Yi Shen,Chunming Wu,Qiumei Cheng,Dezhang Kong

DOI: https://doi.org/10.1109/hpcc-smartcity-dss50907.2020.00122

2020-01-01

Abstract:Software-Defined Networking (SDN) is an emerging network platform, which decouples the control and data planes. As the most popular southbound protocol and standard, OpenFlow converts network forwarding policies to rule entries and stores them in the flow table. However, the capacity of the flow table is restricted, which can lead to table-overflow if the space is inefficiently used. In this paper, we propose an adaptive flow table management scheme (AFTM) on the control plane, which combines assigning dynamic timeout and proactive eviction to manage the limited flow table resources. The timeout assignment module and the proactive eviction module are not independent parts but work collaboratively. The timeout assignment module sets suitable timeouts for rule entries according to flow characteristics, so that entries of short-lived flows are quickly removed while entries of flows with large packet intervals are retained. When the table space is insufficient, the proactive eviction module removes rule entries to protect the flow table from table-overflow. In our design, the eviction thresholds and parameters in both modules can be adaptively adjusted according to the network load. Experimental results show that AFTM can effectively manage the flow table resource and reduce the number of packet drop rates by up to 81% compared with existing schemes.

Yi Shen,Chunming Wu,Dezhang Kong,Qiumei Cheng

DOI: https://doi.org/10.3390/app13127210

2023-01-01

Applied Sciences

Abstract:Software-defined networking (SDN) enables dynamic management and flexible network control by employing reactive rule installation. Due to high power consumption and cost, current OpenFlow switches only support a limited number of flow rules, which is a major limitation for deploying massive fine-grained policies. This bottleneck can be exploited by attackers to launch saturation attacks to overflow the flow table. Moreover, flow table overflow can occur in the absence of malicious attackers. To cope with this, researchers have developed many proposals to relieve the load under benign conditions. Among them, the dynamic timeout mechanism is one of the most effective solutions. We notice that when the SDN controller adopts dynamic timeouts, existing flow table saturation attacks can fail, or even expose the attackers, due to inaccurate inferring results. In this paper, we extract the common features of dynamic timeout strategies and propose an advanced flow table saturation attack. We explore the definition of flow rule lifetime and use a timing-based side-channel to infer the timeout of flow rules. Moreover, we leverage the dynamic timeout mechanisms to proactively interfere with the decision of timeout values and perform an attack. We conduct extensive experiments in various settings to demonstrate its effectiveness. We also notice that some replacement strategies work differently when the controller assigns dynamic timeouts. The experiment results show that the attack can incur significant network performance degradation and carry out the attack in a stealthy manner.

Jinyuan Zhang,Xuanbo Huang,Jian Li,Kaiping Xue,Qibin Sun,Jun Lu

DOI: https://doi.org/10.1109/hpsr54439.2022.9831366

2022-01-01

Abstract:In Software-Defined Networking (SDN), the controllers implement flexible and scalability networking policies by installing different flow rules. Each rule matches a specific class of flows, instructs the switches to execute actions, and then expires when they finish their tasks. OpenFlow introduces the timeout mechanism to manage these flow rules. However, finding a reasonable timeout value becomes a difficult problem for the network managers. When a relatively small timeout value is given to an elephant flow, the rule expires early, introducing extra cost for the controller and long latency for the matching flow, respectively. On the contrary, a large timeout value for a mice flow makes a rule occupy the switch memory too long, wasting the caching memory and causing the flow table prone to overflow. Therefore, it is necessary to allocate appropriate timeouts for different flows dynamically. In this paper, we achieve this goal with real-time traffic monitoring and heuristic algorithms. By considering different network loads and designing corresponding dynamic timeout algorithms for different scenarios, we make full use of the advantages of SDN to improve the utilization rate of the switch memory and save the controller resources. Further, we implement our scheme in a simulation SDN platform and evaluate the algorithms with the public datasets. Experiments show that our scheme has low control overhead and is memory efficient compared with current mechanisms.

Dezhang Kong,Chunming Wu,Yi Shen,Xiang Chen,Hongyan Liu,Dong Zhang

DOI: https://doi.org/10.1109/globecom48099.2022.10001437

2022-01-01

Abstract:One of the most important components of Software-Defined Networking (SDN) is the flow table. It receives flow rules from the controller and uses them to handle network traffic. However, a flow table can only store a few thousand flow rules, which makes it an attractive target for table overflow attacks. These attacks force the controller to populate the flow table with a large number of meaningless flow rules, which prevents normal flows from finding matching rules and therefore having to be reported to the controller. It results in a significant latency overhead, degrading the performance of the whole network. In this paper, we present a key characteristic of table overflow attacks: even though attackers can change some critical attack parameters (e.g., attack speed) to avoid detection, proactive flows from the attacked port always occupy a stable proportion in the flow table regardless of the attack form. In light of this finding, we propose TableGuard, a novel security mechanism that uses the proactive flow rule number as the detection metric and applies a statistical approach to help filter malicious flows. The experiments demonstrate that TableGuard can mitigate both high-rate and low-rate table overflow attacks. Compared with existing defenses, TableGuard has the best mitigation performance and the minimal overhead on normal flows.

Boyang Zhou,Wen Gao,Chunming Wu,Bin Wang,Ming Jiang,Yansong Wang

DOI: https://doi.org/10.1007/978-3-319-13326-3_39

2014-01-01

Abstract:The Software-Defined Networking (SDN) separates the control plane from the data plane to increase the flexibility. In the data plane, the unavailability of data forwarding is a common problem preventing a switch from configuring a new arrival flow into its flow table. When the burst flows arrived at the switch, the flow table can be consumed, causing the unavailability occurred. However, the problem is more complicated than in Internet due to the limited channel bandwidth for detecting the table usage. Hence, we propose a transparent core layer in the controller. The mechanism of the layer improves the availability in such way, configuring switches adapting to arrival patterns of flows to prevent the resource of switch exceeding its limit. This paper introduces the design and mechanisms of the layer as well as their algorithms. We further use a real flow trace from a Internet core router to evaluate the performance of layer. By emulating on on miniNet-HiFi, the results demonstrate that the layer can smooth the burst flows without making the flow table exceeding its size, without the layer, the switch lost 8% ingress flows. Meanwhile, the control throughput is lowered by 25.8% than before.

Siyi Qiao,Chengchen Hu,Xiaohong Guan,Jianhua Zou

DOI: https://doi.org/10.1145/2934872.2959063

2018-01-01

Abstract:SDN has become the wide area network technology, which the academic and industry most concerned about.The limited table sizes of today’s SDN switches has turned to the most prominent short planks in the network design implementation. TCAM based flow table can provide an excellent matching performance while it really costs much. Even the flow table overflow cannot be prevented by a fixed-capacity flow table. In this paper, we design FTS(Flow Table Sharing) mechanism that can improve the performance disaster caused by overflow. We demonstrate that FTS reduces both control messages quantity and RTT time by two orders of magnitude compared to current state-of-the-art OpenFlow table-miss handler.

Dingmin Wang,Qing Li,Lei Wang,Richard O. Sinnott,Yong Jiang

DOI: https://doi.org/10.1109/infcomw.2017.8116383

2017-01-01

Abstract:Software Defined Networks (SDN) enables flexible flow control by installing policy rules into switches. However, one of the challenges is the dependencies between rules, which is generated due to the rules overlapping in filed space with different priorities. To keep the forwarding correctness and avoid complicated scenarios caused by the asynchronous removal, controllers usually adopt a hard timeout mechanism. However, such mechanism is inflexible for evolving and dynamic network flows. A large timeout may waste the switch memory, while a short timeout may cause multiple requests (Packet-in events) to occur for the same flow. To handle such rule dependencies flexibly, we propose a hybrid timeout mechanism. When a table miss occurs, we adaptively assign an idle timeout to the table-miss flow rule, and dependent rules are assigned with no timeout, which allow them to be removed using a proactive eviction strategy. We conduct extensive experiments using real packet traces from data centers. The experimental results show that our hybrid mechanism significantly reduces the number of table misses and the flow table occupation, while adapting quickly to changes of network flows.

Yi Shen,Chunming Wu,Dezhang Kong,Qiumei Cheng

DOI: https://doi.org/10.2139/ssrn.4129904

2022-01-01

Abstract:Download This Paper Open PDF in Browser Add Paper to My Library Share: Permalink Using these links will ensure access to this page indefinitely Copy URL Copy DOI

Nathan Harris,Sajad Khorsandroo

DOI: https://doi.org/10.1007/s10922-024-09815-x

2024-03-23

Journal of Network and Systems Management

Abstract:OpenFlow-compliant commodity switches face challenges in efficiently managing flow rules due to the limited capacity of expensive high-speed memories used to store them. The accumulation of inactive flows can disrupt ongoing communication, necessitating an optimized approach to flow rule timeouts. This paper proposes Delayed Dynamic Timeout (DDT), a Reinforcement Learning-based approach to dynamically adjust flow rule timeouts and enhance the utilization of a switch's flow table(s) for improved efficiency. Despite the dynamic nature of network traffic, our DDT algorithm leverages advancements in Reinforcement Learning algorithms to adapt and achieve flow-specific optimization objectives. The evaluation results demonstrate that DDT outperforms static timeout values in terms of both flow rule match rate and flow rule activity. By continuously adapting to changing network conditions, DDT showcases the potential of Reinforcement Learning algorithms to effectively optimize flow rule management. This research contributes to the advancement of flow rule optimization techniques and highlights the feasibility of applying Reinforcement Learning in the context of SDN.

computer science, information systems,telecommunications

Xianfeng Li,Haoran Sun,Yan Huang

DOI: https://doi.org/10.1007/s10922-024-09824-w

2024-06-19

Journal of Network and Systems Management

Abstract:Software-defined networks (SDN) rely on flow tables to forward packets from different flows with different policies. To speed up packet forwarding, the rules in the flow table should reside in the forwarding plane as much as possible to reduce the chances of consulting the SDN controller, which is a slow process. The rules are usually cached in the forwarding plane with a Ternary Content Addressable Memory (TCAM) device. However, a TCAM has limited capacity, because it is expensive and power-hungry. As a result, wise caching of a subset of flow rules in TCAM is needed. In this paper, we address two related issues that affect caching efficiency: rules to be cached and rules to be replaced . For the first issue, caching an active rule hit by a flow may need to cache inactive rules due to rule dependency. We propose a two-stage caching architecture called CRAFT, which reduces inactive rules in cache by cutting down long dependent chains and by partitioning rules with massive dependent rules into non-overlapping sub-rules. For the second issue, unawareness of the flow traffic characteristics may evict heavy hitters instead of mice flows. We propose RRTC to address this issue, which is a rule replacement policy taking the real-time network traffic characteristics into consideration. By recognizing the heavy hitters and protecting their matching rules in TCAM, RRTC performs better than least recently used(LRU) policy in terms of cache hit ratio. Simulation results show that our combined rule caching and replacement framework outperforms previous work considerably.

computer science, information systems,telecommunications

Li Qing,Huang Nanyang,Wang Dingmin,Li Xiaowen,Jiang Yong,Song Zhendong

DOI: https://doi.org/10.1109/TNSM.2018.2890754

2019-01-01

IEEE Transactions on Network and Service Management

Abstract:Software-defined networking (SDN) has enabled flexible control over the network by leveraging data plane programming languages such as OpenFlow. However, this fine-grained control is potentially at odds with data plane performance due to the high storage load and limited flow table space of SDN switches. Wildcard rules and timeout mechanisms are the main approaches to relieve the load. However, wildcard rules introduce the rule dependency problem, which poses obstacles to preserve the semantics of network policies and design the timeout mechanism. Therefore, exploiting the limited flow table effectively as well as designing a safe timeout mechanism become the main challenge. In this paper, we propose HQTimer: a hybrid Q-learning-based timeout mechanism in SDN. HQTimer employs a hybrid timeout mechanism and a Q-learning-based adaptation logic. HQTimer is safe, as its timeout mechanism ensures the forwarding logic is not violated by the rule dependency problem. HQTimer is adaptive, as it assigns different timeout values to different rules according to the traffic dynamics and the data plane performance based on Q-learning. The extensive experiments based on real and synthetic workloads show that HQTimer achieves both a higher table-hit rate and a lower overflow number compared with existing timeout mechanisms. Specifically, in contrast to a well-tuned, static idle timeout mechanism, HQTimer improves the table-hit rate from 97.6% to 99.4% while decreasing the overflow number by 83.8%. © 2018 IEEE.

Bing Xiong,Rengeng Wu,Jinyuan Zhao,Zhuofan Liao,Jin Wang

DOI: https://doi.org/10.1109/access.2019.2942208

IF: 3.9

2019-01-01

IEEE Access

Abstract:As a novel network paradigm, Software Defined Networking (SDN) decouples control logic functions from data forwarding devices, and introduces a separate control plane to manipulate underlying switches via southbound interfaces like OpenFlow. This paradigm offers numerous benefits for wide area networks (WAN), like promoting application performance and reducing deployment costs, but poses serious challenges on the storage resources and lookup performance of large-scale flow tables in OpenFlow switches. This paper is thus motivated to propose an efficient differentiated storage architecture for large-scale flow tables in OpenFlow-based software-defined WAN. Firstly, we investigate into the impact of wildcards in match fields on the packet-in-batch feature within a flow based on network traffic locality. Then, packet flows are dynamically distinguished into active ones and idle ones in terms of their short-term states. Subsequently, we store the match fields of active flows and idle flows respectively in TCAM and SRAM, and the content fields of both types of flows in DRAM, to effectively relieve the insufficiency of TCAM capacity. Finally, we evaluate the performance of our proposed flow table storage architecture with real network traffic traces by experiments. The experimental results indicate that our proposed storage architecture with the active/idle flow differentiation obviously outperforms the traditional one applying the elephant/mice flow differentiation in terms of TCAM hit rates and average flow table access time.

Rui Li,Yu Pang,Jin Zhao,Xin Wang

DOI: https://doi.org/10.1145/3337821.3337896

2019-01-01

Abstract:Software Defined Networking (SDN) enables flexible flow control by deploying fine-grained rules in OpenFlow switches. Modern commodity switches usually use TCAM to store these rules and perform high-speed parallel lookups. Though efficient, the TCAM capacity is limited because TCAM is expensive in cost and power-hungry. The explosive growth in the number of rules has exacerbated the limitation of TCAM. There have been considerable efforts in implementing hybrid flow tables with both TCAM and RAM, where the high-speed TCAM is regarded as a cache to store the most popular rules and the cheap RAM is used to handle cache miss. The primary challenges for designing hybrid TCAM/RAM flow tables lie in how to improve cache hit rate and how to handle wildcard rule dependency when allocating rules between TCAM and RAM.

Qing Li,Nanyang Huang,Dingmin Wang,Xiaowen Li,Yong Jiang,Zhendong Song

DOI: https://doi.org/10.1109/TNSM.2018.2890754

2019-01-01

IEEE Transactions on Network and Service Management

Abstract:Software-defined networking (SDN) has enabled flexible control over the network by leveraging data plane programming languages such as OpenFlow. However, this fine-grained control is potentially at odds with data plane performance due to the high storage load and limited flow table space of SDN switches. Wildcard rules and timeout mechanisms are the main approaches to relieve the load. However, wildcard rules introduce the rule dependency problem, which poses obstacles to preserve the semantics of network policies and design the timeout mechanism. Therefore, exploiting the limited flow table effectively as well as designing a safe timeout mechanism become the main challenge. In this paper, we propose HQTimer: a hybrid <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">${Q}$ </tex-math></inline-formula> -learning-based timeout mechanism in SDN. HQTimer employs a hybrid timeout mechanism and a <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">${Q}$ </tex-math></inline-formula> -learning-based adaptation logic. HQTimer is safe, as its timeout mechanism ensures the forwarding logic is not violated by the rule dependency problem. HQTimer is adaptive, as it assigns different timeout values to different rules according to the traffic dynamics and the data plane performance based on <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">${Q}$ </tex-math></inline-formula> -learning. The extensive experiments based on real and synthetic workloads show that HQTimer achieves both a higher table-hit rate and a lower overflow number compared with existing timeout mechanisms. Specifically, in contrast to a well-tuned, static idle timeout mechanism, HQTimer improves the table-hit rate from 97.6% to 99.4% while decreasing the overflow number by 83.8%.

Zehua Guo,Ruoyan Liu,Yang Xu,Andrey Gushchin,Anwar Walid,H. Jonathan Chao

DOI: https://doi.org/10.1016/j.comnet.2017.04.046

IF: 5.493

2017-01-01

Computer Networks

Abstract:The emerging Software-Defined Networking (SDN) enables network innovation and flexible control for network operations. A key component of SDN is the flow table at each switch, which stores flow entries that define how to process the received flows. In a network that has a large number of active flows, flow tables at switches can be easily overflowed, which could cause blocking of new flows or eviction of entries of some active flows. The eviction of active flow entries, however, can severely degrade the network performance and overload the SDN controller. In this paper, we propose SofTware-defined Adaptive Routing (STAR), an online routing scheme that efficiently utilizes limited flow-table resources to maximize network performance. In particular, STAR detects real-time flow-table utilization of each switch, intelligently evicts expired flow entries when needed to accommodate new flows, and selects routing paths for new flows based on flow-table utilizations of switches across the network. Simulation results based on the Spanish backbone network show that, STAR outperforms existing schemes by decreasing the controller’s workload for routing new flows by about 87%, reducing packet delay by 49%, and increasing average throughput by 123% on average when the flow-table resource is scarce.

Kun Qiu,Jing Yuan,Jin Zhao,Xin Wang,Stefano Secci,Xiaoming Fu

DOI: https://doi.org/10.1109/ICDCS.2018.00093

2018-01-01

Abstract:With an increasing demand for flexible management in software-defined networks (SDNs), it becomes critical to minimize the network policy update time. Although major SDN controllers are now optimized for rapid network update at the control plane, there is still room for data plane optimization in terms of update time, when using TCAM-based physical SDN commodity-off-the-shelf switches. A slow update directly affects network performance creating bottlenecks. To minimize flow entry update time, a dependency graph, a kind of DAG (directed acyclic graph), can be used for the access management of flow entries at the switch. Thanks to the DAG, unnecessary entry movements, which are the main factor slowing down flow entry updates, can be avoided. However, existing algorithms show limitations when updates become very frequent. We propose a new flow entry update algorithm, called FastRule, that exploits a greedy strategy with an efficient data structure to accelerate flow entry update with a DAG approach. Moreover, we also adjust our algorithm for other flow table layouts to make it scalable. We elaborate on the correctness of FastRule and test our algorithm using a hardware switch. Compared with existing algorithms, the evaluation shows that our algorithm is about 100x faster than state-of-the-art solutions with a flow table of 1k line size.

Liang Xie,Zhifeng Zhao,Yifan Zhou,Gang Wang,Qianlan Ying,Honggang Zhang

DOI: https://doi.org/10.1109/wcsp.2014.6992181

2014-01-01

Abstract:Software Defined Network (SDN) is undergoing an increasingly high popularity among various schemes of networking deployment. The main advantage of SDN lies in its flexibility in controlling network traffic, which arises from decoupling the control plane and the data plane of network devices. However, despite of the valuable merits of SDN, the outage of data forwarding should not be ignored. The drawback mainly results from the length limitation of switch flow tables, the congestion between controllers and switches, and the deficiency of the controller capacity, which are all closely related to the timeout mechanism of flow table. In our study, the deficiency of SDN system will be analyzed explicitly. Moreover, we propose an adaptive control mechanism aiming at optimizing the idle timeout reset of flow tables and cooperation between controllers and switches. Our mechanism achieves higher matching ratio of flow tables as well as alleviates the congestion in the control channel, enabling more fluent data forwarding in SDN.

Kun Qiu,Jing Yuan,Jin Zhao,Xin Wang,Stefano Secci,Xiaoming Fu

DOI: https://doi.org/10.1109/jsac.2019.2894235

IF: 16.4

2019-01-01

IEEE Journal on Selected Areas in Communications

Abstract:With an increasing demand for flexible management in software-defined networks (SDNs), it becomes critical to minimize the network policy update time. Although major SDN controllers are now optimized for rapid network update at the control plane, there is still room for data plane optimization in terms of update time, when using TCAM-based physical SDN commodity-off-the-shelf switches. A slow update directly affects network performance and creates bottlenecks. To minimize the flow entry update time, a dependency graph, a kind of directed acyclic graph (DAG), can be used for the access management of flow entries at the switch. Thanks to the DAG, unnecessary entry movements, which are the main factor slowing down flow entry updates, can be avoided. However, existing algorithms show limitations when updates become very frequent. We propose a new flow entry update algorithm, called FastRule, that exploits a greedy strategy with an efficient data structure to accelerate flow entry update with a DAG approach. Moreover, we also adjust our algorithm for other flow table layouts to make it scalable. We elaborate on the correctness of FastRule and test our algorithm using a hardware switch. Compared with existing algorithms, the evaluation shows that our algorithm is about $100 \times $ faster than state-of-the-art solutions with a flow table of $1k$ size.

Junjie Xie,Deke Guo,Xiaozhou Li,Yulong Shen,Xiaohong Jiang

DOI: https://doi.org/10.1109/jsac.2018.2815358

IF: 16.4

2018-01-01

IEEE Journal on Selected Areas in Communications

Abstract:To enable the network softwarization, network function virtualization (NFV) and software defined networking (SDN) are integrated to jointly manage and utilize the network resource and virtualized network functions (VNFs). For a network flow resulting from any NFV application, an associated switch would send a routing request to the controller in SDN. The controller then generates and configures a routing path to dynamically steer the flow across appropriate VNFs or service function chains. This process, however, exhibits a skew distribution of response latency with a long tail. Cutting the long-tail latency of response is critical to enable the network softwarization, yet difficult to achieve due to many factors, such as the limited capacities and the load imbalance among controllers. In this paper, we reveal that such flow requests still experience the long-tail response latency, even using the up-to-date controller-to-switch assignment mechanism. To tackle this essential problem, we first propose a light-weight and load-aware switch-to-controller selection scheme to cut the long-tail response latency under the simple scenario of homogeneous controllers, and then design a general delay-aware switch-to-controller selection scheme to fundamentally cut the long-tail response latency for the more complicated heterogeneous controller scenario with performance fluctuations. The comprehensive evaluations indicate that our two new switch-to-controller selection schemes can significantly reduce the long-tail latency and provide higher system throughput.

Xuya Jia,Yong Jiang,Zehua Guo,Zhenwei Wu

DOI: https://doi.org/10.1109/lcn.2016.96

2016-01-01

Abstract:Software-Defined Networking (SDN) allows flexible and efficient management of networks. However, the limited capacity of flow tables in SDN switches hinders the deployment of SDN. In this paper, we propose a novel routing scheme to improve the efficiency of flow tables in SDNs. To efficiently use the routing scheme, we formulate an optimization problem with the objective to maximize the number of flows in the network, constrained by the limited flow table space in SDN switches. The problem is NP-hard, and we propose the K Similar Greedy Tree (KSGT) algorithm to solve it. We evaluate the performance of KSGT against "traditional" SDN solutions with real-world topologies and traffic. The results show that, compared to the existing solutions, KSGT can reduce about 60% of flow entries when processing the same amount of flows, and improve about 25% of the successful installation and forwarding flows under the same flow table space.