Dynamic and Application-Aware Provisioning of Chained Virtual Security Network Functions

Doriguzzi-Corin, Roberto; Scott-Hayward, Sandra; Siracusa, Domenico; Savi, Marco; Salvadori, Elio

doi:10.1109/tnsm.2019.2941128

Cited by 36 publications

(35 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…[46]) as ratio between the number of adopted CPU cores and of flows supported by the middlebox. Even though this is just a possible and rough estimation for the processing requirement (see [47] for a different strategy based on CPU cycles/s), it allows to TABLE VI PERFORMANCE COMPARISON BETWEEN ILP AND HCA |C| = 3, N user = 300, N iter = 100 |C| = 6, N user = 150, N iter = 100 |C| = 8, N user = 450, N iter = 10 Latency Costs [15] HCA ILP HCA ILP HCA ILP Average number of active NFV nodes ω = 0 ms, κ = 0 ms 2.91 ± 0.057 2.91 ± 0.057 2.95 ± 0.043 2.95 ± 0.043 6.00 ± 0.000 6.00 ± 0.000 ω = 0 ms, κ = 1.75 ms 2.95 ± 0, 052 2.93 ± 0.058 2.99 ± 0.034 2.97 ± 0.034 6.11 ± 0.260 6.00 ± 0.000 ω = 0.4 ms, κ = 0 ms 3.09 ± 0.090 3.07 ± 0.086 3.00 ± 0.028 2.99 ± 0.020 7.86 ± 0.640 6.45 ± 0.410 Results are reported along with 95% confidence intervals understand which are the most processing-hungry VNFs: for example, according to our estimation, a Traffic Monitor is about 15 times more processing-hungry than a Firewall. The six VNFs can be chained in different ways to provide four heterogeneous SFCs, reported in Table V.…”

Section: A Computational Settingsmentioning

confidence: 99%

Impact of Processing-Resource Sharing on the Placement of Chained Virtual Network Functions

Savi

Tornatore

Verticale

2021

IEEE Trans. Cloud Comput.

Self Cite

View full text Add to dashboard Cite

Network Function Virtualization (NFV) provides higher flexibility for network operators and reduces the complexity in network service deployment. Using NFV, Virtual Network Functions (VNF) can be located in various network nodes and chained together in a Service Function Chain (SFC) to provide a specific service. Consolidating multiple VNFs in a smaller number of locations would allow decreasing capital expenditures. However, excessive consolidation of VNFs might cause additional latency penalties due to processing-resource sharing, and this is undesirable, as SFCs are bounded by service-specific latency requirements. In this paper, we identify two different types of penalties (referred as "costs") related to the processingresource sharing among multiple VNFs: the context switching costs and the upscaling costs. Context switching costs arise when multiple CPU processes (e.g., supporting different VNFs) share the same CPU and thus repeated loading/saving of their context is required. Upscaling costs are incurred by VNFs requiring multi-core implementations, since they suffer a penalty due to the load-balancing needs among CPU cores. These costs affect how the chained VNFs are placed in the network to meet the performance requirement of the SFCs. We evaluate their impact while considering SFCs with different bandwidth and latency requirements in a scenario of VNF consolidation.

show abstract

Section: A Computational Settingsmentioning

confidence: 99%

Impact of Processing-Resource Sharing on the Placement of Chained Virtual Network Functions

Savi

Tornatore

Verticale

2021

IEEE Trans. Cloud Comput.

Self Cite

View full text Add to dashboard Cite

show abstract

“…The proposal avoids VNFI resource fragmentation and security service latency. The authors of [14], [15] proposed an Integer Linear Programming (ILP) formulation for placing VNSFs with respect to both the quality of service requirements and the security constraints. They argue that omitting the QoS requirements by forcing all the traffic to traverse the whole VNSFs chain can cause performance degradation to latency-sensitive applications, especially when traversing computationally-demanding security functions such as IDS.…”

Section: Related Workmentioning

confidence: 99%

Designing Security-Aware Service Requests for NFV-Enabled Networks

Jmila

Blanc

2019

2019 28th International Conference on Computer Communication and Networks (ICCCN)

View full text Add to dashboard Cite

Network Function Virtualization (NFV) is a new concept where virtualization is used to shift "network functions" (e.g., routers, switches, load-balancers, proxies) from specialized hardware appliances to software images running on high volume servers. The resource allocation problem in the NFV environment has received considerable attention in the past years. However, little attention was paid to the security aspects of the problem in spite of the increasing number of vulnerabilities faced by cloudbased applications. Securing the services is an urgent need to completely benefit from the advantages offered by NFV. In this paper, we show how a network service request, composed of a set of service function chains (SFC) should be modified and enriched to take into consideration the security requirements of the supported service. We examine the well-known security best practices and propose a two-step algorithm that extends the initial SFC requests to a more complex chaining model that includes the security requirements of the service.

show abstract

“…Nevertheless, the integration of traditional hardware appliances and software-defined functions is not trivial and can be influenced by multiple factors, such as: (i) the hSDN deployment model (cf. Section 2), which might determine how the traffic is routed within the network and where the security functions can be executed [112], [113], (ii) the specific security policies and bestpractices of the operator/enterprise, which define how each class of network traffic should be processed [114], [115], and (iii) the user requirements in terms of QoS (usually maximum end-toend latency and minimum bandwidth), as busy links and devices might create bottlenecks in the network.…”

Section: Threat Detection and Mitigationmentioning

confidence: 99%

Hybrid SDN evolution: A comprehensive survey of the state-of-the-art

et al. 2021

Self Cite

View full text Add to dashboard Cite

Software-Defined Networking (SDN) is an evolutionary networking paradigm which has been adopted by large network and cloud providers, among which are Tech Giants. However, embracing a new and futuristic paradigm as an alternative to well-established and mature legacy networking paradigm requires a lot of time along with considerable financial resources and technical expertise. Consequently, many enterprises can not afford it. A compromise solution then is a hybrid networking environment (a.k.a. Hybrid SDN (hSDN)) in which SDN functionalities are leveraged while existing traditional network infrastructures are acknowledged.Recently, hSDN has been seen as a viable networking solution for a diverse range of businesses and organizations. Accordingly, the body of literature on hSDN research has improved remarkably. On this account, we present this paper as a comprehensive state-of-the-art survey which expands upon hSDN from many different perspectives.

show abstract

Dynamic and Application-Aware Provisioning of Chained Virtual Security Network Functions

Cited by 36 publications

References 32 publications

Impact of Processing-Resource Sharing on the Placement of Chained Virtual Network Functions

Impact of Processing-Resource Sharing on the Placement of Chained Virtual Network Functions

Designing Security-Aware Service Requests for NFV-Enabled Networks

Hybrid SDN evolution: A comprehensive survey of the state-of-the-art

Contact Info

Product

Resources

About