With the popularization of software defined networks, switch migration as an important network management strategy has attracted increasing attention. Most existing switch migration strategies only consider local conditions and simple load thresholds, without fully considering the overall optimization and dynamics of the network. Therefore, this article proposes a switch migration algorithm based on global optimization. This algorithm adds a load prediction module to the migration model, determines the migration controller, and uses an improved whale optimization algorithm to determine the target controller and its surrounding controller set. Based on the load status of the controller and the traffic priority of the switch to be migrated, the optimal migration switch set is determined. The experimental results show that compared to existing schemes, the algorithm proposed in this paper improves the average flow processing efficiency by 15% to 40%, reduces switch migration times, and enhances the security of the controller.

Industrial networks need to provide reliable communication services, usually in a redundant transmission (RT) manner. In the past few years, several device-redundancy-based, layer 2 solutions have been proposed. However, with the evolution of industrial networks to the Industrial Internet, these methods can no longer work properly in the non-redundancy, layer 3 environments. In this paper, an SDN-based reliable communication framework is proposed for the Industrial Internet. It can provide reliable communication guarantees for mission-critical applications while servicing non-critical applications in a best-effort transmission manner. Specifically, it first implements an RT-based reliable communication method using the Industrial Internet's link-redundancy feature. Next, it presents a redundant synchronization mechanism to prevent end systems from receiving duplicate data. Finally, to maximize the number of critical flows in it (an NP-hard problem), two ILP-based routing & scheduling algorithms are also put forward. These two algorithms are optimal (Scheduling with Unconstrained Routing, SUR) and suboptimal (Scheduling with Minimum length Routing, SMR). Numerous simulations are conducted to evaluate its effectiveness. The results show that it can provide reliable, duplicate-free services to end systems. Its reliable communication method performs better than the conventional best-effort transmission method in terms of packet delivery success ratio in layer 3 networks. In addition, its scheduling algorithm, SMR, performs well on the experimental topologies (with average quality of 93% when compared to SUR), and the time overhead is acceptable.

One of the features of a software-defined network (SDN) is a logically centralized control plane hosting one or more SDN controllers. As SDN controller placement can impact network performance, it is widely studied as the controller placement problem (CPP). For a cost-effective network design, network providers need to minimize the number of SDN controllers used in the network since each SDN controller incurs installation and maintenance costs. Moreover, the network providers need to deal with the failure of SDN controllers. Existing studies that consider SDN controller failures use the scheme of connecting each SDN switch to one Master controller and one or more Slave controllers. The problem with this scheme is that the computing capacity of each SDN controller cannot be used efficiently since one SDN controller handles the load of all SDN switches connected to it. The number of SDN controllers required can be reduced by distributing the load of each SDN switch among multiple SDN controllers. This paper proposes a controller placement model that allows the distribution against SDN controller failures. The proposed model determines the ratios of computing capacity demanded by each SDN switch on the SDN controllers connected to it. The proposed model also determines the number and placement of SDN controllers and the assignment of each SDN switch to SDN controllers. Controller placement is determined so that a network provider can continue to manage all SDN switches if no more than a certain number of SDN controller failures occur. We develop two load distribution methods: split and even-split. We formulate the proposed model with each method as integer linear programming problems. Numerical results show that the proposed model reduces the number of SDN controllers compared to a benchmark model; the maximum reduction ratio is 38.8% when the system latency requirement between an SDN switch and an SDN controller is 100[ms], the computing capacity of each SDN controller is 6 × 106[packets/s], and the maximum number of SDN controllers that can fail at the same time is one.

OpenFlow is a widely adopted implementation of the Software-Defined Networking (SDN) architecture. Since conventional network monitoring systems are unable to cope with OpenFlow networks, researchers have developed various monitoring systems tailored for OpenFlow networks. However, these existing systems either rely on a specific controller framework or an API, both of which are not part of the OpenFlow specification, and thus limit their applicability. This article proposes a transparent and low-overhead monitoring system for OpenFlow networks, referred to as Opimon. Opimon monitors the network topology, switch statistics, and flow tables in an OpenFlow network and visualizes the result through a web interface in real-time. Opimon monitors a network by interposing a proxy between the controller and switches and intercepting every OpenFlow message exchanged. This design allows Opimon to be compatible with any OpenFlow switch or controller. We tested the functionalities of Opimon on a virtual network built using Mininet and a large-scale international OpenFlow testbed (PRAGMA-ENT). Furthermore, we measured the performance overhead incurred by Opimon and demonstrated that the overhead in terms of latency and throughput was less than 3% and 5%, respectively.

The need of telecommunications operators to reduce Capital and Operational Expenditures in networks which traffic is continuously growing has made them search for new alternatives to simplify and automate their procedures. Because of the different transport network segments and multiple layers, the deployment of end-to-end services is a complex task. Also, because of the multiple vendor existence, the control plane has not been fully homogenized, making end-to-end connectivity services a manual and slow process, and the allocation of computing resources across the entire network a difficult task. The new massive capacity requested by Data Centers and the new 5G connectivity services will urge for a better solution to orchestrate the transport network and the distributed computing resources. This article presents and demonstrates a Network Slicing solution together with an end-to-end service orchestration for transport networks. The Network Slicing solution permits the co-existence of virtual networks (one per service) over the same physical network to ensure the specific service requirements. The network orchestrator allows automated end-to-end services across multi-layer multi-domain network segments making use of the standard Transport API (TAPI) data model for both l0 and l2 layers. Both solutions will allow to keep up with beyond 5G services and the higher and faster demand of network and computing resources.

Large-scale disasters can lead to a severe damage or destruction of optical transport networks including the data-plane (D-plane) and control and management-plane (C/M-plane). In addition to D-plane recovery, quick recovery of the C/M-plane network in modern software-defined networking (SDN)-based fiber optical networks is essential not only for emergency control of surviving optical network resources, but also for quick collection of information related to network damage/survivability to enable the optimal recovery plan to be decided as early as possible. With the advent of the Internet of Things (IoT) technologies, low energy consumption, and low-cost IoT devices have been more common. Corresponding long-distance networking technologies such as low-power wide-area (LPWA) and LPWA-based mesh (LPWA-mesh) networks promise wide coverage sensing and environment data collection capabilities. We are motivated to take an infrastructure-less IoT approach to provide long-distance, low-power and inexpensive wireless connectivity and create an emergency C/M-plane network for early disaster recovery. In this paper, we investigate the feasibility of fiber networks C/M-plane recovery using an IoT-based extremely narrow-band, and lossy links system (FRENLL). For the first time, we demonstrate a field-trial experiment of a long-latency/loss tolerable SDN C/M-plane that can take advantage of widely available IoT resources and easy-to-create wireless mesh networks to enable the timely recovery of the C/M-plane after disaster.

In the coming smart-home era, more and more household electrical appliances are generating more and more sensor data and transmitting them over the home networks, which are often connected to Internet through Point-to-Point Protocol over Ethernet (PPPoE) for desirable authentication and accounting. However, according to our knowledge, high-speed commercial home PPPoE router is still absent for a home network environment. In this paper, we first introduce and evaluate our programmable platform FLARE-DPDK for ease of programming network functions. Then we introduce our effort to build a compact 10Gbps software FLARE PPPoE router on a commercial mini-PC. In our implementation, the control plane is implemented with Linux PPPoE software for authentication-like signaling control. The data plane is implemented over FLARE-DPDK platform, where we get packets from physical network interfaces directly bypassing Linux kernel and distribute packets to multiple CPU cores for data processing in parallel. We verify our software PPPoE router in both lab and production network environment. The experimental results show that our FLARE software PPPoE router can achieve much higher throughput than a commercial PPPoE router tested in a production environment.

Software-defined networking (SDN) technology enables us to flexibly configure switches in a network. Previously, distributed SDN control methods have been discussed to improve their scalability and robustness. Distributed placement of controllers and backing up each other enhance robustness. However, these techniques do not include an emergency measure against large-scale failures such as network separation induced by disasters. In this study, we first propose a network partitioning method to create a robust control plane (C-Plane) against large-scale failures. In our approach, networks are partitioned into multiple sub-networks based on robust topology coefficient (RTC). RTC denotes the probability that nodes in a sub-network isolate from controllers when a large-scale failure occurs. By placing a local controller onto each sub-network, 6%-10% of larger controller-switch connections will be retained after failure as compared to other approaches. Furthermore, we discuss reactive emergency reconstruction of a distributed SDN C-plane. Each node detects a disconnection to its controller. Then, C-plane will be reconstructed by isolated switches and managed by the other substitute controller. Meanwhile, our approach reconstructs C-plane when network connectivity recovers. The main and substitute controllers detect network restoration and merge their C-planes without conflict. Simulation results reveal that our proposed method recovers C-plane logical connectivity with a probability of approximately 90% when failure occurs in 100 node networks. Furthermore, we demonstrate that the convergence time of our reconstruction mechanism is proportional to the network size.

Software-defined networking (SDN) has rapidly emerged as a promising new technology for future networks and gained considerable attention from both academia and industry. However, due to the separation between the control plane and the data plane, the SDN controller can easily become the target of denial-of service (DoS) attacks. To mitigate DoS attacks in OpenFlow networks, our solution, MinDoS, contains two key techniques/modules: the simplified DoS detection module and the priority manager. The proposed architecture sends requests into multiple buffer queues with different priorities and then schedules the processing of these flow requests to ensure better controller protection. The results show that MinDoS is effective and adds only minor overhead to the entire SDN/OpenFlow infrastructure.

In this paper, we posit that, in future mobile network, network softwarization will be prevalent, and it becomes important to utilize deep machine learning within network to classify mobile traffic into fine grained slices, by identifying application types and devices so that we can apply Quality-of-Service (QoS) control, mobile edge/multi-access computing, and various network function per application and per device. This paper reports our initial attempt to apply deep machine learning for identifying application types from actual mobile network traffic captured from an MVNO, mobile virtual network operator and to design the system for classifying it to application specific slices.

Distributed control plane architecture has been employed in software-defined data center networks to improve the scalability of control plane. However, since the flow space is partitioned by assigning switches to different controllers, the network topology is also partitioned and the rule setup process has to invoke multiple controllers. Besides, the control load balancing based on switch migration is heavyweight. In this paper, we propose a lightweight load partition method which decouples the flow space from the network topology. The flow space is partitioned with hosts rather than switches as carriers, which supports fine-grained and lightweight load balancing. Moreover, the switches are no longer needed to be assigned to different controllers and we keep all of them controlled by each controller, thus each flow request can be processed by exactly one controller in a centralized style. Evaluations show that our scheme reduces rule setup costs and achieves lightweight load balancing.

The centralized controller of SDN enables a global topology view of the underlying network. It is possible for the SDN controller to achieve globally optimized resource composition and utilization, including optimized end-to-end paths. Currently, resource composition in SDN arena is usually conducted in an imperative manner where composition logics are explicitly specified in high level programming languages. It requires strong programming and OpenFlow backgrounds. This paper proposes declarative path composition, namely Compass, which offers a human-friendly user interface similar to natural language. Borrowing methodologies from Semantic Web, Compass models and stores SDN resources using OWL and RDF, respectively, to foster the virtualized and unified management of the network resources regardless of the concrete controller platform. Besides, path composition is conducted in a declarative manner where the user merely specifies the composition goal in the SPARQL query language instead of explicitly specifying concrete composition details in programming languages. Composed paths are also reused based on similarity matching, to reduce the chance of time-consuming path composition. The experiment results reflect the applicability of Compass in path composition and reuse.

Today's enterprise, data-center, and internet-service-provider networks deploy different types of network devices, including switches, routers, and middleboxes such as network address translation and firewalls. These devices are vertically integrated monolithic systems. Software-defined networking (SDN) and network function virtualization (NFV) are promising technologies for dis-aggregating vertically integrated systems into components by using “softwarization”. Software-defined networking separates the control plane from the data plane of switch and router, while NFV decouples high-layer service functions (SFs) or Network Functions (NFs) implemented in the data plane of a middlebox and enables the innovation of policy implementation by using SF chaining. Even though there have been several survey studies in this area, this area is continuing to grow rapidly. In this paper, we present a recent survey of this area. In particular, we survey research activities in the areas of re-architecting middleboxes, state management, high-performance platforms, service chaining, resource management, and trouble shooting. Efforts in these research areas will enable the development of future virtual-network-function platforms and innovation in service management while maintaining acceptable capital and operational expenditure.

In recent years, software-defined networking (SDN), which performs centralized network management with software, has attracted much attention. Although packets are transmitted based on flow entries in SDN switches, the number of flow entries that the SDN switches can handle is limited. To overcome this difficulty, this paper proposes a flow-based routing method that performs flexible routing control with a small number of flow entries. The proposed method provides mixed integer programming. It assigns common paths to flows that can be aggregated at intermediate switches, while considering the utilization of network links. Because it is difficult for mixed integer programming to compute large-scale problems, the proposed method also provides a heuristic algorithm for them. Through numerical experiments, this paper shows that the proposed method efficiently reduces both the number of flow entries and the loads of congested links.

Focused on network reconnaissance, eavesdropping, and DoS attacks caused by static routing policies, this paper designs a random routing mutation architecture based on the OpenFlow protocol, which takes advantages of the global network view and centralized control in a software-defined network. An entropy matrix of network traffic characteristics is constructed by using volume measurements and characteristic measurements of network traffic. Random routing mutation is triggered according to the result of network anomaly detection, which using a wavelet transform and principal component analysis to handle the above entropy matrix for both spatial and temporal correlations. The generation of a random routing path is specified as a 0-1 knapsack problem, which is calculated using an improved ant colony algorithm. Theoretical analysis and simulation results show that the proposed method not only increases the difficulty of network reconnaissance and eavesdropping but also reduces the impact of DoS attacks on the normal communication in an SDN network.

SDN (Software-Defined Networking) enables software applications to program individual network devices dynamically and therefore control the behavior of the network as a whole. Incomplete programming and/or inconsistency with the network policy of SDN software applications may lead to verification issues. The objective of this paper is to describe the formal modeling that uses the process algebra called pACSR and then suggest a method to verify the firewall application running on top of the SDN controller. The firewall rules are translated into a pACSR process which acts as the specification, and packet's behaviors in SDN are also translated to a pACSR process which is a role as the implementation. Then we prove the correctness by checking whether the parallel composition of two pACSR processes is deadlock-free. Moreover, in the case of network topology changes, our verification can be directly applied to check whether any mismatches or inconsistencies will occur.

Named Data Networking (NDN) has emerged as an alternative to traditional IP-based networking for the achievement of Information-Centric Networking (ICN). Currently, most NDN is deployed over IP networks, but such an overlay deployment increases the transport network overhead due to the use of dual network control planes (NDN routing and IP routing). Software-Defined Networking (SDN) can be used to mitigate the network overhead by forwarding NDN packets without the use of IP routing. However, to deploy NDN over SDN, a variable NDN content name needs to be mapped to a fixed-size match field in an OpenFlow switch flow table. For efficient support of such a mapping task, we propose a new architecture that uses dual name for content: content name and Name Tag. The Name Tag is derived from the corresponding content name and is a legitimate IPv6 address. By using the proposed Name Tag, the SDN with an NDN control application can transport an IPv6 packet that encapsulates an NDN packet for an NDN name-based routing. We emulate the proposed architecture using Mininet and verify that it is feasible.

Although SDN provides desirable characteristics such as the manageability, flexibility and extensibility of the networks, it has a considerable disadvantage in its reliability due to its centralized architecture. To protect SDN-enabled networks under large-scale, unexpected link failures, we propose ResilientFlow that deploys distributed modules called Control Channel Maintenance Module (CCMM) for every switch and controllers. The CCMMs makes switches able to maintain their own control channels, which are core and fundamental part of SDN. In this paper, we design, implement, and evaluate the ResilientFlow.

Network virtualization environments (NVEs) are emerging to meet the increasing diversity of demands by Internet users where a virtual network (VN) can be constructed to accommodate each specific application service. In the future Internet, diverse service providers (SPs) will provide application services on their own VNs running across diverse infrastructure providers (InPs) that provide physical resources in an NVE. To realize both efficient resource utilization and good QoS of each individual service in such environments, SPs should perform adaptive control on network and computational resources in dynamic and competitive resource sharing, instead of explicit and sufficient reservation of physical resources for their VNs. On the other hand, two novel concepts, software-defined networking (SDN) and network function virtualization (NFV), have emerged to facilitate the efficient use of network and computational resources, flexible provisioning, network programmability, unified management, etc., which enable us to implement adaptive resource control. In this paper, therefore, we propose an architectural design of network orchestration for enabling SPs to maintain QoS of their applications aggressively by means of resource control on their VNs efficiently, by introducing virtual network provider (VNP) between InPs and SPs as 3-tier model, and by integrating SDN and NFV functionalities into NVE framework. We define new north-bound interfaces (NBIs) for resource requests, resource upgrades, resource programming, and alert notifications while using the standard OpenFlow interfaces for resource control on users' traffic flows. The feasibility of the proposed architecture is demonstrated through network experiments using a prototype implementation and a sample application service on nation-wide testbed networks, the JGN-X and RISE.

The availability is an important issue of software-defined networking (SDN). In this paper, the experiments based on a SDN testbed showed that the resource utilization of the data plane and control plane changed drastically when DDoS attacks happened. This is mainly because the DDoS attacks send a large number of fake flows to network in a short time. Based on the observation and analysis, a DDoS defense mechanism based on legitimate source and destination IP address database is proposed in this paper. Firstly, each flow is abstracted as a source-destination IP address pair and a legitimate source-destination IP address pair database (LSDIAD) is established by historical normal traffic trace. Then the proportion of new source-destination IP address pair in the traffic per unit time is cumulated by non-parametric cumulative sum (CUSUM) algorithm to detect the DDoS attacks quickly and accurately. Based on the alarm from the non-parametric CUSUM, the attack flows will be filtered and redirected to a middle box network for deep analysis via south-bound API of SDN. An on-line updating policy is adopted to keep the LSDIAD timely and accurate. This mechanism is mainly implemented in the controller and the simulation results show that this mechanism can achieve a good performance in protecting SDN from DDoS attacks.