1. Field of the Invention
The present invention relates generally to computer security, and more particularly but not exclusively to software defined networking.
2. Description of the Background Art
Software defined networking (SDN) is an emerging architecture for computer networking. Unlike traditional computer network architectures, SDN separates the control plane from the data plane. This provides many advantages, including relatively fast experimentation and optimization of switching and routing policies. SDN is applicable to both physical (i.e., real) and virtual computer networks.
The OpenFlow™ protocol is an open protocol for remotely controlling forwarding tables of network switches that are enabled for SDN. Generally speaking, the OpenFlow™ protocol allows direct access to and manipulation of the forwarding plane of network devices, such as switches and routers. A control plane of an OpenFlow™ protocol-compliant computer network (also referred to as an “OpenFlow™ controller”) may communicate with OpenFlow™ switches (i.e., network switches that are compliant with the OpenFlow™ protocol) to set flow policies that specify how the switches should manipulate packets of network traffic. Example packet manipulation actions include forwarding a packet to a specific port, modifying one or more fields of the packet, asking the controller for action to perform on the packet, or dropping the packet.
FIG. 1 shows a schematic diagram of an SDN computer network that is compliant with the OpenFlow™ protocol. Generally speaking, the OpenFlow™ protocol separates the control plane from the data plane. An OpenFlow™ controller serves as a control plane for making forwarding decisions based on flow policies, which may be stored in a flow policy database. The controller determines flow policies in conjunction with network forwarding setting and network topology. The flow policies may contain a condition and corresponding action to be performed when the condition is met. The action may specify how to manipulate a packet.
An OpenFlow™ switch serves as the data plane that forwards packets, e.g., from an ingress port to an egress port, according to flow tables maintained by the data plane. The data plane is a replacement of traditional switches. When the data plane does not know how to manipulate a specific packet, the data plane may request the controller to receive a flow rule for the specific packet, and store the flow rule in the flow tables. Other packets that meet the same condition as the specific packet will be processed in accordance with the flow rule. The control plane may also actively insert flow rules into the flow tables.