Similar literature (20 results)
1.
Software-defined networking (SDN) has been widely researched and used to manage large-scale networks such as data center networks (DCNs). Early SDN controllers suffered from low responsiveness, low scalability, and low reliability. To solve these problems, distributed SDN controllers have been proposed. The concept of distributed SDN controllers distributes control messages among multiple SDN controllers. However, distributed SDN controllers must assign a master controller for each networking device. Most previous studies, however, did not consider the characteristics of DCNs. Thus, they are not suitable to operate in DCNs. In this paper, we propose HeS-CoP, a heuristic switch-controller placement scheme for distributed SDN controllers in DCNs. Using the control traffic load and CPU load, HeS-CoP decides when our scheme should be performed in DCNs. To show the feasibility of HeS-CoP, we designed and implemented an orchestrator that contains our proposed scheme and then evaluated it. As a result, our proposed scheme distributes the control traffic load well, decreases the average CPU load, and reduces the packet delay.

2.
Software-defined networking (SDN) emerges as the next generation of networking architecture, aiming to improve network manageability and adaptability. However, because of the centralized control policy, SDN is liable to suffer from denial of service attacks in both the data plane and the control plane. To resist the attack and prevent the network from being paralyzed, we propose a novel mitigation scheme named flow migration defense, which uses a slave controller as a substitute to endure flooding requests migrated from the master controller. Considering the special case in which normal requests may be regarded as malicious ones, these requests are reforwarded back to the master controller on the basis of round-robin scheduling. To prevent the master controller from being flooded by the reforwarded requests, we design an adaptive rate adjustment method to adjust the reforwarding rate. Compared with multilevel feedback queue and FloodDefender, simulations demonstrate that flow migration defense can mitigate SDN-aimed denial of service attacks efficiently, with better performance in terms of request response time, packet loss rate, and mitigation time.

3.
Hierarchical multi-center SDN controller deployment
Software-defined networking (SDN) separates forwarding from control and achieves network flexibility and openness through centralization of the control plane. Controller placement is the foundation and prerequisite for deploying and operating SDN. For the controller placement problem in hierarchical multi-center SDN, this paper uses a multilevel k-way partitioning method to divide a large-scale SDN network into regions, transforming the traditional direct placement of multiple SDN controllers into region partitioning followed by intra-region controller placement; at the same time, it reduces the number of inter-domain cut edges in the graph partition so as to lower the number of cross-domain SDN flows and improve the efficiency of flow table construction. Experiments show that, compared with other traditional methods, the proposed hierarchical multi-center controller placement method effectively reduces network communication cost and flow table construction cost.

4.
张云, 江勇, 郑靖, 庞春辉, 李琦. 《电子学报》(Acta Electronica Sinica) 2019, 47(5): 1146-1151
Software-defined networking (SDN) separates the control layer from the data layer, bringing flexibility, openness and programmability to the network. However, this separation introduces new network security problems. We find that by constructing specific rules, a cross-layer loop attack can be built that causes packets to be forwarded in an endless cycle between the controller and the switches. A cross-layer loop congests the controller and prevents it from working normally. Existing policy consistency checking schemes cannot detect cross-layer loop attacks. To this end, this paper proposes a method for real-time detection and defense against cross-layer loops. By constructing a Packet-out-based forwarding graph to analyze rule paths, loops can be detected and defended against quickly. We implemented the proposed loop detection and defense scheme on the open-source controller Floodlight and evaluated its performance on the Mininet emulator; the results show that the scheme can detect cross-layer loop attacks in real time and defend against them effectively.

5.
Software-defined network (SDN) is constructed by decoupling the control and data planes in the forwarding devices. The control plane operations are managed by centralized or distributed controllers, and the data plane operation is managed by the respective forwarding devices. SDN provides an easy and efficient management solution for software-programmed consolidated middleboxes in virtual machines. Additionally, SDN with a centralized controller faces complications like scalability, network bottlenecks, and single points of failure. In this study, a stateful inspection firewall acts as a middlebox in a distributed SDN-controlled network. The controller is programmed with a failure detection and recovery mechanism to provide reliability and redundancy and enhance the overall performance of the network. The objective of a stateful firewall on SDN architecture is to secure the network by monitoring the current connections and maintaining their state information while the connection is active. In this paper, the performance of firewall-enabled SDN with centralized and distributed controllers is measured, compared, and analyzed. The experiments are done using the POX controller, and the results are verified with the Mininet network emulation tool. The results show that the stateful firewall-enabled SDN with a distributed controller network improves the security, reliability, availability, and overall performance of the network. In the proposed SDN, average network throughput is improved by 43%, average network delay is reduced by 4%, average channel utilization is increased by 40%, average network overhead is reduced by 26%, and average network response time is reduced by 23%.

6.
By decoupling the control plane and data plane, the Software-Defined Networking (SDN) approach simplifies network management and speeds up network innovations. These benefits have led not only to prototypes, but also to real SDN deployments. For wide-area SDN deployments, multiple controllers are often required, and the placement of these controllers becomes a particularly important task in the SDN context. This paper studies the problem of placing controllers in SDNs so as to maximize the reliability of SDN control networks. We present a novel metric, called expected percentage of control path loss, to characterize the reliability of SDN control networks. We formulate the reliability-aware control placement problem, prove its NP-hardness, and examine several placement algorithms that can solve this problem. Through extensive simulations using real topologies, we show how the number of controllers and their placement influence the reliability of SDN control networks. Besides, we also found that, through strategic controller placement, the reliability of SDN control networks can be significantly improved without introducing unacceptable switch-to-controller latencies.

7.
Distributed denial of service (DDoS) attacks represent one of the most critical security challenges facing network operators. Software-defined networking (SDN) permits fast reactions to such threats by dynamically enforcing simple forwarding/blocking rules as countermeasures. However, the centralization of the control plane requires that the SDN controller, besides network management operations, should also collect information to identify and mitigate the security menaces. A major drawback of this approach is that it may overload the controller and the control channel. On the other hand, stateful SDN represents a new concept, developed to improve reactivity and offload the controller by delegating local treatments to the switches. In this article, we embrace this paradigm to protect end-hosts from DDoS attacks. We propose StateSec, a novel approach based on in-switch processing capabilities to detect and mitigate flooding threats. StateSec monitors packets matching configurable traffic features without resorting to the controller. By feeding an entropy-based detection algorithm with such monitoring features, it detects and mitigates several threats such as (D)DoS with high accuracy. We implemented StateSec in an SDN platform comparing it with state-of-the-art approaches. We show that StateSec is far more efficient: It achieves very accurate detection levels, reducing at the same time the control plane overhead. We have also evaluated the memory footprint of StateSec for a possible use in production. Finally, we deployed StateSec over a real network to tune its parameters and assess its suitability to real-world deployments.

8.
The separation of control and forwarding planes in software-defined networking (SDN) networks is a key issue of the SDN technology. This feature and the existence of the SDN controller allow the development of dynamic, adaptable and manageable networks, networks that require adequate services and applications. However, the separation of these planes prevents the use of existing powerful tools that were coded with traditional networks in mind. In this paper, we make use of the potential of network virtualization (NV) technologies to propose a virtualized infrastructure that makes possible the incorporation of these existing services and/or applications into an SDN network, without the need for programming additional and complex software modules in the SDN controller. Thus, in this paper, NV is not employed to develop a network managed by SDN but to broaden and give support to the SDN control layer. As an example, we describe the incorporation of nmap (a versatile and powerful tool widely used by security experts for network exploration) into the SDN framework. It is only necessary to develop a simple control plane service that, thanks to the proposed virtualized infrastructure, allows the inclusion of this powerful management application. The result offers the complete functionality of the nmap utility to the network administrators, who control the SDN network through the out-of-band control plane. In addition, a northbound REST API has been defined to offer the main functionality of the tool (host discovery, port scanning, and operating system detection) to the application layer.

9.
Software-defined networks (SDN) usually rely on a centralized controller, which has limited availability and scalability by definition. Although a solution is to employ a distributed control plane, the main issue with this approach is how to maintain consistency among multiple controllers. Consistency should be achieved with as low an impact on network performance as possible and should be transparent for controllers, without requiring any change to the SDN protocols. In this work, we propose VNF-Consensus, a virtual network function that implements Paxos to ensure strong consistency among controllers of a distributed control plane. In our solution, controllers can perform their control plane activities without having to execute the expensive tasks required to keep consistency. Experimental results are presented showing the cost and benefits of the proposed solution, in particular in terms of low controller overhead.

10.
As software-defined networking (SDN) is a logically centralized technology, control plane scalability in SDN becomes increasingly important as the network scale increases. Load balancing and maximizing resource utilization are very critical to the control plane in SDN, and switch migration is an effective approach to achieve these two performance metrics. However, switch migration is an NP-hard problem because it belongs to the class of combinatorial optimization problems. To avoid the NP-hard problem, we propose a switch migration scheme that adopts a noncooperative game to improve control plane scalability in SDN. First, we design a novel load balancing monitoring scheme to detect load imbalance between controllers and trigger switch migration. Then, we use a noncooperative game among controllers to decide switch migration so as to maximize the overall profits. Last, we prove that our proposed approach achieves Pareto optimality. Extensive simulations show that our method is able to achieve a more scalable control plane with load balancing and maximized resource utilization.

11.
Software-defined networks (SDNs) decouple the data plane from the control plane. Thus, they provide logically centralized visibility of the entire networking infrastructure to the controller. This enables the applications running on top of the control plane to innovate through network management and programmability. To realize the centralized control and visibility, the controller needs to discover the networking topology of the entire SDN infrastructure. However, discovering and maintaining a global view of the underlying network topology is a challenging task because of (i) frequently changing network topology caused by migration of virtual machines in data centers, mobile end hosts, and changes in the number of data plane switches because of technical faults or network upgrades; (ii) lack of authentication mechanisms and scarcity of SDN standards; and (iii) availability of security solutions during the topology discovery process. To this end, the aim of this paper is threefold. First, we investigate the working methodologies used to achieve a global view by different SDN controllers, specifically POX, Ryu, OpenDaylight, Floodlight, Beacon, ONOS, and HPE VAN. Second, we identify vulnerabilities that affect the topology discovery process in the above controller implementations. In particular, we provide a detailed analysis of the threats, namely link layer discovery protocol (LLDP) poisoning, LLDP flooding, and LLDP replay attacks, concerning these controllers. Finally, to counter the identified risks, we propose a novel mechanism called TILAK which generates random MAC destination addresses for LLDP packets and uses this randomness to create a flow entry for the LLDP packets. It is a periodic process to prevent LLDP packet-based attacks that are caused only because of the lack of verification of source authentication and integrity of LLDP packets. The implementation results for TILAK confirm that it covers the targeted threats with a lower resource penalty.

12.
Software Defined Networking (SDN) has emerged recently as a new network architecture. It implements both the control and management planes at a centralized controller and the data plane at the forwarding devices. Therefore, SDN helps to simplify network management and improves network programmability. Changes in network policies occur frequently by making modifications at the controller. However, in existing approaches, the rules installed at switches before the policy change at the controller are not modified. This can cause packets to violate the network policy. To address this problem, this paper presents a new approach that stores the rules generated at the controller. After detecting the change in policy, the proposed approach finds the rules that will be affected by the policy change by examining the stored rules at the controller. Then the affected rules are removed from the forwarding devices. Simulation results reveal that our proposed approach provides a lower packet violation ratio and normalized traffic overhead as compared to the existing approach. Therefore, the proposed approach increases network performance and efficiency.

13.
The software-defined networking (SDN) scheme decouples the network control plane and data plane, which can improve the flexibility of traffic management in networks. OpenFlow is a promising implementation instance of the SDN scheme and has been applied to enterprise networks and data center networks in practice. However, less effort has been made to spread the SDN control scheme over the Internet to conquer the ossification of inter-domain routing. In this paper, we further innovate on SDN inter-domain routing inspired by the OpenFlow protocol. We apply SDN flow-based routing control to inter-domain routing and propose a fine-granularity inter-domain routing mechanism, named SDI (Software Defined Inter-domain routing). It enables inter-domain routing to support flexible routing policies by matching multiple fields of the IP packet header. We also propose a method to reduce redundant flow entries for inter-domain settings. Finally, we implement a prototype and deploy it on a multi-domain testbed.

14.
In software-defined networking (SDN), the TCP SYN flooding attack is considered one of the most effective attacks for control plane and target server saturation. In this attack, an attacker generates a large number of malicious SYN requests, and because of the absence of forwarding rules, the data plane switches have to forward these SYN messages to the controller. This excessive forwarding causes congestion over the communication channel between the data plane and the control plane, and it also exhausts computational resources at both planes. In this paper, we propose a novel countermeasure called SYN-Guard to detect and prevent SYN flooding in SDN networks. We fully implement SYN-Guard on the SDN controller to validate incoming TCP connection requests. The controller installs forwarding rules for the SYN requests that successfully clear the validation test of SYN-Guard. The host of a fake SYN request is detected, and SYN-Guard prevents it from sending any further SYN requests to the data plane switch. The performance evaluation done using simulation results shows that SYN-Guard exhibits low side effects for genuine TCP requests, and when compared with standard SDN and state-of-the-art proposals, it reduces the average response time by up to 21% during an ongoing SYN flooding attack.

15.
To address the control expansion problem caused by domain-partitioned network management in the distributed control plane of software-defined networking (SDN), this paper proposes a traffic-engineering-based SDN control resource optimization (TERO) mechanism. First, the control resource consumption of flow requests is analyzed based on the path characteristics of data flows, showing that control resource consumption can be reduced by adjusting the association between controllers and switches. The controller association process is then divided into two stages: a minimum set cover algorithm is first designed to quickly solve the controller association problem in large-scale networks; on this basis, a coalitional game strategy is introduced to optimize the controller-switch association so as to reduce control resource consumption and control traffic overhead. Simulation results show that, compared with the existing nearest-controller association mechanism, the proposed mechanism saves about 28% of control resource consumption while keeping control traffic overhead low.

16.
Network virtualization (NV) technologies have attracted a lot of attention as an essential solution for future networking infrastructure. NV enables multiple tenants to share the same physical infrastructure and to create independent virtual networks (VNs) by decoupling the physical network in terms of topology, address, and control functions. One feasible way to realize full NV involves considering solutions based on the software-defined networking (SDN) paradigm using its programmability. SDN contributes many benefits to both network operations and management including programmability, agility, elasticity, and flexibility. There are several SDN-based NV solutions; however, they suffer from a lack of scalability and high availability. Also, they have high latency between the control and data planes because of their proxy-based architecture. In this thesis, we introduce a new NV platform, named Open Network Hypervisor (ONVisor). The design objectives include, among other features, (1) multitenancy, (2) scalability, (3) flexibility, (4) isolated VNs, and (5) VN federation. ONVisor was designed and implemented by extending Open Network Operating System, an open-source SDN controller. The main features of ONVisor are (1) isolated control and data plane per VN, (2) support of distributed operations, (3) extensible translators, (4) on-platform VN application development and execution, and (5) support of heterogeneous SDN data-plane implementations. Several experiments are conducted on various test scenarios in different test environments in terms of control and data plane performance compared to a nonvirtualized SDN network. The results show that ONVisor can provide VNs with slightly lower control plane performance and similar data plane performance.

17.
The low cost, self-configuration capability and "plug-and-play" feature of Ethernet establish its dominant position in local area networks (LAN). However, it is hard to extend to large scale because of the legacy broadcast-based service discovery mechanism. Therefore, to solve this problem, a new split network architecture named Software-Defined Networking (SDN) is introduced in this paper, and a novel floodless service discovery mechanism (FSDM) for SDN is designed. For the FSDM, the widespread broadcast messages for Dynamic Host Configuration Protocol (DHCP) and Address Resolution Protocol (ARP) are considered in particular. Then a DHCP relay and an ARP proxy are proposed to handle DHCP broadcast messages and ARP broadcast messages, respectively. The proposed FSDM can eliminate flooding completely while preserving the autoconfiguration characteristics. In particular, there is no need to change the existing hardware, software and protocols of hosts for the proposed scheme. Finally, the simulation results demonstrate that our proposed model allows redundant links to exist in the network and has the property of scalability, which can significantly reduce network traffic in the data plane and control traffic in the control plane, and decrease the overhead of the control plane.

18.
One of the expanding network topologies that is frequently utilized to improve network development by successfully separating the control plane and data plane is software-defined networking (SDN). In order to function inside complex sensor networks, the SDWSN system frequently relies on centralized controller logic that pulls global network information. In wireless sensor networks (WSNs), using several SDN controllers is known as a promising strategy due to reliability and performance considerations. However, using numerous controllers increases the synchronization overhead between the controllers. Consequently, it is a difficult research challenge to discover the best placement of SDN controllers to enhance the performance of a WSN, subject to the maximum number of controllers calculated based on the synchronization overhead. This research introduces a novel technique to overcome the controller placement problem (CPP) by optimizing multi-constraints within the sensor networks. For selecting the optimal controllers and placing them in an optimal location, a novel sailfish optimization (SO) strategy is introduced that can enhance the search space and maintain optimal global values throughout the iteration. Then, node clustering is performed using the fuzzy-C-means (FCM) clustering technique, which can reduce energy consumption and path delay within the network. The overall latency obtained by the proposed method is about 0.51 and 0.56 ms, and a total run time of 4 ms for both single sink and multi-sink, respectively. The proposed method is implemented in the MATLAB platform, and different performance metrics are analyzed and compared with existing techniques.

19.
Software-defined network (SDN) used a network architecture which separates the control plane and data plane. The control logic of SDN was implemented by the controller. Because the controller's capacity was limited, in large-scale SDN networks a single controller cannot satisfy the requirements of all switches. Multiple controllers were needed to handle all data flows. Because the latency between controller and switch would significantly affect the forwarding of new data flows, the rational placement of controllers would effectively improve the performance of the entire network. By partitioning the network into multiple sub-domains on the basis of spectral clustering, a method that added a balanced deployment objective function into k-means was given, and a balanced multiple-controller placement algorithm for SDN networks with latency and capacity limitations was proposed. In this approach, a penalty function was introduced in the algorithm to avoid isolated nodes appearing. The simulations show that this algorithm can partition the network in a balanced way, keep the latency between controller and switch small, and keep the loads balanced between controllers.

20.
Software-defined networking (SDN) acts as a centralized management unit, especially in a network with devices that operate below the transport layer of the OSI model. However, when a network with layer 7 middleboxes (MBs) is considered, current SDNs exhibit limitations. As such, to achieve a truly centralized management unit, a new architecture is required that decouples the data and control planes of all network devices. In this report, we propose such a complementary architecture to the current SDN in which SDN-enabled MBs are included along with contemporary SDN-enabled switches. The management unit of this architecture improves network performance and reduces routing cost by considering the status of the MBs during flow forwarding. This unit consists of the following two parts: an SDN controller (SDNC) and a middlebox controller (MBC). The latter selects the best MBs for each flow, and the former determines the best path according to its routing algorithm and the information provided via the MBC. The results show that the proposed architecture improved performance because the utilization of all network devices, including MBs, is manageable.
