Flow Table Management

Source: Isyaku, B., Mohd Zahid, M. S., Bte Kamat, M., Abu Bakar, K., & Ghaleb, F. A. (2020).
Software defined networking flow table management of openflow switches performance
and security challenges: A survey. Future Internet, 12(9), 147.
 Problem
The increasing number of traffics due to the proliferation of the
Internet of Thing (IoT) devices may result in two problems:
(1) increased processing load of the controller, and
(2) insufficient space in the switches’ flow table to
accommodate the flow entries.
These problems may cause undesired network behavior and
unstable network performance, especially in large-scale networks.

How to improve the performance of Flow Table?

 Flow Table Implementation
• Flow Table is implemented using Ternary Content Addressable
Memory (TCAM).
– TCAM is a specialized high-speed memory.
– The term “ternary” refers to the memory's ability to store and
query data using three different inputs: 0, 1 and X.
– The “X” input, which is often referred to as a “don’t care” or
“wildcard” state, enables TCAM to perform broader searches
based on pattern matching, as opposed to binary CAM, which
performs exact-match searches using only 0s and 1s.
– CAM is often described as the opposite of random access
memory (RAM).
– To retrieve data on RAM, the operating system (OS) must
provide the memory address where the data is stored. Data stored
on CAM can be accessed by performing a query for the content
itself, and the memory retrieves the addresses where that data
can be found.
 Challenge
• TCAM is power-hungry, expensive, and available in limited
space or capacity that can only accommodate from 750 to
20,000 flow entries.
• Thus, the flow table is relatively small compared to the
number of required rules.
• The centralized architecture of SDN and space limitations of
the flow table introduce some performance and security issues.
OpenFlow Flow Table Memory
Management
 Timeout and Eviction Mechanisms

• When no packet matches an entry within its timeout period, it

will cause an entry to be evicted from the flow table to free
space for new incoming packets.
• Currently, there are two major methods for the OpenFlow
controller to install the timeout mechanism, idle and hard
timeout.
 Flow Rule Aggregation
• It reduces the number of required entries by merging multiple
flow entries into one aiming to preserve the original
forwarding semantic through wildcard rules.
Challenges
• The aggregation technique poses some challenges when
updating forwarding entries because of the failure in
preserving the original semantics of the rule in most cases.
• In addition, because of the diversity of switch vendor
implementation, some OpenFlow switches may not fully
support wildcard values matching fields.
 Flow Rule Split and Distribute
• Endpoint policies like firewall, load balancer rules are
enforced at edge switches.
• These policies always generate many forwarding rules.
• Due to insufficient flow table space (TCAM), a set of rules are
usually split into small sub-tables and distributed over the
network in a way that satisfies policies.
• The common objective of distributing schemes is to minimize
the number of entry rules for realizing policies in each switch.
• This way, optimization models are presented to decides which
rules to be placed on which switch while respecting memory
constraint and rule dependency.