RoSCo: Robust Updates for Software-Defined Networks

In many Software-Defined Networking (SDN) deployments the control plane ends up being actually centralized, yielding a single point of failure and attack. This paper models the interaction between the data plane and a distributed control plane consisting of a set of failure-prone and potentially malicious (compromised) control devices, and implements a secure and robust controller platform that allows network administrators to integrate new network functionality as with a centralized approach. Concretely, the network administrator may program the data plane from the perspective of a centralized controller without worrying about distribution, asynchrony, failures, attacks, or coordination problems that any of these could cause. We introduce a formal SDN computation model for applying network policies and show that it is impossible to implement asynchronous non-blocking and strongly consistent SDN controller platforms in that model. We then present a robust SDN controller protocol (RoSCo) which implements (i) a protocol with provably linearizable semantics for applying network policies that is resilient against faulty/malicious control devices as long as a correct majority exists, and (ii) a modification to the protocol that improves performance by relaxing the guarantees of linearizability to exploit commutativity among updates. Extensive experiments conducted with a functional prototype of RoSCo over a large networked infrastructure supporting Open vSwitch (OVS)-compatible Agilio CX (TM) SmartNIC hardware show that RoSCo induces bearable overhead. In fact, RoSCo achieves higher throughput in most cases investigated than the seminal Ravana platform which addresses only benign (crash) failures.