stage and second aggregation stage network infrastructure leads to substantial capex cost reductions for the mobile network operator. As a consequence, mobile network infrastructure virtualization through the use of OpenFlow could be one of the problem solvers to tackle the issue of rising costs and decreasing profitability. Still, we did not take into account the direct effect on operational expenditures and the indirect effect that network sharing can adversely affect the ability of the operators to differentiate themselves.
TL;DR: An open standard that enables software-defined networking to address the challenges of distributed computing.
Abstract: Computer networks have historically evolved box by box, with individual network elements occupying specific ecological niches as routers, switches, load balancers, NATs (network address translation...
TL;DR: This paper outlines a possible realization in a novel design for ICN solutions and point to possible test bed deployments for future testing.
Abstract: The areas of Software-Defined Networking (SDN) and Information-Centric Networking (ICN) have gained increasing attention in the wider research community, while gaining credibility through corporate interest and investment. With the promise of SDN to simplify the deployment of alternative network architectures, the question arises how SDN and ICN could concretely be combined, deployed and tested. In this paper, we address this very question within a particular architectural context for ICN. We outline a possible realization in a novel design for ICN solutions and point to possible test bed deployments for future testing.
TL;DR: The M2M paradigm enhances vehicular networking by supporting large-scale deployment of devices, cross-platform networking, autonomous monitoring and control, visualization of the system and measurements, and security, and some of the challenges that still need to be addressed are presented.
Abstract: To address the need for autonomous control of remote and distributed mobile systems, Machine-to-Machine (M2M) communications are rapidly gaining attention from both academia and industry. M2M communications have recently been deployed in smart grid, home networking, health care, and vehicular networking environments. This paper focuses on M2M communications in the vehicular networking context and investigates areas where M2M principles can improve vehicular networking. Since connected vehicles are essentially a network of machines that are communicating, preferably autonomously, vehicular networks can benefit a lot from M2M communications support. The M2M paradigm enhances vehicular networking by supporting large-scale deployment of devices, cross-platform networking, autonomous monitoring and control, visualization of the system and measurements, and security. We also present some of the challenges that still need to be addressed to fully enable M2M support in the vehicular networking environment. Of these, component standardization and data security management are considered to be the most significant challenges.
TL;DR: A software-defined network overlay capability is configured to control one or more overlay networks using SDN in which control functions and forwarding functions are separated as mentioned in this paper, and the overlay capability may be configured to vertically move packets across network layers.
Abstract: A software-defined network overlay capability is configured to control one or more overlay networks using software-defined networking (SDN) in which control functions and forwarding functions are separated. The software-defined network overlay capability may be configured to vertically move packets across network layers, e.g., into an overlay network (e.g., into a tunnel via encapsulation), out of an overlay network (e.g., out of a tunnel via decapsulation), or the like. The software-defined network overlay capability may be configured to move packets from native forwarding infrastructure into an overlay network, between overlay networks (e.g., into a first overlay network from a second overlay network without leaving the second overlay network, out of a first overlay network and into a second overlay network, out of a first overlay network while remaining within a second overlay network, or the like), from an overlay network onto native forwarding infrastructure, or the like.
TL;DR: A virtual switch network abstraction is explored, that when combined with software-defined networking concepts provides the science users a simple, adaptable network framework to meet their upcoming application requirements.
Abstract: University campuses, Supercomputer centers and R&E networks are challenged to architect, build and support IT infrastructure to deal effectively with the data deluge facing most science disciplines. Hybrid network architecture, multi-domain bandwidth reservations, performance monitoring and GLIF Open Lightpath Exchanges (GOLE) are examples of network architectures that have been proposed, championed and implemented successfully to meet the needs of science. Most recently, Science DMZ, a campus design pattern that bypasses traditional performance hotspots in typical campus network implementation, has been gaining momentum. In this paper and corresponding demonstration, we build upon the SC11 SCinet Research Sandbox demonstrator with Software-Defined networking to explore new architectural approaches. A virtual switch network abstraction is explored, that when combined with software-defined networking concepts provides the science users a simple, adaptable network framework to meet their upcoming application requirements.
TL;DR: The implementation has been designed to easily support other ICN solutions with simple modification of the code, and the basic ICN functionalities that are specifically addressed are data naming, route-by-name, and in-network caching.
Abstract: Information-centric networking (ICN) is a novel networking paradigm which is attracting increasing attention by both academic and industrial researchers. In fact, it promises to provide technological solutions that best fit with the way in which Internet is actually utilized. Assessment of proposed solutions requires appropriate experimental testbeds. In this context OpenFlow, which has been developed to enable the deployment of novel networking solutions in the actual network infrastructure, represents a valuable tool. Accordingly, we are currently implementing an ICN solution - called CONET - for OpenFlow networks. The solution will be deployed in two testbeds, part of larger experimental OpenFlow facility distributed across Europe realized by the EU funded OFELIA project. In particular one testbed will be based on the Open vSwitch platform while the other will be deployed on NetFPGA platforms. Our implementation has been designed to easily support other ICN solutions with simple modification of the code. The basic ICN functionalities that are specifically addressed in our implementation are data naming, route-by-name, and in-network caching.
TL;DR: The key concept behind the system is a centralized multi-user optimization of the path assignments, which maximizes QoE by taking into account service utility functions, network topology, link capacities, and delay.
Abstract: This paper presents motivation and ongoing work towards a system for Quality of Experience (QoE)-driven path assignment for multimedia services. The system goal is to enable negotiation of service and network communication parameters between end-users and to assign the network paths that are used for delivering multimedia flows according to the agreed service configuration. The key concept behind the system is a centralized multi-user optimization of the path assignments, which maximizes QoE by taking into account service utility functions, network topology, link capacities, and delay. Based on the output of the optimization process, the system implementation uses the OpenFlow to set up forwarding paths for the network elements.
TL;DR: To make the case for SDN in heterogeneous networks, or Heterogeneous SDN (H-SDN), this work examines application scenarios in which H-SDN is a key enabling technology.
Abstract: Motivated by a vision of a fully connected world, we explore how Software-Defined Networking (SDN) can be utilized to support heterogeneous environments consisting of both infrastructure-based and infrastructure-less networks. To make the case for SDN in heterogeneous networks, or Heterogeneous SDN (H-SDN), we examine application scenarios in which H-SDN is a key enabling technology.
TL;DR: The research aims to reduce the state needed to be distributed to the network devices by the controller(s) in SDNs, and in return improve the scale, convergence time, fault tolerance and cost of such network architectures.
Abstract: The research introduced in this paper focuses on controller scalability and performance issues in Software-Defined Networks (SDNs), and discusses a new routing scheme that leverages a variation of Source Routing for use in OpenFlow-based networks. The research aims to reduce the state needed to be distributed to the network devices by the controller(s) in SDNs, and in return improve the scale, convergence time, fault tolerance and cost of such network architectures.
TL;DR: In this article, the authors present a system for personalizing web applications based on social networking data, which can assign a user into a user category based on the social network data and customize a user interface of the application.
Abstract: Systems, methods, and non-transitory computer-readable storage media for personalizing applications, such as web applications, based on social networking data. A system configured to practice the method first identifies a user of an application, such as by requesting the user to log in to or create a user profile. The system optionally requests authorization from the user to access the social networking data, such as if all or part of the social networking data is private. The system can cache the social networking data in order to save bandwidth or keep requests within the terms of service of a social networking API. The system can assign the user into a user category based on the social networking data, and customize a user interface of the application based on the social networking data and/or the user category by adjusting at least one of location, size, and appearance of a user interface element.
TL;DR: A multicast clean-slate approach logically centralized based on programmable networks and anticipated processing for all routes from each possible source, aiming to reduce event delays is proposed, showing promising delays comparable to the requirements of multipoint applications.
Abstract: Multipoint communication is an important requirement for many types of applications such as videoconferencing, IPTV and online radio. However, the division of the Internet into autonomous systems hinders the widespread adoption of traditional multicast protocols, which, for using distributed algorithms, delay the group control events processing. This paper proposes a multicast clean-slate approach logically centralized based on programmable networks and anticipated processing for all routes from each possible source, aiming to reduce event delays. A prototype was implemented based on OpenFlow technology. In addition, extensive evaluation was performed and results show promising delays comparable to the requirements of multipoint applications.
TL;DR: In this article, a flow forwarding rule is generated for a first network element of the SDN based on detection of a condition (e.g., TCAM utilization condition, CPU utilization condition or the like) associated with the first network element.
Abstract: A flow deflection capability is provided for deflecting data flows within a Software Defined Network (SDN) in order to provide security for the SDN. A flow forwarding rule is generated for a first network element of the SDN based on detection of a condition (e.g., TCAM utilization condition, CPU utilization condition, or the like) associated with the first network element. The flow forwarding rule is generated by a control element of the SDN or the first network element of the SDN. The flow forwarding rule is indicative that at least a portion of new flow requests received at the first network element are to be forwarded from the first network element to a second network element of the SDN. The flow forwarding rule may specify full flow deflection or selective flow deflection.