Scrolls
5 min read
On this page

Software-Defined Networking

SDN Architecture

SDN Three-Layer Architecture

SDN decouples the control plane (routing decisions) from the data plane (packet forwarding), centralizing network intelligence in a software controller.

Three-Layer Model

+---------------------------+
|    Application Layer       |  (network apps: firewall, load balancer, TE)
|    Northbound API (REST)   |
+---------------------------+
|    Control Layer           |  (SDN controller / NOS)
|    Southbound API (OF/P4)  |
+---------------------------+
|    Data/Infrastructure     |  (switches, routers - forwarding only)
+---------------------------+

Key Properties

Property Description
Centralized control Logically centralized controller has global network view
Programmability Network behavior defined in software, not device firmware
Open interfaces Standardized APIs between layers
Abstraction Applications operate on abstract network model

Benefits and Challenges

Benefits:

  • Rapid innovation in control logic without vendor firmware changes.
  • Global optimization using complete topology and traffic knowledge.
  • Simplified management through automation and programmability.
  • Vendor-neutral forwarding hardware.

Challenges:

  • Controller scalability and availability (single point of failure if not distributed).
  • Latency of control plane interactions for reactive forwarding.
  • Security of the controller (attractive attack target).
  • Migration from legacy infrastructure.

OpenFlow

OpenFlow (v1.0 through v1.5) is the original and most widely known southbound protocol for SDN.

OpenFlow Switch Model

A switch contains one or more flow tables, each with flow entries:

Flow Entry:
  Match Fields | Priority | Counters | Instructions | Timeouts | Cookie

Match fields (subset): ingress port, Ethernet src/dst/type, VLAN ID, IP src/dst, IP protocol, TCP/UDP src/dst port, MPLS label.

Instructions/Actions:

  • OUTPUT(port) - forward to a port
  • DROP - discard packet
  • SET_FIELD - modify header fields
  • GROUP - apply group table entry (multicast, ECMP, failover)
  • GOTO_TABLE(n) - continue processing at table n

Pipeline Processing

Packet In → Table 0 → Table 1 → ... → Table N → Execute Action Set
            (match?)   (match?)         (match?)
              ↓ miss      ↓ miss           ↓ miss
           Table-miss  Table-miss       Table-miss
           entry       entry            entry

If no match and no table-miss entry: packet dropped. Table-miss can send to controller (Packet-In message).

OpenFlow Messages

Category Messages
Controller→Switch Features Request, Flow Mod, Packet Out, Barrier
Switch→Controller Packet In, Flow Removed, Port Status, Error
Symmetric Hello, Echo Request/Reply

OpenFlow Limitations

  • Fixed match fields (not extensible without protocol revision).
  • Limited programmability of the data plane itself.
  • Performance overhead of Packet-In for unknown flows.
  • Complexity of multi-table pipelines.

SDN Controllers

ONOS (Open Network Operating System)

  • Designed for service provider and mission-critical networks.
  • Distributed architecture using Atomix for distributed state management.
  • Intent framework: applications express desired connectivity, ONOS computes forwarding rules.
  • Written in Java; supports OpenFlow, gNMI, P4Runtime, NETCONF.

OpenDaylight (ODL)

  • Modular, plugin-based architecture using OSGi/Karaf.
  • Model-Driven Service Abstraction Layer (MD-SAL) for unified data model.
  • Supports a wide range of southbound protocols.
  • Strong enterprise and service provider ecosystem.

Comparison

Feature ONOS OpenDaylight
Target SP/carrier-grade Enterprise/multi-protocol
Clustering Built-in (Atomix/Raft) Akka-based clustering
Intent framework Core feature Available via plugins
Community ON.Lab / Linux Foundation Linux Foundation
Data store Distributed, strongly consistent In-memory + persistence

Controller Scalability

Distributed controllers partition the network among instances:

  • Flat distribution: Each controller manages a subset of switches; synchronizes state.
  • Hierarchical: Local controllers handle fast decisions; root controller handles global policy.
  • Typical capacity: single instance handles 1-6 million flow setups/second (varies by implementation).

P4: Programming Protocol-Independent Packet Processors

P4 is a domain-specific language for programming the data plane, making the forwarding behavior itself programmable (not just the flow rules).

P4 Architecture

P4 Program → P4 Compiler → Target-specific binary
                              ↓
                         Programmable Switch
                         (ASIC, FPGA, SmartNIC, software)

Core P4 Abstractions

// 1. Header definitions
header ipv4_t {
    bit<4>  version;
    bit<4>  ihl;
    bit<8>  tos;
    bit<16> totalLen;
    bit<16> identification;
    bit<3>  flags;
    bit<13> fragOffset;
    bit<8>  ttl;
    bit<8>  protocol;
    bit<16> hdrChecksum;
    bit<32> srcAddr;
    bit<32> dstAddr;
}

// 2. Parser (state machine)
parser MyParser(packet_in pkt, out headers hdr) {
    state start {
        pkt.extract(hdr.ethernet);
        transition select(hdr.ethernet.etherType) {
            0x0800: parse_ipv4;
            default: accept;
        }
    }
    state parse_ipv4 {
        pkt.extract(hdr.ipv4);
        transition accept;
    }
}

// 3. Match-action tables
table ipv4_lpm {
    key = { hdr.ipv4.dstAddr: lpm; }
    actions = { forward; drop; }
    size = 1024;
}

// 4. Control flow (apply tables)
apply { ipv4_lpm.apply(); }

// 5. Deparser (reassemble packet)

P4 vs. OpenFlow

Aspect OpenFlow P4
Header awareness Fixed set of known headers User-defined arbitrary headers
Forwarding model Vendor-defined pipeline Programmer-defined pipeline
New protocols Requires spec update Just write new parser/tables
Target OpenFlow-compatible switches Any programmable target

Network Functions Virtualization (NFV)

NFV replaces dedicated network appliances (firewalls, load balancers, NATs) with software running on commodity servers.

NFV Architecture (ETSI)

+-------------------------------------------+
|  OSS/BSS                                  |
+-------------------------------------------+
|  NFV Orchestrator (NFVO)                  |
|    ├── VNF Manager (VNFM)                 |
|    └── Virtual Infrastructure Manager (VIM)|
+-------------------------------------------+
|  NFVI: compute, storage, network          |
|  (servers, switches, hypervisors)         |
+-------------------------------------------+
  • VNF (Virtual Network Function): Software implementation of a network function (e.g., vFirewall, vRouter).
  • NFVI: Infrastructure that hosts VNFs.
  • MANO: Management and Orchestration framework.

Performance Considerations

  • Traditional kernel networking is too slow for VNFs at line rate.
  • Solutions: DPDK (kernel bypass), SR-IOV (hardware-assisted I/O), SmartNICs.
  • Container-based VNFs (CNFs) replacing VM-based for lower overhead.

Service Function Chaining (SFC)

SFC steers traffic through an ordered sequence of network functions.

Traffic → Classifier → Firewall → IDS → Load Balancer → Destination
                        (SF1)      (SF2)     (SF3)

NSH (Network Service Header) - RFC 8300

| NSH Base | Service Path | Service Index | Metadata |
           (24-bit SPI)    (8-bit SI)
  • SPI (Service Path Identifier): Identifies the chain.
  • SI (Service Index): Decremented at each SF; indicates position in chain.
  • SFC-aware SFs process and decrement SI; SFC-unaware SFs use a proxy.

Intent-Based Networking (IBN)

IBN abstracts network configuration into high-level business intent, automating the translation to device-level configuration.

IBN Workflow

Intent: "Server A must be able to reach Database B on port 3306 with encrypted traffic"
   ↓
Translation Engine (decomposes intent into network policies)
   ↓
Activation (configures switches, firewalls, VPNs)
   ↓
Assurance (continuously monitors compliance, remediates drift)

Intent Levels

Level Example
Business "Finance department traffic is isolated"
Service "VLAN 100 has no path to VLAN 200 except via firewall"
Network "ACL on switch X port 5 deny traffic from 10.0.1.0/24 to 10.0.2.0/24"

Network Verification

Formal methods applied to ensure network correctness.

Approaches

Tool/Approach Method Checks
Header Space Analysis (HSA) Models forwarding as geometric operations on header space Reachability, loops, isolation
Veriflow Real-time verification of rule insertions Invariant violations on updates
Batfish Configuration analysis (offline) Reachability, routing correctness
Minesweeper SMT-based analysis of control plane Policy compliance under all failures
P4v Verification of P4 programs Data plane program correctness

Data Plane vs. Control Plane Verification

  • Data plane: Verify the forwarding state at a point in time (fast, snapshot-based).
  • Control plane: Verify that routing protocols produce correct forwarding under all possible failures (more thorough, computationally expensive).

Practical Verification Checks

  • Reachability: Can host A reach host B?
  • Isolation: Can VLAN X traffic never reach VLAN Y?
  • Loop freedom: Are there any forwarding loops?
  • Black holes: Are any destinations unreachable?
  • Waypointing: Does traffic always traverse a required middlebox?
  • Equivalence: Do two configurations produce identical forwarding behavior?