Dynamic switch migration with noncooperative game towards control plane scalability in SDN

As software‐defined networking (SDN) is a logically centralized technology, the control plane scalability in SDN is increasingly important with the network scale increasing. Load balancing and maximizing resource utilization are very critical to the control plane in SDN, while switch migration is an effective approach to achieve these two performance metrics. However, switch migration is NP‐hard problem because it belongs to the problem of combinatorial optimization. To avoid the NP‐hard problem, we propose a switch migration scheme by adopting noncooperative game to improve the control plane scalability in SDN. First, we design a novel load balancing monitoring scheme to detect the load imbalance between controllers and trigger migrating switches. Then, we use noncooperative game among controllers to decide switch migration to get the maximizing overall profits. Last, we prove that our proposed approach can get Pareto optimality. Extensive simulations prove that our method is able to achieve a more scalable control plane with load balancing and maximizing resource utilization.     

基于OpenFlow的SDN控制平面可扩展性综述

OpenFlow发展之初,主要是为了校园网络研究人员设计其创新网络架构提供真实的实验平台,形成一种新的网络构架SDN。随着其应用范围的增加,遇到的问题逐渐显现出来,尤其是可扩展性方面。文中介绍了OpenFlow的产生背景、特点及发展现状,以及几种较为典型的SDN控制器模型和控制平面框架,并对SDN可扩展性方面遇到的问题及解决方案进行了分析,并概述了其今后的发展方向。     

ONVisor: Towards a scalable and flexible SDN‐based network virtualization platform on ONOS

Network virtualization (NV) technologies have attracted a lot of attention as an essential solution for future networking infrastructure. The NV enables multiple tenants to share the same physical infrastructure and to create independent virtual networks (VNs) by decoupling the physical network in terms of topology, address, and control functions. One feasible way to realize full NV involves considering solutions based on the software‐defined networking (SDN) paradigm using its programmability. The SDN contributes many benefits to both network operations and management including programmability, agility, elasticity, and flexibility. There are several SDN‐based NV solutions; however, they suffered from a lack of scalability, high availability. Also, they have high latency between control and data plane because of proxy‐based architecture. In this thesis, we introduce a new NV platform, named Open Network Hypervisor (ONVisor). The design objectives include, among the features, (1) multitenancy, (2) scalability, (3) flexibility, (4) isolated VNs, and (5) VN federation. ONVisor was designed and implemented by extending Open Network Operating System, an open‐source SDN controller. The main features of ONVisor are (1) isolated control and data plane per VN, (2) support of distributed operations, (3) extensible translators, (4) on‐platform VN application development and execution, and (5) support of heterogenous SDN data‐plane implementations. Several experiments are conducted on various test scenarios in different test environments in terms of control and data plane performance compared to nonvirtualized SDN network. The results show that ONVisor can provide VNs a little bit lower control plane performance and similar data plane performance.     

浅谈软件定义网络中数据平面的通用性和控制平面的可扩展性(英)

The control and data planes are decoupled in software-defined networking(SDN),which enables both planes to evolve independently,and brings about many advantages such as high flexibility,programmability,and rapid implementation of new network protocols.However,in order to improve the scalability of the control plane at present,some control functionalities are added to the data plane,which is probably to impact on the generality of the data plane.The key challenge of adding control functionalities to the data plane is to strike a careful balance between the generality of the data plane and the scalability of the control plane.We propose some basic principles that both control and data planes should comply with,based on the evolutionary trend of SDN.Moreover,we take two approaches for reference according to the principles,viewed from the control messages in OpenFlow-based SDN.Our evaluations demonstrate that the approaches can maintain the generality of the data plane and improve the scalability of the control plane.     

SDN技术和产业分析及运营商应对策略建议

软件定义网络（SDN）提出了一种全新的网络设计理念,强调控制与转发的分离以及网络的可编程,实现网络架构的开放。SDN正和云计算一道重塑互联网网络模型和产业结构。介绍了SDN的基本概念、本质及特征,分析了SDN核心技术体系及其产业发展现状,从运营商视角探讨了SDN对未来网络的影响,并给出了相应的应用建议。     

Stateful firewall‐enabled software‐defined network with distributed controllers: A network performance study

SummarySoftware‐defined network (SDN) is constructed by decoupling the control and data plane from the forwarding devices. The control plane operations are managed by centralized or distributed controllers, and the data plane operation is managed by respective forwarding devices. SDN provides an easy and efficient management solutions for software‐programmed consolidated middlebox in virtual machines. Additionally, SDN with centralized controller faces complications like scalability, network bottle neck, and single point failure. In this study, a stateful inspection firewall acts as a middlebox in distributed SDN‐controlled network. The controller is programmed with a failure detection and recovery mechanism to provide reliability and redundancy and enhance the overall performance of the network. The objective of stateful firewall on SDN architecture is to secure the network by monitoring the current connections and maintain its state information until the connection is active. In this paper, the performance of firewall‐enabled SDN with centralized and distributed controllers are measured, compared, and analyzed. The experiments are done using POX controller, and the results are verified by Mininet network emulation tool. The results show that the stateful firewall‐enabled SDN with distributed controller network improves the security, reliability, availability, and overall performance of the network. In the proposed SDN, average network throughput is improved by 43%, average network delay is reduced by 4%, average channel utilization is increased by 40%, average network overhead is reduced by 26%, and average network response time is reduced by 23%.     

VNF-Consensus: A virtual network function for maintaining a consistent distributed software-defined network control plane

Software-defined networks (SDN) usually rely on a centralized controller, which has limited availability and scalability by definition. Although a solution is to employ a distributed control plane, the main issue with this approach is how to maintain the consistency among multiple controllers. Consistency should be achieved with as low impact on network performance as possible and should be transparent for controllers, without requiring any change of the SDN protocols. In this work, we propose VNF-Consensus, a virtual network function that implements Paxos to ensure strong consistency among controllers of a distributed control plane. In our solution, controllers can perform their control plane activities without having to execute the expensive tasks required to keep consistency. Experimental results are presented showing the cost and benefits of the proposed solution, in particular in terms of low controller overhead.     

软件定义网络中可靠性优化控制器的位置研究(英)

By decoupling control plane and data plane,Software-Defined Networking(SDN) approach simplifies network management and speeds up network innovations.These benefits have led not only to prototypes,but also real SDN deployments.For wide-area SDN deployments,multiple controllers are often required,and the placement of these controllers becomes a particularly important task in the SDN context.This paper studies the problem of placing controllers in SDNs,so as to maximize the reliability of SDN control networks.We present a novel metric,called expected percentage of control path loss,to characterize the reliability of SDN control networks.We formulate the reliability-aware control placement problem,prove its NP-hardness,and examine several placement algorithms that can solve this problem.Through extensive simulations using real topologies,we show how the number of controllers and their placement influence the reliability of SDN control networks.Besides,we also found that,through strategic controller placement,the reliability of SDN control networks can be significantly improved without introducing unacceptable switch-to-controller latencies.     

TPAAD: Two-phase authentication system for denial of service attack detection and mitigation using machine learning in software-defined network

Software-defined networking (SDN) has received considerable attention and adoption owing to its inherent advantages, such as enhanced scalability, increased adaptability, and the ability to exercise centralized control. However, the control plane of the system is vulnerable to denial-of-service (DoS) attacks, which are a primary focus for attackers. These attacks have the potential to result in substantial delays and packet loss. In this study, we present a novel system called Two-Phase Authentication for Attack Detection that aims to enhance the security of SDN by mitigating DoS attacks. The methodology utilized in our study involves the implementation of packet filtration and machine learning classification techniques, which are subsequently followed by the targeted restriction of malevolent network traffic. Instead of completely deactivating the host, the emphasis lies on preventing harmful communication. Support vector machine and K-nearest neighbours algorithms were utilized for efficient detection on the CICDoS 2017 dataset. The deployed model was utilized within an environment designed for the identification of threats in SDN. Based on the observations of the banned queue, our system allows a host to reconnect when it is no longer contributing to malicious traffic. The experiments were run on a VMware Ubuntu, and an SDN environment was created using Mininet and the RYU controller. The results of the tests demonstrated enhanced performance in various aspects, including the reduction of false positives, the minimization of central processing unit utilization and control channel bandwidth consumption, the improvement of packet delivery ratio, and the decrease in the number of flow requests submitted to the controller. These results confirm that our Two-Phase Authentication for Attack Detection architecture identifies and mitigates SDN DoS attacks with low overhead.     

Dynamic switch migration towards a scalable SDN control plane

Distributed control plane is a promising approach to scalable software‐defined networking (SDN). Live migration of switches from controllers that are overloaded to those that are underutilized may be a solution to handle peak switch traffic using available control resource. However, such migration has to be performed with a well‐designed mechanism to fully utilize available resources in all three resource dimensions: CPU, bandwidth, and memory. In this article, we first provide a resource model for SDN and reduce the switch migration decision to a centralized resource utilization maximization problem under constraints of CPU, bandwidth, and memory. Second, we show that the problem of maximizing resource utilization in an SDN is equivalent to that of maximizing game players' profits in the context of non‐cooperative game theory. Taking controllers and switches as game players and commodities respectively, the player policy is how to migrate switches among the control plane. Finally, we implement a proof of concept, called GAME‐Switch Migration (GAME‐SM). The numerical experiments using Mininet emulator validate nice properties of our game model in enhancing the performance of control plane in SDN. Copyright © 2016 John Wiley & Sons, Ltd.     

基于可编程数据平面的南向协议研究

由于传统网络设备固化且依赖于物理基础设施,难以适应智能化网络的需求。为提高网络的智能化,开放网络的可编程能力,软件定义网络和可编程数据平面应运而生。文章介绍了软件定义网络、可编程数据平面,及其所对应的南向协议,包括OpenFlow协议及其所存在的问题,P4Runtime协议的优势。然后用Mininet软件搭建了网络仿真对P4Runtime的优势进行验证。仿真实验表明,在可编程数据平面协议无关的基础上,P4Runtime作为控制平面和数据平面之间的南向协议,提供了基于Python的交互式和脚本两种下流表方式,与SDN传统下流表方式相比具有更高的灵活性和扩展性,更易于管理人员对网络进行统一管理。为运营商、数据中心等应用场景提供了新的控制管理方案。     

一种在软件定义网络中的新型无泛洪服务发现机制(英)

The low-cost,self-configuration capability and "plug-and-play" feature of Ethernet establishes its dominant position in the local area networks(LAN).However,it is hard to extend to large scale because of the legacy broadcast-based service discovery mechanism.Therefore,to solve this problem,a new split network architecture named Software-Defined Networking(SDN) is introduced in this paper,and a novel floodless service discovery mechanism(FSDM)for SDN is designed.For the FSDM,the widespread broadcast messages for Dynamic Host Configuration Protocol(DHCP) and Address Resolution Protocol(ARP) are considered especially,respectively.Then the DHCP relay and ARP proxy are proposed to handle DHCP broadcast messages and ARP broadcast messages,respectively.The proposed FSDM in this paper can eliminate flooding completely,reserve the autoconfiguration characteristics.Particularly,there is no need to change the existing hardware,software and protocols of hosts for the proposed scheme.Finally,the simulation results are demonstrated to show that our proposed model allows redundant links existed in network and has the property of scalability,which can significantly reduce network traffic in data plane and control traffic in control plane,and decrease the overhead of control plane.     

面向SDN的数据中心网络更新研究综述

近年来,由于软件定义网络(SDN)的控制平面与数据平面分离、集中式控制的特点,被广泛应用于数据中心网络(DCN).分四个部分对DCN更新的相关研究进行了综述.首先,介绍了DCN和SDN的基本概念及研究现状;随后,详细说明了传统DCN在更新方面遇到的缺陷;其次,重点讨论了基于SDN的数据中心网络(SD-DCN)更新场景的研究现状与存在的不足,同时指出了一些方案存在的缺点;最后,对基于SDN的数据中心网络未来研究方向进行了展望,以期为SD-DCN的研究与应用提供一定的参考.     

一种提供电信级QoS的IP网络体系架构

本文将IP业务网络系统按照功能分为三个平面:承载面、信令面和业务面.承载面承载媒体与信令流,信令面完成各种控制功能,应用面是媒体资源服务器.承载面使用MPLS技术,进行带宽预规划,满足需要QoS的业务,并在接入层完成对用户接入及流量的各种控制功能.互联网业务则走普通的IP路由.从而实现基于IP网络,既能提供保证电信级QoS的业务,同时支持普通互联网业务的网络体系结构,具有良好的网络与业务扩展性.     

一种SDN中基于熵值计算的异常流量检测方法

摘要：软件定义网络（software defined networking,SDN）是一种新型网络创新架构,其分离了控制平面与转发平面,使得网络管理更为灵活。借助SDN控制与转发分离的思想,在SDN基础上引入一个集中式安全中心,在数据平面设备上采集数据,用于对网络流量进行分析,通过熵值计算和分类算法判断异常流量行为。对于检测到的网络异常情况,安全中心通过与SDN控制器的接口通告SDN控制器上的安全处理模块,进行流表策略的下发,进而缓解网络异常行为。通过本系统可以在不影响SDN控制器性能的情况下,快速检测网络中的异常行为,并通过SDN下发流表策略对恶意攻击用户进行限制,同时对SDN控制器进行保护。     

Dynamic control plane management for software‐defined networks

Software‐defined network (SDN) is an emerging network paradigm that allows flexible network management by providing programmability from a separated control plane. Because of the centralized management scheme that SDN adopts, intensive control plane overhead incurs as the scale of SDN increases. The control plane overhead is mainly caused by a massive amount of control messages generated during data plane monitoring and reactive flow instantiation. By far, very few works have addressed the overhead issue on reaction flow instantiation; therefore, we mainly focus on alleviating such overhead in this work. To achieve this goal, we propose a new control plane management (CPMan) method. CPMan aims to realize the following two objectives: first, reduce the number of control messages exchanged through the control channel and second, evenly distribute the control workload across multiple controllers to mitigate the potential performance bottleneck. To realize the former, we propose a lightweight feedback loop‐based control scheme, whereas for the latter, we propose a dynamic switch‐to‐controller (DSC) placement scheme. To show the feasibility of our proposal, we implemented a prototype of the two proposed schemes on top of a carrier‐grade SDN controller and validated its performance in an emulated network. We achieved approximately 57.13% overhead reduction with feedback loop‐based control scheme, while achieved approximately 98.68% balance ratio with DSC placement scheme. Copyright © 2016 John Wiley & Sons, Ltd.     

SDN多控制器一致性的量化研究

针对SDN网络中多控制器的一致性问题,提出了一种量化的研究方法,为控制层的东西向扩展提供更为精准有效的共享网络视图方法。首先,结合SDN的特性,给出了控制器之间一致性、性能以及可用性的度量指标,建立通用的量化分析模型。其次,针对其中3类典型的一致性问题进行了量化研究,明确了其取得最优值的条件,为一致性参数的配置提供了参考。最后,通过仿真实验对该量化方法进行验证。实验结果表明,该量化方法能够有效提高SDN控制层的性能和可用性。     

Research on software-defined network and the security defense technology

Software-defined network (SDN) separated the traditional control plane from the data plane,formed a centralized controller,opened up the network programming interface,simplified network management,promoted network innovation and optimized network operation.However,SDN's “three-layer two-interface” architecture increased the network attack surface,resulting in many new security issues.The development,characteristics and working principle of SDN were first introduced,and the existing security problems from the application layer,the northbound interface,the control plane,the southbound interface,the data plane were summarized respectively.Secondly,the latest research progress and existing solutions were discussed.Finally,SDN current and future security challenges were summarized,and the future SDN security development direction was looked forward to.     

软件定义网络在电力数据通信网中的应用研究

软件定义网络（Software Defined Network,SDN）是一种全新的网络架构,它的设计理念是将网络的控制平面与数据转发平面分离,并实现可编程化控制.Openflow由美国斯坦福大学于2007年提出,它提供了标准化的接口,采用流表控制方式,将传统网络通信设备的数据转发和路由控制功能分离,是实现SDN的关键技术.从技术内涵、设备模型等方面对SDN进行了深入研究,同时研究了电力数据通信网的实际需求和现存问题,最后对软件定义网络在电力数据通信网中的应用进行了讨论.     

Balanced multiple controllers placement with latency and capacity bound in software-defined network

Software-defined network (SDN) used a network architecture which separates the control plane and data plane. The control logic of SDN was implemented by the controller. Because controller's capacity was limited, in large scale SDN networks, single controller can not satisfy the requirement of all switches. Multiple controllers were needed to han-dle all data flows. By the reason that the latency between controller and switch would significantly affect the forwarding of new data flow, the rational placement of controllers would effectively improve the performance of entire network. By partition the network into multiple sub domains, on the base of spectral clustering, a method that added a balanced de-ployment object function into k-means was given and a balanced multiple controllers placement algorithm in SDN net-works which has the latency and capacity limitations was proposed. In this approach, a penalty function was introduced in the algorithm to avoid isolation nodes appearing. The simulations show that this algorithm can balance partition the net-work, keep the latency between controller and switch small and keep loads balancing between controllers.