RoSCo: Robust Updates for Software-Defined Networks

Abstract

In many Software-Defined Networking (SDN) deployments the control plane ends up being actually centralized, yielding a single point of failure and attack. This paper models the interaction between the data plane and a distributed control plane consisting of a set of failure-prone and potentially malicious (compromised) control devices, and implements a secure and robust controller platform that allows network administrators to integrate new network functionality as with a centralized approach. Concretely, the network administrator may program the data plane from the perspective of a centralized controller without worrying about distribution, asynchrony, failures, attacks, or coordination problems that any of these could cause. We introduce a formal SDN computation model for applying network policies and show that it is impossible to implement asynchronous non-blocking and strongly consistent SDN controller platforms in that model. We then present a robust SDN controller protocol (RoSCo) which implements (i) a protocol with provably linearizable semantics for applying network policies that is resilient against faulty/malicious control devices as long as a correct majority exists, and (ii) a modification to the protocol that improves performance by relaxing the guarantees of linearizability to exploit commutativity among updates. Extensive experiments conducted with a functional prototype of RoSCo over a large networked infrastructure supporting Open vSwitch (OVS)-compatible Agilio CX™ SmartNIC hardware show that RoSCo induces bearable overhead. In fact, RoSCo achieves higher throughput in most cases investigated than the seminal Ravana [35] platform which addresses only benign (crash) failures.

Authors
  • Lembke, James
  • Schmid, Stefan
  • Ravi, Srivatsan
  • Eugster, Patrick
Shortfacts
Category: Journal Paper
Divisions: Communication Technologies
Subjects: Computer Science, General
Journal or Publication Title: IEEE Journal on Selected Areas in Communications
ISSN: 0733-8716
Date: 2020