A lightweight protocol for consistent policy update on software-defined networking with multiple controllers

https://doi.org/10.1016/j.jnca.2018.08.007

Abstract

Network-policy updates have to be committed in a consistent way on distributed-controller software-defined networking. Otherwise, the network may experience unexpected transitory configuration states, which compromise performance, security, or even correct operation. In this paper, we propose a scheme that provides consistent policy updates without rule conflicts and transitory states. The main contributions are: (i) a protocol that serializes policy update commitments to provide consistency; (ii) a consensus interface proposal that facilitates controller agreement about the network configuration version; and (iii) an algorithm for checking whether a new policy is an update or a refinement of already installed policies, or whether it conflicts with them. We prove that our protocol achieves a global order for all policy updates and that our algorithm correctly composes all policies. Simulation results using real network topologies show that the proposed distributed policy update scheme achieves a per-packet consistent configuration with a low control message overhead.

Introduction

Network management engages in a continuous specification of network policies that includes traffic engineering and chaining of middleboxes and network functions (Medhat et al., 2017; Han et al., 2015; Reitblatt et al., 2012). The paradigm of Software-Defined Networking (SDN) simplifies network management as it decouples the logically centralized control plane from the distributed data plane (Levin et al., 2012; Cui et al., 2013). Control applications lie at the control plane and access a global network view, which allows defining high-level network policies that encode the expected behavior of the network (Canini et al., 2015; Akhunzada et al., 2016). The controller then translates the policies into forwarding rules that configure the data plane behavior. In SDN, the forwarding rules are expressed as flow-table configurations of the individual switches running on the data plane.

Realizing the network controller as a centralized server implies challenges to the security, performance, and scalability of the network (Levin et al., 2012). On the other hand, handling policy updates on a distributed SDN control plane is a distributed-computing challenge, in which the proper operation of the network depends on consistently reasoning about concurrent policy updates and about the interaction between all policies applied on the network (Reitblatt et al., 2012; Canini et al., 2015; Brandt et al., 2016; Zhang et al., 2018).

In this paper, we propose a lightweight protocol for handling policy updates on Software-Defined Networking with a distributed control plane. The main idea is for the controllers to reach consensus, in a timely manner, on the order in which new policies are deployed on the network. The network has to react to a policy update request within a short time lapse to comply with next-generation networking requirements (I et al., 2016; Taleb et al., 2016). When concomitant policy updates arrive at different controllers, the controllers have to agree on the installation order of all updates and on whether a new update conflicts with the others. Hence, our main contributions are threefold:

  • A lightweight consistency protocol that serializes commitment of concurrent policy updates launched by different controllers,

  • An abstract consensus interface, in which controllers agree with the most current version of the network configuration,

  • A simple algorithm for checking whether a new policy is an update or a refinement of policies already installed on the network, or whether it conflicts with them.
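The third contribution, classifying a new policy as an update, a refinement, or a conflict with respect to the installed policies, is only summarized on this page. The following is an added example, not the paper's algorithm: it assumes a simplified model in which a policy is a single match/action rule over a few header fields (`None` meaning wildcard) and decides the relation from match-set containment and overlap. The field names, the `Rule` type and the verdict ordering are assumptions made for the illustration.

```python
"""Toy classifier for a new forwarding policy against installed policies.

Added example, not the paper's algorithm. A policy is modelled as one
match/action rule; a match is a dict over FIELDS where a missing key or
None is a wildcard. The relation between two rules is derived from
whether their match sets are equal, nested, partially overlapping, or
disjoint, and whether their actions agree.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FIELDS = ("in_port", "src", "dst", "proto")  # assumed header fields


@dataclass(frozen=True)
class Rule:
    match: Dict[str, Optional[str]]
    action: str

    def value(self, f: str) -> Optional[str]:
        return self.match.get(f)  # None means wildcard


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    for f in FIELDS:
        o, i = outer.value(f), inner.value(f)
        if o is None:
            continue  # outer wildcard accepts anything inner selects
        if i is None or i != o:
            return False  # inner is wider or points at a different value
    return True


def overlaps(a: Rule, b: Rule) -> bool:
    """True if at least one packet can match both rules."""
    for f in FIELDS:
        x, y = a.value(f), b.value(f)
        if x is not None and y is not None and x != y:
            return False  # both constrain the field to different values
    return True


def relation(new: Rule, old: Rule) -> str:
    """Relation of `new` to one installed rule `old`."""
    if not overlaps(new, old):
        return "independent"
    if covers(old, new) and covers(new, old):
        return "update"          # same match set: the action is being replaced
    if covers(old, new):
        return "refinement"      # strictly more specific than the installed rule
    if new.action == old.action:
        return "compatible"      # partial overlap, but both rules agree
    return "conflict"            # partial overlap with disagreeing actions


VERDICT_ORDER = ("conflict", "update", "refinement", "compatible", "independent")


def classify(new: Rule, installed: List[Rule]) -> str:
    """Aggregate verdict: a single conflict anywhere vetoes the new policy."""
    rels = {relation(new, old) for old in installed}
    return next(v for v in VERDICT_ORDER if v in rels) if rels else "independent"


def compose(new: Rule, installed: List[Rule]) -> Tuple[str, List[Rule]]:
    """Return the verdict and the table that results from accepting `new`.

    Conflicts leave the table untouched; an update replaces the rule with
    the same match; refinements and independent rules are appended.
    """
    verdict = classify(new, installed)
    if verdict == "conflict":
        return verdict, list(installed)
    table = [old for old in installed if relation(new, old) != "update"]
    table.append(new)
    return verdict, table


# Constructed sample table: two non-overlapping destination-based rules.
INSTALLED = [Rule({"dst": "h1"}, "fwd:p2"), Rule({"dst": "h2"}, "fwd:p3")]

if __name__ == "__main__":
    for cand in (Rule({"dst": "h1"}, "fwd:p4"),
                 Rule({"dst": "h1", "proto": "tcp"}, "drop"),
                 Rule({"src": "h5"}, "drop"),
                 Rule({"dst": "h9"}, "fwd:p1")):
        print(cand, "->", classify(cand, INSTALLED))
```

The ordering in `VERDICT_ORDER` encodes the conservative choice a controller would make: any partial overlap with a disagreeing action is reported as a conflict and rejected before the table is touched, so an ambiguous transitory table never reaches the switches.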

In preliminary works,3 we first introduced the idea of a policy update scheme for a distributed control plane, in which we assume the consistency model of per-packet consistent configuration update (Han et al., 2015; Reitblatt et al., 2012; Canini et al., 2015). In this paper, we extend the policy update scheme to resist Byzantine faults and, also, we show the protocol convergence overhead under different fault probabilities. A per-packet consistent update is one in which every in-transit packet is processed by a single version of the network configuration, either the previous or the updated one, but never by more than one configuration. Unlike other proposals, which consider an abstract consensus interface among the controllers (Canini et al., 2015) or a single centralized controller (Reitblatt et al., 2012; McGeer, 2012; Katta et al., 2013), we propose a lightweight consistency protocol to achieve consensus among distributed controllers as part of the policy update scheme. We prove the correctness of our proposed consistency protocol through a formal model. Our analyses show that our proposal achieves a consistent configuration in two round-trip times (RTT), with a minimum number of control messages on the network.

The remainder of the paper is as follows. In Section 2, we present the related work. Section 3 discusses the challenges of updating policies on SDN with a distributed control plane. In Section 4, we propose our consistency protocol for policy updates on software-defined networking with distributed control. Our simulation and analytical results are discussed in Section 5. Section 6 concludes the paper.

Section snippets

Related work

Upon a network-policy update, controllers send messages to switches to install flow processing rules. Although this procedure can be done sequentially, each switch may introduce different delays when processing and installing the rules. Thus, rule installation across all switches is an asynchronous task, and switches may finish committing the new network configuration in an arbitrary order (Zhang et al., 2018; Panda et al., 2017). An in-transit packet detects a mixture of

Policy update consistency

The logically centralized network control plane, on software-defined networking, consists of an abstraction of a global network view shared by all network controllers (Levin et al., 2012). Hence, all controllers ought to have access to a consensus interface to update their global network view. In this scenario, distributed controllers may issue simultaneous policy update requests. Fig. 1 shows the probability of two or more controllers issuing a policy-update request at the same time. The

The consistency protocol

We propose a consistency protocol for updating policies on a distributed control plane on Software-Defined Networking. Our proposal assures that policies concomitantly launched by different controllers are applied in the network in a global serialized order and are appropriately composed with previous policies. Moreover, we assume the Two-Phase Update (Reitblatt et al., 2012) as the scheme for applying rule changes on the network. This assumption is essential to meet constraints
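The per-packet consistency model defined in the introduction and the Two-Phase Update assumed here are easiest to see on a small simulated path. The following is an added example, not code from the paper: it assumes a four-switch topology (`s1` ingress, `s2`/`s4` alternative transit switches, `s3` egress), a rule table keyed by configuration version, and a version tag stamped at the ingress, and it contrasts an asynchronous in-place update, which lets one packet meet two configurations, with a two-phase update, where every packet is processed by exactly one version along its whole path.

```python
"""Per-packet consistency: naive asynchronous update vs. two-phase update.

Added example, not the paper's code. The topology, switch names and the
version-tag mechanism are assumptions for the illustration. Each hop
records (switch, configuration version used), so consistency of a packet
is simply "one version along the whole path".
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DELIVER = "deliver"  # pseudo next-hop meaning "leave the network"


@dataclass
class Packet:
    tag: Optional[int] = None                    # version stamped at ingress
    hops: List[Tuple[str, Optional[int]]] = field(default_factory=list)


class Switch:
    def __init__(self, name: str):
        self.name = name
        self.rules: Dict[int, str] = {}   # version -> next hop
        self.current: Optional[int] = None  # version applied to untagged packets

    def forward(self, pkt: Packet) -> Optional[str]:
        version = pkt.tag if pkt.tag is not None else self.current
        pkt.hops.append((self.name, version))
        return self.rules.get(version)    # None: no rule for that version, drop


class Network:
    def __init__(self, switches: List[Switch], ingress: str):
        self.sw = {s.name: s for s in switches}
        self.ingress = ingress
        self.ingress_tag: Optional[int] = None  # two-phase mode stamps this

    def send(self, pkt: Optional[Packet] = None, start: Optional[str] = None):
        """Push one packet through the path; returns (packet, delivered)."""
        pkt = pkt or Packet()
        here = start or self.ingress
        if start is None and self.ingress_tag is not None:
            pkt.tag = self.ingress_tag
        for _ in range(len(self.sw) + 1):   # bound guards against loops
            nxt = self.sw[here].forward(pkt)
            if nxt is None:
                return pkt, False
            if nxt == DELIVER:
                return pkt, True
            here = nxt
        return pkt, False


def per_packet_consistent(pkt: Packet) -> bool:
    return len({v for _, v in pkt.hops}) == 1


def build_v1() -> Network:
    """Constructed initial state: version 1 routes s1 -> s2 -> s3."""
    sws = [Switch(n) for n in ("s1", "s2", "s3", "s4")]
    net = Network(sws, "s1")
    for s in sws:
        s.current = 1
    net.sw["s1"].rules[1], net.sw["s2"].rules[1] = "s2", "s3"
    net.sw["s3"].rules[1] = DELIVER
    return net


V2 = {"s1": "s4", "s4": "s3", "s3": DELIVER}   # version 2 routes s1 -> s4 -> s3


def naive_update():
    """Switches replace their table in an arbitrary order; s1 is last."""
    net = build_v1()
    for name in ("s4", "s3", "s2"):
        sw = net.sw[name]
        if name in V2:
            sw.rules[2] = V2[name]
        sw.current = 2   # old table gone; s2 now has no rule at all
    return net.send()   # packet admitted under v1 meets s2 already on v2


def two_phase_update():
    net = build_v1()
    net.ingress_tag = 1
    # Phase 1: add v2 rules beside v1 rules; no packet is tagged 2 yet.
    for name, nxt in V2.items():
        net.sw[name].rules[2] = nxt
    phase1 = net.send()
    # Phase 2: flip the ingress stamp; only new packets follow v2.
    net.ingress_tag = 2
    phase2 = net.send()
    # A packet admitted before the flip is still mid-path at s2 with tag 1.
    straggler = net.send(Packet(tag=1), start="s2")
    # Once no tag-1 packet remains in flight, remove the old rules.
    for sw in net.sw.values():
        sw.rules.pop(1, None)
    return {"phase1": phase1, "phase2": phase2, "straggler": straggler}
```

In the naive run the packet leaves `s1` under version 1 and reaches `s2` after it has already moved to version 2, so it is dropped and its hop record shows two versions; in the two-phase run every packet, including the straggler admitted before the flip, is served by the version it was stamped with, which is exactly the per-packet consistency property the paper requires.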

Proposal evaluation

The proposal evaluation is threefold. First, we analyze our proposed consistency protocol through a formal model. Second, we simulate our protocol to investigate the message overhead and to compare it with other proposals. Third, we simulate our proposed scheme for distributed network-policy update and compare it with the Two-Phase Update.

Our first evaluation aims to assess the robustness of our protocol against malicious or misconfigured nodes in the network. We consider a malicious

Conclusion

Achieving consistent network-policy updates in software-defined networking with a distributed control plane is challenging. Controllers should agree on a global order in which to install policies on the network, and the composition of all policies should avoid conflicts between new and already installed policies. In this paper, we proposed a consistency protocol that locally orders the policy installation according to an agreed global order. We also proposed a policy composition algorithm that takes

Acknowledgment

This research is supported by CNPq, CAPES, FAPERJ, and FAPESP (2015/24514-9, 2015/24485-9, and 2014/50937-1).

References (33)

  • A. Akhunzada et al. Secure and dependable software defined networks. J. Netw. Comput. Appl. (2016)
  • R.D. Prisco et al. Revisiting the Paxos algorithm. Theor. Comput. Sci. (2000)
  • Y. Zhang et al. A survey on software defined networking with multiple controllers. J. Netw. Comput. Appl. (2018)
  • A. Bessani et al. State machine replication for the masses with BFT-SMART
  • S. Brandt et al. On consistent migration of flows in SDNs
  • M. Canini et al. A distributed and robust SDN control plane for transactional network updates
  • M. Castro et al. Practical byzantine fault tolerance
  • Y. Cui et al. Data centers as software defined networks: traffic redundancy elimination with wireless cards at routers. IEEE J. Sel. Area. Commun. (2013)
  • H.T. Dang et al. Netpaxos: consensus at network speed
  • A.D. Ferguson et al. Hierarchical policies for software defined networks
  • J. Gray et al. Consensus on transaction commit. ACM Trans. Database Syst. (2006)
  • J.H. Han et al. Blueswitch: enabling provably consistent configuration of network switches
  • C.L. I et al. New paradigm of 5G wireless internet. IEEE J. Sel. Area. Commun. (2016)
  • V. Jeyakumar et al. Millions of little minions: using packets for low latency network programming and visibility
  • M. Kablan et al. Stateless network functions: breaking the tight coupling of state and processing
  • N.P. Katta et al. Incremental consistent updates
Diogo Menezes Ferrazani Mattos is currently a Professor at the Universidade Federal Fluminense (Niterói, Brazil). He received his degree of D. Sc. in Electrical Engineering from Universidade Federal do Rio de Janeiro, Rio de Janeiro, Brazil, in 2017. Between 2015 and 2016, he had a sandwich scholarship to work on his PhD Thesis at the LIP6 (Laboratoire d'Informatique de Paris 6) at Université Pierre et Marie Curie, Paris, France. He obtained a Master's degree in Electrical Engineering from Universidade Federal do Rio de Janeiro, in 2012. He received a Computer and Information Engineer degree from the same university, in 2010 with a GPA of 9.3 over 10. His interests are in network security, new generation networking, network virtualization, software-defined networking, and Internet of the Future.

Otto Carlos M. B. Duarte received the Electronic Engineer degree and the M. Sc. degree in Electrical Engineering from Universidade Federal do Rio de Janeiro, Brazil, in 1976 and 1981, respectively, and the Dr. Ing. degree from ENST/Paris, France, in 1985. Since 1978 he has been Professor at Universidade Federal do Rio de Janeiro. In 1992/1993 he worked at Paris 6 University, in 1995 at the International Computer Science Institute (ICSI) associated with the University of California at Berkeley, and in 2014 at the University of California at Berkeley. He has worked several times as an invited professor at Paris 6 University.

Guy Pujolle is currently a Professor at the Pierre et Marie Curie University (Paris 6) and a member of the Institut Universitaire de France. He is an editor for International Journal of Network Management, WINET, Telecommunication Systems and Editor-In-Chief of the indexed journal Annals of Telecommunications. He was an editor for Computer Networks, Operations Research, Editor-In-Chief of Networking and Information Systems Journal, Ad Hoc Journal and several other journals. Guy Pujolle is a pioneer in high-speed networking, having led the development of the first Gb/s network to be tested in 1980.

1 Laboratório MídiaCom - Universidade Federal Fluminense (UFF) - R. Passo da Pátria, 156 - ZIP Code 24210-240, Niterói, RJ, Brasil.

2 Grupo de Teleinformática e Automação - GTA - Universidade Federal do Rio de Janeiro (UFRJ) - P.O. Box: 68504 - ZIP Code 21945-972, Ilha do Fundão, Rio de Janeiro, RJ, Brasil.