Software Defined Networking
Software Defined Networking
Software Defined Networking
An Introduction
Dr. Noman Islam
https://sites.google.com/a/nu.edu.pk/noman-islam/
http://www.facebook.com/sir.noman.islam
Problems with conventional networks
Traditional IP networks are complex and very hard to
manage.
To express the desired high-level network policies,
network operators need to configure each individual
network device separately using low-level and often
vendor-specific commands.
In addition to the configuration complexity, network
environments have to endure the dynamics of faults
and adapt to load changes.
Automatic reconfiguration and response mechanisms
are virtually non-existent in current IP networks.
Current networks are also vertically integrated:
the control and data planes are bundled together.
The control plane (that decides how to handle
network traffic) and the data plane (that forwards
traffic according to the decisions made by the
control plane) are bundled inside the networking
devices, reducing flexibility and hindering
innovation and evolution of the networking
infrastructure.
The transition from IPv4 to IPv6, started more than a
decade ago and still largely incomplete, bears witness
to this challenge, while in fact IPv6 represented merely
a protocol update.
Due to the inertia of current IP networks, a new
routing protocol can take 5 to 10 years to be fully
designed, evaluated and deployed. Likewise, a clean-
slate approach to change the Internet architecture
(e.g., replacing IP), is regarded as a daunting task
simply not feasible in practice
This situation has inflated the capital and operational
expenses of running an IP network
Software Defined Networking
Software-Defined Networking (SDN) is an emerging
paradigm that promises to change this state of affairs,
by breaking vertical integration, separating the
networks control logic from the underlying routers and
witches, promoting (logical) centralization of network
control, and introducing the ability to program the
network
With the separation of the control and data planes,
network switches become simple forwarding devices
and the control logic is implemented in a logically
centralized controller (or network operating system)
simplifying policy enforcement and network
(re)configuration and evolution
SDN makes it easier to create and introduce new
abstractions in networking, simplifying network
management and facilitating network evolution.
The controller exercises direct control over the
state in the data plane elements via this well-
defined application programming interface (API),
as depicted in Figure
The most notable example of such an API is
OpenFlow
OpenFlow
An OpenFlow switch has one or more tables of packet-
handling rules (flow table). Each rule matches a subset
of the traffic and performs certain actions (dropping,
forwarding, modifying, etc.) on the traffic.
Depending on the rules installed by a controller
application, an OpenFlow switch can instructed by
the controller behave like a router, switch, firewall, or
perform other roles (e.g., load balancer, traffic shaper,
and in general those of a middlebox).
Most vendors of commercial switches now include
support of the OpenFlow API in their equipment
Separation of concerns
An important consequence of the software-
defined networking principles is the separation of
concerns introduced between the definition of
network policies, their implementation in
switching hardware, and the forwarding of traffic.
This separation is key to the desired flexibility,
breaking the network control problem into
tractable pieces, and making it easier to create
and introduce new abstractions in networking,
simplifying network management and facilitating
network evolution and innovation.
SDN momentum was strong enough to make
Google, Facebook, Yahoo, Microsoft, Verizon,
and Deutsche Telekom fund Open Networking
Foundation (ONF) [10] with the main goal of
promotion and adoption of SDN through open
standards development.
Google, for example, has deployed a software-
defined network to interconnect its data
centers across the globe.
Computer networks can be divided in three planes of
functionality: the data, control and management planes
The data plane corresponds to the networking devices,
which are responsible for (efficiently) forwarding data. The
control plane represents the protocols used to populate the
forwarding tables of the data plane elements.
The management plane includes the software services,
such as SNMP-based tools used to remotely monitor and
configure the control functionality.
Network policy is defined in the management plane, the
control plane enforces the policy, and the data plane
executes it by forwarding data accordingly.
Traditional networks
In traditional IP networks, the control and data
planes are tightly coupled, embedded in the
same networking devices, and the whole
structure is highly decentralized.
However, the outcome is a very complex and
relatively static architecture
Network misconfigurations and related errors are
extremely common in todays networks. For
instance, more than 1000 configuration errors
have been observed in BGP routers
From a single misconfigured device may result
very undesired network behavior (including,
among others, packet losses, forwarding
loops, setting up of unintended paths, or
service contract violations).
Indeed, while rare, a single misconfigured
router is able to compromise the correct
operation of the whole Internet for hours
To support network management, a small number of
vendors offer proprietary solutions of specialized
hardware, operating systems, and control programs
(network applications).
The capital and operational cost of building and
maintaining a networking infrastructure is significant
To alleviate the lack of in-path functionalities within
the network, a myriad of specialized components and
middleboxes, such as firewalls, intrusion detection
systems and deep packet inspection engines,
proliferate in current networks.
Despite helping in-path functionalities, the net
effect of middleboxes has been increased
complexity of network design and its
operation.
Pillars of SDN
We define an SDN as a network architecture with four pillars:
The control and data planes are decoupled. Control functionality is
removed from network devices that will become simple (packet)
forwarding elements.
Forwarding decisions are flow-based, instead of destination-based.
Control logic is moved to an external entity, the socalled SDN controller or
Network Operating System (NOS). The NOS is a software platform that
runs on commodity server technology and provides the essential
resources and abstractions to facilitate the programming of forwarding
devices based on a logically centralized, abstract network view. Its purpose
is therefore similar to that of a traditional operating system.
The network is programmable through software applications running on
top of the NOS that interacts with the underlying data plane devices. This
is a fundamental characteristic of SDN, considered as its main value
proposition.
Abstractions
An SDN can be defined by three fundamental abstractions:
(i) forwarding, (ii) distribution, and (iii) specification.
The forwarding abstraction should allow any forwarding
behavior desired by the network application (the control
program) while hiding details of the underlying hardware
The distribution abstraction should shield SDN applications
from the vagaries of distributed state, making the
distributed control problem a logically centralized one.
The last abstraction is specification, which should allow a
network application to express the desired network
behavior without being responsible for implementing that
behavior itself.
Advantages of SDN
It becomes easier to program these applications since the
abstractions provided by the control platform and/or the network
programming languages can be shared.
All applications can take advantage of the same network
information (the global network view), leading (arguably) to more
consistent and effective policy decisions while re-using control
plane software modules.
These applications can take actions (i.e., reconfigure forwarding
devices) from any part of the network. There is therefore no need
to devise a precise strategy about the location of the new
functionality.
The integration of different applications becomes more
straightforward For instance, load balancing and routing
applications can be combined sequentially, with load balancing
decisions having precedence over routing policies.
Forwarding Devices (FD)
Hardware- or software-based data plane devices that
perform a set of elementary operations.
The forwarding devices have well-defined instruction
sets (e.g., flow rules) used to take actions on the
incoming packets (e.g., forward to specific ports, drop,
forward to the controller, rewrite some header). These
instructions are defined by southbound interfaces (e.g.,
OpenFlow, ForCES , Protocol- Oblivious Forwarding
(POF))and are installed in the forwarding devices by the
SDN controllers implementing the southbound
protocols
Data Plane (DP)
Forwarding devices are interconnected
through wireless radio channels or wired
cables. The network infrastructure comprises
the interconnected forwarding devices, which
represent the data plane.
Southbound Interface (SI)
The instruction set of the forwarding devices
is defined by the southbound API, which is
part of the southbound interface.
Furthermore, the SI also defines the
communication protocol between forwarding
devices and control plane elements. This
protocol formalizes the way the control and
data plane elements interact.
Control Plane (CP)
Forwarding devices are programmed by
control plane elements through well-defined
SI embodiments.
The control plane can therefore be seen as the
network brain. All control logic rests in the
applications and controllers, which form the
control plane.
Northbound Interface (NI)
The network operating system can offer an API
to application developers.
This API represents a northbound interface,
i.e., a common interface for developing
applications.
Typically, a northbound interface abstracts the
low level instruction sets used by southbound
interfaces to program forwarding devices.
Management Plane (MP)
The management plane is the set of applications
that leverage the functions offered by the NI to
implement network control and operation logic.
This includes applications such as routing,
firewalls, load balancers, monitoring, and so
forth.
Essentially, a management application defines the
policies, which are ultimately translated to
southbound-specific instructions that program
the behavior of the forwarding devices.
SDN: Bottom up perspective
Infrastructure
An SDN infrastructure, similarly to a traditional
network, is composed of a set of networking
equipment (switches, routers and middlebox
appliances).
The main difference resides in the fact that those
traditional physical devices are now simple forwarding
elements without embedded control or software to
take autonomous decisions.
The network intelligence is removed from the data
plane devices to a logically-centralized control system,
i.e., the network operating system and applications
More importantly, these new networks are built
(conceptually) on top of open and standard
interfaces (e.g., OpenFlow)
In other words, these open interfaces enable
controller entities to dynamically program
heterogeneous forwarding devices, something
difficult in traditional networks, due to the large
variety of proprietary and closed interfaces and
the distributed nature of the control plane.
SDN/ OpenFlow
In an SDN/OpenFlow architecture, there are
two main elements, the controllers and the
forwarding devices
A data plane device is a hardware or software
element specialized in packet forwarding,
while a controller is a software stack (the
network brain) running on a commodity
hardware platform.
An OpenFlow-enabled forwarding device is based on a
pipeline of flow tables where each entry of a flow table
has three parts: (1) a matching rule, (2) actions to be
executed on matching packets, and (3) counters that
keep statistics of matching packets.
Inside an OpenFlow device, a path through a sequence
of flow tables defines how packets should be handled.
When a new packet arrives, the lookup process starts
in the first table and ends either with a match in one of
the tables of the pipeline or with a miss (when no rule
is found for that packet).
If there is no default rule, the packet will be
discarded. However, the common case is to
install a default rule which tells the switch to
send the packet to the controller (or to the
normal non-OpenFlow pipeline of the switch).
The priority of the rules follows the natural
sequence number of the tables and the row
order in a flow table.
Possible actions include (1) forward the packet
to outgoing port(s), (2) encapsulate it and
forward it to the controller, (3) drop it, (4)
send it to the normal processing pipeline, (5)
send it to the next flow table or to special
tables, such as group or metering tables
introduced in the latest OpenFlow protocol.
Southbound Interfaces
Southbound interfaces (or southbound APIs) are
the connecting bridges between control and
forwarding elements
These APIs are still tightly tied to the forwarding
elements of the underlying physical or virtual
infrastructure.
As a central component of its design the
southbound APIs represent one of the major
barriers for the introduction and acceptance of
any new networking technology.
In this light, the emergence of SDN southbound
API proposals such as OpenFlow is seen as
welcome by many in the industry
OpenFlow is the most widely accepted and
deployed open southbound standard for SDN.
It provides a common specification to implement
OpenFlow-enabled forwarding devices, and for
the communication channel between data and
control plane devices (e.g., switches and
controllers).
OpenFlow messages
The OpenFlow protocol provides three information
sources for network operating systems
First, event-based messages are sent by forwarding
devices to the controller when a link or port change is
triggered
Second, flow statistics are generated by the forwarding
devices and collected by the controller.
Third, packet-in messages are sent by forwarding
devices to the controller when they do not known
what to do with a new incoming flow or because there
is an explicit send to controller action in the matched
entry of the flow table
OpenFlow is not the only available
southbound interface for SDN.
There are other API proposals such as ForCES ,
OVSDB , POF , OpFlex , OpenState , Revised
Open-Flow Library (ROFL) , Hardware
Abstraction Layer(HAL) and Programmable
Abstraction of Datapath (PAD).
POF
One of the first direct competitors of OpenFlow is
POF
With OpenFlow, switches have to understand the
protocol headers to extract the required bits to
be matched with the flow tables entries.
This parsing represents a significant burden for
data plane devices, in particular if we consider
that OpenFlow version 1.3 already contains more
than 40 header fields.
Besides this inherent complexity, backward
compatibility issues may arise every time new
header fields are included in or removed from the
protocol
In POF, packet parsing is a controller task that
results in a sequence of generic keys and table
lookup instructions that are installed in the
forwarding elements
The behavior of data plane devices is therefore
completely under the control of the SDN
controller.
OpFlex
Contrary to OpenFlow (and similar to ForCES), one of
the ideas behind OpFlex is to distribute part of the
complexity of managing the network back to the
forwarding devices, with the aim of improving
scalability.
Similar to OpenFlow, policies are logically centralized
and abstracted from the underlying implementation.
The differences between OpenFlow and OpFlex are a
clear illustration of one of the important questions to
be answered when devising a southbound interface:
where to place each piece of the overall functionality.
OpenState
OpenState proposes extended finite machines
(stateful programming abstractions) as an
extension (super-set) of the OpenFlow
match/action abstraction.
Network Hypervisors
Hypervisors enable distinct virtual machines
to share the same hardware resources.
Network hypervisors allow network engineers
to create virtual networks that are completely
decoupled and independent from the
underlying physical network.
The hypervisor enables segments of a virtual
network to be managed independently and to
be provisioned dynamically.
FlowVisor
FlowVisor is one of the early technologies to
virtualize a SDN.
Its basic idea is to allow multiple logical networks
share the same OpenFlow networking
infrastructure.
For this purpose, it provides an abstraction layer
that makes it easier to slice a data plane based on
off-the-shelf OpenFlow-enabled switches,
allowing multiple and diverse networks to co-
exist
Five slicing dimensions are considered in
FlowVisor: bandwidth, topology, traffic, device
CPU and forwarding tables.
Moreover, each network slice supports a
controller, i.e., multiple controllers can co-
exist on top of the same physical network
infrastructure.
Each controller is allowed to act only on its
own network slice.
Other proposals for network hypervisors are:
OpenVirtex, AutoSlice, AutoVFlow etc.
Network operating system/ controllers
Traditional operating systems provide
abstractions (e.g., high-level programming APIs)
for accessing lower-level devices, manage the
concurrent access to the underlying resources
(e.g., hard drive, network adapter, CPU, memory),
and provide security protection mechanisms.
In contrast, networks have so far been managed
and configured using lower level, device-specific
instruction sets and mostly closed proprietary
network operating systems (e.g., Cisco IOS and
Juniper JunOS).
For instance, nowadays designers of routing
protocols need to deal with complicated
distributed algorithms when solving
networking problems. Network practitioners
have therefore been solving the same
problems over and over again.
SDN is promised to facilitate network
management and ease the burden of solving
networking problems by means of the
logically-centralized control offered by a
network operating system (NOS)
The crucial value of a NOS is to provide
abstractions, essential services, and common
application programming interfaces (APIs) to
developers
Generic functionality as network state and network
topology information, device discovery, and
distribution of network configuration can be provided
as services of the NOS.
With NOSs, to define network policies a developer no
longer needs to care about the low-level details of data
distribution among routing elements, for instance.
Such systems can arguably create a new environment
capable of fostering innovation at a faster pace by
reducing the inherent complexity of creating new
network protocols and network applications
Centralized Vs Distributed Controller
A centralized controller is a single entity that
manages all forwarding devices of the network.
Naturally, it represents a single point of failure
and may have scaling limitations
highly concurrent systems, to achieve the
throughput required by enterprise class networks
and data centers.
These controllers are based on multi-threaded
designs to explore the parallelism of multi-core
computer architectures.
As an example, Beacon can deal with more
than 12 million flows per second by using
large size computing nodes of cloud providers
such as Amazon
Others target specific environments such as
data centers, cloud infrastructures, and carrier
grade networks.
Contrary to a centralized design, a distributed
network operating system can be scaled up to
meet the requirements of potentially any
environment, from small to large-scale
networks.
A distributed controller can be a centralized
cluster of nodes or a physically distributed set
of elements.
Most distributed controllers offer weak consistency
semantics, which means that data updates on distinct
nodes will eventually be updated on all controller nodes.
This implies that there is a period of time in which distinct
nodes may read different values (old value or new value)
for a same property.
Strong consistency, on the other hand, ensures that all
controller nodes will read the most updated property value
after a write operation.
Despite its impact on system performance, strong
consistency offers a simpler interface to application
developers.
Another common property of distributed
controllers is fault tolerance.
When one node fails, another neighbor node
should take over the duties and devices of the
failed node. So far, despite some controllers
tolerating crash failures, they do not tolerate
arbitrary failures, which means that any node
with an abnormal behavior will not be
replaced by a potentially well behaved one.
Core controller functions
The base network service functions are what we
consider the essential functionality all controllers
should provide
Functions such as topology, statistics, notifications and
device management, together with shortest path
forwarding and security mechanisms are essential
network control functionalities that network
applications may use in building its logic.
Security mechanisms are another example, as they are
critical components to provide basic isolation and
security enforcement between services and
applications
Southbound
On the lower-level of control platforms, the
southbound APIs can be seen as a layer of
device drivers.
They provide a common interface for the
upper layers, while allowing a control platform
to use different southbound APIs (e.g.,
OpenFlow, OVSDB, ForCES) and protocol
plugins to manage existing or new physical or
virtual devices (e.g., SNMP, BGP, NetConf).
On the data plane, a mix of physical devices,
virtual devices (e.g., Open vSwitch ,vRouter)
and a variety of device interfaces (e.g.,
OpenFlow, OVSDB, of-config , NetConf, and
SNMP) can co-exist.
Eastbound and Westbound
East/westbound APIs, as illustrated in Figure,
are a special case of interfaces required by
distributed controllers
The functions of these interfaces include
import/export data between controllers,
algorithms for data consistency models, and
monitoring/notification capabilities (e.g.,
check if a controller is up or notify a take over
on a set of forwarding devices).
To identify and provide common compatibility
and interoperability between different
controllers, it is necessary to have standard
east/westbound interfaces
Northbound
Current controllers offer a quite broad variety of
northbound APIs, such as ad-hoc APIs, RESTful
APIs, multi-level programming interfaces, file
systems, among other more specialized APIs such
as NVP NBAPI, and SDMN API
A second kind of northbound interfaces are those
stemming out of SDN programming languages
such as Frenetic, Nettle, NetCore , Procera ,
Pyretic , NetKAT and other query-based
languages
Northbound interfaces
A common northbound interface is still an
open issue.
Open and standard northbound interfaces are
crucial to promote application portability and
interoperability among the different the
control platforms.
A northbound API can be compared to the
POSIX standard
Language-based Virtualization
Pyretic is an interesting example of a
programming language that offers type of
high-level abstraction of network topology.
It incorporates abstraction by introducing
network objects.
These objects consist of an abstract network
topology and the sets of policies applied to it.
Network objects simultaneously hide
information and offer the required services.
Static slicing
Another form of language-based virtualization is static
slicing.
This a scheme where the network is sliced by a compiler,
based on application layer definitions.
The output of the compiler is a monolithic control program
that has already slicing definitions and configuration
commands for the network.
In such a case, there is no need for a hypervisor to
dynamically manage the network slices. Static slicing can be
valuable for deployments with specific requirements, in
particular those where higher performance and simple
isolation guarantees are preferrable to dynamic slicing.
Programming languages
Programmability in networks is starting to move from low
level machine languages such as OpenFlow (assembly) to
high-level programming languages
Assembly-like machine languages, such as OpenFlow and
POF , eessentially mimic the behavior of forwarding
devices, forcing developers to spend too much time on low-
level details rather than on the problem solve.
Raw OpenFlow programs have to deal with hardware
behavior details such as overlapping rules, the priority
ordering of rules, and data-plane inconsistencies that arise
from in-flight packets whose flow rules are under
installation
In SDNs, high-level programming languages can be
designed and used to:
1) create higher level abstractions for simplifying
the task of programming forwarding devices;
2) enable more productive and problem-focused
environments for network software
programmers, speeding up development and
innovation;
3) promote software modularization and code
reusability in the network control plane;
4) foster the development of network virtualization.
Network Applications
Network applications can be seen as the network brains.
They implement the control-logic that will be translated
into commands to be installed in the data plane, dictating
the behavior of the forwarding devices.
Take a simple application as routing as an example. The
logic of this application is to define the path through which
packets will flow from a point A to a point B.
To achieve this goal a routing application has to, based on
the topology input, decide on the path to use and instruct
the controller to install the respective forwarding rules in all
forwarding devices on the chosen path, from A to B.
Software-defined networks can be deployed
on any traditional network environment, from
home and enterprise networks to data centers
and Internet exchange points.
Such variety of environments has led to a wide
array of network applications.
Traffic engineering
The main goal of most applications is to engineer
traffic with the aim of minimizing power
consumption, maximizing aggregate network
utilization, providing optimized load balancing,
and other generic traffic optimization techniques.
Wildcards can be utilized for aggregating clients
requests based on the ranges of IP prefixes, for
instance, allowing the distribution and directing
of large groups of client requests without
requiring controller intervention for every new
flow.
In tandem, operation in reactive mode may
still be used when traffic bursts are detected.
The controller application needs to monitor
the network traffic and use some sort of
threshold in the flow counters to redistribute
clients among the servers when bottlenecks
are likely to happen.
SDN load-balancing also simplifies the placement
of network services in the network.
Every time a new server is installed, the load-
balancing service can take the appropriate
actions to seamlessly distribute the traffic among
the available servers, taking into consideration
both the network load and the available
computing capacity of the respective servers.
This simplifies network management and
provides more flexibility to network operators.
Other applications
Mobility & wireless applications
Measurement and monitoring
Security and dependability
SDN App Store
The SDN App Store owned by HP, is probably the
first SDN application market store.
Customers using HPs OpenFlow controller have
access to the online SDN App Store and are able
to select applications to be dynamically
downloaded and installed in the controller.
The idea is similar to the Android Market or the
Apple Store, making it easier for developers to
provide new applications and for customers to
obtain them.
SDN Development Tools
Mininet [53] allows an entire OpenFlow network to be
emulated on a single machine, simplifying the initial
development and deployment process.
New services, applications and protocols can first be
developed and tested on an emulation of the
anticipated deployment environment before moving to
the actual hardware. By default Mininet supports
OpenFlow v1.0, though it may be modified to support
a software switch that implements a newer release.
The ns-3 [54] network simulator supports OpenFlow
switches within its environment, though the current
version only implements OpenFlow v0.89
Research challenges
Controller and Switch Design
SDN raises significant scalability, performance,
robustness, and security challenges
Flow entries can be proactively pushed to
switches in an attempt to reduce the number
of requests to the controller
short-lived flows in switches and long-
lived flows in the controller to mitigate flow
setup delay and controller overhead.
increase or decrease the pool of controllers
based on controllers load estimates
dynamically handover switches from one
controller to another as needed
However, for increased scalability and
especially for reliability and robustness
purposes, it has been recognized that the
logically-centralized controller must be
physically distributed.
Although control and measurement are two
important components of network
management, little thought has gone into
designing APIs for measurement
Much of the current work on SDN examines or proposes
solutions within the context of a single administrative
domain which matches quite well SDNs logically
centralized control model.
However, environments whose administration is inherently
decentralized, like the Internet, call for a control plane that
is logically distributed
This will allow participating autonomous systems (ASes) to
be controlled independently by their own (logically
centralized and possibly physically distributed) controller.
Software Defined Internet
Multiple administrative domains
Controller Service Interaction
There is no standard for interactions between
controllers and network services or applications
If we think of the controller as a network operating
system, then there should be a clearly defined
interface by which applications can access the
underlying hardware (switches), co-exist and interact
with other applications, and utilize system services
(e.g. topology discovery, forwarding), without requiring
the application developer to know the implementation
details of the controller
Use of a network configuration language to express
policies.
Virtualization and Cloud Services
The demand for virtualization and cloud
services has been growing rapidly and
attracting considerable interest from industry
and academia.
The challenges it presents include rapid
provisioning, efficient resource management,
and scalability which can be addressed using
SDNs control model.