SFCMon: An Efficient and Scalable Monitoring System for Network Flows in SFC-enabled Domains

Bonfim, Michel; Dias, Kelvin Lopes; Fernandes, Stênio

doi:10.5753/wpietf.2019.6581

Cited by 1 publication

(11 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Concerning the data plane, FrameRTP4 implements a customizable P4 program to provide line‐rate processing directly within the switches. To this end, such program provides the following functionalities: (i) an SFC implementation to enable low‐level lifecycle management of NS instances; (ii) an efficient and scalable P4 table‐based ACL that applies wildcard rules for the detection and mitigation of known attacks; and (iii) an efficient and scalable monitoring solution, namely SFCMon, to keep track network flows in SFC environments.…”

Section: The Framertp4 Frameworkmentioning

confidence: 99%

“…The first component is an SFC implementation that aims to enable low‐level lifecycle management of NS instances. For this, we adapt a reference implementation that was proposed in one of our previous works . SFC is a key enabler for 5G NS .…”

Section: The Framertp4 Frameworkmentioning

confidence: 99%

“…Finally, the third component consists of an efficient and scalable monitoring solution, namely SFCMon, to keep track network flows in SFC environments. To this end, we adapt a reference implementation that was proposed in one of our previous works . To achieve the desired goals, SFCMon works with a pipeline of probabilistic data structures to detect large flows and to store some of their features, such as packet counting.…”

Section: The Framertp4 Frameworkmentioning

confidence: 99%

“…Furthermore, this program consists of an efficient and scalable P4 table‐based ACL that applies wildcard rules for the detection and mitigation of known attacks. Besides, the P4 program deploys a monitoring system, namely SFCMon, one of our previous work that uses BFs and sketches to support an efficient and scalable mechanism to track network flows.…”

Section: Introductionmentioning

confidence: 99%

“…Besides, we follow the RFC 8300 to define a P4 header for the Network Service Header (NSH). An efficient and scalable monitoring solution, namely SFCMon , a P4 program to keep track network flows in SFC environments. For this, we adapt a reference implementation that was proposed in one of our previous works . An efficient and scalable P4‐based ACL implementation that applies wildcard rules for the real‐time detection and mitigation of known attacks. The FrameRTP4 Switch , a P4 program reference implementation that provides a processing pipeline that integrates the three components above. The FrameRTP4 Controller , a P4Runtime‐based SDN controller reference implementation that enables flow control and SFCMon management on one or more FrameRTP4 Switches. A Wildcard Rule Generator solution that implements an algorithm for 5‐tuple rules compression that aims to reduce the number of rules required to realize policies on a single FrameRTP4 Switch. The FrameRTP4 Orchestrator , a Python‐based program that controls one or more FrameRTP4 Controllers to provide security for end‐to‐end NS.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

A real‐time attack defense framework for 5G network slicing

et al. 2020

Self Cite

View full text Add to dashboard Cite

Network Slicing (NS) is a key enabler to support 5G network services on-demand. However, since NS is a result of the recent advancement in Software-Defined Networking and Network Function Virtualization, it introduces new security issues which include attacks against an NS instance within an operator network and interslice security threats. In this scenario, identifying and mitigating attacks in real-time is of paramount importance to improve security aspects. However, it is far from being straightforward. Therefore, this work proposes the FrameRTP4, a P4-based framework that aims to deliver real-time attack detection and mitigation mechanisms in 5G NS scenarios. For this, it provides a P4-based switch that implements an Service Function Chaining protocol layer, an efficient and scalable Access Control List for the detection and mitigation of known attacks, and a monitoring system aiming to reduce the overhead induced on the control channel. Furthermore, it delivers an orchestrator that aims to control all switches in order to enable lifecycle management of NS instances and P4 table rules. Besides, it also performs some autonomous tasks such as the wildcard rules generation and the detection of new threats by using machine learning algorithms. Preliminary results point to the potential benefits of FrameRTP4 to be part of a 5G NS infrastructure. K E Y W O R D S5G, bloom filter, cybersecurity, network function virtualization, network slice, P4

show abstract

Section: The Framertp4 Frameworkmentioning

confidence: 99%

Section: The Framertp4 Frameworkmentioning

confidence: 99%

Section: The Framertp4 Frameworkmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%