










A concise overview of Software Defined Networking (SDN) and Network Functions Virtualization (NFV), outlining key components, architectures, and protocols. It includes definitions of essential terms such as Virtual Network Functions (VNFs), Network Functions Virtualization Infrastructure (NFVI), and NFV Management and Orchestration (NFV-MANO). Additionally, it covers various OpenStack modules and networking concepts like VPNs, VLANs, and overlay networks, offering a foundational understanding of modern network virtualization technologies. The document also touches on security protocols like SSL and IPsec, and interface types such as southbound and northbound interfaces, making it a valuable resource for students and professionals in the field.











NFV Components: Virtual Network Functions (VNFs); Network Functions Virtualization Infrastructure (NFVI); NFV Management and Orchestration (NFV-MANO).
NFV Management and Orchestration (NFV-MANO): Consists of all functional blocks, data repositories, reference points, and interfaces that are used for managing and orchestrating VNFs and the NFVI.
Network Functions Virtualization Infrastructure (NFVI): The entirety of the hardware and software components that build the environment where VNFs are deployed.
Virtual Network Functions (VNFs): The software implementations of network functions.
Open Platform for NFV (OPNFV): Created by the Linux Foundation in 2014; a collaborative open-source platform that seeks to develop NFV and shape its evolution.
OpenStack: An open-source cloud computing platform with high market penetration that includes a collection of interoperable modules used to orchestrate large pools of compute, storage, and networking resources.
Nova: OpenStack compute module, used to create and delete compute instances as required.
Glance: OpenStack module that synchronizes and maintains VM images across the compute cluster.
Keystone: Module that provides authentication for accessing all OpenStack services.
Cinder: OpenStack module that provides block storage used as storage volumes for VMs.
Swift: OpenStack module that provides object storage, used to store large amounts of static data in a cluster.
Neutron: The networking module of OpenStack, which allows the different compute instances and storage nodes to communicate with each other.
Horizon: OpenStack module that provides a GUI dashboard; by far the most widely deployed management module.
Heat: OpenStack module that helps expedite orchestration of applications across multiple compute instances by using templates.
Ceilometer: OpenStack module that monitors the NFVI and helps identify bottlenecks and resource optimization opportunities.
Ironic: OpenStack module that is a provisioning tool for bare-metal installation of compute capabilities instead of VMs in OpenStack.
Congress: OpenStack module that is a policy management framework for the OpenStack environment.
Network Functions Virtualization (NFV): Moves network functions from stand-alone appliances to software running on any server, reducing the time-to-market for products.
Software-Defined Networks (SDN): This architecture decouples the network control and forwarding functions, enabling the
UDP port number 68: Destination port of a DHCP client.
ioctl interface (Linux bridge configuration): Offers an interface that can be used to create and destroy bridges in the operating system; it can also add network interfaces to, and remove existing network interfaces from, the bridge.
sysfs-based interface (Linux bridge configuration): Allows the management of bridge and bridge-port-specific parameters.
Virtual network: A mapping of the entirety or a subset of networking resources to a specific protocol layer.
Network Virtualization (NV): Defined by the ability to create logical, virtual networks that are decoupled from the underlying network hardware, so that the network can better integrate with and support increasingly virtual environments.
Two most common forms of NV: Protocol-based virtual networks; virtual networks that are based on virtual devices.
Virtual Private Networks (VPNs): Protocol-based virtual networks usually built on tunneling protocols, consisting of multiple remote end-points (typically routers, VPN gateways or software clients) joined by some sort of tunnel over another network, usually a third-party network.
Virtual LANs (VLANs): Protocol-based virtual networks that are logical local area networks (LANs) based on physical LANs.
Virtual Private LAN Services (VPLS): A specific type of multipoint VPN that is divided into Transparent LAN Services (TLS) and Ethernet Virtual Connection Services.
Virtualization: Refers to the act of creating a virtual (rather than actual) version of something, including virtual computer hardware platforms, storage devices, and computer network resources.
Replication: To create multiple instances of the resource.
Isolation: To separate the uses which clients make of the underlying resources.
Overlay network: A computer network that is built on top of another network.
Virtual Network Embedding (VNE) problem: How to optimally allocate virtual networks and their associated networking resources.
Hub: A physical-layer device where a frame is passed along or broadcast to every one of its ports, even though the frame is only destined for one port.
Switch: Responsible for connecting several network links to each other, creating a Local Area Network (LAN). A data-link layer device that keeps a record of the MAC addresses of all the devices connected to it; with this information it can identify which system is sitting on which port. As a result, when a frame is received, it knows exactly which port to send the frame to, without significantly increasing network response times.
Bridge: A device that separates two or more network segments within one logical network.
Open vSwitch (OVS): A multi-layer software switch licensed under the open-source Apache 2 license.
Linux bridge: A native function of the Linux kernel with layer-2 capabilities, which can be considered as an Ethernet hub.
OpenFlow: Allows a controller to add, remove, update, monitor, and obtain statistics on flow tables and their flows, as well as to divert selected packets to the controller and to inject packets from the controller into the switch.
Southbound Interface (SBI): Allows the controller to communicate with, interact with, and manage the forwarding elements.
East/Westbound interfaces: Meant for communication between groups or federations of controllers.
Northbound Interface (NBI): Enables applications in the application layer to program the controllers by making abstract data models and other functionalities available to them.
Unified control plane of an SDN: Consists of one or more SDN controllers that use open APIs to exert control over the underlying vSwitches or forwarding devices.
Data plane in SDN: Tasked with enabling the transfer of data from the sender to the receiver(s).
OpenFlow: Defined by the ONF, a protocol between the control and forwarding layers of an SDN architecture; by far the most widespread implementation of SDN.
SDN Controllers: The brains of the SDN operation, lying between the data plane devices on one end and high-level applications on the other. Take responsibility for establishing every flow in the network by installing flow entries on switch devices.
NOX: Was among the first publicly available OpenFlow controllers.
OpenDaylight (ODL): An open-source SDN controller that has been available since 2014. A modular, multi-protocol SDN controller that is widely deployed in the industry.
Open vSwitch (OVS): Open-source implementation of a distributed programmable virtual multi-layer switch. Generally consists of flow tables, with each flow entry having match conditions and associated actions. Communicates with the controller using a secure channel, and generally uses the OpenFlow protocol.
Routing Control Platform (RCP): Proposed in for the provisioning of inter-domain routing over a BGP network. Routing is done as a separate entity. Control from physically distributed entities in a domain is logically centralized in a control plane.
SoftRouter: Presented with the aim of separating control and forwarding elements, called Control Element (CE) and Forwarding Element (FE), respectively. The control functionality is provided by using a centralized server, i.e., a CE that might be many hops away from the FE.
RouteFlow: Project initially named QuagFlow, which aimed to provide IP routing as Router-as-a-Service in a virtualized environment. Considered the basic architecture to control routing in SDNs.
Virtual Router System (VRS): Virtual router instances communicate with a Point-Of-Presence (POP) and follow a star topology, in which a single core node is connected to Customer Edge Gateways (CEG) linked through Intermediate Nodes (INs).
Vulnerability: A weakness or gap in a security system that can be either exploited by attackers or caused by malfunctioning system components.
Threat: The possibility of exploitation of vulnerabilities that can lead to something bad happening; it emphasizes the qualitative aspect of potential damages due to exploited vulnerabilities.
Attack: An action triggered by deploying an attacking method, when a vulnerability is exploited to actually realize a threat.
Risk: The quantifiable likelihood of loss due to a realized threat; it emphasizes the quantitative aspect of potential damages.
The source of attacks: Two types of attackers based on their origins, called inside attacker (or insider) and outside attacker (or outsider).
Exploitation: This implies actual detonation of the attack, such as the exploit running on the system.
Installation: The attacker may install malware on the victim.
Command & Control (C&C): Once a system is compromised and/or infected, the system has to call home.
Actions on Objectives: Once the cyber attackers establish access to the organization, they then execute actions to achieve their objectives/goal.
Network mapping: The study of the connectivity of networks at layer 3 on a TCP/IP network.
Vulnerability scanning: An inspection of the potential points of exploit on a computer or network to identify security holes.
Penetration testing: Attempts to identify insecure business processes, insecure system settings, or other weaknesses.
Firewall (FW): A component or set of components that restricts access between a protected network and the Internet, or between other sets of networks.
Host: A computer system attached to a network.
Network Address Translation (NAT): A procedure by which a router changes data in packets to modify the network addresses. This allows a router to conceal the addresses of network hosts on one side of it.
Perimeter network: A network added between a protected network and an external network in order to provide an additional layer of security. A perimeter network is sometimes called a DMZ.
Proxy: A program that deals with external servers on behalf of internal clients.
Intrusion Prevention System (IPS): A network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits.
Intrusion Detection System (IDS): A network security technology originally built for detecting vulnerability exploits against a target application or computer.
Host-based logging: This approach minimizes the network traffic by transferring logs into a centralized log server; however, it incurs significant management overhead to retrieve logging data from individual hosts.
Centralized logging: Individual hosts or networking devices send their logs to a centralized logging service for log management and analysis.
Decentralized logging: Usually built on centralized logging solutions, in which multiple centralized-logging systems can be established to handle specific applications to address the scalability issues.
Centralized logging interdependent services: Collect logs; Transport; Store; Analyze; Alerting.
Log Collection: Centralized logging interdependent service that uses one of two basic approaches.
SDLC Operations and Maintenance Phase: Configuration management and control; Continuous monitoring.
SDLC Disposition Phase: Information preservation; Media sanitization; Hardware and software disposal.
Secure Boot: Technology that can help maintain validation and assurance of boot integrity. Provides assurance that the code loaded in the VNF execution environment is authentic and has not been tampered with.
TAP or SPAN port: IDS solutions will often use one to analyze a copy of the inline traffic stream (thus ensuring that the IDS does not impact inline network performance).
Resource isolation methods: Physical segregation of hardware resources; rate-limiting the usage of VNF resources; dividing resources via a scheduling mechanism (round-robin/fair-queue).
Bastion host: Attached to the perimeter network; this host is the main point of contact for incoming connections from the outside world.
SDN security mechanisms: Replication; Diversity; Automated Recovery; Dynamic Device Association; Controller-Switch trust; Controller-App plane trust; Security domains.
Side-channel attacks: Data-plane attack where the attacker can observe the processing time of the control plane in order to learn the network configuration.
VM-FW-R: NIST 800-125B recommendation that states that in virtualized environments with VMs running delay-sensitive applications, virtual firewalls should be deployed for traffic flow control instead of physical firewalls.
VM-FW-R: NIST 800-125B recommendation that states that in virtualized environments with VMs running I/O-intensive applications, kernel-based virtual firewalls should be deployed instead of subnet-level virtual firewalls.
VM-FW-R: NIST 800-125B recommendation that states that for both subnet-level and kernel-based virtual firewalls, it is preferable if the firewall is integrated with a virtualization management platform rather than being accessible only through a stand-alone console.
VM-FW-R: NIST 800-125B recommendation that states that for both subnet-level and kernel-based virtual firewalls, it is preferable that the firewall supports rules using higher-level components or abstractions (e.g., security group) in addition to the basic 5-tuple (source/destination IP address, source/destination ports, protocol).
Chef: A configuration management tool written in Ruby that uses a pure-Ruby domain-specific language (DSL) for writing system configuration "recipes". These recipes, which are grouped together into a "cookbook" for easier management, describe a series of resources in an optimal state.
Ansible: An open-source suite of tools for software provisioning, configuration management, and application deployment. Agentless; relies on temporary remote connections (over standard SSH by default) without installing agents on the controlled node. Works with "playbooks", which are configuration files written in YAML and used to store automation instructions.
Puppet: The most well-known and mature configuration management tool. Uses specific modules written either in its own declarative language or in a Ruby DSL (domain-specific language) for configuration management.
Control layer: Represents the centralized SDN controller software that acts as the brain of the software-defined network. Communicates with the Application layer via the NBI and with the Infrastructure layer via the SBI.
Infrastructure layer: Made up of the physical switches in the network. These switches forward the network traffic to their destinations and communicate with the control layer via the SBI.
Physical network: Visible and physically present to connect physical computers.
Logical network: A virtual representation of a network that appears to the user as an entirely separate and self-contained network, even though it might physically be only a portion of a larger network or a local area network.
Overlay network: A virtual network of nodes and logical links built on top of an existing network with the purpose of implementing a network service that is not available in the existing network.
Address Resolution Protocol (ARP): A communication protocol used for discovering the link layer address, such as a MAC address, associated with a given network layer address, typically an IPv4 address.
Role-based access control (RBAC): Concept used to create differentiated access based on entitlement to administer a network device or controller.
VNFM (VNF Manager): Responsible for basic lifecycle management operations such as create/update/delete, platform-aware NFV load optimization, health monitoring, auto-scaling and VNF configuration management operations.
NFV Catalog: Consists of VNF Descriptors, Network Service Descriptors and VNF Forwarding Graph Descriptors.
NFVO (NFV Orchestrator): Responsible for VIM resource check and allocation, SFC management using the VNF Forwarding Graph descriptor, VNF placement policy, and network service deployment using decomposed VNFs.
Security mechanism - Replication: Can help in dealing with cases of controller or application failures due to a high volume of traffic or software vulnerabilities.
Security mechanism - Diversity: Improves robustness and intrusion tolerance. The use of diverse controllers can help reduce lateral movement of an attacker and cascading system failures caused by common vulnerabilities.
Security mechanism - Automated Recovery: In the case of security attacks leading to service disruption, proactive and reactive security recovery mechanisms can help in maintaining optimal service availability.
Security mechanism - Dynamic Device Association: Helps in dealing with faults (crash or Byzantine). Other advantages include the load balancing feature provided by diverse controllers (reduced service latency).
Security mechanism - Controller-Switch Trust: A trust establishment mechanism between the controller and switch is important to deal with cases of fake flows being inserted by malicious switches.
Security mechanism - Controller-App Plane Trust: Controller and application plane components should use autonomic trust management mechanisms based on mutual trust and delegated trust (a third party such as a Certificate Authority establishes the trust).
Security mechanism - Security Domains: Help in segmenting the network into different levels of trust, and in containing threats to only the affected section of the SDN framework.
Clustering: Adds a layer of defense against the controller being a single point of failure by having one or more controllers in an active/standby scenario.
MTD - Shuffling: Involves rearrangement of resources at various layers. Some examples include migration of a VM from one physical server to another, application migration, instruction set randomization (ISR), etc.