Please wait a minute...
Front. Inform. Technol. Electron. Eng.  2016, Vol. 17 Issue (7): 634-646    DOI: 10.1631/FITEE.1500321
    
A secure and high-performance multi-controller architecture for software-defined networking
Huan-zhao Wang, Peng Zhang, Lei Xiong, Xin Liu, Cheng-chen Hu
Department of Computer Science and Technology, Xi'an Jiaotong University, Xi'an 710049, China; Science and Technology on Information Transmission and Dissemination in Communication Networks Laboratory, Shijiazhuang 050081, China; MOE Key Laboratory for Intelligent Networks and Network Security, Xi'an Jiaotong University, Xi'an 710049, China
Download:   PDF(0KB)
Export: BibTeX | EndNote (RIS)      

Abstract  Controllers play a critical role in software-defined networking (SDN). However, existing single-controller SDN architectures are vulnerable to single-point failures, where a controller’s capacity can be saturated by flooded flow requests. In addition, due to the complicated interactions between applications and controllers, the flow setup latency is relatively large. To address the above security and performance issues of current SDN controllers, we propose distributed rule store (DRS), a new multi-controller architecture for SDNs. In DRS, the controller caches the flow rules calculated by applications, and distributes these rules to multiple controller instances. Each controller instance holds only a subset of all rules, and periodically checks the consistency of flow rules with each other. Requests from switches are distributed among multiple controllers, in order to mitigate controller capacity saturation attack. At the same time, when rules at one controller are maliciously modified, they can be detected and recovered in time. We implement DRS based on Floodlight and evaluate it with extensive emulation. The results show that DRS can effectively maintain a consistently distributed rule store, and at the same time can achieve a shorter flow setup time and a higher processing throughput, compared with ONOS and Floodlight.

Key wordsSoftware-defined networking (SDN)      Security      Multi-controller      Distributed rule store     
Received: 07 October 2015      Published: 05 July 2016
CLC:  TP393  
Cite this article:

Huan-zhao Wang, Peng Zhang, Lei Xiong, Xin Liu, Cheng-chen Hu. A secure and high-performance multi-controller architecture for software-defined networking. Front. Inform. Technol. Electron. Eng., 2016, 17(7): 634-646.

URL:

http://www.zjujournals.com/xueshu/fitee/10.1631/FITEE.1500321     OR     http://www.zjujournals.com/xueshu/fitee/Y2016/V17/I7/634


一种安全、高性能的软件定义网络多控制器体系结构

目的:控制器在软件定义网络(software-defined networking,SDN)中扮演着至关重要的角色。然而现有的SDN控制器体系结构存在单点失效、响应时延较大等问题。本文提出一种名为分布式数据存储(distributed rule store,DRS)的SDN多控制器体系结构,预先计算流表规则,并分布式缓存在不同控制器实例上。如此,每个控制器仅存储其中的一部分规则,且来自交换机的请求被分配到不同的控制器进行并行处理,从而达到减小响应时延,解决单点失效的目的。
创新点:提出一种名为DRS的软件定义网络多控制器体系结构;通过实验证明该控制器体系结果对于已有的ONOS和Floodlight控制器,数据流建立的时间更短、吞吐量更大。
方法:在控制器中预先计算网络中的流表规则,利用分布式哈希表将这些规则存储在不同的控制器实例上。每个控制器周期性地检查其他控制器中规则的完整性,防止单个控制器上规则的失效和篡改。当交换机请求流表时,系统根据控制器当前负载,将请求分配到相应控制器进行处理。
结论:本文提出的多控制体系结构可以有效保证分布式规则存储的一致性(图5);相对于已有的ONOS和Floodlight控制器,数据流建立的时间更短(图6、7),吞吐量更大(图8);多个控制器实例的负载相对均衡(图9、10)。

关键词: 软件定义网络,  安全,  多控制器,  分布式规则存储 
[1] Hui-fang YU , Bo YANG. Low-computation certificateless hybrid signcryption scheme[J]. Front. Inform. Technol. Electron. Eng., 2017, 18(7): 928-940.
[2] Zhen-hua YUAN , Chen CHEN, Xiang CHENG , Guo-cheng LV, Liu-qing YANG , Ye JIN. Correlated channel model-based secure communications in dual-hop wireless communication networks[J]. Front. Inform. Technol. Electron. Eng., 2017, 18(6): 796-807.
[3] He-hao NIU, Bang-ning ZHANG, Dao-xing GUO, Yu-zhen HUANG, Ming-yue LU. Joint cooperative beamforming and artificial noise design for secure AF relay networks with energy-harvesting eavesdroppers[J]. Front. Inform. Technol. Electron. Eng., 2017, 18(6): 850-862.
[4] Yue-bin LUO, Bao-sheng WANG, Xiao-feng WANG, Bo-feng ZHANG. A keyed-hashing based self-synchronization mechanism for port address hopping communication[J]. Front. Inform. Technol. Electron. Eng., 2017, 18(5): 719-728.
[5] Hui Zhao, You-yu Tan, Gao-feng Pan, Yun-fei Chen. Ergodic secrecy capacity of MRC/SC in single-input multiple-output wiretap systems with imperfect channel state information[J]. Front. Inform. Technol. Electron. Eng., 2017, 18(4): 578-590.
[6] Gaurav Bansod, Narayan Pisharoty, Abhijit Patil. BORON: an ultra-lightweight and low power encryption design for pervasive computing[J]. Front. Inform. Technol. Electron. Eng., 2017, 18(3): 332-345.
[7] En-zhong Yang, Lin-kai Zhang, Zhen Yao, Jian Yang. A video conferencing system based on SDN-enabled SVC multicast[J]. Front. Inform. Technol. Electron. Eng., 2016, 17(7): 672-681.
[8] Gang Xiong, Yu-xiang Hu, Le Tian, Ju-long Lan, Jun-fei Li, Qiao Zhou. A virtual service placement approach based on improved quantum genetic algorithm[J]. Front. Inform. Technol. Electron. Eng., 2016, 17(7): 661-671.
[9] Mingjie Feng, Shiwen Mao, Tao Jiang. Enhancing the performance of future wireless networks with software-defined networking[J]. Front. Inform. Technol. Electron. Eng., 2016, 17(7): 606-619.
[10] Shui-qing Gong, Jing Chen , Qiao-yan Kang, Qing-wei Meng, Qing-chao Zhu , Si-yi Zhao. An efficient and coordinated mapping algorithm in virtualized SDN networks[J]. Front. Inform. Technol. Electron. Eng., 2016, 17(7): 701-716.
[11] Peng Xiao, Zhi-yang Li, Song Guo, Heng Qi, Wen-yu Qu, Hai-sheng Yu. A K self-adaptive SDN controller placement for wide area networks[J]. Front. Inform. Technol. Electron. Eng., 2016, 17(7): 620-633.
[12] Gui-lin CAI, Bao-sheng WANG, Wei HU, Tian-zuo WANG. Moving target defense: state of the art and characteristics[J]. Front. Inform. Technol. Electron. Eng., 2016, 17(11): 1122-1153.
[13] Hong-jiang Lei, Imran Shafique Ansari, Chao Gao, Yong-cai Guo, Gao-feng Pan, Khalid A. Qaraqe. Secrecy performance analysis of single-input multiple-output generalized-K fading channels[J]. Front. Inform. Technol. Electron. Eng., 2016, 17(10): 1074-1084.
[14] Guang-jia Song, Zhen-zhou Ji. Anonymous-address-resolution model[J]. Front. Inform. Technol. Electron. Eng., 2016, 17(10): 1044-1055.
[15] Kuo-Hui Yeh. A lightweight authentication scheme with user untraceability[J]. Front. Inform. Technol. Electron. Eng., 2015, 16(4): 259-271.