Editorials
This issue of the journal “Modeling and Analysis of Information Systems” contains extended versions of selected reports presented at the 2nd International Scientific and Technical Conference “Modern Network Technologies 2018” (MoNeTec-2018), which was held on October 25-26, 2018 in Moscow, at the Skolkovo Institute of Science and Technology (Skoltech). It was attended by representatives of the international scientific community, research units and corporations, start-ups, industry and business in Russia, development institutions and government bodies in the field of computer networks, network resource virtualization and cloud computing.
The organizers and sponsors of the scientific IT forum were Skoltech, M.V. Lomonosov Moscow State University, Center for Applied Research of Computer Networks, Innopolis University, FGAU GNII ITT “Informika”, JSC “Concern Avtomatika”, Joint Institute for Nuclear Research, Institute of Electrical and Electronics Engineers (IEEE) and others.
The conference was aimed at joint discussion of topical issues in the research, development and implementation of modern telecommunication technologies, based on SDN and NFV as the technologies for building modern computer networks and information infrastructures. SDN (Software Defined Networking) is a data network in which the network management layer is separated from the data transfer devices and implemented in software. The key principles of software-defined networks are the separation of data transfer from data management, the centralization of network management using unified software, and the virtualization of physical network resources.
Subjects of the conference reflected the following areas:
- construction of modern computer networks;
- service virtualization in SDN;
- applications of modern network technologies;
- organization of cloud computing;
- applications of cloud technologies.
The conference Program Committee includes leading scientists and developers from more than 10 countries of the world. The Program Committee was chaired by:
- R.L. Smeliansky, Corr. Member of the Russian Academy of Sciences, Professor of M.V. Lomonosov Moscow State University (Chairman);
- A.P. Kuleshov, Academician of the Russian Academy of Sciences, President of the Skolkovo Institute of Science and Technology (Co-Chair).
Currently, the world has begun to put the key technologies of SDN and NFV into practice for building modern computer networks and information infrastructures in general, but many problems remain for study, development and implementation. The articles in this issue of the journal reflect these problems to some extent.
Computer System Organization
Network function virtualization (NFV) is a promising technique for delivering high-quality, flexible and scalable services to the clients of telecommunication companies and of enterprise data centers. One of the important capabilities of this technique is providing a virtual service as a combination of multiple virtual functions. There are two types of virtual functions: those intended for a single customer (su-VF) and those that can serve multiple users (mu-VF). When the output of a mu-VF is chained with the inputs of several different su-VFs, a mechanism is needed to identify and separate the users' network flows passing through the mu-VF, so that they can be allocated correctly between the inputs of the su-VFs in the NFV infrastructure. In the cloud environment, it is not always possible to use VLAN tags, IP and MAC addresses for that. In this paper, we consider the problem of identifying the network traffic coming from a certain user inside an NFV platform and present a solution implemented in the C2 MANO platform.
Modern onboard equipment complexes (OEC) utilize AFDX and FC-AE-ASM-RT switched networks, which implement a virtual link-based approach to real-time data transfer. The main drawback of these networks is their limited or absent support for dynamic reconfiguration of virtual links, which makes dynamic recomposition of OEC operation modes impossible, particularly in the case of multiple equipment failures. To remove these drawbacks, this paper proposes an approach that uses software-defined networks (SDN) as onboard real-time networks. The proposed approach is based on implementing a virtual link-based technology (similar to those used in AFDX and FC-AE-ASM-RT) in an SDN supporting the OpenFlow 1.3 protocol. The approach was implemented as a functional prototype and experimentally evaluated in a virtual network environment based on Ofsoftswitch13 software SDN switches and the RUNOS controller. The experiments indicated that the proposed data exchange scheme transfers messages within the given limits on delay and jitter and does not allow violation of the constraints on virtual link bandwidth. The experiments also confirmed that dynamic reconfiguration of virtual links in SDN does not interrupt data transfer through unchanged virtual links. An important direction for future work is the development of algorithms for dynamic creation of virtual link routes in the course of OEC reconfiguration. The final goal of the work is to create an SDN-based network technology supporting both real-time data transfer and automatic network reconfiguration in case of an OEC mode change, including parrying multiple failures.
The paper proposes the architecture and basic requirements for a network processor for OpenFlow switches of software-defined networks. An analysis of the architectures of two well-known network processors is presented: NP-5 from EZchip (now Mellanox) and Tofino from Barefoot Networks. The advantages and disadvantages of two different network processor architectures are considered: a pipeline-based architecture whose stages are represented by a set of general-purpose processor cores, and a pipeline-based architecture whose stages correspond to cores specialized for specific packet processing operations. Based on a dedicated set of the most common use case scenarios, a new architecture of the network processor unit (NPU) with functionally specialized pipeline stages is proposed. The article presents a description of the simulation model of the NPU of the proposed architecture. The simulation model of the network processor is implemented in C++ using SystemC, the open-source C++ library. For functional testing of the obtained NPU model, the described use case scenarios were implemented in C. In order to evaluate the performance of the proposed NPU architecture, a set of software products developed by the KM211 company and the KMX32 family of microcontrollers were used. Evaluation of NPU performance was made on the basis of the simulation model. Estimates of the processing time of one packet and of the average throughput of the NPU model for each scenario are obtained.
Nowadays new innovative approaches based on the technology of software-defined networks (SDN) are gaining popularity in the field of computer networks (CN). SDN provides a flexible approach to the processing and control of data flows in CN by separating the control plane from the data plane, as well as by centralizing the representation of the entire network. In this paper, we propose a software infrastructure and a visual web-oriented environment (SIVE) for dynamic control of data flows in a campus SDN based on the OpenFlow protocol. It was proposed to use the SIVE as an integrated segment of the campus network of Ryazan State Radio Engineering University. The aim of the work is the development of the SIVE architecture in the form of a UML class diagram description, as well as the creation of software methods for organizing effective network interaction of various software systems in SDN based on the OpenFlow protocol. A hardware-software test bench based on HP Aruba 2920-24G equipment was developed to confirm the efficiency and reliability of the proposed SIVE. The offered SIVE is the basis for the development of a large class of software systems and SDN components based on the OpenFlow protocol.
A firewall is the main classic tool for monitoring and managing the network traffic on a local network. Its task is to compare the network traffic passing through it with the established security rules. These rules, which are often also called the security policy, can be defined both before and during the operation of the firewall. Managing the security policy of large corporate networks is a complex task. In order to implement it properly, firewall filtering rules must be written and organized neatly and without errors. In addition, changing or inserting rules should be performed only after a careful analysis of the relationships between the rules being modified or inserted and the rules that already exist in the security policy. In this article, the authors consider the classification of relations between security policy rules and also define all kinds of conflicts between them. In addition, the authors present a new efficient algorithm for detecting and resolving collisions in firewall rules, using the Floodlight SDN controller as an example.
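As an added illustration of the rule-relationship analysis the abstract describes (this is example code, not the authors' algorithm or the Floodlight implementation), the following Python checks an ordered firewall policy for two classic conflicts: a rule fully covered by an earlier rule with the opposite action (shadowed, it never fires) and one covered by an earlier rule with the same action (redundant). The rule format, field names and sample policy are constructed assumptions; correlation between partially overlapping rules is deliberately left out.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Simplified 5-tuple filter rule (assumed format, not a product's)."""
    name: str
    proto: str            # "tcp", "udp" or "any"
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: tuple          # inclusive (low, high) destination port range
    action: str           # "allow" or "deny"


def _proto_within(inner: str, outer: str) -> bool:
    return outer == "any" or inner == outer


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (_proto_within(inner.proto, outer.proto)
            and ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
            and outer.dport[0] <= inner.dport[0]
            and inner.dport[1] <= outer.dport[1])


def find_conflicts(rules):
    """Walk the ordered policy; report each rule fully covered by an earlier one.

    First-match semantics: the earliest covering rule decides the verdict.
    Only single-rule coverage is checked; a rule masked by the *union* of
    several earlier, partially overlapping rules is not detected here.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, kind, earlier.name))
                break
    return findings


# Constructed sample policy: r3 is shadowed by r2, r4 is redundant with r1.
SAMPLE_RULES = [
    Rule("r1", "tcp", "10.0.0.0/8", "0.0.0.0/0", (80, 80), "allow"),
    Rule("r2", "any", "172.16.0.0/12", "0.0.0.0/0", (0, 65535), "deny"),
    Rule("r3", "tcp", "172.16.5.0/24", "0.0.0.0/0", (443, 443), "allow"),
    Rule("r4", "tcp", "10.0.5.0/24", "192.168.0.0/16", (80, 80), "allow"),
    Rule("r5", "udp", "10.0.0.0/8", "0.0.0.0/0", (53, 53), "allow"),
]

if __name__ == "__main__":
    for rule, kind, by in find_conflicts(SAMPLE_RULES):
        print(f"{rule} is {kind} (covered by {by})")
```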
As part of the study, existing solutions aimed at ensuring the security of the network perimeter of a multi-cloud platform were considered. It is established that the most acute problem is the effective formation of rules on firewalls. Existing approaches do not allow optimizing the list of rules on the nodes that control access to the network. The aim of the study is to increase the effectiveness of firewall tools by conflict-free optimization of security rules and the use of a neural network approach in software-defined networks. The proposed solution is based on the combined use of intelligent mathematical approaches and modern technologies for the virtualization of network functions. In the course of experimental studies, a comparative analysis of the traditional means of rule formation, the neural network approach, and the genetic algorithm was carried out. It is recommended to use the multilayer perceptron neural network classifier for automatic construction of network security rules, since it gives the best results in terms of performance. It is also recommended to reduce the size of the firewall security rule list using the Kohonen network, as this tool shows the best performance. A conflict-free optimization algorithm was introduced into the designed architecture; it performs a final optimization by ranking and deriving the most common exceptions from large restrictive rules, which increases protection against attacks aimed at identifying security rules at the bottom of the firewall list. On the basis of the proposed solution, the adaptive firewall module was implemented as part of the research.
The architecture of a high availability distributed control plane for SDN/OpenFlow networks is considered. High availability is achieved by redundancy of controller instances, active switch-controller communications, computing resources, and tools for detecting and recovering from controller instance failure and overloading. A proactive backup controller allocation algorithm, which minimizes the time to repair in the case of a single controller instance failure, is discussed. The algorithm for controller load balancing dynamically reconfigures the control plane with a minimum number of switch control transfer operations in order to avoid controller instance overloading. Initial experimental results for the proposed algorithms for the HA distributed SDN control plane are described.
Software-Defined Networking (SDN) is a network architecture that introduces a physical separation of the data plane from the control plane. It implements a new way of analyzing network statistics through counters attached to forwarding rules. These counters measure the number of packets processed by these rules and represent per-flow network statistics. In order to get information about the number of packets from different flows, SDN applications can install additional forwarding rules whose sole purpose is to count packets with specific headers. But in order to produce a full analysis of network statistics, these applications may install a large number of forwarding rules, thus limiting the space in the forwarding table for other applications. So we need algorithms to minimize the number of such rules. In this paper, we consider the problem of minimizing the number of forwarding rules installed on SDN switches by applications that analyze network statistics. We introduce a heuristic algorithm that creates a reduced representation for sets of rules installed in the network. The experimental results show that this algorithm reduces the number of rules by at least 2.2 times on uniformly distributed random input.
“Common Criteria” (ISO 15408) is a universally recognized and broadly applicable approach to the management and evaluation of information security solutions. Common Criteria relies on developing a shared conceptual basis for the key modules of a security solution, including protection profiles and security targets. Developing the conceptual basis implies defining the following elements: security objectives and assumptions (for the environment and the object), threats and security policies, as well as functional and assurance requirements. The specifics of SDN (software-defined network) security solutions are largely driven by the fundamental architectural principles of SDN technology itself, primarily the separation of control and data flows, and by the conditions imposed by the use of the OpenFlow protocol. However, the proactive (threats and policies), passive (objectives and assumptions) and reactive (requirements) aspects of security management remain highly relevant for this type of security solution. This paper discusses the specifics of applying Common Criteria to assessing SDN security and the practical experience of MTUCI (Moscow Technical University of Communications and Informatics) in developing the protection profile. A new class of network attacks on SDN switches and controllers can involve either data or control components. In addition to traditional vulnerabilities, the centralization of management functions paves the way for new security threats by isolating controller activity and administrative message exchange. Therefore, identifying and analyzing the threats, policies and requirements specific to the security of the SDN control module becomes an emerging priority.
The computing paradigm based on giant data centers (DC) is being replaced by a new paradigm. The urgency of this shift is caused by the requirements of new applications that actively use video, real-time interactivity and new mobile communication technologies, which today cannot be implemented without the use of cloud computing and virtualization based on SDN and NFV technologies. The presentation considers the requirements dictated by these applications and outlines the architecture of this new paradigm, which we call Hierarchical Edge Computing (HEC). Attention is focused on the fact that all these applications are distributed, are becoming more and more real-time, and require guaranteed quality of service from the network. The main scientific problems that need to be solved to implement this new paradigm are discussed.
It is known that demultiplexing an individual traffic flow into several independent transport subflows can increase its speed. This statement is true for a single flow, but its truth in the massive case, when demultiplexing techniques are applied to all traffic flows in the network of a single Internet Service Provider (ISP), is not obvious. The question arises of what impact the massive demultiplexing of traffic flows will have on the bandwidth of the whole ISP network. In this paper, this question is considered for the static case, when each flow is demultiplexed statically, i.e. every flow is demultiplexed into the same number of subflows before it is launched. We developed a mathematical model that was used to construct a simulation model in order to obtain more accurate estimates of network performance with and without flow demultiplexing. Using the simulation model, the network properties under which demultiplexing of traffic flows is justified are identified. We verified the correctness of the obtained results by emulating the network load based on protocol stack virtualization for the same input. We considered various routing policies that can be used for massive demultiplexing. Special attention is paid to algorithms that build routes with minimal intersections, since using non-intersecting routes with non-optimal cost can increase network performance. The routes constructed with these algorithms were used both for the analysis of network performance with demultiplexed flows and in the case of balancing non-demultiplexed flows.
ISSN 2313-5417 (Online)