Protecting SDN controller with per-flow buffering inside OpenFlow switches

Title: Protecting SDN controller with per-flow buffering inside OpenFlow switches
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Atli, A. V., Uluderya, M. S., Tatlicioglu, S., Gorkemli, B., Balci, A. M.
Conference Name: 2017 IEEE International Black Sea Conference on Communications and Networking (BlackSeaCom)
Keywords: buffer_id feature, centralized controller, computer network security, control channel, control logic, control plane, control systems, data plane, denial of service, denial-of-service attacks, DoS attacks, DPDK, Floods, heavy control traffic conditions, individually buffered packets, IP networks, Monitoring, Open vSwitch, OpenFlow, OpenFlow protocol, OpenFlow switches, OpenFlow traffic, packet-in flood, per-flow buffering, process control, Protocols, pubcrawl, Resiliency, routers, Scalability, SDN controller, SDN security, Servers, software defined networking, standards-compliant protocol, statistical analysis, switch flow tables, switch memory, table-miss, telecommunication control, telecommunication network routing, telecommunication switching, telecommunication traffic, working principles

Software Defined Networking (SDN) is a paradigm shift that changes the working principles of IP networks by separating the control logic from routers and switches and logically centralizing it within a controller. In this architecture the control plane (controller) communicates with the data plane (switches) through a control channel using a standards-compliant protocol, namely OpenFlow. While a centralized controller creates an opportunity to monitor and program the entire network, as a side effect it makes the control plane a single point of failure. Denial of service (DoS) attacks, or even heavy control traffic conditions, can easily become real threats to the proper functioning of the controller, which in turn harms the entire network. In this paper, we propose a solution that reduces the control traffic generated primarily during table-miss events. We utilize the buffer_id feature of the OpenFlow protocol, which was designed to identify individually buffered packets within a switch, and reuse it to identify flows buffered as a series of packets during a table-miss, which happens when no rule in the switch flow tables matches the received packet. Thus, we allow the OpenFlow switch to send only the first packet of a flow to the controller for a table-miss, while buffering the rest of the flow's packets in switch memory until the controller responds or a timeout occurs. The test results show that OpenFlow traffic is significantly reduced when the proposed method is used.
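The control-traffic reduction described in the abstract can be seen in a small discrete-time model of a switch's table-miss path. The simulation below is an added example, not code from the paper or from any OpenFlow implementation: it compares the conventional behaviour (every table-miss packet is buffered individually and generates its own packet-in) with per-flow buffering (only the first packet of a flow generates a packet-in, the rest are held under the same buffer until the flow-mod arrives or the buffer times out). The controller is modelled as a fixed reply delay, the packet trace is constructed, and the buffer-timeout and release behaviour are assumptions made for the model.

```python
"""Constructed simulation of OpenFlow table-miss handling with and without
per-flow buffering. Added example, not the paper's own code; the controller
is modelled as a fixed reply delay and the trace is synthetic."""


def build_trace(num_flows=5, packets_per_flow=20):
    """Constructed trace: num_flows flows, one packet per flow per time step."""
    return [(t, f"flow-{f}") for t in range(packets_per_flow) for f in range(num_flows)]


class Switch:
    def __init__(self, per_flow_buffering, controller_delay, buffer_timeout):
        self.per_flow = per_flow_buffering     # True: reuse one buffer per flow
        self.delay = controller_delay          # time until a flow-mod reply arrives
        self.timeout = buffer_timeout          # assumed: buffered packets dropped after this
        self.flow_table = set()                # installed rules, keyed by flow
        self.buffers = {}                      # buffer_id -> {"flow", "packets", "since"}
        self.next_buffer_id = 1
        self.flow_mods_due = []                # (arrival_time, flow_key) replies in flight
        self.stats = {"packet_in": 0, "flow_mod": 0, "forwarded": 0, "dropped": 0}

    def _buffer_for(self, flow_key):
        """Find an existing buffer for this flow (only used in per-flow mode)."""
        for bid, entry in self.buffers.items():
            if entry["flow"] == flow_key:
                return bid
        return None

    def _release(self, flow_key):
        """Assumed: once a rule for the flow is installed, every buffer held for
        that flow is forwarded along the new rule."""
        for bid in [b for b, e in self.buffers.items() if e["flow"] == flow_key]:
            self.stats["forwarded"] += self.buffers.pop(bid)["packets"]

    def _deliver_flow_mods(self, now):
        """Controller replies that have arrived by `now` install rules."""
        ready = [m for m in self.flow_mods_due if m[0] <= now]
        self.flow_mods_due = [m for m in self.flow_mods_due if m[0] > now]
        for _, flow_key in ready:
            self.stats["flow_mod"] += 1
            self.flow_table.add(flow_key)
            self._release(flow_key)

    def _expire(self, now):
        """Buffers the controller has not answered within the timeout are dropped."""
        for bid in [b for b, e in self.buffers.items() if now - e["since"] >= self.timeout]:
            self.stats["dropped"] += self.buffers.pop(bid)["packets"]

    def receive(self, now, flow_key):
        self._deliver_flow_mods(now)
        self._expire(now)
        if flow_key in self.flow_table:
            self.stats["forwarded"] += 1
            return
        # Table-miss. With per-flow buffering, a later packet of a flow that is
        # already waiting on the controller joins the existing buffer silently.
        bid = self._buffer_for(flow_key) if self.per_flow else None
        if bid is not None:
            self.buffers[bid]["packets"] += 1
            return
        # First packet (or every packet, in per-packet mode): new buffer + packet-in.
        bid = self.next_buffer_id
        self.next_buffer_id += 1
        self.buffers[bid] = {"flow": flow_key, "packets": 1, "since": now}
        self.stats["packet_in"] += 1
        self.flow_mods_due.append((now + self.delay, flow_key))

    def finish(self):
        """Drain in-flight replies, then time out anything still buffered."""
        self._deliver_flow_mods(float("inf"))
        self._expire(float("inf"))
        return dict(self.stats)


def run(per_flow_buffering, controller_delay=3, buffer_timeout=10, trace=None):
    sw = Switch(per_flow_buffering, controller_delay, buffer_timeout)
    for now, flow_key in (trace if trace is not None else build_trace()):
        sw.receive(now, flow_key)
    return sw.finish()


if __name__ == "__main__":
    print("per-packet buffering:", run(False))
    print("per-flow buffering:  ", run(True))
    print("per-flow, controller slower than timeout:", run(True, 6, 4))
```

With the constructed trace of five flows and a controller reply delay of three time steps, per-packet buffering sends fifteen packet-in messages to the controller, while per-flow buffering sends five, one per flow, and still forwards every packet once the flow-mods arrive. The third run shows the cost of the timeout: when the controller is slower than the buffer timeout, buffered packets are dropped and the switch re-raises a packet-in for the flow, so the timeout must be chosen with the controller's response time in mind.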

Citation Key: atli_protecting_2017