SDN Assignment 2

The document discusses the benefits and drawbacks of OpenFlow's central control model. It notes that the central controller simplifies network management by allowing policies to be applied from a single point. However, not all flows need be centrally managed. Microflows can be handled by switches, while significant flows impacting QoS should involve the controller. The controller has a holistic view but centralized control presents security risks if the software is attacked. SPB and BGP-LS are given as examples of layer 2 and 3 protocols using distributed intelligence in SDNs. Intrusion detection, load balancing and firewalls are listed as common inline network functions. A diagram is provided showing the SDN architecture with the control, infrastructure and

Uploaded by

Chivige Lenon

Lloyd Chivige: R093439Q

1. Discuss the benefits of OpenFlow’s central-control model that are worth preserving,
and which could be tossed overboard to lighten the load.

The centralised OpenFlow controller simplifies network management: policies are applied
once, from a single point, eliminating the arduous task of visiting every node on the
network.

Compared with conventional networks, where one would visit every node to implement a policy,
SDN offers the flexibility to apply a policy with a mouse click, reducing the chance of error
to very low levels. In the same way, OpenFlow can provide globally optimal admission control
and flow routing in support of QoS policies, in cases where a hop-by-hop QoS mechanism cannot
always provide global optimality.
On the contrary, one should not be blinded into thinking that all flow setups should be managed
by a central controller. Specifically, one would argue that microflows can be divided into three
different classes: security-sensitive flows, which may require central management to maintain
security properties; significant flows, which should be handled centrally to maintain global QoS
and congestion properties; and normal flows, whose configuration can be delegated to individual
switches.

The central controller has a holistic view of the whole network, hence offering universally
optimal management of network traffic.

Regardless of whether the controller should be involved in admission-control decisions at the start
of certain flows, in order to properly manage the performance of a network, the controller needs to
know about the current loads on network elements. (This assumes that we want to exploit statistical
multiplexing gain, rather than strictly controlling flow admission to prevent oversubscription.)
Further, the controller may need to know which flows are creating loads on certain links, so as to
possibly re-route or throttle problematic flows, and to forecast future network loads. For example,
NOX “can utilize real-time information about network load to install flows on uncongested links.”

When the network control plane is implemented in software, as with the centralised OpenFlow
controller, rather than in firmware, administrators can manage network traffic more dynamically
and at a more granular level. This was not possible with traditional networks. However, it is
also key to consider the possibility of a threat attacking that software and the magnitude of
such an incident: malicious software thrives in software, and this may mean the whole control
system is affected in no time.

Another benefit of OpenFlow switches is that they are relatively simple and future-proof, since
policy is managed by controller software, unlike in traditional networks where it was managed
by switch hardware or firmware; surely this is a property worth maintaining. We believe that
our DevoFlow proposal, while adding some complexity to the design, maintains a reasonable
balance of switch simplicity vs. system performance, and may actually simplify the task of a
switch designer who seeks a high-performance implementation.

2. Citing any 2 layer two (bridging) and layer three (routing) protocols explain how the distributed
intelligence concept is performed in Software Defined Networks.
Layer two (bridging) protocol

Shortest-Path Bridging (SPB) and BGP-LS (Border Gateway Protocol-Link State) are examples of
bridging and routing protocols in SDN.

SPB is a computer networking technology intended to simplify the creation and configuration of
networks while enabling multipath routing. Within an SDN with distributed intelligence, Shortest
Path Bridging (SPB) delivers traffic on the shortest path available and enables network
virtualisation in carrier-grade networks and data centres. This protocol was developed to
address the challenges of the conventional STP, for example slow convergence. With SPB
intelligence, SDNs become a scalable, fast-converging, multi-path fabric. With IS-IS
(Intermediate System to Intermediate System) as the link-state protocol, shortest-path
calculations are straightforward in SDNs.
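The "distributed intelligence" of a link-state fabric such as SPB/IS-IS is that every bridge holds the same link-state database and computes its own shortest paths from it, with equal-cost paths kept for multipath forwarding. The following is an added example written for this page, not code from the assignment or from any SPB implementation; the bridge names, links and costs in LSDB are constructed for illustration, and the functions are hypothetical names chosen here.

```python
"""
Added example: each bridge runs Dijkstra over a shared, constructed link-state
database (LSDB) and derives its own next hops, keeping all equal-cost paths
(the multipath property the text attributes to SPB).
"""
import heapq
from collections import defaultdict

# Constructed LSDB: (bridge_a, bridge_b, link_cost); links are bidirectional.
LSDB = [
    ("B1", "B2", 1), ("B1", "B3", 1),
    ("B2", "B4", 1), ("B3", "B4", 1),   # two equal-cost paths B1 -> B4
    ("B4", "B5", 1), ("B2", "B5", 3),   # the direct B2-B5 link is more expensive
]

def build_adjacency(lsdb):
    adj = defaultdict(dict)
    for a, b, cost in lsdb:
        adj[a][b] = cost
        adj[b][a] = cost
    return adj

def shortest_paths(adj, root):
    """Dijkstra from `root`. Returns (dist, preds); preds[n] is the set of ALL
    predecessors of n on equal-cost shortest paths, so multipath is preserved."""
    dist = {root: 0}
    preds = defaultdict(set)
    heap = [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue                      # stale heap entry
        for nxt, cost in adj[node].items():
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                preds[nxt] = {node}
                heapq.heappush(heap, (nd, nxt))
            elif nd == dist[nxt]:
                preds[nxt].add(node)      # equal-cost alternative
    return dist, preds

def next_hops(adj, root, dest):
    """All equal-cost next hops from `root` towards `dest` (the ECMP set)."""
    dist, preds = shortest_paths(adj, root)
    if dest not in dist:
        return set()
    hops, seen, stack = set(), set(), [dest]
    while stack:                          # walk predecessor sets back to root
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        for p in preds[n]:
            if p == root:
                hops.add(n)               # n is directly attached to root
            else:
                stack.append(p)
    return hops

def forwarding_tables(lsdb):
    """What every bridge computes independently from the same LSDB:
    bridge -> {destination -> set of next hops}."""
    adj = build_adjacency(lsdb)
    return {b: {d: next_hops(adj, b, d) for d in adj if d != b} for b in adj}

if __name__ == "__main__":
    for bridge, table in forwarding_tables(LSDB).items():
        print(bridge, table)
```

Because every bridge derives its table from the same database, a change in the LSDB (a failed link, a changed cost) converges by re-running the local computation rather than by a controller pushing new forwarding state to each node.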

BGP-LS (Border Gateway Protocol-Link State) is a routing protocol in SDN networks. Like other
routing protocols, it is essential in determining how the nodes connect to each other. BGP-LS
specifically is a protocol used to carry link-state information and make it accessible to
external entities such as SDN controllers. BGP-LS is an excellent, secure, resilient alternative
to OpenFlow in SDNs. The BGP-LS protocol is considered a distributed-intelligence transfer
protocol between the SDN controller and the forwarding devices, because it links the SDN
controller with the forwarding devices in a distributed SDN system until the packet reaches
its intended destination. Value brought by BGP-LS in SDNs includes: integration between SDNs
and legacy networks, exception routing and forwarding, and Distributed Denial of Service mitigation.

3. State and explain any three SDN in-line network functions.

I. Intrusion detection systems (IDS) and intrusion prevention systems (IPS)
II. Load balancers
III. Firewalls
are examples of SDN inline network functions.
Intrusion detection and intrusion prevention systems - The role of an intrusion detection
system is to inspect and analyse packets for unwanted and possibly malicious traffic. An
example of such a system is Neptune, which can use supervised learning on network flow
statistics to train a classifier and classify live traffic. If a threat is detected in the
inspected traffic, action is consequently taken. The system is used to detect and analyse
both inbound and outbound network traffic for malicious activities. An intrusion prevention
system (IPS) can be aligned with an IDS by proactively inspecting a system's incoming traffic
to mitigate harmful requests.

Load balancing in SDNs separates the physical network control plane from the data plane.
Most, if not all, load-balancing techniques in SDN networks involve some packet inspection
and choosing the destination in order to distribute the load equally across the entire set
of servers. This eventually leads to discovery of the best path and servers for the fastest
delivery of requests.

Firewalls are essential elements of SDN network security, just as they are in conventional
networks. Their major role is to filter and scan the traffic into and out of the network, with
the ability to block or admit data flows according to predefined rules. The decision is
reached after a packet is inspected in depth; the filtering rules may include source or
destination IP addresses and the protocol used.
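To make the firewall description concrete, here is an added example (written for this page, not code from the assignment or from any controller project) of a firewall policy expressed as a priority-ordered rule table of the kind an SDN controller would push to switches as flow entries. The subnets, hosts, rule set and the field names in to_flow_entry are constructed and illustrative, not a real controller's API.

```python
"""
Added example: an SDN firewall policy as priority-ordered rules matched on
source/destination IP, protocol and destination port, with an explicit
default deny. Highest-priority match wins, as in an OpenFlow flow table.
"""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp", "udp" or "icmp"
    dst_port: int = 0   # 0 for protocols without ports

@dataclass(frozen=True)
class Rule:
    priority: int
    action: str               # "allow" or "drop"
    src: str = "0.0.0.0/0"    # CIDR; the default matches any address
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dst_port: int = 0         # 0 means any port

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dst_port in (0, pkt.dst_port))

# Constructed policy: the internal subnet may reach the web server on 443,
# nobody may reach the management host, ICMP is allowed, all else is dropped.
POLICY = [
    Rule(300, "drop",  dst="10.0.0.250/32"),
    Rule(200, "allow", src="10.0.0.0/24", dst="10.0.0.10/32", proto="tcp", dst_port=443),
    Rule(100, "allow", proto="icmp"),
    Rule(0,   "drop"),   # explicit default deny
]

def decide(policy, pkt):
    """Evaluate rules in descending priority; first match decides.
    Returns (action, priority of the matching rule)."""
    for rule in sorted(policy, key=lambda r: r.priority, reverse=True):
        if rule.matches(pkt):
            return rule.action, rule.priority
    return "drop", -1     # reached only if the policy has no catch-all rule

def to_flow_entry(rule):
    """Render a rule as the kind of flow entry a controller installs on a
    switch. The match keys and action strings are illustrative only."""
    match = {}
    if rule.src != "0.0.0.0/0":
        match["ipv4_src"] = rule.src
    if rule.dst != "0.0.0.0/0":
        match["ipv4_dst"] = rule.dst
    if rule.proto != "any":
        match["ip_proto"] = rule.proto
    if rule.dst_port:
        match["tp_dst"] = rule.dst_port
    action = "OUTPUT:NORMAL" if rule.action == "allow" else "DROP"
    return {"priority": rule.priority, "match": match, "actions": [action]}

if __name__ == "__main__":
    for r in POLICY:
        print(to_flow_entry(r))
    print(decide(POLICY, Packet("10.0.0.5", "10.0.0.10", "tcp", 443)))
```

The ordering matters: the management-host drop carries the highest priority so that it wins even for a source inside the otherwise-allowed subnet, and the lowest-priority catch-all makes the default-deny stance explicit in the table rather than relying on a switch's table-miss behaviour.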

4. Using a diagram(s) describe the SDN operation. [20]

SDN Diagram
SDN Operation
SDNs provide for openness and programmability of the network.
At the centre of an SDN network there is a Network Operating System (NOS), also called the SDN
controller. The SDN controller is a logical entity that receives instructions or requirements
from the SDN application layer and relays them to the networking components. The NOS has core
services such as interfacing with network devices and providing a programmable interface to the
network applications. Some services include topology services, inventory services, statistics
services and host tracking. Topology services manage how forwarding devices connect to one
another. The inventory service records all SDN-enabled devices and basic information about them.
The statistics service reads the counters of all forwarding devices, while the host tracker
locates where hosts' IP and MAC addresses are on the network.

On the south side of the SDN network we have the network forwarding devices, or the
infrastructure layer. The role of forwarding devices includes receiving packets, taking
actions on those packets and updating counters. The action may be to drop packets, modify
packet headers, or send packets out through one or more ports. Instructions on how to handle
traffic come from the control.

At the top there is the application layer/plane, where one finds network-focused applications.
Applications can build an abstracted view of the network by collecting information from the
controller for decision-making purposes. Network applications can serve a wide range of
functions. They can be customised/programmed to suit an organisation’s needs: if an organisation
desires a specific network behaviour, for example for security or traffic management, it can
develop an application for that.

Northbound interface - normally a RESTful interface allowing users to make standard HTTPS calls
towards the controller. This is the interface linking the controller with the application plane.
Southbound interface - this is where the OpenFlow protocol is found, enabling communication
between controllers and switches and other network nodes.

With this SDN architecture the network is an elastic resource and allows traffic slicing for
different workloads: for example, different traffic on the southbound side can be channelled to
different SDN controllers, while on the northbound side different traffic types can be handled
simultaneously by different applications.

Packet flow process - When a packet is received by a forwarding device, it queries the controller
on what to do with the packet: forward, modify or drop it. After this is done, the forwarding
device caches this decision for future reference and no longer needs to check with the
controller, resulting in quicker transmission in future. This process happens at every
forwarding device until the packet reaches its destination.
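The forwarding-device description and the packet flow process above can both be seen in one small simulation. This is an added example written for this page, not code from the assignment or from any OpenFlow controller or switch: a switch consults its flow table, sends a packet-in to the controller on a miss, caches the returned action (output, push a VLAN tag as the "modify" case, or drop) and updates per-flow counters. The switch names, host names, port numbers, blocklist and VLAN id are all constructed for illustration.

```python
"""
Added example: reactive flow setup across two switches. Only the first packet
of a flow at each switch causes a packet-in; later packets hit the cached
flow entry, and every match increments that entry's counter.
"""

class Controller:
    """Holds the policy and the topology; consulted only on a table miss."""
    def __init__(self, port_map, blocked=(), tagged=None):
        self.port_map = port_map        # switch name -> {dst host: output port}
        self.blocked = set(blocked)     # constructed: source hosts the policy drops
        self.tagged = tagged or {}      # constructed: dst host -> VLAN id to push
        self.packet_ins = 0

    def packet_in(self, switch, src, dst):
        """Decide forward / modify / drop for a (src, dst) flow at `switch`."""
        self.packet_ins += 1
        if src in self.blocked:
            return ("drop", None)
        port = self.port_map[switch].get(dst)
        if port is None:
            return ("flood", None)                       # unknown destination
        if dst in self.tagged:
            return ("push_vlan_output", (self.tagged[dst], port))   # modify header
        return ("output", port)

class Switch:
    def __init__(self, name, controller):
        self.name = name
        self.ctl = controller
        self.flow_table = {}            # (src, dst) -> cached (action, argument)
        self.counters = {}              # (src, dst) -> packets matched

    def receive(self, src, dst):
        key = (src, dst)
        if key not in self.flow_table:                   # table miss -> packet-in
            self.flow_table[key] = self.ctl.packet_in(self.name, src, dst)
        self.counters[key] = self.counters.get(key, 0) + 1
        return self.flow_table[key]

def send(path, src, dst):
    """Deliver one packet along a list of switches; a drop ends the path."""
    decisions = []
    for sw in path:
        decision = sw.receive(src, dst)
        decisions.append(decision)
        if decision[0] == "drop":
            break
    return decisions

def run_demo():
    # Constructed topology: h1 - S1 - S2 - h2, with h3 attached to S2 and blocked.
    ctl = Controller({"S1": {"h1": 1, "h2": 2}, "S2": {"h1": 1, "h2": 2, "h3": 3}},
                     blocked={"h3"}, tagged={"h2": 100})
    s1, s2 = Switch("S1", ctl), Switch("S2", ctl)
    for _ in range(5):
        send([s1, s2], "h1", "h2")      # first packet misses on both switches
    send([s2, s1], "h3", "h1")          # dropped at S2; S1 never sees it
    return {
        "packet_ins": ctl.packet_ins,
        "s1_count": s1.counters[("h1", "h2")],
        "s2_count": s2.counters[("h1", "h2")],
        "s1_flows": len(s1.flow_table),
        "s2_flows": len(s2.flow_table),
        "s2_h1_h2": s2.flow_table[("h1", "h2")],
        "h3_decision": s2.flow_table[("h3", "h1")][0],
    }

if __name__ == "__main__":
    print(run_demo())
```

Five packets of the same flow produce only two packet-ins (one per switch on the path), which is the caching the text describes; the per-flow counters are what the controller's statistics service would later read back, and a drop decision is cached too, so a blocked source keeps being dropped at the first switch without further controller involvement.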

5. Concisely explain the Ships in the Night OpenFlow architecture.

Ships in the Night (SIN) is a switch hybridisation approach anchored on the idea that each side of
the switch (OpenFlow and conventional) thinks it is alone, with no cooperation or coordination of
their actions. This means that there is no interaction between the OpenFlow and legacy control
planes, and the respective data planes are also isolated. The ONF is behind the idea of Ships in
the Night, for which it proposed a hybrid programmable forwarding plane (HPFP). With the Ships in
the Night approach, the switch applies traffic separation soon after ingress into two separate
domains, which may be OpenFlow and legacy network traffic. Ships in the Night can be considered a
conservative and practical strategy for a migration path of network switch architectures, where
new OpenFlow functionalities are incorporated into existing legacy equipment. The two common
approaches are either decoupling traffic by port (OpenFlow-defined ports and non-OpenFlow-defined
ports) or separating traffic by VLAN (OpenFlow-defined VLANs vs non-OpenFlow-defined VLANs). Some
vendor architectures went further, with SIN architectures offering three segregation criteria:
per-port, per-VLAN and per-flow segregation, for example the HP ProCurve. The diagram below
represents an SDN hybrid approach such as Ships in the Night, whereby one can have a combination
of both legacy network traffic (from legacy routers) and OpenFlow traffic on the hybrid SDN switch.

Advantages of the Ships in the Night architecture

- Simple to implement
- The SDN controller can easily implement load balancing at high data rates by just
directing different flows to different hosts
- Simplified traffic isolation
- It also allows for the development of new services and ideas entirely in software on the SDN
controller

Disadvantages

- Very hard (or impossible) to share information between nodes connected to OpenFlow
ports/VLANs and nodes connected to non-OpenFlow ports/VLANs.
- In the most common case, VLAN-based separation, users usually cannot be allowed to use VLANs
at all, since they could otherwise get into or out of the OpenFlow network, contrary to the
desired result.
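The per-port and per-VLAN separation, and the isolation disadvantage listed above, can be modelled in a few lines. This is an added example written for this page, not code from the assignment, the ONF or any vendor: a hybrid switch classifies each frame at ingress into the OpenFlow domain or the legacy domain and hands it to that domain's own pipeline, each with its own forwarding state. The port numbers, VLAN ids, hosts and the pre-installed OpenFlow rule are constructed for illustration.

```python
"""
Added example: a Ships-in-the-Night hybrid switch. Ingress classification is
per port first, then per VLAN; the two pipelines never share state, so the
OpenFlow side has no knowledge of hosts the legacy side has learned.
"""

class LegacyPipeline:
    """Conventional learning bridge: learns src MAC -> port, floods unknowns."""
    def __init__(self):
        self.mac_table = {}

    def handle(self, in_port, src, dst):
        self.mac_table[src] = in_port
        if dst in self.mac_table:
            return ("output", self.mac_table[dst])
        return ("flood", None)

class OpenFlowPipeline:
    """Flow table programmed by a controller; a miss becomes a packet-in."""
    def __init__(self, controller_rules):
        self.flow_table = dict(controller_rules)   # (src, dst) -> action
        self.misses = 0

    def handle(self, in_port, src, dst):
        if (src, dst) in self.flow_table:
            return self.flow_table[(src, dst)]
        self.misses += 1
        return ("packet_in", None)

class HybridSwitch:
    def __init__(self, openflow_ports=(), openflow_vlans=(), rules=()):
        self.of_ports = set(openflow_ports)   # per-port separation
        self.of_vlans = set(openflow_vlans)   # per-VLAN separation
        self.legacy = LegacyPipeline()
        self.openflow = OpenFlowPipeline(rules)

    def classify(self, in_port, vlan):
        """Traffic separation applied right after ingress."""
        if in_port in self.of_ports or vlan in self.of_vlans:
            return "openflow"
        return "legacy"

    def ingress(self, in_port, vlan, src, dst):
        domain = self.classify(in_port, vlan)
        pipeline = self.openflow if domain == "openflow" else self.legacy
        return domain, pipeline.handle(in_port, src, dst)

def run_demo():
    # Constructed: ports 5 and 6 and VLAN 200 belong to OpenFlow; the
    # controller has pre-installed one rule for the flow hX -> hY.
    sw = HybridSwitch(openflow_ports={5, 6}, openflow_vlans={200},
                      rules={("hX", "hY"): ("output", 6)})
    results = [
        sw.ingress(1, 10, "hA", "hB"),    # legacy: unknown dst -> flood, learns hA
        sw.ingress(2, 10, "hB", "hA"),    # legacy: hA known on port 1
        sw.ingress(5, 10, "hX", "hY"),    # OpenFlow port -> installed rule
        sw.ingress(3, 200, "hX", "hY"),   # legacy port but OpenFlow VLAN -> OpenFlow
        sw.ingress(5, 10, "hX", "hA"),    # OpenFlow side has never heard of hA
    ]
    return results, dict(sw.legacy.mac_table), sw.openflow.misses

if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The last frame is the disadvantage in action: hA is perfectly well known to the legacy bridge, but the OpenFlow pipeline cannot see that table, so the frame goes to the controller as a miss. The classification order (port, then VLAN) is a modelling choice here; what matters for the isolation property is only that each frame lands in exactly one domain.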
