Data communication systems exchange user data for user devices to provide various data communication services. The user devices may be phones, computers, media players, and the like. The data communication services might be media streaming, audio/video conferencing, data messaging, or internet access. Software-Defined Networks (SDNs) have become a popular data communication system to deliver these data communication services.
An SDN has applications, controllers, and data machines. The SDN controllers expose network-level control-plane Application Programming Interfaces (APIs) to the SDN applications. The SDN applications call these SDN controller APIs to implement the data communication services. In a like manner, the SDN data machines expose network-level data-plane APIs to the SDN controllers. The SDN controllers call these SDN data machine APIs to implement the data communication services. The SDN data machines process user data in response to the SDN data machine API calls.
For example, an SDN application may determine that an update to an SDN Flow Descriptor Table (FDT) is required to support a user data service. The SDN application calls a controller API with the FDT update. The SDN controller calls a data machine API with the FDT update. The SDN data machine updates its FDT responsive to the data machine API call from the SDN controller. Subsequently, the SDN data machine receives user data packets, matches the packet addresses to an action in the updated FDT, and performs the action on the user data packets. The SDN data machines may forward, drop, or store the user data packets based on the FDT.
Many SDNs run on Network Function Virtualization (NFV) computer systems. NFV computer systems have Virtual Network Functions (VNFs) that perform like typical communication network elements or portions of these network elements. The VNFs run under the control of hypervisors that control VNF access to NFV hardware (circuitry, memory, communication interfaces). To implement a data communication service, an NFV Management and Orchestration (MANO) system drives the NFV hardware to execute and support the VNFs based on NFV service descriptors for the data communication service. In NFV-SDN systems, the VNFs may be SDN applications, SDN controllers, and SDN virtual data machines.
Unfortunately, current SDN controllers are not efficiently and effectively configured to process API calls from SDN applications. In particular, SDN applications and controllers in an NFVI do not securely interact. SDN applications lack integrity in current SDN systems.