OpenFlow messages

The communication between the controller and switch happens using the OpenFlow protocol, where a set of defined messages can be exchanged between these entities over a secure channel. The secure channel is an interface that connects each OpenFlow switch to a controller. The Transport Layer Security (TLS) connection to the user-defined (otherwise fixed) controller is initiated by the switch when it powers on. The controller's default TCP port is 6633. The switch and controller mutually authenticate by exchanging certificates signed by a site-specific private key. Each switch must be user-configurable with two certificates: one for authenticating the controller (the controller certificate) and one for authenticating itself to the controller (the switch certificate). Traffic to and from the secure channel is not checked against the flow table; therefore, the switch must identify incoming traffic as local before checking it against the flow table.

If a switch loses contact with the controller as a result of an echo request timeout, TLS session timeout, or other disconnection, it should attempt to contact one or more backup controllers. If some number of attempts to contact a controller (zero or more) fails, the switch must enter emergency mode and immediately reset the current TCP connection. From then on, the matching process is dictated by the emergency flow table entries (those marked with the emergency bit set). Emergency flow-mod messages must have their timeout values set to zero; otherwise, the switch must refuse the addition and respond with an error message. All normal entries are deleted when entering emergency mode. Upon reconnecting to a controller, the emergency flow entries remain in place; the controller may then delete all flow entries if it chooses.

The first time a switch boots up, it is considered to be in emergency mode. The configuration of the default set of flow entries is outside the scope of the OpenFlow protocol.

The controller configures and manages the switch, receives events from the switch, and sends packets to the switch through this interface. Using the OpenFlow protocol, a remote controller can add, update, or delete flow entries from the switch's flow table. This can happen reactively (in response to a packet arrival) or proactively. The OpenFlow protocol can be viewed as one possible implementation of controller-switch interactions (southbound interface), as it defines the communication between the switching hardware and a network controller.

For security, OpenFlow 1.3.x provides optional support for encrypted TLS communication and a certificate exchange between the switches and controller(s); however, the exact implementation and certificate format are not currently specified. Also, fine-grained security options for scenarios with multiple controllers are outside the scope of the current specification, as there is no defined method to grant only partial access permissions to an authorized controller. The OpenFlow protocol defines three message types, each with multiple subtypes:

  • Controller-to-switch
  • Symmetric
  • Asynchronous
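The following is an added example, not code from the book or from any OpenFlow implementation. It models, on the switch side, the rules described above: it parses the OpenFlow 1.0 common header (version, type, length, xid) and sorts message types into the three classes just listed, decodes an OFPT_FLOW_MOD (the emergency bit lives in OpenFlow 1.0's flags field as OFPFF_EMERG), rejects an emergency flow-mod whose timeouts are non-zero, and shows which entries survive the switch entering emergency mode and reconnecting. The `Switch`, `FlowEntry` and `build_flow_mod` names are this example's own; the wire constants come from the OpenFlow 1.0 header definitions, and the match field is kept opaque (the sample flow-mods use an all-zero, constructed match).

```python
"""Switch-side model of OpenFlow 1.0 message classes and emergency-mode rules (added example)."""
import struct
from dataclasses import dataclass, field

# --- OpenFlow 1.0 wire constants (from the OF 1.0 header and enum definitions) ---
OFP_HEADER = struct.Struct("!BBHI")      # version, type, length, xid; network byte order
OFP10_VERSION = 0x01
OFP10_MATCH_LEN = 40                     # ofp_match is 40 bytes in OF 1.0; treated as opaque here
# ofp_flow_mod fields after the match: cookie, command, idle_timeout,
# hard_timeout, priority, buffer_id, out_port, flags
FLOW_MOD_TAIL = struct.Struct("!QHHHHIHH")
OFPFF_EMERG = 1 << 2                     # emergency bit in ofp_flow_mod.flags (OF 1.0)

OFPT_HELLO, OFPT_ERROR, OFPT_ECHO_REQUEST, OFPT_ECHO_REPLY, OFPT_VENDOR = 0, 1, 2, 3, 4
OFPT_PACKET_IN, OFPT_FLOW_REMOVED, OFPT_PORT_STATUS = 10, 11, 12
OFPT_FLOW_MOD = 14

# The three message classes: anything not symmetric or asynchronous is controller-to-switch
SYMMETRIC = {OFPT_HELLO, OFPT_ECHO_REQUEST, OFPT_ECHO_REPLY, OFPT_VENDOR}
ASYNCHRONOUS = {OFPT_ERROR, OFPT_PACKET_IN, OFPT_FLOW_REMOVED, OFPT_PORT_STATUS}


def parse_header(data: bytes):
    """Unpack the 8-byte common header and reject a length field the buffer cannot back."""
    if len(data) < OFP_HEADER.size:
        raise ValueError("truncated OpenFlow header")
    version, mtype, length, xid = OFP_HEADER.unpack_from(data)
    if version != OFP10_VERSION:
        raise ValueError(f"unsupported OpenFlow version {version:#x}")
    if length < OFP_HEADER.size or length > len(data):
        raise ValueError("length field does not match the received buffer")
    return mtype, length, xid


def classify(mtype: int) -> str:
    """Map a header type number onto the three message classes from the text."""
    if mtype in SYMMETRIC:
        return "symmetric"
    if mtype in ASYNCHRONOUS:
        return "asynchronous"
    return "controller-to-switch"


@dataclass
class FlowEntry:
    match: bytes
    idle_timeout: int
    hard_timeout: int
    emergency: bool


@dataclass
class Switch:
    """Hypothetical switch state: its mode and a flat flow table."""
    mode: str = "normal"
    table: list = field(default_factory=list)

    def handle_flow_mod(self, msg: bytes) -> str:
        """Add a flow entry, or answer 'error' for an emergency entry with non-zero timeouts."""
        mtype, length, _xid = parse_header(msg)
        fixed_len = OFP_HEADER.size + OFP10_MATCH_LEN + FLOW_MOD_TAIL.size  # 72 bytes in OF 1.0
        if mtype != OFPT_FLOW_MOD or length < fixed_len:
            raise ValueError("not a complete OFPT_FLOW_MOD")
        match = msg[OFP_HEADER.size:OFP_HEADER.size + OFP10_MATCH_LEN]
        (_cookie, _command, idle, hard, _priority, _buffer_id, _out_port,
         flags) = FLOW_MOD_TAIL.unpack_from(msg, OFP_HEADER.size + OFP10_MATCH_LEN)
        emergency = bool(flags & OFPFF_EMERG)
        if emergency and (idle or hard):
            return "error"      # the switch must refuse the addition and send an error message
        self.table.append(FlowEntry(match, idle, hard, emergency))
        return "added"

    def lose_controller(self) -> None:
        """Backup controllers unreachable: enter emergency mode, keep only emergency entries."""
        self.mode = "emergency"
        self.table = [entry for entry in self.table if entry.emergency]

    def reconnect(self) -> None:
        """Back in contact: emergency entries stay until the controller deletes them."""
        self.mode = "normal"


def build_flow_mod(idle: int, hard: int, flags: int, xid: int = 1) -> bytes:
    """Construct a sample OFPT_FLOW_MOD (all-zero match, OFPFC_ADD, no buffer, no out_port)."""
    body = b"\x00" * OFP10_MATCH_LEN + FLOW_MOD_TAIL.pack(0, 0, idle, hard, 0, 0xFFFFFFFF, 0xFFFF, flags)
    return OFP_HEADER.pack(OFP10_VERSION, OFPT_FLOW_MOD, OFP_HEADER.size + len(body), xid) + body


if __name__ == "__main__":
    sw = Switch()
    print(sw.handle_flow_mod(build_flow_mod(30, 0, 0)))            # added (normal entry)
    print(sw.handle_flow_mod(build_flow_mod(0, 0, OFPFF_EMERG)))   # added (emergency entry)
    print(sw.handle_flow_mod(build_flow_mod(10, 0, OFPFF_EMERG)))  # error (non-zero timeout)
    sw.lose_controller()
    print(sw.mode, [e.emergency for e in sw.table])                 # emergency [True]
```

The length check in `parse_header` is the part worth copying: a length field larger than the bytes actually received is the classic way a malformed message leads a naive parser to read past its buffer, so the check runs before any field after the header is touched.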