Lin Chanting,Wu Chunming,Huang Min,Wen Zhenyu,Zheng Qiuhua

DOI: https://doi.org/10.1109/cc.0.7560881

2016-01-01

China Communications

Abstract:The OpenFlow implementations (SDNs) have been deployed increasingly on varieties of networks in research institutions as well as commercial institutions. To develop an OpenFlow implementation, it is required to understand the performance of the network. A few benchmark tools (e.g., Cbench and OFlops) can be used to measure the network performance, while these tools take considerable time to simulate traffic behaviors and generate the required results, therefore extending the development time. In this paper, we present an analytical model, which is based on stochastic network calculus theory, for evaluating the performance of switch to controller. The previous studies show that stochastic network calculus can provide realistic emulation of real network traffic behaviors. Our model is evaluated by using both simulation tool and realistic testbed. The results show the stochastic network calculus based analysis model can realistically measure the network performance of the end-to-end properties between controller and switch.

Raphaël Ollando,Seung Yeob Shin,Lionel C. Briand

2024-11-13

Abstract:Controllers for software-defined networks (SDNs) are centralised software components that enable advanced network functionalities, such as dynamic traffic engineering and network virtualisation. However, these functionalities increase the complexity of SDN controllers, making thorough testing crucial. SDN controllers are stateful, interacting with multiple network devices through sequences of control messages. Identifying stateful failures in an SDN controller is challenging due to the infinite possible sequences of control messages, which result in an unbounded number of stateful interactions between the controller and network devices. In this article, we propose SeqFuzzSDN, a learning-guided fuzzing method for testing stateful SDN controllers. SeqFuzzSDN aims to (1) efficiently explore the state space of the SDN controller under test, (2) generate effective and diverse tests (i.e., control message sequences) to uncover failures, and (3) infer accurate failure-inducing models that characterise the message sequences leading to failures. In addition, we compare SeqFuzzSDN with three extensions of state-of-the-art (SOTA) methods for fuzzing SDNs. Our findings show that, compared to the extended SOTA methods, SeqFuzzSDN (1) generates more diverse message sequences that lead to failures within the same time budget, and (2) produces more accurate failure-inducing models, significantly outperforming the other extended SOTA methods in terms of sensitivity.

Software Engineering

Jinwoo Kim,Minjae Seo,Eduard Marin,Seungsoo Lee,Jaehyun Nam,Seungwon Shin

DOI: https://doi.org/10.1109/tifs.2024.3402967

IF: 7.231

2024-06-26

IEEE Transactions on Information Forensics and Security

Abstract:Distributed SDN (Software-Defined Networking) controllers have rapidly become an integral element of Wide Area Networks (WAN), particularly within SD-WAN, providing scalability and fault-tolerance for expansive network infrastructures. However, the architecture of these controllers introduces new potential attack surfaces that have thus far received inadequate attention. In response to these concerns, we introduce Ambusher, a testing tool designed to discover vulnerabilities within protocols used in distributed SDN controllers. Ambusher achieves this by leveraging protocol state fuzzing, which systematically finds attack scenarios based on an inferred state machine. Since learning states from a cluster is complicated, Ambusher proposes a novel methodology that extracts a single and relatively simple state machine, achieving efficient state-based fuzzing. Our evaluation of Ambusher, conducted on a real SD-WAN deployment spanning two campus networks and one enterprise network, illustrates its ability to uncover 6 potential vulnerabilities in the widely used distributed controller platform.

computer science, theory & methods,engineering, electrical & electronic

Apoorv Shukla,Said Jawad Saidi,Stefan Schmid,Marco Canini,Thomas Zinner,Anja Feldmann

DOI: https://doi.org/10.1109/TNSM.2019.2955790

2020-05-02

Abstract:The conventional wisdom is that a software-defined network (SDN) operates under the premise that the logically centralized control plane has an accurate representation of the actual data plane state. Unfortunately, bugs, misconfigurations, faults or attacks can introduce inconsistencies that undermine correct operation. Previous work in this area, however, lacks a holistic methodology to tackle this problem and thus, addresses only certain parts of the problem. Yet, the consistency of the overall system is only as good as its least consistent part. Motivated by an analogy of network consistency checking with program testing, we propose to add active probe-based network state fuzzing to our consistency check repertoire. Hereby, our system, PAZZ, combines production traffic with active probes to periodically test if the actual forwarding path and decision elements (on the data plane) correspond to the expected ones (on the control plane). Our insight is that active traffic covers the inconsistency cases beyond the ones identified by passive traffic. PAZZ prototype was built and evaluated on topologies of varying scale and complexity. Our results show that PAZZ requires minimal network resources to detect persistent data plane faults through fuzzing and localize them quickly while outperforming baseline approaches.

Networking and Internet Architecture

Andrea Bianco,Paolo Giaccone,Seyedaidin Kelki,Nicolas Mejia Campos,Stefano Traverso,Tianzhu Zhang

DOI: https://doi.org/10.1109/icc.2017.7997297

2017-01-01

Abstract:The novel “stateful” approach in Software Defined Networking (SDN) provides programmable processing capabilities within the switches to reduce the interaction with the SDN controller and thus improve the scalability and the performance of the network. In our work we consider specifically the stateful extension of OpenFlow that was recently proposed, called Open-State, that allows to program simple state machines in almost-standard OpenFlow switches. We consider a reactive traffic control application that reacts to the traffic flows which are identified in real-time by a generic traffic classification engine. We devise an architecture in which an OpenState-enabled switch sends the minimum number of packets to the traffic classifier, in order to minimize the load on the classifier and improve the scalability of the approach. We design two stateful approaches to minimize the memory occupancy in the flow tables of the switches. Finally, we validate experimentally our solutions and estimate the required memory for the flow tables.

Chen Sun,Jun Bi,Hongxin Hu,Zhilong Zheng

DOI: https://doi.org/10.1109/icnp.2016.7784476

2016-01-01

Abstract:As the de facto data plane technique of Software-Defined Networking (SDN), OpenFlow introduces significant programmability to enable innovative network applications. However, the simple OpenFlow data plane only maintains flow-level counters and lacks an efficient mechanism to manage network-level states, which limits its support for advanced state-aware applications. Regularly pulling whole state information from the data plane to the controller might incur untimely response to important network-level states such as CPU exhaustion, switch overload, etc and cause unnecessary traffic. To address above challenges, we introduce a novel Network-level State Management Architecture (NeSMA) to efficiently support advanced network-level state-aware applications by exploiting the opportunity of SDN central control. The data plane could be configured to check state regularly and report to the controller when triggered by state transitions. We design both sequential and parallel composition methods to deal with complex network-level states in NeSMA. To demonstrate the feasibility of our approach, we implement a software prototype of NeSMA, based on which we develop a data-center flow scheduling application. Experimental results show that NeSMA can process network-level states with low network resource consumption and high scalability without compromising packet forwarding efficiency.

Gereltsetseg Altangerel,Tugsjargal Chuluuntsetseg,Dashdorj Yamkhin

DOI: https://doi.org/10.48550/arXiv.2112.10387

2021-12-20

Abstract:The IP network is time-consuming for configuration and troubleshooting because it requires access to every device command line interface (CLI) or Graphical User Interface (GUI). In other words, the control plane (gathering information to forward data) and data plane (data forwarding plane) are run on every intermediary device. To solve this problem, the software defined network emerged and separated the control plane (done by software) from the data plane (done by hardware) [1]. In addition, the control plane is operated in the central point named the controller. There are many controller software programs in simulation and production network environments. In this paper, we compare three open source controllers called POX, Floodlight and Opendaylight (ODL) in simulation network created by MININET SDN emulation program in terms of TCP and UDP throughput and average Round Trip Time (RTT) of the first packet of the flow in the mesh and tree topology.

Networking and Internet Architecture,Performance

Yuanjun Dai,An Wang,Yang Guo,Songqing Chen

DOI: https://doi.org/10.1145/3559759

IF: 5.3

2023-02-23

ACM Transactions on Internet Technology

Abstract:Distributed denial of service (DDoS) attacks have been prevalent on the Internet for decades. Albeit various defenses, they keep growing in size, frequency, and duration. The new network paradigm, Software-defined networking (SDN), is also vulnerable to DDoS attacks. SDN uses logically centralized control, bringing the advantages in maintaining a global network view and simplifying programmability. When attacks happen, the control path between the switches and their associated controllers may become congested due to their limited capacity. However, the data plane visibility of SDN provides new opportunities to defend against DDoS attacks in the cloud computing environment. To this end, we conduct measurements to evaluate the throughput of the software control agents on some of the hardware switches when they are under attacks. Then, we design a new mechanism, called Scotch , to enable the network to scale up its capability and handle the DDoS attack traffic. In our design, the congestion works as an indicator to trigger the mitigation mechanism. Scotch elastically scales up the control plane capacity by using an Open vSwitch-based overlay. Scotch takes advantage of both the high control plane capacity of a large number of vSwitches and the high data plane capacity of commodity physical switches to increase the SDN network scalability and resiliency under abnormal (e.g., DDoS attacks) traffic surges. We have implemented a prototype and experimentally evaluated Scotch . Our experiments in the small-scale lab environment and large-scale GENI testbed demonstrate that Scotch can elastically scale up the control channel bandwidth upon attacks.

computer science, information systems, software engineering

Gupta, Neelam,Tanwar, Sarvesh,Badotra, Sumit

DOI: https://doi.org/10.1007/s10586-024-04535-y

2024-05-14

Cluster Computing

Abstract:Software-defined networking (SDN) is a new way of designing and managing networks. The central SDN controller serves as the network's brain in the control plane. This paper compares the performance of OpenDayLight (ODL) and Ryu SDN controllers by installing the most stable version of the controllers on a realistic test environment, Mininet, on which several other SDN controllers are built. The sFlow and snort tools have been used to compare the performance of the two controllers for a variety of different workloads. Tests were carried out by launching Distributed Denial of Service (DDoS) attacks on the host, stopping them, and then examining the outcomes. Experimental results show that the ODL controller is more effective than the Ryu controller in dealing with DDoS attacks on the SDN network. DDoS attacks are detected using Mininet analysis and the tools Snort and sFlow. The results also show that both controllers perform better in terms of flow setup latency and load shedding performance compared to the Ryu controller. The ODL controller exceeds the Ryu controller in levels of jitter, and its computational complexity outperforms the Ryu controller in terms of processing power. Based on these test findings, it can be concluded that both controllers perform equally well in terms of jitter and ODL is more reliable than Ryu.

computer science, information systems, theory & methods

Xiangxin Kong,Zhiliang Wang,Xingang Shi,Xia Yin

DOI: https://doi.org/10.1109/ISCC.2013.6755002

2013-01-01

Abstract:Software-defined networking (SDN) is an emerging network architecture and OpenFlow is one of the representative works in SDN. As a possible approach towards future network, it has been introduced into a lot of application scenarios. Although SDN/OpenFlow have a lot of advantages, it is still debatable that whether they can manipulate a significant amount of real-life traffic when they are deployed in a large-scale ISP (Internet Service Provider) network. However, there are few studies of performance evaluation of SDN/OpenFlow system with real-life traffic. In this paper we present OFSim, an event-driven OpenFlow simulator that supports the performance evaluation of OpenFlow system with packet-level real-life traffic traces. We use OFSim to perform evaluations with real-life ISP traffic and experimental results show that: (i) Current OpenFlow switch implementations cannot meet the need of real-life ISP traffic; (ii) Although the issue of controller scalability exists, greater performance bottleneck may be located in the current OpenFlow switches, and the flow table entry installation delay is a more pressing issue. This study can be helpful to better understand the performance bottleneck of OpenFlow system under the scenario in an ISP network.

Xuanbo Huang,Kaiping Xue,Yitao Xing,Dingwen Hu,Ruidong Li,Qibin Sun

DOI: https://doi.org/10.1109/mass50613.2020.00048

2020-01-01

Abstract:The whole Software-Defined Networking (SDN) system might be out of service when the control plane is overloaded by control plane saturation attacks. In this attack, a malicious host can manipulate massive table-miss packets to exhaust the control plane resources. Even though many studies have focused on this problem, systems still suffer from more influenced switches because of centralized mitigation policies, and long recovery delay because of the remaining attack flows. To solve these problems, we propose FSDM, a Fast recovery Saturation attack Detection and Mitigation framework. For detection, FSDM extracts the distribution of Control Channel Occupation Rate (CCOR) to detect the attack and locates the port that attackers come from. For mitigation, with the attacker’s location and distributed Mitigation Agents, FSDM adopts different policies to migrate or block attack flows, which influences fewer switches and protects the control plane from resource exhaustion. Besides, to reduce the system recovery delay, FSDM equips a novel functional module called Force_Checking, which enables the whole system to quickly clean up the remaining attack flows and recovery faster. Finally, we conducted extensive experiments, which show that, with the increasing of attack PPS (Packets Per Second), FSDM only suffers a minor recovery delay increase. Compared with traditional methods without cleaning up remaining flows, FSDM saves more than 81% of ping RTT under attack rate ranged from 1000 to 4000 PPS, and successfully reduced the delay of 87% of HTTP requests time under large attack rate ranged from 5000 to 30000 PPS.

Nhu-Ngoc Dao,Joongheon Kim,Minho Park,Sungrae Cho

DOI: https://doi.org/10.1371/journal.pone.0160375

IF: 3.7

2016-08-05

PLoS ONE

Abstract:The convergent communication network will play an important role as a single platform to unify heterogeneous networks and integrate emerging technologies and existing legacy networks. Although there have been proposed many feasible solutions, they could not become convergent frameworks since they mainly focused on converting functions between various protocols and interfaces in edge networks, and handling functions for multiple services in core networks, e.g., the Multi-protocol Label Switching (MPLS) technique. Software-defined networking (SDN), on the other hand, is expected to be the ideal future for the convergent network since it can provide a controllable, dynamic, and cost-effective network. However, SDN has an original structural vulnerability behind a lot of advantages, which is the centralized control plane. As the brains of the network, a controller manages the whole network, which is attractive to attackers. In this context, we proposes a novel solution called adaptive suspicious prevention (ASP) mechanism to protect the controller from the Denial of Service (DoS) attacks that could incapacitate an SDN. The ASP is integrated with OpenFlow protocol to detect and prevent DoS attacks effectively. Our comprehensive experimental results show that the ASP enhances the resilience of an SDN network against DoS attacks by up to 38%.

Puzhuo Liu,Yaowen Zheng,Zhanwei Song,Dongliang Fang,Shichao Lv,Limin Sun

DOI: https://doi.org/10.1016/j.sysarc.2022.102483

IF: 5.836

2022-06-01

Journal of Systems Architecture

Abstract:Programmable controllers, critical components in Industrial Control Systems (ICS), are the bridge between cyberspace and physical world. With the development of the Industrial Internet of Things (IIoT), they are no longer physically isolated, allowing remote hackers to exploit vulnerabilities to attack them. However, due to the high degree of privatization and the complicated work flow of programmable controllers, the existing work is not suitable for discovering programmable controller vulnerabilities. In our research, we propose a traffic-driven protocol fuzzing approach for programmable controllers. Specifically, we perform proprietary protocol fuzzing on the network daemon by selecting seeds and guiding states of the device. In the fuzzing process, in addition to monitoring the network status, an oscilloscope is also used to automatically monitor the status of underlying control services. The triggering of these vulnerabilities invalidate the control of actuators by programmable controllers and directly affect the physical world. Moreover, it is extremely difficult to recover compromised devices to normal production tasks. We evaluated our prototype on 15 real-world programmable controllers from six popular manufacturers. We found 26 vulnerabilities based on analysis results, 20 of which can directly cause physical control services to crash.

computer science, software engineering, hardware & architecture

P. Golda Jeyasheeli,V. Nahshon Vanahpeter,M. Dhanush Holla

DOI: https://doi.org/10.1007/s11276-024-03660-1

IF: 2.701

2024-02-17

Wireless Networks

Abstract:With the basic principle of separating control and data planes, software defined networking (SDN) has emerged as a promising paradigm. The separation generates a variety of scaling concerns (e.g., higher reaction time, overhead on the controller). As more nodes are connected in the SDN, the routing process becomes tedious. The traditional reactive method of routing provides dynamic link finding through network state information, which leads to high computation overhead on the SDN controller and low link utilization and throughput. The proactive method in the source path routing method (SPRM) simply provides one backup path for routing. But this is not efficient in handling link failures. Our focus is on reducing the memory overhead caused by link failures in the data and control plane, through the proposed modified source path routing model (SPRM) technique. This method also improves the execution time by making the proactive phase compute k paths and allowing the reactive phase to choose an efficient path from the pre-installed k paths, thereby choosing a backup path which is next best efficient for routing. Our simulation studies show an improvement of 22.5% in link utilization and throughput in the presence of link failures for the proposed method.

computer science, information systems,telecommunications,engineering, electrical & electronic

Christopher Metter,Valentin Burger,Zheng Hu,Ke Pei,Florian Wamser

DOI: https://doi.org/10.1109/atnac.2018.8615342

2018-01-01

Abstract:Network monitoring is a complex task and is always a trade-off between granularity of information and the performance impact of the monitoring itself on the network. SDN controllers, such as the ONOS SDN controller make this challenge easier as they can supply centralized information over the whole network. In our previous work, we analyzed the builtin detection mechanism of ONOS and revealed a lack of detection performance and the vulnerability of this process to jitter. These results have also been verified by measurements. In this paper, we present an active probing extension for the ONOS SDN controller that overcomes these shortcomings by emitting probing packets that are transmitted through the network. Packet loss is detected by calculating statistics of a list which contains data from previous packets. The evaluation by the means of measurements proves the benefits in terms of detection performance and controller load of this application. Furthermore, our extension is able to detect jitter in the data plane and to automatically adapt the probing process to these conditions.

Chen Sun,Jun Bi,Haoxian Chen,Hongxin Hu,Zhilong Zheng,Shuyong Zhu,Chenghui Wu

DOI: https://doi.org/10.1109/tnet.2017.2726550

2017-01-01

IEEE/ACM Transactions on Networking

Abstract:As the prevailing technique of software-defined networking (SDN), open flow introduces significant programmability, granularity, and flexibility for many network applications to effectively manage and process network flows. However, open flow only provides a simple "match-action" paradigm and lacks the functionality of stateful forwarding for the SDN data plane, which limits its ability to support advanced network applications. Heavily relying on SDN controllers for all state maintenance incurs both scalability and performance issues. In this paper, we propose a novel stateful data plane architecture (SDPA) for the SDN data plane. A co-processing unit, forwarding processor (FP), is designed for SDN switches to manage state information through new instructions and state tables. We design and implement an extended open flow protocol to support the communication between the controller and FP. To demonstrate the practicality and feasibility of our approach, we implement both software and hardware prototypes of SDPA switches, and develop a sample network function chain with stateful firewall, domain name system (DNS) reflection defense, and heavy hitter detection applications in one SDPA-based switch. Experimental results show that the SDPA architecture can effectively improve the forwarding efficiency with manageable processing overhead for those applications that need stateful forwarding in SDN-based networks.

Dipan Das,Bibhudatta Sahoo,Sharmistha Roy,Sagarika Mohanty

DOI: https://doi.org/10.1080/03772063.2024.2394606

IF: 1.8768

2024-09-01

IETE Journal of Research

Abstract:With the ongoing digital transformation, the requirement for seamless & agile network connectivity has increased. This has necessitated the transformation from traditional networking to Software-Defined Network. With SDN, the network resources/infrastructure can be made more robust and programmable to accommodate the varying demand. Software-Defined Network (SDN) is now being used by data centers, cloud computing environments, and service providers for efficient handling of network requests. The objective of SDN can be achieved through the performance of the controllers. We have considered POX, Ryu, and ODL controllers to evaluate the performance using the Mininet tool and D-ITG (Distributed Internet Traffic Generator) script. Performance is evaluated using custom topology i.e. Fat tree topology. Several performance metrics (such as Delay, Jitter, Bitrate, Packet rate, Loss-burst size, and Percentage of Packets dropped) are considered and the behaviors of the controllers are monitored during experimentation by flooding the switches with several data packets. It has been observed that the POX controller performs better compared to Ryu and ODL for the Fat tree topology. From the experimental results, it is observed that the average delay of ODL is approximately 50% more than the POX controller and approximately 80% more delay occurred in the Ryu controller in comparison to the POX controller. Similarly average packet dropped percentage of POX is 20% less than Ryu and ODL controllers. Also, it has been observed that the average jitter in POX is almost 50% less in comparison to ODL and 90% less in comparison to the Ryu controller.

telecommunications,engineering, electrical & electronic

Zixuan Ma,Yuqi Zhang,Ruibang You,Chen Li

DOI: https://doi.org/10.1109/cscwd57460.2023.10152559

2023-01-01

Abstract:Software-Defined Networking (SDN) decouples the data plane from the control plane, enabling centralized control and open programmability of the network. OpenFlow flow rules are the key carrier for the SDN application to configure and manage the data plane through the control plane, and the processing efficiency of flow rules of the SDN controller in the control plane is critical as it will directly impact the instantaneity of configuring and managing the data plane. Currently, the controller increases the processing efficiency of flow rules by means of multi-threaded parallel processing. However, in the experiments of the widely used SDN controller ONOS, we found a new bottleneck in the parallel processing of flow rules that causes the performance gains from parallelism to be offset. Therefore, in this paper, we locate the bottleneck and analyze its causes through source code analysis and timestamp tests, propose a parallel event queue to resolve the bottleneck, and implement it in ONOS. Experiments show that our improved ONOS effectively resolves the bottleneck problem and achieves an average 3.57x improvement in the processing efficiency of flow rules compared to the original ONOS.

Qi Li,Xiaoyue Zou,Qun Huang,Jing Zheng,Patrick P. C. Lee

DOI: https://doi.org/10.1109/tdsc.2018.2810880

2018-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Like traditional IP networking, the emerging Software-Defined Networking (SDN) technology is vulnerable to sophisticated attacks against packets and their forwarding behaviors. However, existing proposals of packet forwarding verification for IP networking cannot be directly applied to the current SDN deployment due to the limited functionalities and resources in commercial off-the-shelf (COTS) SDN switches. We propose DynaPFV, a dynamic packet forwarding verification mechanism that is capable of detecting various sophisticated attacks against packet forwarding. DynaPFV leverages the controllability of SDN to examine both packets and flow statistics across a network of switches to detect violation of packet integrity and forwarding behaviors. To mitigate the verification overhead, DynaPFV dynamically adjusts the rates of packet sampling and flow statistics collection based on the prior detection results in order to preserve the verification accuracy. Furthermore, DynaPFV makes changes to the SDN controller only, and is directly deployable atop COTS SDN switches without modifications. We conduct theoretical analysis on the trade-off between performance and accuracy in our dynamic verification approach. We further prototype DynaPFV using the open-source Floodlight controller, and evaluate our DynaPFV prototype using Mininet simulations and hardware testbed experiments. DynaPFV achieves over 97 percent of verification accuracy only with less than 5 percent of throughput degradation and less than 10 percent of additional forwarding delays.

Shuyong Zhu,Jun Bi,Chen Sun,Chenghui Wu,Hongxin Hu

DOI: https://doi.org/10.1109/icnp.2015.45

2015-01-01

Abstract:As the prevailing technique of Software-Defined Networking (SDN), OpenFlow introduces significant programmability, granularity and flexibility for many network applications to effectively manage and process network flows. However, OpenFlow only provides a simple "match-action" paradigm and lacks the function of stateful forwarding for SDN data plane, which limits it to support advanced network applications. Heavily relying on SDN controllers for all state maintenance incurs both scalability and performance issues. In this paper, we propose a novel Stateful Data Plane Architecture (SDPA) for SDN data plane. A co-processing unit, Forwarding Processor (FP), is designed for SDN switches to manage state information through new instructions and state tables. We design and implement an extended OpenFlow protocol to implement the communication between the controller and FP. To demonstrate the practicality and feasibility of our approach, we implement both software and hardware prototypes of SDPA switches, and develop a sample network function chain with stateful firewall, DNS reflection attack defense and NAT applications in one SDPA-based switch. Experimental results show that the SDPA architecture can effectively improve the forwarding efficiency with manageable processing overhead for those applications that need stateful forwarding in SDN-based networks.