

Section: New Results

Orchestration

Programming of network functions

Participants: Thibault Cholez [contact], Diane Adjavon [Orange Labs], Anthony Anthony, Raouf Boutaba, Paul Chaignon, Shihabur Rahman Chowdhury, Olivier Festor, Jérôme François, Kahina Lazri [Orange Labs], Xavier Marchal.

NFV is a key technology for the successful deployment of new network protocol stacks such as Named Data Networking (NDN). Rather than awkwardly coupling IP with new Information-Centric Networking protocols, one should deploy them in separate network slices and guarantee their isolation. We proposed a complete NFV architecture composed of several Virtual Network Functions (VNFs) designed for NDN and orchestrated so that the topology can be adapted dynamically in reaction to issues such as an ongoing attack [25].

To push the possibilities of NFV even further, we applied the microservice architecture inherited from the software world to design atomic, flexible functions that are combined to process NDN traffic. The proposed architecture, described in μNDN [16], includes seven orchestrated microservices. Some are components extracted from the monolithic, resource-heavy NDN router, while others are new on-path functions that perform specific processing on the traffic, such as a signature-verification module or a name-filtering module. The evaluation on two realistic scenarios showed that our manager can dynamically scale up bottleneck functions and mitigate ongoing attacks on the NDN network. We also refined our countermeasure against information leakage attacks in NDN [4].

In [8], we proposed to offload part of the processing of VNFs to programmable switches. The difficulty lies in guaranteeing fair scheduling at the switch level under the run-to-completion execution model that such switches require: once the processing of a packet has started it cannot be preempted, so a VNF with expensive per-packet processing can monopolize the pipeline. We therefore defined a token-based scheduling approach. In [6], we defined a new scheduler for VNFs that integrates a CPU-cycle estimator and a heuristic to avoid wasting idle CPU cycles.
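To make the fairness problem concrete, the following simulation is an added example, not the scheduler of [8] (whose mechanism is not described on this page). It uses a generic deficit-round-robin style token policy: every VNF earns a fixed number of tokens per turn, a packet is dispatched only while the VNF's balance is non-negative, and the full cost of the non-preemptible packet is charged once it has run, so that a heavy packet drives the balance negative and the VNF sits out later turns. The three VNFs, their per-packet costs and the saturated backlogs are constructed for the example.

```python
"""Cycle-fair dispatch of offloaded VNF work on a run-to-completion pipeline.
Added example using a generic token (deficit round-robin) policy; this is not
the scheduler defined in [8], and the workload is constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Vnf:
    name: str
    cost: int      # cycles one packet consumes; cannot be preempted once started
    backlog: int   # packets waiting; large so that every VNF stays saturated


def make_vnfs() -> List[Vnf]:
    # Constructed workload: three saturated VNFs with a 100x spread in per-packet cost.
    return [Vnf("filter", 10, 10**6), Vnf("nat", 100, 10**6), Vnf("dpi", 1000, 10**6)]


def packet_round_robin(vnfs: List[Vnf], horizon: int) -> Dict[str, int]:
    """Baseline: one packet per VNF per turn, blind to how many cycles it costs."""
    used, t = {v.name: 0 for v in vnfs}, 0
    while t < horizon and any(v.backlog for v in vnfs):
        for v in vnfs:
            if v.backlog and t < horizon:
                v.backlog -= 1
                used[v.name] += v.cost
                t += v.cost            # the packet runs to completion
    return used


def token_round_robin(vnfs: List[Vnf], horizon: int, quantum: int) -> Dict[str, int]:
    """Each VNF earns `quantum` tokens per turn and may start a packet only while its
    balance is non-negative. The packet still runs to completion, so its whole cost is
    charged afterwards: a heavy packet leaves a debt that later refills must repay
    before the VNF is served again. Balances are capped at one quantum so an idle VNF
    cannot hoard credit and burst later."""
    used, t = {v.name: 0 for v in vnfs}, 0
    tokens = {v.name: 0 for v in vnfs}
    while t < horizon and any(v.backlog for v in vnfs):
        for v in vnfs:
            tokens[v.name] = min(tokens[v.name] + quantum, quantum)
            while v.backlog and tokens[v.name] >= 0 and t < horizon:
                v.backlog -= 1
                used[v.name] += v.cost
                tokens[v.name] -= v.cost
                t += v.cost
    return used


def shares(used: Dict[str, int]) -> Dict[str, float]:
    """Fraction of the consumed switch cycles that each VNF obtained."""
    total = sum(used.values())
    return {name: cycles / total for name, cycles in used.items()}


if __name__ == "__main__":
    print("packet round robin:", shares(packet_round_robin(make_vnfs(), 100_000)))
    print("token round robin: ", shares(token_round_robin(make_vnfs(), 100_000, 100)))
```

With the constructed workload, plain per-packet round robin hands about 90% of the cycles to the 1000-cycle VNF, while the token policy converges to roughly a third each: fairness is accounted in cycles, which is what a shared, non-preemptible pipeline actually contends for. The price is latency for the heavy VNF, which waits several turns between packets; a real scheduler would also have to bound that wait.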

Software-defined security for clouds

Participants: Rémi Badonnel [contact], Olivier Festor, Maxime Compastié, He Ruan [Orange Labs].

We have pursued our work on a software-defined security framework for enabling the enforcement of security policies in distributed clouds. This framework aims at dynamically integrating and configuring security mechanisms to protect cloud services that are distributed over multi-cloud and multi-tenant environments. In that context, we have described in [11] generation mechanisms for building protected cloud resources based on unikernels on the fly. These unikernels integrate security mechanisms at an early stage and are characterized by highly constrained configurations, in order to reduce the attack surface. A demonstration of this work was showcased during the IFIP/IEEE NOMS 2018 international conference [10]. We have also investigated the use of the TOSCA orchestration language to drive the generation of these unikernels. This language supports the specification of cloud services in the form of topologies and their orchestration. The objective was to extend this language both to describe the generation of unikernel resources and to specify different levels of security to be orchestrated. We have designed a framework to interpret this extended language, and to generate and configure protected resources according to these levels. We have evaluated the performance of the generation mechanisms through extensive experiments. This generation can be performed proactively with respect to security levels, in accordance with the elasticity and on-demand properties of clouds.

Chaining of security functions

Participants: Rémi Badonnel [contact], Abdelkader Lahmadi, Stephan Merz, Nicolas Schnepf.

Software-defined networking offers new opportunities for protecting end users and their applications. It enables the elaboration of security chains that combine different security functions, such as firewalls, intrusion detection systems, and data-leakage prevention services. In that context, we have continued our efforts on the orchestration and verification of security chains, in collaboration with Stephan Merz from the VeriDis project-team at Inria Nancy. In particular, we have formalized and extended our approach for generating SDN policies to protect Android applications [21], [22]. We have introduced a system based on inference rules for automating the generation of such chains [20], taking into account both the networking behavior of the applications and the OS-level permissions that they request. By using first-order predicates to classify the network traffic observed in flow traces, the composition and factorization of the security chains to be applied to several applications become straightforward. Our system infers a high-level representation of the security functions, which can be translated into a concrete implementation in the Pyretic language for programming software-defined networks. We showed that the generated chains satisfy several desirable properties, namely the absence of black holes and loops, shadowing freedom (no rule is made unreachable by the rules preceding it), and consistency with the underlying security policy. We are currently working on optimizing and improving the parameterization of the security chains generated by our inference system.
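As an added illustration of what the properties listed above mean on a concrete chain, the following Python model is not the inference system of [20] nor its Pyretic output; it is an example written for this page. A chain is a set of named functions, each holding an ordered rule list whose actions are allow, drop, or a goto to another function. The checks are pairwise shadowing detection (a rule whose match is entirely covered by an earlier rule can never fire), a cycle search over the goto graph (loops), black-hole detection (a function without a catch-all last rule, or a goto to a function that does not exist), and an end-to-end comparison of the chain's decisions against a high-level policy given as expected decisions for sample flows. The rule model, the firewall-then-IDS chain, and the flows are constructed for the example.

```python
"""Structural checks on an SDN security chain (shadowing, loops, black holes, policy
consistency). Added example: rule model, names and flows are constructed, not from [20]."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Match:
    """Flow predicate on (proto, dst_port, dst_net); None is a wildcard."""
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    dst_net: Optional[str] = None  # CIDR such as "10.0.0.0/8"

    def covers(self, flow: dict) -> bool:
        return (self.proto in (None, flow["proto"])
                and self.dst_port in (None, flow["dst_port"])
                and (self.dst_net is None or ipaddress.ip_address(flow["dst_ip"])
                     in ipaddress.ip_network(self.dst_net)))

    def subsumes(self, other: "Match") -> bool:
        """True if every flow matched by `other` is also matched by self."""
        return (self.proto in (None, other.proto)
                and self.dst_port in (None, other.dst_port)
                and (self.dst_net is None or (other.dst_net is not None
                     and ipaddress.ip_network(self.dst_net).supernet_of(
                         ipaddress.ip_network(other.dst_net)))))

@dataclass(frozen=True)
class Rule:
    match: Match
    action: str  # "allow", "drop" or "goto:<function>"

ALL = Match()                  # catch-all predicate
Chain = Dict[str, List[Rule]]  # function name -> ordered rule list

def target(rule: Rule) -> Optional[str]:
    return rule.action[5:] if rule.action.startswith("goto:") else None

def find_shadowed(rules: List[Rule]) -> list:
    """(i, j) pairs where rule i can never fire because earlier rule j subsumes it."""
    return [(i, j) for i in range(len(rules)) for j in range(i)
            if rules[j].match.subsumes(rules[i].match)]

def find_black_holes(chain: Chain) -> List[str]:
    """Traffic vanishes in a function with no catch-all last rule or at a goto to a missing function."""
    problems = []
    for name, rules in chain.items():
        if not rules or rules[-1].match != ALL:
            problems.append(f"{name}: no catch-all default rule")
        problems += [f"{name}[{i}]: goto unknown function {target(r)}"
                     for i, r in enumerate(rules) if target(r) and target(r) not in chain]
    return problems

def has_loop(chain: Chain) -> bool:
    """DFS for a cycle in the goto graph; unknown targets are black holes, not loops."""
    def visit(name: str, stack: frozenset) -> bool:
        if name in stack:
            return True
        if name not in chain:
            return False
        return any(visit(target(r), stack | {name}) for r in chain[name] if target(r))
    return any(visit(name, frozenset()) for name in chain)

def evaluate(chain: Chain, entry: str, flow: dict) -> str:
    """Walk the chain for one flow: 'allow', 'drop', 'blackhole' or 'loop'."""
    seen, name = set(), entry
    while name in chain and name not in seen:
        seen.add(name)
        hit = next((r for r in chain[name] if r.match.covers(flow)), None)
        if hit is None:
            return "blackhole"
        if target(hit) is None:
            return hit.action
        name = target(hit)
    return "loop" if name in seen else "blackhole"

def check_policy(chain: Chain, entry: str, policy: list) -> list:
    """(flow, expected, got) for every policy entry the chain violates."""
    return [(flow, want, evaluate(chain, entry, flow))
            for flow, want in policy if evaluate(chain, entry, flow) != want]

# Constructed chain: a firewall in front of an IDS that inspects HTTP to 10.0.1.0/24.
EXAMPLE_CHAIN: Chain = {
    "firewall": [Rule(Match("tcp", 23), "drop"),                   # block telnet
                 Rule(Match("tcp", 23, "10.0.0.0/8"), "drop"),     # shadowed by rule 0
                 Rule(Match("tcp", 80, "10.0.0.0/8"), "goto:ids"),
                 Rule(Match("tcp", 443), "allow"),
                 Rule(ALL, "drop")],
    "ids": [Rule(Match("tcp", 80, "10.0.1.0/24"), "allow"), Rule(ALL, "drop")],
}
# Constructed high-level policy: (flow, expected decision).
EXAMPLE_POLICY = [
    ({"proto": "tcp", "dst_port": 443, "dst_ip": "93.184.216.34"}, "allow"),
    ({"proto": "tcp", "dst_port": 23, "dst_ip": "10.0.1.5"}, "drop"),
    ({"proto": "tcp", "dst_port": 80, "dst_ip": "10.0.1.5"}, "allow"),
    ({"proto": "tcp", "dst_port": 80, "dst_ip": "10.0.2.5"}, "drop"),
    ({"proto": "udp", "dst_port": 53, "dst_ip": "10.0.0.2"}, "drop"),
]
```

Running `find_shadowed(EXAMPLE_CHAIN["firewall"])` reports `[(1, 0)]`: the second telnet rule is dead, which is harmless here but in general hides the fact that an intended exception or a later, narrower rule will never take effect. `find_black_holes`, `has_loop` and `check_policy` all come back empty for this chain; point them at a chain whose two functions goto each other, or at a function without a final `Rule(ALL, ...)`, to see the loop and black-hole cases. The shadowing check is pairwise: a rule covered only by the union of several earlier rules is not flagged, which is the usual trade-off of this simple form of the check.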