Veriﬁcation of aggregated ﬂows in OpenFlow networks Sachin Sharma, Wouter Tavernier, Didier Colle, Mario Pickavet, and Piet Demeester Department of Information Technology (INTEC), Ghent University - iMinds, Email: {sachin.sharma, wouter.tavernier, didier.colle, mario.pickavet, piet.demeester}@intec.ugent.be Abstract—Recently, the automatic test packet generation (ATPG) tool is proposed to verify a network for error conditions (e.g., incorrect ﬁrewall rules, software, hardware, and perfor- mance errors). However, this tool is not able to verify aggregated ﬂows (i.e., ﬂows having wildcards in some of their ﬁelds) for matching issues. In this paper, we propose a mechanism to verify aggregated ﬂows in OpenFlow networks. In the demonstration, we verify aggregated ﬂows installed in an emulated pan-European topology using our proposed mechanism. I. I NTRODUCTION In OpenFlow [1], the control plane is decoupled from switches or routers, and is embedded into one or more external servers called controllers. However, like traditional networks, debugging for errors (e.g., software, hardware, and ﬁrewall rules errors) is one of the time consuming and complex tasks in OpenFlow networks. One of the reasons of this complexity is the presence of aggregated ﬂows, which contain several individual ﬂows by having wildcards in some of their ﬁelds. As aggregated ﬂows can match many different ﬂows, it is difﬁcult to ﬁnd which ﬂow is having an issue (such as matching issue). The issue could be caused by misconﬁguration (e.g., ﬁrewall rules), software issues, hardware issues, or malicious attacks. Debugging all these errors is difﬁcult by just analyzing the conﬁguration of networks. Therefore, network operators have to debug manually by sending test packets in the network. Manual debugging takes signiﬁcant time in ﬁnding the issues. Therefore, the ATPG tool [2] is proposed recently for automatic veriﬁcation of all ﬂows by transmitting test packets in networks. However, this tool does not verify the matching header part of aggregated ﬂows for software or hardware matching issues. In this paper, we propose a mechanism to verify all the aggregated ﬂows for these issues. The aim of our mechanism is : (1) to perform automatic discovery of matching errors, (2) to minimize the time required to ﬁnd errors, (3) to minimize the bandwidth required for veriﬁcation. The mechanism is implemented in the part of a veriﬁcation activity [3] in the UNIFY project (www.fp7-unify.eu). For the demo, we ﬁrst generate the matching errors for aggregated ﬂows and then ﬁnd these errors using our mecha- nism. Executing the mechanism, generating errors, and ﬁnding the errors are performed by different GUIs (Graphical User Interface) placed in the controller and in an emulated switch topology (pan-European topology). In addition, during the demo, we transmit data trafﬁc containing faulty and non-faulty ﬂows, and show that the errors found through our mechanism are actually present in the network, as trafﬁc containing faulty ﬂows are not received by the destinations. II. VERIFICATION MECHANISM In our mechanism, for veriﬁcation, two steps – (1) ﬂow- entry transformation and (2) test packet generation – are performed. The ﬂow-entry transformation step transforms an aggregated ﬂow-entry into three entries and can be performed at the time of ﬂow addition. The test packet generation step veriﬁes these three entries for matching issues and can be performed at any time when the veriﬁcation of the aggregated ﬂow is required. In the mechanism, a ﬁeld (such as EtherType or VLAN) of a ﬂow is used to distinguish data and test packets. It is assumed that this ﬁeld is always wildcarded for data ﬂows. This assumption allows the mechanism to add the same matching-header for two of the entries (ﬂow-entry 1 and 2 in Fig. 1) in the ﬂow-entry transformation step. As the matching- header part of these entries is same, the assumption is that if a matching error is present in one entry, it is also present in the other entry. P, matching-header: actions (P, EtherType, IP): actions (P, *, 10.1.*.*/16): Table:2 FlowTABLE 1 FlowTABLE 2 1 P, matching-header: actions (P, EtherType, IP): actions (P, *, 10.1.*.*/16): Port:3 (P+, E,10.1.*.*/16):Drop 2 3 P, matching-header: actions (P, EtherType, IP): actions (P, *, 10.1.*.*/16): Port:3 Aggregated Flow Transformed Aggregated Flow * = wildcard and E is EtherType of test packets FlowTABLE 1 Fig. 1. Flow-Entry Transformation step. P+ is a priority no. higher than P The ﬂow-entry transformation step is shown in Fig .1. In this step, an aggregated ﬂow is transformed into three ﬂow- entries. The ﬁrst entry is present in the same FlowTable as the original ﬂow, and the other two entries are present in another FlowTable i.e., FlowTable 2 in Fig .1. The ﬁrst ﬂow-entry, which has the same matching header as the original ﬂow, redi- rects all the matched packets to another table (i.e., FlowTable 2). The second ﬂow-entry, which has same matching-header as the ﬁrst entry and a lower priority number than the third entry, redirects all the matched data packets to the output action (Port:3) of the original ﬂow. The third ﬂow-entry, which contains EtherType (E) of test packets in its matching header part, drops all the matched test packets. After establishing these entries, the controller can now perform veriﬁcation using test packet generation step. In the test packet generation step, the controller ﬁnds the matching errors in the aggregated ﬂow by transmitting test packets. For ﬁnding errors in a switch, the controller in our mechanism sends ﬁrst all the test packets (which can be matched through an aggregated ﬂow). It then ﬁnds the number of errors by subtracting the number of sent packets from the increase in the counters (statistics) of the third ﬂow entry (the third entry) in FlowTable 2. It also ﬁnds that if there is an increase in counters of another test packet ﬂow-entry containing unmatched ﬂow (due to incorrect matching). At this time, the controller knows the number of ﬂow matching errors. However, it does not know that which ﬂows have a