Advanced Hybrid Information Processing. Second EAI International Conference, ADHIP 2018, Yiyang, China, October 5-6, 2018, Proceedings

Research Article

A Fine-Grained Detection Mechanism for SDN Rule Collision

  • @INPROCEEDINGS{10.1007/978-3-030-19086-6_60,
        author={Qiu Xiaochen and Zheng Shihui and Gu Lize and Cai Yongmei},
        title={A Fine-Grained Detection Mechanism for SDN Rule Collision},
        proceedings={Advanced Hybrid Information Processing. Second EAI International Conference, ADHIP 2018, Yiyang, China, October 5-6, 2018, Proceedings},
        proceedings_a={ADHIP},
        year={2019},
        month={5},
        keywords={Software-defined network, OpenFlow, Flow table, Collision detection and resolution},
        doi={10.1007/978-3-030-19086-6_60}
    }
    
  • Qiu Xiaochen
    Zheng Shihui
    Gu Lize
    Cai Yongmei
    Year: 2019
    A Fine-Grained Detection Mechanism for SDN Rule Collision
    ADHIP
    Springer
    DOI: 10.1007/978-3-030-19086-6_60
Qiu Xiaochen1, Zheng Shihui1,*, Gu Lize1, Cai Yongmei2
  • 1: Beijing University of Posts and Telecommunication
  • 2: Xinjiang University of Finance and Economics
*Contact email: shihuizh@bupt.edu.cn

Abstract

The rules issued by third-party applications may directly or indirectly violate existing security flow rules in an SDN (software-defined network), causing the security rules to fail. Existing methods cannot detect rule collisions in a comprehensive and fine-grained manner. This paper proposes a deep detection mechanism for rule collision that detects grammatical errors in the flow rules themselves and, based on the set intersection method, detects direct and indirect rule collisions between third-party and security applications. In addition, our mechanism can effectively and automatically resolve rule collisions. Finally, we implement the detection mechanism in the RYU controller and use Mininet to evaluate its function and performance. The results show that the mechanism proposed in this paper can accurately detect the static, dynamic and dependency collisions of flow rules, and ensure that the decline of throughput of the northbound interface of the SDN network is controlled at 20%.