1,474 research outputs found
SDNsec: Forwarding Accountability for the SDN Data Plane
SDN promises to make networks more flexible, programmable, and easier to
manage. Inherent security problems in SDN today, however, pose a threat to the
promised benefits. First, the network operator lacks tools to proactively
ensure that policies will be followed or to reactively inspect the behavior of
the network. Second, the distributed nature of state updates at the data plane
leads to inconsistent network behavior during reconfigurations. Third, the
large flow space makes the data plane susceptible to state exhaustion attacks.
This paper presents SDNsec, an SDN security extension that provides
forwarding accountability for the SDN data plane. Forwarding rules are encoded
in the packet, ensuring consistent network behavior during reconfigurations and
limiting state exhaustion attacks due to table lookups. Symmetric-key
cryptography is used to protect the integrity of the forwarding rules and
enforce them at each switch. A complementary path validation mechanism allows
the controller to reactively examine the actual path taken by the packets.
Furthermore, we present mechanisms for secure link-failure recovery and
multicast/broadcast forwarding.Comment: 14 page
Transiently Consistent SDN Updates: Being Greedy is Hard
The software-defined networking paradigm introduces interesting opportunities
to operate networks in a more flexible, optimized, yet formally verifiable
manner. Despite the logically centralized control, however, a Software-Defined
Network (SDN) is still a distributed system, with inherent delays between the
switches and the controller. Especially the problem of changing network
configurations in a consistent manner, also known as the consistent network
update problem, has received much attention over the last years. In particular,
it has been shown that there exists an inherent tradeoff between update
consistency and speed. This paper revisits the problem of updating an SDN in a
transiently consistent, loop-free manner. First, we rigorously prove that
computing a maximum (greedy) loop-free network update is generally NP-hard;
this result has implications for the classic maximum acyclic subgraph problem
(the dual feedback arc set problem) as well. Second, we show that for special
problem instances, fast and good approximation algorithms exist
SDN Access Control for the Masses
The evolution of Software-Defined Networking (SDN) has so far been
predominantly geared towards defining and refining the abstractions on the
forwarding and control planes. However, despite a maturing south-bound
interface and a range of proposed network operating systems, the network
management application layer is yet to be specified and standardized. It has
currently poorly defined access control mechanisms that could be exposed to
network applications. Available mechanisms allow only rudimentary control and
lack procedures to partition resource access across multiple dimensions.
We address this by extending the SDN north-bound interface to provide control
over shared resources to key stakeholders of network infrastructure: network
providers, operators and application developers. We introduce a taxonomy of SDN
access models, describe a comprehensive design for SDN access control and
implement the proposed solution as an extension of the ONOS network controller
intent framework
Fast network configuration in Software Defined Networking
Software Defined Networking (SDN) provides a framework to dynamically adjust and re-program the data plane with the use of flow rules. The realization of highly adaptive SDNs with the ability to respond to changing demands or recover after a network failure in a short period of time, hinges on efficient updates of flow rules. We model the time to deploy a set of flow rules by the update time at the bottleneck switch, and formulate the problem of selecting paths to minimize the deployment time under feasibility constraints as a mixed integer linear program (MILP). To reduce the computation time of determining flow rules, we propose efficient heuristics designed to approximate the minimum-deployment-time solution by relaxing the MILP or selecting the paths sequentially. Through extensive simulations we show that our algorithms outperform current, shortest path based solutions by reducing the total network configuration time up to 55% while having similar packet loss, in the considered scenarios. We also demonstrate that in a networked environment with a certain fraction of failed links, our algorithms are able to reduce the average time to reestablish disrupted flows by 40%
SNAP: Stateful Network-Wide Abstractions for Packet Processing
Early programming languages for software-defined networking (SDN) were built
on top of the simple match-action paradigm offered by OpenFlow 1.0. However,
emerging hardware and software switches offer much more sophisticated support
for persistent state in the data plane, without involving a central controller.
Nevertheless, managing stateful, distributed systems efficiently and correctly
is known to be one of the most challenging programming problems. To simplify
this new SDN problem, we introduce SNAP.
SNAP offers a simpler "centralized" stateful programming model, by allowing
programmers to develop programs on top of one big switch rather than many.
These programs may contain reads and writes to global, persistent arrays, and
as a result, programmers can implement a broad range of applications, from
stateful firewalls to fine-grained traffic monitoring. The SNAP compiler
relieves programmers of having to worry about how to distribute, place, and
optimize access to these stateful arrays by doing it all for them. More
specifically, the compiler discovers read/write dependencies between arrays and
translates one-big-switch programs into an efficient internal representation
based on a novel variant of binary decision diagrams. This internal
representation is used to construct a mixed-integer linear program, which
jointly optimizes the placement of state and the routing of traffic across the
underlying physical topology. We have implemented a prototype compiler and
applied it to about 20 SNAP programs over various topologies to demonstrate our
techniques' scalability
- …