Versions Compared

Old Version 4

changes.mady.by.user Alex Lu

Saved on

compared with

New Version Current

changes.mady.by.user Alex Lu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • IFloodlightProviderService

  • IDeviceService

  • IStorageSourceService

  • IRestApiService

How It Works

...

The application takes advantage of IDeviceService in Floodlight to monitor deviceAdded event so as to store the Accessing Pair [dpid, IP] in a set, an Accessing Pair represents a switch of with that dpid connects to a host with a host of that IP, that is to say, given a host IP in the network, the application can search the Accessing Pair Set to find the switch connected with itto it. e.g. If user requests to add a new ACL rule like "deny flow with src-ip 10.0.0.0/24", the application will insert a static flow entry like "src-ip:10.0.0.0/24, action=deny" into every switch connected with the to the host with a IP address in subnet 10.0.0.0/24, a single flow entry masked for the entire subnet is inserted into every possible relevant switch, rather than insert a flow entry for every flow with a IP address in the subnet defined in a ACL rule, like the present Floodlight firewall does.

...

The application allows all flows by default, the ACL rule with "ALLOW" action is just used to subtract the allowing flow from the denying flow which has a larger match range, e.g. "allow flow with src-ip 10.0.0.1/32 but deny all other flows with src-ip 10.0.0.0/24". e.g. If there is a general ACL entries like "allow all packets src-ip:10.0.0.1", the application would insert a static flow entry in the switch that connects host(10.0.0.1) like "src-ip:10.0.0.1, action=output to controller" so as to let the controller determine how to forward that flow. 

Issues and Limitations

The ACL application has the potential to increase the size of flow table needlessly if packets for the rules never actually arrive. As a result, it could in theory slow down the lookup process when any packet is received on the switch.

There are pros and cons to both approaches and there is no perfect solution. The solution of choice should depend on the requirements of a given application/scenario. The ACL application would provide an alternative implementation with different performance implications and having multiple choices is always a good thing!.