A Packet-In Message Filtering Mechanism for Protection of Control Plane in OpenFlow Switches

Daisuke KOTANI  Yasuo OKABE  

Publication
IEICE TRANSACTIONS on Information and Systems   Vol.E99-D   No.3   pp.695-707
Publication Date: 2016/03/01
Online ISSN: 1745-1361
DOI: 10.1587/transinf.2015EDP7256
Type of Manuscript: PAPER
Category: Information Network
Keyword: network security, software-defined networking, OpenFlow


Summary: 
Protecting control planes in networking hardware from high-rate packets is a critical issue for networks in operation. One common approach for conventional networking hardware is to offload expensive functions onto hard-wired offload engines such as ASICs. This approach is inadequate for OpenFlow networks because it restricts some of the flexibility in network control that OpenFlow tries to provide. Therefore, we need a control plane protection mechanism in OpenFlow switches as a last resort, while preserving flexibility for network control. In this paper, we propose a mechanism to filter out Packet-In messages, which include packets handled by the control plane in OpenFlow networks, without dropping the ones that are important for network control. Switches record the values of packet header fields before sending Packet-In messages, and filter out packets that have the same values as the recorded ones. Controllers specify in advance which header fields' values must be recorded, and these header fields are selected based on the controller design. We have implemented and evaluated the proposed mechanism on a prototype software switch, concluding that it dramatically reduces CPU load on switches while still passing the Packet-In messages that are important for network control.
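
The following sketch illustrates the record-and-filter idea from the summary; it is an added example, not code from the paper or its prototype switch. The class and function names, the dictionary packet representation, the header field names and the bounded table with oldest-entry eviction are all assumptions made for illustration.

```python
from collections import OrderedDict


class PacketInFilter:
    """Switch-side filter: suppress Packet-In for header values already recorded."""

    def __init__(self, fields, max_entries=1024):
        self.fields = tuple(fields)     # header fields chosen by the controller
        self.max_entries = max_entries  # assumption: bounded table, oldest entry evicted
        self.seen = OrderedDict()

    def should_send(self, pkt):
        key = tuple(pkt.get(f) for f in self.fields)
        if key in self.seen:
            return False                # same values as a recorded entry: filter out
        if len(self.seen) >= self.max_entries:
            self.seen.popitem(last=False)
        self.seen[key] = True           # record the values before sending Packet-In
        return True


def run(fields, packets):
    """Return the packets that would still reach the controller as Packet-In."""
    flt = PacketInFilter(fields)
    return [p for p in packets if flt.should_send(p)]


# Constructed sample traffic: one host sends a burst of 200 table-miss packets
# to different destinations, then a previously unseen host appears on port 2.
BURST = [{"in_port": 1, "eth_src": "02:00:00:00:00:0a",
          "eth_dst": f"02:00:00:00:01:{i:02x}"} for i in range(200)]
NEW_HOST = {"in_port": 2, "eth_src": "02:00:00:00:00:0b",
            "eth_dst": "02:00:00:00:00:0a"}
PACKETS = BURST + [NEW_HOST]


def demo():
    # A MAC-learning controller only needs each (in_port, eth_src) pair once.
    learning = run(("in_port", "eth_src"), PACKETS)
    # A controller design that also depends on eth_dst must record it too,
    # so far fewer packets count as duplicates.
    per_dst = run(("in_port", "eth_src", "eth_dst"), PACKETS)
    return len(learning), len(per_dst)


if __name__ == "__main__":
    print(demo())
```

With the learning controller's field set, the burst collapses to a single Packet-In while the new host's first packet still gets through, which is why the recorded fields have to follow the controller design.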