Detection of Flow Violation in Distributed SDN Controller

The Software Defined Networking (SDN) paradigm has revolutionized the way enterprise networks are designed by separating the control plane from the data plane. It introduces a programmable network architecture that enables rapid and open innovation in network functions, which are allowed to install flow rules in forwarding elements via protocols such as OpenFlow. Packet processing also becomes easier because packet information across different layers is readily available. However, these benefits can turn into serious challenges because of the way some OpenFlow features are used. One of them, the set-field action, is widely used by network functions such as firewalls, routers and load balancers to modify packet headers while in transit. Just as a rule in one firewall of a distributed firewall setup may conflict with a rule in another, in SDN, when multiple controllers manage individual networks or subnetworks within an organization, a change to a flow rule in one controller may conflict with the flow rules in another controller. Unmonitored management of flows may cause packets to loop through switches in a single network or across multiple networks, adversely affecting network performance. In this paper, we introduce a mechanism based on a directed graph representation to detect forwarding rules that cause forwarding loops or direct or indirect flow violations in a distributed controller environment. This helps network administrators avoid possible security breaches, network congestion or even complete network failure caused by misconfigured security policies in different subnetworks.
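The loop scenario described above, as an added example that is not the paper's own code: two switches under separate controllers each rewrite the destination prefix with a set-field action and forward to the other, so a packet cycles forever. The `FlowRule`, `LINKS` and rule tables are constructed for illustration; the graph whose nodes are (switch, header) states and whose edges are single rule applications is the assumed representation, and prefix matching is simplified to string-prefix comparison.

```python
from collections import namedtuple

# Constructed model: a rule matches a destination prefix, optionally rewrites it
# (OpenFlow set-field) and forwards to a port. LINKS maps (switch, port) to the
# neighbouring switch; a port absent from LINKS is a host-facing egress port.
FlowRule = namedtuple("FlowRule", "match set_field out_port")
LINKS = {("s1", 2): "s2", ("s2", 1): "s1"}

# Controller A (s1) rewrites 10.0.1/24 traffic to 10.0.2 and sends it to s2;
# controller B (s2) rewrites 10.0.2/24 back to 10.0.1 and sends it to s1.
LOOPING_RULES = {
    "s1": [FlowRule("10.0.1", "10.0.2", 2)],
    "s2": [FlowRule("10.0.2", "10.0.1", 1)],
}
# Corrected policy: s2 rewrites to 10.0.3, which s1 delivers to a host port.
SAFE_RULES = {
    "s1": [FlowRule("10.0.1", "10.0.2", 2), FlowRule("10.0.3", None, 3)],
    "s2": [FlowRule("10.0.2", "10.0.3", 1)],
}

def next_state(rules, links, switch, header):
    """Apply the first matching rule at `switch`; return the next (switch, header)
    node of the graph, or None when the packet leaves the fabric or is dropped."""
    for rule in rules.get(switch, []):
        if header.startswith(rule.match):
            new_header = rule.set_field if rule.set_field else header
            nxt = links.get((switch, rule.out_port))
            return (nxt, new_header) if nxt else None
    return None  # no rule installed: table miss, not a loop

def find_loops(rules, links):
    """Walk the directed state graph from every installed rule and return each
    distinct cycle (a forwarding loop) as an ordered list of (switch, header)."""
    loops, seen = [], set()
    for switch, rule_list in rules.items():
        for rule in rule_list:
            state, path, visited = (switch, rule.match), [], {}
            while state is not None and state not in visited:
                visited[state] = len(path)
                path.append(state)
                state = next_state(rules, links, *state)
            if state is not None:            # revisited a node: cycle closed
                cycle = path[visited[state]:]
                if frozenset(cycle) not in seen:
                    seen.add(frozenset(cycle))
                    loops.append(cycle)
    return loops

if __name__ == "__main__":
    print("looping:", find_loops(LOOPING_RULES, LINKS))
    print("safe:", find_loops(SAFE_RULES, LINKS))
```

Each cycle reported names the switches and the rewritten headers involved, which is what an administrator needs to see which controller's set-field rule to correct.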
