Yadong Zhou,Hao Li,Kaiyue Chen,Tian Pan,Kun Qian,Kai Zheng,Bin Liu,Peng Zhang,Yazhe Tang,Chengchen Hu

DOI: https://doi.org/10.1016/j.jnca.2021.103307

IF: 7.574

2022-03-01

Journal of Network and Computer Applications

Abstract:Software Defined Networking (SDN) enables flexible network management with a well-defined abstraction between control and data plane. In this way, operators could issue the policies, e.g., forwarding path, flow counting and rate limiting, from the control plane, which will be enforced by the flow table rules in the data plane. However, multiple active policies with the same priority will potentially trigger conflicts among policies with overlapped flow space, causing the flow table explosion. In contrast to the local switch conflict resolution schemes proposed by previous works, this paper tackles the same problem from a different angle and resolves the policy conflict problem by coordinating all switches under a global centralized view. Specifically, we propose COnflict RAzor (CORA), which tremendously reduces the storage cost of conflicting policies leveraging the global network information obtained in the controller. The basic idea of CORA is migrating policies causing large explosions across the network if necessary, while keeping the semantics equivalence. We prove CORA’s NP hardness and propose a heuristic to efficiently search a near-optimal policy migration strategy. Our experiments demonstrate that, CORA can effectively reduce the flow table storage occupation by averagely 79.8% within less than 40 s, which is 47.9% more efficient than the state-of-the-art.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Shengliang Deng,Xiuxian Guan,Zekai Sun,Shixiong Zhao,Tianxiang Shen,Xusheng Chen,Tianyang Duan,Yuexuan Wang,Jia Pan,Yanjun Wu,Libo Zhang,Heming Cui

DOI: https://doi.org/10.1109/jiot.2022.3140400

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:In coordinated robotic learning, multiple robots share the same wireless channel for communication, and bring together latency-sensitive (LS) network flows for control and bandwidth-hungry (BH) flows for distributed learning. Unfortunately, existing wireless network supporting systems cannot coordinate these two network flows to meet their own requirements: 1) prioritized contention systems (e.g., EDCA) prevent LS messages from timely acquiring the wireless channel because multiple wireless network interface cards (WNICs) with BH messages are contending for the channel 2) global planning systems (e.g., SchedWiFi) have to reserve a notable time window in the shared channel for each LS flow, suffering from severe bandwidth degradation (up to 42%). We present the coordinated preemption method to meet both requirements for LS flows and BH flows. Globally (among multiple robots), coordinated preemption eliminates unnecessary contention of BH flows by making them transmit in a round-robin manner, such that LS flows have the highest chance to win the contention against BH flows, without sacrificing overall bandwidth from the perspective of coordinated robotic learning applications. Locally (within the same robot), coordinated preemption in real time predicts the periodic transmission of LS flows from the upper application and conservatively limits packets of BH flows buffered in the WNIC only before LS packets arriving, reducing the bandwidth devoted to preemption. COORP, our implementation of coordinated preemption, reduced the violation of latency requirements from 53.9% (EDCA) to 8.8% (comparable to SchedWiFi). Regarding learning quality, COORP achieved a comparable (at times the same) learning reward with EDCA, which grew up to 76% faster than SchedWiFi.

Jie Cui,Sheng Zhou,Hong Zhong,Yan Xu,Kewei Sha

DOI: https://doi.org/10.1109/ICCCN.2018.8487415

2018-01-01

Abstract:Software-defined Networking (SDN) brings new vitality to traditional network technology as its nice property of network programmability makes our network more open and flexible. By using interfaces of SDN controllers, different applications with diverse network functions can deploy their needed flow rules into SDN switches. However, some of these flow rules would probably produce conflicts that result in invalidation of network functions and cause security issues. To address this issue, we design a novel approach, Transaction-based flow rule Conflict Detection and Resolution (TCDR), which can isolate the flow rules of different network functions to avoid interference between different network functions. Meanwhile, our proposed method introduces a transaction-based authentication to guarantee the legality of flow rules. Finally, we implement a prototype of our solution, and evaluate its effectiveness and efficiency. The performance evaluation shows that TCDR can reject illegal flow rules and avoid many flow rule conflicts with a small overhead.

Shaoke Xi,Jiaqi Gao,Mengqi Liu,Jiamin Cao,Fuliang Li,Kai Bu,Kui Ren,Minlan Yu,Dennis Cai,Ennan Zhai

2024-10-30

Abstract:With the growing performance requirements on networked applications, there is a new trend of offloading stateful network applications to SmartNICs to improve performance and reduce the total cost of ownership. However, offloading stateful network applications is non-trivial due to state operation complexity, state resource consumption, and the complicated relationship between traffic and state. Naively partitioning the program by state or traffic can result in a suboptimal partition plan with higher CPU usage or even packet drops. In this paper, we propose Cora, a compiler and runtime that offloads stateful network applications to SmartNIC-accelerated hosts. Cora compiler introduces an accurate performance model for each SmartNIC and employs an efficient compiling algorithm to search the offloading plan. Cora runtime can monitor traffic dynamics and adapt to minimize CPU usage. Cora is built atop Netronome Agilio and BlueField 2 SmartNICs. Our evaluation shows that for the same throughput target, Cora can propose partition plans saving up to 94.0% CPU cores, 1.9 times more than baseline solutions. Under the same resource constraint, Cora can accelerate network functions by 44.9%-82.3%. Cora runtime can adapt to traffic changes and keep CPU usage low.

Networking and Internet Architecture,Computation and Language

Kai Bu,Minyu Weng,Junze Bao,Zhenchao Lin,Zhikui Xu

DOI: https://doi.org/10.1109/icdcsw.2016.16

2016-01-01

Abstract:This paper explores a RIGHT framework for reliable policy enforcement in Software-Defined Networking (SDN). Current SDN uses overlapping rules with common matching packets. Even if a packet's expectant rule is inactive, it might hit another rule and experience incorrect yet unnoticed processing. This leads to inconsistency between control plane and data plane, that is, unreliable policy enforcement. RIGHT advocates three adaptations to respectively mitigate, detect, and correct packet processing errors. It is challenging for RIGHT to maintain both accuracy and efficiency. We explore lightweight modifications to current SDN policy enforcement toward better reliability. For example, we decouple rules and priorities through tagging to mitigate matching ambiguity. We also use exact-match rules to efficiently, correctly process packets in the same micro-flow. RIGHT can remedy mis-forwarded packets as well. We expect that a comprehensive design and deployment of RIGHT helps ensure correct per-packet processing in real time for SDN.

Qi Li,Yanyu Chen,Patrick P. C. Lee,Mingwei Xu,Kui Ren

DOI: https://doi.org/10.1109/tnet.2018.2853593

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:Software-defined networking (SDN) utilizes a centralized controller to distribute packet processing rules to network switches. However, rules are often generated by the applications developed by different organizations, so they may conflict with each other in data plane and lead to violations with security rules. The problem is similar to firewall conflicts in IP networks. Rule conflict resolution should incur negligible process delay, such that all rules can he correctly and safely enforced in the data plane in real time. However, since SDN allows users to use more than 35 fields to specify rules (including field transition rules), it is much more complicated to prevent enforcement of SDN rules from violating with security rules than to resolve firewall rule violation, and in particular, field transition rules are enforced. Therefore, it is extremely difficult to resolve such rule conflicts in real time before the rules are installed in SDN data plane. In this paper, we investigate the rule conflict problem in SDN and identify new covert channel attacks due to rule conflicts. To the end, we propose the covert channel defender (CCD) that prevents covert channel attacks by verifying and resolving rule conflicts. Specifically, CCD tracks all rule insertion and modification messages from applications running on the controller. It analyzes the correlation among rules based on multiple packet header fields and resolves any identified rule conflict in real time before rule installation. We implement CCD with the Floodlight controller and evaluate its performance with the real-world Stanford topology. We show that CCD can efficiently detect and prevent rule conflicts in the data plane that may raise covert channels within hundreds of microseconds and brings small overhead to the packet delivery.

Chunlin Yang,Yong Jiang,Yang Liu,Lei Wang

DOI: https://doi.org/10.1109/ISCC.2018.8538522

2018-01-01

Abstract:Software-Defined Networks (SDN) enable flexible flow control by caching policy rules into switches. Compared with exact-match rules caching, wildcard rules caching can better preserve the flow table space at switches. Due to the existence of overlap among different priority wildcard rules, only caching the matched wildcard rule will incur semantic errors. In order to address this problem, previous schemes install multiple wildcard rules for each cache miss. In this paper, we propose a new wildcard rules caching system for SDN named Caching Non-Overlapping Rules (CNOR). The non-overlapping rule set is generated by an algorithm that is similar to leaf pushing. Our scheme only installs one nonoverlapping wildcard rule for each cache miss. Compared with previous schemes, our scheme improves the cache hit ratio of rules and reduces bandwidth consumption between the controller and switches.

Pengzhan Wang,Liusheng Huang,Hongli Xu,Bing Leng,Hansong Guo

DOI: https://doi.org/10.1109/glocom.2014.7417386

2014-01-01

Abstract:Software Defined Network (SDN) is facilitating rapid innovation of network by providing a programmable network infrastructure. However, managing SDN flow rules, especially among multiple modules and administrators, has become complex and error-prone. Different controller modules with diverse objectives may be installed on the SDN controller, which can lead to anomalies among policies and rules. In this paper, we propose ADRS(Anomaly Detecting and Resolving for SDN) to solve this problem. Firstly, we analyse the rule-level anomalies that may occur in SDN based on OpenFlow protocol. Then we present an interval tree model for rapid rule scanning and a share model for network privilege allocating. By applying these models, we provide an automatic algorithm to detect and resolve the anomalies among SDN modules. Moreover, a rule-recovery mechanism is presented to avoid modification faults. We also implement and evaluate our system in the OpenDayLight controller.

Shaoke Xi,Kai Bu,Wensen Mao,Xiaoyu Zhang,Kui Ren,Xinxin Ren

DOI: https://doi.org/10.1109/tnet.2022.3194970

2023-01-01

IEEE/ACM Transactions on Networking

Abstract:Reliable Software-Defined Networking (SDN) should mitigate forwarding anomalies due to cross-plane rule inconsistencies. Most existing countermeasures either inject probe packets to infer forwarding correctness or collect packet traces to detect forwarding anomalies. They, however, cannot detect or filter forwarding anomalies for production packets in real time. In this paper, we propose RuleOut as the first attempt to automatically throttle SDN forwarding anomalies. It disambiguates dependent rules via augmenting their matching fields with unique tags. Leveraging source routing, we further bind each packet with the tag sequence corresponding to rules the packet should match. RuleOut thus renders each packet to match at most one rule on each switch. This completely addresses the root cause of forwarding ambiguity. To implement RuleOut, we develop a non-overlapping rule dependency graph, a series of algorithms for incremental rule update and tag generation upon it, and various optimization techniques toward scalability and efficiency. We prototype RuleOut on the Ryu controller and Open vSwitch and evaluate its performance over public rule sets such as Stanford, Internet2, and Airtel1. RuleOut can use tags of only several bits long to disambiguate thousands to millions of rules and generate tags fairly fast within a few milliseconds.

Qing Li,Kun Zhao,Yong Jiang,Mingwei Xu,Shu-Tao Xia

DOI: https://doi.org/10.1016/j.comnet.2015.09.025

IF: 5.493

2015-01-01

Computer Networks

Abstract:In Software Defined Networks (SDN), the configuration inconsistency during updates is one main source of network instability. Even if the validity of the initial and final configurations is guaranteed, the interim complex and inconstant network states might cause routing conflicts and transmission disruption. Therefore, an efficient updating scheme with configuration consistency is required. Current schemes well guarantee the packet-level consistent update, but perform poorly for the flow-level case. In this paper, we present a Smart Approach of Rule Division (SARD) for fast flow-level consistent update in SDN. We first provide a simplified mathematical model of the network. Based on this model, we then propose SARD to guarantee the flow-level consistency during configuration updates. In SARD, the controller (1) collects the information of existing flows; (2) computes K optimal prefixes covering these flows, meanwhile with the minimized space; (3) installs the new rule and K old sub-rules with lower and higher priorities respectively. SARD preserves the flow-level consistent property and accelerates the process of configuration update in SDN. We evaluate the performance of SARD by comprehensive experiments. The results show that our scheme reduces the transition time to about 10% of the current method of periodical direct division.

Bo Yan,Yang Xu,H. Jonathan Chao

DOI: https://doi.org/10.1109/jsac.2018.2871296

IF: 16.4

2018-01-01

IEEE Journal on Selected Areas in Communications

Abstract:Enforcing network policies is critical for service deployments over software-defined networks (SDN). Most existing studies suggest proactively compiling policies into flow entries in the data plane and updating the installed entries when necessary. With a growing amount of applications, taking a proactive approach may overflow underlying switch memory. Meanwhile, certain policies can be frequently updated. Such updates may propagate across configurations in the network, leading to a long time for correctness validation. To improve both the scalability and the flexibility of SDN policy enforcement, we advocate reactively deploying network policies in the data plane. To this end, we propose a network-wide policy enforcement framework named BigMaC. BigMaC advertises a neat policy model for network managers to specify various network policies as rules. It then caches the rules as flow entries in the switches reactively on demand. One major challenge for the BigMaC design is to guarantee the consistency of defined policies and cached entries in the network. To maintain consistency with efficient table usage and simple updates, we group rules into buckets and perform rule caching in the unit of buckets. With trace-driven simulations, we verify that BigMaC can significantly save table space and reduce update complexity compared to prior proposals.

Zixuan Ma,Yuqi Zhang,Ruibang You,Chen Li

DOI: https://doi.org/10.1109/cscwd57460.2023.10152559

2023-01-01

Abstract:Software-Defined Networking (SDN) decouples the data plane from the control plane, enabling centralized control and open programmability of the network. OpenFlow flow rules are the key carrier for the SDN application to configure and manage the data plane through the control plane, and the processing efficiency of flow rules of the SDN controller in the control plane is critical as it will directly impact the instantaneity of configuring and managing the data plane. Currently, the controller increases the processing efficiency of flow rules by means of multi-threaded parallel processing. However, in the experiments of the widely used SDN controller ONOS, we found a new bottleneck in the parallel processing of flow rules that causes the performance gains from parallelism to be offset. Therefore, in this paper, we locate the bottleneck and analyze its causes through source code analysis and timestamp tests, propose a parallel event queue to resolve the bottleneck, and implement it in ONOS. Experiments show that our improved ONOS effectively resolves the bottleneck problem and achieves an average 3.57x improvement in the processing efficiency of flow rules compared to the original ONOS.

Long Luo,Hongfang Yu,Shouxi Luo

DOI: https://doi.org/10.48550/arXiv.1611.09011

2017-04-27

Abstract:The OpenFlow-based SDN is widely studied to better network performance through planning fine-grained paths. However, being designed to configure path hop-by-hop, it faces the scalability issue that both the flow table overhead and path setup delay are unacceptable for large-scale networks. In this paper, we propose PACO, a framework based on Source Routing to address that problem through quickly pushing paths into the packet header at network edges and pre-installing few rules at the network core. The straightforward implementation of SR is inefficient as it would incur too many path labels; other efficient approaches would sacrifice path flexibility (e.g., DEFO). To implement SR efficiently and flexibly, PACO presents each path as a concatenation of pathlets and introduces algorithms to compute pathlets and concatenate paths with minimum path labels. Our extensive simulations confirm the scalability of PACO as it saves the flow table overhead up to 94% compared with OpenFlow-SDN solutions and show that PACO outperforms SR-SDN solutions by supporting more than 40% paths with few label overhead.

Networking and Internet Architecture

Yangming Zhao,Kai Chen,Wei Bai,Minlan Yu,Chen Tian,Yanhui Geng,Yiming Zhang,Dan Li,Sheng Wang

DOI: https://doi.org/10.1109/INFOCOM.2015.7218408

2015-01-01

Abstract:In the data flow models of today's data center applications such as MapReduce, Spark and Dryad, multiple flows can comprise a coflow group semantically. Only completing all flows in a coflow is meaningful to an application. To optimize application performance, routing and scheduling must be jointly considered at the level of a coflow rather than individual flows. However, prior solutions have significant limitation: they only consider scheduling, which is insufficient. To this end, we present Rapier, a coflow-aware network optimization framework that seamlessly integrates routing and scheduling for better application performance. Using a small-scale testbed implementation and large-scale simulations, we demonstrate that Rapier significantly reduces the average coflow completion time (CCT) by up to 79.30% compared to the state-of-the-art scheduling-only solution, and it is readily implementable with existing commodity switches.

Xitao Wen,Bo Yang,Yan Chen,Chengchen Hu,Yi Wang,Bin Liu,Xiaolin Chen

DOI: https://doi.org/10.1109/dsn.2016.20

2016-01-01

Abstract:The OpenFlow paradigm embraces third-party development efforts, and therefore suffers from potential attacks that usurp the excessive privileges of control plane applications (apps). Such privilege abuse could lead to various attacks impacting the entire administrative domain. In this paper, we present SDNShield, a permission control system that helps network administrators to express and enforce only the minimum required privileges to individual controller apps. SDNShield achieves this goal through (i) fine-grained SDN permission abstractions that allow accurate representation of app behavior boundary, (ii) automatic security policy reconciliation that incorporates security policies specified by administrators into the requested app permissions, and (iii) a lightweight thread-based controller architecture for controller/app isolation and reliable permission enforcement. Through prototype implementation, we verify its effectiveness against proof-of-concept attacks. Performance evaluation shows that SDNShield introduces negligible runtime overhead.

Qing Li,Nanyang Huang,Yong Jiang,Richard O. Sinnott,Mingwei Xu

DOI: https://doi.org/10.1109/ICDCS47774.2020.00077

2020-01-01

Abstract:Data plane programming languages enable administrators of Software-Defined Networks (SDNs) to perform fine-grained flow control by compiling high-level policies into low-level rules and deploying rules in the data plane. However, it is difficult to scale the data plane with the dynamics of network traffic and the limited storage space of switches. In this paper, we propose a lazy OpenFlow Rule Placement (ORP) framework to enforce control polices and scale the SDN data plane by placing and reusing wildcard rules. We provide an offline rule placement scheme to meet performance objectives under real-world constraints. To handle dynamic traffic and perform incremental rule updates, we design an online matching rule deployment algorithm to place rules in polynomial time and prove it to be conditionally-optimal. Furthermore, to address the rule dependency problem during online rule placement, we extend the algorithm to deploy dependent rules and present lightweight heuristics to guarantee the fast reaction to the new flows. Extensive experiments are conducted on diverse network topologies and datasets to show that the lazy ORP framework significantly reduces the storage cost, improves data plane scalability and is flexible enough to accomplish different optimization goals.

Xianfeng Li,Haoran Sun,Yan Huang

DOI: https://doi.org/10.1007/s10922-024-09824-w

2024-06-19

Journal of Network and Systems Management

Abstract:Software-defined networks (SDN) rely on flow tables to forward packets from different flows with different policies. To speed up packet forwarding, the rules in the flow table should reside in the forwarding plane as much as possible to reduce the chances of consulting the SDN controller, which is a slow process. The rules are usually cached in the forwarding plane with a Ternary Content Addressable Memory (TCAM) device. However, a TCAM has limited capacity, because it is expensive and power-hungry. As a result, wise caching of a subset of flow rules in TCAM is needed. In this paper, we address two related issues that affect caching efficiency: rules to be cached and rules to be replaced . For the first issue, caching an active rule hit by a flow may need to cache inactive rules due to rule dependency. We propose a two-stage caching architecture called CRAFT, which reduces inactive rules in cache by cutting down long dependent chains and by partitioning rules with massive dependent rules into non-overlapping sub-rules. For the second issue, unawareness of the flow traffic characteristics may evict heavy hitters instead of mice flows. We propose RRTC to address this issue, which is a rule replacement policy taking the real-time network traffic characteristics into consideration. By recognizing the heavy hitters and protecting their matching rules in TCAM, RRTC performs better than least recently used(LRU) policy in terms of cache hit ratio. Simulation results show that our combined rule caching and replacement framework outperforms previous work considerably.

computer science, information systems,telecommunications

Bo Yan,Yang Xu,H. Jonathan Chao

DOI: https://doi.org/10.1109/tnet.2018.2815983

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:Software-Defined Networking enables flexible flow control by caching rules at OpenFlow switches. Wildcard rule caching enables management of traffic aggregates, reduces flow setup queries, and simplifies policy management. However, to guarantee correct packet matching, some rules that depend on the requested rule need to be cached as well, which leads to unnecessary flow table bloat and potential overflow. We have proposed a scheme called CAching rules in Buckets (CAB) to mitigate the dependency issue by partitioning the field space into buckets and caching rules associated with the requested buckets. In this paper, we propose the Adaptive Cache ManagEment (ACME) for CAB, which dynamically adjusts the sizes and shapes of buckets according to incoming traffic to achieve more efficient flow table utilization. The improvement also includes preloading rules that span a wide field space to reduce bandwidth usage in the control channel. We formalize the caching policies for CAB-ACME to guarantee the semantic correctness of packet classification. We evaluate the performance of CAB-ACME through software-based simulations and a prototype built with the OpenDaylight controller and hardware switches from multiple vendors. The results show that, compared with other rule caching schemes, CAB-ACME reduces the cache miss rate by one order of magnitude and the control channel bandwidth usage by a half. ACME also helps maintain a steadier performance under dynamic traffic changes compared with the baseline CAB design.

Pengcheng Xiong,Xin He,Hakan Hacigumus,Prashant Shenoy

DOI: https://doi.org/10.1109/hotweb.2015.10

2015-01-01

Abstract:MapReduce is a popular choice for executing analytic workloads over large datasets on clusters of commodity machines. Due to the distributed nature of such systems, network resource bottlenecks can adversely affect performance, especially when multiple applications share the network. One of the significant barriers to reducing the occurrence and impact of such bottlenecks is the current separation between MapReduce and network management and routing. Fortunately, the emergence of software-defined networking (SDN) is removing the barriers to cooperation between Hadoop and the network. To explore the opportunity this creates, we focus on how we can use the capabilities of SDN to create a more collaborative relationship between MapReduce and the network underneath. We demonstrate the effectiveness of this collaboration through the implementation of and experiments with a system we call Cormorant. Experimental results show up to 38% improvement for analytic query performance, beyond the benefits achievable by independently optimizing MapReduce schedulers and network flow schedulers.

Jiaqi Zheng,Bo Li,Chen Tian,Klaus-Tycho Foerster,Stefan Schmid,Guihai Chen,Jie Wu,Rui Li

DOI: https://doi.org/10.1109/JSAC.2019.2906741

IF: 16.4

2019-01-01

IEEE Journal on Selected Areas in Communications

Abstract:Software-Defined Networks (SDNs) introduce great flexibilities in how packet routes can be defined and changed over time, and enable a more fine-grained and adaptive traffic engineering. The recently introduced support for more accurate synchronization in SDNs further improves the degree of control an operator can have over the packets’ forwarding paths, and also allows to avoid disruptions and inconsistencies during network updates, i.e., during the rerouting of flows. However, how to optimally exploit such technology <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">algorithmically</italic> — to efficiently schedule the update of multiple flows in such timed SDNs — while accounting for possible interference and congestion, is not well-understood today. We, in this paper, initiate the study of the fundamental problem of how to reroute the updates of <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">multiple</italic> network flows in a synchronized SDN in a <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">congestion-free</italic> manner. We rigorously prove that the problem is NP-hard for flows of unit size and network links with unit delay. We also show that a greedy approach to update the network can delay the update significantly. Our main contribution is the first solution to this problem: Chronicle. Our approach is based on time-extended network construction and the resource dependency graph, which is implemented by Openflow 1.5 using the <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">scheduled bundles feature</italic> . The evaluation results show that Chronicle can reduce the makespan by 63% and reduce the number of changed rules by 50% compared to state-of-the-art.