
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 19, NO. 1, FIRST QUARTER 2017 325

Software Defined Networking Architecture, Security and Energy Efficiency: A Survey
Danda B. Rawat, Senior Member, IEEE, and Swetha R. Reddy, Member, IEEE

Abstract—Software-defined networking (SDN) is an emerging paradigm, which breaks the vertical integration in traditional networks to provide the flexibility to program the network through (logical) centralized network control. SDN has the capability to adapt its network parameters on the fly based on its operating environment. The decoupled structure of SDN serves as a solution for managing the network with more flexibility and ease. In SDN, the centralized cost effective architecture provides network visibility which helps to achieve efficient resource utilization and high performance. Due to the increasingly pervasive existence of smart programmable devices in the network, SDN provides security, energy efficiency, and network virtualization for enhancing the overall network performance. We present various security threats that are resolved by SDN and new threats that arise as a result of SDN implementation. The recent security attacks and countermeasures in SDN are also summarized in the form of tables. We also provide a survey on the different strategies that are implemented to achieve energy efficiency and network security through SDN implementation. In an effort to anticipate the future evolution of this new paradigm, we discuss the main ongoing research efforts, challenges, and research trends in this area. With this paper, readers can have a more thorough understanding of SDN architecture, different security attacks and countermeasures, and energy efficiency.

Index Terms—Software defined network, network virtualization, energy efficiency, SDN security, OpenFlow network.

Manuscript received March 4, 2016; revised May 19, 2016 and September 11, 2016; accepted October 15, 2016. Date of publication October 19, 2016; date of current version February 22, 2017. This work of D. B. Rawat was supported in part by the U.S. National Science Foundation (NSF) CAREER Award under Grant CNS-1650831, and in part by the NSF under Grant CNS-1658972.
D. B. Rawat is with the Department of Electrical Engineering and Computer Science, Howard University, Washington, DC 20059 USA (e-mail: [email protected]).
S. R. Reddy is with the Department of Electrical Engineering, Georgia Southern University, Statesboro, GA 30460 USA.
Digital Object Identifier 10.1109/COMST.2016.2618874
1553-877X © 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

I. INTRODUCTION

The Information and Communication Technology (ICT) infrastructures are expanding continuously with the increase in the number of devices and applications for Internet-of-Things (IoT) [1] and cyber physical systems [2]. Software-Defined Networking (SDN) is regarded as a technology that is capable of managing the entire network efficiently and transforming the complex network architecture into a simple and manageable one. Recent studies have shown that the traditional networks are not capable of satisfying the growing demands as all components in the network are vertically integrated, forming a complex structure that is hard to manage [3]–[6]. Traditional networks are capable of supporting only vendor specific policies and offer no flexibility for dynamic network environments [3], [5], [6].

Fig. 1. Comparison of traditional network architecture and simplified software defined network (SDN) architecture.

Fig. 1 depicts the comparison of the high level transformation of traditional networking architecture and SDN architecture. SDN is regarded as the hardware independent next generation networking paradigm in which networking devices from any vendor could be controlled through SDN. SDN has decoupled application plane, data plane and control plane. It has two prime components: controller and switches. The SDN controller is responsible for the management of the entire network whereas networking switches are responsible for operating based on the instructions deployed through the SDN controller. Unlike the traditional networks, where the entire system needs to be reconfigured to upgrade the system, only the software needs to be updated in the SDN, making it more convenient for upgrading and reduction of overall cost [7]. SDN has gained significant attention as it is flexible and can be programmed using any high-level programming language to serve the purpose of the client devices and users [8]–[11]. Programmable SDN allows the network parameters to be adapted based on its operating environment to improve overall network performance as well as detect flaws in the network. Due to the increasingly pervasive existence of smart programmable devices in the network, SDN provides security (e.g., SDN IPS [12], TIPS [13], anomaly attacks [14]), energy efficiency and network virtualization for enhancing the overall network performance.

Despite the advantages that programmable SDN technology offers, it can be vulnerable to many kinds of attacks such as anomaly attacks, intrusion attacks, Denial-of-Service (DoS) attacks, etc. [15]–[18]. Furthermore, programmable SDN can be used to help reduce energy consumption by network infrastructure and devices while providing network security. According to the reports on the energy consumption, the energy consumption by the ICT infrastructure is proliferating [19] and it is expected to consume up to 14% of the worldwide energy consumption by the end of 2020 [20], [21]. This necessitates an effort to reduce the energy consumption in the networks. The SDN platform is capable of providing high performance along with energy efficiency and network security. However, the energy efficiency methods have to be implemented in SDN to control the inflating energy consumption while providing network security. The proper traffic management and implementation of sleep-awake mechanisms in SDN can reduce the overall power consumption of the network and thus the energy bills [22]–[25].

Although there are related survey papers [6], [7], [16], [26]–[29] which provide information about the SDN, more up to date activities of rapidly advancing research areas on SDN security and energy efficiency are to be brought to the research community. Furthermore, state-of-the-art literature does not provide recent advances on security threats/attacks and countermeasures in SDN by categorizing them in terms of their types and recent advances in energy management schemes in SDN. The aim of this survey paper is to provide the recent works towards the security aspects of SDN with more focus on various security threats that are resolved by SDN and new threats that arise as a result of SDN implementation; and various strategies that are implemented to achieve energy efficiency in SDN. Further, we present various security threats that are resolved by SDN and new threats that arise as a result of SDN implementation. We also provide a survey on the different strategies that are implemented to achieve energy efficiency in the networks through SDN implementation. The main contributions of this paper include:
• We present a detailed study on SDN security aspects by categorizing them into two parts. The first part discusses the threats that can be resolved by the implementation of SDN and the second part discusses security threats because of SDN implementation along with their countermeasures.
• We summarize security attacks and countermeasures in SDN in a tabular form for a side-by-side comparison.
• We provide a survey on recent techniques to reduce energy consumption in SDN and present side-by-side comparison of different techniques for energy saving through SDN.
• We present a discussion of research challenges, open problems and recommendations for SDN that are needed to be addressed to realize its full potential.

The organization of the paper is as follows. Section II discusses the background of SDN. Security and Energy Efficiency are presented in Sections III and IV respectively. Challenges in SDN are discussed in Section V. Finally, the conclusions are presented in Section VI.

II. BACKGROUND OF SDN

The development of SDN began in the early 1990s with the ideas obtained from various supporting technologies [30]–[33]. The idea of decoupling of the data plane and control plane was obtained from the network control point implemented in telephone networks where the data and control are fragmented from one another. This proved to be a cost effective and secure solution. Active networks [34], [35] introduced the programmability in the network through an application interface. The capsule model [36], Tempest [37], Virtual Network Infrastructure (VINI) [38], and programmable router switch model [34], [39] are the examples of active networking models that offer the flexibility to control different tasks and events. Though these models were discovered much earlier, they could not be implemented due to the lack of proper infrastructure and hardware support. The major contribution for SDN started with the introduction of OpenFlow in 2008 [40].

A. The SDN Architecture

SDN is regarded as an emerging technology where the primary concept is removing the intelligence from the networking devices and managing the entire network functionality with the help of a centralized controller. The basic structure of SDN is represented in Fig. 2. It consists of three different layers: Application layer, Control layer and Infrastructure layer.

Fig. 2. Block diagram of software defined network (SDN) architecture.

1) Infrastructure/Data Layer: The infrastructure layer (aka data layer) in SDN comprises network devices such as router, switch and access point. Both virtual switches such as Open vSwitch, Indigo, Pica8, Nettle, Open Flowj and physical switches coexist in this layer [6], [7], [41]–[43]. The main function of the data plane is forwarding the packets according to the assigned rules/policies.

2) Control Layer: The control layer consists of a controller which controls the overall SDN functions. This layer acts as a mediator for infrastructure layer and application layer. The controller is responsible for managing the entire traffic flow and solely takes decisions on routing, flow forwarding and packet dropping through programming [9], [26], [44]. The controllers in the distributed environment communicate with each
other through east-bound and west-bound interfaces. The control layer and the infrastructure layer communicate with each other through south-bound API such as OpenFlow, NetConf, etc. [7].

3) Application Layer: The Application layer is the foremost layer in the SDN as shown in Fig. 2. It is responsible for handling software related business and security applications. Network virtualization, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), firewall implementation and mobility management are some examples of applications handled by this layer. This layer communicates with the control layer using Application Control Plane Interface (A-CPI), also called northbound application interface [45], as shown in Fig. 2.

B. Features of SDN

SDN helps to achieve high performance and flexibility compared to the conventional networks. SDN offers a centralized control of the entire network through a controller which manages and automates the functions in all networking elements such as switches, routers and firewalls using programs. This feature helps to immediately respond to the changing traffic patterns and dynamically adjust the flows to enhance the overall network performance, better security and energy efficiency. Another feature of SDN is openness for innovation−open source platform which helps to improve further exploration, innovation and development of the network. Traditional networks are vendor specific and cannot be modified. Note that the openness of SDN does not affect the performance of the network [46]. Abstraction through layers is one of the best features enabled in SDN to reduce the burden on the programmer where different layers are interfaced through APIs [47], [48]. Due to this feature, the application layer has no direct interaction with physical components of the controller. Abstraction tools like Frenetic [47] and Pyretic [49] are among the most commonly used ones. Virtualization through SDN enables the sharing of physical infrastructures among multiple users and adaptability in the networks [6], [50]. A typical virtualization architecture is shown in Fig. 3. The virtualization can be storage based, network based or server based [50]. Vmware, Microsoft, Hyper-v, Citrix, Xen server, RHEL are among the most popular companies for providing network virtualization platform [6], [11].

Fig. 3. A typical architecture for server, network, storage virtualization.

Implementation of virtualization aims at creating a suitable environment for all SDN clients to coexist in a single platform without interfering with each other. The Networking Virtualization Proxy (NVP) by VMware [51] and SDNVE by IBM [52] are network virtualization platforms that are used in current SDN. The NVP specializes in reducing the programming complexity by providing high level abstraction whereas SDN is capable of handling large number of virtual machines [52]. Some of the commonly used virtualization techniques are discussed below. FlowVisor (FV) has been proposed as a switch virtualization scheme that establishes communication between virtual layer and data plane [53]. Switches in the system are embedded with a FlowVisor (FV) slicer and FV classifier [53]. Furthermore, each FV slicer is managed by a different controller [53]. ADvanced Flowvisor (ADvisor) was developed to overcome the limitations of FlowVisor and provide proper isolation among the clients [54]. AutoSlice has been proposed in [55] to tackle the issue of scalability and constraints associated with flow. Carrier Grade Virtualization has been proposed in [56] to include translation agents in all networking elements present in infrastructure layer. These agents facilitate the direct communication between physical layer and clients’ controller without involving hypervisors. Virtualization Cloud Platform (VCP) architecture in SDN relies greatly on Network Operating System (NOS) to provide isolation and proper utilization of network resources [57]. FlowN has been proposed in [58] for enabling the flexibility in NOX controller. It is a container based virtualization supporting multiple clients on a single platform [59]. HyperFlex has been proposed as a control plane virtualization scheme in SDN which mainly focuses on achieving privacy, flexibility and scalability [60].

C. Applications of SDN

Data centers are the major places used for storage of information/data. The structure of data centers in conventional networks is complex and difficult to manage. The available resources are not properly utilized as it does not have a complete view of the network. The data centers implemented using SDN can dynamically adapt by expanding or shrinking their size based on the requirement. The global view feature in SDN can be used for efficient traffic management to improve the overall network performance and resource utilization, and reduce the energy consumption of the network. Upgrading in traditional networks is not only associated with a cost of replacing the entire network but also involves the chance of losing important information. SDN is capable of upgrading the data centers without losing the information, changing the overall work flow in the network and degrading the overall performance [61]–[63].

The usage of SDN in WAN gained significant attention with Google deploying it for managing their data centers. Google employed traffic engineering schemes and were able to get benefits such as fault tolerance, active link utilization up to 100% promoting energy efficiency [64]. Software driven WAN (SWAN) offers flexibility to optimize the network policies and handle flows based on the priority set by the client and
was able to offer 38% more throughput than MLPS (Multi Layer Protocol Switching) scheme [65]. Note that the MLPS traffic engineering was the most commonly adopted method in conventional networks. Exponential growth of connected devices for IoT and cyber-physical systems [66] can be handled by SDN by expanding and/or shrinking resources on the fly [6], [67], [68].

SDN in Cellular Networks offers centralized control for cost-effective solutions for reducing Capital expenditures (CAPEX) and operating expenses (OPEX) of the cellular network. Combination of cellular networking technologies and SDN can offer high data rate and better QoS to the users [69], [70]. One of the major benefits is its capability to allow switching between different wireless technologies to provide better connectivity and coverage [70], [71]. Failure recovery, availability, dependability and security can be improved in cellular system [72], [73].

SDN for Wi-Fi Network effectively guarantees airtime shares to network slices using a Time Division Multiple Access (TDMA) like airtime scheduling [74]. Furthermore, SDN provides the flexibility for the deployment of Wi-Fi infrastructure in the rural areas where the traditional networks are hard to deploy and manage [74], [75].

SDN offers network interface for heterogeneous transport networks through virtualization (e.g., [76]) and for optical network virtualization in [77]. The management and allocation of resources to virtual networks/machines is simplified by introducing ANM (Automatic Network Management) systems in the design [78]–[80].

In order to have seamless switching (aka wireless virtualization) between different wireless technologies such as satellite, cellular, TV, GPS, Wi-Fi, etc., Cloud-base Radio Access Networks (C-RAN) has been proposed in [81]. A typical block diagram for C-RAN is shown in Fig. 4. SoftRAN has been proposed to provide reliable connectivity and coverage with available spectrum in [83]. Furthermore, for Self Organizing Network (SON) in C-RAN, Heterogeneous Cloud Radio Access Networks (HC-RAN) are capable of supporting the decoupling without degrading the overall network performance [84], [85]. Similarly, OpenRAN has been proposed for deployment of SDN in C-RAN for meeting the QoS requirements using Wireless Spectrum Resource Pool (WSRP), SDN controller and Cloud Computing Resource Pool (CCRP) [86].

Fig. 4. Top-level wireless virtualization architecture with SDN [71], [81], [82].

Due to the ease of modifying the system and adapting various energy efficient mechanisms, SDN provides a better solution for green networking, which has become important in network design and deployment for economic and environmental benefits. For green networking, different approaches have been considered [87]. It is noted that SDN switching devices may not directly help reduce energy consumption in the SDN-based networks [88]; however, SDN offers configurations that can help to reduce energy consumption [87], [89]. Further details for green networking using SDN are presented in Section IV of this paper.

III. SECURITY AND SOFTWARE-DEFINED NETWORKS

Initially SDN was introduced for the flexibility to configure the network to improve overall network performance but later SDN was found to be applicable to securing the network. Traditional networks are vulnerable to various security threats, some of which cannot be detected easily. SDN is an emerging technology that can provide security defense solutions as it is capable of detecting attacks and acting adaptively in a quicker way than traditional networks. However, there are new kinds of attacks targeted at SDN [90]. Thus, SDN implementation in the infrastructure has both pros and cons.

The security aspects of SDN are discussed in two sections as depicted in Fig. 5: the first part (Section III-A) discusses the role of SDN in enhancing security in existing network infrastructure. The second part (Section III-B) presents the security challenges that arise in SDN.

A. SDN as a Security Solution

The various security threats that can be resolved using SDN are summarized in Table I. In this table, we provide definitions of different kinds of threats along with their countermeasure techniques. The detailed description of these countermeasures and applications is given below.

1) SDN as Intrusion Detection System (IDS) and Intrusion Prevention System (IPS): An intrusion attack is an unauthorized activity on a network where attacks absorb network resources intended for other uses. Due to the reconfigurability and programmability of SDN, the SDN can be implemented as IDS and IPS to monitor the network activities continuously to detect intrusion attacks. The most common intrusion attack vectors that can be defended by using adaptability and programmability of SDN are:
1) Asymmetric Routing Attack: The attacker uses more than one route to the targeted network device to bypass certain network segments and intrusion sensors. If networks are not set up for asymmetric routing, they are vulnerable to this attack.
2) Buffer Overflow Attacks: This attack overwrites specific sections of device memory of a target network or replaces normal data in certain memory locations with a malware to attack the network with an aim of initiating denial-of-service.
3) Protocol-Specific Attacks: The network protocols - such as TCP, UDP, ARP, IP, ICMP etc., may inadvertently
leave a backdoor for network intrusions through spoofing or so with an aim of compromising or even crashing the targeted devices on a network. For instance, while mapping IP network addresses to the hardware addresses, ARP protocol does not perform authentication on messages, allowing attackers to execute “man-in-the-middle” attacks.
4) Traffic Flooding Attacks: Attacker can generate traffic loads too heavy for the network to overwhelm the overall network resources. These attacks can be easily controlled using SDN.
5) Trojan based Attack: This attack instigates DoS attacks, erases stored data or opens back doors to permit system control by outside attackers.

Fig. 5. Software defined network (SDN) as a security solution and security attacks that are unique to SDN.

TABLE I
TYPICAL SECURITY APPLICATIONS OF SDN AS A SECURITY PARADIGM

There are different defense solutions based on SDN which are discussed below. CloudWatcher has been proposed in [91] for controlling the traffic flow in SDN with program logic and efficiently routing it through all security components present in the infrastructure such as Network IDS and firewalls. This prevents the entry of malicious packets that may pose a threat to the network.

Network Intrusion detection and Countermeasure sElection in virtual network systems (NICE) has been proposed in [98] for both intrusion detection and prevention. NICE has four modules: NICE-A, VM profiling, attack analyzer and a network controller. The NICE-A works as a network IDS, VM profiling stores the complete activities of VMs (including traffic conditions, open ports, vulnerabilities and security alerts etc.), attack analyzer is responsible for analyzing attacks and providing countermeasures, and the network controller helps the analyzer by reporting the complete information of the network conditions.

On-path detection and off-path detection approaches have been proposed in [99]. In on-path detection, the suspicious packets are detected by attaching the IDS system in the path of travel of packets. It is more effective than the off-path detection where the IDS is attached as a separate physical module to the system. The other security feature is the ability of the IDS to report suspicious activities to the controller using alerts/alarms so that the controller can immediately take an action to mitigate the attacks.

IDS and IPS have been integrated with SDN in [12], [13], and [92] to analyze attacks in a network and supply suitable countermeasures for the attacks. The network controller is utilized to gather the required information for the attack analyzer to detect these threats/attacks.

SDN is implemented along with a prominent IDS system called Snort [100] for the detection of threats in Advanced Metering Infrastructure (AMI) which are popular in smart energy grids. The standalone IDS cannot prevent the malware from entering the system, so SDN is embedded with it to guard and protect the system. Snort detects the malware based on predefined rules. There are different methods of incorporating Snort with SDN including mirror implementation and PACKET_IN approach [100]. In mirror implementation, Snort is connected to the OpenFlow switch in SDN where all the traffic is made to pass through both OpenFlow switch and Snort for detection of suspicious activity. In PACKET_IN approach, Snort runs as a background application connected to the OpenFlow controller and only suspicious activities are reported to the controller. The limitation of these methods is that there might be flooding of traffic in the network. The new method for integration is proposed in [92] where the rules of Snort are incorporated into OpenFlow switches and Snort
comes into play only when there is some suspicious activity in the system. The additional features are also embedded in OpenFlow which includes management server to controller and policy checking agents in switches. Transparent Intrusion Prevention Systems (TIPS) [13] has been proposed to prevent intrusion attacks by integrating SDN and poll-mode packet processing [13]. SDN-IPS has been proposed in [12] to prevent the intrusion attacks in a network with high efficiency.

2) SDN for Anomaly Detection: Anomaly detection (or outlier detection) in a network is the identification of events or observations which do not conform to an expected pattern. These days attacks are becoming more sophisticated which makes it hard to trace the actual origin of the attack. SDN technology gives us a privilege to configure the devices to serve our need. For instance, a home router that is configured using SDN works effectively to detect the malware and spyware attacking the system [14]. A graphical approach has been proposed in [93] that relies on OpenFlow based switches to trace-back the origin of attacks where all paths that are vulnerable to anomaly attacks can be determined.

With the implementation of SDN, collaborative detection can be implemented through the already existing centralized SDN controller where each switch or host reports its attack detection decision to the centralized controller. For binary decision variable $d_i \in \{0, 1\}$ of each switch/host $i = 1, 2, \ldots, N$, to make a decision ($D$) about the attack, the SDN controller can use logical AND operation ($\wedge$) as

$$D = \bigwedge_{\forall i} d_i \qquad (1)$$

or logical OR operation ($\vee$) as

$$D = \bigvee_{\forall i} d_i. \qquad (2)$$

Note that the AND operator in (1) says there is an attack when $d_i = 1, \forall i$ and thus this approach is more restrictive/conservative. Whereas the OR operator in (2) says there is an attack when any one of the $d_i$'s is true, making it the least conservative. Thus, an alternative approach could be the majority based decision that is given as

$$D = 1 \ \text{if} \ \sum_{i=1}^{N} d_i > \frac{N}{2}, \quad D = 0 \ \text{otherwise}, \qquad (3)$$

which could be a more appropriate scheme to enhance the performance of anomaly detection.

3) SDN for Distributed Denial-of-Service (DDoS) Attack Detection and Prevention: DDoS attacks deny legitimate users access to network services. These attacks can cause a significant damage by compromising the entire network [101]. Conventional networks have some methods to detect DDoS attacks and protect the networks but do not offer very reliable and flexible defense solutions [102]. Due to the programmable features and reconfigurable nature of SDN, flexible and robust approaches can be designed, deployed and evaluated to detect and prevent DDoS attacks.

The mobile devices have become more powerful compared to the past and usage of these devices has been exponentially increasing. This increases the chance of attacks including DDoS attacks in the network. Mobile malware detection approach has been proposed in [94] where mobile traffic from the access points is directed to the controller attached with a malware detector. Four algorithms for detecting malware are given below.
1) IP Blacklisting: A list of all suspicious IP addresses is maintained in the system. When switches send unmatched packets to OpenFlow controller, it verifies the IP address to see if it is from the blacklist and drops the packet if IP is found in that list.
2) Connection Success Ratio: If the number of unsuccessful connections of the users exceeds the fixed threshold value then the user is identified as a malicious one.
3) Throttling Connection: The malicious device/host trying to attack many systems is identified based on the Recently Accessed Host (RAH) list maintained in the system. If the waiting list of the host exceeds a fixed threshold value then the user is identified as a malicious one.
4) Aggregate Analysis: If one host in the network is compromised by malicious activity then security of the other users in the network is also at risk. This algorithm works for detection of other infected hosts based on the similarities (i.e., connection time, destination and single platform).

The integration of SDN for the mobile cloud infrastructure has been further explored in [101] for designing sophisticated mechanisms for protecting the network. The prime cause for the occurrence of DDoS attack in system is due to botnets. The protocol for easy recovery from botnet DDoS attacks is developed in [96] where the SDN controller is extended with DDoS blocking module. In [95], SDN has been exploited to use Remote Triggered Black Hole (RBTH) approach for the prevention of DDoS attacks. The SDN controller plays a major role in detecting the malicious traffic routed from OpenFlow switch and discards them to prevent further damage to the network. Furthermore, distributed collaborative framework has been proposed in [97] to enable autonomic mitigation of DDoS attacks by avoiding privacy leakage and other legal concerns.

B. Security Attacks in SDN and Countermeasures

As discussed, SDN offers defense solutions for various security attacks through its programmability features. However, there are several new threats that arise as a result of SDN implementation. Note that attacks are prevalent in SDN as it is mostly dependent on the programs/software for defining its behavior which may keep the security of the entire system at stake making it feasible for the attackers to enter the system. In this section, we present security attacks, challenges and countermeasures in SDN. Security vulnerabilities in SDN can jeopardize the entire network and degrade the performance. The attacks on SDN may occur in different modules such as controller, virtual machines and OpenFlow switches [6]. There are several attacks that arise along with SDN implementation [103]. Typical attack vectors and their locations of occurrence in SDN are shown in Fig. 6.

TABLE II. Security Attacks and Countermeasures in SDN

Fig. 6. Threat vectors in SDN.

The description of each threat vector shown in Fig. 6 is given below.
• Threat vector 1 represents the fake traffic flows that occur during intercommunication of SDN devices in the data plane. The attack may occur using the spoofed identity of legitimate flows or a fake identity of the device.
• Threat vector 2 represents the attacks at SDN switches in the data plane, which may occur from the in-flow and out-flow of traffic.
• Threat vector 3 represents the attacks that may occur during the communication of data plane devices with the control plane device (controller).
• Threat vector 4 represents the attacks at the controller.
• Threat vector 5 represents the attacks that occur between the controller and application layer devices (including admin systems).
• Threat vector 6 represents the attacks on the administrator's station, which is linked with the controller.
• Threat vector 7 represents the attacks targeting communications between the data layer and the application layer.

To protect from these threat vectors, defense solutions have been proposed in [103], but most of them are still open to be explored. Table II discusses various attacks in SDN occurring in different layers and provides the results of occurrence of these attacks along with mitigation techniques to prevent these attacks. The description of threats in different layers is discussed in detail below.
1) The controller is the most obvious target for attackers as the entire network functionality and behavior depends on the controller. Once the controller is compromised, it can pose a threat to the entire network. The threat vectors 3, 4 and 5 are associated with the control plane. The attacks can be directed from various modules, which include switches in the data plane layer, the northbound interface, the southbound interface and the application layer. DoS/DDoS, anomaly and intrusion attacks are the possible attacks that can occur in the control plane.
2) The switches in SDN are only capable of performing minimal tasks such as forwarding the packets. However, the threat posed to switches may cause huge damage to the entire network. The threat vectors 1 and 2 are associated with vulnerabilities in switches. DoS, DDoS, spoofing attacks and intrusion attacks are some attacks associated with the data plane.
3) The threat vectors 5, 6 and 7 are related to attacks in the application layer. Software related attacks such as bugs, failure of applications, malicious application injection, anomaly and intrusion attacks are the most common threats in this layer.
4) The threat vectors 3, 5 and 7 are associated with the attacks on interfaces. The interfaces play an important role in enabling communication between two planes. Most of the attacks on the interfaces are similar to attacks that occur in other planes. If the interface is compromised, it allows back and forth flow of malicious traffic in the system.

The detection and mitigation techniques for the above discussed attacks are presented in detail below.

1) DDoS and DoS Attacks in SDN: The SDN controller plays a crucial role in determining the functionality of the SDN architecture, thus the controller has become one of the main targets for DDoS/DoS attacks. Some vulnerabilities in FloodLight based controllers lure DDoS/DoS attacks [121], [122]. The links between switches and the controller are the point of interest for conducting these attacks. These attacks can be mitigated by enabling strict Transport Layer Security (TLS) authentication mechanisms in communication links between switches and controllers and also prioritizing the pre-existing connections over the new connection.
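As an added illustration (not code from the survey or from [118]), the sketch below shows one way a controller could watch for the switch-side request floods discussed in this subsection, using the windowed entropy test that the survey attributes to [118] further on: entropy is recomputed every 50 packets and a window is flagged when it exceeds a threshold. Measuring the source addresses of PACKET_IN events, the calibration rule, the event tuples and every address and switch name are assumptions constructed for the example.

```python
import math
from collections import Counter

WINDOW = 50  # packets per window, the figure the survey quotes for [118]


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def windows(events, size=WINDOW):
    """Split events into complete windows; a trailing partial window is skipped."""
    return [events[s:s + size] for s in range(0, len(events) - size + 1, size)]


def calibrate(baseline, margin=1.0):
    """Assumed rule: highest entropy seen in attack-free traffic plus a margin."""
    observed = [shannon_entropy(src for _, src in w) for w in windows(baseline)]
    if not observed:
        raise ValueError("need at least one full baseline window")
    return max(observed) + margin


def scan(events, threshold):
    """Score each window of (switch_id, src_ip) PACKET_IN events."""
    reports = []
    for index, w in enumerate(windows(events)):
        entropy = shannon_entropy(src for _, src in w)
        report = {"window": index, "entropy": round(entropy, 3),
                  "suspicious": entropy > threshold}
        if report["suspicious"]:
            # Name the switch that relayed most of the window so the controller
            # can rate-limit or isolate that source of requests.
            switch, count = Counter(sw for sw, _ in w).most_common(1)[0]
            report["top_switch"] = switch
            report["top_share"] = count / len(w)
        reports.append(report)
    return reports


# ---- constructed sample traffic (not captured data) ----
def normal_event(i):
    """Internal hosts spread over three switches; 10.0.0.1 is the busiest."""
    k = 0 if i % 4 == 0 else (i * 3) % 8
    return (f"s{k % 3 + 1}", f"10.0.0.{k + 1}")


def build_stream():
    """100 normal events, then 100 events where 4 of every 5 arrive via
    switch s2 with a unique spoofed source address."""
    events = [normal_event(i) for i in range(100)]
    spoofed = 0
    for i in range(100, 200):
        if i % 5 == 0:
            events.append(normal_event(i))
        else:
            spoofed += 1
            events.append(("s2", f"203.0.113.{spoofed}"))
    return events


if __name__ == "__main__":
    threshold = calibrate([normal_event(i) for i in range(1000, 1150)])
    print(f"threshold = {threshold:.3f} bits")
    for report in scan(build_stream(), threshold):
        print(report)
```

Spoofed sources push the per-window entropy up, which matches the "above the threshold" rule as the survey states it; a detector that measures destination addresses instead would look for the opposite movement.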

Note that DDoS attacks can be detected using techniques proposed for conventional networks; however, the same defense techniques proposed for traditional networks cannot be implemented directly in SDN due to the differences in the architecture. Ideas proposed for traditional networks can be borrowed while designing attack detection techniques for SDN.

Typical DDoS attacks are untraceable as they are carried out by botnets with automated actions. To discover DDoS attacks, there are different approaches [123], [124] which could easily detect botnets. Protocols and IP addresses can be verified to detect DDoS attacks; however, botnets can spoof the identity by faking legitimate addresses. In this case, the detection system might not be able to detect attacks since the protocols and IP addresses faked by the attacker seem legitimate for malicious legitimate users or botnets. Furthermore, DDoS attacks could occur at random intervals and random times, and they are persistent. Important DDoS attack defense solutions are briefly discussed below.
1) Attack Pattern Recognition [125]: If the attack is happening at particular intervals, such as at any given date and time and repeating within similar intervals such as year or months, then the pattern of attack can be recognized. We can also gauge the duration of attacks and how long these attacks last. The nature of the attack and the packets of the attack can give us a hint of what kind of attack is being carried out. If this information can be logged to create a database from the prior experiences of attack to generate the statistics, the pattern of attack can be recognized.
2) System Clustering for Added Security [126]: For the provided system, DDoS can be nullified or made complicated to achieve by clustering the system. For each cluster created, user authentication can be added. With the user authentication requirement, further credibility is necessary to penetrate and cause havoc. Therefore, clustering of the system can provide an added layer of security to be able to filter out attacks. Moreover, if an attack is carried out on one cluster of the system, the rest of the clusters might be safe and not the whole system is prone to DDoS attacks.
3) Detection of High Speed Flow-level Detection System (HiFIND) [127]: In order to detect the DDoS attack and provide substantial protection to the victim and service provider, HiFIND can be utilized. It is highly secured due to its high volume capacity and immune to DDoS attacks for high density data packets. Thus, HiFIND is less prone and highly stable when it comes to DDoS attacks that target weaker system; highly vulnerable to satisfying only low volume traffic.

Lightweight DDoS attack detection [119] has been proposed, which is a map based detection scheme inspired by the Self Organizing Map (SOM) technique. It is a three stage process consisting of flow collector, feature extractor and classifier. The flow extractor is used for gathering the flow statistics from OpenFlow switches. The feature extractor selects the specific information required for the detection, based on which the classifier determines the legitimate user. The security defense approach called Damask has been proposed in [128] to protect SDN from DDoS attacks.

The entropy method has been proposed in [118] to detect a DDoS attack on the controller using a threshold value. The entropy of the IP addresses is calculated after every incoming 50 packets and if it is above the threshold value, it declares that there is a suspicious activity in the system. These attacks are mostly directed during the communication with switches. Infected switches send overwhelming requests and the controller will be involved in responding to these fake requests, denying the requests of legitimate users. This attack creates direct harm to the legitimate users. These attacks can be mitigated by protecting the controller from these malicious flows.

TopoGuard has been developed in [105] as a security add-on in an OpenFlow controller to address the vulnerabilities in network topology. Network attacks have become most common in many controllers available in today's market such as flood-light, beacon and POX. It focuses on countermeasures for the vulnerabilities involving host tracking services and link discovery in the OpenFlow controller. This architecture maintains the record of the host profile, which includes MAC address, IP address and location information, to provide a seamless service without delay in the hand-off mechanism. The host profile is monitored and tracked by the Host Tracking Services (HTS) present in the controller. This can be used for determining the valid user. When the controller cannot match the host profile, the new profile is created and stored. If the location of the host varies with the profile then it gets updated automatically using the HOST_MOVE event, presuming the change of location of the host. This kind of functionality is not very secure and creates the gateway for the hijackers and spoofing attacks as the users are not validated with any authentication mechanisms. If the attacker can get access to the location of the target he can trick the controller by mimicking the host, creating the Web impersonation attack. Public key based methods can be implemented to validate the host but would not be a very efficient solution as the management of these keys would be a tedious task involving cost factor. TopoGuard uses precondition and post condition techniques for validation of the host migration. The precondition is the Port_Down signal before host migration and the post condition refers to verification of post location of the host and making sure that it cannot be reached in that location. The Link Discovery Service (LDS) uses Link Layer Discovery Protocol (LLDP) for discovering the internal links between the switches. The link fabrication attacks occur by injecting fake LLDP packets that are capable of creating DoS attacks and man-in-the-middle-attacks. Methods for resolving these kinds of attacks include the additional authentication of LLDP packets using Type Length Variable (TLV) and switch port confirmation [105]. Furthermore, LineSwitch, which is a solution based on probability and blacklisting, offers resiliency against SYN flooding-based control plane saturation attacks and protection from buffer saturation vulnerabilities in SDN [121].

FortNOX technique has been introduced in [101] and [113] to resolve the security threats in the application layer and the control layer of SDN. It is a software solution implemented in the NOX OpenFlow system to secure the system. It responds to

the requests based on the authorization and privileges granted to the users. This method can help to prioritize valid users over fake users.

Avant guard has been proposed in [17] that focuses on two key aspects, i.e., security between the data plane and control plane and increasing the response rate of the controller to the data plane requests. These two issues of SDN can be resolved by the addition of some more security features into the system, namely connection migration and actuating triggers. Connection migration is used for enhancing security in the data plane using classification, report, migration and relay stages. For providing strict security, flow packets are allowed to interact with the controller only after passing the TCP handshake mechanism. This method can help in the detection of malicious users. The actuating trigger is enabled to increase the responsiveness between the controller and the data plane. These triggers make the data plane report all the existing conditions in switches to the controller asynchronously.

In [129], a model has been proposed to analyze the threats that may occur during the communication with the data plane by using the OpenFlow protocol. The analysis is done by a combination of STRIDE and attack trees to analyze attacks such as spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege.

2) Anomaly Attacks in SDN: Anomaly attacks are involved with many risks such as unauthorized access, malicious application injection etc., which can affect the security of both applications and networks. Furthermore, these attacks are one of the most dangerous attacks that can occur in any layer of the network and are untraceable and hard to detect. Four anomaly detection techniques are proposed in [14], which are discussed below.
1) Threshold Random Walk with Credit-Based (TRW-CB) Algorithm [114] considers the user to be suspicious if the probability value (i.e., ratio of the number of unsuccessful connection and attempts made by the user) is greater than the fixed threshold value.
2) Rate Limiting Algorithm [115] considers the user to be suspicious if the user tries to establish communication with multiple devices in a given time above the threshold value.
3) Maximum Entropy Detection [116] provides the operator with a complete view of the network from all dimensions. It is a two staged process in which it first categorizes the packets into various classes based on destination and then detects the anomalies based on rapidly varying traffic patterns.
4) Network Advertisement (NETAD) [117] is a two staged process. In the first stage, it filters out all unnecessary data such as non IP packets, leaving flows, etc. In the second stage, it monitors the network and detects rarely occurring events and then reports to the controller.

The programmability features of SDN make it convenient to debug the errors as well as attract the attackers [130]. Similarly, No bugs In the Controller Execution (NICE) has been proposed in [112], which is a debugging tool in OpenFlow networks that monitors the condition of the complete system frequently and determines eleven kinds of bugs such as host unreachable after moving, delayed direct path, excess flooding, next TCP packet always dropped after reconfiguration, TCP packet dropped after reconfiguration, ARP packets forgotten during address resolution, duplicate SYN packets during transitions, packets of a new flow are dropped, packets drop when the load reduces etc. The NICE approach provides a report of the policy violations and origin of attack, helping the system to retrieve back from these bugs.

FRESCO-DB has been developed in [15] from the click router [131], which contains two important modules that are embedded in the NOX controller to detect and countermeasure the suspicious threats. The API module creates different schemes to counter attack the malware using IDS and other anti-malware applications. The Security Enforcement Kernel (SEK) module is used for the enforcement of the security related applications specified by the controller.

The confidentiality and authenticity of applications in SDN can be protected by the method of encryption and cryptography [11], [132]. The Z3 prover method uses a high level programming language to distinguish a legitimate application from malicious applications for protecting confidentiality and integrity of applications [6], [120].

3) Intrusion Attacks in SDN: The traditional networks have built-in middle boxes (which can integrate IDS, firewall and proxy) and other features to block malicious users. These middle boxes are not available in SDN but are essential to secure the SDN from security attacks in both data plane components and the controller. They may not be capable of completely preventing the attacks but can be helpful for enhancing the basic security in SDN. However, integration of these modules in SDN comes with some difficulties as SDN has a decoupled structure that relies on a centralized controller for all tasks such as updating the policies. Thus, incorporating extra modules may impose overhead on the controller, showing its impact on the entire network. This might result in intrusion attacks in SDN when the effects of attacks are overlooked as legitimate overhead on the controller [133]. There have been various methods proposed for detecting intrusion attacks in SDN without affecting overall network performance.

FlowGuard has been proposed in [108] as an SDN firewall and is more sophisticated compared to the firewalls in conventional networks. FlowGuard is associated with a dual functionality to work as packet filter and policy checker. It monitors the network for detecting malicious packets and policy violations in SDN.

FlowTag architecture has been proposed in [109] for optimizing the system by adding the extended architecture along with the middle-box, which tags packets passing through it. This makes it easier to track the missed and malware packets present in the network among others [109], [134]. Though the middle boxes have many advantages associated with them, the management of the middle boxes in SDN is a tedious task. NIMBLE architecture has been proposed in [110] for managing the middle boxes based on the policy rules provided by the administrator. The slick architecture has been proposed

in [111] for OpenFlow based SDN, which is capable of supporting various devices such as NetFPGAs, GPUs and NPs. This method uses a separate control plane to control all operations of middle boxes, which enhances the flexibility of SDN.

As SDN functions are completely based on the instructions provided by the controller/software, it is more vulnerable to process breaks, and the introduction of new bugs can result in reduction of the overall performance of SDN [135]. According to the recent standard (version 1.3.0) of the openSwitch, the presence of transport layer security (TLS) is not a mandatory option. However, the southbound API of the network, which is more prone to the threats, requires a security layer such as TLS that authenticates users using encryption techniques before granting access.

4) Spoofing Attacks in SDN: Spoofing attacks are a kind of attack in which the attacker uses the identity of a legitimate user to inject fake packets and malicious applications into the network. Because of the flexibility that SDN offers, spoofing attacks are easy to implement in software defined networks. The OpenFlow switches in SDN are data forwarding devices with no intelligence programs. They can be spoofed and used for sending requests to the controller. The controller also cannot block these fake packets as it lacks basic components like middle boxes. The other kind of switches in an OpenFlow network are soft switches, which are responsible for network virtualization. These switches are connected to the controller directly, becoming an attractive target for the attackers. These switches pave a direct way for the attackers into the controller, where the attackers can configure the routing policy of the switches, misleading all the packets in the network [107]. The effect caused by these attacks can be reduced by early detection of malware switches. For this purpose all packets flowing into the network should be carefully inspected.

Two schemes for finding suspicious switches have been proposed in [106]. In the first scheme, malicious switches in the system are detected based on the traffic flow being higher than a given threshold value. The second scheme in the network involves embedding a third party server to monitor the switches to find any malicious actions.

A technique called Sphinx has been proposed in [107] for spoofing threats/vulnerabilities detection in network topology and the communication interface between the data plane and control plane. It takes advantage of the flow graphs to monitor each and every flow. It also uses four important OpenFlow commands such as FLOW_MOD, PACKET_IN, STATS_REPLY and FEATURES_REPLY to obtain all required data from the switch and alert the controller if any suspicious activity is detected near the switches [107].

All of these attacks can be avoided to some extent by maintaining the privacy of users' contents. The most dangerous attacks in the networks are targeted at IP-based networks. This necessitates the need for protecting the IP as a whole. In SDN the special mechanism called OpenFlow random host mutation (OF-RHM) is implemented, which hides the actual IPs and uses random virtual IP addresses [104], which prevents the attacks to some extent.

IV. ENERGY EFFICIENCY AND ITS TRADEOFF WITH SECURITY IN SOFTWARE DEFINED NETWORKS

Due to the ease of modifying the network operations and adapting various energy efficient mechanisms, SDN provides a better solution not only for network security but also for green networking, which has become important in network design and deployment for economic and environmental benefits. Fig. 7 consists of different approaches for energy saving in SDN. It is worth noting that the security schemes when implemented consume more energy than without them, as security schemes consist of computing and communications which consume more energy in the network. Thus we study both security and energy efficiency and their trade-off in this section.

Fig. 7. Different approaches for energy saving through SDN implementation.

Fig. 8. Typical OpenFlow based SDN and OpenFlow switch.

To see the trade-off between energy efficiency and network security, we analyze and evaluate different security schemes when SDN and energy saving techniques are implemented. We created a small scale testbed for SDN as shown in Fig. 8, where the OpenFlow controller monitors the overall status of the network. The OpenFlow PF5240- ProgrammableFlow Switch offers forty-eight 10/100/1000 Mbps ports & four 1000/10000 Mbps ports with 176 Gbps switching speeds (Fig. 8(b)); with Flow entry capabilities of 64000-160000. This hybrid controller connects OpenFlow networks to L2/L3 networks. Having access to this switch will reduce

network complexity while eliminating the need for traditional network protocols by providing OpenFlow 1.0 and 1.3.1 support. NEC's Virtual Tenant Networks (VTN) technology provides secure multitenant cloud networks that will allow access to various pre-existing devices from other third-parties. Furthermore, we created a traditional network that was equivalent to SDN but networking functions were fixed unlike SDN.

Then, we have implemented different security schemes and energy saving schemes, and collected data to evaluate and compare the performance of SDN and traditional network as well as to study the tradeoff between energy efficiency and security.

First, in Fig. 9, we plotted a comparison of energy consumption with and without SDN implementation (adaptive configuration for both security and energy efficiency) for encryption and decryption of the same file in various symmetric ciphers and transmitted that file from one computer to another. From Fig. 9, we observed that the energy consumption for different symmetric ciphers is much higher in traditional network than that in SDN. SDN consumes less energy (while providing the same network security) because of the configurable features of SDN that allow the network to adjust both the speed of the port (as a 10 Mbps port consumes less energy than 100 Mbps or 1000 Mbps ports) and utilization of the link based on the need, which is not available in traditional network.

Fig. 9. Comparison of energy consumption with and without SDN implementation for encryption and decryption in various symmetric ciphers and transmission.

Next, we plotted the variation of energy consumption for traditional network and SDN for key setup in various symmetric ciphers as shown in Fig. 10. When the key was exchanged, SDN used a low speed (e.g., 10 Mbps) link without degrading any network performance as the key size is small. But in traditional network, the small size key was exchanged with a high speed link, which consumes more energy. As a result, traditional network consumes more energy compared to SDN as shown in Fig. 10.

Fig. 10. Comparison of energy consumption with and without SDN implementation for key setup in various symmetric ciphers.

In Fig. 11, we plotted the variation of energy consumption with and without SDN implementation for various Hash functions for transmission of the same data file. Because of the adaptive nature of SDN, it adjusts the network parameters (speed of the port/link, sleep/on mode based on link activity, etc.) and consumes less energy than that in traditional network as shown in Fig. 11.

Fig. 11. Comparison of energy consumption with and without SDN implementation for various Hash functions and transmission.

Next, we plotted the variation of energy consumption with and without SDN implementation of digital signatures for Digital Signature Algorithm (DSA) in Fig. 12 and for RSA in Fig. 13. In both DSA and RSA, energy consumption is higher in traditional network than that in SDN.

Fig. 12. Comparison of energy consumption with and without SDN implementation with 1024 bits key size for DSA based digital signatures and transmission.

Next, we implemented the RC5 security scheme in traditional network and SDN for an identical experimental setup. We plotted the variation of energy consumption and security for their

trade-off for RC5 encryption and transmission of the information in Fig. 14. As mentioned earlier, SDN adapts the link parameter and operating parameters, it consumes less power than that in traditional network as shown in Fig. 14. However, when SDN needs higher security (higher rounds for RC5 encryption for better security), energy consumption increases with the level of security (e.g., number of encryption rounds) as shown in Fig. 14.

Fig. 13. Comparison of energy consumption with and without SDN implementation with 1024 bits key size for RSA based digital signatures and transmission.

Fig. 14. Comparison of energy consumption and security trade-off for RC5 encryption and transmission.

Then we plotted the variation of energy consumption for secure socket layer (SSL) handshake in traditional network and in SDN with increasing data sizes as shown in Fig. 15. We observed that energy consumption increases with the data size as shown in Fig. 15 for both traditional network and SDN. However, energy consumption is lower for SDN than that for traditional network since SDN adapts the link speed based on the information to be transmitted. When SDN uses its maximum speed limit and its link is fully utilized, it consumes the same energy as traditional network as shown in Fig. 15. However, when there is room to utilize a lower link speed, it consumes lower energy without degrading the network performance.

Fig. 15. Comparison of energy consumption for SSL handshake with and without SDN implementation with increasing transaction sizes.

Finally, we plotted the variation of average energy/power consumption for the traditional network and the SDN (with and without security/IPS implementation) as shown in Fig. 16. In traditional network, regardless of time, it consumes the same power; however, SDN consumes variable power based on load, which is based on the time of the day as shown in Fig. 16. During the peak hours all networks consume maximum power; however, SDN consumes less power during off peak hours. When a security scheme such as IPS is implemented, SDN consumes more power than that without security implementation as shown in Fig. 16. Thus we can summarize that the security comes with cost and we need to consider the trade-off between energy efficiency and security.

Fig. 16. Variation of percentage of average energy/power consumption by traditional network and SDN with and without security/IPS implementation for a typical small office home office environment as shown in Fig. 8. Experiment was conducted in CWiNs research lab at GSU with NEC OpenFlow switches and controller by mimicking the traffic patterns of the University computer network.

We can conclude that the SDN can adapt its network parameters on the fly to provide security with lower energy consumption compared to traditional network. In other words, energy efficient approaches for SDN can help to consume less power while providing better or the same level of performance and security than that in (equivalent) traditional network. Thus it is important to study energy efficient approaches for the SDN, which are discussed in the following sub-section to make the paper self-contained.

A. Energy Efficiency in SDN

As discussed in earlier sections, one of the major problems faced by many companies around the world is the

amount of energy consumed by networks. The need for continuous availability and its huge architecture make network energy consumption high. The companies pay a significant percentage of their revenue to power their network infrastructures [136]. Usage of energy efficient networks such as SDN is regarded as a solution for reducing the overall consumption of power in the network [23]. This attracted companies like Google to incorporate SDN in their networks [64]. Implementation of some energy saving strategies in SDN can reduce the overall power consumption, which leads to cost reduction [89]. The openness, feasibility and programmability of SDN reduce the complexity of implementing energy efficiency approaches in both hardware and software. It would be more efficient to apply power saving schemes in each module for overall energy saving [137]. For this purpose the power consumed in SDN by each module such as chassis, routers and nodes in the network needs to be known. Furthermore, SDN is regarded as a viable solution where minimal resources could be used to perform a task without degrading overall network performance (such as security) that reduces energy consumption.

Measurement model has been presented in [138], where the power consumed by OpenFlow switches such as OF hardware Switch and OF vSwitch running on the server are considered for the experiment. According to the results obtained, enabling sleeping mechanisms can improve the energy efficiency of OF vSwitch as the power consumption of the network is dependent on the number of active links in the network. Additional savings of up to 6.6% of overall power can be achieved by setting the port configuration rate to 10 Mbps. The obtained power measurements are expected to have error less than 1% in hardware switches and 8% in software. The frequent powering off and on can show its impact on decreasing the life time of networking devices. The efficiency can only be achieved when the adopted schemes do not affect the performance of the system. So, the method to be implemented in the network should be selected based on characteristics of the network.

Table III and Table IV provide a comparison between various energy efficiency techniques that have been proposed to implement in SDN. These tables provide the working principle of each method along with advantages and disadvantages that they offer when they are implemented in SDN.

The energy efficient schemes that can be implemented in SDN are discussed below.

1) Energy Efficiency Through Optimal Network Resource Utilization: The amount of traffic during the different times of day is not similar, especially during night times the traffic load

provide the service. This leads to the energy efficient proper utilization of the networks.

Content based method [148] has been implemented in software defined Information Centric Network (ICN) for proper utilization of resources with reduced power consumption in the network. ICN has prior information about the length of content that needs to be delivered and allocates only the required amount of resources. This method also keeps track of these resources to ensure proper utilization. Elastic tree model proposed in [89] showed 50% reduction in power usage where the optimizer module allocates the most suitable link to efficiently handle the traffic load while meeting QoS requirements. The unused links in the network are put in sleep mode to save energy.

Multi Layer Traffic Engineering (MLTE) [149] and GreCO [150] follow a similar approach to elastic tree and these approaches insignificantly save power consumption in SDN [88]. The exclusive routing algorithm (EXR) in [173] routes the traffic based on the time dimension and this method of routing is more effective and quick compared to other energy saving algorithms. In [174], energy efficient routing protocols are proposed to route the network traffic to the most suitable and shortest path to meet the requirements of the users. The queue engineering process has been adopted for energy saving of OpenFlow switch in the NETFPGA platform [175]. The clock controller is combined with the OpenFlow controller for supporting various modes for power management. This method has a separate module that lowers the frequency to 0 MHz in no traffic conditions for proper usage of power [176]. Reducing the replication of unwanted data can reduce the power consumption of the network to some extent [22]. To avoid redundancy in storage of data, the SMart In-Network Duplication (SMIND) method has been implemented in [177]. This method identifies the redundant data using a fingerprinting technique.

2) Energy Efficient Traffic Engineering/Management: Traffic engineering/management for energy optimization is not a new concept. This approach is popular in traditional networks and is used in SDNs for energy efficiency. The Asynchronous Transfer Mode (ATM) network [178] has strict and limited policies for protecting the entire network without degrading Quality of Service (QoS) of the users. These features are beneficial to SDN. Flow management and load balancing techniques can be implemented in both switches and controller for energy efficiency in SDN [65], [179]. Energy usage is minimized in Internet Protocol (IP) based traditional networks using load balancing and efficient routing paths such
may be reduced to great extent and most of the nodes in net- as shortest path routing protocols [180]. These features are
work remain unutilized or underutilized (as shown in Fig. 16). also regarded as energy saving schemes in SDN. Similarly,
However, when security defense techniques are implemented, MultiProtocol Label Switching protocol (MPLS) is mostly
power consumption increase significantly. In SDN, due to focused on implementation of traffic engineering (TE) schemes
the flexibility to control the networking devices using a high in the Internet infrastructure [181] for efficient delivery of
level programming language, the rerouting techniques can be packets with optimal energy. This method is suitable for traf-
implemented with ease [88]. The controller in SDN can make fic engineering in SDN where drawbacks of MPLS can be
decisions according to the traffic load in system promoting addressed by the OpenFlow networks.
green networks and efficient resource utilization. The nodes Hash based ECMP has been proposed in [139] as an
that have no traffic can be sent in sleep mode and the nodes Equal Cost Multi Path switch based load balancing scheme
with low traffic can be rerouted to few active networks to that directs the flow to multiple paths in the network to
338 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 19, NO. 1, FIRST QUARTER 2017

TABLE III
E NERGY E FFICIENCY T ECHNIQUES IN SDN

enhance energy efficiency. The major drawbacks of this load balancing scheme capable of handling the large flows [140]. In
balancing technique are computational complexity and low Hedera, controller manages the traffic based on the informa-
performance. Hedera has been regarded as an intelligent load tion obtained from switches and consumes minimum energy.
RAWAT AND REDDY: SOFTWARE DEFINED NETWORKING ARCHITECTURE, SECURITY AND ENERGY EFFICIENCY 339

TABLE IV
E NERGY E FFICIENCY T ECHNIQUES IN SDN (C ONTD ...)

This helps to avoid collisions. Mahout [141], a load balancing network receive and store it along with the version number.
scheme, has been implemented in data centers to enhance net- When multiple policies exist in the switches then the packet
work performance and reduce energy consumption. DevoFlow is differentiated based on the version number and processed
load balancing has been implemented in [142] in enterprise by using new policy or old policy.
networks and data center environments to reduce the burden A method with per packet consistency and all packet con-
on controller by providing the switches with a set of additional sistency update in SDN has been presented in [48]. The SDN
wild card rules and minimize the overall energy consumption. controller updates the system in a timely manner and elimi-
Other advantages of this method includes performance and nates the old policies when it stops receiving the packets using
scalability. An approach called DIFANE has been capable of the old versions. Some other controllers set expiration date
achieving controller load balancing by implementing detailed for the older versions and do not support them after this fixed
and strict policies in enterprise networks [143]. The goal of the date. The major limitation of this method is it should store
DIFANE is similar to DevoFlow, however this scheme adds both versions in the flow table for certain time. This may
additional switches in the network called authority switches overwhelm the flow table entries and consume more space in
which store all the important flow entries. When the packet memory and increase the energy consumption. A new method
does not match with the flow table rules in the regular switches that deals with single set of rules has been proposed in [158]
they are immediately forwarded to authority switches for mak- to address the issues of memory consumption and energy
ing the decision. Hyperflow has been proposed in [144] as an consumption. In TIMECONF method proposed in [159], new
event based distributed control plane platform, which can pro- policies are updated sequentially in a scheduled time. However
vide the benefits offered by the OpenFlow and also overcome this method is associated with some delay as controller updates
its limitation of scalability. Balance Flow has been proposed the next switch only after it receives an acknowledgment
in [145] as a controller load balancing scheme in OpenFlow from the updated switch. Incremental update method called
networks. It has been proposed as an extension in OpenFlow Net-Plumber [157] has been proposed to enable quick policy
switches called Controller X action. This classifies the flows updates in network by configuring only the portion of switches
into various categories based on the switches from which they that needs an update resulting in lower energy consumption. It
originated and directs them to different controller. SDN/OSPF is located between data plane and control plane, and enforces
Traffic Engineering (SOTE) has been proposed in [147] as a policies into switches at the rate of 50 − 500µs [157].
hybrid traffic engineering method with the combination open Note that the energy can be saved in SDN by lower the
shortest path first and SDN to lower the link utilization in speed of the link while updating the SDN policies. Note that
the network. The main goal of this method is load balanc- the SDN policies can be easily updated with 10 Mbps links in
ing by directing them evenly through all the SDN nodes and real-time and consume 4 watts lower than that of 1Gbps link.
minimize the overall energy consumption. 4) Energy Efficient Monitoring of Traffic Conditions:
3) Energy Efficient SDN Policy Updating Including Security Energy saving in the network can be obtained by dynamically
Policies: Conventional networks update the network policies programming the network according to traffic conditions. In
once in a while, whereas SDN being an adaptive architecture order to dynamically adjust the system based on traffic flow,
needs to be updated frequently to adapt itself to updated envi- it is required to have updated information about the traffic
ronment. The constant updates in the system can hinder the conditions in the network. This necessitates need for traffic
performance of network and also increase power consump- monitoring approaches to be implemented in SDN. Though
tion. In SDN, the controller is responsible for updating and these monitoring schemes are not completely accurate, they
enforcing the new policies in the network. Whenever a new can help the controller to have an idea about traffic flow in
policy is updated in a network, all switches present in the the network including network security attacks.
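The version-tagged update described under 3) above, run next to an in-place update of the same switches, as an added example (not code from the survey or from [48]). The five-switch topology, both policies and all names are constructed assumptions; it shows that only the in-place update exposes packets to a path that is neither the old nor the new policy (here one that skips the firewall), while versioning pays for consistency with doubled table occupancy during the transition.

```python
from typing import Dict, List, Optional

HOST = "HOST"  # pseudo next hop: the packet leaves the network

# Constructed policies for one traffic class: next hop per switch.
# OLD forwards S1 -> S2 -> S4; NEW steers the class through the firewall FW.
OLD = {"S1": "S2", "S2": "S4", "S3": "S4", "S4": HOST}
NEW = {"S1": "S3", "S3": "FW", "FW": "S4", "S4": HOST}
SWITCHES = ["S1", "S2", "S3", "FW", "S4"]
OLD_PATH = ["S1", "S2", "S4"]
NEW_PATH = ["S1", "S3", "FW", "S4"]


class Network:
    def __init__(self, ingress: str = "S1") -> None:
        # rules[switch][version] = next hop for packets carrying that version
        self.rules: Dict[str, Dict[int, str]] = {s: {} for s in SWITCHES}
        self.ingress = ingress
        self.stamp = 0  # version the ingress switch writes into new packets

    def install(self, switch: str, version: int, policy: Dict[str, str]) -> None:
        if switch in policy:
            self.rules[switch][version] = policy[switch]

    def remove_version(self, version: int) -> None:
        for table in self.rules.values():
            table.pop(version, None)

    def entries(self) -> int:
        return sum(len(table) for table in self.rules.values())

    def trace(self, version: Optional[int] = None) -> List[str]:
        """Hops visited by a packet carrying `version` (default: current stamp)."""
        tag = self.stamp if version is None else version
        path: List[str] = []
        node = self.ingress
        while node != HOST:
            if len(path) >= len(SWITCHES):
                return path + ["LOOP"]
            path.append(node)
            nxt = self.rules[node].get(tag)
            if nxt is None:
                return path + ["DROP"]  # no rule for this version: table miss
            node = nxt
        return path


def naive_update(order: List[str]) -> List[List[str]]:
    """Overwrite rules in place, one switch at a time; record the path after each step."""
    net = Network()
    for s in SWITCHES:
        net.install(s, 0, OLD)
    seen = [net.trace()]
    for s in order:
        net.rules[s].pop(0, None)
        net.install(s, 0, NEW)
        seen.append(net.trace())
    return seen


def two_phase_update(order: List[str]) -> dict:
    """Install the new version beside the old one, then flip the ingress stamp."""
    net = Network()
    net.stamp = 1
    for s in SWITCHES:
        net.install(s, 1, OLD)
    seen, peak = [net.trace()], net.entries()
    # Phase 1: add version 2 next to version 1; the ingress still stamps 1.
    for s in order:
        net.install(s, 2, NEW)
        seen.append(net.trace())
        peak = max(peak, net.entries())
    # Phase 2: a single change at the ingress; new packets now carry tag 2.
    net.stamp = 2
    seen.append(net.trace(version=1))  # packet stamped just before the flip
    seen.append(net.trace())
    # Phase 3: version-1 packets have drained; reclaim their table entries.
    net.remove_version(1)
    seen.append(net.trace())
    return {"paths": seen, "peak_entries": peak, "final_entries": net.entries()}


def inconsistent(paths: List[List[str]]) -> List[List[str]]:
    """Paths that match neither the complete old nor the complete new policy."""
    return [p for p in paths if p not in (OLD_PATH, NEW_PATH)]


if __name__ == "__main__":
    order = ["S1", "S3", "FW", "S4", "S2"]
    print("in-place  :", inconsistent(naive_update(order)))
    print("versioned :", two_phase_update(order))
```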
An approach called Open TM has been proposed in [151] as a query based monitoring system that relies on the features of OpenFlow switches to measure the network traffic. The information cannot be obtained from all switches as it may impose overhead on the network and consume more energy. The switch from which the traffic statistics are to be collected is intelligently chosen from the routing information present in the controller to minimize the energy consumption and boost the overall network performance. Payless has been presented in [152] as a pull based traffic monitoring scheme that uses an adaptive statistics collection algorithm for obtaining highly error free traffic conditions in the entire network. In this method, the controller queries the switches in the data plane continuously for updates regarding the traffic flow. Payless proved to be an effective method by lowering the energy consumption in the network. The drawback of this system is querying the controller continuously for maintaining accuracy, which may impose overhead on the controller.

FlowSense has been proposed in [153] as a push based monitoring method that focuses on estimating the link utilization. The switches forward the message regarding the detection of new flows to the controller using PacketIn and FlowRemoved commands, based on which the controller enforces new policies into the system. These messages could favor the FlowSense monitoring scheme to estimate the resource utilization, bandwidth and energy consumption in the network. OpenSketch has been proposed in [155] as a push based traffic flow monitoring scheme which follows the similar concept of decoupling the planes as SDN and uses three major stages, namely hashing, filtering and counting. Hashing is used for providing a brief overview of the flows that need to be measured. The filtering stage eliminates the unnecessary data and statistics are obtained in the counting stage. The results obtained are highly accurate. MicroTE has been proposed in [156] as a traffic monitoring scheme in the network. It dynamically adjusts itself to the traffic conditions in the network and immediately responds to the changes in the network. The updates on the recent traffic conditions are received from the agent installed in the server and immediately reported to the controller. OpenSample has been proposed in [154] as a push based monitoring scheme that relies on the sFlow packet sampling tool for obtaining the packet headers from the network.

5) Ternary Content Addressable Memory (TCAM) Compression for Energy Efficiency and Network Security: The rules that are to be implemented in the SDN are stored in the flow table present in Ternary content addressable memory (TCAM). It can compare all incoming flows in parallel and enable quick packet processing [182]. The number of entries in the flow table is limited as the TCAM usage is associated with a cost factor. TCAM is expected to impose the burden of 400 times more cost and 100 times more power usage [183] than the traditional memory storage devices such as RAM. The other main concerning issue of TCAM is its update time, which is limited to 40–50 rule-tables per second [166], [167], [184].

Compact TCAM has been proposed in [161] that condenses the structure of TCAM by lowering the size of the flow IDs in a flow table. The flows are assigned a specific flow ID for the purpose of identification. The other advantage of the compact TCAM includes the usage of SDN for removal of redundant information. By the implementation of the compact TCAM method, 80% of the power reduction can be achieved. TCAM razor has been proposed in [160] to reduce the number of flow entries in the flow table by implementing a four step mechanism that compresses the TCAM by 29.0%, which leads to the savings of 54% energy. In this method multidimensional rules are fragmented into many one dimensional rule lists. BitWeaving has been proposed in [162] as a non-prefix ternary classifier implemented for the compression of rules in TCAM using two different approaches: bit swapping and bit merging. In this method, flow entries that have the same decision and differ by just a single bit can be combined together. The BitWeaving method was able to achieve the compression ratio of 23.6% with high speed and energy efficiency [162].

Palette distribution [163] has been proposed to offer a solution for the rule placement problem by breaking the large SDN tables into small sub-tables using pivot bit decomposition. As all rules cannot be stored under the single network, they are divided and distributed among the multiple networks under SDN. A joint optimization method has been proposed in [164] that uses both rule allocation and traffic engineering to achieve energy optimization and security in the network. An Integer Linear Program has been proposed in [165] that uses a greedy heuristic method for achieving the energy saving. Though the software switches can eliminate issues such as high cost and can also update the flow tables up to 10 times quicker than the hardware switches, they are associated with some delay in the packet processing. CacheFlow has the hybrid switch embedded with both features of hardware and software switches [166], [167] that offers energy efficient solutions.

6) Proper Placement of SDN Devices for Energy Efficiency and Network Security: As the SDN controller is regarded as the brain of the SDN that controls behaviors of the network, its placement location has a crucial role. The controller should be capable of managing the provided number of switches in the network. The proper placement of the controller can improve the overall efficiency in the SDN and can also serve as a benefactor for reducing the cost. Deployment of many controllers in SDN has both pros and cons. A significant amount of research has been conducted on SDN controllers that are needed to be integrated in the system. The number of controllers in the SDN should be based on the amount of traffic load and network security requirement, and the size of the network that a given controller needs to control. A mathematical model has been proposed in [171] for the placement of controllers with a motive to minimize the energy cost and to boost the network performance. Factors such as the location of the switches, length and bandwidth of the switches and other information are taken into consideration. The controller placement problem for the minimization of cost can be expressed as

$$\text{Minimize}\quad C_c(x) + C_l(v) + C_t(z), \tag{4}$$

where $C_c(x)$, $C_l(v)$, $C_t(z)$ are the cost of installing switches, cost of linking controllers to switches and the cost for linking the controllers together, respectively. The equation (4) should satisfy some criteria such as: the number of switches connected to the network is always less than the number of ports in the network, the switches in the network have only one particular link to connect to the network, and the controller is capable of handling the number of packets sent by the switches connected to a given controller.

Next, VM placement in SDN enables proper resource utilization by the infrastructure in the network. Though the VMs are used in the network for the improvement of energy saving, the improper and excessive placement of VMs may degrade the overall performance and network security, and increase the energy consumption. The Energy efficient QoS guarantee Virtual Machine Placement (EQVMP) method has been proposed in [172] to find optimal ways for VM placement. This method is implemented in three phases as
a). Hop Reduction: Decomposes the VMs into multiple classes and uses protocols such as OSPF to determine the suitable path.
b). Energy Saving: The suitable location for placing VMs is decided using the best fit algorithm. The position of a VM should reduce resource consumption without affecting QoS.
c). Load Balancing: Evenly distributing the traffic for achieving energy efficiency without affecting the network performance and security.

Note that suitable placement of SDN devices in a network can help to save a significant amount of energy consumed by the network and provide efficient security defense.

V. OTHER CHALLENGES IN SDN RELATED TO PERFORMANCE, SECURITY AND ENERGY EFFICIENCY

SDN is regarded as an emerging technology for network security and energy efficiency. However, there are many challenges and open problems to realize its full potential. In this section, we discuss important problems and challenges in SDN. Typical open challenges/problems are summarized in Fig. 17.

Fig. 17. Typical open challenges and problems in SDN.

A. Scalability of the SDN Controller

In SDN, network functions are centralized to the SDN controller. The SDN controller is responsible for handling all important operations in the network. Thus finding the optimal number of controllers and their optimal position/placement in the network for better performance, scalability, security and energy efficiency is still an active research topic.

B. Flow-table Management in SDN

SDN is a flat network where SDN switches lack the efficiency to work independently, which makes them dependent on the rules set by the SDN controller. An SDN switch matches the packet with the flow entries in the table to make a decision. The flow tables in SDN have limited space. The storage of a larger number of flow entries could impose overhead on the flow tables, thereby increasing cost and degrading the overall performance. This necessitates intelligent flow table management methods that can store a larger number of rules without increasing the cost and degrading the overall network performance, network security and energy consumption in SDN [6], [185].

C. Performance of SDN Switches

SDN switches are not intelligent and operate based on the rules set by the SDN controller. The performance of switches in an SDN directly impacts the overall performance of the network including network security [7]. The concerning issues in the switches are: maximum output that can be obtained using available OpenFlow switches is limited to 38–1000 flow-mod per second. Switches need high capacity processors to work efficiently. If a larger number of CPUs are included in the switch, power consumption will be increased.

D. Real-time Change Update in SDN

SDN is reconfigurable on the fly based on its operating conditions. In any SDN, it has been a real challenge to address dynamic real-time change and deployment of rules. As discussed, SDN has an ability to automate the provisioning of new converged infrastructures in minutes and impact multiple devices in real time. This results in gaps in visibility of SDN changes and there will be a huge impact when small things go wrong. In SDN, another challenge is accommodating rapid on-demand growth, which poses a risk to SDN monitoring platforms. Defense and monitoring solutions must be able to accommodate the rapid growth of the SDN infrastructures. Otherwise they can quickly become over-subscribed, resulting in failure of whole systems.

E. Integration of SDN and Traditional Networks

The traditional network is hierarchical and SDN is flat. Thus, integration of SDN and legacy networks is another challenge where defense solutions and monitoring systems should be compatible and robust for both networks to enhance the overall performance, network security and energy saving. Note that one system should not be the bottleneck for the other. SDN is expected to be able to work based on the context of a particular customer or tenant of the network to serve them better and meet their QoS requirements. This may degrade the network performance when there is a hybrid network with physical and virtual services.

F. Optimal Location of SDN Devices

Optimization for placement of the SDN controller, SDN switches and other end devices is another open problem in SDN, as placement of different SDN devices impacts the overall network performance and security. It would be more important to enable more efficient network resource sharing and improve services for trillions of devices in Internet of Things applications [186], [187].
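The bit-merging step described under TCAM compression above, which also bears on the limited flow-table space raised in B. Flow-table Management, as an added example (not code from the survey or from BitWeaving [162]): same-action ternary entries that differ in exactly one bit are merged, and the result is checked against the original table for every possible header. It assumes pairwise non-overlapping entries so that entry order carries no meaning, omits bit swapping, and uses a constructed 4-bit rule set.

```python
from itertools import combinations, product
from typing import List, Optional, Tuple

Rule = Tuple[str, str]  # (ternary pattern over '0', '1', '*', action)

# Constructed, pairwise non-overlapping 4-bit rule set.
SAMPLE_RULES: List[Rule] = [
    ("0000", "permit"), ("0001", "permit"), ("0010", "permit"), ("0011", "permit"),
    ("0100", "deny"), ("0110", "deny"),
    ("1*01", "permit"), ("1*11", "permit"),
    ("0101", "log"),
]


def matches(pattern: str, key: str) -> bool:
    return all(p in ("*", k) for p, k in zip(pattern, key))


def lookup(rules: List[Rule], key: str, default: str = "drop") -> str:
    """First-match lookup, as a TCAM returns the highest-priority hit."""
    for pattern, action in rules:
        if matches(pattern, key):
            return action
    return default


def overlaps(a: str, b: str) -> bool:
    """True if some key matches both ternary patterns."""
    return all(x == y or "*" in (x, y) for x, y in zip(a, b))


def merge_pair(a: str, b: str) -> Optional[str]:
    """Merged pattern if a and b differ in exactly one position, 0 against 1."""
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(diff) == 1 and {a[diff[0]], b[diff[0]]} == {"0", "1"}:
        i = diff[0]
        return a[:i] + "*" + a[i + 1:]
    return None


def compress(rules: List[Rule]) -> List[Rule]:
    """Repeatedly merge same-action entries that differ in a single bit."""
    # Merging is only order-independent when no two entries overlap; refuse
    # prioritized, overlapping tables instead of silently changing semantics.
    for i, (p, _) in enumerate(rules):
        for q, _ in rules[i + 1:]:
            if overlaps(p, q):
                raise ValueError(f"overlapping rules {p} and {q}: order matters")
    out = list(rules)
    merged = True
    while merged:
        merged = False
        for i, j in combinations(range(len(out)), 2):
            if out[i][1] != out[j][1]:
                continue
            pattern = merge_pair(out[i][0], out[j][0])
            if pattern is not None:
                out[i] = (pattern, out[i][1])
                del out[j]
                merged = True
                break  # indices shifted: rescan from the start
    return out


def equivalent(a: List[Rule], b: List[Rule], width: int) -> bool:
    """Exhaustive check that both tables classify every header identically."""
    keys = ("".join(bits) for bits in product("01", repeat=width))
    return all(lookup(a, k) == lookup(b, k) for k in keys)


if __name__ == "__main__":
    compact = compress(SAMPLE_RULES)
    print(len(SAMPLE_RULES), "->", len(compact), compact)
    print("equivalent:", equivalent(SAMPLE_RULES, compact, 4))
```

The exhaustive check is feasible only for narrow keys such as this 4-bit case; for real header widths the equivalence has to be argued per merge, which is why the overlap guard matters.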
Note that the selection of different parameters depends on the application that the SDN is envisioned to support. For instance, optimal parameters in SDN for smart grid may not be optimal SDN parameters for traditional data center networks [188], optimal SDN for IoT may not be optimal SDN for cyber-physical systems, and so on.

VI. CONCLUSION

In this survey, we have explored Software Defined Network (SDN) architecture, various security threats that are resolved by SDN and new threats that arose as a result of SDN implementation as well as energy efficiency. We have summarized the recent security attacks and countermeasures in SDN in a tabular form for side-by-side comparison. We have also provided a survey on different strategies that are implemented to achieve energy efficiency in the networks through SDN implementation and presented in a tabular form. In an effort to anticipate the future evolution of this new paradigm, we discuss the challenges and research efforts in SDN. Note that the selection of different SDN parameters depends on the applications that the SDN is envisioned to support. For instance, optimal SDN parameters for smart grid networking may not be optimal SDN parameters for traditional data center networks and optimal SDN for IoT may not be optimal SDN for cyber-physical systems and so on.

It is noted that the future work should be focused on designing low power consuming security mechanisms that can enhance the overall network performance with high visibility and scalability.

ACKNOWLEDGMENT

However, any opinion, finding, and conclusions or recommendations expressed in this material are those of the author and do not necessarily reflect the views of NSF. The authors are grateful to the anonymous reviewers for their constructive comments on the paper.

REFERENCES

[1] S. Jeschke, C. Brecher, H. Song, and D. B. Rawat, Industrial Internet of Things: Cyber-Manufacturing Systems. Cham, Switzerland: Springer, 2016.
[2] D. B. Rawat, J. J. Rodrigues, and I. Stojmenović, Cyber-Physical Systems: From Theory to Practice. Boca Raton, FL, USA: CRC Press, 2015.
[3] P. Goransson and C. Black, Software Defined Networks: A Comprehensive Approach. St. Louis, MO, USA: Elsevier, 2014.
[4] N. McKeown, “Software-defined networking,” INFOCOM Keynote Talk, vol. 17, no. 2, pp. 30–32, 2009.
[5] T. D. Nadeau and K. Gray, SDN: Software Defined Networks. Sebastopol, CA, USA: O’Reilly Media, 2013.
[6] F. Hu, Q. Hao, and K. Bao, “A survey on software-defined network and OpenFlow: From concept to implementation,” IEEE Commun. Surveys Tuts., vol. 16, no. 4, pp. 2181–2206, 4th Quart., 2014.
[7] D. Kreutz et al., “Software-defined networking: A comprehensive survey,” Proc. IEEE, vol. 103, no. 1, pp. 14–76, Jan. 2015.
[8] Open Networking Foundation. Accessed on May 8, 2016. [Online]. Available: https://www.opennetworking.org
[9] Floodlight. Accessed on May 8, 2016. [Online]. Available: http://www.projectfloodlight.org/floodlight
[10] OpenDayLight. Accessed on May 8, 2016. [Online]. Available: https://www.opendaylight.org
[11] N. McKeown et al. (2011). OpenFlow Switch Specification. Accessed on Aug. 1, 2016. [Online]. Available: https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-spec-v1.4.0.pdf
[12] T. Xing, Z. Xiong, D. Huang, and D. Medhi, “SDNIPS: Enabling software-defined networking based intrusion prevention system in clouds,” in Proc. 10th Int. Conf. Netw. Service Manag. (CNSM), Rio de Janeiro, Brazil, 2014, pp. 308–311.
[13] O. Joldzic, Z. Djuric, and D. Vukovic, “Building a transparent intrusion detection and prevention system on SDN,” Norsk informasjonssikkerhetskonferanse, vol. 7, no. 1, pp. 1–4, 2014.
[14] S. A. Mehdi, J. Khalid, and S. A. Khayam, “Revisiting traffic anomaly detection using software defined networking,” in Recent Advances in Intrusion Detection. Heidelberg, Germany: Springer, 2011, pp. 161–180.
[15] S. Shin et al., “FRESCO: Modular composable security services for software-defined networks,” in Proc. NDSS, San Diego, CA, USA, 2013, pp. 1–16.
[16] S. Scott-Hayward, G. O’Callaghan, and S. Sezer, “SDN security: A survey,” in Proc. IEEE SDN Future Netw. Services (SDN4FNS), Trento, Italy, 2013, pp. 1–7.
[17] S. Shin, V. Yegneswaran, P. Porras, and G. Gu, “AVANT-GUARD: Scalable and vigilant switch flow management in software-defined networks,” in Proc. ACM SIGSAC Conf. Comput. Commun. Security, Berlin, Germany, 2013, pp. 413–424.
[18] D. B. Rawat and C. Bajracharya, Vehicular Cyber Physical Systems: Adaptive Connectivity and Security. Cham, Switzerland: Springer, 2016.
[19] D. B. Rawat and C. Bajracharya, “Software defined networking for reducing energy consumption and carbon emission,” in Proc. IEEE SoutheastCon, Norfolk, VA, USA, 2016, pp. 1–2.
[20] E. Gelenbe and Y. Caseau, “The impact of information technology on energy consumption and carbon emissions,” Ubiquity, vol. 2015, p. 1, Jun. 2015.
[21] D. B. Rawat and S. Reddy, “Recent advances on software defined wireless networking,” in Proc. IEEE SoutheastCon, Norfolk, VA, USA, 2016, pp. 1–8.
[22] R. Wang et al., “Energy-aware routing algorithms in software-defined networks,” in Proc. IEEE 15th Int. Symp. A World Wireless Mobile Multimedia Netw. (WoWMoM), Sydney, NSW, Australia, 2014, pp. 1–6.
[23] B. Yan, J. Zhou, J. Wu, and Y. Zhao, “Poster: SDN based energy management system for optical access network,” in Proc. 9th Int. Conf. Commun. Netw. China (CHINACOM), Maoming, China, 2014, pp. 658–659.
[24] B. B. Bista, A. Fukushi, T. Takata, and D. B. Rawat, “Reducing energy consumption in wired OpenFlow-based networks,” Int. J. Control Autom., vol. 7, no. 6, pp. 401–412, 2014.
[25] B. B. Bista, M. Takanohashi, T. Takata, and D. B. Rawat, “A power saving scheme for open flow network,” J. Clean Energy Technol., vol. 1, no. 4, pp. 276–280, 2013.
[26] K. Dhamecha and B. Trivedi, “SDN issues—A survey,” Int. J. Comput. Appl., vol. 73, no. 18, pp. 30–35, 2013.
[27] S. Scott-Hayward, S. Natarajan, and S. Sezer, “A survey of security in software defined networks,” IEEE Commun. Surveys Tuts., vol. 18, no. 1, pp. 623–654, 1st Quart., 2016.
[28] I. Alsmadi and D. Xu, “Security of software defined networks: A survey,” Comput. Security, vol. 53, pp. 79–108, Sep. 2015.
[29] W. Li, W. Meng, and L. F. Kwok, “A survey on OpenFlow-based software defined networks: Security challenges and countermeasures,” J. Netw. Comput. Appl., vol. 68, pp. 126–139, Jun. 2016.
[30] N. Feamster, H. Balakrishnan, J. Rexford, A. Shaikh, and J. van Der Merwe, “The case for separating routing from routers,” in Proc. ACM SIGCOMM Workshop Future Directions Netw. Architect., Portland, OR, USA, 2004, pp. 5–12.
[31] A. Greenberg et al., “A clean slate 4D approach to network control and management,” ACM SIGCOMM Comput. Commun. Rev., vol. 35, no. 5, pp. 41–54, 2005.
[32] M. Casado et al., “Ethane: Taking control of the enterprise,” ACM SIGCOMM Comput. Commun. Rev., vol. 37, no. 4, pp. 1–12, 2007.
[33] N. Feamster, J. Rexford, and E. Zegura, “The road to SDN: An intellectual history of programmable networks,” ACM SIGCOMM Comput. Commun. Rev., vol. 44, no. 2, pp. 87–98, 2014.
[34] S. Bhattacharjee, K. L. Calvert, and E. W. Zegura, An Architecture for Active Networking. New York, NY, USA: Springer, 1997.
[35] D. L. Tennenhouse and D. J. Wetherall, “Towards an active network architecture,” in Proc. DARPA Act. Netw. Conf. Expo., San Francisco, CA, USA, 2002, pp. 2–15.
[36] D. J. Wetherall, J. V. Guttag, and D. L. Tennenhouse, “ANTS: A toolkit for building and dynamically deploying network protocols,” in Proc. IEEE Open Architect. Netw. Program., San Francisco, CA, USA, 1998, pp. 117–129.
[37] J. E. van der Merwe, S. Rooney, L. Leslie, and S. Crosby, “The tempest-a practical framework for network programmability,” IEEE Netw., vol. 12, no. 3, pp. 20–28, May/Jun. 1998.
[38] A. Bavier, N. Feamster, M. Huang, L. Peterson, and J. Rexford, “In VINI veritas: Realistic and controlled network experimentation,” ACM SIGCOMM Comput. Commun. Rev., vol. 36, no. 4, pp. 3–14, 2006.
[39] D. S. Alexander et al., “The SwitchWare active network architecture,” IEEE Netw., vol. 12, no. 3, pp. 29–36, May/Jun. 1998.
[40] N. McKeown et al., “OpenFlow: Enabling innovation in campus networks,” ACM SIGCOMM Comput. Commun. Rev., vol. 38, no. 2, pp. 69–74, 2008.
[41] W. Stallings, “Software-defined networks and OpenFlow,” Internet Protocol J., vol. 16, no. 1, pp. 1–6, 2013.
[42] SDN-Ready White Box Data Center. Accessed on May 8, 2016. [Online]. Available: http://www.pica8.com/open-networking/sdn-ready-white-box-data-center.php
[43] A. Voellmy and P. Hudak, “Nettle: Taking the sting out of programming network routers,” in Practical Aspects of Declarative Languages. Heidelberg, Germany: Springer, 2011, pp. 235–249.
[44] N. Gude et al., “NOX: Towards an operating system for networks,” ACM SIGCOMM Comput. Commun. Rev., vol. 38, no. 3, pp. 105–110, 2008.
[45] A. Voellmy, H. Kim, and N. Feamster, “Procera: A language for high-level reactive network control,” in Proc. 1st Workshop Hot Topics Softw. Defined Netw., Helsinki, Finland, 2012, pp. 43–48.
[46] Defining Openness for Open SDN and NFV. Accessed on Nov. 16, 2015. [Online]. Available: https://www.sdxcentral.com/articles/featured/defining-open-sdn-nfv-a-primer-network-operators/2014/07/
[47] S. Gutz, A. Story, C. Schlesinger, and N. Foster, “Splendid isolation: A slice abstraction for software-defined networks,” in Proc. 1st Workshop Hot Topics Softw. Defined Netw., Helsinki, Finland, 2012, pp. 79–84.
[48] M. Reitblatt, N. Foster, J. Rexford, and D. Walker, “Consistent updates for software-defined networks: Change you can believe in!” in Proc. 10th ACM Workshop Hot Topics Netw., Cambridge, MA, USA, 2011, p. 7.
[49] C. Monsanto, J. Reich, N. Foster, J. Rexford, and D. Walker, “Composing software defined networks,” in Proc. NSDI, Lombard, IL, USA, 2013, pp. 1–13.
[50] C. Liang and F. R. Yu, “Wireless network virtualization: A survey,
[59] J. Reich, C. Monsanto, N. Foster, J. Rexford, and D. Walker, “Modular SDN programming with pyretic,” USENIX Tech. Rep., 2013, accessed on Aug. 1, 2016. [Online]. Available: https://www.cs.princeton.edu/~jrex/papers/pyretic13.pdf
[60] A. Blenk, A. Basta, and W. Kellerer, “HyperFlex: An SDN virtualization architecture with flexible hypervisor function allocation,” in Proc. IFIP/IEEE IM, Ottawa, ON, Canada, 2015, pp. 397–405.
[61] L. Velasco, A. Asensio, J. L. Berral, A. Castro, and V. López, “Towards a carrier SDN: An example for elastic inter-datacenter connectivity,” Opt. Exp., vol. 22, no. 1, pp. 55–61, 2014.
[62] V. Pandey, “Towards widespread SDN adoption: Need for synergy between photonics and SDN within the data center,” in Proc. IEEE Photon. Soc. Summer Topical Meeting Series, Waikoloa, HI, USA, 2013, pp. 227–228.
[63] J. Kempf, Y. Zhang, R. Mishra, and N. Beheshti, “Zeppelin—A third generation data center network virtualization technology based on SDN and MPLS,” in Proc. IEEE 2nd Int. Conf. Cloud Netw. (CloudNet), San Francisco, CA, USA, 2013, pp. 1–9.
[64] S. Jain et al., “B4: Experience with a globally-deployed software defined WAN,” ACM SIGCOMM Comput. Commun. Rev., vol. 43, no. 4, pp. 3–14, 2013.
[65] I. F. Akyildiz, A. Lee, P. Wang, M. Luo, and W. Chou, “A roadmap for traffic engineering in SDN-OpenFlow networks,” Comput. Netw., vol. 71, pp. 1–30, Oct. 2014.
[66] J. Gubbi, R. Buyya, S. Marusic, and M. Palaniswami, “Internet of Things (IoT): A vision, architectural elements, and future directions,” Future Gener. Comput. Syst., vol. 29, no. 7, pp. 1645–1660, 2013.
[67] A. Gupta et al., “SDX: A software defined Internet exchange,” in Proc. ACM Conf. SIGCOMM, Chicago, IL, USA, 2014, pp. 551–562.
[68] V. Kotronis, X. Dimitropoulos, and B. Ager, “Outsourcing the routing control logic: Better Internet routing based on SDN principles,” in Proc. 11th ACM Workshop Hot Topics Netw., Redmond, WA, USA, 2012, pp. 55–60.
[69] J. Costa-Requena, “SDN integration in LTE mobile backhaul networks,” in Proc. Int. Conf. Inf. Netw. (ICOIN), Phuket, Thailand, 2014, pp. 264–269.
[70] P. Berthou, “Leveraging SDN for the 5G networks,” in Software Defined Mobile Networks (SDMN): Beyond LTE Network Architecture. Hoboken, NJ, USA: Wiley, 2015, pp. 61–80.
[71] D. B. Rawat, S. Shetty, and C. Xin, “Stackelberg-game-based dynamic spectrum access in heterogeneous wireless systems,” IEEE Syst. J., vol. 10, no. 4, 2016.
[72] J. Sánchez, I. M. B. Yahia, N. Crespi, T. Rasheed, and D. Siracusa, “Softwarized 5G networks resiliency with self-healing,” in Proc. 1st Int. Conf. 5G Ubiquitous Connectivity (5GU), 2014, pp. 229–233.
some research issues and challenges,” IEEE Commun. Surveys Tuts., [73] A. Gember, C. Dragga, and A. Akella, “ECOS: Leveraging software-
vol. 17, no. 1, pp. 358–380, 1st Quart., 2015. defined networks to support mobile application offloading,” in Proc. 8th
[51] K. Barr et al., “The VMware mobile virtualization platform: Is that a ACM/IEEE Symp. Architect. Netw. Commun. Syst., Austin, TX, USA,
hypervisor in your pocket?” ACM SIGOPS Oper. Syst. Rev., vol. 44, 2012, pp. 199–210.
no. 4, pp. 124–135, 2010. [74] J. Lee et al., “meSDN: Mobile extension of SDN,” in Proc. 5th Int.
Workshop Mobile Cloud Comput. Services, Bretton Woods, NH, USA,
[52] C. Dixon et al., “Software defined networking to support the soft-
2014, pp. 7–14.
ware defined environment,” IBM J. Res. Develop., vol. 58, nos. 2–3,
[75] K.-K. Yap et al., “The Stanford openroads deployment,” in Proc. 4th
pp. 1–14, Mar./May 2014.
ACM Int. Workshop Exp. Eval. Characterization, Beijing, China, 2009,
[53] R. Sherwood et al., “FlowVisor: A network virtualization layer,”
pp. 59–66.
OpenFlow Switch Consortium, Stanford Univ., Stanford, CA, USA,
[76] R. Muñoz, R. Vilalta, R. Casellas, and R. Martínez, “SDN orchestra-
Tech. Rep., 2009, accessed on Aug. 1, 2016. [Online]. Available:
tion and virtualization of heterogeneous multi-domain and multi-layer
http://archive.openflow.org/downloads/technicalreports/openflow-tr-
transport networks: The STRAUSS approach,” in Proc. IEEE Int. Black
2009-1-flowvisor.pdf
Sea Conf. Commun. Netw. (BlackSeaCom), Constanta, Romania, 2015,
[54] E. Salvadori, R. D. Corin, A. Broglio, and M. Gerola, “Generalizing pp. 142–146.
virtual network topologies in OpenFlow-based networks,” in Proc. [77] T. Szyrkowiec et al., “Demonstration of SDN based optical network
IEEE Glob. Telecommun. Conf. (GLOBECOM), Houston, TX, USA, virtualization and multidomain service orchestration,” in Proc. 3rd Eur.
2011, pp. 1–6. Workshop Softw. Defined Netw. (EWSDN), Budapest, Hungary, 2014,
[55] Z. Bozakov and P. Papadimitriou, “AutoSlice: Automated and scalable pp. 137–138.
slicing for software-defined networks,” in Proc. ACM Conf. CoNEXT [78] Q. Qi, W. Wang, X. Gong, and X. Que, “A SDN-based network virtual-
Student Workshop, Nice, France, 2012, pp. 3–4. ization architecture with autonomie management,” in Proc. Globecom
[56] P. Skoldstrom and W. John, “Implementation and evaluation of a Workshops (GC Wkshps), Austin, TX, USA, 2014, pp. 178–182.
carrier-grade OpenFlow virtualization scheme,” in Proc. 2nd Eur. [79] M. S. Malik, M. Montanari, J. H. Huh, R. B. Bobba, and
Workshop Softw. Defined Netw. (EWSDN), Berlin, Germany, 2013, R. H. Campbell, “Towards SDN enabled network control delegation
pp. 75–80. in clouds,” in Proc. 43rd Annu. IEEE/IFIP Int. Conf. Depend. Syst.
[57] P. Lin, J. Bi, and H. Hu, “VCP: A virtualization cloud plat- Netw. (DSN), Budapest, Hungary, 2013, pp. 1–6.
form for SDN intra-domain production network,” in Proc. 20th [80] R. D. Corin, M. Gerola, R. Riggio, F. De Pellegrini, and E. Salvadori,
IEEE Int. Conf. Netw. Protocols (ICNP), Austin, TX, USA, 2012, “VeRTIGO: Network virtualization and beyond,” in Proc. Eur.
pp. 1–2. Workshop Softw. Defined Netw. (EWSDN), Darmstadt, Germany, 2012,
[58] D. Drutskoy, E. Keller, and J. Rexford, “Scalable network virtualization pp. 24–29.
in software-defined networks,” IEEE Internet Comput., vol. 17, no. 2, [81] D. B. Rawat, M. Song, and S. Shetty, Dynamic Spectrum Access for
pp. 20–27, Mar./Apr. 2013. Wireless Networks. Cham, Switzerland: Springer, 2015.
344 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 19, NO. 1, FIRST QUARTER 2017

[82] D. B. Rawat and N. Sharma, “Wireless network virtualization for [105] S. Hong, L. Xu, H. Wang, and G. Gu, “Poisoning network visibility
enhancing security: Status, challenges and perspectives,” in Proc. IEEE in software-defined networks: New attacks and countermeasures,” in
SoutheastCon, Norfolk, VA, USA, 2016, pp. 1–8. Proc. NDSS, 2015, pp. 1–15.
[83] A. Gudipati, D. Perry, L. E. Li, and S. Katti, “SoftRAN: Software [106] X. Du, M.-Z. Wang, X. Zhang, and L. Zhu, “Traffic-based mali-
defined radio access network,” in Proc. 2nd ACM SIGCOMM Workshop cious switch detection in SDN,” Int. J. Security Appl., vol. 8, no. 5,
Hot Topics Softw. Defined Netw., Hong Kong, 2013, pp. 25–30. pp. 119–130, 2014.
[84] M. Peng, C. Wang, V. Lau, and H. V. Poor, “Fronthaul-constrained [107] M. Dhawan, R. Poddar, K. Mahajan, and V. Mann, “SPHINX:
cloud radio access networks: Insights and challenges,” IEEE Wireless Detecting security attacks in software-defined networks,” in Proc. Netw.
Commun., vol. 22, no. 2, pp. 152–160, Apr. 2015. Distrib. Syst. Security (NDSS) Symp., San Diego, CA, USA, 2015,
[85] M. Y. Arslan, K. Sundaresan, and S. Rangarajan, “Software-defined pp. 1–15.
networking in cellular radio access networks: Potential and challenges,” [108] H. Hu, W. Han, G.-J. Ahn, and Z. Zhao, “FLOWGUARD: Building
IEEE Commun. Mag., vol. 53, no. 1, pp. 150–156, Jan. 2015. robust firewalls for software-defined networks,” in Proc. 3rd Workshop
[86] M. Yang et al., “OpenRAN: A software-defined ran architecture via Hot Topics Softw. Defined Netw., Chicago, IL, USA, 2014, pp. 97–102.
virtualization,” ACM SIGCOMM Comput. Commun. Rev., vol. 43, no. 4, [109] S. K. Fayazbakhsh, V. Sekar, M. Yu, and J. C. Mogul, “FlowTags:
pp. 549–550, 2013. Enforcing network-wide policies in the presence of dynamic middlebox
[87] A. P. Bianzino, C. Chaudet, D. Rossi, and J.-L. Rougier, “A survey actions,” in Proc. 2nd ACM SIGCOMM Workshop Hot Topics Softw.
of green networking research,” IEEE Commun. Surveys Tuts., vol. 14, Defined Netw., Hong Kong, 2013, pp. 19–24.
no. 1, pp. 3–20, 1st Quart., 2012. [110] Z. Qazi et al., “Practical and incremental convergence between SDN
[88] D. Staessens, S. Sharma, D. Colle, M. Pickavet, and P. Demeester, and middleboxes,” in Proc. Open Netw. Summit, Santa Clara, CA, USA,
“Software defined networking: Meeting carrier grade requirements,” in 2013, pp. 1–15.
Proc. 18th IEEE Workshop Local Metropol. Area Netw. (LANMAN), [111] B. Anwer, T. Benson, N. Feamster, D. Levin, and J. Rexford, “A
Chapel Hill, NC, USA, 2011, pp. 1–6. slick control plane for network middleboxes,” in Proc. 2nd ACM
[89] B. Heller et al., “ElasticTree: Saving energy in data center networks,” SIGCOMM Workshop Hot Topics Softw. Defined Netw., Hong Kong,
in Proc. NSDI, vol. 10. San Jose, CA, USA, 2010, pp. 249–264. 2013, pp. 147–148.
[90] L. Schehlmann, S. Abt, and H. Baier, “Blessing or curse? Revisiting [112] M. Canini, D. Venzano, P. Perešíni, D. Kostić, and J. Rexford, “A
security aspects of software-defined networking,” in Proc. 10th Int. NICE way to test OpenFlow applications,” in Proc. NSDI, vol. 12.
Conf. Netw. Service Manag. (CNSM), Rio de Janeiro, Brazil, 2014, San Jose, CA, USA, 2012, pp. 127–140.
pp. 382–387. [113] P. Porras et al., “A security enforcement kernel for OpenFlow net-
[91] S. Shin and G. Gu, “CloudWatcher: Network security monitoring using works,” in Proc. 1st Workshop Hot Topics Softw. Defined Netw.,
OpenFlow in dynamic cloud networks (or: How to provide security Helsinki, Finland, 2012, pp. 121–126.
monitoring as a service in clouds?),” in Proc. 20th IEEE Int. Conf. [114] S. E. Schechter, J. Jung, and A. W. Berger, “Fast detection of scan-
Netw. Protocols (ICNP), Austin, TX, USA, 2012, pp. 1–6. ning worm infections,” in Recent Advances in Intrusion Detection.
[92] P.-W. Chi, C.-T. Kuo, H.-M. Ruan, S.-J. Chen, and C.-L. Lei, “An Heidelberg, Germany: Springer, 2004, pp. 59–81.
AMI threat detection mechanism based on SDN networks,” in Proc. [115] J. Twycross and M. M. Williamson, “Implementing and testing a virus
SECURWARE, Lisbon, Portugal, 2014, pp. 208–211. throttle,” in Proc. USENIX Security, 2003, p. 20.
[93] J. François and O. Festor, “Anomaly traceback using software [116] Y. Gu, A. McCallum, and D. Towsley, “Detecting anomalies in net-
defined networking,” in Proc. Nat. Conf. Parallel Comput. Technol. work traffic using maximum entropy estimation,” in Proc. 5th ACM
(PARCOMPTECH), Atlanta, GA, USA, 2015, pp. 203–208. SIGCOMM Conf. Internet Meas., Berkeley, CA, USA, 2005, p. 32.
[94] R. Jin and B. Wang, “Malware detection for mobile devices using [117] M. V. Mahoney, “Network traffic anomaly detection based on packet
software-defined networking,” in Proc. 2nd GENI Res. Educ. Exp. bytes,” in Proc. ACM Symp. Appl. Comput., Melbourne, FL, USA,
Workshop (GREE), Salt Lake City, UT, USA, 2013, pp. 81–88. 2003, pp. 346–350.
[95] K. Giotis, G. Androulidakis, and V. Maglaris, “Leveraging SDN for [118] S. M. Mousavi and M. St-Hilaire, “Early detection of DDoS attacks
efficient anomaly detection and mitigation on legacy networks,” in against SDN controllers,” in Proc. Int. Conf. Comput. Netw. Commun.
Proc. 3rd Eur. Workshop Softw. Defined Netw. (EWSDN), Budapest, (ICNC), Garden Grove, CA, USA, 2015, pp. 77–81.
Hungary, 2014, pp. 85–90. [119] R. Braga, E. Mota, and A. Passito, “Lightweight DDoS flooding attack
[96] S. Lim, J.-I. Ha, H. Kim, Y. Kim, and S. Yang, “A SDN-oriented DDoS detection using NOX/OpenFlow,” in Proc. IEEE 35th Conf. Local
blocking scheme for botnet-based attacks,” in Proc. 6th Int. Conf. Comput. Netw. (LCN), Denver, CO, USA, 2010, pp. 408–415.
Ubiquitous Future Netw. (ICUFN), Shanghai, China, 2014, pp. 63–68. [120] C. Schlesinger, A. Story, S. Gutz, N. Foster, and D. Walker, “Splendid
[97] R. Sahay, G. Blanc, Z. Zhang, and H. Debar, “Towards autonomic isolation: Language-based security for software-defined networks,” in
DDoS mitigation using software defined networking,” in Proc. NDSS Proc. Workshop Hot Topics Softw. Defined Netw., Helsinki, Finland,
Workshop Security Emerg. Netw. Technol. (SENT), San Diego, CA, 2012, pp. 79–84.
USA, 2015, pp. 1–7. [121] M. Ambrosin, M. Conti, F. De Gaspari, and R. Poovendran,
[98] C.-J. Chung, P. Khatkar, T. Xing, J. Lee, and D. Huang, “NICE: “LinesWitch: Efficiently managing switch flow in software-defined net-
Network intrusion detection and countermeasure selection in virtual working while effectively tackling DoS attacks,” in Proc. 10th ACM
network systems,” IEEE Trans. Depend. Secure Comput., vol. 10, no. 4, Symp. Inf. Comput. Commun. Security, Singapore, 2015, pp. 639–644.
pp. 198–211, Jul./Aug. 2013. [122] J. M. Dover. A Denial of Service Attack Against the Open Floodlight
[99] A. G. P. Lobato, U. da Rocha Figueiredo, and O. C. M. B. Duarte, “An SDN Controller. Accessed on Aug. 1, 2016. [Online]. Available:
architecture for intrusion prevention using software defined networks,” http://dovernetworks.com/wp-content/uploads/2013/12/OpenFlood
in Proc. WNetVirt, Rio de Janeiro, Brazil, 2013, p. 1. light-12302013.pdf
[100] M. Roesch et al., “Snort: Lightweight intrusion detection for networks,” [123] J. Mirkovic and P. Reiher, “A taxonomy of DDoS attack and DDoS
in Proc. LISA, vol. 99. Seattle, WA, USA, 1999, pp. 229–238. defense mechanisms,” ACM SIGCOMM Comput. Commun. Rev.,
[101] Q. Yan and F. R. Yu, “Distributed denial of service attacks in software- vol. 34, no. 2, pp. 39–53, 2004.
defined networking with cloud computing,” IEEE Commun. Mag., [124] M. Drašar, M. Vizváry, and J. Vykopal, “Similarity as a central
vol. 53, no. 4, pp. 52–59, Apr. 2015. approach to flow-based anomaly detection,” Int. J. Netw. Manag.,
[102] M. Abliz, “Internet denial of service attacks and defense mechanisms,” vol. 24, no. 4, pp. 318–336, 2014.
Dept. Comput. Sci., Univ. Pittsburgh, Pittsburgh, PA, USA, Tech. [125] A.-S. Kim, H.-J. Kong, S.-C. Hong, S.-H. Chung, and J. W. Hong, “A
Rep. TR-11-178, 2011. flow-based method for abnormal network traffic detection,” in Proc.
[103] D. Kreutz, F. M. V. Ramos, and P. Verissimo, “Towards secure and IEEE/IFIP Netw. Oper. Manag. Symp., vol. 1. Seoul, South Korea,
dependable software-defined networks,” in Proc. 2nd ACM SIGCOMM 2004, pp. 599–612.
Workshop Hot Topics Softw. Defined Netw., Hong Kong, 2013, [126] P. Casas, J. Mazel, and P. Owezarski, “Unsupervised network intru-
pp. 55–60. sion detection systems: Detecting the unknown without knowledge,”
[104] J. H. Jafarian, E. Al-Shaer, and Q. Duan, “OpenFlow random host Comput. Commun., vol. 35, no. 7, pp. 772–783, 2012.
mutation: Transparent moving target defense using software defined [127] Z. Li, Y. Gao, and Y. Chen, “HiFIND: A high-speed flow-level intrusion
networking,” in Proc. 1st Workshop Hot Topics Softw. Defined Netw., detection approach with DoS resiliency,” Comput. Netw., vol. 54, no. 8,
Helsinki, Finland, 2012, pp. 127–132. pp. 1282–1299, 2010.
RAWAT AND REDDY: SOFTWARE DEFINED NETWORKING ARCHITECTURE, SECURITY AND ENERGY EFFICIENCY 345

[128] B. Wang, Y. Zheng, W. Lou, and Y. T. Hou, “DDoS attack protection in [150] A. Ruiz-Rivera, K.-W. Chin, and S. Soh, “GreCo: An energy aware
the era of cloud computing and software-defined networking,” Comput. controller association algorithm for software defined networks,” IEEE
Netw., vol. 81, pp. 308–319, Apr. 2015. Commun. Lett., vol. 19, no. 4, pp. 541–544, Apr. 2015.
[129] R. Kloti, V. Kotronis, and P. Smith, “OpenFlow: A security analy- [151] A. Tootoonchian, M. Ghobadi, and Y. Ganjali, “OpenTM:
sis,” in Proc. 21st IEEE Int. Conf. Netw. Protocols (ICNP), Göttingen, Traffic matrix estimator for OpenFlow networks,” in Passive
Germany, 2013, pp. 1–6. and Active Measurement. Heidelberg, Germany: Springer, 2010,
[130] N. Handigol, B. Heller, V. Jeyakumar, D. Maziéres, and N. McKeown, pp. 201–210.
“Where is the debugger for my software-defined network?” in Proc. [152] S. R. Chowdhury, M. F. Bari, R. Ahmed, and R. Boutaba, “PayLess:
1st Workshop Hot Topics Softw. Defined Netw., Helsinki, Finland, 2012, A low cost network monitoring framework for software defined net-
pp. 55–60. works,” in Proc. IEEE Netw. Oper. Manag. Symp. (NOMS), Kraków,
[131] E. Kohler, R. Morris, B. Chen, J. Jannotti, and M. F. Kaashoek, “The Poland, 2014, pp. 1–9.
click modular router,” ACM Trans. Comput. Syst., vol. 18, no. 3, [153] C. Yu et al., “FlowSense: Monitoring network utilization with zero
pp. 263–297, 2000. measurement cost,” in Passive and Active Measurement. Heidelberg,
[132] K. Benton, L. J. Camp, and C. Small, “OpenFlow vulnerability assess- Germany: Springer, 2013, pp. 31–41.
ment,” in Proc. 2nd ACM SIGCOMM Workshop Hot Topics Softw. [154] J. Suh, T. T. Kwon, C. Dixon, W. Felter, and J. Carter, “OpenSample: A
Defined Netw., Hong Kong, 2013, pp. 151–152. low-latency, sampling-based measurement platform for SDN,” in Proc.
[133] A. Bates, K. Butler, A. Haeberlen, M. Sherr, and W. Zhou, “Let ICDCS, Madrid, Spain, 2014, pp. 1–10.
SDN be your eyes: Secure forensics in data center networks,” in [155] M. Yu, L. Jose, and R. Miao, “Software defined traffic measurement
Proc. NDSS Workshop Security Emerg. Netw. Technol. (SENT), 2014, with OpenSketch,” in Proc. NSDI, vol. 13. Lombard, IL, USA, 2013,
pp. 1–7. pp. 29–42.
[134] M. Suh, S. H. Park, B. Lee, and S. Yang, “Building firewall over [156] T. Benson, A. Anand, A. Akella, and M. Zhang, “MicroTE: Fine
the software-defined network controller,” in Proc. 16th Int. Conf. Adv. grained traffic engineering for data centers,” in Proc. 7th Conf. Emerg.
Commun. Technol. (ICACT), 2014, pp. 744–748. Netw. Exp. Technol., Tokyo, Japan, 2011, p. 8.
[135] W. P. de Jesus, D. A. da Silva, R. T. de Sousa, Jr., and F. V. L. da Frota, [157] P. Kazemian et al., “Real time network policy checking using header
“Analysis of SDN contributions for cloud computing security,” in Proc. space analysis,” in Proc. NSDI, Lombard, IL, USA, 2013, pp. 99–111.
IEEE/ACM 7th Int. Conf. Utility Cloud Comput. (UCC), London, U.K., [158] R. McGeer, “A safe, efficient update protocol for OpenFlow networks,”
2014, pp. 922–927. in Proc. 1st Workshop Hot Topics Softw. Defined Netw., Helsinki,
[136] R. Buyya, A. Beloglazov, and J. Abawajy, “Energy-efficient man- Finland, 2012, pp. 61–66.
agement of data center resources for cloud computing: A vision, [159] T. Mizrahi and Y. Moses, “Time-based updates in software defined
architectural elements, and open challenges,” in Proc. Green Cloud, networks,” in Proc. 2nd ACM SIGCOMM Workshop Hot Topics Softw.
2010, pp. 1–6. Defined Netw., Hong Kong, 2013, pp. 163–164.
[137] B. G. Assefa and O. Ozkasap, “State-of-the-art energy effi-
[160] C. R. Meiners, A. X. Liu, and E. Torng, “TCAM Razor: A system-
ciency approaches in software defined networking,” in Proc. ICN,
atic approach towards minimizing packet classifiers in TCAMs,” in
San Francisco, CA, USA, 2015, p. 268.
Proc. IEEE Int. Conf. Netw. Protocols (ICNP), Beijing, China, 2007,
[138] F. Kaup, S. Melnikowitsch, and D. Hausheer, “Measuring and modeling pp. 266–275.
the power consumption of OpenFlow switches,” in Proc. 10th Int.
[161] K. Kannan and S. Banerjee, “Compact TCAM: Flow entry compaction
Conf. Netw. Service Manag. (CNSM), Rio de Janeiro, Brazil, 2014,
in TCAM for power aware SDN,” in Distributed Computing and
pp. 181–186.
Networking. Heidelberg, Germany: Springer, 2013, pp. 439–444.
[139] C. E. Hopps. (2000). Analysis of an Equal-Cost Multi-Path
Algorithm. Accessed on Aug. 1, 2016. [Online]. Available: [162] C. R. Meiners, A. X. Liu, and E. Torng, “Bit Weaving: A non-prefix
https://tools.ietf.org/html/rfc2992 approach to compressing packet classifiers in TCAMs,” IEEE/ACM
Trans. Netw., vol. 20, no. 2, pp. 488–500, Apr. 2012.
[140] M. Al-Fares, S. Radhakrishnan, B. Raghavan, N. Huang, and A. Vahdat,
“Hedera: Dynamic flow scheduling for data center networks,” in Proc. [163] Y. Kanizo, D. Hay, and I. Keslassy, “Palette: Distributing tables in
NSDI, vol. 10. San Jose, CA, USA, 2010, p. 19. software-defined networks,” in Proc. IEEE INFOCOM, Turin, Italy,
[141] A. R. Curtis, W. Kim, and P. Yalagandula, “Mahout: Low- 2013, pp. 545–549.
overhead datacenter traffic management using end-host-based ele- [164] H. Huang, P. Li, S. Guo, and B. Ye, “The joint optimization of rules
phant detection,” in Proc. IEEE INFOCOM, Shanghai, China, 2011, allocation and traffic engineering in software defined network,” in Proc.
pp. 1629–1637. IEEE 22nd Int. Symp. Qual. Service (IWQoS), Hong Kong, 2014,
[142] A. R. Curtis et al., “DevoFlow: Scaling flow management for high- pp. 141–146.
performance networks,” ACM SIGCOMM Comput. Commun. Rev., [165] F. Giroire, J. Moulierac, and T. K. Phan, “Optimizing rule place-
vol. 41, no. 4, pp. 254–265, 2011. ment in software-defined networks for energy-aware routing,” in Proc.
[143] M. Yu, J. Rexford, M. J. Freedman, and J. Wang, “Scalable flow-based IEEE Glob. Commun. Conf. (GLOBECOM), Austin, TX, USA, 2014,
networking with DIFANE,” ACM SIGCOMM Comput. Commun. Rev., pp. 2523–2529.
vol. 40, no. 4, pp. 351–362, 2010. [166] M. Dong, H. Li, K. Ota, and J. Xiao, “Rule caching in SDN-enabled
[144] A. Tootoonchian and Y. Ganjali, “HyperFlow: A distributed control mobile access networks,” IEEE Netw., vol. 29, no. 4, pp. 40–45,
plane for OpenFlow,” in Proc. Internet Netw. Manag. Conf. Res. Jul./Aug. 2015.
Enterprise Netw., San Jose, CA, USA, 2010, p. 3. [167] N. Katta, O. Alipourfard, J. Rexford, and D. Walker, “Rule-
[145] Y. Hu, W. Wang, X. Gong, X. Que, and S. Cheng, “BalanceFlow: caching algorithms for software-defined networks,” Tech.
Controller load balancing for OpenFlow networks,” in Proc. IEEE 2nd Rep., 2014, accessed on Aug. 1, 2016. [Online]. Available:
Int. Conf. Cloud Comput. Intell. Syst. (CCIS), vol. 2. Hangzhou, China, http://www.cs.princeton.edu/~nkatta/papers/cacheflow-long14.pdf
2012, pp. 780–785. [168] M. Jarschel and R. Pries, “An OpenFlow-based energy-efficient data
[146] S. H. Yeganeh and Y. Ganjali, “Kandoo: A framework for effi- center approach,” in Proc. ACM SIGCOMM Conf. Appl. Technol.
cient and scalable offloading of control applications,” in Proc. 1st Architect. Protocols Comput. Commun., Helsinki, Finland, 2012,
Workshop Hot Topics Softw. Defined Netw., Helsinki, Finland, 2012, pp. 87–88.
pp. 19–24. [169] D. Kakadia and V. Varma. (2012). Energy Efficient Data Center
[147] Y. Guo, Z. Wang, X. Yin, X. Shi, and J. Wu, “Traffic engi- Networks—A SDN Based Approach. Accessed on Aug. 1, 2016.
neering in SDN/OSPF hybrid network,” in Proc. IEEE 22nd [Online]. Available: http://goo.gl/6o5MBj
Int. Conf. Netw. Protocols (ICNP), Raleigh, NC, USA, 2014, [170] J. M. Wang, Y. Wang, X. Dai, and B. Bensaou, “SDN-based multi-class
pp. 563–568. QoS-guaranteed inter-data center traffic management,” in Proc. IEEE
[148] A. Chanda, C. Westphal, and D. Raychaudhuri, “Content based traffic 3rd Int. Conf. Cloud Netw. (CloudNet), 2014, pp. 401–406.
engineering in software defined information centric networks,” in Proc. [171] A. Sallahi and M. St-Hilaire, “Optimal model for the controller place-
IEEE Conf. Comput. Commun. Workshops (INFOCOM WKSHPS), ment problem in software defined networks,” IEEE Commun. Lett.,
Turin, Italy, 2013, pp. 357–362. vol. 19, no. 1, pp. 30–33, Jan. 2015.
[149] B. Puype, W. Vereecken, D. Colle, M. Pickavet, and P. Demeester, [172] S.-H. Wang, “Virtual machine placement for energy efficiency and QoS
“Multilayer traffic engineering for energy efficiency,” Photon. Netw. in software defined datacenter networks,” Ph.D. dissertation, College
Commun., vol. 21, no. 2, pp. 127–140, 2011. Elect. Comput. Eng., Nat. Chiao Tung Univ., Hsinchu, Taiwan, 2013.
346 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 19, NO. 1, FIRST QUARTER 2017

Danda B. Rawat (S’07–M’09–SM’13) received the Ph.D. degree in electrical and computer engineering from Old Dominion University, Norfolk, VA, USA. He is an Associate Professor with the Department of Electrical Engineering and Computer Science, Howard University, Washington, DC, USA. He was with the College of Engineering and Information Technology, Georgia Southern University, Statesboro, GA, USA, as a Faculty Member until 2016. He has published over 120 scientific/technical articles and eight books. His research focuses on wireless communication networks, cybersecurity, cyber-physical systems, Internet-of-Things, big data analytics, wireless virtualization, software-defined networks, smart grid systems, wireless sensor networks, and vehicular/wireless ad-hoc networks. His research is supported by U.S. National Science Foundation, University Sponsored Programs and Center for Sustainability grants. He was a recipient of the NSF Faculty Early Career Development (CAREER) Award and the Outstanding Research Faculty Award (Award for Excellence in Scholarly Activity) in 2015, from Allen E. Paulson College of Engineering and Technology, Georgia Southern University among others, and nominated for the Faculty Award of Excellence in Teaching in 2016 from College of Engineering and Technology, Georgia Southern University. He has been serving as an Editor/Guest Editor for over ten international journals. He serves as the Web-Chair for the IEEE INFOCOM 2016/2017, served as the Student Travel Grant Co-Chair of the IEEE INFOCOM 2015, and the Track Chair for Wireless Networking and Mobility of the IEEE CCNC 2016 and Communications Network and Protocols of the IEEE AINA 2015. He served as the Program Chair, the General Chair, and the Session Chair for numerous international conferences and workshops, and served as a Technical Program Committee Member for several international conferences including the IEEE INFOCOM, the IEEE GLOBECOM, the IEEE CCNC, the IEEE GreenCom, the IEEE AINA, the IEEE ICC, the IEEE WCNC, and the IEEE VTC conferences. He is the Founder and the Director of the Cyber-Security and Wireless Networking Innovations (CWiNs) Research Laboratory. He served as the Vice Chair of the Executive Committee of the IEEE Savannah Section and Webmaster for the section from 2013 to 2017. He is a member of ACM and ASEE.

Swetha R. Reddy (S’15–M’16) received the bachelor’s degree from Jawaharlal Nehru Technological University, India, in 2014, and the master’s degree in electrical and electronics systems from the Department of Electrical Engineering, Georgia Southern University, Statesboro, GA, USA, in 2016. She was a Graduate Research Assistant with the Cybersecurity, Wireless Systems and Networking Innovations Laboratory, College of Engineering and Information Technology, Georgia Southern University, Statesboro, GA, USA. Her research lies in the areas of wireless communication networks, software-defined networks, and network security.
