Publication


Featured research published by Liron Schiff.


Proceedings of the third workshop on Hot topics in software defined networking | 2014

Provable data plane connectivity with local fast failover: introducing openflow graph algorithms

Michael Borokhovich; Liron Schiff; Stefan Schmid

Modern software-defined networks support the implementation of in-network failover mechanisms: mechanisms to quickly re-establish connectivity in the data plane without the interaction of the software controller. Interestingly, however, not much is known today about how to make use of these mechanisms. This paper shows a very strong result: there exist failover implementations for OpenFlow that achieve a maximal robustness, in the sense that connectivity is always ensured as long as the underlying physical network is connected. In particular, we show that the problem of computing failover tables is related to graph search, and present three different algorithms achieving different tradeoffs, in terms of the number of required failover rules, the number of tags, as well as the resulting path lengths. Our work can also be seen as a first attempt to implement classic graph algorithms in OpenFlow.


ACM Special Interest Group on Data Communication | 2016

In-Band Synchronization for Distributed SDN Control Planes

Liron Schiff; Stefan Schmid

Control planes of forthcoming Software-Defined Networks (SDNs) will be distributed: to ensure availability and fault-tolerance, to improve load-balancing, and to reduce overheads, modules of the control plane should be physically distributed. However, in order to guarantee consistency of network operation, actions performed on the data plane by different controllers may need to be synchronized, which is a nontrivial task. In this paper, we propose a synchronization framework for control planes based on atomic transactions, implemented in-band, on the data-plane switches. We argue that this in-band approach is attractive as it keeps the failure scope local and does not require additional out-of-band coordination mechanisms. It allows us to realize fundamental consensus primitives in the presence of controller failures, and we discuss their applications for consistent policy composition and fault-tolerant control planes. Interestingly, by using part of the data plane configuration space as a shared memory and leveraging the match-action paradigm, we can implement our synchronization framework in today's standard OpenFlow protocol, and we report on our proof-of-concept implementation.


International Colloquium on Automata, Languages and Programming | 2008

Impossibility of a Quantum Speed-Up with a Faulty Oracle

Oded Regev; Liron Schiff

We consider Grover's unstructured search problem in the setting where each oracle call has some small probability of failing. We show that no quantum speed-up is possible in this case.


IEEE Symposium on Security and Privacy | 2016

PRI: Privacy Preserving Inspection of Encrypted Network Traffic

Liron Schiff; Stefan Schmid

Traffic inspection is a fundamental building block of many security solutions today. For example, to prevent the leakage or exfiltration of confidential insider information, as well as to block malicious traffic from entering the network, most enterprises today operate intrusion detection and prevention systems that inspect traffic. However, the state-of-the-art inspection systems do not reflect well the interests of the different autonomous roles involved. For example, employees in an enterprise, or a company outsourcing its network management to a specialized third party, may require that their traffic remains confidential, even from the system administrator. Moreover, the rules used by the intrusion detection system, or more generally the configuration of an online or offline anomaly detection engine, may be provided by a third party, e.g., a security research firm, and can hence constitute a critical business asset which should be kept confidential. Today, it is often believed that accounting for these additional requirements is impossible, as they contradict efficiency and effectiveness. In this paper we explore a novel approach, called Privacy Preserving Inspection (PRI), which provides a solution to this problem by preserving the privacy of traffic inspection and the confidentiality of inspection rules and configurations, and which also supports, e.g., the flexible installation of additional Data Leak Prevention (DLP) rules specific to the company.


Dependable Systems and Networks | 2016

Ground Control to Major Faults: Towards a Fault Tolerant and Adaptive SDN Control Network

Liron Schiff; Stefan Schmid; Marco Canini

To provide high availability and fault-tolerance, SDN control planes should be distributed. However, distributed control planes are challenging to design and bootstrap, especially if this is to be done in-band, without a dedicated control network, and without relying on legacy protocols. This paper promotes a distributed systems approach to build and maintain connectivity between a distributed control plane and the data plane. In particular, we make the case for a self-stabilizing distributed control plane, where from any initial configuration, controllers self-organize and quickly establish a communication channel among themselves. Given the resulting managed control plane, arbitrary network services can be implemented on top. This paper presents a model for the design of such self-stabilizing control planes, and identifies fundamental challenges. Subsequently, we present techniques which can be used to solve these challenges, and implement a plug & play distributed control plane which supports automatic topology discovery and management, as well as flexible controller membership: controllers can be added and removed dynamically. Interestingly, we argue that our approach can readily be implemented in today's OpenFlow protocol. Moreover, our approach comes with interesting security features.


Computer Networks | 2018

Detecting heavy flows in the SDN match and action model

Yehuda Afek; Anat Bremler-Barr; Shir Landau Feibish; Liron Schiff

Efficient algorithms and techniques to detect and identify large flows in a high throughput traffic stream in the SDN match-and-action model are presented. This is in contrast to previous work that either deviated from the match-and-action model by requiring additional switch-level capabilities or did not exploit the SDN data plane. Our construction has two parts: (a) new methods to efficiently sample in an SDN match-and-action model, and (b) new and efficient algorithms to detect large flows efficiently and in a scalable way, in the SDN model. Our large flow detection methods provide high accuracy and present a good and practical tradeoff between switch-controller traffic and the number of entries required in the switch flow table. Based on different parameters, we differentiate between heavy flows, elephant flows and bulky flows, and present efficient algorithms to detect flows of the different types. Additionally, as part of our heavy flow detection scheme, we present sampling methods to sample packets with arbitrary probability p per packet or per byte that traverses an SDN switch. Finally, we show how our algorithms can be adapted to a distributed monitoring SDN setting with multiple switches, and easily scale with the number of monitoring switches.


IEEE European Symposium on Security and Privacy | 2017

Outsmarting Network Security with SDN Teleportation

Kashyap Thimmaraju; Liron Schiff; Stefan Schmid

Software-defined networking is considered a promising new paradigm, enabling more reliable and formally verifiable communication networks. However, this paper shows that the separation of the control plane from the data plane, which lies at the heart of Software-Defined Networks (SDNs), introduces a new vulnerability which we call teleportation. An attacker (e.g., a malicious switch in the data plane or a host connected to the network) can use teleportation to transmit information via the control plane and bypass critical network functions in the data plane (e.g., a firewall), and to violate security policies as well as logical and even physical separations. This paper characterizes the design space for teleportation attacks theoretically, and then identifies four different teleportation techniques. We demonstrate and discuss how these techniques can be exploited for different attacks (e.g., exfiltrating confidential data at high rates), and also initiate the discussion of possible countermeasures. Generally, and given today's trend toward more intent-based networking, we believe that our findings are relevant beyond the use cases considered in this paper.


Software - Science, Technology and Engineering | 2016

Study the Past If You Would Define the Future: Implementing Secure Multi-party SDN Updates

Liron Schiff; Stefan Schmid

A highly available and robust control plane is a critical prerequisite for any Software-Defined Network (SDN) providing dependability guarantees. While there is a wide consensus that the logically centralized SDN controller should be physically distributed, today we do not have a good understanding of how to design such a distributed and robust control plane. This is problematic, given the potentially large influence an SDN controller has on the network state compared to the distributed legacy protocols: the control plane can be an attractive target for a malicious attack. This paper initiates the study of distributed SDN control planes which are resilient to malicious controllers, for example controllers which have been compromised by a cyber attack. We introduce an adversarial control plane model and observe that approaches based on redundancy or threshold cryptography are insufficient, as incomplete or outdated information about the network state introduces vulnerabilities. The approach presented in this paper is based on the insight that a control plane resilient to malicious behavior requires a basic notion of memory, and must be history-aware. In particular, we propose an in-band approach, implemented on the SDN switch, to efficiently coordinate the different controller actions and guarantee correct network updates even in the presence of malicious behavior. In our approach, the switch maintains a digest of the controller state and history, and only implements the update after verifying that a majority of controllers agree to the change. Our solution is not only robust but also, compared to existing consensus protocols such as Paxos, lightweight.


Architectures for Networking and Communications Systems | 2015

ORange: Multi Field OpenFlow based Range Classifier

Liron Schiff; Yehuda Afek; Anat Bremler-Barr

Configuring range-based packet classification rules in network switches is crucial to all network core functionalities, such as firewalls and routing. However, OpenFlow, the leading management protocol for SDN switches, lacks the interface to configure range rules directly and only provides mask-based rules, named flow entries. In this work we present ORange, the first solution to multi-dimensional range classification in OpenFlow. Our solution is based on paradigms used in state-of-the-art non-OpenFlow classifiers and is designed in a modular fashion allowing future extensions and improvements. We consider switch space utilization as well as atomic update functionality, and in the network context we provide flow consistency even if flows change their entrance point to the network during policy updates, a property we name cross-entrance consistency. Our scheme achieves remarkable results and is easy to deploy.


Computer Communications | 2018

The Show Must Go On: Fundamental Data Plane Connectivity Services for Dependable SDNs

Michael Borokhovich; Clement Rault; Liron Schiff; Stefan Schmid

Software-defined network (SDN) architectures raise the question of how to deal with situations where the indirection via the control plane is not fast enough or not possible. In order to provide high availability, connectivity, and robustness, dependable SDNs must support basic functionality also in the data plane. In particular, SDNs should implement functionality for in-band network traversals, e.g., to find failover paths in the presence of link failures. This paper shows that robust in-band network traversal schemes for dependable SDNs are feasible, and presents three fundamentally different mechanisms: simple stateless mechanisms, efficient mechanisms based on packet tagging, and mechanisms based on dynamic state at the switches. We show how these mechanisms can be implemented in today's SDNs and discuss different applications.

Collaboration

Top co-authors of Liron Schiff:

Anat Bremler-Barr, Interdisciplinary Center Herzliya
Kashyap Thimmaraju, Technical University of Berlin
Marco Canini, Université catholique de Louvain
Michael Borokhovich, Ben-Gurion University of the Negev
Elad Michael Schiller, Chalmers University of Technology
Iosif Salem, Chalmers University of Technology