Differences

en:networks [2019/10/09 13:38]
Mark Schmidt
en:networks [2019/10/09 14:34]
Mark Schmidt
Line 1: Line 1:
 ====== Methods for flexible and intelligent network services ====== ====== Methods for flexible and intelligent network services ======
 The focus of this work package are methods for flexible and intelligent network operation. The following three use cases in the BelWü/​campus context are considered. The focus of this work package are methods for flexible and intelligent network operation. The following three use cases in the BelWü/​campus context are considered.
-  - Integration of High-Performance Zones (HPZs) in campus networks and the BelWü network ​(Verlinkung zu den unteren Sections mit Hilfe von Anchors) +  - [[#​integration_of_high-performance_zones_hpzs_in_campus_networks_and_in_the_belwue-network|Integration of High-Performance Zones (HPZs) in campus networks and the BelWü network]] 
-  - Firewall offloading in campus networks through firewall bypass for trustworthy traffic ​(Verlinkung zu den unteren Sections mit Hilfe von Anchors) +  - [[#​firewall_offloading_in_campus_networks_through_a_firewall_bypass_for_trustworthy_traffic|Firewall offloading in campus networks through firewall bypass for trustworthy traffic]] 
-  - Flexible application of the security protocols 802.1X, MACsec and IPsec in campus networks ​(Verlinkung zu den unteren Sections mit Hilfe von Anchors)+  - [[#​flexible_application_of_the_security_protocols_8021x_macsec_and_ipsec_in_campus_networks|Flexible application of the security protocols 802.1X, MACsec and IPsec in campus networks]]
 Innovations based on the SDN technologies OpenFlow and P4 are proposed, realized as prototypes, and partly deployed in operational networks. Innovations based on the SDN technologies OpenFlow and P4 are proposed, realized as prototypes, and partly deployed in operational networks.
  
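Review bot: the anchor in the first list item ends in `..._in_campus_networks_and_in_the_belwue-network`, but the visible link text reads "in campus networks and the BelWü network" (no "and in the"); DokuWiki derives section anchors from the exact heading text, so an anchor that does not match the heading fails silently and the link just lands at the top of the page. Verify all three targets against the IDs the wiki actually renders for those headings rather than hand-typed strings, including `8021x`, where the dot in "802.1X" is dropped, and keep the link text and heading wording identical so the anchors stay stable when one of them is edited.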
Line 11: Line 11:
 Science DMZ, SciPass or CampusBypass have already proposed an integration of high-performance infrastructure in campus networks. In this project, High-Performance Zones (HPZs) equipped with high-performance servers and networks were set up in campus networks at different locations. The HPZs of different locations were connected via the optical high-performance network „Netzwerk für Innovation und Forschung“ (NeIF) and also integrated into the BelWü network and the campus networks. An OpenFlow-based approach was proposed which was first implemented in Mininet, then in a local testbed, and finally trialed on real hardware over the NeIF. For the latter, critical infrastructure was emulated to avoid issues with the operational network. A particular challenge were the responsibilities of the components. The campus networks and the HPZs are operated by the universities while the network between the campus networks and the forwarding within the NeIF between the HPZs are controlled by BelWü. Science DMZ, SciPass or CampusBypass have already proposed an integration of high-performance infrastructure in campus networks. In this project, High-Performance Zones (HPZs) equipped with high-performance servers and networks were set up in campus networks at different locations. The HPZs of different locations were connected via the optical high-performance network „Netzwerk für Innovation und Forschung“ (NeIF) and also integrated into the BelWü network and the campus networks. An OpenFlow-based approach was proposed which was first implemented in Mininet, then in a local testbed, and finally trialed on real hardware over the NeIF. For the latter, critical infrastructure was emulated to avoid issues with the operational network. A particular challenge were the responsibilities of the components. The campus networks and the HPZs are operated by the universities while the network between the campus networks and the forwarding within the NeIF between the HPZs are controlled by BelWü.
  
 +{{:​en:​sdn-neif.png?​400|SDN-NeIF architecture}}
  
 The proposed SDN architecture is illustrated in the figure. Each university location consists of a campus network and an HPZ. The campus network is connected via a campus router (CR) with a border router (BR) and a border switch (BS). The BR provides the uplink to the BelWü core network and to the Internet. The BS is an OpenFlow switch which is controlled by a central SDN controller (BSC) in the BelWü network and interconnects several university locations over the NeIF. It is also connected to the CR and the BR to interconnect the HPZ with the campus and the Internet. The proposed SDN architecture is illustrated in the figure. Each university location consists of a campus network and an HPZ. The campus network is connected via a campus router (CR) with a border router (BR) and a border switch (BS). The BR provides the uplink to the BelWü core network and to the Internet. The BS is an OpenFlow switch which is controlled by a central SDN controller (BSC) in the BelWü network and interconnects several university locations over the NeIF. It is also connected to the CR and the BR to interconnect the HPZ with the campus and the Internet.
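Review bot: the alt text "SDN-NeIF architecture" is the only text a screen reader or text-mode browser gets for this figure, yet the paragraph directly below depends on "the figure" to introduce CR, BR, BS, the BSC and the NeIF; consider an alt text that names those components (e.g. "SDN-NeIF architecture: campus router, border router, OpenFlow border switch and BelWü SDN controller") so the abbreviations remain intelligible without the image.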
Line 19: Line 20:
 Firewalls are often a bottleneck in the campus context if their capacity is lower than the network bandwidth. Their upgrade may be technically feasible, but it is very expensive. A typical use case is illustrated in the figure. Some traffic traversing a department firewall is trustworthy and does not need to be controlled by the firewall. Examples are flows between a department and the datacenter or other departments. Deviating such traffic around the firewall may be a cost-efficient way to mitigate the bottleneck. Firewalls are often a bottleneck in the campus context if their capacity is lower than the network bandwidth. Their upgrade may be technically feasible, but it is very expensive. A typical use case is illustrated in the figure. Some traffic traversing a department firewall is trustworthy and does not need to be controlled by the firewall. Examples are flows between a department and the datacenter or other departments. Deviating such traffic around the firewall may be a cost-efficient way to mitigate the bottleneck.
  
 +{{:​en:​fw-bypass.png?​400|Netzwork topology for the firewall bypass}}
  
 Several options were considered to deviate trustworthy thraffic around a firewall. Several options were considered to deviate trustworthy thraffic around a firewall.
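Review bot: typo in the new image's alt text, "Netzwork topology for the firewall bypass" should read "Network topology for the firewall bypass". While here, the unchanged line below this hunk has "thraffic" for "traffic".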
Line 34: Line 36:
 The standard IEEE 802.1X describes protocols and procedures to secure LAN infrastructures using authentication and authorization. The principle is illustrated in the figure. Initially, a client can communicate only EAP with its access switch. Then, the client is authenticated by the authenticator on the access switch using the protocols EAP and RADIUS. With RADIUS, the authenticator requests remote authentication servers for authentication and authorization data. After successful authentication,​ the client is authorized. That means the switch grants the client access to the network, and the client’s traffic is possibly assigned to a specific VLAN. The standard IEEE 802.1X describes protocols and procedures to secure LAN infrastructures using authentication and authorization. The principle is illustrated in the figure. Initially, a client can communicate only EAP with its access switch. Then, the client is authenticated by the authenticator on the access switch using the protocols EAP and RADIUS. With RADIUS, the authenticator requests remote authentication servers for authentication and authorization data. After successful authentication,​ the client is authorized. That means the switch grants the client access to the network, and the client’s traffic is possibly assigned to a specific VLAN.
  
 +{{:​en:​8021x.png?​400|VLAN assignmnent based on 802.1X and SDN}}
  
 802.1X is a widely deployed concept, and it is also applied in eduroam. However, it has some shortcomings. 802.1X requires manual configuration of authenticators on switches. The authorization is stateless, i.e., access to the network cannot be denied to the client after authorization even if its authorization data has changed in the meantime. RADIUS or DIAMETER are required as backend authentication servers which are difficult to maintain while simple databases would suffice for local application. 802.1X is a widely deployed concept, and it is also applied in eduroam. However, it has some shortcomings. 802.1X requires manual configuration of authenticators on switches. The authorization is stateless, i.e., access to the network cannot be denied to the client after authorization even if its authorization data has changed in the meantime. RADIUS or DIAMETER are required as backend authentication servers which are difficult to maintain while simple databases would suffice for local application.
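Review bot: typo in the new image's alt text, "VLAN assignmnent based on 802.1X and SDN" should read "VLAN assignment based on 802.1X and SDN". Also, the alt text announces an SDN-based VLAN assignment, but both surrounding paragraphs describe only the standard 802.1X flow (EAP, RADIUS, VLAN assignment by the access switch) and its shortcomings; the sentence that introduces the SDN variant should sit next to the figure so the caption does not refer to something the text has not yet explained.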
en/networks.txt · Last modified: 2019/10/09 14:34 by Mark Schmidt