
Chapter 4 SDN Data Plane and OpenFlow

This document provides an overview of the SDN data plane and OpenFlow protocol. It describes the basic functions of the SDN data plane such as data forwarding and control support. It then explains the key components of an OpenFlow switch including the flow table, group table, meter table, and ports. The flow table structure is defined as consisting of match fields, priority, counters, instructions, and actions. OpenFlow allows programming of the flow tables through its southbound protocol.

Uploaded by

rhouma rhouma

CHAPTER 4: SDN DATA PLANE AND OPENFLOW

ITNW 4109 Innovations in Network & Security


Objectives
After studying this chapter, you should be able to:
• Present an overview of the functions of the SDN data plane.
• Give a brief account of data plane protocols.
• Understand the concept of an OpenFlow switch.
• Describe and explain the OpenFlow flow table structure.
• Understand the basic messages of the OpenFlow protocol.

SDN Data Plane
• The SDN data plane (referred to as the infrastructure layer) is where network forwarding devices perform the transport and processing of data according to decisions made by the SDN control plane.
• The important characteristic of the network devices in an SDN network is that these devices perform a simple forwarding function, without embedded software to make autonomous decisions.

Data Plane Functions
• Figure 4.2 illustrates the functions performed by the data plane network devices (also called switches).
• The principal functions of the network device are the following:
  - Control support function
  - Data forwarding function

Data Plane Functions
• The network device in Figure 4.2 is shown with three I/O ports: one providing control communication with an SDN controller, and two for the input and output of data packets.
• This is a simple example. The network device may have multiple ports to communicate with multiple SDN controllers, and may have more than two I/O ports for packet flows into and out of the device.

Data Plane Functions
• Control support function: Interacts with the SDN control layer to support programmability via resource-control interfaces.
• The switch communicates with the controller and the controller manages the switch via the OpenFlow protocol.

Data Plane Functions
• Data forwarding function: Accepts incoming data flows from other network devices and end systems and forwards them along the data forwarding paths that have been computed and established according to the rules defined by the SDN applications.

Data Plane Functions
• These forwarding rules used by the network device are embodied in forwarding tables that indicate for given categories of packets what the next hop in the route should be.
• In addition to simple forwarding of a packet, the network device can alter the packet header before forwarding, or discard the packet.

Data Plane Functions
• As shown, arriving packets may be placed in an input queue, awaiting processing by the network device, and forwarded packets are generally placed in an output queue, awaiting transmission.

Data Plane Protocols
• Figure 4.2 suggests the protocols supported by the network device.
• Data packet flows consist of streams of IP packets.
• It may be necessary for the forwarding table to define entries based on fields in upper-level protocol headers, such as TCP, UDP, or some other transport or application protocol.
• The network device examines the IP header and possibly other headers in each packet and makes a forwarding decision.

Data Plane Protocols
• The other important flow of traffic is via the southbound application programming interface (API), consisting of OpenFlow protocol data units (PDUs) or some similar southbound API protocol traffic.

OpenFlow
• OpenFlow is a Layer 2 communications protocol that gives access to the forwarding plane of a network switch or router over the network.
• OpenFlow is the first standard communications interface defined between the control and forwarding layers of an SDN architecture.
• OpenFlow allows direct access to and manipulation of the forwarding plane of network devices such as switches and routers, both physical and virtual (hypervisor-based).
• OpenFlow is an open interface for remotely controlling the forwarding tables in network switches, routers, and access points.

OpenFlow
• OpenFlow is defined in the OpenFlow Switch Specification, published by the Open Networking Foundation (ONF).
• OpenFlow is the most widely used implementation of the SDN data plane.
• OpenFlow is both a specification of the logical structure of data plane functionality and a protocol between SDN controllers and network devices.

OpenFlow
• Figure 4.3 indicates the main elements of an OpenFlow environment, consisting of
  - SDN controllers that include OpenFlow software,
  - OpenFlow switches, and
  - end systems.

OpenFlow switch
• This section covers the OpenFlow switch architecture defined by ONF.
• An OpenFlow switch consists of one or more flow tables, a group table, and a meter table. It includes a data path and a control channel.
• A single switch can be managed by one or more controllers.

Components of an OpenFlow switch
• Figure 4.4 displays the main components of an OpenFlow switch:
  - OpenFlow channel
  - Flow table
  - Group table
  - Meter table
  - Port

OpenFlow Channel
• The OpenFlow channel is an interface between an OpenFlow switch and an OpenFlow controller, used by the controller to manage the switch.
• An SDN controller communicates with OpenFlow-compatible switches using the OpenFlow protocol.

OpenFlow port
• A port connects to other OpenFlow switches and to end-user devices that are the sources and destinations of packet flows.
• OpenFlow port: Where packets enter and exit the OpenFlow pipeline.
• A packet can be forwarded from one OpenFlow switch to another OpenFlow switch only via an output OpenFlow port on the first switch and an ingress OpenFlow port on the second switch.

Flow Table
• Flow table: the standard table, which allows a packet to be forwarded to a single port.
• A flow table matches incoming packets to a particular flow and specifies what functions are to be performed on the packets.
• The flow tables and group table are used during the lookup or forwarding phase in order to forward the packet to the appropriate port.

Flow Table
• A flow is the set of packets going between a source and destination pair that share a set of header field values.
• For example, a flow could consist of all packets with the same source and destination IP addresses or all packets with the same virtual LAN (VLAN) identifier.
• In general terms, a flow is a sequence of packets going between a source and destination pair.
• A collection of flows is a flow table.

Flow Table
• Using the OpenFlow switch protocol, the controller can add, update, and delete flow entries in tables, both reactively (in response to packets) and proactively.
• A switch includes one or more flow tables.

Pipeline
• If there is more than one flow table, they are organized as a pipeline.
• The pipeline is the set of linked flow tables that provide matching, forwarding, and packet modification in a switch.
• The use of multiple tables in a pipeline, rather than a single flow table, provides the SDN controller with considerable flexibility.

Group Table
• Group table: A flow table may direct a flow to a group table, which may trigger a variety of actions that affect one or more flows.
• The group table is used for special actions like multicast, broadcast, load balancing, and others.
• The group table and group actions enable OpenFlow to represent a set of ports as a single entity for forwarding packets.

Meter Table
• Meter table: A meter table can trigger a variety of performance-related (QoS) actions on a flow.
• It contains actions related to QoS management.
• The meter table is used to perform QoS operations ranging from simple ones like rate-limiting to complex ones like DiffServ.
OpenFlow Switch Operations
Flow Table Structure
• The basic building block of the logical switch architecture is the flow table.
• Each packet that enters a switch passes through one or more flow tables.
• Each flow table consists of a number of rows, called flow entries, consisting of seven components, as defined in the list that follows.

Flow Table Structure
• Match fields: Used to select packets that match the values in the fields. An OpenFlow switch has a table of packet-handling rules, where each rule has a pattern that matches on bits in the packet header.
• Priority: Relative priority of table entries. This is a 16-bit field with 0 corresponding to the lowest priority. In principle, there could be 2^16 = 64k priority levels. Priority disambiguates between rules with overlapping patterns.
• Upon receiving a packet, an OpenFlow switch identifies the highest-priority matching rule, performs the associated actions, and increments the counters.

Flow Table Structure
• Counters: Updated for matching packets in that particular flow. A set of counters tracks the number of bytes and packets.
• The OpenFlow specification defines a variety of counters:
  - Table counters, e.g. packet lookups/matches
  - Flow counters, e.g. packets/bytes received
  - Port counters, e.g. packets/bytes transmitted/received, drops

Flow Table Structure
• Instructions: Attached to a flow entry; they describe the OpenFlow processing that happens when a packet matches the flow entry.
• An instruction usually contains a set of actions:
  - Forward packet to port(s)
  - Encapsulate and forward to controller
  - Drop packet
  - Send to normal processing pipeline
  - Modify header fields

Flow Table Structure
• Actions taken on the packet flow based on the match in the header

Flow Table Structure
• Timeouts: Maximum amount of idle time before a flow is expired by the switch.
• Each flow entry has an idle_timeout and a hard_timeout associated with it.
• A nonzero hard_timeout field causes the flow entry to be removed after the given number of seconds, regardless of how many packets it has matched.
• A nonzero idle_timeout field causes the flow entry to be removed when it has matched no packets in the given number of seconds.

Flow Table Structure
• Cookie: 64-bit opaque data value chosen by the controller. May be used by the controller to filter flow statistics, flow modification, and flow deletion; not used when processing packets.
• Flags: Flags alter the way flow entries are managed; for example, the flag OFPFF_SEND_FLOW_REM triggers flow removed messages for that flow entry.
Flow Tables Structure
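The lookup behaviour described in the slides above (highest-priority match wins, counters are incremented, idle and hard timeouts remove entries, unmatched packets go to the controller) can be modelled in a few lines. This is an added example, not part of the original slides; the class names, the dictionary-based packet representation and the sample rules are constructed for illustration. The second lookup in `demo()` shows a point worth checking when reviewing controller policy: once a short-lived high-priority drop rule expires, the same packet falls through to the broader forwarding rule beneath it.

```python
from dataclasses import dataclass

@dataclass
class FlowEntry:
    match: dict             # header field -> required value; omitted fields are wildcards
    priority: int           # 16-bit field, 0 = lowest
    actions: list
    idle_timeout: int = 0   # seconds; 0 disables the timeout
    hard_timeout: int = 0
    installed: float = 0.0
    last_hit: float = 0.0
    packets: int = 0        # flow counters
    byte_count: int = 0

class FlowTable:
    def __init__(self):
        self.entries, self.lookups, self.matched = [], 0, 0  # last two: table counters

    def add(self, entry, now):
        if not 0 <= entry.priority <= 0xFFFF:
            raise ValueError("priority must fit in 16 bits")
        entry.installed = entry.last_hit = now
        self.entries.append(entry)

    def expire(self, now):
        gone = [e for e in self.entries if (e.hard_timeout and now - e.installed >= e.hard_timeout)
                or (e.idle_timeout and now - e.last_hit >= e.idle_timeout)]
        self.entries = [e for e in self.entries if not any(e is g for g in gone)]
        return gone  # what a switch would report in flow-removed messages

    def lookup(self, pkt, size, now):
        self.expire(now)
        self.lookups += 1
        hits = [e for e in self.entries if all(pkt.get(k) == v for k, v in e.match.items())]
        if not hits:
            return ["packet_in"]  # no matching entry: packet goes to the controller
        best = max(hits, key=lambda e: e.priority)  # highest priority wins on overlap
        best.packets += 1
        best.byte_count += size
        best.last_hit = now
        self.matched += 1
        return best.actions

def demo():  # constructed rules: a short-lived drop rule overlapping a broader forward rule
    t = FlowTable()
    t.add(FlowEntry({"ip_dst": "10.0.0.5"}, 100, ["output:2"]), now=0)
    t.add(FlowEntry({"ip_dst": "10.0.0.5", "tcp_dst": 23}, 200, ["drop"], hard_timeout=30), now=0)
    telnet = {"ip_dst": "10.0.0.5", "tcp_dst": 23}
    return t.lookup(telnet, 60, now=1), t.lookup(telnet, 60, now=31), t
```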
OpenFlow Protocol
• The OpenFlow protocol describes message exchanges that take place between an OpenFlow controller and an OpenFlow switch.
• The OpenFlow protocol enables the controller to manage the logical structure of a switch, without regard to the details of how the switch implements the OpenFlow logical architecture.
• The OpenFlow protocol enables the controller to perform add, update, and delete actions to the flow entries in the flow tables.

OpenFlow Messages
• The OpenFlow switch protocol supports three message types:
  - Controller-to-switch messages are initiated by the controller and used to directly manage or inspect the state of the switch.
  - Asynchronous messages are initiated by the switch and used to update the controller of network events and changes to the switch state.
  - Symmetric messages are initiated by either the switch or the controller and sent without solicitation.

Controller to switch Messages
• Controller-to-switch messages are initiated by the controller and may or may not require a response from the switch.
• Features: The controller may request the identity and the basic capabilities of a switch by sending a features request. The switch replies with a list of ports, port speeds, supported tables, and actions.
• Configuration: The controller is able to set and query configuration parameters in the switch.
• Modify state: Sent by the controller to manage state on the switches, i.e., add, delete, or modify flow tables.

Controller to switch Messages
• Read state: Used by the controller to collect various information from the switch, such as current configuration, statistics, and capabilities. The controller queries table, flow, or port counters.
• Packet out: Used by the controller to send packets out of a specified port on the switch and to forward packets received via Packet-in messages.
• Barrier: Used to ensure message dependencies have been met or to receive notifications for completed operations.

Asynchronous Messages
• These types of messages are initiated by the switch, and sent to the controller without solicitation from the controller.
• Packet in: Transfers the control of a packet to the controller. All packets that do not have a matching flow entry are encapsulated and sent to the controller.
• Flow removed: Informs the controller about the removal of a flow entry from a flow table. Sent to the controller when a flow expires due to idle or hard timeouts.
• Port status: Informs the controller of a change on a port. Generated if a port is brought down.
• Error: The switch is able to notify controllers of problems using error messages.

Symmetric Messages
• These messages are sent without solicitation from either the controller or the switch.
• They are simple yet helpful.
• Hello: Hello messages are exchanged between the switch and controller upon connection startup. Sent during the handshake, i.e., secure channel setup.
• Echo: Echo request and reply messages can be used by either the switch or controller to measure the latency or bandwidth of a controller-switch connection or just verify that the device is up and running (live).
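
The three message categories above map directly onto a check that a monitor on the control channel can apply: parse the fixed OpenFlow header and flag messages whose type does not fit the side that sent them. This is an added example, not part of the original slides; it assumes OpenFlow 1.3 (wire version 0x04) and its type codes, groups Error as asynchronous as this page does but does not direction-check it (an assumption, since either side may send it in later versions), and the function names and byte strings are constructed.

```python
import struct

# OpenFlow 1.3 ofp_type codes for the messages named above, grouped as on this page.
TYPES = {
    0: ("HELLO", "symmetric"), 2: ("ECHO_REQUEST", "symmetric"), 3: ("ECHO_REPLY", "symmetric"),
    1: ("ERROR", "asynchronous"), 10: ("PACKET_IN", "asynchronous"),
    11: ("FLOW_REMOVED", "asynchronous"), 12: ("PORT_STATUS", "asynchronous"),
    5: ("FEATURES_REQUEST", "controller-to-switch"), 9: ("SET_CONFIG", "controller-to-switch"),
    13: ("PACKET_OUT", "controller-to-switch"), 14: ("FLOW_MOD", "controller-to-switch"),
    18: ("MULTIPART_REQUEST", "controller-to-switch"),
    20: ("BARRIER_REQUEST", "controller-to-switch"),
}
HEADER = struct.Struct("!BBHI")  # version, type, length, xid (8 bytes, network byte order)

def check_header(data, sender):
    """Parse one message header; sender is 'controller' or 'switch' (known from the TCP side).
    Returns (name, category, xid, issues)."""
    if len(data) < HEADER.size:
        return None, None, None, ["truncated header"]
    version, mtype, length, xid = HEADER.unpack_from(data)
    name, category = TYPES.get(mtype, (f"TYPE_{mtype}", "unknown"))
    issues = []
    if version != 0x04:
        issues.append(f"unexpected version 0x{version:02x}")
    if length < HEADER.size or length > len(data):
        issues.append(f"bad length {length} for {len(data)} bytes captured")
    expected = {"controller-to-switch": "controller", "asynchronous": "switch"}.get(category)
    if expected and name != "ERROR" and sender != expected:
        issues.append(f"{name} sent by {sender}")
    return name, category, xid, issues

def demo():
    # Constructed byte strings: real headers, zero-filled body where one is needed.
    hello = HEADER.pack(0x04, 0, 8, 1)
    misdirected_flow_mod = HEADER.pack(0x04, 14, 56, 7) + bytes(48)
    return [check_header(hello, "switch"),
            check_header(misdirected_flow_mod, "switch"),
            check_header(b"\x04\x0a\x00", "switch")]
```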
Acknowledgement: content taken from
Foundations of Modern Networking: SDN, NFV, QoE, IoT, and Cloud
William Stallings
Pearson Education, Inc.
