Yi Shen,Chunming Wu,Dezhang Kong,Qiumei Cheng

DOI: https://doi.org/10.3390/app13127210

2023-01-01

Applied Sciences

Abstract:Software-defined networking (SDN) enables dynamic management and flexible network control by employing reactive rule installation. Due to high power consumption and cost, current OpenFlow switches only support a limited number of flow rules, which is a major limitation for deploying massive fine-grained policies. This bottleneck can be exploited by attackers to launch saturation attacks to overflow the flow table. Moreover, flow table overflow can occur in the absence of malicious attackers. To cope with this, researchers have developed many proposals to relieve the load under benign conditions. Among them, the dynamic timeout mechanism is one of the most effective solutions. We notice that when the SDN controller adopts dynamic timeouts, existing flow table saturation attacks can fail, or even expose the attackers, due to inaccurate inferring results. In this paper, we extract the common features of dynamic timeout strategies and propose an advanced flow table saturation attack. We explore the definition of flow rule lifetime and use a timing-based side-channel to infer the timeout of flow rules. Moreover, we leverage the dynamic timeout mechanisms to proactively interfere with the decision of timeout values and perform an attack. We conduct extensive experiments in various settings to demonstrate its effectiveness. We also notice that some replacement strategies work differently when the controller assigns dynamic timeouts. The experiment results show that the attack can incur significant network performance degradation and carry out the attack in a stealthy manner.

Yi Shen,Chunming Wu,Qiumei Cheng,Dezhang Kong

DOI: https://doi.org/10.1109/hpcc-smartcity-dss50907.2020.00122

2020-01-01

Abstract:Software-Defined Networking (SDN) is an emerging network platform, which decouples the control and data planes. As the most popular southbound protocol and standard, OpenFlow converts network forwarding policies to rule entries and stores them in the flow table. However, the capacity of the flow table is restricted, which can lead to table-overflow if the space is inefficiently used. In this paper, we propose an adaptive flow table management scheme (AFTM) on the control plane, which combines assigning dynamic timeout and proactive eviction to manage the limited flow table resources. The timeout assignment module and the proactive eviction module are not independent parts but work collaboratively. The timeout assignment module sets suitable timeouts for rule entries according to flow characteristics, so that entries of short-lived flows are quickly removed while entries of flows with large packet intervals are retained. When the table space is insufficient, the proactive eviction module removes rule entries to protect the flow table from table-overflow. In our design, the eviction thresholds and parameters in both modules can be adaptively adjusted according to the network load. Experimental results show that AFTM can effectively manage the flow table resource and reduce the number of packet drop rates by up to 81% compared with existing schemes.

Li Qing,Huang Nanyang,Wang Dingmin,Li Xiaowen,Jiang Yong,Song Zhendong

DOI: https://doi.org/10.1109/TNSM.2018.2890754

2019-01-01

IEEE Transactions on Network and Service Management

Abstract:Software-defined networking (SDN) has enabled flexible control over the network by leveraging data plane programming languages such as OpenFlow. However, this fine-grained control is potentially at odds with data plane performance due to the high storage load and limited flow table space of SDN switches. Wildcard rules and timeout mechanisms are the main approaches to relieve the load. However, wildcard rules introduce the rule dependency problem, which poses obstacles to preserve the semantics of network policies and design the timeout mechanism. Therefore, exploiting the limited flow table effectively as well as designing a safe timeout mechanism become the main challenge. In this paper, we propose HQTimer: a hybrid Q-learning-based timeout mechanism in SDN. HQTimer employs a hybrid timeout mechanism and a Q-learning-based adaptation logic. HQTimer is safe, as its timeout mechanism ensures the forwarding logic is not violated by the rule dependency problem. HQTimer is adaptive, as it assigns different timeout values to different rules according to the traffic dynamics and the data plane performance based on Q-learning. The extensive experiments based on real and synthetic workloads show that HQTimer achieves both a higher table-hit rate and a lower overflow number compared with existing timeout mechanisms. Specifically, in contrast to a well-tuned, static idle timeout mechanism, HQTimer improves the table-hit rate from 97.6% to 99.4% while decreasing the overflow number by 83.8%. © 2018 IEEE.

Qing Li,Nanyang Huang,Dingmin Wang,Xiaowen Li,Yong Jiang,Zhendong Song

DOI: https://doi.org/10.1109/TNSM.2018.2890754

2019-01-01

IEEE Transactions on Network and Service Management

Abstract:Software-defined networking (SDN) has enabled flexible control over the network by leveraging data plane programming languages such as OpenFlow. However, this fine-grained control is potentially at odds with data plane performance due to the high storage load and limited flow table space of SDN switches. Wildcard rules and timeout mechanisms are the main approaches to relieve the load. However, wildcard rules introduce the rule dependency problem, which poses obstacles to preserve the semantics of network policies and design the timeout mechanism. Therefore, exploiting the limited flow table effectively as well as designing a safe timeout mechanism become the main challenge. In this paper, we propose HQTimer: a hybrid <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">${Q}$ </tex-math></inline-formula> -learning-based timeout mechanism in SDN. HQTimer employs a hybrid timeout mechanism and a <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">${Q}$ </tex-math></inline-formula> -learning-based adaptation logic. HQTimer is safe, as its timeout mechanism ensures the forwarding logic is not violated by the rule dependency problem. HQTimer is adaptive, as it assigns different timeout values to different rules according to the traffic dynamics and the data plane performance based on <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">${Q}$ </tex-math></inline-formula> -learning. The extensive experiments based on real and synthetic workloads show that HQTimer achieves both a higher table-hit rate and a lower overflow number compared with existing timeout mechanisms. Specifically, in contrast to a well-tuned, static idle timeout mechanism, HQTimer improves the table-hit rate from 97.6% to 99.4% while decreasing the overflow number by 83.8%.

Gao Wen,Zhou Boyang,Wu Chunming,Zhou Haifeng,Jiang Ming,Hong Xiaoyan

DOI: https://doi.org/10.1049/cje.2015.07.035

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:In the Software-defined networking（SDN）,when multiple control domains are used in control services,the transient state problem can occur causing the service flow interruption when border switches are updated asynchronously. We analyze the uniqueness of this problem for SDN, and propose a light-weight protocol for safe reconfiguration of the border switches in order to improve the availability of the services running in SDN. Our solution is designed as a generic supervision layer added in the control plane to support different types of services. To demonstrate the benefits, we implement a prototype of Informationcentric networks（ICN） with the protocol, and conduct experiments using Planet Lab. The results show the ICN service can continuously serve high volume requests for contents despite the congestions built by the heavy background traffic. The performance gains in terms of the mean and standard deviation of the content retrieve delay are40.5% and 21.56%.

Jinyuan Zhang,Xuanbo Huang,Jian Li,Kaiping Xue,Qibin Sun,Jun Lu

DOI: https://doi.org/10.1109/hpsr54439.2022.9831366

2022-01-01

Abstract:In Software-Defined Networking (SDN), the controllers implement flexible and scalability networking policies by installing different flow rules. Each rule matches a specific class of flows, instructs the switches to execute actions, and then expires when they finish their tasks. OpenFlow introduces the timeout mechanism to manage these flow rules. However, finding a reasonable timeout value becomes a difficult problem for the network managers. When a relatively small timeout value is given to an elephant flow, the rule expires early, introducing extra cost for the controller and long latency for the matching flow, respectively. On the contrary, a large timeout value for a mice flow makes a rule occupy the switch memory too long, wasting the caching memory and causing the flow table prone to overflow. Therefore, it is necessary to allocate appropriate timeouts for different flows dynamically. In this paper, we achieve this goal with real-time traffic monitoring and heuristic algorithms. By considering different network loads and designing corresponding dynamic timeout algorithms for different scenarios, we make full use of the advantages of SDN to improve the utilization rate of the switch memory and save the controller resources. Further, we implement our scheme in a simulation SDN platform and evaluate the algorithms with the public datasets. Experiments show that our scheme has low control overhead and is memory efficient compared with current mechanisms.

Xianfeng Li,Yan Huang

DOI: https://doi.org/10.1109/HPCC/SmartCity/DSS.2019.00248

2019-01-01

Abstract:In Software-Defined Network (SDN), OpenFlow implements fine-grained network policy by installing rules in the switch flow table. Limited by memory capacity, inactive flows have to be evicted from the flow table to make room for newer flows. Currently, OpenFlow uses the fixed timeout mechanism to manage the flow table. This may result in poor utilization of the flow table. In this paper, driven by an in-depth analysis on network traffic characteristics, we propose a novel flow table architecture with two-stage timeout mechanism to better identify and keep useful flow entries. First, each flow rule is installed into the primary table with a timeout calculated by the SDN controller. Each flow rule in the primary table is expected to be hit by a packet within its timeout, and then renew its timeout to receive more packets. Upon violation of this expectation, a timeout will expire, and the flow will be shelved onto the Inactive Flow Queue (IFQ). The IFQ provides a second chance for a flow to be promoted back to the primary table if a packet of this flow arrives before its eviction from the IFQ. With this design, this two-stage flow table keeps retiring the most useless flows. In particular, it enables shortlived flows to be evicted as soon as possible to avoid waste of flow table resources, and enables active flows to be better retained with the help of the IFQ. Experimental results using real network packet traces show 60% higher hit ratio than current OpenFlow with the same overall table size.

Huikang Zhu,Hongbo Fan,Xuan Luo,Yaohui Jin

DOI: https://doi.org/10.1109/INM.2015.7140363

2015-01-01

Abstract:Software Defined Networks (SDN) such as OpenFlow provides better network management for data center by decoupling control plane from data plane. Current OpenFlow controllers install flow rules with a fixed timeout after which the switch automatically removes the rules from its flow table. However, this fixed timeout has shown many disadvantages. For flows with short packet interval, the timeout may be too large so that flow rules stay in the flow table for too long time and result in unnecessary occupation of flow table; for flows with long packet interval or periodic flows, the timeout may be too short, hence producing too many packet-in events and causing overload on the controller. In this paper, we propose the Intelligent Timeout Master, which can assign suitable timeout to different flows according to their characteristics, as well as conduct a feedback control to adjust the max timeout value according to the current flow table occupation, in an effort to avoid flow table overflow. In our experiments, we use real traffic trace and the result confirms that our Intelligent Timeout Master performs quite well in reducing the number of packet-in events as well as flow table occupation.

Lei Wang,Qing Li,Yong Jiang,Yu Wang,Richard Sinnott,Jianping Wu

DOI: https://doi.org/10.1016/j.comnet.2018.07.027

IF: 5.493

2018-01-01

Computer Networks

Abstract:Software Defined Networking (SDN) enables network innovation and brings flexibility by separation of the control and data planes and logically centralized control. However, this network paradigm complicates flow rule management. Current approaches generally install rules reactively after table misses or pre-installs them by flow prediction. Such approaches consume nontrivial network resources during interactions between the controller and switches (especially for maintaining consistency). In this paper, we explore an intelligent rule management scheme (IRMS), which extends the one-big-switch model and employs a hybrid rule management approach. To achieve this, we first transform all rules into path-based and node-based rules. Path-based rules are pre-installed whilst the paths for flows are selected at the edge switches of the network. To maintain consistency of forwarding paths, we update path-based rules as a whole and employ a lazy update policy. Node-based rules are optimally partitioned into disjoint chunks by an intelligent partition algorithm and organized hierarchically in the flow table. In this way, we significantly reduce the interaction cost between the control and data planes. This scheme enforces an efficient sliding window policy to enhance the hit rate for the installed chunks. We evaluate our scheme by comprehensive experiments. The results show that IRMS reduces the total flow entries by more than 71% on average and the update time by over 56%. IRMS also reduces the flow setup requests by more than one order of magnitude.

Liang Xie,Zhifeng Zhao,Yifan Zhou,Gang Wang,Qianlan Ying,Honggang Zhang

DOI: https://doi.org/10.1109/wcsp.2014.6992181

2014-01-01

Abstract:Software Defined Network (SDN) is undergoing an increasingly high popularity among various schemes of networking deployment. The main advantage of SDN lies in its flexibility in controlling network traffic, which arises from decoupling the control plane and the data plane of network devices. However, despite of the valuable merits of SDN, the outage of data forwarding should not be ignored. The drawback mainly results from the length limitation of switch flow tables, the congestion between controllers and switches, and the deficiency of the controller capacity, which are all closely related to the timeout mechanism of flow table. In our study, the deficiency of SDN system will be analyzed explicitly. Moreover, we propose an adaptive control mechanism aiming at optimizing the idle timeout reset of flow tables and cooperation between controllers and switches. Our mechanism achieves higher matching ratio of flow tables as well as alleviates the congestion in the control channel, enabling more fluent data forwarding in SDN.

Nathan Harris,Sajad Khorsandroo

DOI: https://doi.org/10.1007/s10922-024-09815-x

2024-03-23

Journal of Network and Systems Management

Abstract:OpenFlow-compliant commodity switches face challenges in efficiently managing flow rules due to the limited capacity of expensive high-speed memories used to store them. The accumulation of inactive flows can disrupt ongoing communication, necessitating an optimized approach to flow rule timeouts. This paper proposes Delayed Dynamic Timeout (DDT), a Reinforcement Learning-based approach to dynamically adjust flow rule timeouts and enhance the utilization of a switch's flow table(s) for improved efficiency. Despite the dynamic nature of network traffic, our DDT algorithm leverages advancements in Reinforcement Learning algorithms to adapt and achieve flow-specific optimization objectives. The evaluation results demonstrate that DDT outperforms static timeout values in terms of both flow rule match rate and flow rule activity. By continuously adapting to changing network conditions, DDT showcases the potential of Reinforcement Learning algorithms to effectively optimize flow rule management. This research contributes to the advancement of flow rule optimization techniques and highlights the feasibility of applying Reinforcement Learning in the context of SDN.

computer science, information systems,telecommunications

Xiang-yang ZHU,Bing CHEN

DOI: https://doi.org/10.3969/j.issn.1673-629X.2016.12.003

2017-01-01

Abstract:The timeout mechanism and capacity limitation of flow table in OpenFlow switches,together with the traffic characteristics in data centers,have brought scalability problems in the application of Software-Defined Network ( SDN) . Due to the frequent and repeat-able routing request invocations by mice flows and flow table timeouts,the SDN control plane and OpenFlow secure channel will become the performance bottleneck of whole SDN architecture,and thus cannot provide QoS guaranteed services according to network resources and business requests. Two improvement measures are put forward from two aspects. The switches are configured with destination address oriented wildcard flow table entries for mice flows,making that most of mice flows are handled by forwarding plane directly without ask-ing control plane. A dynamic-index hash cache layer is added between the control plane and the forwarding plane,and flow table entries will be put into the cache layer when they are evicted from flow table because of timeout or other reasons,which can avoid repeatable rou-ting calculations. Experimental results show that wildcard flow table entries can effectively reduce the network delay and the number of flow table entries,and the cache strategy proposed has higher hit rate and looking up speed.

Junjie Xie,Deke Guo,Xiaozhou Li,Yulong Shen,Xiaohong Jiang

DOI: https://doi.org/10.1109/jsac.2018.2815358

IF: 16.4

2018-01-01

IEEE Journal on Selected Areas in Communications

Abstract:To enable the network softwarization, network function virtualization (NFV) and software defined networking (SDN) are integrated to jointly manage and utilize the network resource and virtualized network functions (VNFs). For a network flow resulting from any NFV application, an associated switch would send a routing request to the controller in SDN. The controller then generates and configures a routing path to dynamically steer the flow across appropriate VNFs or service function chains. This process, however, exhibits a skew distribution of response latency with a long tail. Cutting the long-tail latency of response is critical to enable the network softwarization, yet difficult to achieve due to many factors, such as the limited capacities and the load imbalance among controllers. In this paper, we reveal that such flow requests still experience the long-tail response latency, even using the up-to-date controller-to-switch assignment mechanism. To tackle this essential problem, we first propose a light-weight and load-aware switch-to-controller selection scheme to cut the long-tail response latency under the simple scenario of homogeneous controllers, and then design a general delay-aware switch-to-controller selection scheme to fundamentally cut the long-tail response latency for the more complicated heterogeneous controller scenario with performance fluctuations. The comprehensive evaluations indicate that our two new switch-to-controller selection schemes can significantly reduce the long-tail latency and provide higher system throughput.

Pengzhan Wang,Liusheng Huang,Hongli Xu,Bing Leng,Hansong Guo

DOI: https://doi.org/10.1109/glocom.2014.7417386

2014-01-01

Abstract:Software Defined Network (SDN) is facilitating rapid innovation of network by providing a programmable network infrastructure. However, managing SDN flow rules, especially among multiple modules and administrators, has become complex and error-prone. Different controller modules with diverse objectives may be installed on the SDN controller, which can lead to anomalies among policies and rules. In this paper, we propose ADRS(Anomaly Detecting and Resolving for SDN) to solve this problem. Firstly, we analyse the rule-level anomalies that may occur in SDN based on OpenFlow protocol. Then we present an interval tree model for rapid rule scanning and a share model for network privilege allocating. By applying these models, we provide an automatic algorithm to detect and resolve the anomalies among SDN modules. Moreover, a rule-recovery mechanism is presented to avoid modification faults. We also implement and evaluate our system in the OpenDayLight controller.

Rui Li,Yu Pang,Jin Zhao,Xin Wang

DOI: https://doi.org/10.1145/3337821.3337896

2019-01-01

Abstract:Software Defined Networking (SDN) enables flexible flow control by deploying fine-grained rules in OpenFlow switches. Modern commodity switches usually use TCAM to store these rules and perform high-speed parallel lookups. Though efficient, the TCAM capacity is limited because TCAM is expensive in cost and power-hungry. The explosive growth in the number of rules has exacerbated the limitation of TCAM. There have been considerable efforts in implementing hybrid flow tables with both TCAM and RAM, where the high-speed TCAM is regarded as a cache to store the most popular rules and the cheap RAM is used to handle cache miss. The primary challenges for designing hybrid TCAM/RAM flow tables lie in how to improve cache hit rate and how to handle wildcard rule dependency when allocating rules between TCAM and RAM.

Huawei Huang,Peng Li,Song Guo,Baoliu Ye

DOI: https://doi.org/10.1109/iwqos.2014.6914313

2014-01-01

Abstract:Software-Defined Network (SDN) is a promising network paradigm that separates the control plane and data plane in the network. It has shown great advantages in simplifying network management such that new functions can be easily supported without physical access to the network switches. However, Ternary Content Addressable Memory (TCAM), as a critical hardware storing rules for high-speed packet processing in SDN-enabled devices, can be supplied to each device with very limited quantity because it is expensive and energy-consuming. To efficiently use TCAM resources, we propose a rule multiplexing scheme, in which the same set of rules deployed on each node apply to the whole flow of a session going through but towards different paths. Based on this scheme, we study the rule placement problem with the objective of minimizing rule space occupation for multiple unicast sessions under QoS constraints. We formulate the optimization problem jointly considering routing engineering and rule placement under both existing and our rule multiplexing schemes. Finally, extensive simulations are conducted to show that our proposals significantly outperform existing solutions.

Vasileios Klimis,George Parisis,Bernhard Reus

DOI: https://doi.org/10.48550/arXiv.2008.06149

2022-01-15

Abstract:Software-defined networking (SDN) enables advanced operation and management of network deployments through (virtually) centralised, programmable controllers, which deploy network functionality by installing rules in the flow tables of network switches. Although this is a powerful abstraction, buggy controller functionality could lead to severe service disruption and security loopholes, motivating the need for (semi-)automated tools to find, or even verify absence of, bugs. Model checking SDNs has been proposed in the literature, but none of the existing approaches can support dynamic network deployments, where flow entries expire due to timeouts. This is necessary for automatically refreshing (and eliminating stale) state in the network (termed as soft-state in the network protocol design nomenclature), which is important for scaling up applications or recovering from failures. In this paper, we extend our model (MoCS) to deal with timeouts of flow table entries, thus supporting soft state in the network. Optimisations are proposed that are tailored to this extension. We evaluate the performance of the proposed model in UPPAAL using a load balancer and firewall in network topologies of varying size.

Networking and Internet Architecture

Shaoke Xi,Kai Bu,Wensen Mao,Xiaoyu Zhang,Kui Ren,Xinxin Ren

DOI: https://doi.org/10.1109/tnet.2022.3194970

2023-01-01

IEEE/ACM Transactions on Networking

Abstract:Reliable Software-Defined Networking (SDN) should mitigate forwarding anomalies due to cross-plane rule inconsistencies. Most existing countermeasures either inject probe packets to infer forwarding correctness or collect packet traces to detect forwarding anomalies. They, however, cannot detect or filter forwarding anomalies for production packets in real time. In this paper, we propose RuleOut as the first attempt to automatically throttle SDN forwarding anomalies. It disambiguates dependent rules via augmenting their matching fields with unique tags. Leveraging source routing, we further bind each packet with the tag sequence corresponding to rules the packet should match. RuleOut thus renders each packet to match at most one rule on each switch. This completely addresses the root cause of forwarding ambiguity. To implement RuleOut, we develop a non-overlapping rule dependency graph, a series of algorithms for incremental rule update and tag generation upon it, and various optimization techniques toward scalability and efficiency. We prototype RuleOut on the Ryu controller and Open vSwitch and evaluate its performance over public rule sets such as Stanford, Internet2, and Airtel1. RuleOut can use tags of only several bits long to disambiguate thousands to millions of rules and generate tags fairly fast within a few milliseconds.

CHEN Yan,WEN Xitao,LENG Xue,YANG Bo,Li Erran Li,ZHENG Peng,HU Chengchen

DOI: https://doi.org/10.19729/j.cnki.1673-5188.2018.04.004

2018-01-01

Abstract:Benefited from the design of separating control plane and data plane,software defined networking（SDN）is widely concerned and applied.Its quick response capability to network events with changes in network policies enables more dynamic management of data center networks.Although the SDN controller architecture is increasingly optimized for swift policy updates,the data plane,especially the prevailing ternary content-addressable memory（TCAM）based flow tables on physical SDN switches,remains unoptimized for fast rule updates,and is gradually becoming the primary bottleneck along the policy update pipeline.In this paper,we present RuleTris,the first SDN update optimization framework that minimizes rule update latency for TCAM-based switches.RuleTris employs the dependency graph（DAG）as the key abstraction to minimize the update latency.RuleTris efficiently obtains the DAGs with novel dependency preserving algorithms that incrementally build rule dependency along with the compilation process.Then,in the guidance of the DAG,RuleTris calculates the TCAM update schedules that minimize TCAM entry moves,which are themain cause of TCAM update inefficiency.In evaluation,RuleTris achieves a median of＜12 ms and 90-percentile of＜15ms the end-to-end perrule update latency on our hardware prototype,outperforming the state-of-the-art composition compiler CoVisor by～20 times.

Huawei Huang,Song Guo,Peng Li,Weifa Liang,Albert Y. Zomaya

DOI: https://doi.org/10.1109/tpds.2015.2431684

IF: 5.3

2016-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Software-defined networking (SDN) is an emerging network paradigm that simplifies network management by decoupling the control plane and data plane, such that switches become simple data forwarding devices and network management is controlled by logically centralized servers. In SDN-enabled networks, network flow is managed by a set of associated rules that are maintained by switches in their local Ternary Content Addressable Memories (TCAMs) which support high-speed parallel lookup on wildcard patterns. Since TCAM is an expensive hardware and extremely power-hungry, each switch has only limited TCAM space and it is inefficient and even infeasible to maintain all rules at local switches. On the other hand, if we eliminate TCAM occupation by forwarding all packets to the centralized controller for processing, it results in a long delay and heavy processing burden on the controller. In this paper, we strive for the fine balance between rule caching and remote packet processing by formulating a minimum weighted flow provisioning ( MWFP) problem with an objective of minimizing the total cost of TCAM occupation and remote packet processing. We propose an efficient offline algorithm if the network traffic is given, otherwise, we propose two online algorithms with guaranteed competitive ratios. Finally, we conduct extensive experiments by simulations using real network traffic traces. The simulation results demonstrate that our proposed algorithms can significantly reduce the total cost of remote controller processing and TCAM occupation, and the solutions obtained are nearly optimal.