Unless otherwise indicated herein, the materials described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Software Defined Networking (SDN) is an ongoing infrastructure trend in which the control layer of a network is abstracted away from the switching layer. SDN uses a multi-layer approach, one layer of which is the switching layer. The switching layer may consist of simple commodity switches that contain network ports, network processors that process packets and extract their properties, and a set of rules that instruct the switch how to handle incoming packets. Switches, however, have limited space to hold rules, so in some cases one or more active rules in the switch are periodically replaced with stored rules in order to process incoming packets.
Changing a rule might consist of reprogramming the switch. Generally, an incoming packet that does not match any of the active rules in the switch is forwarded to a controller, which attempts to locate a matching rule in a set of stored rules. If a matching rule is located, the controller removes one of the active rules from the switch and installs the matching rule in the switch.
In some cases, a race condition might exist when the switch is not able to process a matching rule in time. In these cases, the switch might drop a packet, forward the packet to a wrong destination, or broadcast the packet in an effort to find the right destination. Broadcasting a packet, when rarely performed (e.g., new packets starting a new session), generally causes few problems. In a “rule map attack”, however, an attacker can force repeated broadcasting or loss of a target stream of packets, thus potentially obtaining copies of target data or breaking a connection.
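The rule-replacement loop and its race window can be made concrete with a small simulation. The following is an added example written for this page, not code from the patent or any SDN product: it models a switch with a fixed-capacity active-rule table and least-recently-used eviction, a controller that swaps in a stored rule on each table miss, and a monitor that counts how often each flow's packets are broadcast because no rule was active when they arrived. The flow names, table capacity, sample traffic, the "pinned rule" mitigation and the broadcast threshold are all constructed assumptions for illustration; real switches and controllers differ in their eviction policy and miss handling.

```python
"""Toy model of SDN active-rule replacement and a broadcast-thrashing monitor.

Added example, not part of the patent text. Names, capacities and the
sample traffic below are constructed for illustration.
"""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    match: str      # flow key a switch would extract from packet headers
    out_port: int


class Switch:
    """Fixed-capacity active-rule table with least-recently-used eviction.

    Rules in `pinned` are never chosen for eviction (the assumed mitigation);
    any other active rule may be replaced when the controller installs one.
    """
    BROADCAST = -1

    def __init__(self, capacity):
        self.capacity = capacity
        self.active = OrderedDict()   # match -> Rule, oldest first
        self.pinned = set()
        self.table_misses = 0

    def lookup(self, flow):
        rule = self.active.get(flow)
        if rule is not None:
            self.active.move_to_end(flow)   # refresh LRU position
        return rule

    def install(self, rule, pin=False):
        """Install `rule`, evicting the oldest unpinned rule if the table is full."""
        if rule.match not in self.active and len(self.active) >= self.capacity:
            victim = next((k for k in self.active if k not in self.pinned), None)
            if victim is None:
                return False          # every slot is pinned; nothing to replace
            del self.active[victim]
        self.active[rule.match] = rule
        self.active.move_to_end(rule.match)
        if pin:
            self.pinned.add(rule.match)
        return True


class Controller:
    """Holds the stored rules and swaps one into the switch on a table miss."""

    def __init__(self, stored_rules, pin_flows=()):
        self.stored = {r.match: r for r in stored_rules}
        self.pin_flows = set(pin_flows)

    def on_miss(self, switch, flow):
        rule = self.stored.get(flow)
        if rule is not None:
            switch.install(rule, pin=flow in self.pin_flows)
        return rule


class Monitor:
    """Per-flow broadcast counter; flags flows broadcast at least `threshold` times."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.broadcasts = {}

    def record_broadcast(self, flow):
        self.broadcasts[flow] = self.broadcasts.get(flow, 0) + 1

    def flagged(self):
        return sorted(f for f, n in self.broadcasts.items() if n >= self.threshold)


def forward(switch, controller, monitor, flow):
    """Return the egress port for one packet of `flow`.

    On a miss the controller installs the rule for *subsequent* packets; this
    packet falls into the race window and is broadcast, which the monitor records.
    """
    rule = switch.lookup(flow)
    if rule is not None:
        return rule.out_port
    switch.table_misses += 1
    controller.on_miss(switch, flow)
    monitor.record_broadcast(flow)
    return Switch.BROADCAST


def simulate(capacity, churn_count, rounds, threshold, pin_target=False):
    """Each round: one packet of a 'target' flow, then `churn_count` distinct other flows."""
    target = "target"
    churn = [f"churn-{i}" for i in range(churn_count)]
    stored = [Rule(target, 1)] + [Rule(f, 2) for f in churn]
    sw = Switch(capacity)
    ctl = Controller(stored, pin_flows=[target] if pin_target else ())
    mon = Monitor(threshold)
    target_broadcasts = 0
    for _ in range(rounds):
        if forward(sw, ctl, mon, target) == Switch.BROADCAST:
            target_broadcasts += 1
        for f in churn:
            forward(sw, ctl, mon, f)
    return {"target_broadcasts": target_broadcasts,
            "table_misses": sw.table_misses,
            "flagged": mon.flagged()}


if __name__ == "__main__":
    print("benign:   ", simulate(capacity=4, churn_count=2, rounds=10, threshold=3))
    print("thrashing:", simulate(capacity=4, churn_count=5, rounds=5, threshold=3))
    print("pinned:   ", simulate(capacity=4, churn_count=5, rounds=5, threshold=3, pin_target=True))
```

With two churn flows and a four-slot table, every flow misses once and is then served from the active table, which is the benign "new session" case the text mentions. With more distinct flows than slots, the target rule is evicted in every round and each target packet is broadcast again, so the broadcast counter for that flow climbs steadily; a per-flow broadcast or table-miss rate is therefore a usable signal for a controller-side or telemetry-based detector. Pinning the target's rule so it is never chosen for eviction keeps the churn flows thrashing but leaves the target flow with a single broadcast, which is the kind of protection a defender would want for sensitive streams.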