bwNET2.0

A more powerful and flexible network for Baden-Württemberg

Research and innovative services for a flexible network in Baden-Württemberg

To provide end users with a familiar quality of experience, the underlying network has to be equipped with innovative technologies and solutions. The state project bwNET2.0 aims to leverage innovative approaches to support the expansion and modernization of the BelWü network and university networks.

Work Packages

Monitoring

The monitoring approaches developed in the predecessor projects bwNetFlow and bwNET2020+, as well as the solutions already implemented in production, will be further developed. These will be extended to address the new requirements of the project and coordinated closely with the other work packages. Key aspects include enhancing the performance and quality assurance of the flow pipeline, deploying high-performance sensors for unsampled flows, exploring new possibilities for analysis and configuration, and providing datasets for the other work packages, including data management.

Attack Detection and Mitigation

This work package focuses on developing automated methods for detecting and mitigating network attacks to ensure resilient and secure operations in campus networks and BelWü. Both preventive approaches – using threat intelligence and honeypots – and reactive, ML-based detection methods such as HollywooDDoS are investigated. These innovative solutions aim to provide scalable, resource-efficient, and autonomous defense, even under high data rates. A passive ML experimentation platform enables real-world testing without impacting live network operations.

Network Softwarization and Intelligent Traffic Control

One of the key challenges in managing large-scale communication networks is the ever-growing volume of transmitted data, along with increasingly high-performance application demands. To address this, Work Package 3 explores innovative techniques based on network softwarization, the decoupling of software from hardware, using technologies such as Software-Defined Networking (SDN), Network Function Virtualization (NFV), and programmable data planes. These enable the development of flexible, software-based components that achieve high performance even on commodity or existing hardware, with applications including real-time monitoring at terabit speeds and autonomous threat mitigation. Furthermore, intelligent traffic management based on a Network Digital Twin using cutting-edge machine learning techniques allows for proactive control of network congestion and more sophisticated traffic control. When combined with segment routing, which enables explicit path selection through the network, and digital twins, which simulate network behavior for planning and optimization, these technologies form a powerful foundation for applications with high demands on throughput, reliability, and latency.

Access Control

Following a zero trust approach, AP4 investigates how to strictly maintain least privilege and isolation end to end, from the client, through the network, to the service, while maintaining continuous authentication and easy administration of the system through multi-tenancy. To this end, we examine how network-wide access policies can be enforced all the way from the client to secure access to network services, ensuring that users and their devices can access only the services they need at any given time for their current specific role. This already involves isolation within end devices and isolation of network flows in the network, but also considers firewall configurations. Overall, our approach minimizes the attack surface available to compromised devices or networks. In addition, we aim to better scrutinize the authenticity of communication through continuous authentication based on machine learning of typical user behavior. Beyond that, we investigate how access policies are expressed as natural language intents, making them ready for multi-tenant scenarios, where, for example, local administrators manage part of the policy. As an example use case, we investigate multi-tenant firewalls. Finally, we investigate how to apply privacy-enhancing technologies to provide sender-recipient anonymity even in particularly challenging local area networks where network administration staff have high access, and performance and latency are particularly challenging. Our overall goal is to provide users with automated, secure, and privacy-friendly network access.

Technology Scouting and Research Infrastructure

With Technology Scouting, innovative, new, untested, and still not widely adopted hardware and software technologies are identified and tested for their suitability in enhancing existing network concepts. Given the rapid development cycles in network technology, the project responds flexibly to current advancements. Throughout the entire project duration, the explored topics are regularly adjusted to explore new trends and requirements. Potential topics include the evaluation of novel network interfaces and components featuring specialized programmable packet processors, offloading functions, or specialized ASICs.

Related Projects

The project partners are able to build on extensive experience and successful cooperation from the previous projects bwNET2020+, bwNET100G+, bwNET100G+ Extension and bwNetFlow.

...

Project Members

Our project brings together members from various universities and institutions across Baden-Württemberg, forming a collaborative and dynamic team.

Principal Investigators

  • Prof. Dr. Frank Kargl
  • Prof. Dr. Martina Zitterbart
  • Prof. Dr. Michael Menth
  • Prof. Dr. Oliver Waldhorst

Project Partners

In the bwNET2.0 project, research groups and data center operators work closely together. At each location there are data center employees as well as scientific employees at the participating institutes who are responsible for working on the project. Another employee supports the project directly from BelWü.