Advance reservation access control using software-defined networking and tokens

https://doi.org/10.1016/j.future.2017.03.010

Highlights

  • Automates the advance reservation process using multidomain SDN orchestration.

  • Uses tokens to bind an end-to-end flow to the user that requested the reservation.

  • The system was deployed in the ESNet testbed.

  • Can reduce the provisioning time of an end-to-end circuit from days to minutes.

Abstract

Advance reservation systems allow users to reserve dedicated bandwidth connection resources from advanced high-speed networks. A common use case for such systems is data transfers in distributed science environments in which a user wants exclusive access to the reservation. However, current advance network reservation methods cannot ensure exclusive access of a network reservation to the specific flow for which the user made the reservation. We present here a novel network architecture that addresses this limitation and ensures that a reservation is used only by the intended flow. We achieve this by leveraging software-defined networking (SDN) and token-based authorization. We use SDN to orchestrate and automate the reservation of networking resources, end-to-end and across multiple administrative domains, and tokens to create a strong binding between the user or application that requested the reservation and the flows provisioned by SDN. We conducted experiments on the ESNet 100G SDN testbed, and demonstrated that our system effectively protects authorized flows from competing traffic in the network.

Introduction

Research and education networks (RENs) are characterized by high-speed backbone networks that support the needs of research and education communities within a geographic region. RENs often provide dedicated connections for individual research projects, and experimenters can establish and manage these connections through advance reservation systems [1] such as the Internet2 advanced layer 2 service (AL2S) [2] and the Energy Sciences Network (ESNet) on-demand secure circuits and advance reservation system (OSCARS) [3]. Advance network reservation systems identify each connection by coarse-grained attributes such as endpoints (e.g., an IP address or an interface of a WAN border router), requested bandwidth, start time, and end time [4]. A major problem with identifying a reservation by such coarse-grained attributes is that any user or application behind the point of ingress, authorized or not, can send traffic that matches them and consume the reservation, degrading the performance of the legitimate user or application. Moreover, setting up these reservations is a manual process that involves many network operators and can take from five to 45 days depending on the number of domains involved, as noted by Ibarra et al. [5].

Software-defined networking (SDN) is a novel networking paradigm that enables global network programmability and rapid innovation by decoupling the control and data planes of network devices. An additional benefit of SDN is a fine-grained flow definition that allows for firewall-like services on network switches. SDN is widely used in data centers for network policy enforcement, traffic engineering, and tenant isolation. However, SDN alone is not enough to enforce network access control when the identity of the requesting user must be established: a flow rule matches packet header fields, not users. Token-based authentication/authorization is widely used in web service architectures today. For instance, whenever a user signs in to a third-party site with her Facebook credentials, the OAuth 2.0 protocol (RFC 6749), which uses tokens, is invoked to authorize the third-party site to access selected attributes of that individual's Facebook profile (e.g., username and email address), which the site then uses to authenticate her. Furthermore, OpenStack, a popular open source cloud orchestration project, uses tokens to authorize calls to the numerous application programming interfaces (APIs) of its services.

We present here a novel network architecture that provides advance reservation access control by leveraging SDN and token-based authorization. Our architecture is composed of three main elements: (1) an orchestrator that receives requests from users or applications and manages networking resources between sites, (2) a WAN controller that represents an advance reservation system connecting sites involved in a specific data transfer, and (3) site SDN controllers that manage the installation of flow rules on site switches so as to extend a reservation from the border router all the way to the data transfer node (DTN) [6] in each site. The full workflow is automated, and no involvement from a network operator is required, thus reducing the provisioning time from several days to a few minutes. Our contributions are the following:

  1. A system that automates the advance reservation provisioning process using multidomain SDN orchestration.

  2. A system that uses tokens to strongly bind an end-to-end flow to the user or application that requested the reservation.
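The second contribution is the security-relevant one: a flow rule on its own matches header fields, so whoever can emit packets with those headers gets the reserved bandwidth, and the token is what ties the rule to the reservation owner. The following is an added example written for this page, not the authors' implementation, of how a site controller can make that binding hold. It assumes a token format the paper does not specify (an HMAC-SHA256 tag over the reservation claims: owner, exact flow, start and end time), a demo secret shared between the orchestrator and the site controllers, and a flow-rule body shaped like Ryu's ofctl_rest `flowentry/add` request; the sample reservation is constructed. The point it demonstrates is that the switch match is derived only from the verified claims, so a valid token cannot be reused for a different flow, and the rule's hard timeout expires with the reservation window.

```python
"""Token-bound advance reservation check (added example; assumed token format)."""
import base64
import binascii
import hashlib
import hmac
import json

# Assumption: the orchestrator and each site controller share a secret (a
# constructed demo key here). The paper does not specify its token format;
# this example uses an HMAC-SHA256 tag over the JSON-encoded reservation claims.
DEMO_KEY = b"constructed-demo-key-shared-with-site-controllers"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def issue_token(key: bytes, reservation: dict) -> str:
    """Orchestrator side: bind the owner, the exact flow and the time window
    into one authenticated token (payload.tag, both base64url)."""
    payload = json.dumps(reservation, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_token(key: bytes, token: str, now: int):
    """Site controller side: return the claims if the tag verifies and the
    reservation window covers `now`; otherwise None."""
    try:
        p64, t64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if not claims["start"] <= now < claims["end"]:
        return None
    return claims


def flow_entry_from_claims(claims: dict, dpid: int, out_port: int, now: int) -> dict:
    """Build the rule the site controller would push to its switch. The match
    comes only from the verified claims, so the rule carries exactly the flow
    the token authorizes. Body shape mirrors Ryu ofctl_rest 'flowentry/add'
    (assumption: OpenFlow 1.3 style match field names)."""
    f = claims["flow"]
    remaining = claims["end"] - now
    return {
        "dpid": dpid,
        "priority": 100,
        "hard_timeout": min(remaining, 65535),  # rule expires with the reservation
        "match": {
            "eth_type": 0x0800,
            "ipv4_src": f["src_ip"],
            "ipv4_dst": f["dst_ip"],
            "ip_proto": 6,
            "tcp_dst": f["dst_port"],
        },
        "actions": [{"type": "OUTPUT", "port": out_port}],
    }


def authorize_flow(key: bytes, token: str, requested_flow: dict,
                   now: int, dpid: int, out_port: int):
    """Decision the site controller makes when an endpoint presents a token
    for a flow: a rule body on success, None on any failure."""
    claims = verify_token(key, token, now)
    if claims is None:
        return None
    if claims["flow"] != requested_flow:  # valid token, but for another flow
        return None
    return flow_entry_from_claims(claims, dpid, out_port, now)


# Constructed sample reservation (not taken from the paper's evaluation).
SAMPLE_RESERVATION = {
    "reservation_id": "rsv-0001",
    "owner": "alice@example.org",
    "flow": {"src_ip": "10.0.1.10", "dst_ip": "10.0.2.10", "dst_port": 5201},
    "start": 1000,
    "end": 2000,
}

if __name__ == "__main__":
    tok = issue_token(DEMO_KEY, SAMPLE_RESERVATION)
    ok = authorize_flow(DEMO_KEY, tok, SAMPLE_RESERVATION["flow"], 1500, 1, 2)
    other = dict(SAMPLE_RESERVATION["flow"], dst_port=5202)
    print(json.dumps(ok, indent=1))
    print("token accepted for a different flow?",
          authorize_flow(DEMO_KEY, tok, other, 1500, 1, 2) is not None)
```

In the rejected cases (different flow, outside the window, tampered payload, or wrong key) no rule is installed, so the competing traffic simply stays on the best-effort path rather than inheriting the reservation. Anything the endpoint could spoof (source address, port) is not what grants access; the token is.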

The remainder of this paper is organized as follows. Section 2 presents background material and Section 3 presents related work. Section 4 defines our system architecture. Section 5 describes our implementation and Section 6 presents our evaluation experiments. Section 7 discusses our results, and Section 8 presents our conclusions and future work.

Background and motivation

We provide background on advance reservation systems, software-defined networking, and tokens.

Related work

An early approach to defining a system architecture for advance reservation of bandwidth channels on research and education networks was UltraScience Net  [12], [13]. More than a decade ago, this architecture defined a separate control and data plane and a bandwidth scheduler. The southbound interface of UltraScience Net was based on a transaction language communicated over a command line interface. The use of OpenFlow is a significant improvement on that work, because OpenFlow provides an open

System architecture

We leverage SDN and token-based authorization to develop a network architecture that supports extending an advance reservation from a WAN border router to an endpoint, programmatically (i.e., without intervention of a network operator), and across multiple domains. Our architecture comprises an orchestrator that handles user requests and manages networking resources, a WAN controller representing an advance reservation system that connects sites involved in a specific data transfer, and a site

Proof-of-concept implementation

As shown in Fig. 2, our architecture implementation is composed of a WAN controller, one site controller per site, one data mover node per site, an orchestrator, and a user interface. Each component was coded in Python and communicates over TCP sockets sending JSON data. To communicate with the Ryu controller, we used the REST API that comes with the Ryu controller. The data transfers used iperf3. The system handles seven types of messages:

  1. REQ for requesting an advance reservation.

  2. PREPARE for

Evaluation

We conducted experiments on the ESNet 100G SDN testbed [27]. As shown in Fig. 3, we used two sites, Washington DC and CERN in Geneva, Switzerland, connected by a dedicated circuit with a total capacity of 5 Gbps and an average inter-site RTT of 90 ms. Each site has two OVS switches [17], one container endpoint, and one Ryu SDN controller [28]. All containers have 12 CPUs, 4 GB of RAM, 8 GB of disk, 10 Gigabit Ethernet virtual NICs, and all of them run Ubuntu 14.04. We used iperf3 in CUBIC TCP

Discussion

We have presented a first attempt to develop a system for orchestrating the end-to-end provisioning of an advance reservation using SDN and token-based authorization. We demonstrated that our solution can reduce the provisioning time of an end-to-end circuit from several days (manual process) to a few minutes (automated process). Additionally, we demonstrated that, by using tokens, a specific flow can be strongly associated with the owner of the reservation. For a real deployment, however, many

Conclusion and future work

We have described a system that provides end-to-end advance reservation access control. By using multidomain SDN orchestration, our system automates the advance reservation provisioning process. Furthermore, by using token-based authorization, our system strongly binds an end-to-end flow to the user or application that requested the reservation. We have deployed this system in the ESNet 100G SDN testbed, and demonstrated that our solution effectively protects authorized flows from competing

Acknowledgments

This work was supported in part by the US Department of Energy under contract number DE-AC02-06CH11357 and the SDN-SF project, and by the National Science Foundation under grant ACI-1440761. We thank Eric Pouyoul from ESnet for his help in setting up the testbed. We also thank Sean Donovan, Leon Gommans, and the anonymous reviewers for their feedback.

References (33)

  • L. Gommans et al., Multi-domain lightpath authorization, using tokens, Future Gener. Comput. Syst. (2009).
  • N. Charbonneau et al., Advance reservation frameworks in hybrid IP-WDM networks, IEEE Commun. Mag. (2011).
  • Internet2, Layer 2 services, ...
  • I. Monga et al., Hybrid networks: lessons learned and future challenges based on ESnet4 experience, IEEE Commun. Mag. (2011).
  • S. Tepsuporn et al., A multi-domain SDN for dynamic layer-2 path service.
  • J. Ibarra, J. Bezerra, H. Morgan, L. Fernandez Lopez, M. Stanton, I. Machado, E. Grizendi, D. Cox, Benefits brought by ...
  • Science DMZ: Data transfer nodes, ...
  • E. Dart et al., The Science DMZ: A network design pattern for data-intensive science, Sci. Program. (2014).
  • A. Gupta et al., SDX: A software defined Internet exchange.
  • J. Mambretti et al., Software-defined network exchanges (SDXs): Architecture, services, capabilities, and foundation technologies.
  • D. Kreutz et al., Software-defined networking: A comprehensive survey, Proc. IEEE (2015).
  • N. McKeown et al., OpenFlow: enabling innovation in campus networks, ACM SIGCOMM Comput. Commun. Rev. (2008).
  • N.S.V. Rao et al., UltraScience Net: network testbed for large-scale science applications, IEEE Commun. Mag. (2005).
  • N.S.V. Rao, Q. Wu, S. Ding, S.M. Carter, W.R. Wing, A. Banerjee, D. Ghosal, B. Mukherjee, Control plane for advance ...
  • J. Zurawski et al., The DYNES instrument: A description and overview, J. Phys. Conf. Ser. (2012).
  • Z. Zhang, B. Bockelman, D.W. Carder, T. Tannenbaum, Lark: Bringing network awareness to high throughput computing, in: ...
Joaquin Chung received both his B.S. in Electrics and Communications Engineering (2007) and his M.Sc. in Communication Systems Engineering with Emphasis in Data Networks (2013) from University of Panama, Panama. He is a Fulbright scholar and currently pursuing his Ph.D. in Electrical and Computer Engineering under the supervision of Dr. Henry Owen and Dr. Russ Clark at Georgia Institute of Technology, GA. His research interests include software-defined networking and software-defined exchanges.

Eun-Sung Jung is an assistant professor in the department of Computer & Information Communications Engineering at Hongik University. He received his Ph.D. from University of Florida. During his Ph.D., Eun-Sung developed a novel framework for provisioning a variety of e-Science applications that require complex workflows that span over multiple domains. This framework provides guarantees on the performance while incurring minimal overhead, both necessary conditions for such a framework to be adopted in practice. In the past, he developed and shipped the cluster volume manager (CVM) software as a kernel module in Linux and Solaris operating systems at a start-up company.

Rajkumar Kettimuthu is a Computer Scientist in the Mathematics and Computer Science Division at Argonne National Laboratory, and a Senior Fellow in the Computation Institute at The University of Chicago and Argonne National Laboratory. He received the B.E. degree from Anna University, Chennai, India, and an M.S. and Ph.D. from the Ohio State University, all in Computer Science and Engineering. His research is focused on high-speed transfer of large-scale data, software defined networking, rapid execution of data-intensive science workflows, parallel job scheduling and large-scale data analysis. He has co-authored more than 80 articles in the above-mentioned areas. He is a recipient of an R&D 100 award. He is a senior member of both IEEE and ACM.

Nageswara (Nagi) S.V. Rao is a Corporate Fellow in the Computer Science and Mathematics Division, Oak Ridge National Laboratory, which he joined in 1993. He was on assignment at the Missile Defense Agency as the Technical Director, C2BMC Knowledge Center, during 2008–2010. He received a B.Tech from National Institute of Technology, Warangal, India in Electronics and Communications Engineering in 1982, an M.E. in Computer Science and Automation from Indian Institute of Science, Bangalore, India in 1984, and a Ph.D. in Computer Science from Louisiana State University in 1988. He has published more than 350 technical conference and journal papers in the areas of sensor networks, information fusion and high-performance networking. He is a Fellow of IEEE, and received the 2005 IEEE Technical Achievement Award for his contributions to the information fusion area. His research projects have been funded by multiple federal agencies including the National Science Foundation, Department of Energy, Department of Defense, Domestic Nuclear Detection Office, and Defense Advanced Research Projects Agency.

Ian Foster is Director of the Computation Institute, a joint institute of the University of Chicago and Argonne National Laboratory. He is also an Argonne Senior Scientist and Distinguished Fellow and the Arthur Holly Compton Distinguished Service Professor of Computer Science. Ian received a B.Sc. (Hons I) degree from the University of Canterbury, New Zealand, and a Ph.D. from Imperial College, United Kingdom, both in computer science. His research deals with distributed, parallel, and data-intensive computing technologies, and innovative applications of those technologies to scientific problems in such domains as climate change and biomedicine. Methods and software developed under his leadership underpin many large national and international cyberinfrastructures.

Russ Clark is a senior research scientist in Georgia Tech's School of Computer Science, and the co-director of the Georgia Tech Research Network Operations Center (GT-RNOC), which supports research efforts across campus. Dr. Clark received the B.S. in Mathematics and Computer Science from Vanderbilt University in 1987. He received the M.S. and Ph.D. degrees in Information and Computer Science from Georgia Institute of Technology in 1992 and 1995. For the years 1997–2000 he was a Senior Scientist with Empire Technologies, a network management software company. His research interests include Internet infrastructure and operating systems, mobile and wireless communications, network security, software-defined networking, and software-defined exchanges.

Henry L. Owen received the B.E.E., M.S.E.E., and Ph.D. degrees from the Georgia Institute of Technology in 1980, 1983, and 1989 respectively. During 1991 he was on a leave of absence and worked for the telecommunications firm ALCATEL-SEL in Stuttgart, Germany. Between 1992 and 1995, he spent summers performing research for ALCATEL-SEL on site in Stuttgart. At Georgia Tech Dr. Owen has implemented the Internet Programming and Internet Design laboratories and classes that provide networking equipment as well as an environment for hands-on laboratory experimentation and project implementation. His research interests are internetworking, computer networks, quality of service in the Internet, network protocol implementations in operating systems, and software-defined networking.