SDN: The Programmable Network


The emergence of connected-device networks and the Internet of Things (IoT) places a new burden on networks: they must not only perform reliably, with guaranteed quality and in real time, but also do so dynamically. In traditional network configurations, the inability of operators to declare conditional rules effectively — given condition A, do x; otherwise, do y — limits network programmability to a single, static state. Because traffic policies cannot be reconfigured dynamically across the system, networks must allocate continuous bandwidth to all connected services regardless of service priority. An emerging trend in network design, however, is the separation of the network’s intelligence from its devices, which allows more nuanced, programmable control of the network from a centralized controller. By separating the network into control and data planes, software-defined networks (SDNs) give operators a new-found ability to program network traffic so that different services receive different latency priorities. This article presents a concise overview of SDN functionality and its current relevance to the adaptive enterprise.


Based on the design of the Internet as a resilient communication system (capable of surviving even a nuclear attack!), traditional TCP/IP networks are highly distributed, decentralized networks that forward information by moving packets hop by hop through the system. Traditional networks are both complex and relatively static [4]. Vertical integration bundles the control and data planes within the network’s switches and routers. In an effort to lend increased flexibility and in-path functionality to network infrastructures, an industry of vertically integrated vendors has emerged, offering a proliferation of specialized components and middleboxes. While effective in terms of performance and resilience, several features of conventional network design inhibit scalability in emerging data-centre and cloud-computing deployments.

First, the complexity and rigidity of traditional networks make them difficult to manage and control globally [2, 4]. While vendors offer proprietary solutions in specialized hardware, high-level policies must be configured individually on each of the network’s devices using low-level policies and vendor-specific commands [3, 4]. The need for administrative management of changes at each level not only makes the network difficult to configure according to pre-defined policies, it also makes adaptive reconfiguration in response to faults, load and change difficult. Dynamic configuration is essential to the adaptive provisioning of resources for real-time traffic management [1].

Second, the vertical coupling of the data and control planes reduces the flexibility of the network and hinders the innovation necessary for the continued evolution of network infrastructures [4]. Working around the inflexibility of vertical integration by placing new networking features in specialized middleboxes increases the complexity, rigidity and cost of the network. Vendor-specific network devices inflate both the initial investment and the ongoing maintenance costs of IP networks. Further, the protracted development and upgrade cycles of emerging switch technologies and software applications introduce risk and cost factors that prohibit the rapid expansion demanded in the Big Data era.

Software-defined Networks

Software-defined networks base packet forwarding on information flows [3]. Rather than mapping a destination address to an output port, SDN forwarding tables define actions to take on flows [4, 6]. Unlike traditional network devices, SDN network devices are simplified into forwarding elements whose sole purpose is moving data; forwarding decisions are made in a distinct control plane and pushed down to the data-plane devices [1, 5]. Within each switch, flow tables store match-action rules that decide how incoming packets are handled [6]. A flow-table entry consists of three parts: matching rules; actions to be executed on matching packets; and counters that keep statistics on matching packets [4]. This flow-based abstraction enables the unified behavior of different types of network devices, orchestrated from a logically centralised control system.

Unique to SDNs, the separate control plane maintains a holistic overview of the entire network infrastructure, which it collects from the network devices [2, 5]. Leveraging this global network view, the controllers devise co-ordinated traffic-engineering policies based on end-user applications and policy requirements, and configure individual network elements accordingly [1]. Application-layer requests reach the controller via northbound interfaces, and the controller programs the network’s forwarding devices through a well-defined southbound interface. The control plane may comprise several horizontally distributed controllers which together assemble a logically centralized, abstract view of the network’s resources [1, 4]. In this way, the control plane acts as the “network brain”: it makes decisions on how network traffic is handled and is responsible for responding to requests, directing traffic towards its destination and maintaining the overall network control logic [2, 4].

The horizontal tiering of the SDN into functional planes allows user or administrator intent to be specified at the application layer, executed at the data layer, and controlled at the control layer. Decoupling decision-making logic from network devices enables an essential “separation of concerns” between the network’s traffic-management policy definition, policy implementation and traffic forwarding, each in its own tier [1, 4]. Specifically, the separation of the data and control planes enables programmable behavior, allowing a change made at the controller to propagate across the network [2, 3]. Being an adaptive design, the SDN framework not only enables real-time policy implementation, it also allows new protocols to be deployed in response to changing traffic requirements [1]. Through the centralized network logic of SDNs, administrators can initialize, control and manage networks dynamically, bypassing the need to configure hardware devices individually [2, 3]. The programmable management of network flows simplifies policy enforcement and network configuration and reconfiguration, offering more efficient traffic management and leading to a more plastic, evolvable network design [1, 4].


Despite this tremendous gain in network flexibility and adaptiveness, the SDN paradigm presents unique challenges in terms of network resilience, scalability and security [3]. Specifically, centralizing the control of a complex, distributed architecture risks creating a fragile, insecure and attack-prone environment: failures in any of several components may sever the essential control-to-data-plane communication, resulting in “brainless” networks [4]. Further, the limited memory of network devices and the reactive configuration of switches by the controller introduce potential latency overhead in flow-based packet handling, which affects the scalability of SDN networks [3, 4, 6]. Finally, the flexibility introduced by software-defined networks requires a new balance between network connectivity, partition tolerance and policy enforcement [4]. Understanding both the performance trade-offs and the risks inherent in these architectural decisions is a prerequisite for production-scale deployments of the SDN concept.
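To make the flow-table abstraction from the Software-defined Networks section concrete, and to show the failure modes just described (finite device memory, the latency cost of reactive table misses, and a switch cut off from its controller), here is a small OpenFlow-style simulation. It is an added example written for this article, not code from the article or from any of the cited works. It assumes a simplified action set (`forward:<port>` and `drop`), models the controller as a callback, and assumes a fail-secure default in which a switch with no controller drops packets that miss its table; the packets and the policy are constructed for the demonstration.

```python
"""Toy OpenFlow-style switch and controller (constructed example, not from the article).
Shows the three parts of a flow entry (match, action, counters), priority matching,
the reactive table-miss path, finite table capacity and loss of the controller."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Packet = Dict[str, str]  # header fields as strings; "len" is the frame length


@dataclass
class FlowEntry:
    match: Dict[str, str]  # fields a packet must carry; a field not listed is a wildcard
    action: str            # simplified action set: "forward:<port>" or "drop"
    priority: int = 0      # highest matching priority wins
    packets: int = 0       # counter: matching packets seen
    bytes: int = 0         # counter: matching bytes seen

    def matches(self, pkt: Packet) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())


# The controller is modelled as a callback: given the packet that missed the table,
# it returns the rule to install, or None to drop the packet without caching a rule.
Controller = Callable[[Packet], Optional[FlowEntry]]


class Switch:
    def __init__(self, capacity: int, controller: Optional[Controller]):
        self.capacity = capacity      # finite rule memory (TCAM-like limit)
        self.table: List[FlowEntry] = []
        self.controller = controller  # None models a lost control channel
        self.table_misses = 0
        self.dropped_no_controller = 0

    def install(self, entry: FlowEntry) -> bool:
        """Add a rule; refuse when the table is full so the memory limit is visible."""
        if len(self.table) >= self.capacity:
            return False
        self.table.append(entry)
        self.table.sort(key=lambda e: e.priority, reverse=True)
        return True

    def lookup(self, pkt: Packet) -> Optional[FlowEntry]:
        for entry in self.table:  # table is kept sorted by priority
            if entry.matches(pkt):
                return entry
        return None

    def handle(self, pkt: Packet) -> str:
        entry = self.lookup(pkt)
        if entry is None:
            # Table miss: the reactive path. Every miss costs a controller round trip.
            self.table_misses += 1
            if self.controller is None:
                # Assumed fail-secure behaviour: no controller, no new flows admitted.
                self.dropped_no_controller += 1
                return "drop"
            entry = self.controller(pkt)
            if entry is None:
                return "drop"
            # If the table is full the rule is applied once but not cached, so the
            # next packet of this flow misses again (the latency overhead of reactive setup).
            self.install(entry)
        entry.packets += 1
        entry.bytes += int(pkt.get("len", "0"))
        return entry.action


def policy_controller(pkt: Packet) -> Optional[FlowEntry]:
    """Constructed policy: 'given condition A, do x; otherwise do y'."""
    if pkt.get("src_ip", "").startswith("10.9."):  # quarantined subnet: always drop
        return FlowEntry({"src_ip": pkt["src_ip"]}, "drop", priority=100)
    if pkt.get("dst_port") == "443":                # web traffic leaves on port 2
        return FlowEntry({"dst_port": "443"}, "forward:2", priority=10)
    return FlowEntry({"dst_ip": pkt.get("dst_ip", "")}, "forward:1", priority=1)


def run_demo() -> dict:
    """Drive the switch with constructed packets and return the observable state."""
    sw = Switch(capacity=2, controller=policy_controller)
    pkts = [
        {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "dst_port": "443", "len": "60"},
        {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "dst_port": "443", "len": "1500"},
        {"src_ip": "10.9.1.1", "dst_ip": "10.0.0.9", "dst_port": "22", "len": "80"},
        {"src_ip": "10.0.0.7", "dst_ip": "10.0.0.8", "dst_port": "5060", "len": "200"},
        {"src_ip": "10.0.0.7", "dst_ip": "10.0.0.8", "dst_port": "5060", "len": "200"},
    ]
    actions = [sw.handle(p) for p in pkts]
    sw.controller = None  # control channel lost: the "brainless" network
    actions.append(sw.handle({"src_ip": "10.0.0.1", "dst_ip": "10.0.0.2", "dst_port": "80", "len": "40"}))
    actions.append(sw.handle(pkts[0]))  # an already-installed rule still forwards
    web = sw.lookup(pkts[0])
    return {
        "actions": actions,
        "table_misses": sw.table_misses,
        "dropped_no_controller": sw.dropped_no_controller,
        "table_size": len(sw.table),
        "web_counters": (web.packets, web.bytes),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows each of the points in the text: the first web packet misses and is resolved by the controller, the second hits the cached rule and only bumps the counters, the quarantined source gets a high-priority drop rule, the two port-5060 packets both miss because the two-entry table is full, and after the controller is lost a new flow is dropped while the flows already programmed keep forwarding.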


[1] Bakhshi, T. (2018). Securing wireless software defined networks: Appraising threats, defenses & research challenges. 2018 International Conference on Advancements in Computational Sciences (ICACS). doi:10.1109/icacs.2018.8333279

[2] Bilal, T., Faiz, Z., & Shah, M. A. (2017). Software defined networks: An analysis on robust security practices. 2017 23rd International Conference on Automation and Computing (ICAC). doi:10.23919/iconac.2017.8082061

[3] Fernández, J. P., Villalba, L. G., & Kim, T. (2018). Software Defined Networks in Wireless Sensor Architectures. Entropy, 20(4), 225. doi:10.3390/e20040225

[4] Kreutz, D., Ramos, F. M., Verissimo, P. E., Rothenberg, C. E., Azodolmolky, S., & Uhlig, S. (2015). Software-Defined Networking: A Comprehensive Survey. Proceedings of the IEEE, 103(1), 14-76. doi:10.1109/jproc.2014.2371999

[5] Machado, C. C., Granville, L. Z., & Schaeffer-Filho, A. (2016). ANSwer: Combining NFV and SDN features for network resilience strategies. 2016 IEEE Symposium on Computers and Communication (ISCC). doi:10.1109/iscc.2016.7543771

[6] Sood, K., Yu, S., & Xiang, Y. (2016). Software-Defined Wireless Networking Opportunities and Challenges for Internet-of-Things: A Review. IEEE Internet of Things Journal, 3(4), 453-463. doi:10.1109/jiot.2015.2480421