Our software performs the verification of flow matching functionality of OpenFlow switches. There can be two causes of this incorrect or no matching: (1) bugs in OpenFlow switch implementation and (2) errors in FlowTable configuration. The objective of verification is to find this incorrect or no matching and hence, to find the packet-headers that cannot be matched or can be matched incorrectly with the Flow-Match Header of a Flow Entry.
Our software transmits test packets to verify that all the packet-headers match correctly with the Flow-Match Header or not. However, if the test packets have to match with the Flow Entries of data packets, these would need additional bandwidth to be reserved for test packets on the links corresponding to the outgoing actions of the matched Flow Entries. To overcome the challenge (additional bandwidth requirement), we forward the test packets through duplicated (copied) Flow Entries, which either drop or forward the test packets to the controller (instead of forwarding these on the outgoing links).
Our software performs three steps for verification: (1) flow duplication, (2) test packet generation, and (3) matching errors identification. In the flow duplication step, the tool copies the Flow Entries from a FlowTable to another FlowTable. In the test packet generation step, the tool generates and transmits test packets that can match with the Flow-Match Header of duplicated Flow Entries. In the matching errors identification step, the tool calculates the matching errors: (1) by applying the binary search method on the increased counters of Flow Entries (binary-search method) or (2) by comparing the sent and received test packets (packet-reception method).
We release a patch (autoTPGpatch).and a zip file (autoTPG.zip) to run the AutoTPG tool in the floodlight controller. Please perform the following steps to integrate our tool in the floodlight controller.
1) Download floodlight-plus (which supports OpenFlow 1.3 version) through the following commands:
git clone https://bitbucket.org/sdnhub/floodlight-plus.git
2) Apply the patch file in the floodlight folder by:
cd floodlight-plus
wget http://users.intec.ugent.be/unify/autoTPG/autoTPGpatch
patch -s -p2 < autoTPGpatch
3) Unzip autoTPG.zip at src/main/java/net/floodlightcontroller/
wget http://users.intec.ugent.be/unify/autoTPG/autoTPG.zip
unzip autoTPG.zip
4) Install the floodlight controller by:
sudo make (or sudo ant)
In this example, we will install a wildcarded flow in a switch and will verify the flow for the flow-matching issue that may be present in the switch. For emulating the matching issue, a firewall rule is added which does not allow the incoming packets to be matched with the Flow Entry. Using our software, a Flow Entry or a complete FlowTable can be verified for flow matching issues. We show the working our tool in the following steps:
1) Install a wildcarded Flow Entry in a FlowTable.
curl -d '{"switch":"00:00:00:00:00:00:00:01", "tableid": "0", "priority":"1", "inport":"1", "etherType":"0x800", "ipDst":"11.0.0.2/24","output":"1"}' http://controller-IP:8080/wm/autoTPG/qpc/jsonIn the above command, the switch datapath id is 00:00:00:00:00:00:00:01, all the remaining attributes are self-explanatory. For example, inport is the incoming port of the packets and ipSrc is the source IP address of the flow Entry.
2)Install a firewall rule.
curl -d '{"switch":"00:00:00:00:00:00:00:01", "tableid": "0", "priority":"1","firewall":"true", "inport":"1", "etherType":"0x800", "ipDst":"11.0.0.2/32","output":"1"}' http://controller-ip:8080/wm/autoTPG/qpc/json3) Verify the FlowTable.
curl -d '{"switch":"00:00:00:00:00:00:00:01", "tableid": "0", "method":"rec"}' http://controller-ip:8080/wm/autoTPG/qpvf/json
The method is "bin" for applying the binary search method and "rec" for applying the packet-reception method for verifying the Flow Entries.
The results will be displayed in the same terminal.
1) Sachin Sharma, Wouter Tavernier, Sahel Sahhaf, Didier Colle, Mario Pickavet, Piet Demeester, "Verification of Flow Matching Functionality in the Forwarding Plane of OpenFlow Networks", IEICE Transactions on communications, Vol.E98-B,No.11,pp. 2190-2201,Nov. 2015.
2) Sachin Sharma, Wouter Tavernier, Didier Colle, Mario Pickavet, Piet Demeester, "Verification of aggregated flows in OpenFlow networks", IEEE INFOCOM, pp. 7-8, 2015
Copyright (c) 2015 Ghent University and iMinds vzw with offices at Gaston Crommenlaan 8, box 102, 9050 Ghent, Belgium.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software for non-commercial educational and research use, including without limitation the rights to use, copy, modify, merge, publish, distribute and/or sublicense copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
1. The above copyright notice and this permission notice shall be included in all copies of the Software.
2. Permission is restricted to non-commercial educational and research use: the use of the Software is allowed for teaching purposes and academic research. Usage by non-academic parties is allowed in a strict research environment only. The use of the results of the research for commercial purposes or inclusion in commercial activities requires the permission of iMinds vzw. 3. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
This code is contributed by iMinds - Ghent University. The code is written in the part of work performed in the UNIFY project (www.fp7-unify.eu). For any question or bug, please report at Sachin.Sharma@intec.ugent.be.