Research On Flow Rule Conflict Detection Method For SDN

Posted on: 2020-05-11
Degree: Master
Type: Thesis
Country: China
Candidate: S Zhou
GTID: 2428330575463086
Subject: Software engineering

Abstract/Summary:
Software-Defined Networking (SDN) has brought tremendous vitality to computer networks. It completely decouples the control plane and data plane of the traditional distributed network and uses a logically centralized controller to control the entire distributed data plane, which centralizes network configuration, improves the efficiency of network management, and reduces the complexity of network configuration. SDN allows applications to flexibly control and modify packets in the data plane. As networks become larger, various applications work on a single network, so several different applications may control the same packet at the same time. In this case, packet processing becomes chaotic. In SDN, applications manipulate packets by formulating flow rules, so this chaotic packet processing is called a flow rule conflict. This thesis studies flow rule conflicts in SDN, thoroughly surveys the research status at home and abroad, analyzes the target problems in detail, and proposes the following two solutions.

(1) Transaction-based flow rule conflict detection and resolution. Flow rule conflicts in SDN may cause mutual interference between different network functions and their failure. For this problem, this thesis proposes transaction-based flow rule conflict detection and resolution (TCDR). TCDR introduces the concept of a flow rule transaction. A flow rule transaction represents a set of flow rules that together complete a certain network function, and this set is atomic in operation: its rules are deployed together, updated together, and deleted together. Based on the flow rule transaction, TCDR adopts a transaction-based flow rule conflict analysis algorithm (TRCA) to ensure the independence of network functions. In addition, malicious applications actively generate conflicting flow rules to attack the network, so strengthening application-layer security is also an important way to reduce flow rule conflicts. TCDR proposes a transaction-based authentication scheme that authenticates applications and more fine-grained network functions, ensuring the security of the source of flow rules. The TCDR system prototype was implemented on the open source Floodlight controller. Experimental tests and performance evaluation demonstrate that the scheme has good feasibility and effectiveness.

(2) Queryable flow rule conflict detection scheme. Since flow rule conflict detection is mainly performed in the controller, it inevitably places more burden on the controller as the network scale grows. For this problem, this thesis proposes a queryable flow rule conflict detection and resolution scheme (QCDR). QCDR is built into the controller. It provides a query interface for applications and converts the flow rules in the network into a flow rule text, which allows applications to query the flow rules in the network with regular expressions. When it receives a query from an application, the controller converts the regular expression into a corresponding deterministic finite state automaton and then matches it against the flow rule text. On this basis, when an application formulates a flow rule, it can actively query the flow rules in the network and detect flow rule conflicts locally. This gives applications the ability to avoid sending conflicting flow rules to the controller as far as possible, which greatly reduces the controller's burden in detecting flow rule conflicts. Based on the TCDR system prototype, this thesis further implements the QCDR model and then conducts experimental tests and performance evaluation. The experiments show that QCDR can effectively suppress the increase in controller resource consumption during flow rule conflict detection as the number of flow rules increases.
Keywords/Search Tags:Software-defined networking, OpenFlow, Flow rule conflict, Network security
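
The QCDR query flow described in the abstract, as an added example that is not code from the thesis: the controller serialises flow rules to text, and an application queries that text with a regular expression to detect conflicts locally before submitting a rule. The text format, field names, sample rules, and conflict criterion (overlapping match, different application, different action) are assumptions made for illustration, and Python's `re` engine stands in for the regex-to-DFA conversion the abstract mentions.

```python
import re

# Constructed sample rules; field names and the text layout are assumptions.
INSTALLED = [
    {"app": "firewall", "priority": 200,
     "match": {"ip_dst": "10.0.0.5", "tcp_dst": "80"}, "action": "drop"},
    {"app": "lb", "priority": 100,
     "match": {"ip_dst": "10.0.0.5", "tcp_dst": "443"}, "action": "output:2"},
    {"app": "router", "priority": 50,
     "match": {"ip_dst": "10.0.1.9"}, "action": "output:3"},
]
FIELDS = ("ip_dst", "tcp_dst")  # fixed field order keeps the text regex-friendly


def rule_to_text(rule):
    """Serialise one rule to a line; '*' marks a wildcarded match field."""
    match = ",".join(f"{f}={rule['match'].get(f, '*')}" for f in FIELDS)
    return (f"app={rule['app']};prio={rule['priority']};"
            f"{match};action={rule['action']}")


def controller_query(pattern, rules=INSTALLED):
    """Controller side: return the flow rule text lines the regex fully matches."""
    compiled = re.compile(pattern)
    return [t for t in map(rule_to_text, rules) if compiled.fullmatch(t)]


def overlap_pattern(candidate):
    """Regex for installed rules whose match can overlap the candidate's:
    each field is equal, or wildcarded on either side."""
    parts = []
    for f in FIELDS:
        value = candidate["match"].get(f)
        if value is None:                      # candidate wildcards this field
            parts.append(f"{f}=[^,;]*")
        else:                                  # same value or installed wildcard
            parts.append(f"{f}=(?:{re.escape(value)}|\\*)")
    return r"app=[^;]*;prio=\d+;" + ",".join(parts) + r";action=.*"


def local_conflicts(candidate):
    """Application side: overlapping rules owned by another app that take a
    different action (the assumed conflict criterion)."""
    hits = controller_query(overlap_pattern(candidate))
    own = f"app={candidate['app']};"
    same_action = f";action={candidate['action']}"
    return [h for h in hits
            if not h.startswith(own) and not h.endswith(same_action)]
```

An application would call `local_conflicts` on a candidate rule and send it to the controller only when the returned list is empty.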