A Sophisticated Packet Forwarding Scheme with Deep Packet Inspection in an OpenFlow Switch

Network administrators can build their own programmable network by using an SDN infrastructure with the OpenFlow protocol. Through the OpenFlow protocol, an SDN controller instructs an OpenFlow switch to perform specific actions, such as service chaining, according to the header fields of incoming packets. Our main goal is to support an extended view of the OpenFlow architecture by inspecting not only the packet header but also the payload information in the packets. For this purpose, we present a sophisticated packet forwarding scheme that uses DPI to effectively inspect all incoming packets. Based on the results of our experiments, we choose the inside of a virtual switch as the most suitable position for the DPI module. Our scheme consists of a log server, a monitoring application, and a DPI function for monitoring and managing network traffic. When the DPI module detects a predefined string pattern of bits in an incoming packet, the switch sends the matching information to the log server, which stores logs containing the detected pattern and resource usage. The monitoring application then periodically gathers log information from the log server and compares it with predefined network policies. Finally, we show that packets are handled more effectively and efficiently in our sophisticated packet forwarding scheme.
