Publication | Closed Access
A packet-in message filtering mechanism for protection of control plane in OpenFlow networks
Citations: 51
References: 18
Year: 2014
Venue: Unknown
Topics: Engineering, Information Security, Computer Architecture, Control Plane, Openflow Switches, Software Defined Security, Network Management Architecture, Hardware Security, Systems Engineering, Advanced Networking, Network Security, Software-defined Networking, Computer Engineering, Computer Science, Network Mechanism, Data Security, Cryptography, Conventional Networking Hardware, Edge Computing, Network Traffic Control, Openflow Networks, Programmable Data Plane, Packet-in Message
Protecting control planes in networking hardware from high-rate packets is a critical issue for networks under operation. One common approach for conventional networking hardware is to offload expensive functions onto hard-wired offload engines such as ASICs. OpenFlow networks are expected to provide greater network control flexibility through an open interface to the packet-forwarding plane and through centralized controllers. In OpenFlow networks, the approach used for conventional networking hardware is inadequate on its own because it restricts some of the flexibility that OpenFlow is expected to provide. Therefore, we need a generic control plane protection mechanism in OpenFlow switches as a last resort. In this paper, we propose a mechanism to filter out Packet-In messages without dropping ones that are important for network control. Our proposed mechanism works simply. Before sending Packet-In messages, switches record the values of packet header fields, which are specified by the controllers in advance, and filter out packets that have the same values as the recorded ones. We implemented and evaluated the proposed mechanism on a prototype software switch, concluding that it dramatically reduces CPU loads in the switches and passes important Packet-In messages for network control.
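The record-then-filter step described in the abstract, sketched as an added Python example (not the paper's prototype or its code). The class name, the bounded table with oldest-first eviction, and the sample traffic are assumptions constructed here; the second run shows how the controller's choice of fields decides how much is filtered.

```python
from collections import OrderedDict

class PacketInFilter:
    """Suppress Packet-In messages for packets whose recorded header values repeat."""

    def __init__(self, match_fields, max_entries=1024):
        self.match_fields = tuple(match_fields)  # chosen by the controller in advance
        self.max_entries = max_entries           # assumption: table is bounded
        self.seen = OrderedDict()                # recorded values, oldest first
        self.sent = 0
        self.filtered = 0

    def should_send(self, headers):
        """Return True if a Packet-In should go to the controller for this packet."""
        key = tuple(headers.get(f) for f in self.match_fields)
        if key in self.seen:
            self.filtered += 1                   # same values already recorded: drop
            return False
        if len(self.seen) >= self.max_entries:
            self.seen.popitem(last=False)        # assumption: evict the oldest record
        self.seen[key] = True                    # record before sending the Packet-In
        self.sent += 1
        return True

def constructed_traffic():
    """Constructed sample: 1000 table-miss packets of one host pair, varying only
    in TCP source port, with one ARP request from a new host in the middle."""
    flood = [{"eth_src": "aa:00:00:00:00:01", "eth_dst": "aa:00:00:00:00:02",
              "eth_type": 0x0800, "tcp_src": 1024 + i} for i in range(1000)]
    new_host = {"eth_src": "aa:00:00:00:00:03", "eth_dst": "ff:ff:ff:ff:ff:ff",
                "eth_type": 0x0806}
    return flood[:500] + [new_host] + flood[500:]

def run_demo(match_fields):
    """Feed the constructed traffic through a filter; return (sent, filtered)."""
    flt = PacketInFilter(match_fields)
    for pkt in constructed_traffic():
        flt.should_send(pkt)
    return flt.sent, flt.filtered

if __name__ == "__main__":
    # Layer-2 fields only: the flood collapses to one Packet-In, the new host passes.
    print(run_demo(("eth_src", "eth_dst", "eth_type")))
    # Adding the varying TCP port to the key makes every packet look new.
    print(run_demo(("eth_src", "eth_dst", "eth_type", "tcp_src")))
```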