Xitao Wen,Kai Bu,Bo Yang,Yan Chen,Li Erran Li,Xiaolin Chen,Jianfeng Yang,Xue Leng

DOI: https://doi.org/10.1109/tnet.2017.2686443

2017-01-01

IEEE/ACM Transactions on Networking

Abstract:Software-defined networking (SDN) promises unprecedentedly flexible network management but it is susceptible to forwarding faults. Such faults originate from data-plane rules with missing faults and priority faults. Yet existing fault detection ignores priority faults, because they are not discovered on commercial switches until recently. In this paper, we present RuleScope, a more comprehensive solution for inspecting SDN forwarding. RuleScope offers a series of accurate and efficient algorithms for detecting and troubleshooting rule faults. They inspect forwarding behavior using customized probe packets to exercise data-plane rules. The detection algorithm exposes not only missing faults but also priority faults and the troubleshooting algorithm uncover actual forwarding states of data-plane flow tables. Both of them help track real-time forwarding status and benefit reliable network monitoring. Furthermore, toward fast inspection of dynamic networks, we propose incremental algorithms for rapidly evolving network policies to amortize detection and troubleshooting overhead without sacrificing accuracy. Experiments with our prototype on the Ryu SDN controller and Pica8 P-3297 switch show that the RuleScope achieves accurate fault detection on 320-entry flow tables with a cost of 1500+ probe packets within 16 s.

Kai Bu,Xitao Wen,Bo Yang,Yan Chen,Li Erran Li,Xiaolin Chen

DOI: https://doi.org/10.1109/infocom.2016.7524333

2016-01-01

Abstract:Software-Defined Networking (SDN) promises un-precedentedly flexible network management but it is susceptible to forwarding faults. Such faults originate from data-plane rules with missing faults and priority faults. Yet existing fault detection ignores priority faults because they are not discovered on commercial switches until recently. In this paper, we present RuleScope, a more comprehensive solution for inspecting SDN forwarding. RuleScope offers a series of accurate and efficient algorithms for detecting and troubleshooting rule faults. They inspect forwarding behavior using customized probe packets to exercise data-plane rules. The detection algorithm exposes not only missing faults but also priority faults. Beyond simply detecting rule faults, the troubleshooting algorithms uncover actual data-plane flow tables. They help track real-time forwarding status and benefit reliable network monitoring. We explore various techniques for enhancing algorithm efficiency without sacrificing inspection accuracy. Experiments with our prototype on the Ryu SDN controller and Pica8 P-3297 switch show that RuleScope achieves accurate and efficient forwarding inspection with limited bandwidth and packet-switching overhead.

Kun Qiu,Jing Yuan,Jin Zhao,Xin Wang,Stefano Secci,Xiaoming Fu

DOI: https://doi.org/10.1109/jsac.2019.2894235

IF: 16.4

2019-01-01

IEEE Journal on Selected Areas in Communications

Abstract:With an increasing demand for flexible management in software-defined networks (SDNs), it becomes critical to minimize the network policy update time. Although major SDN controllers are now optimized for rapid network update at the control plane, there is still room for data plane optimization in terms of update time, when using TCAM-based physical SDN commodity-off-the-shelf switches. A slow update directly affects network performance and creates bottlenecks. To minimize the flow entry update time, a dependency graph, a kind of directed acyclic graph (DAG), can be used for the access management of flow entries at the switch. Thanks to the DAG, unnecessary entry movements, which are the main factor slowing down flow entry updates, can be avoided. However, existing algorithms show limitations when updates become very frequent. We propose a new flow entry update algorithm, called FastRule, that exploits a greedy strategy with an efficient data structure to accelerate flow entry update with a DAG approach. Moreover, we also adjust our algorithm for other flow table layouts to make it scalable. We elaborate on the correctness of FastRule and test our algorithm using a hardware switch. Compared with existing algorithms, the evaluation shows that our algorithm is about $100 \times $ faster than state-of-the-art solutions with a flow table of $1k$ size.

Gao Wen,Zhou Boyang,Wu Chunming,Zhou Haifeng,Jiang Ming,Hong Xiaoyan

DOI: https://doi.org/10.1049/cje.2015.07.035

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:In the Software-defined networking（SDN）,when multiple control domains are used in control services,the transient state problem can occur causing the service flow interruption when border switches are updated asynchronously. We analyze the uniqueness of this problem for SDN, and propose a light-weight protocol for safe reconfiguration of the border switches in order to improve the availability of the services running in SDN. Our solution is designed as a generic supervision layer added in the control plane to support different types of services. To demonstrate the benefits, we implement a prototype of Informationcentric networks（ICN） with the protocol, and conduct experiments using Planet Lab. The results show the ICN service can continuously serve high volume requests for contents despite the congestions built by the heavy background traffic. The performance gains in terms of the mean and standard deviation of the content retrieve delay are40.5% and 21.56%.

Kun Qiu,Jing Yuan,Jin Zhao,Xin Wang,Stefano Secci,Xiaoming Fu

DOI: https://doi.org/10.1109/ICDCS.2018.00093

2018-01-01

Abstract:With an increasing demand for flexible management in software-defined networks (SDNs), it becomes critical to minimize the network policy update time. Although major SDN controllers are now optimized for rapid network update at the control plane, there is still room for data plane optimization in terms of update time, when using TCAM-based physical SDN commodity-off-the-shelf switches. A slow update directly affects network performance creating bottlenecks. To minimize flow entry update time, a dependency graph, a kind of DAG (directed acyclic graph), can be used for the access management of flow entries at the switch. Thanks to the DAG, unnecessary entry movements, which are the main factor slowing down flow entry updates, can be avoided. However, existing algorithms show limitations when updates become very frequent. We propose a new flow entry update algorithm, called FastRule, that exploits a greedy strategy with an efficient data structure to accelerate flow entry update with a DAG approach. Moreover, we also adjust our algorithm for other flow table layouts to make it scalable. We elaborate on the correctness of FastRule and test our algorithm using a hardware switch. Compared with existing algorithms, the evaluation shows that our algorithm is about 100x faster than state-of-the-art solutions with a flow table of 1k line size.

Jiangyuan Yao,Zhiliang Wang,Xia Yin,Xingang Shi,Jianping Wu

DOI: https://doi.org/10.1109/ICNP.2014.37

2014-01-01

Abstract:Existing tools for Software-Defined Networking (SDN) data plane testing can be classified into two classes: white box and black-box. For the former, all or part of source codes should be accessed. But for testers outside the manufacturers, the accessing of source code is impossible or very difficult in most cases, especially for hardware devices. For the latter, test cases are manually developed, which cannot ensure the coverage. In this paper, we present a model based black-box systematic testing method for SDN data plane. We propose a new model, Pipelined Extended Finite State Machine (Pi-EFSM), to specify the multiple-level pipeline of SDN data plane. For the Pi-EFSM model, we present a 3-phase systematic test generation approach. By using a hierarchical test generation strategy, the proposed test generation method can alleviate state space explosion to some extent. Our test generation method can achieve the systematic coverage towards the elements of the model. We apply our method in the testing of Open Flow switches (specification version 1.3.0). We build a Pi-EFSM model for Open Flow switches and derive the executable test sequences. Some implementation faults and specification confusions are exposed when we test two switches, Open switch 2.1.0 and CPqD Open Flow 1.3 Software Switch.

Hui Li,Ting Huang,Tong Yang,Wenjun Li,Gong Zhang

DOI: https://doi.org/10.1145/3342280.3342331

2019-01-01

Abstract:To support fast rule updates in SDN, the Open vSwitch uses a variant of Tuple Space Search (TSS) for flow table lookups, which is less efficient than decision trees on packet classifications. In this poster, we present our latest work on building fast flow table engine in Open vSwitch, which achieves high-speed table lookups and fast rule updates simultaneously. By mapping rules into tree nodes dynamically, a very limited TSS-assisted balanced trees can be generated without the trouble of rule replications. Preliminary experimental results show that using ClassBench, our work has comparable update performance to the TSS algorithm in Open vSwitch, while achieving almost an order-of-magnitude improvement on lookup performance over TSS on average.

Shaoke Xi,Kai Bu,Wensen Mao,Xiaoyu Zhang,Kui Ren,Xinxin Ren

DOI: https://doi.org/10.1109/tnet.2022.3194970

2023-01-01

IEEE/ACM Transactions on Networking

Abstract:Reliable Software-Defined Networking (SDN) should mitigate forwarding anomalies due to cross-plane rule inconsistencies. Most existing countermeasures either inject probe packets to infer forwarding correctness or collect packet traces to detect forwarding anomalies. They, however, cannot detect or filter forwarding anomalies for production packets in real time. In this paper, we propose RuleOut as the first attempt to automatically throttle SDN forwarding anomalies. It disambiguates dependent rules via augmenting their matching fields with unique tags. Leveraging source routing, we further bind each packet with the tag sequence corresponding to rules the packet should match. RuleOut thus renders each packet to match at most one rule on each switch. This completely addresses the root cause of forwarding ambiguity. To implement RuleOut, we develop a non-overlapping rule dependency graph, a series of algorithms for incremental rule update and tag generation upon it, and various optimization techniques toward scalability and efficiency. We prototype RuleOut on the Ryu controller and Open vSwitch and evaluate its performance over public rule sets such as Stanford, Internet2, and Airtel1. RuleOut can use tags of only several bits long to disambiguate thousands to millions of rules and generate tags fairly fast within a few milliseconds.

Yu Zhou,Jun Bi,Yunsenxiao Lin,Yangyang Wang,Dai Zhang,Zhaowei Xi,Jiamin Cao,Chen Sun

DOI: https://doi.org/10.1145/3326285.3329040

2019-01-01

Abstract:P4 and programmable data planes bring significant flexibility to network operation but are inevitably prone to various faults. Some faults, like P4 program bugs, can be verified statically, while some faults, like runtime rule faults, only happen to running network devices, and they are hardly possible to handle before deployment. Existing network testing systems can troubleshoot runtime rule faults via injecting probes, but are insufficient for programmable data planes due to large overheads or limited fault coverage. In this paper, we propose P4Tester, a new network testing system for troubleshooting runtime rule faults on programmable data planes. First, P4Tester proposes a new intermediate representation based on Binary Decision Diagram, which enables efficient probe generation for various P4-defined data plane functions. Second, P4Tester offers a new probe model that uses source routing to forward probes. This probe model largely reduces rule fault detection overheads, i.e. requiring only one server to generate probes for large networks and minimizing the number of probes. Moreover, this probe model can test all table rules in a network, achieving full fault coverage. Evaluation based on real-world data sets indicates that P4Tester can efficiently check all rules in programmable data planes, generate 59% fewer probes than ATPG and Pronto, be faster than ATPG by two orders of magnitude, and troubleshoot multiple rule faults within one second on BMv2 and Tofino.

Peng Zhang,Hui Wu,Dan Zhang,Qi Li

DOI: https://doi.org/10.1109/tnet.2020.2977006

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:Software defined networking (SDN) reshapes the ossified network architectures, by decoupling the control plane and data plane. Due to such a decoupling, SDN assumes that rules issued by the control plane are always correctly enforced by the data plane. However, this assumption breaks as an adversary can prevent the data plane from enforcing the rules, by exploiting the vulnerabilities of switch OS and control channel. The serious consequence is that packets may deviate from their original paths, thereby violating critical security policies like access control. To this end, this paper introduces rule enforcement verification (REV), which enables the controller to check whether switches have correctly enforced the rules that it issues. Since using message authentication code (MAC) can incur heavy switch-to-controller traffic, we propose the compressive MAC, which lets switches compress MACs before reporting to the controller, thereby significantly reducing the bandwidth cost. Finally, we propose a heuristic flow selection algorithm, which allows the controller to verify much less flows for rule coverage. We implement REV based on Open vSwitch with DPDK, and use experiments to show: (1) by using compressive MAC, REV achieves a 97% reduction in switch-to-controller traffic, and an $8\times $ increase in verification throughput; (2) by using the heuristic flow selection algorithm, REV can reduce the number of flows to verify by 40%-60%.

Bohan Zhao,Jin Zhao,Xin Wang,Tilman Wolf

DOI: https://doi.org/10.1109/tnsm.2019.2947217

2019-01-01

Abstract:Software-defined networking (SDN) provides flexible network control, which has enabled new, more complex network control mechanisms. These approaches impose high demands on flow updates in OpenFlow switches. Existing SDN controllers and firmware have been optimized for high-speed network updates, but specific switch implementations differ in their behavior. Previous optimization schemes for updates ignore the diversity of instruction types and switch behavior. In this paper, we present RuleTailor, an efficient, measurement-based optimization framework for SDN flow updates, to overcome these limitations. In contrast to other measurement-based optimization frameworks, RuleTailor uses new techniques, such as instruction type transformation, pseudo deletion, and match field distance, which can work in both the control plane and the data plane. Our evaluation shows that RuleTailor achieves a performance of fewer than 12 milliseconds per update in a content-addressable flow table with 1k entries, outperforming the state-of-the-art measurement-based framework, Tango, by a factor of 10.

Lei Wang,Qing Li,Yong Jiang,Yu Wang,Richard Sinnott,Jianping Wu

DOI: https://doi.org/10.1016/j.comnet.2018.07.027

IF: 5.493

2018-01-01

Computer Networks

Abstract:Software Defined Networking (SDN) enables network innovation and brings flexibility by separation of the control and data planes and logically centralized control. However, this network paradigm complicates flow rule management. Current approaches generally install rules reactively after table misses or pre-installs them by flow prediction. Such approaches consume nontrivial network resources during interactions between the controller and switches (especially for maintaining consistency). In this paper, we explore an intelligent rule management scheme (IRMS), which extends the one-big-switch model and employs a hybrid rule management approach. To achieve this, we first transform all rules into path-based and node-based rules. Path-based rules are pre-installed whilst the paths for flows are selected at the edge switches of the network. To maintain consistency of forwarding paths, we update path-based rules as a whole and employ a lazy update policy. Node-based rules are optimally partitioned into disjoint chunks by an intelligent partition algorithm and organized hierarchically in the flow table. In this way, we significantly reduce the interaction cost between the control and data planes. This scheme enforces an efficient sliding window policy to enhance the hit rate for the installed chunks. We evaluate our scheme by comprehensive experiments. The results show that IRMS reduces the total flow entries by more than 71% on average and the update time by over 56%. IRMS also reduces the flow setup requests by more than one order of magnitude.

Qi Li,Yanyu Chen,Patrick P. C. Lee,Mingwei Xu,Kui Ren

DOI: https://doi.org/10.1109/tnet.2018.2853593

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:Software-defined networking (SDN) utilizes a centralized controller to distribute packet processing rules to network switches. However, rules are often generated by the applications developed by different organizations, so they may conflict with each other in data plane and lead to violations with security rules. The problem is similar to firewall conflicts in IP networks. Rule conflict resolution should incur negligible process delay, such that all rules can he correctly and safely enforced in the data plane in real time. However, since SDN allows users to use more than 35 fields to specify rules (including field transition rules), it is much more complicated to prevent enforcement of SDN rules from violating with security rules than to resolve firewall rule violation, and in particular, field transition rules are enforced. Therefore, it is extremely difficult to resolve such rule conflicts in real time before the rules are installed in SDN data plane. In this paper, we investigate the rule conflict problem in SDN and identify new covert channel attacks due to rule conflicts. To the end, we propose the covert channel defender (CCD) that prevents covert channel attacks by verifying and resolving rule conflicts. Specifically, CCD tracks all rule insertion and modification messages from applications running on the controller. It analyzes the correlation among rules based on multiple packet header fields and resolves any identified rule conflict in real time before rule installation. We implement CCD with the Floodlight controller and evaluate its performance with the real-world Stanford topology. We show that CCD can efficiently detect and prevent rule conflicts in the data plane that may raise covert channels within hundreds of microseconds and brings small overhead to the packet delivery.

Yangyang Wang,Jun Bi,Keyao Zhang

DOI: https://doi.org/10.1007/s11432-015-1057-7

2017-01-01

Science China Information Sciences

Abstract:SDN provides an approach to create desired network forwarding plane by programming applications. For a large-scale SDN network comprised of multiple domains and running multiple controller applications, it is difficult to measure and diagnose the problems of flow tables in data plane. Tracing the forwarding path of SDN is one of effective way for data plane state measurement. Previously proposed methods for debugging SDN were applied to a single administrative domain. There is less effort to trace the flow entries of the data plane in large-scale multi-domain SDN networks. In this paper, we propose a method of software defined data plane tracing in large-scale multi-domain SDN networks. Our method can trace forwarding paths, and get the matched flow entries and other customized trace information. We present the designs compatible with OpenFlow 1.0 and 1.3 switches. The performance and deployment effect are evaluated by simulation test and analysis. It shows that our method has better performance than traditional IP traceroute, and its deployment at about 20% of AS nodes can enable 70% of AS paths to be traceable.

Xin Wang,Cheng Wang,Changjun Jiang,Lei Yang,Zhong Li,Xiaobo Zhou

DOI: https://doi.org/10.48550/arXiv.1503.05646

2015-03-19

Abstract:Internet of Vehicles (IoV) has recently gained considerable attentions from both industry and research communities since the development of communication technology and smart city. However, a proprietary and closed way of operating hardwares in network equipments slows down the progress of new services deployment and extension in IoV. Moreover, the tightly coupled control and data planes in traditional networks significantly increase the complexity and cost of network management. By proposing a novel architecture, called Software-Defined Internet of Vehicles (SDIV), we adopt the software-defined network (SDN) architecture to address these problems by leveraging its separation of the control plane from the data plane and a uniform way to configure heterogeneous switches. However, the characteristics of IoV introduce the very challenges in rule installation due to the limited size of Flow Tables at OpenFlow-enabled switches which are the main component of SDN. It is necessary to build compact Flow Tables for the scalability of IoV. Accordingly, we develop a rule optimization approach for real-time query service in SDIV. Specifically, we separate wired data plane from wireless data plane and use multicast address in wireless data plane. Furthermore, we introduce a destination-driven model in wired data plane for reducing the number of rules at switches. Experiments show that our rule optimization strategy reduces the number of rules while keeping the performance of data transmission.

Networking and Internet Architecture

Qing Li,Nanyang Huang,Yong Jiang,Richard O. Sinnott,Mingwei Xu

DOI: https://doi.org/10.1109/ICDCS47774.2020.00077

2020-01-01

Abstract:Data plane programming languages enable administrators of Software-Defined Networks (SDNs) to perform fine-grained flow control by compiling high-level policies into low-level rules and deploying rules in the data plane. However, it is difficult to scale the data plane with the dynamics of network traffic and the limited storage space of switches. In this paper, we propose a lazy OpenFlow Rule Placement (ORP) framework to enforce control polices and scale the SDN data plane by placing and reusing wildcard rules. We provide an offline rule placement scheme to meet performance objectives under real-world constraints. To handle dynamic traffic and perform incremental rule updates, we design an online matching rule deployment algorithm to place rules in polynomial time and prove it to be conditionally-optimal. Furthermore, to address the rule dependency problem during online rule placement, we extend the algorithm to deploy dependent rules and present lightweight heuristics to guarantee the fast reaction to the new flows. Extensive experiments are conducted on diverse network topologies and datasets to show that the lazy ORP framework significantly reduces the storage cost, improves data plane scalability and is flexible enough to accomplish different optimization goals.

Peng Zhang,Shimin Xu,Zuoru Yang,Hao Li,Qi Li,Huanzhao Wang,Chengchen Hu

DOI: https://doi.org/10.1109/icdcs.2018.00085

2018-01-01

Abstract:A crucial requirement for Software Defined Network (SDN) is that data plane forwarding behaviors should always agree with control plane policies. Such requirement cannot be met when there are forwarding anomalies, where packets deviate from the paths specified by the controller. Most anomaly detection methods for SDN install dedicated rules to collect statistics of each flow, and check whether the statistics conform to the flow conservation principle. Such per-flow detection methods have a limited detection scope: they look at one flow each time, thus can only check a limited number of flows simultaneously. In addition, dedicated rules for statistics collection can impose a large overhead on flow tables of SDN switches. To this end, this paper presents FOCES, a network-wide forwarding anomaly detection method in SDN. Different from previous methods, FOCES applies a new kind of flow conservation principle at network wide, and can check forwarding behaviors of all flows in the network simultaneously, without installing any dedicated rules. Experiments show FOCES can achieve a detection precision higher than 90% for four network topologies, even when packet loss rates are as high as 10%.

Qing Li,Kun Zhao,Yong Jiang,Mingwei Xu,Shu-Tao Xia

DOI: https://doi.org/10.1016/j.comnet.2015.09.025

IF: 5.493

2015-01-01

Computer Networks

Abstract:In Software Defined Networks (SDN), the configuration inconsistency during updates is one main source of network instability. Even if the validity of the initial and final configurations is guaranteed, the interim complex and inconstant network states might cause routing conflicts and transmission disruption. Therefore, an efficient updating scheme with configuration consistency is required. Current schemes well guarantee the packet-level consistent update, but perform poorly for the flow-level case. In this paper, we present a Smart Approach of Rule Division (SARD) for fast flow-level consistent update in SDN. We first provide a simplified mathematical model of the network. Based on this model, we then propose SARD to guarantee the flow-level consistency during configuration updates. In SARD, the controller (1) collects the information of existing flows; (2) computes K optimal prefixes covering these flows, meanwhile with the minimized space; (3) installs the new rule and K old sub-rules with lower and higher priorities respectively. SARD preserves the flow-level consistent property and accelerates the process of configuration update in SDN. We evaluate the performance of SARD by comprehensive experiments. The results show that our scheme reduces the transition time to about 10% of the current method of periodical direct division.

Qi Li,Yunpeng Liu,Zhuotao Liu,Peng Zhang,Chunhui Pang

DOI: https://doi.org/10.1109/icc.2016.7510990

IF: 5.3

2021-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Packet forwarding anomaly is an abnormal network state where flows are forwarded along wrong paths. Current practice of forwarding anomaly detection in Software Defined Networks (SDN) is achieved by sending probing packets or analyzing flow statistics. However, these approaches are not effective and efficient. For example, the probing approaches cannot capture all attacks, and the statistics approaches induce high communication overheads since they collect statistics of all flows. In order to address these issues, we propose a novel scheme called FADE. FADE detects forwarding anomalies by accurately analyzing flow statistics of a minimal set of flows. It generates a small number of dedicated flow rules associated with these flows to accurately measure their statistics. Moreover, it controls the installing and timeout of these dedicated flow rules so that all dedicated flow rules generated for the same flow operate on the same set of packets. Therefore, it achieves high efficiency and accuracy in anomaly detection. We prototype FADE and implement it as an application in Opensource controller, Floodlight, and evaluate the performance by Mininet experiments. The experiment results show that FADE can detect almost all forwarding anomalies and only reduces the throughput by 4%.

Kai Bu,Minyu Weng,Junze Bao,Zhenchao Lin,Zhikui Xu

DOI: https://doi.org/10.1109/icdcsw.2016.16

2016-01-01

Abstract:This paper explores a RIGHT framework for reliable policy enforcement in Software-Defined Networking (SDN). Current SDN uses overlapping rules with common matching packets. Even if a packet's expectant rule is inactive, it might hit another rule and experience incorrect yet unnoticed processing. This leads to inconsistency between control plane and data plane, that is, unreliable policy enforcement. RIGHT advocates three adaptations to respectively mitigate, detect, and correct packet processing errors. It is challenging for RIGHT to maintain both accuracy and efficiency. We explore lightweight modifications to current SDN policy enforcement toward better reliability. For example, we decouple rules and priorities through tagging to mitigate matching ambiguity. We also use exact-match rules to efficiently, correctly process packets in the same micro-flow. RIGHT can remedy mis-forwarded packets as well. We expect that a comprehensive design and deployment of RIGHT helps ensure correct per-packet processing in real time for SDN.