Are We Ready for SDN? Implementation Challenges for Software-Defined Networks

  • Name of article: Are We Ready for SDN? Implementation Challenges for Software-Defined Networks
  • Origin of the article: Sezer S., Scott-Hayward S., Chouhan P., et al. Are we ready for SDN? Implementation challenges for software-defined networks. IEEE Communications Magazine, 2013, 51(7):36-43.

ABSTRACT:

Cloud services are exploding, and organizations are converging their data centers in order to take advantage of the predictability, continuity, and quality of service delivered by virtualization technologies. In parallel, energy-efficient and high-security networking is of increasing importance. Network operators, and service and product providers require a new network solution to efficiently tackle the increasing demands of this changing network landscape. Software-defined networking has emerged as an efficient network technology capable of supporting the dynamic nature of future network functions and intelligent applications while lowering operating costs through simplified hardware, software, and management. In this article, the question of how to achieve a successful carrier grade network with software-defined networking is raised. Specific focus is placed on the challenges of network performance, scalability, security, and interoperability with the proposal of potential solution directions.

Cloud services are exploding: as cloud services grow

converging their data centers: consolidating their data centers

the predictability, continuity, and quality of service delivered by virtualization technologies: in order to take advantage of the predictability, continuity, and quality of service that virtualization technologies provide

energy-efficient and high-security networking: energy-saving, highly secure networking is becoming important

a new network solution: therefore a new network solution is needed.

1. INTRODUCTION: WHAT IS SOFTWARE-DEFINED NETWORKING?

Network configuration and installation requires highly skilled personnel adept at configuration of many network elements. Where interactions between network nodes (switches, routers, etc.) are complex, a more systems-based approach encompassing elements of simulation is required. With the current programming interfaces on much of today's networking equipment, this is difficult to achieve.

In addition, operational costs involved in provisioning and managing large multivendor networks covering multiple technologies have been increasing over recent years, while the predominant trend in revenue for operations has been decreasing. Coupled with increasing scarcity of human resources and increasing costs of real estate, this "perfect storm" for service providers is leading to renewed interest in solutions that can unify network management and provisioning across multiple domains. A new network model is required to support this.

The term software-defined networking (SDN) has been coined in recent years. However, the concept behind SDN has been evolving since 1996, driven by the desire to provide user-controlled management of forwarding in network nodes. Implementations by research and industry groups include Ipsilon (proposed General Switch Management Protocol, 1996), The Tempest (a framework for safe, resource-assured, programmable networks, 1998), Internet Engineering Task Force (IETF) Forwarding and Control Element Separation (2000), and Path Computation Element (2004). Most recently, Ethane (2007) and OpenFlow (2008) have brought the implementation of SDN closer to reality. Ethane is a security management architecture combining simple flow-based switches with a central controller managing admittance and routing of flows. OpenFlow enables entries in the Flow Table to be defined by a server external to the switch. SDN is not, however, limited to any one of these implementations, but is a general term for the platform.

For clarity, SDN is described in this article with the Open Networking Foundation (ONF) [1] definition: "In the SDN architecture, the control and data planes are decoupled, network intelligence and state are logically centralized, and the underlying network infrastructure is abstracted from the applications."

SDN focuses on four key features:

  • Separation of the control plane from the data plane
  • A centralized controller and view of the network
  • Open interfaces between the devices in the control plane (controllers) and those in the data plane
  • Programmability of the network by external applications

Network configuration and installation: installing and configuring a network requires

highly skilled personnel: senior technical staff

interactions between network nodes: if the interactions between network nodes (switches, routers) are complex

a more systems-based approach encompassing elements of simulation: then a more systems-based approach that includes elements of simulation is needed

operational costs: operational costs have kept rising in recent years

unify network management and provisioning across multiple domains: there is renewed interest in solutions that unify network management and provisioning across multiple domains

new network model: a new network model is needed to support this

the concept behind SDN has been evolving: although SDN is a term that appeared only in recent years, the concept behind it has been evolving all along

provide user-controlled management of forwarding in network nodes: the driving force is to provide user-controlled management of forwarding in network nodes

SDN focuses on four key features:

  • Separation of the control plane from the data plane: control/data separation
  • A centralized controller and view of the network: logical centralization
  • Open interfaces between the devices in the control plane (controllers) and those in the data plane: open interfaces
  • Programmability of the network by external applications: programmability


[Article image 1: Fig. 1, the future SDN architecture]

Our vision of the future SDN architecture is described in Fig. 1. This architecture encompasses the complete network platform.

The bottom tier of Fig. 1 involves the physical network equipment including Ethernet switches and routers. This forms the data plane.

The central tier consists of the controllers that facilitate setting up and tearing down flows and paths in the network. The controllers use information about capacity and demand obtained from the networking equipment through which the traffic flows. The central tier links with the bottom tier via an application programming interface (API) referred to as the southbound API. Connections between controllers operate with east- and westbound APIs. The controller-application interface is referred to as the northbound API.

Functional applications such as energy-efficient networking, security monitoring, and access control for operation and management of the network are represented at the top of Fig. 1, highlighting the user control/management separation from the data plane. An application in this article refers to a service provided by the network operator. Detailed insight into every element of the architecture in Fig. 1 is beyond the scope of this article. Instead, the transition from the traditional network to the state of the art in SDN today is presented.

A key challenge in SDN relates to separation of the control and data planes, and maintaining carrier grade service within this framework. The architecture requirements to meet operational expectations in carrier grade networks are scalability, reliability, quality of service (QoS), and service management [2]. Four specific questions arising from the control-data plane separation challenge are discussed later in this article. A series of solutions to these identified issues are then studied, and the article concludes with the outline of our vision for the future of SDN.

physical network equipment: the bottom tier of Fig. 1 involves the physical network equipment, which forms the data plane

facilitate setting up and tearing down flows and paths in the network: the central control tier facilitates setting up and tearing down flows and paths in the network

application programming interface: the central tier links with the bottom tier through an application programming interface (API) called the southbound API

east and westbound APIs: controllers are connected to each other via the east- and westbound APIs

northbound API: the application layer above is connected to the controllers via the northbound API

2. BACKGROUND: WHY SDN?

The fundamental purpose of the communication network is to transfer information from one point to another. Within the network the data travels across multiple nodes, and efficient and effective data transfer (forwarding) is supported by the control provided by network applications/services.

NETWORKING THE OLD WAY

In traditional networks, as shown in Fig. 2, the control and data planes are combined in a network node. The control plane is responsible for configuration of the node and programming the paths to be used for data flows. Once these paths have been determined, they are pushed down to the data plane. Data forwarding at the hardware level is based on this control information. In this traditional approach, once the flow management (forwarding policy) has been defined, the only way to make an adjustment to the policy is via changes to the configuration of the devices. This has proven restrictive for network operators who are keen to scale their networks in response to changing traffic demands, increasing use of mobile devices, and the impact of "big data."

control and data planes are combined: in traditional networks the control and data planes are combined in the network node

configuration of the node and programming the paths: the control plane is responsible for configuring the node and programming the paths used for data flows; once these paths are determined, they are pushed down to the data plane

flow management: in the traditional approach, once flow management (the forwarding policy) has been defined

changes to the configuration of the devices: the only way to adjust the policy is to change the configuration of the devices

NETWORKING THE SDN WAY

From these service-focused requirements, SDN has emerged. Control is moved out of the individual network nodes and into the separate, centralized controller. SDN switches are controlled by a network operating system (NOS) that collects information using the API shown in Fig. 2a and manipulates their forwarding plane, providing an abstract model of the network topology to the SDN controller hosting the applications.

[Article image 2: Figs. 2 and 3]

The controller can therefore exploit complete knowledge of the network to optimize flow management and support service-user requirements of scalability and flexibility. For example, bandwidth can be dynamically allocated into the data plane from the application.

In Fig. 3, once the first packet of a new flow arrives at the switch from the sender (step 1), the switch checks for a flow rule for this packet in the SDN cache (step 2). If a matching entry is found, the instructions associated with the specific flow entry are executed (e.g., update counter, packet/match fields, action set, metadata). Packets are then forwarded to the receiver (step 5).

If no match is found in the flow table, the packet may be forwarded to the controller over a secure channel (step 3). Using the southbound API (e.g., OpenFlow, ForCES, PCEP), the controller can add, update, and delete flow entries, both reactively (in response to packets) and proactively. The controller executes the routing algorithm, and adds a new forwarding entry to the flow table in the switch and to each of the relevant switches along the flow path (step 4). The switch then forwards the packet to the appropriate port to send the packet to the receiver (step 5).
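The five steps of Fig. 3 as a small runnable model (an added example, not code from the article): a switch misses in its flow table, raises a packet-in, the controller installs entries on every switch along the path, and later packets of the flow are switched without a controller round trip. Switch names, ports, the route table standing in for the routing algorithm, and the sample packets are all constructed; the drop entry for an unknown destination is an added defensive detail.

```python
"""Added example, not from the article: a toy model of the Fig. 3 flow setup.
A table miss raises a packet-in, the controller pushes entries along the path,
and later packets are switched locally. Names, ports and routes are constructed."""
from dataclasses import dataclass, field


@dataclass
class FlowEntry:
    match: dict                 # header fields the packet must carry
    actions: list               # e.g. [("output", 2)] or [("drop", None)]
    priority: int = 0
    packets: int = 0            # counter updated on every match


@dataclass
class Switch:
    name: str
    table: list = field(default_factory=list)
    packet_ins: int = 0         # how often this switch consulted the controller

    def lookup(self, pkt):
        """Step 2: highest-priority entry whose match fields all agree."""
        hits = [e for e in self.table
                if all(pkt.get(k) == v for k, v in e.match.items())]
        return max(hits, key=lambda e: e.priority) if hits else None

    def forward(self, pkt, controller):
        """Steps 1-5 for one packet. Returns the output port, or None if dropped."""
        entry = self.lookup(pkt)
        if entry is None:
            self.packet_ins += 1
            controller.packet_in(self, pkt)     # step 3: reactive flow setup
            entry = self.lookup(pkt)
            if entry is None:
                return None                    # controller installed nothing
        entry.packets += 1                     # one of the entry's instructions
        action, arg = entry.actions[0]
        return arg if action == "output" else None


class Controller:
    """Holds the global view. The 'routing algorithm' is a constructed table
    {(switch, dst): out_port} standing in for a real path computation."""
    def __init__(self, switches, routes):
        self.switches = {s.name: s for s in switches}
        self.routes = routes

    def install(self, sw_name, match, actions, priority=10):
        """Proactive or reactive insertion over the southbound API."""
        self.switches[sw_name].table.append(FlowEntry(match, actions, priority))

    def packet_in(self, switch, pkt):
        """Step 4: resolve the path and add an entry on each switch along it."""
        path = [(sw, port) for (sw, dst), port in self.routes.items()
                if dst == pkt["dst"]]
        if not path:
            # Unknown destination: a low-priority drop stops repeated packet-ins
            # for this flow (otherwise every packet would hit the controller).
            self.install(switch.name, {"dst": pkt["dst"]}, [("drop", None)], 1)
            return
        for sw_name, port in path:
            self.install(sw_name, {"dst": pkt["dst"]}, [("output", port)])


def demo():
    s1, s2 = Switch("s1"), Switch("s2")
    ctl = Controller([s1, s2], {("s1", "10.0.0.2"): 2, ("s2", "10.0.0.2"): 1})
    pkt = {"src": "10.0.0.1", "dst": "10.0.0.2", "proto": "tcp"}   # constructed
    r = {"first": s1.forward(pkt, ctl),        # miss -> packet-in -> install
         "second": s1.forward(pkt, ctl),       # hit, no controller round trip
         "downstream": s2.forward(pkt, ctl)}   # entry already pushed to s2
    ctl.install("s1", {"dst": "10.0.0.9"}, [("output", 3)])           # proactive
    r["proactive"] = s1.forward({"src": "10.0.0.1", "dst": "10.0.0.9"}, ctl)
    r["unknown"] = s1.forward({"src": "10.0.0.1", "dst": "10.0.0.99"}, ctl)
    r["s1_packet_ins"], r["s2_packet_ins"] = s1.packet_ins, s2.packet_ins
    return r
```

The packet-in counters are the point to watch: only the first packet of each flow reaches the controller, which is why controller load and controller-to-switch latency dominate the scalability discussion later in the article.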

network operating system: SDN switches are controlled by a network operating system (NOS)

manipulates their forwarding plane: the NOS collects information using the API shown in Fig. 2 and manipulates the switches' forwarding plane

abstract model of the network topology: it provides an abstract model of the network topology to the SDN controller hosting the applications

matching entry: the switch checks the SDN cache for a flow rule for the packet; if a matching entry is found, the instructions associated with that flow entry are executed and the packet is forwarded to the receiver

a secure channel: if no match is found in the flow table, the packet may be forwarded to the controller over a secure channel

reactively and proactively: using the southbound API, the controller can add, update, and delete flow entries, either reactively (in response to packets) or proactively

3. WHERE DOES SDN TAKE US?

SDN implementation opens up a means for new innovation and new applications. Dynamic topology control (i.e., adjusting switch usage depending on load and traffic mapping) becomes possible with the global network view. This introduces scope for network-wide access control, power management, and home networking, for which the network view is not merely beneficial but absolutely necessary.

Furthermore, the network programmability possible in SDN allows seamless communication at all levels, from hardware to software and ultimately to end users (network operators). Programmability makes applications aware of the network and the network aware of applications. This enables greatly improved use of resources and opens up the potential for new applications with the associated potential for revenue generation (e.g., flow metering) in which cost plans can be defined based on a level of service provision.

The implementation of SDN opens up a path for new innovation and new applications

the global network view: dynamic topology control becomes possible with the global network view

seamless communication at all levels: furthermore, the network programmability possible in SDN allows seamless communication at all levels, from hardware to software and ultimately to end users (network operators)

Programmability makes applications aware of the network and the network aware of applications; this greatly improves resource utilization and opens up potential for new applications, together with the associated potential for revenue generation

4. KEY CHALLENGES

SDN holds great promise in terms of simplifying network deployment and operation along with lowering the total cost of managing enterprise and carrier networks by providing programmable network services. However, a number of challenges remain to be addressed.

This section focuses on four specific questions arising from the challenges of SDN.

  • (1) PERFORMANCE VS. FLEXIBILITY: HOW CAN THE PROGRAMMABLE SWITCH BE ACHIEVED?

One fundamental challenge of SDN is how to handle high-touch, high-security, high-performance packet processing flows in an efficient manner. There are two elements to consider: performance and programmability/flexibility. In this section, performance refers specifically to the processing speed of the network node considering both throughput and latency. Programmability means the capability to change and/or accept a new set of instructions in order to alter functional behavior. Flexibility is the ability to adapt systems to support new unforeseen features (e.g., applications, protocols, security measures). There are a number of initiatives [3, 4] underway to allow programmability of existing network technologies in a manner conformant with the goals of SDN. Beyond these, the SDN programmability and performance problem remains a challenge to achieve node bandwidth beyond 100 Gb/s.

Figure 4 outlines the main technologies used for network processing in terms of their relationship (trade-off) between programmability/flexibility and performance.

[Article image 3: Fig. 4, network processing technologies plotted against programmability/flexibility and performance]

Taking into account the programmability/performance trade-off of data processing technologies, it is evident that only a hybrid approach will provide an effective technology solution for SDN. Main SDN node functions can be decomposed into clusters of subfunctions such that feature-specific technologies (within or across nodes) are used to satisfy the best performance vs. programmability trade-off in terms of power dissipation, cost, and scalability.

One goal of SDN is to develop networks built on general-purpose hardware. The combination of technologies as described in the hybrid architecture supports this goal. With a programmable interface built on standard hardware, a multivendor-equipped network becomes a possibility.

handle high-touch high-security high-performance: a fundamental challenge of SDN is how to efficiently handle high-touch, high-security, high-performance packet processing flows

performance and programmability/flexibility: two factors have to be considered: performance and programmability/flexibility

throughput and latency: performance refers specifically to the processing speed of the network node, considering both throughput and latency

accept a new set of instructions: programmability is the capability to change and/or accept a new set of instructions in order to alter functional behavior

adapt systems to support new unforeseen features: flexibility is the ability to adapt systems to support new, unforeseen features (such as applications, protocols, security measures)

a hybrid approach: taking into account the programmability/performance trade-off of data processing technologies, it is evident that only a hybrid approach will provide an effective technology solution for SDN

decomposed into clusters of subfunctions: the main SDN node functions can be decomposed into clusters of subfunctions so that feature-specific technologies (within or across nodes) are used to achieve the best performance

general-purpose hardware: one goal of SDN is to develop networks built on general-purpose hardware; the combination of technologies described in the hybrid architecture supports this goal

a multivendor equipped network: with a programmable interface built on standard hardware, a multivendor-equipped network becomes possible

  • (2) SCALABILITY: HOW CAN THE CONTROLLER BE ENABLED TO PROVIDE A GLOBAL NETWORK VIEW?

Assuming that the performance requirements can be achieved within the hybrid programmable architecture, a further issue that has seen some discussion but limited solution is scalability in SDN.

The issue can loosely be split into controller scalability and network node scalability. The focus here is on controller scalability, in which three specific challenges are identified. The first is the latency introduced by exchanging network information between multiple nodes and a single controller. The second is how SDN controllers communicate with other controllers using the east- and westbound APIs. The third challenge is the size and operation of the controller back-end database.

Considering the first issue, a distributed or peer-to-peer controller infrastructure would share the communication burden of the controller. However, this approach does not eliminate the second challenge of controller-to-controller interactions, for which an overall network view is required.

Traditional packet networks lend themselves to scalable solutions because they do not require extensive state to be held between system units. Each network node is autonomous, requiring only limited knowledge of its neighbors. Routing protocols have been designed to control traffic with this in mind. In order to create resilient networks, alternative paths and secondary equipment are required. It may then be necessary to hold some state between systems to ensure that should a failure occur, there is little or no interruption in service. Typical systems that require this functionality include network elements such as load balancers and firewalls.

Within a pure SDN environment, a single controller or group of controllers would provide control plane services for a wider number of data forwarding nodes, thus allowing a system-wide view of network resources. Other approaches that match the goals of SDN with existing routing protocols involve addition of an orchestration layer exposing an API that application elements may use to request desired performance from the transport layer.

controller scalability and network node scalability: the issue can loosely be split into controller scalability and network node scalability; the focus here is controller scalability, in which three specific challenges are identified

the latency introduced / multiple nodes and a single controller: the first is the latency introduced by exchanging network information between multiple nodes and a single controller

using the east and westbound APIs: the second is how SDN controllers communicate with other controllers using the east- and westbound APIs

controller back-end database: the third challenge is the size and operation of the controller back-end database

  • (3) SECURITY: HOW CAN THE SOFTWARE-DEFINED NETWORK BE PROTECTED FROM MALICIOUS ATTACK?

There has been limited industry and research community discussion to date on the security issues associated with SDN. A greater focus on security is therefore required if SDN is going to be acceptable in broader deployment. Indeed, a security working group has been set up within the Open Networking Foundation (ONF) with this in mind. A number of issues are highlighted here that underscore the need for further study and development of security solutions.

Potential security vulnerabilities exist across the SDN platform. At the controller-application level, questions have been raised around authentication and authorization mechanisms to enable multiple organizations to access network resources while providing the appropriate protection of these resources [12]. Not all applications require the same network privileges, and a security model must be put in place to isolate applications and support network protection.

One potential solution is role-based authorization.

On the plus side, the SDN architecture supports a highly reactive security monitoring, analysis, and response system. From the security perspective SDN can support:

  1. Network forensics: facilitate quick and straightforward, adaptive threat identification and management through a cycle of harvesting intelligence from the network, analyzing it, updating policy, and then reprogramming to optimize from network experience
  2. Security policy alteration: allow you to define a security policy and have it pushed out to all the infrastructure elements, reducing the frequency of misconfiguration and conflicting policies across the infrastructure
  3. Security service insertion: facilitate security service insertion where applications like firewalls and intrusion detection systems (IDSs) can be applied to specified traffic according to the organization's policies

However, the security of SDN will only be as good as the defined security policy. Implementation of existing authentication and authorization mechanisms can resolve some aspects of the security challenge. Meanwhile, threat detection and protection techniques will continue to evolve. The key, though, is for individual organizations to effectively and comprehensively define their security policies in order to exploit the full extent of available network protection.
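The role-based authorization suggested above, and the conflicting-policy concern in point 2, as an added example (not code from the article or from any real controller): a check in front of the northbound API binds each application to a role, the role decides which calls it may make and which flow-priority band it may write to, and an application can only delete its own rules. The role names, application names, the audit log and the flow rules are all constructed for the demo.

```python
"""Added example, not from the article: role-based authorization in front of a
controller's northbound API. Each app is bound to a role; the role fixes which
calls it may make and which flow-priority band it may write. Constructed demo."""
from collections import namedtuple
from dataclasses import dataclass, field

# Allowed operations and writable priority band per role. The security role
# owns the top band, so its drop rules win conflicts with ordinary app rules.
ROLES = {
    "monitor":  {"ops": {"read_stats"}, "band": None},
    "app":      {"ops": {"read_stats", "add_flow", "del_flow"}, "band": (1, 99)},
    "security": {"ops": {"read_stats", "add_flow", "del_flow"}, "band": (100, 200)},
}
FlowRule = namedtuple("FlowRule", "match actions priority owner")


@dataclass
class Northbound:
    """Thin wrapper: every call is checked against the caller's role first."""
    bindings: dict = field(default_factory=dict)   # app name -> role name
    flows: list = field(default_factory=list)
    audit: list = field(default_factory=list)      # (app, op, allowed)

    def _check(self, app, op, priority=None):
        role = ROLES.get(self.bindings.get(app))
        ok = role is not None and op in role["ops"]
        if ok and priority is not None:            # writes must stay in band
            band = role["band"]
            ok = band is not None and band[0] <= priority <= band[1]
        self.audit.append((app, op, ok))
        if not ok:
            raise PermissionError(f"{app}: {op} denied")

    def read_stats(self, app):
        self._check(app, "read_stats")
        return len(self.flows)

    def add_flow(self, app, match, actions, priority):
        self._check(app, "add_flow", priority)
        self.flows.append(FlowRule(match, actions, priority, app))

    def del_flow(self, app, match):
        """Isolation: an app can only remove rules it installed itself."""
        self._check(app, "del_flow")
        keep = [f for f in self.flows if not (f.match == match and f.owner == app)]
        self.flows, removed = keep, len(self.flows) - len(keep)
        return removed

    def effective_action(self, pkt):
        """What the data plane would do: highest-priority matching rule wins."""
        hits = [f for f in self.flows
                if all(pkt.get(k) == v for k, v in f.match.items())]
        return max(hits, key=lambda f: f.priority).actions if hits else None


def attempt(nb, app, match, actions, priority):
    """Try a flow write on behalf of `app` and report the authorization outcome."""
    try:
        nb.add_flow(app, match, actions, priority)
        return "allowed"
    except PermissionError:
        return "denied"


def demo():
    nb = Northbound(bindings={"ids": "security", "lb": "app", "stats": "monitor"})
    suspect = {"src": "10.0.0.7"}                           # constructed match
    nb.add_flow("ids", suspect, ["drop"], 150)              # security drop rule
    nb.add_flow("lb", suspect, ["output:2"], 50)            # same match, lower band
    r = {"winner": nb.effective_action({"src": "10.0.0.7", "dst": "10.0.0.2"}),
         "escalate": attempt(nb, "lb", suspect, ["output:2"], 160),  # above band
         "monitor_write": attempt(nb, "stats", suspect, ["output:2"], 10),
         "monitor_read": nb.read_stats("stats"),
         "lb_removed": nb.del_flow("lb", suspect)}           # its own rule only
    r["still_dropped"] = nb.effective_action({"src": "10.0.0.7"})
    r["denied_calls"] = sum(1 for _, _, ok in nb.audit if not ok)
    return r
```

The audit list is what a security monitoring application would consume: every denied northbound call is recorded with the calling application, which is the kind of evidence the forensics cycle in point 1 needs.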

the security issues: to date there has been limited industry and research community discussion of the security issues associated with SDN

Potential security vulnerabilities: potential security vulnerabilities exist across the SDN platform

authentication and authorization mechanisms: at the controller-application level, questions have been raised around authentication and authorization mechanisms that let multiple organizations access network resources while providing appropriate protection of those resources

network privileges: not all applications require the same network privileges

isolate applications and support network protection: a security model must be put in place to isolate applications and support network protection

role-based authorization: one potential solution is role-based authorization

a highly reactive security monitoring, analysis, and response system: on the other hand, the SDN architecture supports a highly reactive security monitoring, analysis, and response system

From the security perspective, SDN can support:

Network forensics: network forensics facilitates quick, straightforward, adaptive threat identification and management through a cycle of harvesting intelligence from the network, analyzing it, updating policy, and then reprogramming to optimize from network experience

Security policy alteration: security policy alteration allows you to define a security policy and push it out to all infrastructure elements, reducing the frequency of misconfiguration and conflicting policies across the infrastructure

Security service insertion: security service insertion lets applications such as firewalls and intrusion detection systems (IDSs) be applied to specified traffic according to the organization's policies

the defined security policy: the security of SDN is only as good as the defined security policy; the key is for individual organizations to define their security policies effectively and comprehensively in order to exploit the full extent of the available network protection

  • (4) INTEROPERABILITY: HOW CAN SDN SOLUTIONS BE INTEGRATED INTO EXISTING NETWORKS?

To answer this question requires consideration of interoperability and standardization to support the transition from the traditional network model to SDN.

It would be straightforward to deploy a completely new infrastructure based on SDN technology. For this, all elements and devices in the network would be SDN-enabled. However, there is a vast installed base of networks supporting vital systems and businesses today. To simply "swap out" these networks for new infrastructure is not going to be possible, and is only well suited for closed environments such as data centers and campus networks.

The transition to SDN therefore requires simultaneous support of SDN and legacy equipment.

interoperability and standardization: interoperability and standardization must be considered to support the transition from the traditional network model to SDN

be SDN-enabled: all elements and devices in the network would be SDN-enabled

closed environments: simply "swapping out" these networks for new infrastructure is not going to be possible, and even where it is, it suits only closed environments such as data centers and campus networks

simultaneous support: the transition to SDN therefore requires simultaneous support of SDN and legacy equipment

CONCLUSION

SDN has emerged as a means to improve programmability within the network to support the dynamic nature of future network functions. As bandwidth demand escalates, the provision of additional capabilities and processing power with support for multiple 100GE channels will be seamless through an SDN-based update and/or upgrade. SDN promises flexibility, centralized control, and open interfaces between nodes, enabling an efficient, adaptive network.

In order to achieve this goal, a number of outstanding challenges must be resolved. In this article we have presented a discussion of a number of challenges in the area of performance, scalability, security, and interoperability. Existing research and industry solutions could resolve some of these problems, and a number of working groups are also discussing potential solutions. In addition to these, the hybrid programmable architecture could be a means to counter performance and scalability issues introduced by SDN. The objective of the model is to optimize flow processing in the network.

However, significant issues must be addressed in order to meet expectations. Indeed, consideration of the potential for application-driven networks might lead us to wonder whether SDN as currently envisioned is even sufficient. Nevertheless, it is certain that SDN is here to stay as an evolutionary step, paving the way toward a highly optimized ubiquitous service architecture.

a means to improve programmability: SDN has emerged as a means to improve programmability within the network

dynamic nature of future network functions: to support the dynamic nature of future network functions

flexibility, centralized control, and open interfaces between nodes: SDN promises flexibility, centralized control, and open interfaces between nodes, enabling an efficient, adaptive network

this vision of future communications: SDN will help realize this vision of future communications; to meet expectations, significant issues must be addressed

the potential for application-driven networks: indeed, considering the potential for application-driven networks might lead us to wonder whether SDN as currently envisioned is even sufficient

an evolutionary step: nevertheless, it is certain that SDN is here to stay as an evolutionary step

highly optimized ubiquitous service architecture: paving the way toward a highly optimized, ubiquitous service architecture.
