TY - JOUR
T1 - BigMaC
T2 - Reactive network-wide policy caching for SDN policy enforcement
AU - Yan, Bo
AU - Xu, Yang
AU - Chao, H. Jonathan
N1 - Funding Information:
Manuscript received March 16, 2018; revised August 13, 2018; accepted August 20, 2018. Date of publication September 24, 2018; date of current version December 11, 2018. This work was partially supported by the National Science Foundation under Grant 1229218. (Corresponding authors: Yang Xu; H. Jonathan Chao.) The authors are with the Department of Electrical and Computer Engineering, Tandon School of Engineering, New York University, Brooklyn, NY 11201 USA.
Publisher Copyright:
© 2018 IEEE.
PY - 2018/12
Y1 - 2018/12
N2 - Enforcing network policies is critical for service deployments over software-defined networks (SDN). Most existing studies suggest proactively compiling policies into flow entries in the data plane and updating the installed entries when necessary. With a growing amount of applications, taking a proactive approach may overflow underlying switch memory. Meanwhile, certain policies can be frequently updated. Such updates may propagate across configurations in the network, leading to a long time for correctness validation. To improve both the scalability and the flexibility of SDN policy enforcement, we advocate reactively deploying network policies in the data plane. To this end, we propose a network-wide policy enforcement framework named BigMaC. BigMaC advertises a neat policy model for network managers to specify various network policies as rules. It then caches the rules as flow entries in the switches reactively on demand. One major challenge for the BigMaC design is to guarantee the consistency of defined policies and cached entries in the network. To maintain consistency with efficient table usage and simple updates, we group rules into buckets and perform rule caching in the unit of buckets. With trace-driven simulations, we verify that BigMaC can significantly save table space and reduce update complexity compared to prior proposals.
AB - Enforcing network policies is critical for service deployments over software-defined networks (SDN). Most existing studies suggest proactively compiling policies into flow entries in the data plane and updating the installed entries when necessary. With a growing amount of applications, taking a proactive approach may overflow underlying switch memory. Meanwhile, certain policies can be frequently updated. Such updates may propagate across configurations in the network, leading to a long time for correctness validation. To improve both the scalability and the flexibility of SDN policy enforcement, we advocate reactively deploying network policies in the data plane. To this end, we propose a network-wide policy enforcement framework named BigMaC. BigMaC advertises a neat policy model for network managers to specify various network policies as rules. It then caches the rules as flow entries in the switches reactively on demand. One major challenge for the BigMaC design is to guarantee the consistency of defined policies and cached entries in the network. To maintain consistency with efficient table usage and simple updates, we group rules into buckets and perform rule caching in the unit of buckets. With trace-driven simulations, we verify that BigMaC can significantly save table space and reduce update complexity compared to prior proposals.
KW - SDN
KW - network-wide policy caching
KW - policy enforcement
UR - http://www.scopus.com/inward/record.url?scp=85054273967&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85054273967&partnerID=8YFLogxK
U2 - 10.1109/JSAC.2018.2871296
DO - 10.1109/JSAC.2018.2871296
M3 - Article
AN - SCOPUS:85054273967
SN - 0733-8716
VL - 36
SP - 2675
EP - 2687
JO - IEEE Journal on Selected Areas in Communications
JF - IEEE Journal on Selected Areas in Communications
IS - 12
M1 - 8470932
ER -