Paper Citations

@inproceedings {mustard-hotcloud2019,
 author = {Craig Mustard and Fabian Ruffy and Anny Gakhokidze and Ivan Beschastnikh and Alexandra Fedorova},
 title = {Jumpgate: In-Network Processing as a Service for Data Analytics},
 booktitle = {11th {USENIX} Workshop on Hot Topics in Cloud Computing (HotCloud 19)},
 year = {2019},
 address = {Renton, WA},
 publisher = {{USENIX} Association},
 abstract = {
  In-network processing, where data is processed by special-purpose devices as it 
  passes overthe network, is showing great promise at improving application performance,
  in particular for data analytics tasks. However, analytics and in-network processing
  are not yet integrated and widely deployed. This paper presents a vision for providing
  in-network processing as a service to data analytics frameworks, and outlines benefits,
  remaining challenges, and our current research directions towards realizing this vision.

 title={Iroko: A Framework to Prototype Reinforcement Learning for Data Center
 Traffic Control},
 author={Ruffy, Fabian and Przystupa, Michael and Beschastnikh, Ivan},
 booktitle={Neural Information Processing Systems 2018},
 abstract = {
  Recent networking research has identified that data-driven congestion control
  (CC) can be more efficient than traditional CC in TCP. Deep reinforcement
  learning (RL), in particular, has the potential to learn optimal network
  policies. However, RL suffers from instability and over-fitting, deficiencies
  which so far render it unacceptable for use in datacenter networks.
  In this paper, we analyze the requirements for RL to succeed in the datacenter
  context. We present a new emulator, Iroko, which we developed to support
  different network topologies, congestion control algorithms, and deployment
  scenarios. Iroko interfaces with the OpenAI gym toolkit, which allows for fast
  and fair evaluation of different RL and traditional CC algorithms under the
  same conditions. We present initial benchmarks on three deep RL algorithms
  compared to TCP New Vegas and DCTCP. Our results show that these algorithms
  are able to learn a CC policy which exceeds the performance of TCP New Vegas
  on a dumbbell and fat-tree topology. We make our emulator open-source and
  publicly available:

 title={Linux Network Programming with P4},
 author={Tu, William and Ruffy, Fabian and Budiu, Mihai},
 booktitle={Linux Plumbers Conference 2018},
 abstract = {
  P4 is a domain-specific language for implementing network data-planes. The P4
  abstraction allows programmers to write network protocols in a generalized
  fashion, without needing to know the configuration specifics of the targeted
  data-plane. The extended Berkeley Packet Filter (eBPF) is a safe virtual
  machine for executing sand-boxed programs in the Linux kernel. eBPF, and its
  extension the eXpress Data Path (XDP), effectively serve as programmable
  data-planes of the kernel. P4C-XDP is a project combining the performance of
  XDP with the generality and usability of P4. In this document, we describe
  how P4 can be translated into eBPF/XDP. We review the fundamental limitations
  of both technologies, analyze the performance of several generated XDP
  programs, and discuss problems we have faced while working on this new

 title={VNF chain allocation and management at data center scale},
 author={Kodirov, Nodir and Bayless, Sam and Ruffy, Fabian and Beschastnikh,
  Ivan and Hoos, Holger H and Hu, Alan J},
 booktitle={Proceedings of the 2018 Symposium on Architectures for Networking
  and Communications Systems},
 abstract = {
  Recent advances in network function virtualization have prompted the research
  community to consider data-center-scale deployments. However, existing tools,
  such as E2 and SOL, limit VNF chain allocation to rack-scale and provide
  limited support for management of allocated chains. We define a narrow API to
  let data center tenants and operators allocate and manage arbitrary VNF chain
  topologies, and we introduce NetPack, a new stochastic placement algorithm,
  to implement this API at data-center-scale. We prototyped the resulting
  system, dubbed Daisy, using the Sonata platform. In data-center-scale
  simulations on realistic scenarios and topologies that are orders of magnitude
  larger than prior work, we achieve in all cases an allocation density within
  96% of a recently introduced, theoretically complete, constraint-solver-based
  placement engine, while being 82x faster on average. In detailed emulation
  with real packet traces, we find that Daisy performs each of our six API
  calls with at most one second of throughput drop.

 title={VNF chain abstraction for cloud service providers},
 author={Kodirov, Nodir and Bayless, Sam and Ruffy, Fabian and Beschastnikh,
  Ivan and Hoos, Holger H and Hu, Alan J},
 booktitle={Proceedings of the 2018 Symposium on Architectures for Networking
  and Communications Systems},
 abstract = {
  We propose a VNF chain abstraction to decouple a tenant's view of the VNF
  chain from the cloud provider's implementation. We motivate the benefits of
  such an abstraction for the cloud provider as well as the tenants, and outline
  the challenges a cloud provider needs to address to make the chain abstraction
  practical. We describe the design requirements and report on our initial

 title={A STRIDE-based Security Architecture for Software-Defined Networking},
 author={Ruffy, Fabian and Hommel, Wolfgang and von Eye, Felix},
 booktitle={Proceedings of the Fifteenth International Conference on Networks},
 abstract = {While the novelty of Software-Defined Networking (SDN) - the
  separation of network control and data planes - is appealing and simple enough
  to foster massive vendor support, the resulting impact on the security of
  communication networks infrastructures and their management may be tremendous.
  The paradigm change affects the entire networking architecture. It involves new
  IP-based management communication protocols, and introduces newly engineered,
  potentially immature and vulnerable implementations in both network components
  and SDN controllers. In this paper, the well-known STRIDE threat model is
  applied to the generic SDN concepts as a basis for the design of a secure SDN
  architecture. The key elements are presented in detail along with a discussion
  of potentially fundamental security flaws in the current SDN concepts.