Improving the Tunnel Management Performance of Secure VPLS Architectures with SDN

Madhusanka Liyanage 1, Mika Ylianttila 2, Andrei Gurtov 3

1 Centre for Wireless Communication (CWC), University of Oulu, Finland
2 Centre for Internet Excellence (CIE), University of Oulu, Finland
3 Helsinki Institute for Information Technology (HIIT), Finland and ITMO University, Russia.

Email: 1 madhusanka@ee.oulu.fi, 2 mika.ylianttila@oulu.fi, 3 gurtov@hiit.fi

Abstract—Secure VPLS (Virtual Private LAN Services) networks are becoming attractive in many Enterprise applications. However, the tunnel establishment mechanisms of legacy VPLS architectures are static, complex and inflexible in nature. As a result, secure VPLS architectures suffer from limitations such as limited scalability, over-utilization of network resources, high tunnel establishment delay and high operational cost. In this article, we propose a novel SDN (Software Defined Networking) based VPLS (Virtual Private LAN Services) architecture to overcome the tunnel management limitations of existing secure VPLS architectures. The proposed architecture utilizes IPsec enabled OpenFlow switches as PEs (Provider Edge Equipments) and the OpenFlow protocol to install flow rules in PEs. A centralized controller is used to manage the tunnel establishment functions. We also propose a novel tunnel management mechanism which can estimate the tunnel duration based on real-time session characteristics. Moreover, a novel tunnel resumption mechanism is proposed to reduce the tunnel establishment delay of subsequent tunnel establishments. Finally, the performance of the proposed architecture is analyzed by using a simulation model and a testbed implementation.

Index Terms—VPLS, SDN, OpenFlow, Security, IPsec, HIP

I. INTRODUCTION

Ethernet based VPLS is a transparent, protocol-independent, multipoint L2VPN (Layer 2 Virtual Private Network) mechanism to interconnect remote customer sites over IP (Internet Protocol) or MPLS (Multiprotocol Label Switching) based provider networks. Initially, VPLS networks were used to interconnect premises-wide SCADA (Supervisory Control and Data Acquisition) and process control devices. However, VPLS networks are now becoming attractive in many Enterprise applications such as DCI (data center interconnect), voice over IP (VoIP) and videoconferencing services due to their simple, protocol-independent and cost efficient operation.

New VPLS applications demand additional requirements such as elevated security, enhanced scalability, optimum utilization of network resources and further reduction in operational cost. Although the existing secure VPLS architectures are able to provide a sufficient level of security, they still suffer from limitations such as low scalability, over-utilization of network resources, high latency tunnel establishments and high operational cost.

In this article, we propose a novel SDN based VPLS (SoftVPLS) architecture to overcome the tunnel management limitations of legacy secure VPLS architectures. Moreover, we propose two new mechanisms to improve the performance of legacy tunnel management functions.

1) Dynamic tunnel establishment mechanism: allows dynamically changing the tunnel parameters based on real-time network statistics.
2) Tunnel resumption mechanism: reduces the tunnel establishment delay of subsequent tunnel establishments between authorized PEs.

Finally, the performance of the proposed architecture is analyzed by using a simulation model and a testbed implementation.

The rest of the paper is organized as follows. The background of legacy secure VPLS architectures is presented in Section II. Related works are mentioned in Section III. The proposed VPLS architecture is described in Section IV. We discuss the numerical and testbed experiment results in Sections V and VI. Section VII contains the conclusion and future research directions.

II. BACKGROUND

A. Virtual Private LAN Service (VPLS)

VPLS provides multipoint-to-multipoint Ethernet communication over IP/MPLS based provider networks. Figure 1 illustrates a simple VPLS architecture.

Fig. 1: The network topology of a simple VPLS network

A VPLS network consists of different components such as Customer Edge Equipment (CE), Provider Edge Equipment (PE), Provider (P) routers, PWs (Pseudo Wires)/tunnels and a provider network. CEs are located at the customers' premises. They are the middleboxes between the provider and customer networks. PEs belong to the service provider and they