FOUM: A flow-ordered consistent update mechanism for software-defined networking in adversarial settings

摘要

Due to the asynchronous and distributed nature of the data plane, consistent configuration updating across multiple switches is a challenging issue in Software-Defined Networking (SDN). The existing version-stamping-based mechanism (VSM) could guarantee per-packet consistency, but this mechanism is designed for non-adversarial settings and can be compromised easily by a malicious attacker. In this paper, we propose an efficient flow-ordered update mechanism that aims to provide per-packet consistency in adversarial settings. Our proposal does not need to stamp data packets with the configuration version, and is robust against both the packet-tampering and packet-dropping attacks. It outperforms a naive mechanism that simply patches VSM using digital signatures in three aspects: First, the switches in this mechanism only need to sign and verify a single control packet, which significantly improves the packet processing time. Second, it avoids keeping both old and new policies on switches during the update, and thus achieves better space efficiency. Third, it reduces the time delay for new policies to come into force. We evaluate our mechanism on a self-constructed SDN testbed and the results demonstrate high efficiency.