P4 Edge node enabling stateful traffic engineering and cyber security

F. Paolucci, F. Civerchia, A. Sgambelluri, A. Giorgetti, F. Cugini, P. Castoldi
Journal: IEEE/OSA Journal of Optical Communications and Networking
DOI: 10.1364/JOCN.11.000A84 (https://doi.org/10.1364/JOCN.11.000A84)
Publication date: 2018-10-29
Publication type: Journal Article
Citation count: 59

Abstract

Next-generation edge nodes interfacing innovative IT clusters, 5G fronthaul, and internet of things (IoT) gateways to the optical metro/core network will require advanced and dynamic online quality of service (QoS) per-flow traffic treatment, assuring ultra-low latency requirements. However, current software-defined networking (SDN) implementations (e.g., OpenFlow) do not support forwarding procedures based on the network state, profile variations, and the history of flow statistics at the node level. Currently, such procedures require intervention by the SDN controller, leading to scalability issues and additional latency in data plane forwarding. Moreover, severe security challenges are expected to affect such nodes and threaten IT resources. Thus, increasing bandwidths will require direct deep packet inspection to avoid involvement of the SDN controller, as performed currently, or dedicated and costly security systems. This paper leverages the potential of the programming protocol-independent packet processors (P4) open source language, recently introduced by the inventors of OpenFlow, to program the data plane structure and behavior of an SDN switch. P4 is able to instantiate custom pipelines and stateful objects, enabling complex workflows, user-defined protocols/headers, and finite state machine enforcement. Moreover, P4 allows portable implementations over different hardware targets, thus opening the way to open source fully programmable devices. Special effort is dedicated to motivating and applying P4 within a multilayer edge scenario, proposing the architecture and the applicability of an SDN P4-enabled packet-over-optical node. Moreover, three specific multilayer use cases covering dynamic traffic engineering (TE) (e.g., traffic offload and optical bypass) and cybersecurity (e.g., distributed denial of service port scan) are discussed and addressed through P4-based solutions. Experimental evaluations have been conducted over a multilayer SDN network exploiting reference P4 software switches (i.e., the behavioral model version 2, or BMV2) and field-programmable gate arrays (FPGAs) at 10 gigabit Ethernet optical interfaces. Extensive results report effective dynamic TE and cybersecurity mitigation enforcement at P4 switches without any controller intervention, showing excellent scalability performance and overall latencies practically in line with current commercial OpenFlow switches.