A policy-based per-flow mobility management system design


A policy-based per-flow mobility management system design
We proposed an intelligent network infrastructure to provide the best user experience in a heterogeneous environment. This infrastructure, leveraging SDN, NFV, and cloud-based technologies, supports user session continuity through seamless per-flow handovers, while implementing dynamic policy management schemes.
M. Kantor, G. Ormazabal, R. State, T. Engel. IPTComm 2015, 6th October 2015, Chicago

Agenda
Motivation; Network architecture; OpenFlow-enabled Multi-Mode Terminal mobile device (OF-MMT) architecture; Per-flow mobility management architecture; Policy engine logic architecture; End-to-end network connectivity; Conclusions

Motivation (1)
Mobile devices support a variety of network interfaces (Wi-Fi, 3G, WiMAX, LTE, ...) and connect to several networks at the same time. Diverse and heterogeneous network connectivity: increase reliability and performance; use the links sequentially or in parallel; schedule applications intelligently; smart selection of network access; best user experience while consuming network services. Seamless handover!
Mobile traffic is generated by devices that can support a variety of network interfaces (IFs), such as Wi-Fi, 3G, WiMAX, and LTE, and can connect to several networks at the same time. Such diverse and heterogeneous network connectivity may be used to increase both reliability and performance, using the links sequentially or in parallel, and to intelligently schedule applications to obtain the best user experience while consuming network services.

Motivation (2)
Seamless handover requirements: routing / rerouting; reconfiguration; location management; address management; session identification; session migration; smart selection of network access. Network Function Virtualization (NFV) + Software Defined Networking (SDN).
Seamless handover execution is a complex task that requires addressing the following aspects: routing, rerouting, reconfiguration, location management, address management, session identification, session migration, and smart selection of network access. In a convergent, heterogeneous network landscape, Network Function Virtualization (NFV), along with Software Defined Networking (SDN) technology, can play a key role by allowing service differentiation at a very low granularity level. NFV eliminates the dependency between a network function (NF) and the hardware it is deployed on, by creating a standardized execution environment and management interfaces for the virtualized Network Functions (vNFs). In turn, SDN technology introduces network programmability, enabling dynamic reconfiguration by the network operator. SDN shifts networks from IP-based to flow-based management and control.

Network Architecture
The proposed system uses the SDN paradigm for connectivity support of multi-mode (multiple heterogeneous interfaces) mobile terminals, which are OpenFlow-enabled. The system works in a fully virtualized network environment, consisting of a virtualized SDN domain controller located in the cloud, a distributed and virtualized decision-making control middleware policy engine, and an SDN/NFV-enabled network infrastructure. Such an approach supports and simplifies connectivity management in a scalable fashion, for many types of mobile devices, and provides context-aware and real-time adaptation to the network conditions.

OF-MMT Architecture
The mobile device architecture leverages SDN client capabilities, together with virtualization of the mobile device. The proposed mobile device design intelligently combines the VMI, Open vSwitch, MIH client, local SDN controller, local policy engine, and SDN monitoring agent modules, along with the concept of physical and virtual interfaces, to enable a seamless per-flow handover. Virtual Mobile Instances (VMIs) provide resources for running applications in completely separate environments. Open vSwitch is a virtual switch for hypervisors providing network connectivity to virtual machines. It maintains a flow table that defines what to do with each flow. The SDN monitoring agent is responsible for monitoring and collecting per-flow parameters, such as the number of sent/received packets, drop count, port statistics, etc. The MIH client monitors and provides interface information useful for handover decisions about the presence or absence of available wireless networks, from simple network discovery to more complex network information within a geographical area, such as available bandwidth, network type, cost, etc., obtained by querying the MIH Information Service (MIS) database. The local policy engine logic is responsible for taking local handover decisions on the OF-MMT. The policies can be specified by the user, network, VMI, or as granularly as on a per-application basis.

OF-MMT’s Open vSwitch Architecture
The proposed OF-MMT's Open vSwitch architecture consists of Open vSwitch integration and tunnel bridges, tap devices, and both virtual and physical interfaces. The VMIs' virtual interfaces (e.g., eth0) are connected via tap devices to the integration bridge. A tap device, such as tap0, simulates a virtual network interface card. A pair of directly connected virtual Ethernet interfaces, such as veth0 and tap0, is called a veth pair. An Ethernet frame sent from one end of a veth pair is received by the other veth end. Subsequently, each physical network interface (e.g., IF1) is attached to a separate tunnel bridge, identified as br-tun. Integration and tunnel bridges are connected through a virtual patch cable between internal Open vSwitch patch ports, which view them as normal switch ports. A local SDN controller, which manages Open vSwitch, consists of two modules: Tunnel Manager and SDN Flow Manager. These managers are responsible for setting up tunnels and managing flow entries in the flow table, respectively. The tunnels are assigned to flows by the SDN Flow Manager, and there is a one-to-one correspondence between a tunnel and a flow.

Per-flow Mobility Management Architecture
The general design of the network-assisted flow mobility management system is centered on the MCN network element, which keeps the location information of the mobile devices. The proposed per-flow mobility system assumes that flow handovers are initiated by the PE and executed by the local SDN controller, with additional support from the network infrastructure. The local SDN controller manages the associations between flows and tunnels, called flow bindings, to select the proper access technology for sending the egress packets. The network-level component is required to manage and maintain the physical IP addresses of the mobile devices, as well as to route the physical packets in which the flow is tunneled.

Policy Engine Logic Architecture
The proposed control middleware design, along with the corresponding network infrastructure, makes it possible to control, perform, and execute adaptive, context-aware, policy-based, and seamless per-flow handover decisions. A suitable policy vector for taking a flow handover decision depends on a number of factors related to network, user, terminal, application, and flow requirements and constraints. Signal strength is the most important, the next one is the cost which location, time of day. Policy vector attributes are constantly monitored for optimal network connectivity. Based on the input from the MIH client and associated attribute managers, the PE evaluates the defined policy vectors against a set of prescribed policies and takes the flow handover decision. The selected components (marked in red), i.e., Location [17], Cognitive Geographical, Network, Security, and System Managers, along with the newly proposed SDN Parameter and Flow Managers (marked in green), provide relevant inputs (described below) to the Policy Engine (PE) decision-making algorithm.

End-to-end Network Connectivity
SDN network attachment; SDN network connectivity management; Host-based mobility - tunnel establishment; Per-application flow table; Data transfer

SDN Network Attachment
Detection of a mobile device attachment: based on the mobile device's physical interface MAC address; OF-enabled switch → SDN domain controller: Packet-in message. SDN device access control: authentication request, SDN Flow Manager → candidate network SDN domain controller; Security Manager → MAC layer credential data. Network authentication and IP address assignment: local SDN controller → DHCP request for an IP address for the physical mobile device interface; before assigning the IP address → interception for the network authentication procedure; Security Manager → IP layer credential data. Binding cache entry created at the candidate network SDN domain controller: mobile device's physical interface routable IP address; mobile device's physical interface MAC address; first-hop OF-enabled switch's identifier; binding entry lifetime. Binding cache entry forwarded to the MCN.
The network side is expected to detect mobile device attachment. Detection is based on the MAC address of the physical interface. Upon attachment detection, the OF-enabled switch notifies the SDN domain controller about the event by sending a Packet-in message. Then, the SDN Flow Manager proceeds with the SDN device authentication process. Upon successful device authentication, the local SDN controller initiates a DHCP request for an IP address, which is intercepted by the network authentication procedure. Upon successful network authentication, the SDN domain controller creates the corresponding binding cache entry consisting of the routable IP address assigned to the OF-MMT's physical interface, its MAC address, the identifier of the first-hop OF-enabled switch to which the physical interface is attached, and a binding lifetime. Subsequently, it forwards the binding cache entry to the MCN.
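The attachment sequence above, sketched as an added example that is not part of the presentation: a binding cache entry is created only after both the MAC-layer and the IP-layer check pass, and it is purged once its lifetime runs out. Class and method names are hypothetical, and modelling the Security Manager's credential data as per-MAC shared secrets is an assumption.

```python
# Added illustration: class, method and credential names are hypothetical.
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class BindingCacheEntry:
    ip: str            # routable IP of the physical interface
    mac: str           # MAC address of the physical interface
    switch_id: str     # first-hop OF-enabled switch identifier
    expires_at: float  # attachment time + binding lifetime


def _check(table, mac, credential):
    """Constant-time credential comparison; an unknown MAC never matches."""
    expected = table.get(mac)
    return expected is not None and hmac.compare_digest(
        expected.encode(), credential.encode())


class DomainController:
    def __init__(self, mac_creds, ip_creds, lifetime):
        # Credential tables stand in for the Security Manager (assumption).
        self.mac_creds, self.ip_creds = mac_creds, ip_creds
        self.lifetime = lifetime
        self.seen = {}           # MAC -> switch_id, learned from Packet-in
        self.device_ok = set()   # MACs that passed device access control
        self.cache = {}          # MAC -> BindingCacheEntry
        self.sent_to_mcn = []    # entries forwarded to the MCN

    def packet_in(self, mac, switch_id):
        """Step 1: the switch reports a MAC; this grants nothing by itself."""
        self.seen[mac] = switch_id
        self.device_ok.discard(mac)  # a re-attachment must authenticate again

    def authenticate_device(self, mac, credential):
        """Step 2: MAC-layer check, only for a MAC seen in a Packet-in."""
        ok = mac in self.seen and _check(self.mac_creds, mac, credential)
        if ok:
            self.device_ok.add(mac)
        return ok

    def dhcp_request(self, mac, credential, offered_ip, now):
        """Step 3: intercepted DHCP; bind only after IP-layer authentication."""
        if mac not in self.device_ok:
            return None
        if not _check(self.ip_creds, mac, credential):
            return None
        entry = BindingCacheEntry(offered_ip, mac, self.seen[mac],
                                  now + self.lifetime)
        self.cache[mac] = entry
        self.sent_to_mcn.append(entry)
        return entry

    def lookup(self, mac, now):
        """Expired bindings are purged instead of being served."""
        entry = self.cache.get(mac)
        if entry and now >= entry.expires_at:
            del self.cache[mac]
            return None
        return entry
```

The MAC address only identifies the attachment; the binding depends on the two credential checks, so a device that skips step 2 gets no entry even with a valid IP-layer credential.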

Host-based Mobility – Tunnel Establishment
Virtual IP address assigned to the VMI virtual interface: identifies the mobile device's VMI at the CN; remains constant independently of any IP readdressing of the mobile device's physical interfaces. Tunneling mechanisms used to encapsulate packets generated by the VMI's applications: mapping of virtual IP address to physical IP address; virtual IP address used as the source IP address; mobile device's physical interface IP stack hidden from the VMI's applications. Tunnel-flow association. Applied overlay tunneling approach → full decoupling of the real mobile device physical interfaces and the VMIs' virtual interfaces.
I showed on several slides the relation between virtual and physical interfaces. The VMI is segmented over a virtual environment with virtual IP addresses, and there is a mapping between virtual and physical addresses.

Per-application Flow Table
Flow handover decision: PE Flow Manager → SDN Flow Manager. SDN Flow Manager tasks: selection of the physical tunnel; binding creation between the flow identifier FID and the tunnel identifier TID; creation and management of the per-application flow entry in the flow table. Flows switched seamlessly without affecting any active TCP sessions.
When the PE decides that a handover should be executed, the PE Flow Manager communicates the flow handover decision to the SDN Flow Manager, which selects the physical tunnel, creates a binding between the flow identifier FID and the tunnel identifier TID, and installs the flow entry in the flow table, identified by the respective FID. The SDN Flow Manager in the local SDN controller creates and installs per-application flow entries in flow tables, as well as modifies and removes flow entries. A flow entry specifies an action to be taken on the matched packets. The action results from the PE handover decision for that flow, determining the OF-MMT's physical interface to be used for egress traffic. Flows are switched seamlessly between different physical access transport networks without affecting any active TCP sessions sourced by the VMI's applications!
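The handover path described above and in the policy engine slide, as an added example that is not part of the presentation: a policy decision picks the physical interface, and the flow manager rebinds the FID to a new TID while the match on the virtual addresses stays unchanged. All names, the two-attribute policy vector and the thresholds are assumptions; ranking by signal strength first and cost second follows the order stated for the policy vector.

```python
# Added illustration: names, fields and thresholds are hypothetical.
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class PolicyVector:
    interface: str   # physical interface, e.g. "IF1"
    signal_dbm: int  # signal strength reported through the MIH client
    cost: float      # access cost in arbitrary units


def select_interface(vectors, min_signal_dbm, max_cost):
    """PE decision: drop vectors that violate policy, rank by signal, then cost."""
    allowed = [v for v in vectors
               if v.signal_dbm >= min_signal_dbm and v.cost <= max_cost]
    if not allowed:
        return None  # no compliant network: keep the current binding
    return min(allowed, key=lambda v: (-v.signal_dbm, v.cost)).interface


class SDNFlowManager:
    def __init__(self):
        self._tids = count(1)
        self.bindings = {}    # FID -> (TID, interface)
        self.flow_table = {}  # FID -> flow entry

    def handover(self, fid, match, interface):
        """Bind FID to a fresh tunnel on `interface`; only the action changes."""
        old = self.bindings.get(fid)
        if interface is None or (old and old[1] == interface):
            return self.flow_table.get(fid)   # nothing to move
        tid = next(self._tids)                # one tunnel per flow (1:1 binding)
        self.bindings[fid] = (tid, interface)
        entry = {"match": dict(match),
                 "action": {"tunnel": tid, "out": interface}}
        self.flow_table[fid] = entry
        return entry


def demo():
    # Constructed sample: the match uses the VMI's virtual IP, not a physical one.
    match = {"src": "10.0.0.5", "dst": "10.0.1.9", "proto": "tcp", "dport": 443}
    mgr = SDNFlowManager()
    before = mgr.handover("fid-1", match, select_interface(
        [PolicyVector("IF1", -60, 0.0), PolicyVector("IF2", -75, 0.02)],
        min_signal_dbm=-80, max_cost=0.05))
    # IF1's signal degrades below the policy threshold; the flow moves to IF2.
    after = mgr.handover("fid-1", match, select_interface(
        [PolicyVector("IF1", -92, 0.0), PolicyVector("IF2", -70, 0.02)],
        min_signal_dbm=-80, max_cost=0.05))
    return before, after
```

Because the match fields never reference a physical address, the TCP session's endpoints as seen by the VMI's applications are identical before and after the rebinding.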

SDN Network Connectivity Management
Routable IP address assigned to the physical interface: IP address from the mobile device's network of initial attachment (home domain). Several collaborating SDN domains: at least one SDN domain controller per SDN domain; network path between mobile devices → SDN domain controller(s); communication between SDN domain controllers → through the east/westbound interface; SDN domain controller → no location information outside of its own controlled domain. Mobility Control Node (MCN): keeps the current location information of mobile devices; rendezvous point when both mobile devices are moving concurrently; supports inter-domain path computation between the OF-MMT and the CN. Inter-domain route distribution: traditional routing protocols, BGP and OSPF, may be leveraged and extended.
The MCN obtains all necessary information because it has to update the binding entry by sending a binding update. The MCN is used for inter-domain path computation. The new domain's SDN controller does not know the details of other domains.

Data Transfer
Forwarding of flow packets in the mobile device: realized by the Open vSwitch kernel module; follows the installed flow entry; packets encapsulated in the selected tunnel; sent through the mobile device's physical interface towards the corresponding VMI in the CN. Forwarding of flow packets in the network: packets transmitted through the network path.

Conclusions
Context-aware per-flow mobility-enabled architecture involving novel network tools afforded by SDN/NFV technology. SDN architecture complemented with a control middleware abstracting networking complexity and providing a policy-based decision-making system. Policies taking into account context information, providing granular network access control on a per-application basis. Provisioning of mobility capabilities by using physical-to-virtual address encapsulation (tunneling). Mobility execution by a simple flow table entry update. Proposed approach providing user and mobile device independence from network and access technologies.

Thank you!

Flowchart

General Open vSwitch Architecture