591 research outputs found
Dataplane Specialization for High-performance OpenFlow Software Switching
OpenFlow is an amazingly expressive dataplane programming language, but this expressiveness comes at a severe performance price as switches must do excessive packet classification in the fast path. The prevalent OpenFlow software switch architecture is therefore built on flow caching, but this imposes intricate limitations on the workloads that can be supported efficiently and may even open the door to malicious cache overflow attacks. In this paper we argue that instead of enforcing the same universal flow cache semantics on all OpenFlow applications and optimizing for the common case, a switch should rather automatically specialize its dataplane piecemeal with respect to the configured workload. We introduce ESwitch, a novel switch architecture that uses on-the-fly template-based code generation to compile any OpenFlow pipeline into efficient machine code, which can then be readily used as fast path. We present a proof-of-concept prototype and we demonstrate on illustrative use cases that ESwitch yields a simpler architecture, superior packet processing speed, improved latency and CPU scalability, and predictable performance. Our prototype can easily scale beyond 100 Gbps on a single Intel blade even with complex OpenFlow pipelines.
A new lookup model for multiple flow tables of OpenFlow with implementation and optimization considerations
This is the author accepted manuscript. The final version is available from IEEE via the DOI in this record.
OpenFlow has become the key standard for the southbound interface of software defined networking. The single flow table of an OpenFlow implementation can lead to fast storage space growth and finally cause table overflow; multiple flow tables can address this problem and provide greater efficiency and flexibility. Through analyzing the potential deployment challenges of OpenFlow, this paper proposes a new lookup model with implementation and optimization considerations for multiple flow tables in an OpenFlow switch. With the developed lookup model, the original single flow table is split into multiple sub-flow tables, and the fields in each sub-flow table are further divided into several categories according to different field types. Preliminary simulation results demonstrate that the proposed solution can effectively reduce the storage space of flow tables.
SDNsec: Forwarding Accountability for the SDN Data Plane
SDN promises to make networks more flexible, programmable, and easier to manage. Inherent security problems in SDN today, however, pose a threat to the promised benefits. First, the network operator lacks tools to proactively ensure that policies will be followed or to reactively inspect the behavior of the network. Second, the distributed nature of state updates at the data plane leads to inconsistent network behavior during reconfigurations. Third, the large flow space makes the data plane susceptible to state exhaustion attacks. This paper presents SDNsec, an SDN security extension that provides forwarding accountability for the SDN data plane. Forwarding rules are encoded in the packet, ensuring consistent network behavior during reconfigurations and limiting state exhaustion attacks due to table lookups. Symmetric-key cryptography is used to protect the integrity of the forwarding rules and enforce them at each switch. A complementary path validation mechanism allows the controller to reactively examine the actual path taken by the packets. Furthermore, we present mechanisms for secure link-failure recovery and multicast/broadcast forwarding.
Comment: 14 page
Toward Network-based DDoS Detection in Software-defined Networks
To combat the susceptibility of modern computing systems to cyberattack, identifying and disrupting malicious traffic without human intervention is essential. To accomplish this, three main tasks for an effective intrusion detection system have been identified: monitor network traffic, categorize and identify anomalous behavior in near real time, and take appropriate action against the identified threat. This system leverages a distributed SDN architecture and the principles of Artificial Immune Systems and Self-Organizing Maps to build a network-based intrusion detection system capable of detecting and terminating DDoS attacks in progress.
Evolving SDN for Low-Power IoT Networks
Software Defined Networking (SDN) offers a flexible and scalable architecture that abstracts decision making away from individual devices and provides a programmable network platform. However, implementing a centralized SDN architecture within the constraints of a low-power wireless network faces considerable challenges. Not only is controller traffic subject to jitter due to unreliable links and network contention, but the overhead generated by SDN can severely affect the performance of other traffic. This paper addresses the challenge of bringing high-overhead SDN architecture to IEEE 802.15.4 networks. We explore how traditional SDN needs to evolve in order to overcome the constraints of low-power wireless networks, and discuss protocol and architectural optimizations necessary to reduce SDN control overhead - the main barrier to successful implementation. We argue that interoperability with the existing protocol stack is necessary to provide a platform for controller discovery and coexistence with legacy networks. We consequently introduce μSDN, a lightweight SDN framework for Contiki, with both IPv6 and underlying routing protocol interoperability, as well as optimizing a number of elements within the SDN architecture to reduce control overhead to practical levels. We evaluate μSDN in terms of latency, energy, and packet delivery. Through this evaluation we show how the cost of SDN control overhead (both bootstrapping and management) can be reduced to a point where comparable performance and scalability are achieved against an IEEE 802.15.4-2012 RPL-based network. Additionally, we demonstrate μSDN through simulation: providing a use-case where the SDN configurability can be used to provide Quality of Service (QoS) for critical network flows experiencing interference, and we achieve considerable reductions in delay and jitter in comparison to a scenario without SDN.
Outsmarting Network Security with SDN Teleportation
Software-defined networking is considered a promising new paradigm, enabling more reliable and formally verifiable communication networks. However, this paper shows that the separation of the control plane from the data plane, which lies at the heart of Software-Defined Networks (SDNs), introduces a new vulnerability which we call "teleportation". An attacker (e.g., a malicious switch in the data plane or a host connected to the network) can use teleportation to transmit information via the control plane and bypass critical network functions in the data plane (e.g., a firewall), and to violate security policies as well as logical and even physical separations. This paper characterizes the design space for teleportation attacks theoretically, and then identifies four different teleportation techniques. We demonstrate and discuss how these techniques can be exploited for different attacks (e.g., exfiltrating confidential data at high rates), and also initiate the discussion of possible countermeasures. Generally, and given today's trend toward more intent-based networking, we believe that our findings are relevant beyond the use cases considered in this paper.
Comment: Accepted in EuroSP'1