Elsevier

Computer Communications

Volume 167, 1 February 2021, Pages 31-47

A multilevel Bit Vector minimization method for fast online detection of conflicting flow entries in OpenFlow table

https://doi.org/10.1016/j.comcom.2020.12.008

Abstract

OpenFlow implements flow-based control over switches with improved network management performance. However, a packet may match more than one flow entry due to the intra-table dependency phenomenon among flow entries. Moreover, different packets may incur different conflicting flow entries under the intra-table dependency. Forwarding packets by the first-match scheme for prioritized flow entries may not always produce the best outcome. Thus, an online conflict detection procedure executed for each incoming packet is needed to flag the conflicts to network administrators. In addition, the SDN controller may frequently update the service provisioning policies that are specified in the flow entries and deliver them to the switches in a large OpenFlow-based environment. This needs a high-performance conflict detection mechanism to support real-time updating. However, performing conflict detection within a large flow table will be very time consuming. This paper first develops a graph-based multilevel redundancy reduction scheme to construct highly compact matching trees that will be used in conflict detection for a large flow table. Then, a conflict detection algorithm with higher performance and lower cost, the Compact Bit Vector algorithm (CBV), is proposed. The performance of the CBV has been validated through an extensive mathematical performance analysis followed by simulations, with good results in terms of requiring less time for the search, lower memory requirement and lower incremental updating time. Obviously, the CBV is very suitable for the conflict detection task of a large and frequently updated flow table.

Introduction

Software Defined Networking (SDN) [1], [2] is a network paradigm in which the control plane is separated from the data plane and the control functionality is delegated to a centralized controller. This scheme manages the network operations in a global view of the network status and dynamically configures all network devices. Moreover, the network management policies can be updated quickly to react to current flow activities and globally regulate the network states. This means that SDN provides highly flexible and agile programmability to better manage the network [3].

OpenFlow [4] is a well-known protocol designed for SDN that abstracts network communications as flows to be processed by network elements. In this protocol, each forwarding instruction is derived from a flow entry whose value in each field is set by the controller to process incoming packets. The selection of the flow entry is based on a set of predefined match rules that are statically or dynamically programmed by the controller. In the static scheme, flow entries are predefined and permanently stored in the flow table of each switch. However, the limited capacity of the ternary content-addressable memory (TCAM) [5] in a switch cannot afford to store the large number of flow entries necessary to regulate the operation of a large network. In the dynamic scheme, on the other hand, flow entries are installed only when the first packet of a new request arrives at a switch. The controller computes a path for this new request and then installs the associated flow entries into the flow table of the switch. The controller becomes very busy in this scheme when new requests arrive frequently. In OpenFlow, flow entries are matched against incoming packets in priority order, and the first matching entry in the flow table is selected. Each flow entry contains a set of match fields to be compared with the corresponding header fields of an incoming packet, a priority for matching precedence, and an action field that designates the actions to be taken on the packet when this flow entry fully matches the incoming packet. The match fields can be a source network, destination network, protocol, port or similar data. However, the selected flow entry is explicitly undefined if there are multiple matching flow entries with the same highest priority. This often happens in multi-tenant data centers, since multiple flow entries with the same priority can be set for different applications.
For example, tenant A and tenant B establish a tunnel between themselves for single-hop communication in a multi-tenant environment. If another application running on the SDN controller inserts policies to implement deep packet inspection (DPI), all traffic between tenant A and tenant B may be dropped, since the encrypted traffic conflicts with the DPI rules. Clearly, there is an inherent conflict between flow rules inserted by different applications running on the SDN controller. Moreover, an incoming packet may match more than one flow entry due to the phenomenon of intra-table dependency among flow entries [6]. Different incoming packets may incur different conflicting flow entries under intra-table dependency, so forwarding packets by the first-match scheme may not always produce the best outcome. For instance, consider two flow entries fei and fej such that the priority of fei is lower than that of fej and the address space of fei is included in the address space of fej. The rule fei is never invoked, since incoming packets are always processed by fej because of its higher priority. This situation is called shadowing; it is a serious issue because it indicates a conflict in a firewall policy [7]. Currently, Open vSwitch (OvS) [8] is a widely used open-source OpenFlow software switch that uses the tuple space search algorithm for packet classification, but the above conflicts may also exist when searching flow tables if no match is found in the microflow cache and the megaflow cache. Thus, an efficient online conflict detection procedure needs to be executed for each incoming packet to flag the conflicts to network administrators. In addition, the SDN controller may frequently update the service provisioning policies that are specified in flow entries, and then deliver the updated flow entries to the switches in a large OpenFlow-based environment. This also needs online conflict detection for the new and existing flow entries to avoid a fatal impact on specific services. For a large flow table, the conflict detection will be very time consuming. A high-performance, low-cost detection algorithm is therefore needed.

The Bit Vector algorithm (BV) [9] has been widely applied to packet classification, which is frequently invoked in various network management functions, including firewalls, routing, and service differentiation. According to the classification result, a packet classifier refers to a rule database to identify which rule and action should be applied to an arriving packet [10]. An Aggregated Bit Vector algorithm (ABV) [11], [12] was proposed to improve the performance of the BV by reducing the length of the bit vector through rule aggregation. Additionally, the authors’ previous study [13] defined an ordered tree structure, called a matching tree, to represent the relationships of all flow entries in each match field. That study also explored the possibility of using BV- and ABV-based algorithms to resolve the conflict detection problem between flow entries. A Reduced Bit Vector algorithm (RBV) was also presented to improve the performance of using the matching tree structure for conflict detection [13]. However, these algorithms suffer from several performance limitations. Thus, in this study, a new graph-based multilevel redundancy reduction scheme is developed to construct more compact matching trees for a large flow table. Then, a higher-performance online conflict detection algorithm, the Compact Bit Vector algorithm (CBV), is proposed. This algorithm aims to address the following three essential performance issues regarding conflict detection: search speed, memory consumption, and flow entry update time. Through extensive mathematical performance analysis and simulations, the CBV has been shown to have the advantages of 1) developing a highly compact matching tree structure based on a multilevel redundancy reduction scheme and 2) implementing an efficient and flexible conflict detection procedure for a large and frequently updated flow table; it requires much less search time, less memory space, and a lower incremental update time than other algorithms.
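The per-field bit vectors of the BV scheme and the two conflict conditions described above (several matching entries tied at the highest priority, and a lower-priority entry shadowed by a higher-priority entry that covers its address space) can be illustrated with a small added example. The code below is not from the paper or its authors: the flow table, the three match fields (nw_src, nw_dst, tp_dst) and every class and function name are constructed for this illustration. It builds one matching tree per field, with a bit vector (EV) per match node in the BV style, ANDs the per-field vectors to classify a packet, flags an ambiguous highest-priority tie, and runs a static shadowing check over the whole table.

```python
"""Bit Vector (BV) matching over an OpenFlow-like flow table with conflict flags.

Added example; the flow entries, field names and helper names below are
constructed for illustration and are not the paper's code or data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FlowEntry:
    name: str
    priority: int
    nw_src: str            # CIDR prefix; "0.0.0.0/0" is a wildcard
    nw_dst: str            # CIDR prefix
    tp_dst: Optional[int]  # exact-match port; None is a wildcard
    action: str


# Constructed sample flow table (hypothetical, not from the paper).
FLOW_TABLE: List[FlowEntry] = [
    FlowEntry("fe0", 200, "10.0.0.0/8",    "0.0.0.0/0",      None, "output:1"),
    FlowEntry("fe1", 100, "10.1.0.0/16",   "0.0.0.0/0",      80,   "output:2"),
    FlowEntry("fe2", 150, "0.0.0.0/0",     "192.168.0.0/16", 443,  "tunnel:A-B"),
    FlowEntry("fe3", 150, "172.16.0.0/12", "0.0.0.0/0",      None, "dpi"),
    FlowEntry("fe4", 10,  "0.0.0.0/0",     "0.0.0.0/0",      None, "controller"),
]


def prefix_covers(outer: str, inner: str) -> bool:
    """True if CIDR prefix `outer` contains every address of prefix `inner`."""
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


def addr_in_prefix(node: str, value: str) -> bool:
    return ipaddress.ip_address(value) in ipaddress.ip_network(node)


def port_covers(outer: Optional[int], inner: Optional[int]) -> bool:
    """A wildcard covers everything; an exact port covers only itself."""
    return outer is None or outer == inner


def port_in_node(node: Optional[int], value: int) -> bool:
    return node is None or node == value


class FieldTree:
    """One per-field matching tree in the BV sense: every distinct field value in
    the table is a match node, and each node carries a bit vector (EV) whose
    bit i is set when flow entry i covers that node in this field."""

    def __init__(self, entries, field, covers, contains):
        self.covers, self.contains = covers, contains
        self.ev: Dict[object, int] = {}
        for node in {getattr(e, field) for e in entries}:
            self.ev[node] = sum(1 << i for i, e in enumerate(entries)
                                if covers(getattr(e, field), node))

    def lookup(self, value) -> int:
        # Nodes containing the packet value are nested (prefixes, or exact value
        # plus wildcard); the most specific one's EV is exactly the set of
        # entries matching `value` in this field.
        cands = [n for n in self.ev if self.contains(n, value)]
        if not cands:
            return 0
        best = next(c for c in cands if all(self.covers(o, c) for o in cands))
        return self.ev[best]


class BitVectorClassifier:
    def __init__(self, entries: List[FlowEntry]):
        self.entries = list(entries)
        self.trees = {
            "nw_src": FieldTree(self.entries, "nw_src", prefix_covers, addr_in_prefix),
            "nw_dst": FieldTree(self.entries, "nw_dst", prefix_covers, addr_in_prefix),
            "tp_dst": FieldTree(self.entries, "tp_dst", port_covers, port_in_node),
        }

    def matching_entries(self, packet: Dict[str, object]) -> List[FlowEntry]:
        """AND the per-field bit vectors; the surviving bits are the matching entries."""
        bv = (1 << len(self.entries)) - 1
        for field, tree in self.trees.items():
            bv &= tree.lookup(packet[field])
        return [e for i, e in enumerate(self.entries) if bv >> i & 1]

    def classify(self, packet) -> Tuple[Optional[FlowEntry], List[FlowEntry]]:
        """First-match selection plus an online conflict flag: returns the selected
        entry and the entries tied at the highest priority (empty if unambiguous)."""
        matches = self.matching_entries(packet)
        if not matches:
            return None, []
        top = max(e.priority for e in matches)
        tied = [e for e in matches if e.priority == top]
        return tied[0], (tied if len(tied) > 1 else [])


def shadowed_entries(entries: List[FlowEntry]) -> List[Tuple[str, str]]:
    """Static shadowing check: (fei, fej) pairs where fei has lower priority and
    its match space is contained in fej's in every field, so fei never fires."""
    found = []
    for a in entries:
        for b in entries:
            if a is b or a.priority >= b.priority:
                continue
            if (prefix_covers(b.nw_src, a.nw_src) and prefix_covers(b.nw_dst, a.nw_dst)
                    and port_covers(b.tp_dst, a.tp_dst)):
                found.append((a.name, b.name))
                break
    return found


if __name__ == "__main__":
    clf = BitVectorClassifier(FLOW_TABLE)
    pkt = {"nw_src": "172.16.5.5", "nw_dst": "192.168.1.1", "tp_dst": 443}
    chosen, tied = clf.classify(pkt)
    print("selected:", chosen.name, "tied at top priority:", [e.name for e in tied])
    print("shadowed:", shadowed_entries(FLOW_TABLE))
```

For the sample packet the classifier selects fe2 but reports fe2 and fe3 tied at priority 150, which is exactly the undefined-selection case; the static check reports fe1 as shadowed by fe0. Only the baseline BV lookup is modelled here; the aggregation of ABV and the redundancy reduction of CBV that the paper builds on top of it are not.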

The rest of this paper is organized as follows. In Section 2, some related approaches are introduced. In Section 3, the problem of conflict detection in OpenFlow is formulated. Then, the structure of the matching tree, the multilevel redundancy reduction scheme, and the CBV conflict detection algorithm are presented. In Section 4, the CBV is evaluated from various performance aspects. In addition, extensive simulations are conducted to compare the performance between the BV, ABV, and CBV in Section 5. Conclusions are finally drawn in Section 6.

Related work

There have been some conflict detection methods proposed for OpenFlow for different purposes. A hash-trie based method and an ontology-based method were proposed by S. Natarajan et al. [14]. The former adopts a divide-and-conquer strategy. For the match fields of each flow entry, each prefix-type field is represented in a radix trie structure and each exact value field is represented in a hash trie structure. All results are then combined to detect the conflicting flow entries by using a table

Detection of conflicting flow entries on packet matching

In this section, we first formulate the problem of conflict detection in OpenFlow. Then, we present the structure of the matching tree, the conflict detection algorithms which are based on the existing packet classification methods of BV and ABV, and the proposed CBV conflict detection algorithm. Table 1 shows the definition of symbols used in this paper.

Construction of matching trees

The cost of constructing the matching trees is a one-time overhead. For a given flow table, the BV, ABV, and CBV construct the same number (d) of matching trees. Thus, it suffices to analyze and compare their cost for constructing a single matching tree.

BV algorithm. This method does not execute any reduction process. The computational cost for constructing a matching tree is dominated by the matching cost between the match nodes and the flow entries to generate the EVs, i.e., O(nm × nf), where nm is the number of match nodes and nf the number of flow entries, which is

Simulation settings

In this section, extensive simulations are conducted to evaluate and compare the performance of the BV, ABV, and CBV in terms of the construction cost of matching trees, the computational time for conflict detection, and the update cost for a flow entry. Referring to [14], [15], [25], [26], [27], the conflict detection scheme is suggested to be implemented in the control plane, or in a detection layer between the control plane and the forwarding plane. Therefore, the simulations are implemented

Concluding remarks

In this paper, a well-formulated graph-based multilevel redundancy reduction scheme is developed to construct highly compact matching trees for a flow table. Moreover, a high-performance and low-cost CBV algorithm is proposed for the online detection of conflicting flow entries when matching with incoming packets. The proposed redundancy reduction scheme first explores and exploits the covering and potential conflict relations between flow entries of a given flow table to significantly reduce

CRediT authorship contribution statement

Yau-Hwang Kuo: Conceptualization, Methodology, Supervision. Jen-Sheng Tsai: Methodology, Software. TszKwong Leung: Software.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgments

This work is supported in part by the Ministry of Science and Technology of Taiwan under Grant 109-2221-E-006-186-MY3.

References (28)

  • F. Baboescu et al., Fast and scalable conflict detection for packet classifier, Comput. Netw. (2003)
  • B.A.A. Nunes et al., A survey of software-defined networking: Past, present, and future of programmable networks, IEEE Commun. Surveys Tutor. (2014)
  • W. Xia et al., A survey on software-defined networking, IEEE Commun. Surveys Tutor. (2015)
  • Y. Jarraya et al., A survey and a layered taxonomy of software-defined networking, IEEE Commun. Surveys Tutor. (2014)
  • N. McKeown et al., OpenFlow: Enabling innovation in campus networks, ACM SIGCOMM Comput. Commun. Rev. (2008)
  • N. Kitsuwan et al., Independent transient plane design for protection in OpenFlow-based networks, IEEE/OSA J. Opt. Commun. Networking (2015)
  • J. Wang et al., Towards a security-enhanced firewall application for OpenFlow networks, Cyberspace Saf. Secur. (2013)
  • E.S. Al-Shaer, H.H. Hamed, Firewall policy advisor for anomaly discovery and rule editing, in: Proceedings of the 8th...
  • OpenvSwitch. [Online]. Available:...
  • P. Gupta et al., Algorithms for packet classification, IEEE Network (2001)
  • J. Li et al., Scalable packet classification using bit vector aggregating and folding
  • F. Baboescu et al., Scalable packet classification, IEEE/ACM Trans. Netw. (2005)
  • C. Lo, P. Wu, Y. Kuo, Flow entry conflict detection scheme for software-defined network, in: Proceedings of the 2015...
  • S. Natarajan, X. Huang, T. Wolf, Efficient conflict detection in flow-based virtualized networks, in: Proceedings of...