NET3: Network Softwarisation III
Friday, 11 June 2021, 09:30-11:00, Zoom Room
Session Chair: Franco Callegati (Univ. Bologna, Italy)
A Security Monitoring Architecture Based on Data Plane Programmability
Amir Alsadi (University of Bologna, Italy); Davide Berardi (Università di Bologna, Italy); Franco Callegati (Università di Bologna, Italy); Andrea Melis and Marco Prandini (University of Bologna, Italy)
Software Defined Networking has put the accent on the implementation of effective, sophisticated algorithms for the control plane, running on centralized devices. Pure centralization, however, also introduces inefficiencies and limitations in many scenarios, often negatively affecting security. Network applications could benefit from data plane programmability, e.g. implementing the increasingly popular P4 language. In this paper, we show that P4-enabled switches can run simple yet significant tasks that enhance the cooperation with the control plane, improving traffic analysis functionalities of practical relevance for security monitoring purposes. We also show how these P4-based solutions can be integrated into an SDN architecture acting as an Intrusion Detection System.
Blockchain-Based Zero Touch Service Assurance in Cross-Domain Network Slicing
Vasileios Theodorou (Intracom S.A. Telecom Solutions, Greece); Alexios Lekidis (Intracom Telecom, Greece); Theodoros Bozios (Intracom S.A. Telecom Solutions, Greece); Kalman Meth (IBM, Israel); Adriana Fernández-Fernández (Fundació i2CAT, Internet i Innovació Digital a Catalunya, Spain); James Taylor (Bartr Group, United Kingdom (Great Britain)); Pedro Diogo and Pedro Martins (Ubiwhere, Portugal); Rasoul Behravesh (Fondazione Bruno Kessler, Italy)
The inclusion of resource sharing schemes within Network Function Virtualization (NFV) ecosystems allows for optimised usage of 5G infrastructure and extended capabilities of network slicing services. In such environments, marketplaces are formed to facilitate the exchange of NFV services across administrative domains, which may, however, belong to untrusted and unreliable entities. In this work, we propose a novel zero-touch approach for cross-domain network slicing service assurance, using enterprise blockchain technologies and employing an AI-driven closed-loop automation architecture. Our approach is based on the lifecycle management of Service Level Agreements (SLAs) using smart contracts, from service negotiation to service binding, monitoring, reconfiguration and decommissioning. Our closed-loop architecture is materialised using Cloud-Native operational Data Lakes and allows continuous monitoring of the status and health of exchanged services and the detection or prediction of SLA violations, so that immediate mitigation actions are taken to ensure service continuity. The proposed approach is applied in real Content Distribution Network scenarios within the European project 5GZORRO, and our experimental results demonstrate the ability of our system to accurately predict changes in service demand and to respond in a timely manner with preventive scaling actions.
Distributed AI-Based Security for Massive Numbers of Network Slices in 5G & Beyond Mobile Systems
Chafika Benzaid and Tarik Taleb (Aalto University, Finland); Cao-Thanh Phan (BCOM, France); Christos Tselios (University of Patras & Citrix Inc., Greece); George Tsolis (Citrix Systems Inc., Greece)
The envisioned massive deployment of network slices in 5G and beyond mobile systems makes the shift towards zero-touch, scalable and secure slice lifecycle management a necessity. This is to harvest the benefits of network slicing in enabling profitable services. These benefits will not be attained without ensuring a high level of security of the created network slices and the underlying infrastructure, above all in a zero-touch automated fashion. In this vein, this paper presents the architecture of an innovative network slicing security orchestration framework, being developed within the EU H2020 MonB5G project. The framework leverages the potential of Security as a Service (SECaaS) and Artificial Intelligence (AI) to foster fully-distributed, autonomic and fine-grained management of network slicing security from the node level to the end-to-end and inter-slice levels.
Network Policies in Kubernetes: Performance Evaluation and Security Analysis
Gerald Budigiri (KU Leuven, Belgium); Christoph Baumann (Ericsson Research, Sweden); Jan Tobias Mühlberg, Eddy Truyen and Wouter Joosen (KU Leuven, Belgium)
5G applications with ultra-high reliability and low latency requirements necessitate the adoption of edge computing solutions in mobile networks. Container orchestration frameworks like Kubernetes (K8s) have further emerged as the preferred standard to dynamically deploy edge applications on demand of end-users and third-party companies. Unfortunately, complex networking and security concerns have been highlighted as challenges that impede the successful adoption of container technology by the industry. The security challenge is exacerbated by (mis-)conceptions that secure inter-container communication comes at the cost of performance, yet both requirements are vital for 5G edge-computing use cases. Pursuing low-overhead security solutions, this paper investigates network policies, the K8s concept for controlling network isolation between tenants. We evaluate performance overheads of eBPF-based solutions by Calico and Cilium, and analyze the security of network policies, highlighting security threats to network policies and outlining corresponding state-of-the-art solutions. Our assessment shows that network policies are a suitable low-overhead security solution for low-latency inter-container communication.
vL2-WIM: Flexible Virtual Layer 2 Connectivity Services in Distributed 5G MANO Domains
Timo Kellermann (Universitat Politècnica de Catalunya & i2CAT Foundation, Spain); Ferran Canellas (i2CAT, Spain); Ricardo González and Daniel Camps-Mur (i2CAT Foundation, Spain)
Future 5G networks will be implemented as distributed clouds where virtual network functions and services are instantiated on demand. To support the required flexibility and automation, novel data center interconnect technology must support stringent data plane requirements brought along by 5G Radio Access Networks (RANs), while delivering the necessary flexibility in the service definition and enabling automation in the service provisioning. In this paper we present vL2-WIM, a novel WAN Infrastructure Manager (WIM) that enables virtual layer 2 services across data centers in distributed 5G MANO deployments. We provide a detailed evaluation of vL2-WIM showing how complex connectivity services composed of up to 30 Virtual Network Functions (VNFs) in different compute domains can be provisioned in less than 15 seconds.