Chen Sun,Jun Bi,Haoxian Chen,Hongxin Hu,Zhilong Zheng,Shuyong Zhu,Chenghui Wu

DOI: https://doi.org/10.1109/tnet.2017.2726550

2017-01-01

IEEE/ACM Transactions on Networking

Abstract:As the prevailing technique of software-defined networking (SDN), open flow introduces significant programmability, granularity, and flexibility for many network applications to effectively manage and process network flows. However, open flow only provides a simple "match-action" paradigm and lacks the functionality of stateful forwarding for the SDN data plane, which limits its ability to support advanced network applications. Heavily relying on SDN controllers for all state maintenance incurs both scalability and performance issues. In this paper, we propose a novel stateful data plane architecture (SDPA) for the SDN data plane. A co-processing unit, forwarding processor (FP), is designed for SDN switches to manage state information through new instructions and state tables. We design and implement an extended open flow protocol to support the communication between the controller and FP. To demonstrate the practicality and feasibility of our approach, we implement both software and hardware prototypes of SDPA switches, and develop a sample network function chain with stateful firewall, domain name system (DNS) reflection defense, and heavy hitter detection applications in one SDPA-based switch. Experimental results show that the SDPA architecture can effectively improve the forwarding efficiency with manageable processing overhead for those applications that need stateful forwarding in SDN-based networks.

Jun Bi,Shuyong Zhu,Chen Sun,Guang Yao,Hongxin Hu

DOI: https://doi.org/10.1109/MNET.2016.7474342

IF: 10.294

2016-01-01

IEEE Network

Abstract:A recent trend known as NFV attempts to replace dedicated hardware appliances with generic compute, storage, and network resources. NFV based on SDN can extend programmability and flexibility features of advanced network functions. Many of these network functions, however, need concrete state information to effectively process network flows. However, OpenFlow only provides a simple "match-action" paradigm and lacks the function of stateful processing in the SDN data plane, which limits its support of advanced network functions. Heavily relying on SDN controllers for all state maintenance incurs both scalability and performance issues. In this article, we propose a novel SDPA for the SDN data plane. A co-processing unit, the forwarding processor, is designed for SDN switches to manage state information through new instructions and state tables. We demonstrate the practicality and feasibility of our approach through a proof-of-concept implementation of VNFs, a stateful firewall based on SDPA. Experimental results show that VNFs which need to process state information can be supported well by the SDPA architecture, and the forwarding efficiency is improved.

Shuyong Zhu,Jun Bi,Chen Sun

2014-01-01

Abstract:Software Defined Networking (SDN) is a new network architecture where network control is decoupled from forwarding and is directly programmable. However, existing techniques provide limited support for stateful forwarding in SDN data plane. Relying on the controller for all state maintaining gives rise to scalability and performance issues. In this paper, we present Stateful Forwarding Abstraction (SFA) in SDN data plane. And we design a co-processing unit in SDN switches named Forwarding Processor (FP). It can deal with state information in data plane and its instructions can be flexibly extended to meet application requirements. Through SFA, we implement stateful network processing on the datapath which covers a full range of Layer 4 to Layer 7 services. We validate its performance based on IPsec. The experiment result proves that the forwarding efficiency is greatly improved.

Boyang Zhou,Wen Gao,Chunming Wu,Bin Wang,Ming Jiang,Yansong Wang

DOI: https://doi.org/10.1007/978-3-319-13326-3_39

2014-01-01

Abstract:The Software-Defined Networking (SDN) separates the control plane from the data plane to increase the flexibility. In the data plane, the unavailability of data forwarding is a common problem preventing a switch from configuring a new arrival flow into its flow table. When the burst flows arrived at the switch, the flow table can be consumed, causing the unavailability occurred. However, the problem is more complicated than in Internet due to the limited channel bandwidth for detecting the table usage. Hence, we propose a transparent core layer in the controller. The mechanism of the layer improves the availability in such way, configuring switches adapting to arrival patterns of flows to prevent the resource of switch exceeding its limit. This paper introduces the design and mechanisms of the layer as well as their algorithms. We further use a real flow trace from a Internet core router to evaluate the performance of layer. By emulating on on miniNet-HiFi, the results demonstrate that the layer can smooth the burst flows without making the flow table exceeding its size, without the layer, the switch lost 8% ingress flows. Meanwhile, the control throughput is lowered by 25.8% than before.

Boyang Zhou,Haifeng Zhou,Wen Gao,Xiaoyan Hong,Bin Wang,Chunming Wu

DOI: https://doi.org/10.1109/infcomw.2014.6849221

2014-01-01

Abstract:Software-Defined Networking (SDN) opens the configuring interfaces for the data plane to improve its flexibility[1]. In the data plane, the switches are partitioned into multiple domains. Each domain is dynamically configured by its controller. The domains are physically connected via the border switches. In the control plane, each controller supports multiple services. Each service runs the same control program at multiple controllers in a distributed manner.

Zhuge Bin,Wang Baoxia,Wang Yining,Wu Chunming,Yao Minhui

DOI: https://doi.org/10.11959/j.issn.1000-0801.2015207

2015-01-01

Abstract:Firstly，the concept of SDN applications was proposed from the perspective of users payment for allocating network resources.Secondly，with the comparison between traditional desktop application programming and network programming，the advantage of SDN programming was described.Thirdly，the concept of software defined price （SDP）was introduced.Based on the characteristics of SDN applications，the framework of SDP-based SDN application so as to apply to the OpenDaylight open source project was designed.Finally，an implementation of creating a virtual tenant network based on SDP was showed.The results of experiment present that the users can choose their desired virtual tenant according to the mechanism of SDP.

Gao Wen,Zhou Boyang,Wu Chunming,Zhou Haifeng,Jiang Ming,Hong Xiaoyan

DOI: https://doi.org/10.1049/cje.2015.07.035

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:In the Software-defined networking（SDN）,when multiple control domains are used in control services,the transient state problem can occur causing the service flow interruption when border switches are updated asynchronously. We analyze the uniqueness of this problem for SDN, and propose a light-weight protocol for safe reconfiguration of the border switches in order to improve the availability of the services running in SDN. Our solution is designed as a generic supervision layer added in the control plane to support different types of services. To demonstrate the benefits, we implement a prototype of Informationcentric networks（ICN） with the protocol, and conduct experiments using Planet Lab. The results show the ICN service can continuously serve high volume requests for contents despite the congestions built by the heavy background traffic. The performance gains in terms of the mean and standard deviation of the content retrieve delay are40.5% and 21.56%.

Chen Sun,Jun Bi,Hongxin Hu,Zhilong Zheng

DOI: https://doi.org/10.1109/icnp.2016.7784476

2016-01-01

Abstract:As the de facto data plane technique of Software-Defined Networking (SDN), OpenFlow introduces significant programmability to enable innovative network applications. However, the simple OpenFlow data plane only maintains flow-level counters and lacks an efficient mechanism to manage network-level states, which limits its support for advanced state-aware applications. Regularly pulling whole state information from the data plane to the controller might incur untimely response to important network-level states such as CPU exhaustion, switch overload, etc and cause unnecessary traffic. To address above challenges, we introduce a novel Network-level State Management Architecture (NeSMA) to efficiently support advanced network-level state-aware applications by exploiting the opportunity of SDN central control. The data plane could be configured to check state regularly and report to the controller when triggered by state transitions. We design both sequential and parallel composition methods to deal with complex network-level states in NeSMA. To demonstrate the feasibility of our approach, we implement a software prototype of NeSMA, based on which we develop a data-center flow scheduling application. Experimental results show that NeSMA can process network-level states with low network resource consumption and high scalability without compromising packet forwarding efficiency.

Wenmao LIU,Xiaofeng QIU,Pengcheng CHEN,Xutao WEN,Xinxin HE,Dongsheng WANG,Jun LI

DOI: https://doi.org/10.3778/j.issn.1673-9418.1407061

2015-01-01

Abstract:Current OpenFlow specifications provide limited access to packet details, making it inefficient to deploy security applications. Moreover, current security solutions become less flexible as software defined-networking (SDN) develops. This paper proposes a distributed software-defined security architecture (SDSA), which offloads heavy security processing from SDN controller to a dedicated security controller and security APPs, providing both flow and packet level protections against various attacks in the SDN and virtual environment. This paper gives the global view and knowledge of flows, IaaS assets and devices, which can make accurate decisions and ensures devices to execute security rules instantly. The architecture simplifies security device logic greatly by separating security data and control planes, the detection and protection are automated with standardized control messages, making the secu-rity reaction fast. The experiments demonstrate that SDSA can detect DoS attack, port scan and abnormal high traffic with low cost and little overhead.

Shaofei Tang,Hui Liang,Min Wang,Tingyu Li,Zuqing Zhu

DOI: https://doi.org/10.1109/ICCCN52240.2021.9522342

2021-01-01

Abstract:In this work, we try to combine software-defined networking (SDN), in-band network telemetry (INT), and data analytics to realize a novel closed-loop network automation system. To architect the data plane, we jointly consider P4-based and protocol-oblivious forwarding (POF) based programmable data plane switches (PDP-SWs) to build a generic programmable data plane (G-PDP), such that the two types of PDP-SWs can benefit each other mutually to overcome their own drawbacks. In the control plane, we expand ONOS to ensure that it can effectively manage the PDP-SWs in the G-PDP. We also design and implement data analyzers (DAs) in its data analytics subsystem, and deploy them distributedly in the G-PDP to alleviate the burden of data processing in the control plane. Our proposal is demonstrated experimentally with a network system prototype that consists of six PDP-SWs, and the results confirm that it can realize closed-loop network automation effectively and balance the tradeoff between flexibility and performance properly.

Kai Bu,Kaiwen Zhu,Yi Zheng,Yuanyuan Yang,Yutian Yang,Linfeng Cheng

DOI: https://doi.org/10.1016/j.comnet.2018.10.006

IF: 5.493

2018-01-01

Computer Networks

Abstract:Software-Defined Networking (SDN) has greatly boosted the productivity of data center networking and cloud computing. It introduces a central controller to take over most functions that otherwise reside in distributed forwarding devices. Such a centralized design, however, tends to make the control channel a bottleneck due to bandwidth fatigue. Only when this bottleneck is addressed can SDN greater benefit networking and computing infrastructures. Existing work saves control channel bandwidth at the expense of losing flow visibility. This paper designs and implements FastLane, a framework for bandwidth-efficient yet throughput-boosting SDN flow setup without sacrificing global flow visibility. FastLane informs only one on-path switch of a flow’s forwarding path while switches themselves cooperate to complete flow setup. FastLane thus keeps minimum traffic for flow setup in the control channel and leaves the rest to the data plane. We optimize the switch selection toward minimizing flow setup latency. To leverage the saved bandwidth for setting up more flows and therefore achieving higher throughput, we propose delegating certain flow setups from ingress to en-route switches. We prototype FastLane by modifying FloodLight controller and Open vSwitch. The results demonstrate FastLane’s benefits to higher SDN throughput with limited switching fabric overhead.

Quanying Sun,Yuhan Xue,Shengru Li,Zuqing Zhu

DOI: https://doi.org/10.1109/access.2017.2767640

IF: 3.9

2017-01-01

IEEE Access

Abstract:Software-defined networking (SDN) is a promising technology that can resolve the challenges faced by vehicular networks. However, the OpenFlow-based SDN implementations can only provide a protocol-dependent data plane. This can restrict the effectiveness of software-defined vehicular networks, since special-purpose protocols that have not been standardized in OpenFlow specifications are used frequently in vehicular networks. To address this issue, this paper studies how to realize a protocol independent data plane by leveraging the protocol oblivious forwarding (POF). Specifically, we present the design of a software-based POF switch (PVS) that supports runtime protocol customization in principle. We implement PVS in a switch box, and propose a flow table management scheme to ensure high-throughput packet forwarding. The experimental results verify that PVS can achieve line-rate packet forwarding at 10 Gbps when the packets' size is 512 B, and the proposed flow table management scheme is effective.

Liang Xie,Zhifeng Zhao,Yifan Zhou,Gang Wang,Qianlan Ying,Honggang Zhang

DOI: https://doi.org/10.1109/wcsp.2014.6992181

2014-01-01

Abstract:Software Defined Network (SDN) is undergoing an increasingly high popularity among various schemes of networking deployment. The main advantage of SDN lies in its flexibility in controlling network traffic, which arises from decoupling the control plane and the data plane of network devices. However, despite of the valuable merits of SDN, the outage of data forwarding should not be ignored. The drawback mainly results from the length limitation of switch flow tables, the congestion between controllers and switches, and the deficiency of the controller capacity, which are all closely related to the timeout mechanism of flow table. In our study, the deficiency of SDN system will be analyzed explicitly. Moreover, we propose an adaptive control mechanism aiming at optimizing the idle timeout reset of flow tables and cooperation between controllers and switches. Our mechanism achieves higher matching ratio of flow tables as well as alleviates the congestion in the control channel, enabling more fluent data forwarding in SDN.

Wonkyu Han,Hongxin Hu,Ziming Zhao,Adam Doupé,Gail-Joon Ahn,Kuang-Ching Wang,Juan Deng

DOI: https://doi.org/10.1145/2914642.2914643

2016-01-01

Abstract:OpenFlow, as the prevailing technique for Software-Defined Networks (SDNs), introduces significant programmability, granularity, and flexibility for many network applications to effectively manage and process network flows. However, because OpenFlow attempts to keep the SDN data plane simple and efficient, it focuses solely on L2/L3 network transport and consequently lacks the fundamental ability of stateful forwarding for the data plane. Also, OpenFlow provides a very limited access to connection-level information in the SDN controller. In particular, for any network access management applications on SDNs that require comprehensive network state information, these inherent limitations of OpenFlow pose significant challenges in supporting network services. To address these challenges, we propose an innovative connection tracking framework called STATEMON that introduces a global state-awareness to provide better access control in SDNs. STATEMON is based on a lightweight extension of OpenFlow for programming the stateful SDN data plane, while keeping the underlying network devices as simple as possible. To demonstrate the practicality and feasibility of STATEMON, we implement and evaluate a stateful network firewall and port knocking applications for SDNs, using the APIs provided by STATEMON. Our evaluations show that STATEMON introduces minimal message exchanges for monitoring active connections in SDNs with manageable overhead (3.27% throughput degradation).

Qi Li,Xiaoyue Zou,Qun Huang,Jing Zheng,Patrick P. C. Lee

DOI: https://doi.org/10.1109/tdsc.2018.2810880

2018-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Like traditional IP networking, the emerging Software-Defined Networking (SDN) technology is vulnerable to sophisticated attacks against packets and their forwarding behaviors. However, existing proposals of packet forwarding verification for IP networking cannot be directly applied to the current SDN deployment due to the limited functionalities and resources in commercial off-the-shelf (COTS) SDN switches. We propose DynaPFV, a dynamic packet forwarding verification mechanism that is capable of detecting various sophisticated attacks against packet forwarding. DynaPFV leverages the controllability of SDN to examine both packets and flow statistics across a network of switches to detect violation of packet integrity and forwarding behaviors. To mitigate the verification overhead, DynaPFV dynamically adjusts the rates of packet sampling and flow statistics collection based on the prior detection results in order to preserve the verification accuracy. Furthermore, DynaPFV makes changes to the SDN controller only, and is directly deployable atop COTS SDN switches without modifications. We conduct theoretical analysis on the trade-off between performance and accuracy in our dynamic verification approach. We further prototype DynaPFV using the open-source Floodlight controller, and evaluate our DynaPFV prototype using Mininet simulations and hardware testbed experiments. DynaPFV achieves over 97 percent of verification accuracy only with less than 5 percent of throughput degradation and less than 10 percent of additional forwarding delays.

Daoyun Hu,Shengru Li,Huibai Huang,Wenjian Fang,Zuqing Zhu

DOI: https://doi.org/10.1109/access.2016.2600619

IF: 3.9

2016-01-01

IEEE Access

Abstract:It is known that software-defined networking (SDN) can support effective traffic engineering (TE) with the global view of networks. Hence, OpenFlow was used to realize flow-based TE. However, there is a tradeoff between the volume of installed flow entries and the granularity of TE. Moreover, the protocol-dependent nature of OpenFlow might limit the flexibility and adaptivity of TE. In this paper, we leverage the protocol-oblivious forwarding technology that can make each switch work as a protocol-independent white box and utilize its forwarding plane programmability to design a novel flexible flow converging (F-FC) scheme for realizing SDN-based fine-grained TE. Specifically, we design both the network system and the F-FC algorithms running on it and conduct experiments to demonstrate that our proposed scheme can not only reduce the volume of installed flow entries in switches but also realize fine-grained TE to achieve better utilization on network bandwidth.

Zhang Peng,Chen Xiangning,Ge Yun,Jin Lin

DOI: https://doi.org/10.1049/cje.2016.06.004

IF: 1.019

2016-01-01

Chinese Journal of Electronics

Abstract:After studying the routing and forwarding process of network stream and the implementation of SDN, we propose a retractable management model for flow table. A structure with parallel tables and synthesis processing is proposed according to the feature of SDN and traditional network. The parallel tables share the same storage resources. Thanks to the separation of data plane and control plane, control plane owns more computing resources than traditional device. It evaluates the role of nodes and the action of network flows, makes adjustment according to the historical and current information and streamlines flow tables by consolidating and simplifying old flow entries. Through simulation, it is proved that the realized method can defend offensive traffic while ensuring the safety of accessing and forwarding, especially existing blocking attack.

Gao Shang,Peng Zhe,Xiao Bin,Hu Aiqun,Ren Kui

DOI: https://doi.org/10.1109/infocom.2017.8057009

2017-01-01

Abstract:The separated control and data planes in software-defined networking (SDN) with high programmability introduce a more flexible way to manage and control network traffic. However, SDN will experience long packet delay and high packet loss rate when the communication link between two planes is jammed by SDN-aimed DoS attacks with massive table-miss packets. In this paper, we propose FloodDefender, an efficient and protocol-independent defense framework for SDN/OpenFlow networks to mitigate DoS attacks. It stands between the controller platform and other controller apps, and can protect both the data and control plane resources by leveraging three new techniques: table-miss engineering to prevent the communication bandwidth from being exhausted; packet filter to identify attack traffic and save computational resources of the control plane; and flow rule management to eliminate most of useless flow entries in the switch flow table. All designs of FloodDefender conform to the OpenFlow policy, requiring no additional devices. We implement a prototype of FloodDefender and evaluate its performance in both software and hardware environments. Experimental results show that FloodDefender can efficiently mitigate the SDN-aimed DoS attacks, incurring less than 0.5% CPU computation to handle attack traffic, only 18ms packet delay and 5% packet loss rate under attacks.

Andrea Bianco,Paolo Giaccone,Seyedaidin Kelki,Nicolas Mejia Campos,Stefano Traverso,Tianzhu Zhang

DOI: https://doi.org/10.1109/icc.2017.7997297

2017-01-01

Abstract:The novel “stateful” approach in Software Defined Networking (SDN) provides programmable processing capabilities within the switches to reduce the interaction with the SDN controller and thus improve the scalability and the performance of the network. In our work we consider specifically the stateful extension of OpenFlow that was recently proposed, called Open-State, that allows to program simple state machines in almost-standard OpenFlow switches. We consider a reactive traffic control application that reacts to the traffic flows which are identified in real-time by a generic traffic classification engine. We devise an architecture in which an OpenState-enabled switch sends the minimum number of packets to the traffic classifier, in order to minimize the load on the classifier and improve the scalability of the approach. We design two stateful approaches to minimize the memory occupancy in the flow tables of the switches. Finally, we validate experimentally our solutions and estimate the required memory for the flow tables.

Menghao Zhang,Guanyu Li,Lei Xu,Jiasong Bai,Mingwei Xu,Guofei Gu,Jianping Wu

DOI: https://doi.org/10.1109/tnet.2020.3040773

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:Software-Defined Networking (SDN) continues to be deployed spanning from enterprise data centers to cloud computing with the proliferation of various SDN-enabled hardware switches and dynamic control plane applications. However, state-of-the-art SDN-enabled hardware switches have rather limited downlink message processing capability, especially for Flow-Mod and Statistic Query, which may not suffice the huge need of dynamic control plane applications. In this paper, we systematically study the interactions between the control plane applications and the data plane switches, and present two new attacks, namely Control Plane Reflection Attacks, to exploit the limited processing capability of SDN-enabled hardware switches. The reflection attacks adopt direct and indirect data plane events to force the control plane to issue massive expensive downlink messages towards SDN switches. Moreover, we propose a two-phase probing-triggering attack strategy, which makes the reflection attacks much more efficient and powerful. Experiments on a testbed with 3 different physical OpenFlow switches demonstrate that the attacks can lead to catastrophic results such as hurting the establishment of new flows and even disruption of connection between SDN controller and switches. To mitigate such attacks, we present several countermeasures from different perspectives. In particular, we propose a novel, systematical defense framework, SwitchGuard, to detect anomalies of downlink messages and prioritize these messages based on a novel monitoring granularity, i.e., host-application pair (HAP). Implementations and evaluations demonstrate that SwitchGuard can effectively reduce the latency for legitimate hosts and applications under the control plane reflection attacks with only minor overheads.