The Diamond Approach for SDN Security

Angelo Liguori, Huawei, German Research Center; and Marcel Winandy, Huawei, German Research Center

IEEE Softwarization, March 2018

Software Defined Networking (SDN) has attracted a lot of interest in both academia and industry, and it has started to be adopted in real system implementations. SDN emerged as a new concept with the intent of enabling central programmability of the network, although it can be traced back to earlier concepts like Active Networks, Network Control Point, and Routing Control Platform [1,2,3]. SDN is based on the idea of decoupling the control plane from the data plane, introducing a logically centralized control with open interfaces, and providing an API on abstractions of the network elements to program their forwarding behaviour [4]. SDN opens new opportunities for telecommunications and network operators as well as enterprise networks by providing effective means for fast infrastructure provisioning and dynamic reconfiguration of networks.

SDN also poses new challenges, as it introduces new components to the network (APIs, applications, controller). The overall complexity of ensuring security increases, the central control becomes an attractive new target, and the openness of the interfaces makes it difficult to define and enforce a security policy. Moreover, SDN security has a twofold meaning [5]: “Security by SDN”, i.e., increasing the overall network security of a system by using SDN, and “Security for SDN”, i.e., ensuring the secure implementation and operation of the SDN infrastructure itself. We believe that the problem of security for SDN should be addressed first (to a practical and sufficient level) before new security services using SDN can be effectively deployed. A key issue is the security of the SDN controller, as it is the “brain” of the network: any successful attack on the controller can harm the whole network.

Attacks on SDN can take the form of Denial-of-Service, aiming at undermining the availability of network operations, or of Man-in-the-Middle, aiming to modify the rules sent to the network devices in order to take control of the network paths. An attacker would also try to compromise the controller by exploiting vulnerabilities and installing malicious applications, in an attempt to take full control of the network infrastructure. Mitigating security risks in SDN requires a secure-by-design approach that adequately protects the infrastructure from both malicious attacks and unintentional vectors (buggy applications, device misconfiguration, etc.).

A number of secure designs for SDN controllers have been discussed in research, e.g., [6,7,8,9]. FortNOX [9] extends the controller with a conflict detection engine for flow rules and a role-based application authorization. SE-Floodlight [6] adds a security enforcement kernel to the controller, i.e., all operations from applications towards the data plane have to pass a security mediation for authentication and authorization. ROSEMARY [7] focuses on resilience through SDN application containment, resource utilization monitoring, application permissions, and minimizing functionality in the controller kernel. LegoSDN [8] adds reliability and fault tolerance by providing an application sandboxing design and a mechanism to recover applications from a variety of failures.

While common patterns can be found in these works (separating security from other functionality, isolating applications, etc.), they have not yet been fully adopted by industry. For example, the leading open-source controllers OpenDaylight and ONOS both have some form of authentication and authorization for external applications, but other security functionality is either lacking (e.g., isolation of internal applications/plug-ins) or mixed together with other functionality in one large executable. A reason for the low adoption might be that the SDN community lacks an overview of the security problems and security patterns, and an understanding of how to apply them to SDN. In addition, many existing research works neglect some industry demands, e.g., they build their designs on single-instance controllers and do not consider a fully distributed architecture.

To overcome these obstacles, we have systematized six core design principles which we consider mandatory for a secure SDN controller architecture. They are derived from best practices of system security and cover common security patterns from the research works mentioned above as well as important industry requirements. For illustration, we place these principles at the vertices of a polyhedron, calling to mind the shape of a diamond shielding the controller (see Figure 1). Hence, we call it the Diamond Approach for SDN Security.

Figure 1: SDN Security Principles (Diamond Approach)

 

Complete Mediation: Each time a subject attempts to access a resource, the system should mediate the action. This principle requires systematic access control for resources, so that every access is checked to ensure that the subject has the proper privileges. The “mediator” should be the single logical authority for this checking, and it can take advantage of the features provided by distributed systems.

Compartmentalization: This principle, also known as sandboxing, enforces the rule that a security problem, when it occurs, remains confined to the specific compartment containing it. This is a well-known concept in all contexts that require safety, e.g., life-critical systems. For SDN it applies to the business and control layers, where applications should be separated and isolated from each other and from the controller itself.

Code Size Minimization: An important aspect of security is to reduce the trusted computing base, i.e., the part of the system that is essential for security and which, if compromised, can completely break that security. First, minimizing the lines of code (LOC) reduces the likelihood of errors and the attack surface exploitable by an attacker. Second, a thin software layer can be semi-formally or formally verified in order to give mathematical evidence that it correctly fulfils the requirements it claims.

Capability-based Control: This attaches authorizations (i.e., capabilities) to the subjects demanding a service instead of to the resources providing it (the Access Control List approach). A capability is completely transferable and represents the ability to perform privileged operations. In a dynamic environment, where SDN applications and their security context can change often, capability-based control can be managed and audited more easily.

Concurrency: In a distributed system, it is important that components can execute and work together concurrently. This is especially important in environments like SDN, where controllers can be distributed in clusters and the environment is highly dynamic. Operations like leader election and node replication are examples where secure concurrency is necessary.

Compatibility: Given the variety of SDN controllers currently available on the market, the integration of security mechanisms should not significantly impact the interface design and implementation of existing controllers. A solution to make SDN secure should be transparent to the controller, in order to allow customers to apply security in deployed infrastructures and to preserve the “openness” SDN originally introduced.

We applied the idea of the diamond approach in our Secure Controller Architecture (SCONA), which combines these principles. Figure 2 depicts an overview of the SCONA components, each of which is designed to address the SDN security problem seamlessly from the application (business) layer to the data plane.

Figure 2: SCONA Architecture

 

The main component of SCONA is the Network Security Kernel (NSK). It follows the idea of security kernels from operating systems and is specifically designed to accomplish the principles of complete mediation of all the messages (synchronous and asynchronous) between applications and data plane, compartmentalization of security functionality from the rest of the controller, and code size minimization (our current prototype has less than 20k LOC).

The SCONA Controller Applications Sandbox (CAS) and Controlled Trusted Software (CTS) also enforce the principle of compartmentalization, preventing internal applications from being used to subvert the security of the overall controller and providing an environment for trusted higher-level security functions, e.g., application behaviour monitoring. The remaining, non-security-related functionality of the SDN controller is what we call the Controller Core (CC) component. SCONA implements a capability-based reference monitor engine that enforces the security check for every application and data plane device through the cooperation of the NSK and the CC.

For concurrency, the NSK is also designed to be highly scalable and reconfigurable in order to provide high performance and availability. Finally, the NSK is designed to be compatible with existing SDN protocols and controller APIs, because it enforces only access decisions between components and their requests. Higher-level aspects (e.g., checking the consistency of the SDN policy) are left to the CTS.
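The complete-mediation and capability-based control principles, and the capability-based reference monitor the NSK implements, can be made concrete with a small model. The following is an added example written for this article, not SCONA code: a mediator that checks every application-to-switch (and switch-to-application) message on each call against an HMAC-protected capability bound to the application rather than to the switch. The key, application names, switch ids and action names are constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed key for this example only. In a real design it stays inside the
# security kernel, so applications can never mint or alter capabilities.
MEDIATOR_KEY = b"example-only-mediator-key"


@dataclass(frozen=True)
class Capability:
    holder: str               # subject (application) the rights are bound to
    switch: str               # data-plane device the rights apply to
    actions: Tuple[str, ...]  # sorted, e.g. ("flow_mod", "packet_in")
    expires: float            # absolute time after which the capability is void
    lineage: Tuple[str, ...]  # tags of the capabilities it was delegated from
    tag: str                  # HMAC over all fields above: makes it unforgeable


def _body(holder, switch, actions, expires, lineage) -> bytes:
    return json.dumps([holder, switch, list(actions), expires, list(lineage)]).encode()


def _mint(holder, switch, actions, expires, lineage=()) -> Capability:
    actions = tuple(sorted(actions))
    tag = hmac.new(MEDIATOR_KEY, _body(holder, switch, actions, expires, lineage),
                   hashlib.sha256).hexdigest()
    return Capability(holder, switch, actions, expires, tuple(lineage), tag)


class ReferenceMonitor:
    """Single logical authority: every app<->switch message goes through mediate()."""

    def __init__(self):
        self.revoked: set = set()
        self.audit: List[str] = []                     # every decision is logged
        self.flow_tables: Dict[str, List[dict]] = {}   # stub data plane: switch -> rules

    def issue(self, holder: str, switch: str, actions: Iterable[str],
              now: float, ttl: float = 300.0) -> Capability:
        return _mint(holder, switch, actions, now + ttl)

    def revoke(self, cap: Capability) -> None:
        """Revoking a capability also voids everything delegated from it."""
        self.revoked.add(cap.tag)

    def _check(self, cap: Capability, now: float) -> str:
        expected = hmac.new(MEDIATOR_KEY, _body(cap.holder, cap.switch, cap.actions,
                            cap.expires, cap.lineage), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(cap.tag, expected):
            return "forged"
        if now > cap.expires:
            return "expired"
        if cap.tag in self.revoked or any(t in self.revoked for t in cap.lineage):
            return "revoked"
        return "ok"

    def delegate(self, cap: Capability, new_holder: str, actions: Iterable[str],
                 now: float) -> Capability:
        """Transfer a subset of the holder's rights to another subject."""
        status = self._check(cap, now)
        if status != "ok":
            raise PermissionError(f"cannot delegate a {status} capability")
        actions = tuple(sorted(actions))
        if not set(actions) <= set(cap.actions):
            raise PermissionError("delegation cannot amplify rights")
        return _mint(new_holder, cap.switch, actions, cap.expires, cap.lineage + (cap.tag,))

    def mediate(self, cap: Capability, subject: str, switch: str, action: str,
                payload: dict, now: float) -> Tuple[bool, str]:
        """Decide one request. Nothing is cached: the next request is checked again."""
        status = self._check(cap, now)
        if status != "ok":
            reason = status
        elif cap.holder != subject:
            reason = "capability not bound to this subject"
        elif cap.switch != switch:
            reason = "capability not valid for this switch"
        elif action not in cap.actions:
            reason = "action not granted"
        else:
            reason = "allowed"
            if action == "flow_mod":   # northbound: the app programs the switch
                self.flow_tables.setdefault(switch, []).append(payload)
            # "packet_in" is the southbound direction (switch event delivered to
            # the app); the decision alone gates delivery, no state changes here.
        self.audit.append(f"{now:.0f} {subject} {action} {switch}: {reason}")
        return reason == "allowed", reason
```

Revoking the original capability voids the delegated one through its lineage, which is what makes a transferable capability still auditable and recallable by the mediator.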

SCONA and our diamond approach try to overcome the often partial perspective offered by prior research and existing industry implementations. A key difference, and the novelty of our approach, lies in the fact that SCONA logically envelops the controller. It not only enforces the security of applications towards the data plane, but also limits attacks coming from the data plane against applications and the controller itself.

Further challenges need to be addressed in order to enhance the security of SDN further, for example a formal analysis of the SCONA code or the introduction of a policy checker engine, to name just two. Formal verification provides evidence of the correctness of the developed components and algorithms, whereas the capability to check whether applications’ commands could lead to rules conflicting with the established security policies can help to maintain the network in a secure and consistent state. Performance and fault tolerance are also important aspects to address in order to make SCONA scalable and to augment the resilience of our solution.

We are currently evaluating and enhancing our prototype according to the aforementioned features and hope to push this technology into products in the near future.

Bibliography:


  1. D. Tennenhouse, J. Smith, W. Sincoskie, D. Wetherall, and G. Minden, “A survey of active network research”, IEEE Communications Magazine, vol. 35, no. 1, pp. 80–86, Jan. 1997.
  2. D. Sheinbein and R. P. Weber, “800 service using SPC network capability”, Bell Syst. Tech. J., vol. 61, no. 7, pp. 1737–1744, Sep. 1982.
  3. M. Caesar et al., “Design and implementation of a routing control platform”, Proceedings of the 2nd Symposium on Networked Systems Design & Implementation, vol. 2, pp. 15–28, 2005.
  4. M. Jarschel, T. Zinner, T. Hossfeld, P. Tran-Gia, and W. Kellerer, “Interfaces, Attributes, and Use Cases: A Compass for SDN”, IEEE Communications Magazine, vol. 52, pp. 210–217, 2014.
  5. S. Scott-Hayward, G. O'Callaghan, and S. Sezer, “SDN Security: A Survey”, IEEE SDN for Future Networks and Services (SDN4FNS), Trento, pp. 1–7, 2013.
  6. P. Porras, S. Cheung, M. Fong, K. Skinner, and V. Yegneswaran, “Securing the Software Defined Network Control Layer”, 2015.
  7. S. Shin, Y. Song, T. Lee, S. Lee, J. Chung, P. Porras, V. Yegneswaran, J. Noh, and B. B. Kang, “Rosemary: A Robust, Secure, and High-performance Network Operating System”, Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS '14), ACM, New York, NY, USA, pp. 78–89, 2014.
  8. B. Chandrasekaran, B. Tschaen, and T. Benson, “Isolating and Tolerating SDN Application Failures with LegoSDN”, Proceedings of the Symposium on SDN Research (SOSR '16), ACM, New York, NY, USA, Article 7, 12 pages, 2016.
  9. P. Porras, S. Shin, V. Yegneswaran, M. Fong, M. Tyson, and G. Gu, “A security enforcement kernel for OpenFlow networks”, Proceedings of the First Workshop on Hot Topics in Software Defined Networks (HotSDN '12), ACM, New York, NY, USA, pp. 121–126, 2012.


Angelo Liguori

Dr. Angelo Liguori received his Ph.D. in Telecommunications at the University "Roma TRE" with the thesis "Design and Implementation of Multilevel Security Architectures". He gained more than 10 years’ experience in the field of ICT security including involvement in projects concerning Defense and Satellite Systems.

He currently works in the SDN Security research team at Huawei's European Cyber Security & Privacy Lab (CSPL).

 

Marcel Winandy

Dr. Marcel Winandy is a Security Technologist and leading the SDN Security research at Huawei's Cyber Security & Privacy Lab (CSPL) in Germany. Dr. Winandy has a strong background in system security, cloud and operating system security, and trusted computing. Before joining Huawei, he worked as researcher in academia and as security architect at Sirrix AG. He has been working on computer security for more than a decade, and had been actively involved in several large national and international research and development projects on secure operating systems and trusted computing infrastructures. He is author of over 40 scientific and technical papers. Marcel Winandy has a diploma (MSc) in Computer Science from University of Bonn, and a Dr.-Ing. (PhD) in IT-Security from Ruhr-University Bochum.

 

Editor:

Neil Davies

Neil Davies is an expert in resolving the practical and theoretical challenges of large-scale distributed and high-performance computing. He is a computer scientist, mathematician and hands-on software developer who builds both rigorously engineered working systems and scalable demonstrators of new computing and networking concepts. His interests center around scalability effects in large distributed systems, their operational quality, and how to manage their degradation gracefully under saturation and in adverse operational conditions. This has led to recent work with Ofcom on scalability and traffic management in national infrastructures.

Throughout his 20-year career at the University of Bristol he was involved with early developments in networking, its protocols and their implementations. During this time he collaborated with organizations such as NATS, Nuclear Electric, HSE, ST Microelectronics and CERN on issues relating to scalable performance and operational safety. He was also technical lead on several large EU Framework collaborations relating to high performance switching. Mentoring PhD candidates is a particular interest; Neil has worked with CERN students on the performance aspects of data acquisition for the ATLAS experiment, and has ongoing collaborative relationships with other institutions.

 


Network Slicing and Blockchain to Support the Transformation of Connectivity Services in the Manufacturing Industry

Nicolas Bihannic, Orange Labs, Thierry Lejkin, Orange Labs, Isabelle Finkler, Orange Business Services  and Alexis Frerejean, Orange Business Services

IEEE Softwarization, March 2018

 

Abstract—This article illustrates how a strong coupling of network slicing with Information Technology (IT) assets can respond to the forthcoming business transformation of the manufacturing market. It also presents how enhanced-assurance services can be provided, especially with the integration of the emerging and promising blockchain technology.

Keywords—network slicing, 5G, industry 4.0, data integrity, blockchain

 

I. Introduction

In the 3GPP vision, “network slicing enables the operator to create networks customized to provide optimized solutions for different market scenarios which demand diverse requirements, e.g. in the areas of functionality, performance and isolation” [1]. Network slicing can be fully implemented with the combination of three properties: network softwarization, a finer granularity in the definition of the functions composing the 5G system, and a larger distribution of datacenters, especially at the edge of networks. This network capability is particularly important for addressing B2B markets, also called verticals, such as industry, healthcare, smart cities and territories, smart grids, or transportation [2]. For the future of industry, also known as Industry 4.0 or the industrial Internet, the main expected gains are to enhance operational efficiency, to improve logistics and traceability, and to accelerate innovation and collaboration. Other expected benefits of process and service digitization are the ability to customize the design and manufacturing of products, as well as a seamless follow-up of the product lifecycle (throughout its design, production, distribution, usage, maintenance and recycling stages) [3]. These transformations thus have an important impact on tools, objects, sensors, machines and people in the area of production. Moreover, they concern all industrial sectors and all companies irrespective of their size [4]. Lastly, all those objectives can only be fully achieved by setting up data-driven processes for the management of both connectivity and Information Technology (IT) assets. Moreover, the integrity of the data originating from those network and IT assets is essential for Orange to engage in such business-critical services, as shown later in section V.

The overall architecture shown in Figure 1 presents this variety of involved players and usages, which results in tailored connectivity services, a strong integration of network slices with IT assets, and the need for data integrity for enhanced-assurance services and performance management.

Figure 1: Network slicing management in the overall system for the manufacturing industry

II. Building of tailored connectivity

Connectivity requirements are particularly complex for Industry 4.0 in terms of coverage footprint (e.g., indoor and outdoor), mix of technologies (e.g., based on licensed and unlicensed spectrum), and roadmap alignment with the lifecycle management of connected industrial assets and goods. Indeed, the manufacturing plants of a given company are likely to be located in several countries, as in the automotive industry [5], and overall security must also be guaranteed across those different operators’ administrative domains. Connectivity services must also support the concept of a secure extended factory, in which remote workers, external partners and even surrounding partnering factories connect to the industrial plant, even for usage that can be considered critical in terms of security and safety from a business perspective.

In order to streamline internal processes from the manufacturing customer’s perspective, Orange is asked to support as much as possible, in such a multi-country context, the reuse of the same deployment and management processes for connectivity services regardless of the country. The evolution of mobile architecture towards a model-driven implementation for network management and orchestration must contribute to reaching this goal.

III. Enhancing network slicing value with IT assets

Connectivity and IT assets (e.g., asset/goods tracking, artificial intelligence for preventive maintenance, Push-To-Talk/Video/Data services) must be increasingly integrated in the digitization journey of each vertical market. Indeed, both performance and fault indicators for connectivity must be strongly coupled with the overall IT technical chain, in order to predict in real time the impact of any network performance degradation and to enable the factory to prepare and forecast the duration of its recovery plan. The average cost of one hour of unplanned downtime in IT infrastructure was estimated in 2016 to be from $260,000 to $492,000, for virtualization leaders and followers respectively [6]. Finally, this is a matter of confidence: the more the network operator contributes to the intimacy of production, the more transparent networks must be. There are then strong benefits in collaborating and sharing data between all players participating in the technical chain, to gain in productivity and efficiency. Section V below illustrates how blockchain-based technologies can provide a high level of trust in data integrity and data sharing among a consortium of partners.

IV. Involvement of vertical players in network slices design and monitoring

Several vertical players intend to engage further in both the design and the monitoring of connectivity services provided by either the operator or the service integrator [7]. This collaboration during network slice design must then consider at least three dimensions: the functional connectivity features to be activated for each type of data flow, the best location in the network topology for each of those connectivity features, and the management interfaces to be granted to the vertical player and potentially to its partners as well. The ability of the vertical player to monitor and even to configure some network elements of its network slices has a strong impact on business agreements, including the relevant security policy based on the level of trust granted to each of those external actors. Moreover, a well-adapted level of abstraction for monitoring interfaces may be needed and appreciated by any business partner with limited skills in connectivity configuration. In this perspective, the introduction of robust intent-based components can be a valuable solution to facilitate the delegation of operations to such a business partner, who is then able to express what they want.

V. Handling of enhanced-assurance services with blockchain

Network slicing should also benefit from another disruptive and promising digital technology: the blockchain. Indeed, blockchain properties are particularly relevant for B2B markets, which generally involve several partners in the end-to-end value chain of each ecosystem (e.g., both in the horizontal value chain between the company, its suppliers and its customers, and in the vertical value chain between internal company entities [4]). Using a consortium blockchain is then particularly well adapted to such a multi-partner context, and a technology like Hyperledger [8] also has the advantage of being highly modular in terms of the supported methods for handling consensus. On the one hand, mastering the authoring of smart contracts will be more and more valuable in order to select the right network-oriented performance indicators to be monitored for each running slice. For instance, security-oriented smart contracts can be written to monitor some security indicators and to conduct in-depth analysis if any security breach is detected in a given slice. The more vital the service handled by the network slice, the more exhaustive and accurate the security indicators to be monitored must be. On the other hand, the design of network slices should now also integrate the architecture of the distributed ledgers that are in charge of ordering and storing those monitored indicators in a tamper-proof way. Any performance indicator stored in those distributed ledgers is timestamped, and this property is highly valuable for correlating events from the network and IT parts in order to provide end-to-end enhanced-assurance services. This is particularly interesting in complex technical chains that involve different connectivity providers, as shown with the multi-country context in section II. Handling enhanced-assurance services also requires certified industrial sensors and actuators, which can be securely managed with blockchain-based solutions, especially during their software upgrades [9].
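As an added illustration of this section (written for this article, not Orange or Hyperledger code), the following models the ledger side in miniature: timestamped per-slice indicator records reported by several domains, hash-chained so that any alteration of a stored indicator is detectable, with simple contract rules evaluated over the chain and a time-window correlation of network-side and factory-side events. Slice ids, domain names, indicator names and limits are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64   # previous-hash value of the first entry


@dataclass(frozen=True)
class Entry:
    index: int
    timestamp: float              # ledger timestamp used for cross-domain correlation
    slice_id: str                 # network slice the indicators belong to
    source: str                   # who reported: an operator domain or the factory IT
    indicators: Dict[str, float]  # monitored KPIs, e.g. {"latency_ms": 8.2}
    prev_hash: str
    hash: str


def entry_digest(index, timestamp, slice_id, source, indicators, prev_hash) -> str:
    body = json.dumps([index, timestamp, slice_id, source, indicators, prev_hash],
                      sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


class SliceLedger:
    """Append-only chain: each entry commits to its predecessor, so changing a stored
    indicator, or dropping an entry, breaks the hash of every entry that follows."""

    def __init__(self):
        self.entries: List[Entry] = []
        # "Contract" rules: slice_id -> list of (indicator, maximum allowed value).
        self.contracts: Dict[str, List[Tuple[str, float]]] = {}

    def add_contract(self, slice_id: str, indicator: str, max_value: float) -> None:
        self.contracts.setdefault(slice_id, []).append((indicator, max_value))

    def append(self, timestamp: float, slice_id: str, source: str,
               indicators: Dict[str, float]) -> Entry:
        if self.entries and timestamp < self.entries[-1].timestamp:
            raise ValueError("ledger order must follow timestamp order")
        prev = self.entries[-1].hash if self.entries else GENESIS
        idx = len(self.entries)
        ind = dict(indicators)
        e = Entry(idx, timestamp, slice_id, source, ind, prev,
                  entry_digest(idx, timestamp, slice_id, source, ind, prev))
        self.entries.append(e)
        return e

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute the whole chain; return (ok, index of the first bad entry)."""
        prev = GENESIS
        for e in self.entries:
            recomputed = entry_digest(e.index, e.timestamp, e.slice_id, e.source,
                                      e.indicators, e.prev_hash)
            if e.prev_hash != prev or e.hash != recomputed:
                return False, e.index
            prev = e.hash
        return True, None

    def breaches(self, slice_id: str) -> List[Tuple[float, str, float, float]]:
        """Evaluate the slice's contract rules over every stored entry.
        Returns (timestamp, indicator, observed value, limit) per violation."""
        out = []
        for e in self.entries:
            if e.slice_id != slice_id:
                continue
            for indicator, limit in self.contracts.get(slice_id, []):
                value = e.indicators.get(indicator)
                if value is not None and value > limit:
                    out.append((e.timestamp, indicator, value, limit))
        return out

    def correlate(self, at: float, window: float) -> List[Entry]:
        """Entries from any source within +/- window of a given time, to line up a
        network-side event with what the factory IT side recorded at that moment."""
        return [e for e in self.entries if abs(e.timestamp - at) <= window]
```

A party that rewrites one record to hide a breach is caught at that record; one that also recomputes its hash is caught at the next record, whose stored previous hash no longer matches.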

VI. Conclusion: phasing the network slicing journey per vertical context

The previous sections have shown that an in-depth transformation of connectivity services is expected in order to correctly address business evolution on B2B markets with the advent of digitization and 5G. Network slicing is a key concept to shift from the current “one size fits all” model for mobile networks towards multiple tailored connectivity services. Moreover, a progressive introduction of network slicing has to be considered to mitigate all the technical complexity.

In the early stage, network slices should be limited in number and fully qualified by connectivity providers in order for them to commit to stringent service level agreements. Then, network slice design should progressively gain in agility with lessons learnt from the first field roll-outs.

In this second phase, more open models may be considered, with either broader operations potentially granted to the business customer or the ability to build network slices from a larger inventory of software appliances. Data analytics about fault, performance and security management will also be progressively automated through real-time control loops to continuously improve the efficiency of connectivity services.

Network slice design should also advantageously include the integration of Distributed Ledger Technology (DLT) and associated smart contracts, in order for the connectivity service provider(s) to prove the quality of the provided connectivity at any time. Blockchain-based solutions are also of interest for achieving this end-to-end performance auditing among all the actors involved in such a complex technical chain.

References

[1] Study on Architecture for Next Generation System, 3GPP TR 23.799 V14.0.0

[2] 5G empowering vertical industries, 5G PPP, https://5g-ppp.eu/wp-content/uploads/2016/02/BROCHURE_5PPP_BAT2_PL.pdf

[3] Manufacturing - Transform the industrial model with IoT and data revolution, OBS, https://www.orange-business.com/en/industries/manufacturing

[4] Industry 4.0 - Opportunities and Challenges of the Industrial Internet, PwC, https://www.pwc.nl/en/assets/documents/pwc-industrie-4-0.pdf

[5] Distribution of car assembly plants in European countries, Eurofound, https://www.eurofound.europa.eu/emcc/automotivemap/index

[6] Maintaining Virtual System Uptime in Today’s Transforming IT Infrastructure, Aberdeen Group, February 2016

[7] 5G and the Factories of the Future, 5GPPP, https://5g-ppp.eu/wp-content/uploads/2014/02/5G-PPP-White-Paper-on-Factories-of-the-Future-Vertical-Sector.pdf

[8] Hyperledger, https://www.hyperledger.org/

[9] Blockchain Data Integrity, Ericsson, https://www.ericsson.com/hyperscale/cloud-infrastructure/data-centric-security/data-integrity-assurance


 

Nicolas Bihannic

Nicolas Bihannic is currently an Orange expert on “Network of the Future” in Orange Labs. He received his master’s degree in Electronics and Telecommunication from the “Institut Supérieur d’Electronique et du Numérique” (ISEN group) in 2000. His current research interests are business model evolution for telcos with 5G, and the introduction of new technologies like network function virtualization or blockchain for networks. E-mail: nicolas.bihannic@orange.com

 

Thierry Lejkin

Thierry Lejkin is currently an Orange expert on “Network of the Future” and project manager in Orange Labs. He has a master’s degree in telecommunication and network architecture from Telecom ParisTech in Paris, and also master’s degrees in mathematics from Pierre and Marie Curie University. He has been involved in the evolution of the fixed and mobile network architecture, and he is currently managing a project for the 5G+ Convergent Core network architecture definition. He holds several patents on control plane and authentication protocols. E-mail: thierry.lejkin@orange.com

 

Isabelle Finkler

Isabelle Finkler is currently in charge of the Digital Factory Program in Orange Business Services. She graduated as an engineer from ENSEA (“Ecole Nationale Supérieure de l’Electronique et de ses Applications”) in 1997. She aims at developing business opportunities related to digital technology in the area of manufacturing 4.0. She promotes current and future radio network technologies such as 4G and 5G, Internet of Things related technologies and workspaces adapted to field workers. Email: isabelle.finkler@orange.com

 

Alexis Frerejean

Alexis Frerejean is currently an Orange service architect and network expert within Orange Business Services. He received a master’s degree in Computer Science and Electronics and graduated with an MBA in 2005. With a strong culture of innovation built on entrepreneurship in SMEs and several organizational transformation projects whose success depended on governance issues, he promotes the digital factory program at Orange. E-mail: alexis.frerejean@orange.com

Editor:

Mubashir Rehmani

Mubashir Husain Rehmani (M’14-SM’15) received the B.Eng. degree in computer systems engineering from Mehran University of Engineering and Technology, Jamshoro, Pakistan, in 2004, the M.S. degree from the University of Paris XI, Paris, France, in 2008, and the Ph.D. degree from the University Pierre and Marie Curie, Paris, in 2011. He is currently an Assistant Professor at COMSATS Institute of Information Technology, Wah Cantt., Pakistan. He was a Postdoctoral Fellow at the University of Paris Est, France, in 2012. His current research interests include cognitive radio ad hoc networks, smart grid, wireless sensor networks, and mobile ad hoc networks. Dr. Rehmani served on the TPC for the IEEE ICC 2016, IEEE GlobeCom 2016, CROWNCOM 2016, IEEE VTC Spring 2016, IEEE ICC 2015, IEEE WoWMoM 2014, IEEE ICC 2014, ACM CoNEXT Student Workshop 2013, IEEE ICC 2013, and IEEE IWCMC 2013 conferences. He is currently an Editor of the IEEE Communications Surveys and Tutorials and an Associate Editor of the IEEE Communications Magazine, IEEE Access journal, Elsevier Computers and Electrical Engineering (CAEE) journal, Elsevier Journal of Network and Computer Applications (JNCA), Ad Hoc Sensor Wireless Networks (AHSWN) journal, Springer Wireless Networks Journal, KSII Transactions on Internet and Information Systems, and the Journal of Communications and Networks (JCN). He is also serving as a Guest Editor of the Elsevier Ad Hoc Networks journal, Elsevier Future Generation Computer Systems journal, IEEE Access journal, the IEEE Transactions on Industrial Informatics, Elsevier Pervasive and Mobile Computing journal and Elsevier Computers and Electrical Engineering journal. He has authored/edited two books published by IGI Global, USA, one book published by CRC Press, USA, and has one book in progress with Wiley, U.K. He is a founding member of the IEEE Special Interest Group (SIG) on Green and Sustainable Networking and Computing with Cognition and Cooperation.
He received the “Best Researcher of the Year 2015 of COMSATS Wah” award in 2015. He received the certificate of appreciation “Exemplary Editor of the IEEE Communications Surveys and Tutorials for the year 2015” from the IEEE Communications Society. He received the Best Paper Award from the IEEE ComSoc Technical Committee on Communications Systems Integration and Modeling (CSIM) in 2017.


How Software Defined Wide Area Networking (SD-WAN) Provides Reliable Voice and Video Services Over the Internet

Jason Gintert, WAN Dynamics

IEEE Softwarization, March 2018


For as long as organizations have tried to make real-time services like voice or video work over Internet Protocol (IP) network pipes, there have been very basic requirements in order to make said services operate effectively. The first requirement for these sensitive applications was a dedicated, business class network line to carry this traffic. A business class circuit was paramount to the reliability and uptime required for crucial services like voice or video. This type of network access has low latency characteristics, which keep the time it takes to forward the voice traffic low so that conversations are not thrown off-kilter by long delays.

Also absolutely critical to voice or video over network pipes is an additional layer over these high quality dedicated connections, something called quality of service or QoS. QoS is a suite of bandwidth prioritization and reservation techniques that give select services fast lane access to bypass lesser classifications of traffic and also reserve bandwidth, preventing exhaustion of the available throughput. Most commonly, QoS is used in tandem with carrier services like an IP VPN or Multi-Protocol Label Switching (MPLS), and this combination has been assumed by many to be the only way to reliably deliver voice services for an organization. I can affirm, as a network engineer for the past few decades, that this has been the case for most of my career. In order for voice to perform adequately, specific care was required to specify dedicated pipes with prioritization, and if you did not perform technical due diligence, you were asking for trouble in the way of poor quality, session disconnections and general voice issues.

Then something called Software Defined Wide Area Networks, or SD-WAN, came along. This nascent technology space is drastically changing the way we do a lot of things on the wide area network, including managing sensitive real-time protocols that typically require QoS.

Let's take a look at some of the mechanisms that make SD-WAN different from how we've implemented voice over traditional networks up until now. Though many of these techniques may not qualify specifically as QoS, they mimic its capabilities and allow a more reliable Internet based infrastructure to support real-time protocols. The combination of these techniques, which have been used individually for decades, creates a service greater than the sum of its parts. The features now considered fundamental aspects of most SD-WAN platforms differentiate them from the means we have used in the past to run traffic over networks.

  1. Multi-Path Steering - SD-WAN can actively forward over multiple paths and is constantly measuring the performance characteristics and properties of each path available. Because it can very rapidly identify issues like high latency, packet loss and jitter, there are software mechanisms to quickly bypass these issues by utilizing an alternate, better performing path on the fly.
  2. Forward Error Correction/Packet Duplication - When issues like data loss from dropped packets arise, and there is only one path available or all paths are experiencing loss, traditional networks have little means to remediate. SD-WAN employs features such as Forward Error Correction (FEC) or packet duplication, which are enabled once packet loss is identified on a path. This technique sends duplicates of each packet in the flow over a single path or over multiple paths to give greater assurance that critical data like voice or video will make it to the destination. At the other side of the session for that voice or video stream, the first copy of each packet received is forwarded to the destination and the later duplicates are dropped; if a copy is lost in transit, its duplicate is used in its place.
  3. Jitter Buffering - Voice and video quality can suffer from a network condition called "jitter", which is when the information sent over the network is spaced inconsistently, leading to a variable tempo for the stream. The result is audio or video that can have gaps in timing and become impaired. SD-WAN measures the gaps between the packets and can evenly space these packets on the other side, providing what is called a "jitter buffer" to realign the timing of these packets and keep the video or audio stream cadence intact. Jitter buffering has been performed before, but traditionally at the application servers and endpoints (i.e. IP phones or IP video appliances). The unique differentiator for SD-WAN is performing this inline on the network rather than relying on the endpoints and application servers to supply the jitter buffering.
  4. Prioritization and Queuing over Multiple Tunneled Paths - Because SD-WAN performs its queuing and packet forwarding over something called an "overlay", the forwarding decisions for the highest priority information and the reservation of bandwidth for applications are performed at a layer above the traditional IP interface. With this, a priority "fast pass" can be given to crucial data like voice, video or other business essential apps bi-directionally, and this can be done over all paths available. These overlays are typically facilitated with tunnels on top of existing infrastructure rather than on the actual underlay interfaces. This allows user defined packet queuing and service prioritization to be configured on top of service provider links.
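The receive-side behaviour described in items 2 and 3 (forward the first copy of each packet, drop duplicates, then re-space the stream through a jitter buffer), as an added simulation that is not code from the article or from any SD-WAN product; the tunnel labels, 20 ms packet period, arrival times and buffer depths are all constructed:

```python
# Added example (not from the article): receive-side model of SD-WAN packet
# duplication and inline jitter buffering. Paths, timings, period are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    seq: int           # sequence number stamped by the sending edge
    path: str          # tunnel that carried this copy
    arrival_ms: float  # arrival time at the receiving edge

def dedup(arrivals):
    """Forward the first copy of each seq, drop later duplicates.
    Returns (forwarded copies in arrival order, duplicates dropped)."""
    seen, forwarded, dropped = set(), [], 0
    for p in sorted(arrivals, key=lambda p: p.arrival_ms):
        if p.seq in seen:
            dropped += 1
        else:
            seen.add(p.seq)
            forwarded.append(p)
    return forwarded, dropped

def missing_seqs(forwarded):
    """Sequence numbers that arrived on no path: audible gaps in the stream."""
    seqs = {p.seq for p in forwarded}
    return set(range(min(seqs), max(seqs) + 1)) - seqs

def jitter_buffer(forwarded, period_ms, depth_ms):
    """Release seq s at (first arrival + depth) + s*period; copies arriving after
    their slot are dropped as late. Returns (played seqs, late seqs)."""
    first = forwarded[0]
    base = first.arrival_ms - first.seq * period_ms + depth_ms
    played, late = [], []
    for p in forwarded:
        (played if p.arrival_ms <= base + p.seq * period_ms else late).append(p.seq)
    return played, late

# Constructed arrivals: voice packets sent every 20 ms, duplicated over tunnel A
# (faster) and tunnel B. Seq 2 was lost on A; seq 4 was delayed on both paths.
ARRIVALS = [
    Packet(0, "A", 30), Packet(0, "B", 45), Packet(1, "A", 50), Packet(1, "B", 65),
    Packet(2, "B", 85), Packet(3, "A", 90), Packet(3, "B", 105),
    Packet(4, "B", 135), Packet(4, "A", 150),
]

if __name__ == "__main__":
    fwd, dropped = dedup(ARRIVALS)
    print("forwarded:", [(p.seq, p.path) for p in fwd], "dropped:", dropped)
    print("gaps, both paths:", missing_seqs(fwd))
    print("gaps, path A only:", missing_seqs(dedup([p for p in ARRIVALS if p.path == "A"])[0]))
    for depth in (20, 40):  # deeper buffer: more delay, fewer late drops
        print(f"depth {depth} ms played/late:", jitter_buffer(fwd, 20, depth))
```

With path A alone, seq 2 is an audible gap; with both paths it is filled by the copy from B, and the 20 ms versus 40 ms runs show the delay-versus-loss trade-off a jitter buffer depth makes.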


So as you can see, there are many pieces that come together to make IP based voice over broadband and Dedicated Internet Access (DIA) now possible. Our organization has played a part in designing many SD-WAN based solutions for customers and has seen it perform in the "real world", so I can attest first hand that it works. We are beginning a new era of intelligent, self-healing networks, which Software Defined Networking (SDN) applications like SD-WAN will be leveraged to usher in. Though many of the technologies leveraged by SD-WAN are not new, the way they are put together and managed by an SDN controller is, and it is this combination that makes it truly powerful. It is with great confidence that I can state that SD-WAN is not a fad and will be a fundamental piece of how organizations build out their connectivity moving forward.


Author: Jason Gintert

Having worked in Service Provider networks for nearly 20 years, Jason co-founded WAN Dynamics based on the belief that SD-WAN will be the way we build networks from now on. Next generation networks are not only his profession but something of a personal pursuit as well. Jason lives in the woods outside of Cleveland with his wife, two girls, two dogs and a rabbit.


Editor: Alexandros Stavdas

Alexandros Stavdas holds a B.Sc. degree in Physics from the University of Athens (Greece), an M.Sc. in Optoelectronics and Laser Devices from Heriot-Watt/St. Andrews University (U.K.), and a Ph.D. from University College London (U.K.). Currently, he is Professor of optical systems and networking in the Department of Informatics and Telecommunications, University of Peloponnese. He is an author of over 150 journal and conference papers. He has also served as Technical Program Committee Chairman and as a Member of the Technical Program Committees of various international conferences. His current research interests include Future Internet architectures, 5G convergence of heterogeneous access networks, multi-layer performance modeling, SDN/NFV, physical layer modeling of optical networks and optical packet/burst switching systems.