A multilevel Bit Vector minimization method for fast online detection of conflicting flow entries in OpenFlow table
Introduction
Software Defined Networking (SDN) [1], [2] is a network paradigm in which the control plane is separated from the data plane and the control functionality is delegated to a centralized controller. This scheme manages the network operations in a global view of the network status and dynamically configures all network devices. Moreover, the network management policies can be updated quickly to react to current flow activities and globally regulate the network states. This means that SDN provides highly flexible and agile programmability to better manage the network [3].
OpenFlow [4] is a well-known protocol designed for SDN that abstracts network communications as flows to be processed by network elements. In this protocol, each forwarding instruction is derived from a flow entry whose fields are set by the controller to process incoming packets. The selection of the flow entry is based on a set of predefined match rules that are statically or dynamically programmed by the controller. In the static scheme, flow entries are predefined and permanently stored in the flow table of each switch. However, the limited capacity of the ternary content-addressable memory (TCAM) [5] in a switch cannot store the large number of flow entries needed to regulate the operation of a large network. In the dynamic scheme, on the other hand, flow entries are installed only when the first packet of a new request arrives at a switch. The controller computes a path for this new request and then installs the associated flow entries into the flow table of the switch. The controller becomes very busy in this scheme when new requests arrive frequently. In OpenFlow, flow entries are matched against incoming packets in priority order, and the first matched entry in the flow table is selected. Each flow entry contains a set of match fields to be compared with the corresponding header fields of an incoming packet, a priority for matching precedence, and an action field that designates the actions to be taken on the packet when the flow entry fully matches it. The match fields may be a source network, destination network, protocol, port or similar data. However, the selected flow entry is explicitly undefined if multiple matching flow entries share the same highest priority. This often happens in multi-tenant data centers, since multiple flow entries with the same priority can be set for different applications.
For example, tenant A and tenant B establish a tunnel between themselves for single-hop communication in a multi-tenant environment. If another application running on the SDN controller inserts policies to implement deep packet inspection (DPI), all traffic between tenant A and tenant B may be dropped, since the encrypted traffic conflicts with the DPI standard. Clearly, there is an inherent conflict between flow rules inserted by different applications running on the SDN controller. Moreover, an incoming packet may match more than one flow entry because of intra-table dependency among flow entries [6], and different incoming packets may trigger different conflicting flow entries under such dependency. Forwarding packets by the first-match scheme therefore does not always produce the best outcome. For instance, consider two flow entries and , where the priority of is lower than that of and the address space of is included in the address space of . The rule is never invoked, since incoming packets are always processed using , which has the higher priority. This situation is called shadowing; it is a serious issue because it indicates a conflict in a firewall policy [7]. Currently, Open vSwitch (OvS) [8] is a widely used open-source OpenFlow software switch that uses the tuple space search algorithm for packet classification, but the above conflicts may also arise when searching the flow tables if no match is found in the megaflow cache and the microflow cache. Thus, an efficient online conflict detection procedure needs to be executed for each incoming packet to flag the conflicts to network administrators. In addition, the SDN controller may frequently update the service provisioning policies specified in flow entries and then deliver the updated flow entries to the switches in a large OpenFlow-based environment. This also requires online conflict detection for the new and existing flow entries, to avoid a fatal impact on specific services.
For a large flow table, the conflict detection will be very time consuming. A high-performance, low-cost detection algorithm is therefore needed.
The Bit Vector algorithm (BV) [9] has been widely applied to packet classification, which is frequently invoked in various network management functions, including firewalls, routing, and service differentiation. According to the classification result, a packet classifier refers to a rule database to identify which rule and action should be applied to an arriving packet [10]. An Aggregated Bit Vector algorithm (ABV) [11], [12] was proposed to improve the performance of the BV by reducing the length of the bit vector through rule aggregation. Additionally, the authors’ previous study [13] defined an ordered tree structure, called a matching tree, to represent the relationships of all flow entries in each match field. That study also explored the possibility of using BV- and ABV-based algorithms to resolve the conflict detection problem between flow entries, and presented a Reduced Bit Vector algorithm (RBV) to improve the performance of conflict detection using the matching tree structure [13]. However, these algorithms suffer from some performance challenges. Thus, in this study, a new graph-based multilevel redundancy reduction scheme is developed to construct more compact matching trees for a large flow table. Then, a higher-performance online conflict detection algorithm, the Compact Bit Vector algorithm (CBV), is proposed. This algorithm addresses the following three essential performance issues of conflict detection: search speed, memory consumption, and flow entry update time. Through extensive mathematical performance analysis and simulations, the CBV is shown to have the advantages of 1) a highly compact matching tree structure based on a multilevel redundancy reduction scheme and 2) an efficient and flexible conflict detection procedure for a large and frequently updated flow table; it requires much less search time, less memory space, and a lower incremental update time than the other algorithms.
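The following is an added example, not code from the paper or from the authors' CBV implementation. It builds a toy flow table with two prefix match fields (source and destination IPv4 network) and a priority, classifies packets with the plain Bit Vector scheme described above (one bit vector per distinct prefix in each field, ANDed across fields to obtain every matching entry at once), and then uses the same matches to flag the two conflicts discussed in the introduction: several matching entries sharing the highest priority (the undefined first-match case), and a lower-priority entry whose address space lies entirely inside a higher-priority entry's (shadowing). The flow entries, packets and field names are constructed for the example; the paper's matching tree and reduction steps are not implemented here.

```python
# Added example: Bit Vector (BV) classification over a constructed OpenFlow-style
# flow table, plus the two conflict checks from the introduction. Not the paper's
# code; entries, packets and field names are invented for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowEntry:
    name: str
    priority: int
    src: str      # CIDR prefix matched against the packet's source address
    dst: str      # CIDR prefix matched against the packet's destination address
    action: str


class BitVectorClassifier:
    FIELDS = ("src", "dst")

    def __init__(self, entries):
        self.entries = list(entries)
        self.nets = [{f: ipaddress.ip_network(getattr(e, f)) for f in self.FIELDS}
                     for e in self.entries]
        # Per field: (prefix, bit vector), longest prefix first. Bit i is set when
        # entry i's prefix in that field contains this prefix, so any address that
        # falls in the prefix also matches entry i's field.
        self.tables = {}
        for f in self.FIELDS:
            distinct = sorted({n[f] for n in self.nets}, key=lambda n: n.prefixlen, reverse=True)
            table = []
            for net in distinct:
                bv = 0
                for i, n in enumerate(self.nets):
                    if net.subnet_of(n[f]):
                        bv |= 1 << i
                table.append((net, bv))
            self.tables[f] = table

    def field_vector(self, field, addr):
        """Bit vector of the longest prefix in `field` containing addr (0 if none)."""
        a = ipaddress.ip_address(addr)
        for net, bv in self.tables[field]:
            if a in net:
                return bv
        return 0

    def match(self, packet):
        """All entries matching the packet: AND of the per-field bit vectors."""
        bv = (1 << len(self.entries)) - 1
        for f in self.FIELDS:
            bv &= self.field_vector(f, packet[f])
        return [e for i, e in enumerate(self.entries) if (bv >> i) & 1]

    def classify(self, packet):
        """Return (selected entry or None, list of same-highest-priority conflicts)."""
        matches = self.match(packet)
        if not matches:
            return None, []
        top = max(e.priority for e in matches)
        winners = [e for e in matches if e.priority == top]
        return winners[0], (winners if len(winners) > 1 else [])

    def shadowed_entries(self):
        """(low, high) pairs where low has lower priority and lies inside high in every field."""
        pairs = []
        for i, low in enumerate(self.entries):
            for j, high in enumerate(self.entries):
                if high.priority > low.priority and all(
                        self.nets[i][f].subnet_of(self.nets[j][f]) for f in self.FIELDS):
                    pairs.append((low.name, high.name))
        return pairs

    def ambiguous_pairs(self):
        """Same-priority entry pairs whose address spaces overlap in every field."""
        pairs = []
        for i in range(len(self.entries)):
            for j in range(i + 1, len(self.entries)):
                a, b = self.entries[i], self.entries[j]
                if a.priority == b.priority and all(
                        self.nets[i][f].subnet_of(self.nets[j][f]) or
                        self.nets[j][f].subnet_of(self.nets[i][f]) for f in self.FIELDS):
                    pairs.append((a.name, b.name))
        return pairs


# Constructed flow table: a tenant tunnel and a DPI policy installed by two
# applications at the same priority, a host rule shadowed by the tunnel, a default.
ENTRIES = [
    FlowEntry("tunnel_A_B", 100, "10.1.0.0/16", "10.2.0.0/16", "output:tunnel"),
    FlowEntry("dpi_all",    100, "10.0.0.0/8",  "10.0.0.0/8",  "output:dpi"),
    FlowEntry("drop_host",  50,  "10.1.5.0/24", "10.2.0.0/16", "drop"),
    FlowEntry("default",    0,   "0.0.0.0/0",   "0.0.0.0/0",   "controller"),
]

if __name__ == "__main__":
    clf = BitVectorClassifier(ENTRIES)
    selected, conflict = clf.classify({"src": "10.1.5.9", "dst": "10.2.0.1"})
    print("selected:", selected.name, "conflict:", [e.name for e in conflict])
    print("shadowed:", clf.shadowed_entries())
    print("ambiguous:", clf.ambiguous_pairs())
```

`match` is the BV lookup proper: one longest-prefix search per field, then a single AND across fields. `classify` is the per-packet online check the paper motivates (flag the packet when the highest priority is tied), while `shadowed_entries` and `ambiguous_pairs` are the static checks a controller would run when a new entry is inserted, so that a rule that can never fire or a same-priority overlap is reported before the switch has to resolve it arbitrarily.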
The rest of this paper is organized as follows. In Section 2, some related approaches are introduced. In Section 3, the problem of conflict detection in OpenFlow is formulated. Then, the structure of the matching tree, the multilevel redundancy reduction scheme, and the CBV conflict detection algorithm are presented. In Section 4, the CBV is evaluated from various performance aspects. In addition, extensive simulations are conducted to compare the performance between the BV, ABV, and CBV in Section 5. Conclusions are finally drawn in Section 6.
Related work
There have been some conflict detection methods proposed for OpenFlow for different purposes. A hash-trie based method and an ontology-based method were proposed by S. Natarajan et al. [14]. The former adopts a divide-and-conquer strategy. For the match fields of each flow entry, each prefix-type field is represented in a radix trie structure and each exact value field is represented in a hash trie structure. All results are then combined to detect the conflicting flow entries by using a table
Detection of conflicting flow entries on packet matching
In this section, we first formulate the problem of conflict detection in OpenFlow. Then, we present the structure of the matching tree, the conflict detection algorithms which are based on the existing packet classification methods of BV and ABV, and the proposed CBV conflict detection algorithm. Table 1 shows the definition of symbols used in this paper.
Construction of matching trees
The cost of constructing the matching trees is a one-time overhead. For a given flow table, the BV, ABV, and CBV construct the same number () of matching trees. Thus, it suffices to analyze and compare their cost for the construction of a single matching tree.
BV algorithm. This method does not execute any reduction process. The computational cost for constructing a matching tree is dominated by the matching cost between the match nodes and flow entries to generate EVs, i.e., , which is
Simulation settings
In this section, extensive simulations are conducted to evaluate and compare the performance of the BV, ABV, and CBV in terms of the construction cost of matching trees, the computational time for conflict detection, and the update cost for a flow entry. Referring to [14], [15], [25], [26], [27], the conflict detection scheme is suggested to be implemented in the control plane, or in a detection layer between the control plane and the forwarding plane. Therefore, the simulations are implemented
Concluding remarks
In this paper, a well-formulated graph-based multilevel redundancy reduction scheme is developed to construct highly compact matching trees for a flow table. Moreover, a high-performance and low-cost CBV algorithm is proposed for the online detection of conflicting flow entries when matching with incoming packets. The proposed redundancy reduction scheme first explores and exploits the covering and potential conflict relations between flow entries of a given flow table to significantly reduce
CRediT authorship contribution statement
Yau-Hwang Kuo: Conceptualization, Methodology, Supervision. Jen-Sheng Tsai: Methodology, Software. TszKwong Leung: Software.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgments
This work is supported in part by the Ministry of Science and Technology of Taiwan under Grants 109-2221-E-006-186-MY3.
References
- et al., Fast and scalable conflict detection for packet classifier, Comput. Netw. (2003).
- et al., A survey of software-defined networking: Past, present, and future of programmable networks, IEEE Commun. Surveys Tutor. (2014).
- et al., A survey on software-defined networking, IEEE Commun. Surveys Tutor. (2015).
- et al., A survey and a layered taxonomy of software-defined networking, IEEE Commun. Surveys Tutor. (2014).
- et al., OpenFlow: Enabling innovation in campus networks, ACM SIGCOMM Comput. Commun. Rev. (2008).
- et al., Independent transient plane design for protection in OpenFlow-based networks, IEEE/OSA J. Opt. Commun. Networking (2015).
- et al., Towards a security-enhanced firewall application for OpenFlow networks, Cyberspace Saf. Secur. (2013).
- E.S. Al-Shaer, H.H. Hamed, Firewall policy advisor for anomaly discovery and rule editing, in: Proceedings of the 8th...
- Open vSwitch. [Online]. Available:...
- et al., Algorithms for packet classification, IEEE Network (2001).