Title
Oko: Extending Open vSwitch with Stateful Filters
Abstract
With the Software-Defined Networking paradigm, software switches emerged as the new edge of datacenter networks. The widely adopted Open vSwitch implements the OpenFlow forwarding model; its simple match-action abstraction eases network management, while providing enough flexibility to define complex forwarding pipelines. OpenFlow, however, cannot express the many packet-processing algorithms required for traffic measurement, network security, or congestion diagnosis, as it lacks persistent state and basic arithmetic and logic operations. This paper presents Oko, an extension of Open vSwitch that enables runtime integration of stateful filtering and monitoring functionalities based on Berkeley Packet Filter (BPF) programs into the OpenFlow pipeline. BPF programs attached to OpenFlow rules act as intelligent filters over packets, while leaving the packets unmodified. This approach enables the transparent extension of Open vSwitch's flow caching architecture, retaining its high-performance benefits. Furthermore, the use of BPF allows for safe runtime extension and prevention of switch failures due to faulty programs. We compare our implementation based on Open vSwitch-DPDK to existing approaches with comparable isolation properties and measure a nearly 2x performance improvement.
Year: 2018
DOI: 10.1145/3185467.3185496
Venue: SOSR '18: Symposium on SDN Research Los Angeles CA USA March, 2018
Keywords: Software-Defined Networking, Programmable Networks, Datacenter Networks
Field: Computer science, Network packet, Network security, Berkeley Packet Filter, Software, OpenFlow, Stateful firewall, Software-defined networking, Network management, Distributed computing
DocType: Conference
ISBN: 978-1-4503-5664-0
Citations: 7
PageRank: 0.55
References: 17
Authors: 5
Name
Order
Citations
PageRank
Paul Chaignon191.59
Kahina Lazri2354.94
Jérôme François317021.81
Thibault Delmas470.55
Olivier Festor566585.40