WO2018015792A1 - User data isolation in software defined networking (sdn) controller - Google Patents

User data isolation in software defined networking (sdn) controller Download PDF

Info

Publication number
WO2018015792A1
WO2018015792A1 PCT/IB2016/054400 IB2016054400W WO2018015792A1 WO 2018015792 A1 WO2018015792 A1 WO 2018015792A1 IB 2016054400 W IB2016054400 W IB 2016054400W WO 2018015792 A1 WO2018015792 A1 WO 2018015792A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
user data
copy
data portion
message
Prior art date
Application number
PCT/IB2016/054400
Other languages
French (fr)
Inventor
Ashutosh Bisht
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telefonaktiebolaget Lm Ericsson (Publ) filed Critical Telefonaktiebolaget Lm Ericsson (Publ)
Priority to PCT/IB2016/054400 priority Critical patent/WO2018015792A1/en
Publication of WO2018015792A1 publication Critical patent/WO2018015792A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic

Definitions

  • Embodiments of the invention relate to the field of communication networks, and more specifically, to preventing user data from being accessible to a Software Defined Networking (SDN) controller in an SDN network in order to limit the SDN controller from being exposed to security exploits.
  • SDN Software Defined Networking
  • SDN Software Defined Networking
  • the use of a split architecture network simplifies the network devices (e.g., switches) implementing the forwarding plane by shifting the intelligence of the network into one or more controllers that oversee the switches.
  • SDN facilitates rapid and open innovation at the network layer by providing a programmable network infrastructure.
  • OpenFlow is a protocol that enables controllers and switches in an SDN network to communicate with each other. OpenFlow enables dynamic programming of flow control policies in the network.
  • an SDN controller can add, update, and delete flow entries in flow tables of switches, both reactively (e.g., in response to packets) and proactively.
  • Each flow table in the switch contains a set of flow entries.
  • Each flow entry includes match fields, counters, and a set of instructions to apply to matching packets.
  • OpenFlow allows a switch to transfer the control of a packet to an SDN controller.
  • a switch can transfer control of a packet to an SDN controller using an OpenFlow packet-in message.
  • the SDN controller can determine the appropriate processing for the packet and transmit the packet back to the switch (e.g., along with instructions on how to process the packet) using an OpenFlow packet-out message.
  • an SDN controller in an SDN network not only configures the switches in the data plane of the SDN network but is also involved with processing data plane traffic via OpenFlow packet-in messages.
  • the SDN controller becomes a prime target for security exploits. Malicious traffic from the data plane of the SDN network can reach the SDN controller via OpenFlow packet-in messages and could exploit a security vulnerability in the SDN controller to gain control over the SDN controller, which could potentially compromise the entire data plane of the SDN network.
  • This problem is further exacerbated when the components in the SDN network are implemented using open source components. For example, when an SDN controller is implemented using open source components, vulnerabilities in the SDN controller can be discovered by the public-at-large without any special access rights (e.g., by inspecting publicly available source code).
  • a method is implemented by a network device to prevent user data from being accessible to a Software Defined Networking (SDN) controller in an SDN network to limit the SDN controller from being exposed to security exploits.
  • the method includes receiving a packet-in message, where the packet-in message includes a packet, storing a copy of a user data portion of the packet in a first storage, where the copy of the user data portion of the packet is retrievable from the first storage using a packet identifier that identifies the packet, clearing the user data portion of the packet from the packet-in message, storing a copy of a header field of the packet in a second storage, where the copy of the header field of the packet is retrievable from the second storage using the packet identifier, inserting the packet identifier into the header field of the packet in the packet-in message, and transmitting the packet-in message to the SDN controller, wherein the transmitted packet-in message includes the inserted packet identifier and the cleared user data portion.
  • SDN Software Defined Networking
  • a network device is configured to prevent user data from being accessible to a
  • the network device includes a set of one or more processors and a non-transitory machine-readable storage medium having stored therein a user data isolation module.
  • the user data isolation module when executed by the set of one or more processors, causes the network device to receive a packet-in message, where the packet-in message includes a packet, store a copy of a user data portion of the packet in a first storage, where the copy of the user data portion of the packet is retrievable from the first storage using a packet identifier that identifies the packet, clear the user data portion of the packet from the packet-in message, store a copy of a header field of the packet in a second storage, where the copy of the header field of the packet is retrievable from the second storage using the packet identifier, insert the packet identifier into the header field of the packet in the packet-in message, and transmit the packet-in message to the SDN controller, wherein the transmitted packet-in message includes the inserted packet identifier and the cleared user data portion.
  • a non-transitory machine-readable medium has computer code stored therein, which when executed by a set of one or more processors of a network device, causes the network device to perform operations for preventing user data from being accessible to a Software Defined Networking (SDN) controller in an SDN network to limit the SDN controller from being exposed to security exploits.
  • SDN Software Defined Networking
  • the operations include receiving a packet-in message, where the packet-in message includes a packet, storing a copy of a user data portion of the packet in a first storage, where the copy of the user data portion of the packet is retrievable from the first storage using a packet identifier that identifies the packet, clearing the user data portion of the packet from the packet-in message, storing a copy of a header field of the packet in a second storage, where the copy of the header field of the packet is retrievable from the second storage using the packet identifier, inserting the packet identifier into the header field of the packet in the packet-in message, and transmitting the packet-in message to the SDN controller, wherein the transmitted packet-in message includes the inserted packet identifier and the cleared user data portion.
  • Fig. 1 is a block diagram of a network in which user data isolation can be implemented, according to some embodiments.
  • Fig. 2A is a diagram illustrating a format of an IPv4 header, according to some embodiments.
  • Fig. 2B is a diagram illustrating a format of an IPv6 header, according to some embodiments.
  • FIG. 3 is a flow diagram of a process for performing user data isolation in an SDN network when handling a packet-in message, according to some embodiments.
  • FIG. 4 is a flow diagram of a process for performing user data isolation in an SDN network when handling a packet-out message, according to some embodiments.
  • Fig. 5A illustrates connectivity between network devices (NDs) within an exemplary network, as well as three exemplary implementations of the NDs, according to some
  • Fig. 5B illustrates an exemplary way to implement a special-purpose network device, according to some embodiments.
  • Fig. 5C illustrates various exemplary ways in which virtual network elements (VNEs) may be coupled, according to some embodiments.
  • VNEs virtual network elements
  • Fig. 5D illustrates a network with a single network element (NE) on each of the NDs, and within this straight forward approach contrasts a traditional distributed approach (commonly used by traditional routers) with a centralized approach for maintaining reachability and forwarding information (also called network control), according to some embodiments.
  • NE network element
  • Fig. 5E illustrates the simple case of where each of the NDs implements a single NE, but a centralized control plane has abstracted multiple of the NEs in different NDs into (to represent) a single NE in one of the virtual network(s), according to some embodiments.
  • Fig. 5F illustrates a case where multiple VNEs are implemented on different NDs and are coupled to each other, and where a centralized control plane has abstracted these multiple VNEs such that they appear as a single VNE within one of the virtual networks, according to some embodiments.
  • Fig. 6 illustrates a general purpose control plane device with centralized control plane (CCP) software, according to some embodiments.
  • SDN Software Defined Networking
  • references in the specification to "one embodiment,” “an embodiment,” “an example embodiment,” etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
  • Bracketed text and blocks with dashed borders may be used herein to illustrate optional operations that add additional features to embodiments of the invention. However, such notation should not be taken to mean that these are the only options or optional operations, and/or that blocks with solid borders are not optional in certain embodiments of the invention.
  • Coupled is used to indicate that two or more elements, which may or may not be in direct physical or electrical contact with each other, co-operate or interact with each other.
  • Connected is used to indicate the establishment of communication between two or more elements that are coupled with each other.
  • An electronic device stores and transmits (internally and/or with other electronic devices over a network) code (which is composed of software instructions and which is sometimes referred to as computer program code or a computer program) and/or data using machine-readable media (also called computer-readable media), such as machine-readable storage media (e.g., magnetic disks, optical disks, read only memory (ROM), flash memory devices, phase change memory) and machine-readable transmission media (also called a carrier) (e.g., electrical, optical, radio, acoustical or other form of propagated signals - such as carrier waves, infrared signals).
  • machine-readable media also called computer-readable media
  • machine-readable storage media e.g., magnetic disks, optical disks, read only memory (ROM), flash memory devices, phase change memory
  • machine-readable transmission media also called a carrier
  • carrier e.g., electrical, optical, radio, acoustical or other form of propagated signals - such as carrier waves, infrared signals.
  • an electronic device e.g., a computer
  • includes hardware and software such as a set of one or more processors coupled to one or more machine-readable storage media to store code for execution on the set of processors and/or to store data.
  • an electronic device may include non- volatile memory containing the code since the non-volatile memory can persist code/data even when the electronic device is turned off (when power is removed), and while the electronic device is turned on that part of the code that is to be executed by the processor(s) of that electronic device is typically copied from the slower nonvolatile memory into volatile memory (e.g., dynamic random access memory (DRAM), static random access memory (SRAM)) of that electronic device.
  • volatile memory e.g., dynamic random access memory (DRAM), static random access memory (SRAM)
  • Typical electronic devices also include a set or one or more physical network interface(s) to establish network connections (to transmit and/or receive code and/or data using propagating signals) with other electronic devices.
  • network connections to transmit and/or receive code and/or data using propagating signals.
  • One or more parts of an embodiment of the invention may be implemented using different combinations of software, firmware, and/or hardware.
  • a network device is an electronic device that communicatively interconnects other electronic devices on the network (e.g., other network devices, end-user devices).
  • Some network devices are "multiple services network devices" that provide support for multiple networking functions (e.g., routing, bridging, switching, Layer 2 aggregation, session border control, Quality of Service, and/or subscriber management), and/or provide support for multiple application services (e.g., data, voice, and video).
  • Embodiments described herein limit an SDN controller from being exposed to security exploits by preventing the user data portion of a packet from being accessible to the SDN controller.
  • a network device intercepts the packet-in message before the packet-in message reaches the SDN controller. The network device stores a copy of the user data portion of the packet in a storage and clears the user data portion of the packet from the packet in the packet-in message.
  • the copy of the user data portion of the packet is stored in the storage such that it can be retrieved using an opaque packet identifier that identifies the packet (e.g., the packet identifier is opaque in the sense that it does not convey any meaningful details regarding the contents of the user data portion).
  • This opaque packet identifier can be included in a header field of the packet in the packet-in message.
  • the network device may then provide the modified packet-in message to the SDN controller.
  • the SDN controller transmits a corresponding packet-out message (which includes the cleared user data portion of the packet) to the switch, the network device intercepts the packet-out message before the packet-out message reaches the switch.
  • the network device obtains the opaque packet identifier from the header field of the packet in the packet-out message and uses the opaque packet identifier to retrieve the copy of the user data portion from the storage.
  • the copy of the user data portion of the packet is added back to the packet in the packet-out message before the packet-out message is provided to the switch. In this way, user data is prevented from reaching the SDN controller, which helps limit the SDN controller from being exposed to user-crafted security exploits.
  • the SDN controller has access to protocol headers in packet-in messages but does not have access to the user data portions of packets in packet-in messages. Since the SDN controller does not have access to the user data portions of packets in packet-in messages, it is protected against user- crafted security exploits (e.g., arbitrary code supplied by user).
  • the protocol headers are typically set by devices in the network that are managed by a network operator so they have a low probability of containing malicious data that can be used as part of a security exploit.
  • Fig. 1 is a block diagram of a network in which user data isolation can be implemented, according to some embodiments.
  • the network includes an SDN controller 130, a network device 100, and a switch 110.
  • the SDN controller 130 is communicatively coupled to the switch 110 and manages the switch 110.
  • the switch 110 processes packets in the data plane of the network.
  • the SDN controller 130 manages the switch 110 using OpenFlow or another type of protocol that allows communication between an SDN controller 130 and a switch 110 in an SDN network.
  • the SDN controller 130 may configure the packet processing behavior of the switch 110. For example, in an OpenFlow context, the SDN controller 130 can add, update, and delete flow entries in flow tables of the switch 110 to configure the packet processing behavior of the switch 110.
  • the switch 110 may transfer control of the packet to the SDN controller 130 by transmitting an OpenFlow packet-in message to the SDN controller 130.
  • the OpenFlow packet-in message may include the packet that is being transferred to the SDN controller 130.
  • the SDN controller 130 may subsequently transmit a corresponding OpenFlow packet-out message to the switch 110 to transfer control of the packet back to the data plane of the network.
  • packet-in message refers to any type of message that is used to transfer control of a packet from a switch 110 to an SDN controller 130, and unless stated otherwise, is not limited to an OpenFlow packet-in message.
  • packet-out message refers to any type of message that is used to transfer control of a packet from an SDN controller 130 to a switch 110, and unless stated otherwise, is not limited to an OpenFlow packet-out message.
  • the network device 100 can be situated on a communication path between the switch 110 and the SDN controller 130 such that it can intercept packet-in messages being transmitted from the switch 110 to the SDN controller 130 and intercept packet-out messages being transmitted from the SDN controller 130 to the switch 110.
  • the network device 100 includes a user data isolation module 150 to prevent user data from being accessible to the SDN controller 130.
  • the network device 100 may also include a packet storage 160 and a mapping table 170 that are used in conjunction with the user data isolation module 150 to perform user data isolation, as will be described in additional detail below.
  • the user data isolation module 150 (as well as the packet storage 160 and the mapping table 170) is shown as being implemented in a network device 100 that is separate from the SDN controller 130, in some embodiments, the user data isolation module 150 (as well as the packet storage 160 and/or the mapping table 170) may be implemented in the SDN controller 130. Operations for performing user data isolation will now be described with reference to the diagram.
  • the switch 110 transmits a packet-in message towards the SDN controller 130.
  • the packet-in message may include a packet (e.g., a packet that the switch 110 wishes to transfer control of to the SDN controller 130).
  • the packet may include a header portion and a user data portion.
  • the packet is an IPv4 packet, where the header portion is an IPv4 header.
  • the packet is an IPv6 packet, where the header portion is an IPv6 header.
  • the user data portion of the packet is the payload of the packet (as opposed to network data that is used for routing/forwarding the packet), which is typically populated by an end-user or a subscriber terminal, and thus can potentially contain malicious user-crafted data.
  • the user data portion of the packet may be the portion of the packet that follows the IPv4 header or IPv6 header, or may be a portion of the packet that is nested within additional headers following the IPv4 header or IPv6 header.
  • the network device 100 intercepts the packet-in message before it reaches the SDN controller 130, and the user data isolation module 150 clears the user data portion of the packet from the packet-in message before the packet-in message is provided to the SDN controller 130. For this purpose, when the user data isolation module 150 receives the packet-in message, the user data isolation module 150 may parse the packet in the packet-in message to identify the user data portion of the packet.
  • the user data isolation module 150 then stores a copy of the user data portion of the packet in the packet storage 160 and clears the user data portion of the packet from the packet-in message.
  • the user data isolation module 150 may clear the user data portion of the packet by zeroing out all the bits in the user data portion of the packet or otherwise inserting innocuous data in the user data portion of the packet.
  • the copy of the user data portion of the packet is stored in the packet storage 160 so that it can be retrieved and added back later during packet-out processing.
  • the copy of the user data portion of the packet may be stored in packet storage such that it is retrievable from the packet storage using a packet identifier that identifies the packet.
  • the packet identifier can be a value that is automatically generated by the packet storage (e.g., an index or key).
  • the user data isolation module 150 may store the packet identifier in one or more of the header fields of the packet in the packet-in message.
  • the user data isolation module may store the packet identifier in the identification header field or the fragment offset header field of the IPv4 packet in the packet-in message or use both of those fields to store the packet identifier (e.g., if the size of the packet identifier requires more bits than a single field provides).
  • the user data isolation module 150 may store the packet identifier in the flow label header field of the IPv6 packet in the packet-in message.
  • These fields are provided by way of example and not limitation. It should be understood that other fields (or any combination of fields or bits) of the packet can also be used to store the packet identifier.
  • the packet identifier is stored in a header field of the packet in the packet-in message that will not be used by the SDN controller 130 to make packet processing decisions and will not be modified by the SDN controller 130 during packet- in processing. It is possible that the header field is already populated with a value.
  • the user data isolation module 150 may store the existing value in storage so that it can be added back later during packet-out processing. For example, the user data isolation module 150 may create a mapping between the packet identifier and a copy of the header field of the packet in the mapping table 170 before replacing the value in the header field of the packet with the packet identifier.
  • the network device 100 transmits the packet-in message (with the user data portion cleared) to the SDN controller 130. Since the user data portion of the packet in the packet-in message is cleared, the SDN controller's 130 exposure to user-crafted security exploits is limited.
  • the SDN controller 130 transmits a corresponding packet-out message towards the switch 110.
  • the packet-out message includes the packet with the user data portion cleared.
  • the SDN controller 130 may have modified one or more header fields of the packet, but the header field that includes the packet identifier should still be intact.
  • the network device 100 intercepts the packet-out message before it reaches the switch 110, and the user data isolation module 150 adds back the user data portion of the packet and the original value in the header field before the packet-out message is provided to the switch 110.
  • the user data isolation module 150 when the user data isolation module 150 receives the packet-out message, the user data isolation module 150 obtains the packet identifier from the header field of the packet in the packet-out message.
  • the user data isolation module 150 uses the packet identifier to retrieve the copy of the user data portion of the packet from the packet storage 160 and to retrieve the copy of the header field (with the original value) of the packet from the mapping table 170 (e.g., using the packet identifier as a key).
  • the user data isolation module 150 may then insert the copy of the header field (with the original value) of the packet into the header field of the packet in the packet-out message and insert the copy of the user data portion of the packet into the user data portion of the packet in the packet-out message. In this way, the original value in the header field and the original user data portion are added back to the packet in the packet-out message.
  • the network device 100 transmits the packet-out message (with the user data portion added back) to the switch 110.
  • the copy of the user data portion of the packet can be deleted from the packet storage 160 after a timeout period (e.g., after one hour) (the copy of the header field of the packet can be deleted from the mapping table 170 as well).
  • the copy of the user data portion of the packet can be deleted from the packet storage 160 after it has been added back to the packet during packet-out processing.
  • a single packet-in message transmitted to the SDN controller 130 results in the SDN controller 130 transmitting multiple packet-out messages.
  • the SDN controller 130 may instruct the user data isolation module 150 to keep the copy of the user data portion in the packet storage 160 (as well as the copy of the header field in mapping table 170) until the SDN controller 130 instructs the user data isolation module 150 to delete the copy of the user data portion.
  • the SDN controller 130 may instruct the user data isolation module 150 to delete the copy of the user data portion from the packet storage 160 and/or the copy of the header field from the mapping table 170.
  • the user data isolation module may be able to identify the user data portion of a particular packet based on inspecting one or more header fields of the packet (which could also span across multiple layers of headers). In one embodiment, the user data isolation module 150 may be able to identify the user data portion of a particular packet based on inspecting one or more fields in the packet-in message.
  • the user data isolation module 150 may inspect a table ID field (that includes an indication of an identifier (ID) of the flow table that was looked up), a cookie field (that includes an indication of a cookie of the flow entry that was looked up), and/or a match field (that includes an indication of packet metadata) in the packet-in message to identify the user data portion of a packet (e.g., the starting point of the user data portion and the length of the user data portion).
  • a table ID field that includes an indication of an identifier (ID) of the flow table that was looked up
  • a cookie field that includes an indication of a cookie of the flow entry that was looked up
  • a match field that includes an indication of packet metadata
  • Fig. 2A is a diagram illustrating a format of an IPv4 header, according to some embodiments.
  • the IPv4 header includes, among other fields, a 16-bit identification field.
  • the identification field is typically used to identify an IP datagram to which the packet belongs.
  • the IPv4 header also includes, among other fields, a 13-bit fragment offset field.
  • the fragment offset field is typically used to indicate an offset from the start of an IP datagram.
  • the user data isolation module 150 may use the identification field and/or the fragment offset field of an IPv4 packet header to store a packet identifier.
  • Fig. 2B is a diagram illustrating a format of an IPv6 header, according to some embodiments.
  • the IPv6 header includes, among other fields, a 16-bit flow label field.
  • the flow label field is typically used to label sequences of packets that require special handling by IPv6 routers.
  • the user data isolation module 150 may use the flow label field of an IPv6 packet header to store a packet identifier.
  • IPv6 header any combination of fields or bits in the IPv6 header can be used to store the packet identifier, as long as those fields or bits will not be used by the SDN controller 130 to make packet processing decisions and will not be modified by the SDN controller 130 during packet-in processing.
  • Fig. 3 is a flow diagram of a process for performing user data isolation in an SDN network when handling a packet-in message, according to some embodiments.
  • the process may be performed by a network device 100 (including, e.g., user data isolation module 150, packet storage 160, and/or mapping table 170 of network device 100).
  • the network device 100 may be communicatively coupled to an SDN controller 130 and a data plane device (e.g., switch 110) managed by the SDN controller 130 in the SDN network.
  • a data plane device e.g., switch 110
  • the operations in this and other flow diagrams will be described with reference to the exemplary embodiments of the other figures. However, it should be understood that the operations of the flow diagrams can be performed by embodiments of the invention other than those discussed with reference to the other figures, and the embodiments of the invention discussed with reference to these other figures can perform operations different than those discussed with reference to the flow diagrams.
  • the process is initiated when the network device 100 receives a packet-in message, where the packet-in message includes a packet (block 310).
  • the packet-in message may have been intercepted by the network device 100 while the packet-in message was traveling from the data plane device towards the SDN controller 130.
  • the data plane device may have generated the packet-in message to transfer control of the packet to the SDN controller 130.
  • the packet is an IPv4 packet (with an IPv4 header).
  • the packet is an IPv6 packet (with an IPv6 header).
  • the network device 100 stores a copy of a user data portion of the packet in a first storage (block 320).
  • the first storage can be any type of memory that is accessible by the network device 100.
  • the copy of the user data portion of the packet may be retrievable from the first storage (e.g., packet storage 160) using a packet identifier that identifies the packet.
  • the network device 100 parses the packet to identify the user data portion of the packet (e.g., to identify the starting point of the user data portion of the packet and the length of the user data portion of the packet).
  • the network device 100 determines the starting point of the user data portion of the packet and/or the length of the user data portion of the packet based on information in one or more header fields of the packet.
  • the starting point of the user data portion of the packet and/or the length of the user data portion of the packet is determined based on information in one or more fields of the packet-in message.
  • the packet-in message is an OpenFlow packet-in message
  • the starting point of the user data portion of the packet can be determined based on information in a table identifier field, a cookie field, and/or a match field of the packet-in message.
  • the network device 100 then clears the user data portion of the packet from the packet- in message (block 330).
  • the network device 100 clears the user data portion of the packet by zeroing out all the bits in the user data portion of the packet or otherwise inserting innocuous data in the user data portion of the packet. This operation ensures that any malicious data in the user data portion of the packet does not reach the SDN controller 130.
  • the network device 100 stores a copy of a header field of the packet in a second storage (block 340).
  • the second storage can be any type of memory that is accessible by the network device 100.
  • the copy of the header field of the packet is retrievable from the second storage using the packet identifier.
  • the network device 100 may create a mapping between the packet identifier and the copy of the header field in a mapping table 170.
  • the header field may be the identification field, the fragment offset field, or a combination of the identification field and the fragment offset field in the IPv4 header of the packet.
  • the header field may be the flow label field in the IPv6 header of the packet.
  • the network device 100 inserts the packet identifier into the header field of the packet in the packet-in message (block 350) and transmits the packet-in message (with the inserted packet identifier and the cleared user data portion) to the SDN controller 130 (block 360). Since the user data portion of the packet is cleared from the packet-in message that reaches the SDN controller 130, this limits the SDN controller's 130 exposure to user-crafted security exploits. Also, the copy of the user data portion of the packet and the copy of the header field (e.g., the header field in which the packet identifier is inserted) is stored in storage so that they can be added back to the packet during packet-out processing (as will be described with reference to Fig. 4).
  • the network device 100 deletes the copy of the user data portion of the packet from the first storage (and may also delete the copy of the header field of the packet from the second storage) in response to a determination that an elapsed lifetime of the copy of the user data portion of the packet in the first storage (or an elapsed lifetime of the copy of the header field of the packet in the second storage) exceeds a predetermined timeout length.
  • the network device 100 deletes the copy of the user data portion of the packet from the first storage (and may also delete the copy of the header field of the packet from the second storage) in response to receiving an instruction from the SDN controller 130 to delete the copy of the user data portion of the packet (or an instruction from the SDN controller 130 to delete the copy of the header field of the packet).
  • Fig. 4 is a flow diagram of a process for performing user data isolation in an SDN network when handling a packet-out message, according to some embodiments.
  • the process may be performed by a network device 100 (including, e.g., user data isolation module 150, packet storage 160, and/or mapping table 170 of network device 100).
  • the network device 100 may be communicatively coupled to an SDN controller 130 and a data plane device (e.g., switch 110) managed by the SDN controller 130 in the SDN network.
  • a data plane device e.g., switch 110
  • the process is initiated when the network device 100 receives a packet-out message, where the packet-out message includes a packet (block 410).
  • the packet- out message may have been intercepted by the network device 100 while the packet-out message was traveling from the SDN controller 130 towards the data plane device.
  • the SDN controller 130 may have generated the packet-out message in response to receiving a packet-in message (e.g., the packet in the packet-out message may be the same or a modified version of the packet that was in the corresponding packet-in message received by the SDN controller 130).
  • a header field of the packet in the packet-out message includes a packet identifier, and a user data portion of the packet in the packet-out message is cleared (e.g., as a result of the operations described above with reference to Fig. 3).
  • the packet is an IPv4 packet (with an IPv4 header).
  • the header field (that includes the packet identifier) is the identification field, the fragment offset field, or a combination of the identification field and the fragment offset field in the IPv4 header of the packet.
  • the packet is an IPv6 packet (with an IPv6 header).
  • the header field (that includes the packet identifier) is the flow label field in the IPv6 header of the packet.
  • the network device 100 may have previously stored a copy of the original user data portion of the packet in a first storage and stored a copy of the original header field of the packet in a second storage (e.g., as a result of the operations described above with reference to Fig. 3).
  • the network device 100 obtains the packet identifier from the header field of the packet in the packet-out message (block 420) and retrieves a copy of the header field of the packet from the second storage using the packet identifier (block 430). For example, the network device 100 may use the packet identifier as a key to retrieve the copy of the header field of the packet from the second storage. [0049] The network device 100 then inserts the copy of the header field of the packet into the header field of the packet in the packet-out message (block 440). This operation adds the original header field of the packet in the packet- in message back to the packet in the packet-out message.
  • the network device 100 then retrieves the copy of the user data portion of the packet from the first storage using the packet identifier (block 450). For example, the network device 100 may use the packet identifier as a key to retrieve the copy of the user data portion of the packet from the first storage.
  • the network device 100 then inserts the copy of the user data portion of the packet into the user data portion of the packet in the packet-out message (block 460). This operation adds the original user data portion of the packet in the packet-in message back to the packet in the packet-out message.
  • the network device 100 then transmits the packet-out message (with the user data portion and the header field added back) to the data plane device (block 470).
  • Embodiments described herein thus prevent a user data portion in a packet-in message from being accessible to a SDN controller 130 in an SDN network.
  • An advantage provided by the embodiments described herein is that the SDN controller's 130 exposure to security exploits (e.g., user-crafted security exploits) is reduced. Also, embodiments described herein may be implemented with little to no changes at the data plane device or to the control plane protocol (e.g., OpenFlow).
  • security exploits e.g., user-crafted security exploits
  • Fig. 5A illustrates connectivity between network devices (NDs) within an exemplary network, as well as three exemplary implementations of the NDs, according to some
  • Fig. 5A shows NDs 500A-H, and their connectivity by way of lines between 500A-500B, 500B-500C, 500C-500D, 500D-500E, 500E-500F, 500F-500G, and 500A-500G, as well as between 500H and each of 500A, 500C, 500D, and 500G.
  • These NDs are physical devices, and the connectivity between these NDs can be wireless or wired (often referred to as a link).
  • NDs 500A, 500E, and 500F An additional line extending from NDs 500A, 500E, and 500F illustrates that these NDs act as ingress and egress points for the network (and thus, these NDs are sometimes referred to as edge NDs; while the other NDs may be called core NDs).
  • Two of the exemplary ND implementations in Fig. 5 A are: 1) a special-purpose network device 502 that uses custom application-specific integrated-circuits (ASICs) and a special-purpose operating system (OS); and 2) a general purpose network device 504 that uses common off-the-shelf (COTS) processors and a standard OS.
  • ASICs application-specific integrated-circuits
  • OS special-purpose operating system
  • COTS common off-the-shelf
  • the special-purpose network device 502 includes networking hardware 510 comprising compute resource(s) 512 (which typically include a set of one or more processors), forwarding resource(s) 514 (which typically include one or more ASICs and/or network processors), and physical network interfaces (NIs) 516 (sometimes called physical ports), as well as non- transitory machine readable storage media 518 having stored therein networking software 520.
  • a physical NI is hardware in a ND through which a network connection (e.g., wirelessly through a wireless network interface controller (WNIC) or through plugging in a cable to a physical port connected to a network interface controller (NIC)) is made, such as those shown by the connectivity between NDs 500A-H.
  • WNIC wireless network interface controller
  • NIC network interface controller
  • the networking software 520 may be executed by the networking hardware 510 to instantiate a set of one or more networking software instance(s) 522.
  • Each of the networking software instance(s) 522, and that part of the networking hardware 510 that executes that network software instance (be it hardware dedicated to that networking software instance and/or time slices of hardware temporally shared by that networking software instance with others of the networking software instance(s) 522), form a separate virtual network element 530A-R.
  • Each of the virtual network element(s) (VNEs) 530A-R includes a control communication and configuration module 532A-R (sometimes referred to as a local control module or control communication module) and forwarding table(s) 534A-R, such that a given virtual network element (e.g., 530A) includes the control
  • communication and configuration module e.g., 532A
  • a set of one or more forwarding table(s) e.g., 534A
  • that portion of the networking hardware 510 that executes the virtual network element e.g., 530A.
  • the special-purpose network device 502 is often physically and/or logically considered to include: 1) a ND control plane 524 (sometimes referred to as a control plane) comprising the compute resource(s) 512 that execute the control communication and configuration module(s) 532A-R; and 2) a ND forwarding plane 526 (sometimes referred to as a forwarding plane, a data plane, or a media plane) comprising the forwarding resource(s) 514 that utilize the forwarding table(s) 534A-R and the physical NIs 516.
  • a ND control plane 524 (sometimes referred to as a control plane) comprising the compute resource(s) 512 that execute the control communication and configuration module(s) 532A-R
  • a ND forwarding plane 526 sometimes referred to as a forwarding plane, a data plane, or a media plane
  • forwarding resource(s) 514 that utilize the forwarding table(s) 534A-R and the physical NIs 516.
  • the ND control plane 524 (the compute resource(s) 512 executing the control communication and configuration module(s) 532A-R) is typically responsible for participating in controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) and storing that routing information in the forwarding table(s) 534A-R, and the ND forwarding plane 526 is responsible for receiving that data on the physical NIs 516 and forwarding that data out the appropriate ones of the physical NIs 516 based on the forwarding table(s) 534A-R.
  • data e.g., packets
  • the ND forwarding plane 526 is responsible for receiving that data on the physical NIs 516 and forwarding that data out the appropriate ones of the physical NIs 516 based on the forwarding table(s) 534A-R.
  • Fig. 5B illustrates an exemplary way to implement the special-purpose network device 502 according to some embodiments of the invention.
  • Fig. 5B shows a special-purpose network device including cards 538 (typically hot pluggable). While in some embodiments the cards 538 are of two types (one or more that operate as the ND forwarding plane 526 (sometimes called line cards), and one or more that operate to implement the ND control plane 524 (sometimes called control cards)), alternative embodiments may combine functionality onto a single card and/or include additional card types (e.g., one additional type of card is called a service card, resource card, or multi-application card).
  • additional card types e.g., one additional type of card is called a service card, resource card, or multi-application card.
  • a service card can provide specialized processing (e.g., Layer 4 to Layer 7 services (e.g., firewall, Internet Protocol Security (IPsec), Secure Sockets Layer (SSL) / Transport Layer Security (TLS), Intrusion Detection System (IDS), peer- to-peer (P2P), Voice over IP (VoIP) Session Border Controller, Mobile Wireless Gateways (Gateway General Packet Radio Service (GPRS) Support Node (GGSN), Evolved Packet Core (EPC) Gateway)).
  • Layer 4 to Layer 7 services e.g., firewall, Internet Protocol Security (IPsec), Secure Sockets Layer (SSL) / Transport Layer Security (TLS), Intrusion Detection System (IDS), peer- to-peer (P2P), Voice over IP (VoIP) Session Border Controller, Mobile Wireless Gateways (Gateway General Packet Radio Service (GPRS) Support Node (GGSN), Evolved Packet Core (EPC) Gateway)
  • GPRS General Pack
  • the general purpose network device 504 includes hardware 540 comprising a set of one or more processor(s) 542 (which are often COTS processors) and network interface controller(s) 544 (NICs; also known as network interface cards) (which include physical NIs 546), as well as non-transitory machine readable storage media 548 having stored therein software 550.
  • processor(s) 542 execute the software 550 to instantiate one or more sets of one or more applications 564A-R. While one embodiment does not implement virtualization, alternative embodiments may use different forms of virtualization.
  • the virtualization layer 554 represents the kernel of an operating system (or a shim executing on a base operating system) that allows for the creation of multiple instances 562A-R called software containers that may each be used to execute one (or more) of the sets of applications 564A-R; where the multiple software containers (also called virtualization engines, virtual private servers, or jails) are user spaces (typically a virtual memory space) that are separate from each other and separate from the kernel space in which the operating system is run; and where the set of applications running in a given user space, unless explicitly allowed, cannot access the memory of the other processes.
  • the multiple software containers also called virtualization engines, virtual private servers, or jails
  • user spaces typically a virtual memory space
  • the virtualization layer 554 represents a hypervisor (sometimes referred to as a virtual machine monitor (VMM)) or a hypervisor executing on top of a host operating system, and each of the sets of applications 564A-R is run on top of a guest operating system within an instance 562A-R called a virtual machine (which may in some cases be considered a tightly isolated form of software container) that is run on top of the hypervisor - the guest operating system and application may not know they are running on a virtual machine as opposed to running on a "bare metal" host electronic device, or through para- virtualization the operating system and/or application may be aware of the presence of virtualization for optimization purposes.
  • a hypervisor sometimes referred to as a virtual machine monitor (VMM)
  • VMM virtual machine monitor
  • one, some or all of the applications are implemented as unikernel(s), which can be generated by compiling directly with an application only a limited set of libraries (e.g., from a library operating system (LibOS) including drivers/libraries of OS services) that provide the particular OS services needed by the application.
  • libraries e.g., from a library operating system (LibOS) including drivers/libraries of OS services
  • unikernel can be implemented to run directly on hardware 540, directly on a hypervisor (in which case the unikernel is sometimes described as running within a LibOS virtual machine), or in a software container
  • embodiments can be implemented fully with unikernels running directly on a hypervisor represented by virtualization layer 554, unikernels running within software containers represented by instances 562A-R, or as a combination of unikernels and the above-described techniques (e.g., unikernels and virtual machines both run directly on a hypervisor, unikernels and sets of applications that are run in different software containers).
  • the instantiation of the one or more sets of one or more applications 564A-R, as well as virtualization if implemented, are collectively referred to as software instance(s) 552.
  • the virtual network element(s) 560A-R perform similar functionality to the virtual network element(s) 530A-R - e.g., similar to the control communication and configuration module(s) 532A and forwarding table(s) 534A (this virtualization of the hardware 540 is sometimes referred to as network function virtualization (NFV)).
  • NFV network function virtualization
  • CPE customer premise equipment
  • each instance 562A-R corresponding to one VNE 560A-R
  • alternative embodiments may implement this correspondence at a finer level granularity (e.g., line card virtual machines virtualize line cards, control card virtual machine virtualize control cards, etc.); it should be understood that the techniques described herein with reference to a correspondence of instances 562A-R to VNEs also apply to embodiments where such a finer level of granularity and/or unikernels are used.
  • the virtualization layer 554 includes a virtual switch that provides similar forwarding services as a physical Ethernet switch. Specifically, this virtual switch forwards traffic between instances 562A-R and the NIC(s) 544, as well as optionally between the instances 562A-R; in addition, this virtual switch may enforce network isolation between the VNEs 560A-R that by policy are not permitted to communicate with each other
  • VLANs virtual local area networks
  • the third exemplary ND implementation in Fig. 5A is a hybrid network device 506, which includes both custom ASICs/special-purpose OS and COTS processors/standard OS in a single ND or a single card within an ND.
  • a platform VM i.e., a VM that that implements the functionality of the special-purpose network device 502 could provide for para-virtualization to the networking hardware present in the hybrid network device 506.
  • NE network element
  • each of the VNEs receives data on the physical NIs (e.g., 516, 546) and forwards that data out the appropriate ones of the physical NIs (e.g., 516, 546).
  • a VNE implementing IP router functionality forwards IP packets on the basis of some of the IP header information in the IP packet; where IP header information includes source IP address, destination IP address, source port, destination port (where "source port" and
  • destination port refer herein to protocol ports, as opposed to physical ports of a ND), transport protocol (e.g., user datagram protocol (UDP), Transmission Control Protocol (TCP), and differentiated services code point (DSCP) values.
  • transport protocol e.g., user datagram protocol (UDP), Transmission Control Protocol (TCP), and differentiated services code point (DSCP) values.
  • FIG. 5C illustrates various exemplary ways in which VNEs may be coupled according to some embodiments of the invention.
  • Fig. 5C shows VNEs 570A.1-570A.P (and optionally VNEs 570A.Q-570A.R) implemented in ND 500A and VNE 570H.1 in ND 500H.
  • VNEs 570A.1-570A.P and optionally VNEs 570A.Q-570A.R
  • VNEs 570A.1-P are separate from each other in the sense that they can receive packets from outside ND 500A and forward packets outside of ND 500A; VNE 570A.1 is coupled with VNE 570H.1, and thus they communicate packets between their respective NDs; VNE 570A.2- 570A.3 may optionally forward packets between themselves without forwarding them outside of the ND 500A; and VNE 570A.P may optionally be the first in a chain of VNEs that includes VNE 570A.Q followed by VNE 570A.R (this is sometimes referred to as dynamic service chaining, where each of the VNEs in the series of VNEs provides a different service - e.g., one or more layer 4-7 network services).
  • Fig. 5C illustrates various exemplary relationships between the VNEs
  • alternative embodiments may support other relationships (e.g., more/fewer VNEs, more/fewer dynamic service chains, multiple different dynamic service chains with some common VNEs and some different VNEs).
  • 5A may form part of the Internet or a private network; and other electronic devices (not shown; such as end user devices including workstations, laptops, netbooks, tablets, palm tops, mobile phones, smartphones, phablets, multimedia phones, Voice Over Internet Protocol (VOIP) phones, terminals, portable media players, GPS units, wearable devices, gaming systems, set-top boxes, Internet enabled household appliances) may be coupled to the network (directly or through other networks such as access networks) to communicate over the network (e.g., the Internet or virtual private networks (VPNs) overlaid on (e.g., tunneled through) the Internet) with each other (directly or through servers) and/or access content and/or services.
  • VOIP Voice Over Internet Protocol
  • Such content and/or services are typically provided by one or more servers (not shown) belonging to a service/content provider or one or more end user devices (not shown) participating in a peer-to-peer (P2P) service, and may include, for example, public webpages (e.g., free content, store fronts, search services), private webpages (e.g.,
  • end user devices may be coupled (e.g., through customer premise equipment coupled to an access network (wired or wirelessly)) to edge NDs, which are coupled (e.g., through one or more core NDs) to other edge NDs, which are coupled to electronic devices acting as servers.
  • edge NDs which are coupled (e.g., through one or more core NDs) to other edge NDs, which are coupled to electronic devices acting as servers.
  • edge NDs may be coupled (e.g., through customer premise equipment coupled to an access network (wired or wirelessly)
  • edge NDs which are coupled (e.g., through one or more core NDs) to other edge NDs, which are coupled to electronic devices acting as servers.
  • compute and storage virtualization one or more of the electronic devices operating as the NDs in Fig.
  • 5A may also host one or more such servers (e.g., in the case of the general purpose network device 504, one or more of the software instances 562A-R may operate as servers; the same would be true for the hybrid network device 506; in the case of the special-purpose network device 502, one or more such servers could also be run on a virtualization layer executed by the compute resource(s) 512); in which case the servers are said to be co-located with the VNEs of that ND.
  • servers e.g., in the case of the general purpose network device 504, one or more of the software instances 562A-R may operate as servers; the same would be true for the hybrid network device 506; in the case of the special-purpose network device 502, one or more such servers could also be run on a virtualization layer executed by the compute resource(s) 512); in which case the servers are said to be co-located with the VNEs of that ND.
  • a virtual network is a logical abstraction of a physical network (such as that in Fig. 5A) that provides network services (e.g., L2 and/or L3 services).
  • a virtual network can be implemented as an overlay network (sometimes referred to as a network virtualization overlay) that provides network services (e.g., layer 2 (L2, data link layer) and/or layer 3 (L3, network layer) services) over an underlay network (e.g., an L3 network, such as an Internet Protocol (IP) network that uses tunnels (e.g., generic routing encapsulation (GRE), layer 2 tunneling protocol (L2TP), IPSec) to create the overlay network).
  • IP Internet Protocol
  • a network virtualization edge sits at the edge of the underlay network and participates in implementing the network virtualization; the network-facing side of the NVE uses the underlay network to tunnel frames to and from other NVEs; the outward-facing side of the NVE sends and receives data to and from systems outside the network.
  • a virtual network instance is a specific instance of a virtual network on a NVE (e.g., a NE/VNE on an ND, a part of a NE/VNE on a ND where that NE/VNE is divided into multiple VNEs through emulation); one or more VNIs can be instantiated on an NVE (e.g., as different VNEs on an ND).
  • a virtual access point is a logical connection point on the NVE for connecting external systems to a virtual network; a VAP can be physical or virtual ports identified through logical interface identifiers (e.g., a VLAN ID).
  • Examples of network services include: 1) an Ethernet LAN emulation service (an Ethernet-based multipoint service similar to an Internet Engineering Task Force (IETF) Multiprotocol Label Switching (MPLS) or Ethernet VPN (EVPN) service) in which external systems are interconnected across the network by a LAN environment over the underlay network (e.g., an NVE provides separate L2 VNIs (virtual switching instances) for different such virtual networks, and L3 (e.g., IP/MPLS) tunneling encapsulation across the underlay network); and 2) a virtualized IP forwarding service (similar to IETF IP VPN (e.g., Border Gateway Protocol (BGP)/MPLS IP VPN) from a service definition perspective) in which external systems are interconnected across the network by an L3 environment over the underlay network (e.g., an NVE provides separate L3 VNIs (forwarding and routing instances) for different such virtual networks, and L3 (e.g., IP/MPLS) tunneling encapsulation across the underlay network)).
  • Network services may also include quality of service capabilities (e.g., traffic classification marking, traffic conditioning and scheduling), security capabilities (e.g., filters to protect customer premises from network - originated attacks, to avoid malformed route announcements), and management capabilities (e.g., full detection and processing).
  • quality of service capabilities e.g., traffic classification marking, traffic conditioning and scheduling
  • security capabilities e.g., filters to protect customer premises from network - originated attacks, to avoid malformed route announcements
  • management capabilities e.g., full detection and processing
  • Fig. 5D illustrates a network with a single network element on each of the NDs of Fig. 5A, and within this straight forward approach contrasts a traditional distributed approach (commonly used by traditional routers) with a centralized approach for maintaining reachability and forwarding information (also called network control), according to some embodiments of the invention.
  • Fig. 5D illustrates network elements (NEs) 570A-H with the same connectivity as the NDs 500A-H of Fig. 5A.
  • Fig. 5D illustrates that the distributed approach 572 distributes responsibility for generating the reachability and forwarding information across the NEs 570A-H; in other words, the process of neighbor discovery and topology discovery is distributed.
  • the control communication and configuration module(s) 532A-R of the ND control plane 524 typically include a reachability and forwarding information module to implement one or more routing protocols (e.g., an exterior gateway protocol such as Border Gateway Protocol (BGP), Interior Gateway Protocol(s) (IGP) (e.g., Open Shortest Path First (OSPF), Intermediate System to Intermediate System (IS-IS), Routing Information Protocol (RIP), Label Distribution Protocol (LDP), Resource Reservation Protocol (RSVP) (including RS VP-Traffic Engineering (TE):
  • Border Gateway Protocol such as Border Gateway Protocol (BGP), Interior Gateway Protocol(s) (IGP) (e.g., Open Shortest Path First (OSPF), Intermediate System to Intermediate System (IS-IS), Routing Information Protocol (RIP), Label Distribution Protocol (LDP), Resource Reservation Protocol (RSVP) (including RS VP-Traffic Engineering (TE):
  • Border Gateway Protocol such as Border Gateway Protocol (BGP), Interior Gateway Protocol(s) (IGP) (e.g., Open Shortest Path First (OSPF),
  • the NEs 570A-H e.g., the compute resource(s) 512 executing the control communication and configuration module(s) 532A-R
  • the NEs 570A-H perform their responsibility for participating in controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) by distributively determining the reachability within the network and calculating their respective forwarding information.
  • Routes and adjacencies are stored in one or more routing structures (e.g., Routing Information Base (RIB), Label Information Base (LIB), one or more adjacency structures) on the ND control plane 524.
  • the ND control plane 524 programs the ND forwarding plane 526 with information (e.g., adjacency and route information) based on the routing structure(s). For example, the ND control plane 524 programs the adjacency and route information into one or more forwarding table(s) 534A-R (e.g., Forwarding Information Base (FIB), Label Forwarding Information Base (LFIB), and one or more adjacency structures) on the ND forwarding plane 526.
  • FIB Forwarding Information Base
  • LFIB Label Forwarding Information Base
  • the ND can store one or more bridging tables that are used to forward data based on the layer 2 information in that data. While the above example uses the special-purpose network device 502, the same distributed approach 572 can be implemented on the general purpose network device 504 and the hybrid network device 506.
  • Fig. 5D illustrates that a centralized approach 574 (also known as software defined networking (SDN)) that decouples the system that makes decisions about where traffic is sent from the underlying systems that forwards traffic to the selected destination.
  • the illustrated centralized approach 574 has the responsibility for the generation of reachability and forwarding information in a centralized control plane 576 (sometimes referred to as a SDN control module, controller, network controller, OpenFlow controller, SDN controller, control plane node, network virtualization authority, or management control entity), and thus the process of neighbor discovery and topology discovery is centralized.
  • a centralized control plane 576 sometimes referred to as a SDN control module, controller, network controller, OpenFlow controller, SDN controller, control plane node, network virtualization authority, or management control entity
  • the centralized control plane 576 has a south bound interface 582 with a data plane 580 (sometime referred to the infrastructure layer, network forwarding plane, or forwarding plane (which should not be confused with a ND forwarding plane)) that includes the NEs 570A-H (sometimes referred to as switches, forwarding elements, data plane elements, or nodes).
  • the centralized control plane 576 includes a network controller 578, which includes a centralized reachability and forwarding information module 579 that determines the reachability within the network and distributes the forwarding information to the NEs 570A-H of the data plane 580 over the south bound interface 582 (which may use the OpenFlow protocol).
  • the network intelligence is centralized in the centralized control plane 576 executing on electronic devices that are typically separate from the NDs.
  • the network controller 578 may include a user data isolation module 581 that when executed by the network controller 578, causes the network controller 578 to perform operations of one or more embodiments described herein above.
  • each of the control communication and configuration module(s) 532A-R of the ND control plane 524 typically include a control agent that provides the VNE side of the south bound interface 582.
  • the ND control plane 524 (the compute resource(s) 512 executing the control communication and configuration module(s) 532A-R) performs its responsibility for participating in controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) through the control agent communicating with the centralized control plane 576 to receive the forwarding information (and in some cases, the reachability information) from the centralized reachability and forwarding information module 579 (it should be understood that in some embodiments of the invention, the control
  • communication and configuration module(s) 532A-R in addition to communicating with the centralized control plane 576, may also play some role in determining reachability and/or calculating forwarding information - albeit less so than in the case of a distributed approach; such embodiments are generally considered to fall under the centralized approach 574, but may also be considered a hybrid approach).
  • each of the VNE 560A-R performs its responsibility for controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) by communicating with the centralized control plane 576 to receive the forwarding information (and in some cases, the reachability information) from the centralized reachability and forwarding information module 579; it should be understood that in some embodiments of the invention, the VNEs 560A-R, in addition to communicating with the centralized control plane 576, may also play some role in determining reachability and/or calculating forwarding information - albeit less so than in the case of a distributed approach) and the hybrid network device 506.
  • the general purpose network device 504 e.g., each of the VNE 560A-R performs its responsibility for controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) by communicating with the centralized control plane 576 to
  • Fig. 5D also shows that the centralized control plane 576 has a north bound interface
  • the centralized control plane 576 has the ability to form virtual networks 592 (sometimes referred to as a logical forwarding plane, network services, or overlay networks (with the NEs 570A-H of the data plane 580 being the underlay network)) for the application(s) 588.
  • virtual networks 592 sometimes referred to as a logical forwarding plane, network services, or overlay networks (with the NEs 570A-H of the data plane 580 being the underlay network)
  • the centralized control plane 576 maintains a global view of all NDs and configured NEs/VNEs, and it maps the virtual networks to the underlying NDs efficiently (including maintaining these mappings as the physical network changes either through hardware (ND, link, or ND component) failure, addition, or removal).
  • Fig. 5D shows the distributed approach 572 separate from the centralized approach 574
  • the effort of network control may be distributed differently or the two combined in certain embodiments of the invention.
  • embodiments may generally use the centralized approach (SDN) 574, but have certain functions delegated to the NEs (e.g., the distributed approach may be used to implement one or more of fault monitoring, performance monitoring, protection switching, and primitives for neighbor and/or topology discovery); or 2) embodiments of the invention may perform neighbor discovery and topology discovery via both the centralized control plane and the distributed protocols, and the results compared to raise exceptions where they do not agree.
  • SDN centralized approach
  • Such embodiments are generally considered to fall under the centralized approach 574, but may also be considered a hybrid approach.
  • Fig. 5D illustrates the simple case where each of the NDs 500A-H implements a single NE 570A-H
  • the network control approaches described with reference to Fig. 5D also work for networks where one or more of the NDs 500A-H implement multiple VNEs (e.g., VNEs 530A-R, VNEs 560A-R, those in the hybrid network device 506).
  • the network controller 578 may also emulate the implementation of multiple VNEs in a single ND.
  • the network controller 578 may present the implementation of a VNE/NE in a single ND as multiple VNEs in the virtual networks 592 (all in the same one of the virtual network(s) 592, each in different ones of the virtual network(s) 592, or some combination).
  • the network controller 578 may cause an ND to implement a single VNE (a NE) in the underlay network, and then logically divide up the resources of that NE within the centralized control plane 576 to present different VNEs in the virtual network(s) 592 (where these different VNEs in the overlay networks are sharing the resources of the single VNE/NE implementation on the ND in the underlay network).
  • Figs. 5E and 5F respectively illustrate exemplary abstractions of NEs and VNEs that the network controller 578 may present as part of different ones of the virtual networks 592.
  • Fig. 5E illustrates the simple case of where each of the NDs 500A-H implements a single NE 570A-H (see Fig. 5D), but the centralized control plane 576 has abstracted multiple of the NEs in different NDs (the NEs 570A-C and G-H) into (to represent) a single NE 5701 in one of the virtual network(s) 592 of Fig. 5D, according to some embodiments of the invention.
  • Fig. 5E shows that in this virtual network, the NE 5701 is coupled to NE 570D and 570F, which are both still coupled to NE 570E.
  • Fig. 5F illustrates a case where multiple VNEs (VNE 570A.1 and VNE 570H.1) are implemented on different NDs (ND 500A and ND 500H) and are coupled to each other, and where the centralized control plane 576 has abstracted these multiple VNEs such that they appear as a single VNE 570T within one of the virtual networks 592 of Fig. 5D, according to some embodiments of the invention.
  • the abstraction of a NE or VNE can span multiple NDs.
  • the electronic device(s) running the centralized control plane 576 may be implemented a variety of ways (e.g., a special purpose device, a general-purpose (e.g., COTS) device, or hybrid device). These electronic device(s) would similarly include compute resource(s), a set or one or more physical NICs, and a non-transitory machine-readable storage medium having stored thereon the centralized control plane software. For instance, Fig.
  • a general purpose control plane device 604 including hardware 640 comprising a set of one or more processor(s) 642 (which are often COTS processors) and network interface controller(s) 644 (NICs; also known as network interface cards) (which include physical NIs 646), as well as non-transitory machine readable storage media 648 having stored therein centralized control plane (CCP) software 650 and a user data isolation module 651.
  • processors which are often COTS processors
  • NICs network interface controller
  • NICs network interface cards
  • non-transitory machine readable storage media 648 having stored therein centralized control plane (CCP) software 650 and a user data isolation module 651.
  • CCP centralized control plane
  • the processor(s) 642 typically execute software to instantiate a virtualization layer 654 (e.g., in one embodiment the virtualization layer 654 represents the kernel of an operating system (or a shim executing on a base operating system) that allows for the creation of multiple instances 662A-R called software containers (representing separate user spaces and also called virtualization engines, virtual private servers, or jails) that may each be used to execute a set of one or more applications; in another embodiment the virtualization layer 654 represents a hypervisor (sometimes referred to as a virtual machine monitor (VMM)) or a hypervisor executing on top of a host operating system, and an application is run on top of a guest operating system within an instance 662A-R called a virtual machine (which in some cases may be considered a tightly isolated form of software container) that is run by the hypervisor ; in another embodiment, an application is implemented as a unikernel, which can be generated by compiling directly with an application only a
  • VMM virtual machine monitor
  • an instance of the CCP software 650 (illustrated as CCP instance 676A) is executed (e.g., within the instance 662A) on the virtualization layer 654.
  • the CCP instance 676A is executed, as a unikernel or on top of a host operating system, on the "bare metal" general purpose control plane device 604.
  • the instantiation of the CCP instance 676A, as well as the virtualization layer 654 and instances 662A-R if implemented, are collectively referred to as software instance(s) 652.
  • the CCP instance 676A includes a network controller instance 678.
  • the network controller instance 678 includes a centralized reachability and forwarding information module instance 679 (which is a middleware layer providing the context of the network controller 578 to the operating system and communicating with the various NEs), and an CCP application layer 680 (sometimes referred to as an application layer) over the middleware layer (providing the intelligence required for various network operations such as protocols, network situational awareness, and user - interfaces).
  • this CCP application layer 680 within the centralized control plane 576 works with virtual network view(s) (logical view(s) of the network) and the middleware layer provides the conversion from the virtual networks to the physical view.
  • the user data isolation module 651 can be executed by hardware 640 to perform operations of one or more embodiments of the present invention as part of software instances 652.
  • the centralized control plane 576 transmits relevant messages to the data plane 580 based on CCP application layer 680 calculations and middleware layer mapping for each flow.
  • a flow may be defined as a set of packets whose headers match a given pattern of bits; in this sense, traditional IP forwarding is also flow-based forwarding where the flows are defined by the destination IP address for example; however, in other implementations, the given pattern of bits used for a flow definition may include more fields (e.g., 10 or more) in the packet headers.
  • Different NDs/NEs/VNEs of the data plane 580 may receive different messages, and thus different forwarding information.
  • the data plane 580 processes these messages and programs the appropriate flow information and corresponding actions in the forwarding tables (sometime referred to as flow tables) of the appropriate NE/VNEs, and then the NEs/VNEs map incoming packets to flows represented in the forwarding tables and forward packets based on the matches in the forwarding tables.
  • Standards such as OpenFlow define the protocols used for the messages, as well as a model for processing the packets.
  • the model for processing packets includes header parsing, packet classification, and making forwarding decisions. Header parsing describes how to interpret a packet based upon a well-known set of protocols. Some protocol fields are used to build a match structure (or key) that will be used in packet classification (e.g., a first key field could be a source media access control (MAC) address, and a second key field could be a destination MAC address).
  • MAC media access control
  • Packet classification involves executing a lookup in memory to classify the packet by determining which entry (also referred to as a forwarding table entry or flow entry) in the forwarding tables best matches the packet based upon the match structure, or key, of the forwarding table entries. It is possible that many flows represented in the forwarding table entries can correspond/match to a packet; in this case the system is typically configured to determine one forwarding table entry from the many according to a defined scheme (e.g., selecting a first forwarding table entry that is matched).
  • Forwarding table entries include both a specific set of match criteria (a set of values or wildcards, or an indication of what portions of a packet should be compared to a particular value/values/wildcards, as defined by the matching capabilities - for specific fields in the packet header, or for some other packet content), and a set of one or more actions for the data plane to take on receiving a matching packet. For example, an action may be to push a header onto the packet, for the packet using a particular port, flood the packet, or simply drop the packet.
  • TCP transmission control protocol
  • an unknown packet for example, a "missed packet” or a "match-miss” as used in OpenFlow parlance
  • the packet (or a subset of the packet header and content) is typically forwarded to the centralized control plane 576.
  • the centralized control plane 576 will then program forwarding table entries into the data plane 580 to accommodate packets belonging to the flow of the unknown packet. Once a specific forwarding table entry has been programmed into the data plane 580 by the centralized control plane 576, the next packet with matching credentials will match that forwarding table entry and take the set of actions associated with that matched entry.
  • a network interface may be physical or virtual; and in the context of IP, an interface address is an IP address assigned to a NI, be it a physical NI or virtual NI.
  • a virtual NI may be associated with a physical NI, with another virtual interface, or stand on its own (e.g., a loopback interface, a point-to-point protocol interface).
  • a NI (physical or virtual) may be numbered (a NI with an IP address) or unnumbered (a NI without an IP address).
  • a loopback interface (and its loopback address) is a specific type of virtual NI (and IP address) of a
  • IP addresses of that ND are referred to as IP addresses of that ND; at a more granular level, the IP address(es) assigned to NI(s) assigned to a NE/VNE implemented on a ND can be referred to as IP addresses of that NE/VNE.
  • An embodiment of the invention may be an article of manufacture in which a non- transitory machine-readable medium (such as microelectronic memory) has stored thereon instructions which program one or more data processing components (generically referred to here as a "processor") to perform the operations described above.
  • a non- transitory machine-readable medium such as microelectronic memory
  • program one or more data processing components (generically referred to here as a "processor") to perform the operations described above.
  • some of these operations might be performed by specific hardware components that contain hardwired logic (e.g., dedicated digital filter blocks and state machines). Those operations might alternatively be performed by any combination of programmed data processing components and fixed hardwired circuit components.

Abstract

A method is implemented by a network device to prevent user data from being accessible to a Software Defined Networking (SDN) controller in an SDN network to limit the SDN controller from being exposed to security exploits. The method includes receiving a packet-in message that includes a packet, storing a copy of a user data portion of the packet in a first storage such that it is retrievable from the first storage using a packet identifier that identifies the packet, clearing the user data portion of the packet from the packet-in message, storing a copy of a header field of the packet in a second storage such that it is retrievable from the second storage using the packet identifier, inserting the packet identifier into the header field of the packet in the packet-in message, and transmitting the packet-in message to the SDN controller.

Description

USER DATA ISOLATION IN SOFTWARE DEFINED NETWORKING (SDN)
CONTROLLER
TECHNICAL FIELD
[0001] Embodiments of the invention relate to the field of communication networks, and more specifically, to preventing user data from being accessible to a Software Defined Networking (SDN) controller in an SDN network in order to limit the SDN controller from being exposed to security exploits.
BACKGROUND
[0002] Software Defined Networking (SDN) is an approach to computer networking that employs a split architecture network in which the forwarding (data) plane is decoupled from the control plane. The use of a split architecture network simplifies the network devices (e.g., switches) implementing the forwarding plane by shifting the intelligence of the network into one or more controllers that oversee the switches. SDN facilitates rapid and open innovation at the network layer by providing a programmable network infrastructure.
[0003] OpenFlow is a protocol that enables controllers and switches in an SDN network to communicate with each other. OpenFlow enables dynamic programming of flow control policies in the network.
[0004] Using OpenFlow, an SDN controller can add, update, and delete flow entries in flow tables of switches, both reactively (e.g., in response to packets) and proactively. Each flow table in the switch contains a set of flow entries. Each flow entry includes match fields, counters, and a set of instructions to apply to matching packets.
[0005] OpenFlow allows a switch to transfer the control of a packet to an SDN controller. A switch can transfer control of a packet to an SDN controller using an OpenFlow packet-in message. The SDN controller can determine the appropriate processing for the packet and transmit the packet back to the switch (e.g., along with instructions on how to process the packet) using an OpenFlow packet-out message.
[0006] Thus, an SDN controller in an SDN network not only configures the switches in the data plane of the SDN network but is also involved with processing data plane traffic via OpenFlow packet-in messages. As a result, the SDN controller becomes a prime target for security exploits. Malicious traffic from the data plane of the SDN network can reach the SDN controller via OpenFlow packet-in messages and could exploit a security vulnerability in the SDN controller to gain control over the SDN controller, which could potentially compromise the entire data plane of the SDN network. This problem is further exacerbated when the components in the SDN network are implemented using open source components. For example, when an SDN controller is implemented using open source components, vulnerabilities in the SDN controller can be discovered by the public-at-large without any special access rights (e.g., by inspecting publicly available source code).
SUMMARY
[0007] A method is implemented by a network device to prevent user data from being accessible to a Software Defined Networking (SDN) controller in an SDN network to limit the SDN controller from being exposed to security exploits. The method includes receiving a packet-in message, where the packet-in message includes a packet, storing a copy of a user data portion of the packet in a first storage, where the copy of the user data portion of the packet is retrievable from the first storage using a packet identifier that identifies the packet, clearing the user data portion of the packet from the packet-in message, storing a copy of a header field of the packet in a second storage, where the copy of the header field of the packet is retrievable from the second storage using the packet identifier, inserting the packet identifier into the header field of the packet in the packet-in message, and transmitting the packet-in message to the SDN controller, wherein the transmitted packet-in message includes the inserted packet identifier and the cleared user data portion.
[0008] A network device is configured to prevent user data from being accessible to a
Software Defined Networking (SDN) controller in an SDN network to limit the SDN controller from being exposed to security exploits. The network device includes a set of one or more processors and a non-transitory machine-readable storage medium having stored therein a user data isolation module. The user data isolation module, when executed by the set of one or more processors, causes the network device to receive a packet-in message, where the packet-in message includes a packet, store a copy of a user data portion of the packet in a first storage, where the copy of the user data portion of the packet is retrievable from the first storage using a packet identifier that identifies the packet, clear the user data portion of the packet from the packet-in message, store a copy of a header field of the packet in a second storage, where the copy of the header field of the packet is retrievable from the second storage using the packet identifier, insert the packet identifier into the header field of the packet in the packet-in message, and transmit the packet-in message to the SDN controller, wherein the transmitted packet-in message includes the inserted packet identifier and the cleared user data portion. [0009] A non-transitory machine-readable medium has computer code stored therein, which when executed by a set of one or more processors of a network device, causes the network device to perform operations for preventing user data from being accessible to a Software Defined Networking (SDN) controller in an SDN network to limit the SDN controller from being exposed to security exploits. The operations include receiving a packet-in message, where the packet-in message includes a packet, storing a copy of a user data portion of the packet in a first storage, where the copy of the user data portion of the packet is retrievable from the first storage using a packet identifier that identifies the packet, clearing the user data portion of the packet from the packet-in message, storing a copy of a header field of the packet in a second storage, where the copy of the header field of the packet is retrievable from the second storage using the packet identifier, inserting the packet identifier into the header field of the packet in the packet-in message, and transmitting the packet-in message to the SDN controller, wherein the transmitted packet-in message includes the inserted packet identifier and the cleared user data portion.
BRIEF DESCRIPTION OF THE DRAWINGS
[0010] The invention may best be understood by referring to the following description and accompanying drawings that are used to illustrate embodiments of the invention. In the drawings:
[0011] Fig. 1 is a block diagram of a network in which user data isolation can be implemented, according to some embodiments.
[0012] Fig. 2A is a diagram illustrating a format of an IPv4 header, according to some embodiments.
[0013] Fig. 2B is a diagram illustrating a format of an IPv6 header, according to some embodiments.
[0014] Fig. 3 is a flow diagram of a process for performing user data isolation in an SDN network when handling a packet-in message, according to some embodiments.
[0015] Fig. 4 is a flow diagram of a process for performing user data isolation in an SDN network when handling a packet-out message, according to some embodiments.
[0016] Fig. 5A illustrates connectivity between network devices (NDs) within an exemplary network, as well as three exemplary implementations of the NDs, according to some
embodiments.
[0017] Fig. 5B illustrates an exemplary way to implement a special-purpose network device, according to some embodiments. [0018] Fig. 5C illustrates various exemplary ways in which virtual network elements (VNEs) may be coupled, according to some embodiments.
[0019] Fig. 5D illustrates a network with a single network element (NE) on each of the NDs, and within this straight forward approach contrasts a traditional distributed approach (commonly used by traditional routers) with a centralized approach for maintaining reachability and forwarding information (also called network control), according to some embodiments.
[0020] Fig. 5E illustrates the simple case of where each of the NDs implements a single NE, but a centralized control plane has abstracted multiple of the NEs in different NDs into (to represent) a single NE in one of the virtual network(s), according to some embodiments.
[0021] Fig. 5F illustrates a case where multiple VNEs are implemented on different NDs and are coupled to each other, and where a centralized control plane has abstracted these multiple VNEs such that they appear as a single VNE within one of the virtual networks, according to some embodiments.
[0022] Fig. 6 illustrates a general purpose control plane device with centralized control plane (CCP) software, according to some embodiments.
DETAILED DESCRIPTION
[0023] The following description describes methods and apparatuses for preventing user data from being accessible to a Software Defined Networking (SDN) controller in an SDN network in order to limit the SDN controller from being exposed to security exploits. In the following description, numerous specific details such as logic implementations, opcodes, means to specify operands, resource partitioning/sharing/duplication implementations, types and
interrelationships of system components, and logic partitioning/integration choices are set forth in order to provide a more thorough understanding of the present invention. It will be appreciated, however, by one skilled in the art that the invention may be practiced without such specific details. In other instances, control structures, gate level circuits and full software instruction sequences have not been shown in detail in order not to obscure the invention. Those of ordinary skill in the art, with the included descriptions, will be able to implement appropriate functionality without undue experimentation.
[0024] References in the specification to "one embodiment," "an embodiment," "an example embodiment," etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
[0025] Bracketed text and blocks with dashed borders (e.g., large dashes, small dashes, dot- dash, and dots) may be used herein to illustrate optional operations that add additional features to embodiments of the invention. However, such notation should not be taken to mean that these are the only options or optional operations, and/or that blocks with solid borders are not optional in certain embodiments of the invention.
[0026] In the following description and claims, the terms "coupled" and "connected," along with their derivatives, may be used. It should be understood that these terms are not intended as synonyms for each other. "Coupled" is used to indicate that two or more elements, which may or may not be in direct physical or electrical contact with each other, co-operate or interact with each other. "Connected" is used to indicate the establishment of communication between two or more elements that are coupled with each other.
[0027] An electronic device stores and transmits (internally and/or with other electronic devices over a network) code (which is composed of software instructions and which is sometimes referred to as computer program code or a computer program) and/or data using machine-readable media (also called computer-readable media), such as machine-readable storage media (e.g., magnetic disks, optical disks, read only memory (ROM), flash memory devices, phase change memory) and machine-readable transmission media (also called a carrier) (e.g., electrical, optical, radio, acoustical or other form of propagated signals - such as carrier waves, infrared signals). Thus, an electronic device (e.g., a computer) includes hardware and software, such as a set of one or more processors coupled to one or more machine-readable storage media to store code for execution on the set of processors and/or to store data. For instance, an electronic device may include non- volatile memory containing the code since the non-volatile memory can persist code/data even when the electronic device is turned off (when power is removed), and while the electronic device is turned on that part of the code that is to be executed by the processor(s) of that electronic device is typically copied from the slower nonvolatile memory into volatile memory (e.g., dynamic random access memory (DRAM), static random access memory (SRAM)) of that electronic device. Typical electronic devices also include a set or one or more physical network interface(s) to establish network connections (to transmit and/or receive code and/or data using propagating signals) with other electronic devices. One or more parts of an embodiment of the invention may be implemented using different combinations of software, firmware, and/or hardware.
[0028] A network device (ND) is an electronic device that communicatively interconnects other electronic devices on the network (e.g., other network devices, end-user devices). Some network devices are "multiple services network devices" that provide support for multiple networking functions (e.g., routing, bridging, switching, Layer 2 aggregation, session border control, Quality of Service, and/or subscriber management), and/or provide support for multiple application services (e.g., data, voice, and video).
[0029] Embodiments described herein limit an SDN controller from being exposed to security exploits by preventing the user data portion of a packet from being accessible to the SDN controller. According to some embodiments, when a switch transmits a packet-in message that includes a packet to the SDN controller, a network device intercepts the packet-in message before the packet-in message reaches the SDN controller. The network device stores a copy of the user data portion of the packet in a storage and clears the user data portion of the packet from the packet in the packet-in message. The copy of the user data portion of the packet is stored in the storage such that it can be retrieved using an opaque packet identifier that identifies the packet (e.g., the packet identifier is opaque in the sense that it does not convey any meaningful details regarding the contents of the user data portion). This opaque packet identifier can be included in a header field of the packet in the packet-in message. The network device may then provide the modified packet-in message to the SDN controller. When the SDN controller transmits a corresponding packet-out message (which includes the cleared user data portion of the packet) to the switch, the network device intercepts the packet-out message before the packet-out message reaches the switch. The network device obtains the opaque packet identifier from the header field of the packet in the packet-out message and uses the opaque packet identifier to retrieve the copy of the user data portion from the storage. The copy of the user data portion of the packet is added back to the packet in the packet-out message before the packet-out message is provided to the switch. In this way, user data is prevented from reaching the SDN controller, which helps limit the SDN controller from being exposed to user-crafted security exploits.
[0030] With this technique (also referred to herein generally as "user data isolation"), the SDN controller has access to protocol headers in packet-in messages but does not have access to the user data portions of packets in packet-in messages. Since the SDN controller does not have access to the user data portions of packets in packet-in messages, it is protected against user- crafted security exploits (e.g., arbitrary code supplied by user). The protocol headers are typically set by devices in the network that are managed by a network operator so they have a low probability of containing malicious data that can be used as part of a security exploit.
[0031] Fig. 1 is a block diagram of a network in which user data isolation can be implemented, according to some embodiments. The network includes an SDN controller 130, a network device 100, and a switch 110. The SDN controller 130 is communicatively coupled to the switch 110 and manages the switch 110. The switch 110 processes packets in the data plane of the network. In one embodiment, the SDN controller 130 manages the switch 110 using OpenFlow or another type of protocol that allows communication between an SDN controller 130 and a switch 110 in an SDN network. The SDN controller 130 may configure the packet processing behavior of the switch 110. For example, in an OpenFlow context, the SDN controller 130 can add, update, and delete flow entries in flow tables of the switch 110 to configure the packet processing behavior of the switch 110. In OpenFlow, if the switch 110 receives a packet that it does not know how to process, the switch 110 may transfer control of the packet to the SDN controller 130 by transmitting an OpenFlow packet-in message to the SDN controller 130. The OpenFlow packet-in message may include the packet that is being transferred to the SDN controller 130. The SDN controller 130 may subsequently transmit a corresponding OpenFlow packet-out message to the switch 110 to transfer control of the packet back to the data plane of the network. The term "packet-in message" as used herein refers to any type of message that is used to transfer control of a packet from a switch 110 to an SDN controller 130, and unless stated otherwise, is not limited to an OpenFlow packet-in message. Similarly, the term "packet-out message" as used herein refers to any type of message that is used to transfer control of a packet from an SDN controller 130 to a switch 110, and unless stated otherwise, is not limited to an OpenFlow packet-out message. The network device 100 can be situated on a communication path between the switch 110 and the SDN controller 130 such that it can intercept packet-in messages being transmitted from the switch 110 to the SDN controller 130 and intercept packet-out messages being transmitted from the SDN controller 130 to the switch 110. The network device 100 includes a user data isolation module 150 to prevent user data from being accessible to the SDN controller 130. The network device 100 may also include a packet storage 160 and a mapping table 170 that are used in conjunction with the user data isolation module 150 to perform user data isolation, as will be described in additional detail below. Although the user data isolation module 150 (as well as the packet storage 160 and the mapping table 170) is shown as being implemented in a network device 100 that is separate from the SDN controller 130, in some embodiments, the user data isolation module 150 (as well as the packet storage 160 and/or the mapping table 170) may be implemented in the SDN controller 130. Operations for performing user data isolation will now be described with reference to the diagram.
[0032] At operation 1, the switch 110 transmits a packet-in message towards the SDN controller 130. The packet-in message may include a packet (e.g., a packet that the switch 110 wishes to transfer control of to the SDN controller 130). The packet may include a header portion and a user data portion. In one embodiment, the packet is an IPv4 packet, where the header portion is an IPv4 header. In another embodiment, the packet is an IPv6 packet, where the header portion is an IPv6 header. The user data portion of the packet is the payload of the packet (as opposed to network data that is used for routing/forwarding the packet), which is typically populated by an end-user or a subscriber terminal, and thus can potentially contain malicious user-crafted data. In one embodiment, the user data portion of the packet may be the portion of the packet that follows the IPv4 header or IPv6 header, or may be a portion of the packet that is nested within additional headers following the IPv4 header or IPv6 header. In one embodiment, the network device 100 intercepts the packet-in message before it reaches the SDN controller 130, and the user data isolation module 150 clears the user data portion of the packet from the packet-in message before the packet-in message is provided to the SDN controller 130. For this purpose, when the user data isolation module 150 receives the packet-in message, the user data isolation module 150 may parse the packet in the packet-in message to identify the user data portion of the packet. The user data isolation module 150 then stores a copy of the user data portion of the packet in the packet storage 160 and clears the user data portion of the packet from the packet-in message. The user data isolation module 150 may clear the user data portion of the packet by zeroing out all the bits in the user data portion of the packet or otherwise inserting innocuous data in the user data portion of the packet. The copy of the user data portion of the packet is stored in the packet storage 160 so that it can be retrieved and added back later during packet-out processing. The copy of the user data portion of the packet may be stored in packet storage such that it is retrievable from the packet storage using a packet identifier that identifies the packet. For example, the packet identifier can be a value that is automatically generated by the packet storage (e.g., an index or key). The user data isolation module 150 may store the packet identifier in one or more of the header fields of the packet in the packet-in message. In an embodiment where the packet is an IPv4 packet, the user data isolation module may store the packet identifier in the identification header field or the fragment offset header field of the IPv4 packet in the packet-in message or use both of those fields to store the packet identifier (e.g., if the size of the packet identifier requires more bits than a single field provides). In an embodiment where the packet is an IPv6 packet, the user data isolation module 150 may store the packet identifier in the flow label header field of the IPv6 packet in the packet-in message. These fields are provided by way of example and not limitation. It should be understood that other fields (or any combination of fields or bits) of the packet can also be used to store the packet identifier. Preferably, the packet identifier is stored in a header field of the packet in the packet-in message that will not be used by the SDN controller 130 to make packet processing decisions and will not be modified by the SDN controller 130 during packet- in processing. It is possible that the header field is already populated with a value. In order to preserve the existing value, the user data isolation module 150 may store the existing value in storage so that it can be added back later during packet-out processing. For example, the user data isolation module 150 may create a mapping between the packet identifier and a copy of the header field of the packet in the mapping table 170 before replacing the value in the header field of the packet with the packet identifier.
[0033] At operation 2, the network device 100 transmits the packet-in message (with the user data portion cleared) to the SDN controller 130. Since the user data portion of the packet in the packet-in message is cleared, the SDN controller's 130 exposure to user-crafted security exploits is limited.
[0034] At operation 3, once the SDN controller 130 is finished processing the packet-in message, the SDN controller 130 transmits a corresponding packet-out message towards the switch 110. The packet-out message includes the packet with the user data portion cleared. During processing of the packet-in message, the SDN controller 130 may have modified one or more header fields of the packet, but the header field that includes the packet identifier should still be intact. In one embodiment, the network device 100 intercepts the packet-out message before it reaches the switch 110, and the user data isolation module 150 adds back the user data portion of the packet and the original value in the header field before the packet-out message is provided to the switch 110. For this purpose, when the user data isolation module 150 receives the packet-out message, the user data isolation module 150 obtains the packet identifier from the header field of the packet in the packet-out message. The user data isolation module 150 uses the packet identifier to retrieve the copy of the user data portion of the packet from the packet storage 160 and to retrieve the copy of the header field (with the original value) of the packet from the mapping table 170 (e.g., using the packet identifier as a key). The user data isolation module 150 may then insert the copy of the header field (with the original value) of the packet into the header field of the packet in the packet-out message and insert the copy of the user data portion of the packet into the user data portion of the packet in the packet-out message. In this way, the original value in the header field and the original user data portion are added back to the packet in the packet-out message. At operation 4, the network device 100 transmits the packet-out message (with the user data portion added back) to the switch 110.
[0035] In one embodiment, the copy of the user data portion of the packet can be deleted from the packet storage 160 after a timeout period (e.g., after one hour) (the copy of the header field of the packet can be deleted from the mapping table 170 as well). Typically, the copy of the user data portion of the packet can be deleted from the packet storage 160 after it has been added back to the packet during packet-out processing. However, there can be cases where a single packet-in message transmitted to the SDN controller 130 results in the SDN controller 130 transmitting multiple packet-out messages. In such cases, the SDN controller 130 may instruct the user data isolation module 150 to keep the copy of the user data portion in the packet storage 160 (as well as the copy of the header field in mapping table 170) until the SDN controller 130 instructs the user data isolation module 150 to delete the copy of the user data portion. When the SDN controller 130 determines that the copy of the user data portion stored in the packet storage 160 and/or the copy of the header field stored in the mapping table 170 are no longer needed, the SDN controller 130 may instruct the user data isolation module 150 to delete the copy of the user data portion from the packet storage 160 and/or the copy of the header field from the mapping table 170.
[0036] Although user data isolation techniques have been primarily described in a context where the packet is an IPv4 packet or an IPv6 packet, embodiments are not so limited. The data isolation techniques described herein are also applicable to other types of protocols having different frame/packet formats such as Ethernet, Multiprotocol Label Switching (MPLS), and 802.1Q tunneling (Q-in-Q). The user data isolation module may be able to identify the user data portion of a particular packet based on inspecting one or more header fields of the packet (which could also span across multiple layers of headers). In one embodiment, the user data isolation module 150 may be able to identify the user data portion of a particular packet based on inspecting one or more fields in the packet-in message. For example, the user data isolation module 150 may inspect a table ID field (that includes an indication of an identifier (ID) of the flow table that was looked up), a cookie field (that includes an indication of a cookie of the flow entry that was looked up), and/or a match field (that includes an indication of packet metadata) in the packet-in message to identify the user data portion of a packet (e.g., the starting point of the user data portion and the length of the user data portion).
[0037] Fig. 2A is a diagram illustrating a format of an IPv4 header, according to some embodiments. The IPv4 header includes, among other fields, a 16-bit identification field. The identification field is typically used to identify an IP datagram to which the packet belongs. The IPv4 header also includes, among other fields, a 13-bit fragment offset field. The fragment offset field is typically used to indicate an offset from the start of an IP datagram. In one embodiment, the user data isolation module 150 may use the identification field and/or the fragment offset field of an IPv4 packet header to store a packet identifier. It should be understood that any combination of fields or bits in the IPv4 header can be used to store the packet identifier, as long as those fields or bits will not be used by the SDN controller 130 to make packet processing decisions and will not be modified by the SDN controller 130 during packet-in processing. [0038] Fig. 2B is a diagram illustrating a format of an IPv6 header, according to some embodiments. The IPv6 header includes, among other fields, a 16-bit flow label field. The flow label field is typically used to label sequences of packets that require special handling by IPv6 routers. In one embodiment, the user data isolation module 150 may use the flow label field of an IPv6 packet header to store a packet identifier. It should be understood that any combination of fields or bits in the IPv6 header can be used to store the packet identifier, as long as those fields or bits will not be used by the SDN controller 130 to make packet processing decisions and will not be modified by the SDN controller 130 during packet-in processing.
[0039] Fig. 3 is a flow diagram of a process for performing user data isolation in an SDN network when handling a packet-in message, according to some embodiments. In one embodiment, the process may be performed by a network device 100 (including, e.g., user data isolation module 150, packet storage 160, and/or mapping table 170 of network device 100).
The network device 100 may be communicatively coupled to an SDN controller 130 and a data plane device (e.g., switch 110) managed by the SDN controller 130 in the SDN network. The operations in this and other flow diagrams will be described with reference to the exemplary embodiments of the other figures. However, it should be understood that the operations of the flow diagrams can be performed by embodiments of the invention other than those discussed with reference to the other figures, and the embodiments of the invention discussed with reference to these other figures can perform operations different than those discussed with reference to the flow diagrams.
[0040] In one embodiment, the process is initiated when the network device 100 receives a packet-in message, where the packet-in message includes a packet (block 310). The packet-in message may have been intercepted by the network device 100 while the packet-in message was traveling from the data plane device towards the SDN controller 130. The data plane device may have generated the packet-in message to transfer control of the packet to the SDN controller 130. In one embodiment, the packet is an IPv4 packet (with an IPv4 header). In another embodiment, the packet is an IPv6 packet (with an IPv6 header).
[0041] The network device 100 stores a copy of a user data portion of the packet in a first storage (block 320). The first storage can be any type of memory that is accessible by the network device 100. The copy of the user data portion of the packet may be retrievable from the first storage (e.g., packet storage 160) using a packet identifier that identifies the packet. In one embodiment, the network device 100 parses the packet to identify the user data portion of the packet (e.g., to identify the starting point of the user data portion of the packet and the length of the user data portion of the packet). In one embodiment, the network device 100 determines the starting point of the user data portion of the packet and/or the length of the user data portion of the packet based on information in one or more header fields of the packet. In one embodiment, the starting point of the user data portion of the packet and/or the length of the user data portion of the packet is determined based on information in one or more fields of the packet-in message. For example, in an embodiment where the packet-in message is an OpenFlow packet-in message, the starting point of the user data portion of the packet can be determined based on information in a table identifier field, a cookie field, and/or a match field of the packet-in message.
[0042] The network device 100 then clears the user data portion of the packet from the packet- in message (block 330). In one embodiment, the network device 100 clears the user data portion of the packet by zeroing out all the bits in the user data portion of the packet or otherwise inserting innocuous data in the user data portion of the packet. This operation ensures that any malicious data in the user data portion of the packet does not reach the SDN controller 130.
[0043] The network device 100 stores a copy of a header field of the packet in a second storage (block 340). The second storage can be any type of memory that is accessible by the network device 100. The copy of the header field of the packet is retrievable from the second storage using the packet identifier. For example, the network device 100 may create a mapping between the packet identifier and the copy of the header field in a mapping table 170. In an embodiment where the packet is an IPv4 packet, the header field may be the identification field, the fragment offset field, or a combination of the identification field and the fragment offset field in the IPv4 header of the packet. In an embodiment where the packet is an IPv6 packet, the header field may be the flow label field in the IPv6 header of the packet.
[0044] The network device 100 inserts the packet identifier into the header field of the packet in the packet-in message (block 350) and transmits the packet-in message (with the inserted packet identifier and the cleared user data portion) to the SDN controller 130 (block 360). Since the user data portion of the packet is cleared from the packet-in message that reaches the SDN controller 130, this limits the SDN controller's 130 exposure to user-crafted security exploits. Also, the copy of the user data portion of the packet and the copy of the header field (e.g., the header field in which the packet identifier is inserted) is stored in storage so that they can be added back to the packet during packet-out processing (as will be described with reference to Fig. 4).
[0045] In one embodiment, the network device 100 deletes the copy of the user data portion of the packet from the first storage (and may also delete the copy of the header field of the packet from the second storage) in response to a determination that an elapsed lifetime of the copy of the user data portion of the packet in the first storage (or an elapsed lifetime of the copy of the header field of the packet in the second storage) exceeds a predetermined timeout length. In another embodiment, the network device 100 deletes the copy of the user data portion of the packet from the first storage (and may also delete the copy of the header field of the packet from the second storage) in response to receiving an instruction from the SDN controller 130 to delete the copy of the user data portion of the packet (or an instruction from the SDN controller 130 to delete the copy of the header field of the packet).
[0046] Fig. 4 is a flow diagram of a process for performing user data isolation in an SDN network when handling a packet-out message, according to some embodiments. In one embodiment, the process may be performed by a network device 100 (including, e.g., user data isolation module 150, packet storage 160, and/or mapping table 170 of network device 100). The network device 100 may be communicatively coupled to an SDN controller 130 and a data plane device (e.g., switch 110) managed by the SDN controller 130 in the SDN network.
[0047] In one embodiment, the process is initiated when the network device 100 receives a packet-out message, where the packet-out message includes a packet (block 410). The packet- out message may have been intercepted by the network device 100 while the packet-out message was traveling from the SDN controller 130 towards the data plane device. The SDN controller 130 may have generated the packet-out message in response to receiving a packet-in message (e.g., the packet in the packet-out message may be the same or a modified version of the packet that was in the corresponding packet-in message received by the SDN controller 130). A header field of the packet in the packet-out message includes a packet identifier, and a user data portion of the packet in the packet-out message is cleared (e.g., as a result of the operations described above with reference to Fig. 3). In one embodiment, the packet is an IPv4 packet (with an IPv4 header). In an embodiment where the packet is an IPv4 packet, the header field (that includes the packet identifier) is the identification field, the fragment offset field, or a combination of the identification field and the fragment offset field in the IPv4 header of the packet. In another embodiment, the packet is an IPv6 packet (with an IPv6 header). In an embodiment where the packet is an IPv6 packet, the header field (that includes the packet identifier) is the flow label field in the IPv6 header of the packet. The network device 100 may have previously stored a copy of the original user data portion of the packet in a first storage and stored a copy of the original header field of the packet in a second storage (e.g., as a result of the operations described above with reference to Fig. 3).
[0048] The network device 100 obtains the packet identifier from the header field of the packet in the packet-out message (block 420) and retrieves a copy of the header field of the packet from the second storage using the packet identifier (block 430). For example, the network device 100 may use the packet identifier as a key to retrieve the copy of the header field of the packet from the second storage. [0049] The network device 100 then inserts the copy of the header field of the packet into the header field of the packet in the packet-out message (block 440). This operation adds the original header field of the packet in the packet- in message back to the packet in the packet-out message.
[0050] The network device 100 then retrieves the copy of the user data portion of the packet from the first storage using the packet identifier (block 450). For example, the network device 100 may use the packet identifier as a key to retrieve the copy of the user data portion of the packet from the first storage.
[0051] The network device 100 then inserts the copy of the user data portion of the packet into the user data portion of the packet in the packet-out message (block 460). This operation adds the original user data portion of the packet in the packet-in message back to the packet in the packet-out message. The network device 100 then transmits the packet-out message (with the user data portion and the header field added back) to the data plane device (block 470).
[0052] Embodiments described herein thus prevent a user data portion in a packet-in message from being accessible to a SDN controller 130 in an SDN network. An advantage provided by the embodiments described herein is that the SDN controller's 130 exposure to security exploits (e.g., user-crafted security exploits) is reduced. Also, embodiments described herein may be implemented with little to no changes at the data plane device or to the control plane protocol (e.g., OpenFlow).
[0053] Fig. 5A illustrates connectivity between network devices (NDs) within an exemplary network, as well as three exemplary implementations of the NDs, according to some
embodiments of the invention. Fig. 5A shows NDs 500A-H, and their connectivity by way of lines between 500A-500B, 500B-500C, 500C-500D, 500D-500E, 500E-500F, 500F-500G, and 500A-500G, as well as between 500H and each of 500A, 500C, 500D, and 500G. These NDs are physical devices, and the connectivity between these NDs can be wireless or wired (often referred to as a link). An additional line extending from NDs 500A, 500E, and 500F illustrates that these NDs act as ingress and egress points for the network (and thus, these NDs are sometimes referred to as edge NDs; while the other NDs may be called core NDs).
[0054] Two of the exemplary ND implementations in Fig. 5 A are: 1) a special-purpose network device 502 that uses custom application-specific integrated-circuits (ASICs) and a special-purpose operating system (OS); and 2) a general purpose network device 504 that uses common off-the-shelf (COTS) processors and a standard OS.
[0055] The special-purpose network device 502 includes networking hardware 510 comprising compute resource(s) 512 (which typically include a set of one or more processors), forwarding resource(s) 514 (which typically include one or more ASICs and/or network processors), and physical network interfaces (NIs) 516 (sometimes called physical ports), as well as non- transitory machine readable storage media 518 having stored therein networking software 520. A physical NI is hardware in a ND through which a network connection (e.g., wirelessly through a wireless network interface controller (WNIC) or through plugging in a cable to a physical port connected to a network interface controller (NIC)) is made, such as those shown by the connectivity between NDs 500A-H. During operation, the networking software 520 may be executed by the networking hardware 510 to instantiate a set of one or more networking software instance(s) 522. Each of the networking software instance(s) 522, and that part of the networking hardware 510 that executes that network software instance (be it hardware dedicated to that networking software instance and/or time slices of hardware temporally shared by that networking software instance with others of the networking software instance(s) 522), form a separate virtual network element 530A-R. Each of the virtual network element(s) (VNEs) 530A-R includes a control communication and configuration module 532A-R (sometimes referred to as a local control module or control communication module) and forwarding table(s) 534A-R, such that a given virtual network element (e.g., 530A) includes the control
communication and configuration module (e.g., 532A), a set of one or more forwarding table(s) (e.g., 534A), and that portion of the networking hardware 510 that executes the virtual network element (e.g., 530A).
[0056] The special-purpose network device 502 is often physically and/or logically considered to include: 1) a ND control plane 524 (sometimes referred to as a control plane) comprising the compute resource(s) 512 that execute the control communication and configuration module(s) 532A-R; and 2) a ND forwarding plane 526 (sometimes referred to as a forwarding plane, a data plane, or a media plane) comprising the forwarding resource(s) 514 that utilize the forwarding table(s) 534A-R and the physical NIs 516. By way of example, where the ND is a router (or is implementing routing functionality), the ND control plane 524 (the compute resource(s) 512 executing the control communication and configuration module(s) 532A-R) is typically responsible for participating in controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) and storing that routing information in the forwarding table(s) 534A-R, and the ND forwarding plane 526 is responsible for receiving that data on the physical NIs 516 and forwarding that data out the appropriate ones of the physical NIs 516 based on the forwarding table(s) 534A-R.
[0057] Fig. 5B illustrates an exemplary way to implement the special-purpose network device 502 according to some embodiments of the invention. Fig. 5B shows a special-purpose network device including cards 538 (typically hot pluggable). While in some embodiments the cards 538 are of two types (one or more that operate as the ND forwarding plane 526 (sometimes called line cards), and one or more that operate to implement the ND control plane 524 (sometimes called control cards)), alternative embodiments may combine functionality onto a single card and/or include additional card types (e.g., one additional type of card is called a service card, resource card, or multi-application card). A service card can provide specialized processing (e.g., Layer 4 to Layer 7 services (e.g., firewall, Internet Protocol Security (IPsec), Secure Sockets Layer (SSL) / Transport Layer Security (TLS), Intrusion Detection System (IDS), peer- to-peer (P2P), Voice over IP (VoIP) Session Border Controller, Mobile Wireless Gateways (Gateway General Packet Radio Service (GPRS) Support Node (GGSN), Evolved Packet Core (EPC) Gateway)). By way of example, a service card may be used to terminate IPsec tunnels and execute the attendant authentication and encryption algorithms. These cards are coupled together through one or more interconnect mechanisms illustrated as backplane 536 (e.g., a first full mesh coupling the line cards and a second full mesh coupling all of the cards).
[0058] Returning to Fig. 5A, the general purpose network device 504 includes hardware 540 comprising a set of one or more processor(s) 542 (which are often COTS processors) and network interface controller(s) 544 (NICs; also known as network interface cards) (which include physical NIs 546), as well as non-transitory machine readable storage media 548 having stored therein software 550. During operation, the processor(s) 542 execute the software 550 to instantiate one or more sets of one or more applications 564A-R. While one embodiment does not implement virtualization, alternative embodiments may use different forms of virtualization. For example, in one such alternative embodiment the virtualization layer 554 represents the kernel of an operating system (or a shim executing on a base operating system) that allows for the creation of multiple instances 562A-R called software containers that may each be used to execute one (or more) of the sets of applications 564A-R; where the multiple software containers (also called virtualization engines, virtual private servers, or jails) are user spaces (typically a virtual memory space) that are separate from each other and separate from the kernel space in which the operating system is run; and where the set of applications running in a given user space, unless explicitly allowed, cannot access the memory of the other processes. In another such alternative embodiment the virtualization layer 554 represents a hypervisor (sometimes referred to as a virtual machine monitor (VMM)) or a hypervisor executing on top of a host operating system, and each of the sets of applications 564A-R is run on top of a guest operating system within an instance 562A-R called a virtual machine (which may in some cases be considered a tightly isolated form of software container) that is run on top of the hypervisor - the guest operating system and application may not know they are running on a virtual machine as opposed to running on a "bare metal" host electronic device, or through para- virtualization the operating system and/or application may be aware of the presence of virtualization for optimization purposes. In yet other alternative embodiments, one, some or all of the applications are implemented as unikernel(s), which can be generated by compiling directly with an application only a limited set of libraries (e.g., from a library operating system (LibOS) including drivers/libraries of OS services) that provide the particular OS services needed by the application. As a unikernel can be implemented to run directly on hardware 540, directly on a hypervisor (in which case the unikernel is sometimes described as running within a LibOS virtual machine), or in a software container, embodiments can be implemented fully with unikernels running directly on a hypervisor represented by virtualization layer 554, unikernels running within software containers represented by instances 562A-R, or as a combination of unikernels and the above-described techniques (e.g., unikernels and virtual machines both run directly on a hypervisor, unikernels and sets of applications that are run in different software containers).
[0059] The instantiation of the one or more sets of one or more applications 564A-R, as well as virtualization if implemented, are collectively referred to as software instance(s) 552. Each set of applications 564 A-R, corresponding virtualization construct (e.g., instance 562A-R) if implemented, and that part of the hardware 540 that executes them (be it hardware dedicated to that execution and/or time slices of hardware temporally shared), forms a separate virtual network element(s) 560A-R.
[0060] The virtual network element(s) 560A-R perform similar functionality to the virtual network element(s) 530A-R - e.g., similar to the control communication and configuration module(s) 532A and forwarding table(s) 534A (this virtualization of the hardware 540 is sometimes referred to as network function virtualization (NFV)). Thus, NFV may be used to consolidate many network equipment types onto industry standard high volume server hardware, physical switches, and physical storage, which could be located in Data centers, NDs, and customer premise equipment (CPE). While embodiments of the invention are illustrated with each instance 562A-R corresponding to one VNE 560A-R, alternative embodiments may implement this correspondence at a finer level granularity (e.g., line card virtual machines virtualize line cards, control card virtual machine virtualize control cards, etc.); it should be understood that the techniques described herein with reference to a correspondence of instances 562A-R to VNEs also apply to embodiments where such a finer level of granularity and/or unikernels are used.
[0061] In certain embodiments, the virtualization layer 554 includes a virtual switch that provides similar forwarding services as a physical Ethernet switch. Specifically, this virtual switch forwards traffic between instances 562A-R and the NIC(s) 544, as well as optionally between the instances 562A-R; in addition, this virtual switch may enforce network isolation between the VNEs 560A-R that by policy are not permitted to communicate with each other
(e.g., by honoring virtual local area networks (VLANs)).
[0062] The third exemplary ND implementation in Fig. 5A is a hybrid network device 506, which includes both custom ASICs/special-purpose OS and COTS processors/standard OS in a single ND or a single card within an ND. In certain embodiments of such a hybrid network device, a platform VM (i.e., a VM that that implements the functionality of the special-purpose network device 502) could provide for para-virtualization to the networking hardware present in the hybrid network device 506.
[0063] Regardless of the above exemplary implementations of an ND, when a single one of multiple VNEs implemented by an ND is being considered (e.g., only one of the VNEs is part of a given virtual network) or where only a single VNE is currently being implemented by an ND, the shortened term network element (NE) is sometimes used to refer to that VNE. Also in all of the above exemplary implementations, each of the VNEs (e.g., VNE(s) 530A-R, VNEs 560A-R, and those in the hybrid network device 506) receives data on the physical NIs (e.g., 516, 546) and forwards that data out the appropriate ones of the physical NIs (e.g., 516, 546). For example, a VNE implementing IP router functionality forwards IP packets on the basis of some of the IP header information in the IP packet; where IP header information includes source IP address, destination IP address, source port, destination port (where "source port" and
"destination port" refer herein to protocol ports, as opposed to physical ports of a ND), transport protocol (e.g., user datagram protocol (UDP), Transmission Control Protocol (TCP), and differentiated services code point (DSCP) values.
[0064] Fig. 5C illustrates various exemplary ways in which VNEs may be coupled according to some embodiments of the invention. Fig. 5C shows VNEs 570A.1-570A.P (and optionally VNEs 570A.Q-570A.R) implemented in ND 500A and VNE 570H.1 in ND 500H. In Fig. 5C, VNEs 570A.1-P are separate from each other in the sense that they can receive packets from outside ND 500A and forward packets outside of ND 500A; VNE 570A.1 is coupled with VNE 570H.1, and thus they communicate packets between their respective NDs; VNE 570A.2- 570A.3 may optionally forward packets between themselves without forwarding them outside of the ND 500A; and VNE 570A.P may optionally be the first in a chain of VNEs that includes VNE 570A.Q followed by VNE 570A.R (this is sometimes referred to as dynamic service chaining, where each of the VNEs in the series of VNEs provides a different service - e.g., one or more layer 4-7 network services). While Fig. 5C illustrates various exemplary relationships between the VNEs, alternative embodiments may support other relationships (e.g., more/fewer VNEs, more/fewer dynamic service chains, multiple different dynamic service chains with some common VNEs and some different VNEs). [0065] The NDs of Fig. 5A, for example, may form part of the Internet or a private network; and other electronic devices (not shown; such as end user devices including workstations, laptops, netbooks, tablets, palm tops, mobile phones, smartphones, phablets, multimedia phones, Voice Over Internet Protocol (VOIP) phones, terminals, portable media players, GPS units, wearable devices, gaming systems, set-top boxes, Internet enabled household appliances) may be coupled to the network (directly or through other networks such as access networks) to communicate over the network (e.g., the Internet or virtual private networks (VPNs) overlaid on (e.g., tunneled through) the Internet) with each other (directly or through servers) and/or access content and/or services. Such content and/or services are typically provided by one or more servers (not shown) belonging to a service/content provider or one or more end user devices (not shown) participating in a peer-to-peer (P2P) service, and may include, for example, public webpages (e.g., free content, store fronts, search services), private webpages (e.g.,
username/password accessed webpages providing email services), and/or corporate networks over VPNs. For instance, end user devices may be coupled (e.g., through customer premise equipment coupled to an access network (wired or wirelessly)) to edge NDs, which are coupled (e.g., through one or more core NDs) to other edge NDs, which are coupled to electronic devices acting as servers. However, through compute and storage virtualization, one or more of the electronic devices operating as the NDs in Fig. 5A may also host one or more such servers (e.g., in the case of the general purpose network device 504, one or more of the software instances 562A-R may operate as servers; the same would be true for the hybrid network device 506; in the case of the special-purpose network device 502, one or more such servers could also be run on a virtualization layer executed by the compute resource(s) 512); in which case the servers are said to be co-located with the VNEs of that ND.
[0066] A virtual network is a logical abstraction of a physical network (such as that in Fig. 5A) that provides network services (e.g., L2 and/or L3 services). A virtual network can be implemented as an overlay network (sometimes referred to as a network virtualization overlay) that provides network services (e.g., layer 2 (L2, data link layer) and/or layer 3 (L3, network layer) services) over an underlay network (e.g., an L3 network, such as an Internet Protocol (IP) network that uses tunnels (e.g., generic routing encapsulation (GRE), layer 2 tunneling protocol (L2TP), IPSec) to create the overlay network).
[0067] A network virtualization edge (NVE) sits at the edge of the underlay network and participates in implementing the network virtualization; the network-facing side of the NVE uses the underlay network to tunnel frames to and from other NVEs; the outward-facing side of the NVE sends and receives data to and from systems outside the network. A virtual network instance (VNI) is a specific instance of a virtual network on a NVE (e.g., a NE/VNE on an ND, a part of a NE/VNE on a ND where that NE/VNE is divided into multiple VNEs through emulation); one or more VNIs can be instantiated on an NVE (e.g., as different VNEs on an ND). A virtual access point (VAP) is a logical connection point on the NVE for connecting external systems to a virtual network; a VAP can be physical or virtual ports identified through logical interface identifiers (e.g., a VLAN ID).
[0068] Examples of network services include: 1) an Ethernet LAN emulation service (an Ethernet-based multipoint service similar to an Internet Engineering Task Force (IETF) Multiprotocol Label Switching (MPLS) or Ethernet VPN (EVPN) service) in which external systems are interconnected across the network by a LAN environment over the underlay network (e.g., an NVE provides separate L2 VNIs (virtual switching instances) for different such virtual networks, and L3 (e.g., IP/MPLS) tunneling encapsulation across the underlay network); and 2) a virtualized IP forwarding service (similar to IETF IP VPN (e.g., Border Gateway Protocol (BGP)/MPLS IP VPN) from a service definition perspective) in which external systems are interconnected across the network by an L3 environment over the underlay network (e.g., an NVE provides separate L3 VNIs (forwarding and routing instances) for different such virtual networks, and L3 (e.g., IP/MPLS) tunneling encapsulation across the underlay network)). Network services may also include quality of service capabilities (e.g., traffic classification marking, traffic conditioning and scheduling), security capabilities (e.g., filters to protect customer premises from network - originated attacks, to avoid malformed route announcements), and management capabilities (e.g., full detection and processing).
[0069] Fig. 5D illustrates a network with a single network element on each of the NDs of Fig. 5A, and within this straight forward approach contrasts a traditional distributed approach (commonly used by traditional routers) with a centralized approach for maintaining reachability and forwarding information (also called network control), according to some embodiments of the invention. Specifically, Fig. 5D illustrates network elements (NEs) 570A-H with the same connectivity as the NDs 500A-H of Fig. 5A.
[0070] Fig. 5D illustrates that the distributed approach 572 distributes responsibility for generating the reachability and forwarding information across the NEs 570A-H; in other words, the process of neighbor discovery and topology discovery is distributed.
[0071] For example, where the special-purpose network device 502 is used, the control communication and configuration module(s) 532A-R of the ND control plane 524 typically include a reachability and forwarding information module to implement one or more routing protocols (e.g., an exterior gateway protocol such as Border Gateway Protocol (BGP), Interior Gateway Protocol(s) (IGP) (e.g., Open Shortest Path First (OSPF), Intermediate System to Intermediate System (IS-IS), Routing Information Protocol (RIP), Label Distribution Protocol (LDP), Resource Reservation Protocol (RSVP) (including RS VP-Traffic Engineering (TE):
Extensions to RSVP for LSP Tunnels and Generalized Multi-Protocol Label Switching
(GMPLS) Signaling RSVP-TE)) that communicate with other NEs to exchange routes, and then selects those routes based on one or more routing metrics. Thus, the NEs 570A-H (e.g., the compute resource(s) 512 executing the control communication and configuration module(s) 532A-R) perform their responsibility for participating in controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) by distributively determining the reachability within the network and calculating their respective forwarding information. Routes and adjacencies are stored in one or more routing structures (e.g., Routing Information Base (RIB), Label Information Base (LIB), one or more adjacency structures) on the ND control plane 524. The ND control plane 524 programs the ND forwarding plane 526 with information (e.g., adjacency and route information) based on the routing structure(s). For example, the ND control plane 524 programs the adjacency and route information into one or more forwarding table(s) 534A-R (e.g., Forwarding Information Base (FIB), Label Forwarding Information Base (LFIB), and one or more adjacency structures) on the ND forwarding plane 526. For layer 2 forwarding, the ND can store one or more bridging tables that are used to forward data based on the layer 2 information in that data. While the above example uses the special-purpose network device 502, the same distributed approach 572 can be implemented on the general purpose network device 504 and the hybrid network device 506.
[0072] Fig. 5D illustrates that a centralized approach 574 (also known as software defined networking (SDN)) that decouples the system that makes decisions about where traffic is sent from the underlying systems that forwards traffic to the selected destination. The illustrated centralized approach 574 has the responsibility for the generation of reachability and forwarding information in a centralized control plane 576 (sometimes referred to as a SDN control module, controller, network controller, OpenFlow controller, SDN controller, control plane node, network virtualization authority, or management control entity), and thus the process of neighbor discovery and topology discovery is centralized. The centralized control plane 576 has a south bound interface 582 with a data plane 580 (sometime referred to the infrastructure layer, network forwarding plane, or forwarding plane (which should not be confused with a ND forwarding plane)) that includes the NEs 570A-H (sometimes referred to as switches, forwarding elements, data plane elements, or nodes). The centralized control plane 576 includes a network controller 578, which includes a centralized reachability and forwarding information module 579 that determines the reachability within the network and distributes the forwarding information to the NEs 570A-H of the data plane 580 over the south bound interface 582 (which may use the OpenFlow protocol). Thus, the network intelligence is centralized in the centralized control plane 576 executing on electronic devices that are typically separate from the NDs. In one embodiment, the network controller 578 may include a user data isolation module 581 that when executed by the network controller 578, causes the network controller 578 to perform operations of one or more embodiments described herein above.
[0073] For example, where the special-purpose network device 502 is used in the data plane 580, each of the control communication and configuration module(s) 532A-R of the ND control plane 524 typically include a control agent that provides the VNE side of the south bound interface 582. In this case, the ND control plane 524 (the compute resource(s) 512 executing the control communication and configuration module(s) 532A-R) performs its responsibility for participating in controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) through the control agent communicating with the centralized control plane 576 to receive the forwarding information (and in some cases, the reachability information) from the centralized reachability and forwarding information module 579 (it should be understood that in some embodiments of the invention, the control
communication and configuration module(s) 532A-R, in addition to communicating with the centralized control plane 576, may also play some role in determining reachability and/or calculating forwarding information - albeit less so than in the case of a distributed approach; such embodiments are generally considered to fall under the centralized approach 574, but may also be considered a hybrid approach).
[0074] While the above example uses the special-purpose network device 502, the same centralized approach 574 can be implemented with the general purpose network device 504 (e.g., each of the VNE 560A-R performs its responsibility for controlling how data (e.g., packets) is to be routed (e.g., the next hop for the data and the outgoing physical NI for that data) by communicating with the centralized control plane 576 to receive the forwarding information (and in some cases, the reachability information) from the centralized reachability and forwarding information module 579; it should be understood that in some embodiments of the invention, the VNEs 560A-R, in addition to communicating with the centralized control plane 576, may also play some role in determining reachability and/or calculating forwarding information - albeit less so than in the case of a distributed approach) and the hybrid network device 506. In fact, the use of SDN techniques can enhance the NFV techniques typically used in the general purpose network device 504 or hybrid network device 506 implementations as NFV is able to support SDN by providing an infrastructure upon which the SDN software can be run, and NFV and SDN both aim to make use of commodity server hardware and physical switches. [0075] Fig. 5D also shows that the centralized control plane 576 has a north bound interface
584 to an application layer 586, in which resides application(s) 588. The centralized control plane 576 has the ability to form virtual networks 592 (sometimes referred to as a logical forwarding plane, network services, or overlay networks (with the NEs 570A-H of the data plane 580 being the underlay network)) for the application(s) 588. Thus, the centralized control plane 576 maintains a global view of all NDs and configured NEs/VNEs, and it maps the virtual networks to the underlying NDs efficiently (including maintaining these mappings as the physical network changes either through hardware (ND, link, or ND component) failure, addition, or removal).
[0076] While Fig. 5D shows the distributed approach 572 separate from the centralized approach 574, the effort of network control may be distributed differently or the two combined in certain embodiments of the invention. For example: 1) embodiments may generally use the centralized approach (SDN) 574, but have certain functions delegated to the NEs (e.g., the distributed approach may be used to implement one or more of fault monitoring, performance monitoring, protection switching, and primitives for neighbor and/or topology discovery); or 2) embodiments of the invention may perform neighbor discovery and topology discovery via both the centralized control plane and the distributed protocols, and the results compared to raise exceptions where they do not agree. Such embodiments are generally considered to fall under the centralized approach 574, but may also be considered a hybrid approach.
[0077] While Fig. 5D illustrates the simple case where each of the NDs 500A-H implements a single NE 570A-H, it should be understood that the network control approaches described with reference to Fig. 5D also work for networks where one or more of the NDs 500A-H implement multiple VNEs (e.g., VNEs 530A-R, VNEs 560A-R, those in the hybrid network device 506). Alternatively or in addition, the network controller 578 may also emulate the implementation of multiple VNEs in a single ND. Specifically, instead of (or in addition to) implementing multiple VNEs in a single ND, the network controller 578 may present the implementation of a VNE/NE in a single ND as multiple VNEs in the virtual networks 592 (all in the same one of the virtual network(s) 592, each in different ones of the virtual network(s) 592, or some combination). For example, the network controller 578 may cause an ND to implement a single VNE (a NE) in the underlay network, and then logically divide up the resources of that NE within the centralized control plane 576 to present different VNEs in the virtual network(s) 592 (where these different VNEs in the overlay networks are sharing the resources of the single VNE/NE implementation on the ND in the underlay network).
[0078] On the other hand, Figs. 5E and 5F respectively illustrate exemplary abstractions of NEs and VNEs that the network controller 578 may present as part of different ones of the virtual networks 592. Fig. 5E illustrates the simple case of where each of the NDs 500A-H implements a single NE 570A-H (see Fig. 5D), but the centralized control plane 576 has abstracted multiple of the NEs in different NDs (the NEs 570A-C and G-H) into (to represent) a single NE 5701 in one of the virtual network(s) 592 of Fig. 5D, according to some embodiments of the invention. Fig. 5E shows that in this virtual network, the NE 5701 is coupled to NE 570D and 570F, which are both still coupled to NE 570E.
[0079] Fig. 5F illustrates a case where multiple VNEs (VNE 570A.1 and VNE 570H.1) are implemented on different NDs (ND 500A and ND 500H) and are coupled to each other, and where the centralized control plane 576 has abstracted these multiple VNEs such that they appear as a single VNE 570T within one of the virtual networks 592 of Fig. 5D, according to some embodiments of the invention. Thus, the abstraction of a NE or VNE can span multiple NDs.
[0080] While some embodiments of the invention implement the centralized control plane 576 as a single entity (e.g., a single instance of software running on a single electronic device), alternative embodiments may spread the functionality across multiple entities for redundancy and/or scalability purposes (e.g., multiple instances of software running on different electronic devices).
[0081] Similar to the network device implementations, the electronic device(s) running the centralized control plane 576, and thus the network controller 578 including the centralized reachability and forwarding information module 579, may be implemented a variety of ways (e.g., a special purpose device, a general-purpose (e.g., COTS) device, or hybrid device). These electronic device(s) would similarly include compute resource(s), a set or one or more physical NICs, and a non-transitory machine-readable storage medium having stored thereon the centralized control plane software. For instance, Fig. 6 illustrates, a general purpose control plane device 604 including hardware 640 comprising a set of one or more processor(s) 642 (which are often COTS processors) and network interface controller(s) 644 (NICs; also known as network interface cards) (which include physical NIs 646), as well as non-transitory machine readable storage media 648 having stored therein centralized control plane (CCP) software 650 and a user data isolation module 651.
[0082] In embodiments that use compute virtualization, the processor(s) 642 typically execute software to instantiate a virtualization layer 654 (e.g., in one embodiment the virtualization layer 654 represents the kernel of an operating system (or a shim executing on a base operating system) that allows for the creation of multiple instances 662A-R called software containers (representing separate user spaces and also called virtualization engines, virtual private servers, or jails) that may each be used to execute a set of one or more applications; in another embodiment the virtualization layer 654 represents a hypervisor (sometimes referred to as a virtual machine monitor (VMM)) or a hypervisor executing on top of a host operating system, and an application is run on top of a guest operating system within an instance 662A-R called a virtual machine (which in some cases may be considered a tightly isolated form of software container) that is run by the hypervisor ; in another embodiment, an application is implemented as a unikernel, which can be generated by compiling directly with an application only a limited set of libraries (e.g., from a library operating system (LibOS) including drivers/libraries of OS services) that provide the particular OS services needed by the application, and the unikernel can run directly on hardware 640, directly on a hypervisor represented by virtualization layer 654 (in which case the unikernel is sometimes described as running within a LibOS virtual machine), or in a software container represented by one of instances 662A-R). Again, in embodiments where compute virtualization is used, during operation an instance of the CCP software 650 (illustrated as CCP instance 676A) is executed (e.g., within the instance 662A) on the virtualization layer 654. In embodiments where compute virtualization is not used, the CCP instance 676A is executed, as a unikernel or on top of a host operating system, on the "bare metal" general purpose control plane device 604. The instantiation of the CCP instance 676A, as well as the virtualization layer 654 and instances 662A-R if implemented, are collectively referred to as software instance(s) 652.
[0083] In some embodiments, the CCP instance 676A includes a network controller instance 678. The network controller instance 678 includes a centralized reachability and forwarding information module instance 679 (which is a middleware layer providing the context of the network controller 578 to the operating system and communicating with the various NEs), and an CCP application layer 680 (sometimes referred to as an application layer) over the middleware layer (providing the intelligence required for various network operations such as protocols, network situational awareness, and user - interfaces). At a more abstract level, this CCP application layer 680 within the centralized control plane 576 works with virtual network view(s) (logical view(s) of the network) and the middleware layer provides the conversion from the virtual networks to the physical view.
[0084] The user data isolation module 651 can be executed by hardware 640 to perform operations of one or more embodiments of the present invention as part of software instances 652.
[0085] The centralized control plane 576 transmits relevant messages to the data plane 580 based on CCP application layer 680 calculations and middleware layer mapping for each flow. A flow may be defined as a set of packets whose headers match a given pattern of bits; in this sense, traditional IP forwarding is also flow-based forwarding where the flows are defined by the destination IP address for example; however, in other implementations, the given pattern of bits used for a flow definition may include more fields (e.g., 10 or more) in the packet headers. Different NDs/NEs/VNEs of the data plane 580 may receive different messages, and thus different forwarding information. The data plane 580 processes these messages and programs the appropriate flow information and corresponding actions in the forwarding tables (sometime referred to as flow tables) of the appropriate NE/VNEs, and then the NEs/VNEs map incoming packets to flows represented in the forwarding tables and forward packets based on the matches in the forwarding tables.
[0086] Standards such as OpenFlow define the protocols used for the messages, as well as a model for processing the packets. The model for processing packets includes header parsing, packet classification, and making forwarding decisions. Header parsing describes how to interpret a packet based upon a well-known set of protocols. Some protocol fields are used to build a match structure (or key) that will be used in packet classification (e.g., a first key field could be a source media access control (MAC) address, and a second key field could be a destination MAC address).
[0087] Packet classification involves executing a lookup in memory to classify the packet by determining which entry (also referred to as a forwarding table entry or flow entry) in the forwarding tables best matches the packet based upon the match structure, or key, of the forwarding table entries. It is possible that many flows represented in the forwarding table entries can correspond/match to a packet; in this case the system is typically configured to determine one forwarding table entry from the many according to a defined scheme (e.g., selecting a first forwarding table entry that is matched). Forwarding table entries include both a specific set of match criteria (a set of values or wildcards, or an indication of what portions of a packet should be compared to a particular value/values/wildcards, as defined by the matching capabilities - for specific fields in the packet header, or for some other packet content), and a set of one or more actions for the data plane to take on receiving a matching packet. For example, an action may be to push a header onto the packet, for the packet using a particular port, flood the packet, or simply drop the packet. Thus, a forwarding table entry for IPv4/IPv6 packets with a particular transmission control protocol (TCP) destination port could contain an action specifying that these packets should be dropped.
[0088] Making forwarding decisions and performing actions occurs, based upon the forwarding table entry identified during packet classification, by executing the set of actions identified in the matched forwarding table entry on the packet.
[0089] However, when an unknown packet (for example, a "missed packet" or a "match-miss" as used in OpenFlow parlance) arrives at the data plane 580, the packet (or a subset of the packet header and content) is typically forwarded to the centralized control plane 576. The centralized control plane 576 will then program forwarding table entries into the data plane 580 to accommodate packets belonging to the flow of the unknown packet. Once a specific forwarding table entry has been programmed into the data plane 580 by the centralized control plane 576, the next packet with matching credentials will match that forwarding table entry and take the set of actions associated with that matched entry.
[0090] A network interface (NI) may be physical or virtual; and in the context of IP, an interface address is an IP address assigned to a NI, be it a physical NI or virtual NI. A virtual NI may be associated with a physical NI, with another virtual interface, or stand on its own (e.g., a loopback interface, a point-to-point protocol interface). A NI (physical or virtual) may be numbered (a NI with an IP address) or unnumbered (a NI without an IP address). A loopback interface (and its loopback address) is a specific type of virtual NI (and IP address) of a
NE/VNE (physical or virtual) often used for management purposes; where such an IP address is referred to as the nodal loopback address. The IP address(es) assigned to the NI(s) of a ND are referred to as IP addresses of that ND; at a more granular level, the IP address(es) assigned to NI(s) assigned to a NE/VNE implemented on a ND can be referred to as IP addresses of that NE/VNE.
[0091] Some portions of the preceding detailed descriptions have been presented in terms of algorithms and symbolic representations of transactions on data bits within a computer memory. These algorithmic descriptions and representations are the ways used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of transactions leading to a desired result. The transactions are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.
[0092] It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the above discussion, it is appreciated that throughout the description, discussions utilizing terms such as "processing" or "computing" or "calculating" or "determining" or "displaying" or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission or display devices.
[0093] The algorithms and displays presented herein are not inherently related to any particular computer or other apparatus. Various general-purpose systems may be used with programs in accordance with the teachings herein, or it may prove convenient to construct more specialized apparatus to perform the required method transactions. The required structure for a variety of these systems will appear from the description above. In addition, embodiments of the present invention are not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of embodiments of the invention as described herein.
[0094] An embodiment of the invention may be an article of manufacture in which a non- transitory machine-readable medium (such as microelectronic memory) has stored thereon instructions which program one or more data processing components (generically referred to here as a "processor") to perform the operations described above. In other embodiments, some of these operations might be performed by specific hardware components that contain hardwired logic (e.g., dedicated digital filter blocks and state machines). Those operations might alternatively be performed by any combination of programmed data processing components and fixed hardwired circuit components.
[0095] Throughout the description, embodiments of the present invention have been presented through flow diagrams. It will be appreciated that the order of transactions and transactions described in these flow diagrams are only intended for illustrative purposes and not intended as a limitation of the present invention. One having ordinary skill in the art would recognize that variations can be made to the flow diagrams without departing from the broader spirit and scope of the invention as set forth in the following claims.
[0096] In the foregoing specification, embodiments of the invention have been described with reference to specific exemplary embodiments thereof. It will be evident that various
modifications may be made thereto without departing from the broader spirit and scope of the invention as set forth in the following claims. The specification and drawings are, accordingly, to be regarded in an illustrative sense rather than a restrictive sense.

Claims

CLAIMS What is claimed is:
1. A method implemented by a network device (100) to prevent user data from being accessible to a Software Defined Networking (SDN) controller (130) in an SDN network to limit the SDN controller from being exposed to security exploits, the method comprising:
receiving (310) a packet-in message, wherein the packet-in message includes a packet; storing (320) a copy of a user data portion of the packet in a first storage, wherein the copy of the user data portion of the packet is retrievable from the first storage using a packet identifier that identifies the packet;
clearing (330) the user data portion of the packet from the packet-in message;
storing (340) a copy of a header field of the packet in a second storage, wherein the copy of the header field of the packet is retrievable from the second storage using the packet identifier;
inserting (350) the packet identifier into the header field of the packet in the packet-in message; and
transmitting (360) the packet-in message to the SDN controller, the packet-in message comprising the inserted packet identifier and the cleared user data portion.
2. The method of claim 1, further comprising:
receiving (410) a packet-out message, wherein the packet-out message includes the
packet, wherein the header field of the packet includes the packet identifier, and the user data portion of the packet is cleared;
obtaining (420) the packet identifier from the header field of the packet in the packet-out message;
retrieving (430) the copy of the header field of the packet from the second storage using the packet identifier;
inserting (440) the copy of the header field of the packet into the header field of the packet in the packet-out message;
retrieving (450) the copy of the user data portion of the packet from the first storage using the packet identifier;
inserting (460) the copy of the user data portion of the packet into the user data portion of the packet in the packet-out message; and
transmitting (470) the packet-out message to a data plane device managed by the SDN controller, the packet-out message comprising the inserted copy of the user data portion and the inserted copy of the header field.
3. The method of claim 1, wherein the packet is an Internet Protocol version 4 (IPv4) packet.
4. The method of claim 3, wherein the header field is any one of an identification field, a
fragment offset field, or a combination of the identification field and the fragment offset field in an IPv4 header of the packet.
5. The method of claim 1, wherein the packet is an Internet Protocol version 6 (IPv6) packet.
6. The method of claim 5, wherein the header field is a flow label field in an IPv6 header of the packet.
7. The method of claim 1, further comprising:
determining a starting point of the user data portion of the packet and a length of the user data portion of the packet based on information in one or more header fields of the packet.
8. The method of claim 7, wherein the packet-in message is an OpenFlow packet-in message, and wherein the starting point of the user data portion of the packet is further determined based on information in any one of a table identifier field, a cookie field, or a match field of the packet-in message.
9. The method of claim 1, further comprising:
deleting the copy of the user data portion of the packet from the first storage and deleting the copy of the header field of the packet from the second storage in response to a determination that an elapsed lifetime of the copy of the user data portion of the packet in the first storage exceeds a predetermined timeout length.
10. The method of claim 1, further comprising:
deleting the copy of the user data portion of the packet from the first storage in response to receiving an instruction from the SDN controller to delete the copy of the user data portion of the packet.
11. A network device (604) configured to prevent user data from being accessible to a Software Defined Networking (SDN) controller in an SDN network to limit the SDN controller from being exposed to security exploits, the network device comprising: a set of one or more processors (642); and
a non-transitory machine-readable storage medium (648) having stored therein a user data isolation module (651), which when executed by the set of one or more processors, causes the network device to receive a packet-in message, wherein the packet-in message includes a packet, store a copy of a user data portion of the packet in a first storage, wherein the copy of the user data portion of the packet is retrievable from the first storage using a packet identifier that identifies the packet, clear the user data portion of the packet from the packet-in message, store a copy of a header field of the packet in a second storage, wherein the copy of the header field of the packet is retrievable from the second storage using the packet identifier, insert the packet identifier into the header field of the packet in the packet-in message, and transmit the packet-in message to the SDN controller, the packet-in message comprising the inserted packet identifier and the cleared user data portion.
12. The network device of claim 11, wherein the user data isolation module, when executed by the set of one or more processors, further causes the network device to receive a packet-out message, wherein the packet-out message includes the packet, wherein the header field of the packet includes the packet identifier, and the user data portion of the packet is cleared, obtain the packet identifier from the header field of the packet in the packet-out message, retrieve the copy of the header field of the packet from the second storage using the packet identifier, insert the copy of the header field of the packet into the header field of the packet in the packet-out message, retrieve the copy of the user data portion of the packet from the first storage using the packet identifier, insert the copy of the user data portion of the packet into the user data portion of the packet in the packet-out message, and transmit the packet- out message to a data plane device managed by the SDN controller, the packet-out message comprising the inserted copy of the user data portion and the inserted copy of the header field.
13. The network device of claim 11, wherein the packet is an Internet Protocol version 4 (IPv4) packet.
14. The network device of claim 13, wherein the header field is any one of an identification field, a fragment offset field, or a combination of the identification field and the fragment offset field in an IPv4 header of the packet.
15. The network device of claim 11, wherein the user data isolation module, when executed by the set of one or more processors, further causes the network device to determine a starting point of the user data portion of the packet and a length of the user data portion of the packet based on information in a header of the packet.
16. The network device of claim 11, wherein the user data isolation module, when executed by the set of one or more processors, further causes the network device to delete the copy of the user data portion of the packet from the first storage and delete the copy of the header field of the packet from the second storage in response to a determination that an elapsed lifetime of the copy of the user data portion of the packet in the first storage exceeds a predetermined timeout length.
17. A non-transitory machine-readable medium having computer code stored therein, which when executed by a set of one or more processors of a network device, causes the network device to perform operations for preventing user data from being accessible to a Software Defined Networking (SDN) controller in an SDN network to limit the SDN controller from being exposed to security exploits, the operations comprising:
receiving (310) a packet-in message, wherein the packet-in message includes a packet; storing (320) a copy of a user data portion of the packet in a first storage, wherein the copy of the user data portion of the packet is retrievable from the first storage using a packet identifier that identifies the packet;
clearing (330) the user data portion of the packet from the packet-in message;
storing (340) a copy of a header field of the packet in a second storage, wherein the copy of the header field of the packet is retrievable from the second storage using the packet identifier;
inserting (350) the packet identifier into the header field of the packet in the packet-in message; and
transmitting (360) the packet-in message to the SDN controller, the packet-in message comprising the inserted packet identifier and the cleared user data portion.
18. The non-transitory machine -readable medium of claim 17, wherein the computer code, when executed by the set of one or more processors of the network device, causes the network device to perform further operations comprising: receiving (410) a packet-out message, wherein the packet-out message includes the packet, wherein the header field of the packet includes the packet identifier, and the user data portion of the packet is cleared;
obtaining (420) the packet identifier from the header field of the packet in the packet-out message;
retrieving (430) the copy of the header field of the packet from the second storage using the packet identifier;
inserting (440) the copy of the header field of the packet into the header field of the packet in the packet-out message;
retrieving (450) the copy of the user data portion of the packet from the first storage using the packet identifier;
inserting (460) the copy of the user data portion of the packet into the user data portion of the packet in the packet-out message; and
transmitting (470) the packet-out message to a data plane device managed by the SDN controller, the packet-out message comprising the inserted copy of the user data portion and the inserted copy of the header field.
19. The non-transitory machine -readable medium of claim 17, wherein the packet is an Internet Protocol version 6 (IPv6) packet.
20. The non-transitory machine -readable medium of claim 19, wherein the header field is a flow label field in an IPv6 header of the packet.
21. The non-transitory machine -readable medium of claim 17, wherein the computer code, when executed by the set of one or more processors of the network device, causes the network device to perform further operations comprising:
determining a starting point of the user data portion of the packet and a length of the user data portion of the packet based on information in one or more header fields of the packet.
22. The non-transitory machine -readable medium of claim 17, wherein the computer code, when executed by the set of one or more processors of the network device, causes the network device to perform further operations comprising:
deleting the copy of the user data portion of the packet from the first storage in response to receiving an instruction from the SDN controller to delete the copy of the user data portion of the packet.
PCT/IB2016/054400 2016-07-22 2016-07-22 User data isolation in software defined networking (sdn) controller WO2018015792A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/IB2016/054400 WO2018015792A1 (en) 2016-07-22 2016-07-22 User data isolation in software defined networking (sdn) controller

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/IB2016/054400 WO2018015792A1 (en) 2016-07-22 2016-07-22 User data isolation in software defined networking (sdn) controller

Publications (1)

Publication Number Publication Date
WO2018015792A1 true WO2018015792A1 (en) 2018-01-25

Family

ID=56555510

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2016/054400 WO2018015792A1 (en) 2016-07-22 2016-07-22 User data isolation in software defined networking (sdn) controller

Country Status (1)

Country Link
WO (1) WO2018015792A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114205415A (en) * 2020-09-17 2022-03-18 深圳市中兴微电子技术有限公司 Message modification method and device, computer equipment and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015040624A1 (en) * 2013-09-18 2015-03-26 Hewlett-Packard Development Company, L.P. Monitoring network performance characteristics
WO2015131929A1 (en) * 2014-03-04 2015-09-11 Huawei Technologies Co., Ltd. State-dependent data forwarding
WO2015139724A1 (en) * 2014-03-17 2015-09-24 Huawei Technologies Co., Ltd. Device and method for managing policies and/or resources used for configuring a network
US20150281036A1 (en) * 2014-03-27 2015-10-01 Nicira, Inc. Packet tracing in a software-defined networking environment

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015040624A1 (en) * 2013-09-18 2015-03-26 Hewlett-Packard Development Company, L.P. Monitoring network performance characteristics
WO2015131929A1 (en) * 2014-03-04 2015-09-11 Huawei Technologies Co., Ltd. State-dependent data forwarding
WO2015139724A1 (en) * 2014-03-17 2015-09-24 Huawei Technologies Co., Ltd. Device and method for managing policies and/or resources used for configuring a network
US20150281036A1 (en) * 2014-03-27 2015-10-01 Nicira, Inc. Packet tracing in a software-defined networking environment

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114205415A (en) * 2020-09-17 2022-03-18 深圳市中兴微电子技术有限公司 Message modification method and device, computer equipment and medium

Similar Documents

Publication Publication Date Title
US10841210B2 (en) Service function proxy performance in software defined networks
US11665089B2 (en) Mechanism for hitless resynchronization during SDN controller upgrades between incompatible versions
EP3378205B1 (en) Service based intelligent packet-in buffering mechanism for openflow switches by having variable buffer timeouts
EP3400685B1 (en) Mechanism to detect control plane loops in a software defined networking (sdn) network
EP3472984B1 (en) Dynamic lookup optimization for packet classification
EP3510730B1 (en) Efficient troubleshooting in sdn network
US10404573B2 (en) Efficient method to aggregate changes and to produce border gateway protocol link-state (BGP-LS) content from intermediate system to intermediate system (IS-IS) link-state database
US20160294625A1 (en) Method for network monitoring using efficient group membership test based rule consolidation
WO2016174597A1 (en) Service based intelligent packet-in mechanism for openflow switches
EP3195537B1 (en) Forwarding table precedence in sdn
US20170149659A1 (en) Mechanism to improve control channel efficiency by distributing packet-ins in an openflow network
WO2018042230A1 (en) Configurable selective packet-in mechanism for openflow switches
WO2018015792A1 (en) User data isolation in software defined networking (sdn) controller
WO2018051172A1 (en) Service function classifier bypass in software defined networking (sdn) networks
US20230239235A1 (en) Transient loop prevention in ethernet virtual private network egress fast reroute

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16745184

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16745184

Country of ref document: EP

Kind code of ref document: A1