Software-Defined Networking (SDN)
SDN architecture, OpenFlow, network function virtualization (NFV), intent-based networking, and programmable infrastructure
Chapter 11: Software-Defined Networking (SDN)
When Google Rebuilt the Internet
In 2012, Google made an announcement that stunned the networking world: they had built an entirely new networkβcalled B4βto connect their data centers across the globe. But B4 wasnβt remarkable for its scale. What was revolutionary was its architecture.
Traditional networks used thousands of expensive routers running proprietary software, each independently making routing decisions based on distributed protocols. B4 used commodity switch hardware controlled by centralized software. Googleβs engineers could update how traffic flowed across three continents by modifying code, not by logging into hundreds of devices.
The result? B4 ran at near 100% link utilizationβunheard of in traditional networks that typically run at 30-40% to handle traffic bursts. Google estimated they saved hundreds of millions of dollars in equipment and bandwidth costs.
This was Software-Defined Networking (SDN) at scale. And it represented a fundamental shift in how networks could be built and operated.
Today, SDN principles underpin cloud networking, container orchestration, and enterprise network modernization. Understanding SDN is essential for anyone working with modern infrastructure.
In fact, youβve already been learning about SDN without realizing it. The cloud VPCs we discussed in Chapter 9? Theyβre implemented using SDN. The Kubernetes networking from Chapter 10? Built on SDN principles. This chapter brings those concepts into focus, showing you the underlying architecture that makes modern programmable networks possible.
The Problem with Traditional Networks
To appreciate why SDN matters, we first need to understand what was wrong with the traditional approach. The problems weβll discuss arenβt theoreticalβtheyβre why large organizations like Google invested millions of dollars to fundamentally rethink how networks work.
Distributed Control
Traditional networks operate on a distributed model: every router and switch makes its own forwarding decisions based on protocols like OSPF, BGP, and spanning tree. Each device runs complex software, maintains its own view of the network, and independently determines how to handle packets.
Traditional Network Architecture
Traditional Network Architecture:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
ββββββββββββββββββ ββββββββββββββββββ ββββββββββββββββββ
β Smart Router A β β Smart Router B β β Smart Router C β
β β β β β β
β ββββββββββββββ β β ββββββββββββββ β β ββββββββββββββ β
β βControl β β β βControl β β β βControl β β
β βPlane β β β βPlane β β β βPlane β β
β β(OSPF, BGP) β β β β(OSPF, BGP) β β β β(OSPF, BGP) β β
β ββββββββββββββ€ β β ββββββββββββββ€ β β ββββββββββββββ€ β
β βData Plane β β β βData Plane β β β βData Plane β β
β β(Forwarding)β β β β(Forwarding)β β β β(Forwarding)β β
β ββββββββββββββ β β ββββββββββββββ β β ββββββββββββββ β
βββββββββ¬βββββββββ βββββββββ¬βββββββββ βββββββββ¬βββββββββ
β β β
βββββββββββββββββββββββΌββββββββββββββββββββββ
β
Each device is independent "brain"
Must configure each one separatelyThe Challenges
| Challenge | Impact |
|---|---|
| Device-centric management | Configure each device individually via CLI |
| Vendor lock-in | Proprietary protocols and management interfaces |
| Slow change velocity | Network changes require careful planning, maintenance windows |
| Limited automation | Scripts must handle vendor-specific syntax |
| Complex troubleshooting | Must check each device to trace problems |
| Expensive hardware | Vendors charge premium for intelligence in devices |
| Protocol ossification | Deploying new protocols requires hardware upgrades |
THINK ABOUT IT
Compare this to early computing, where each computer was programmed individually. The revolution came when we separated hardware from software and centralized management. SDN brings this same revolution to networking.
These challenges led researchers and network engineers to ask a fundamental question: what if we could redesign networking from scratch? The answer was SDN.
SDN Architecture: Separating Planes
The core idea of SDN is elegantly simple, even if the implementation can be complex. Itβs based on recognizing that network devices do two fundamentally different things, and we can separate them.
The Key Insight
SDNβs fundamental innovation is separation of the control plane from the data plane:
- Control Plane: The βbrainβ that decides how packets should be handledβrouting tables, ACLs, QoS policies
- Data Plane: The βmuscleβ that actually forwards packets based on rules from the control plane
SDN Architecture
SDN Architecture:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
ββββββββββββββββββββββββββββββββββββββββββββββββ
β SDN Controller β
β (Centralized Brain) β
β β
β ββββββββββββββββββββββββββββββββββββββββββ β
Northbound β β Control Plane Logic β β
API (REST, β β β’ Network topology view β β
gRPC) β β β’ Path computation β β
β² β β β’ Policy enforcement β β
β β β β’ Traffic engineering β β
β β ββββββββββββββββββββββββββββββββββββββββββ β
Applications β β β
(Orchestration, β Southbound API (OpenFlow, β
Security, β NETCONF, gRPC) β
Monitoring) βββββββββββββββββββββββΌβββββββββββββββββββββββββ
β
βββββββββββββββββββββββΌββββββββββββββββββββββ
β βΌ β
βββββββββββββββββ΄ββββ βββββββββββββββββββββ ββββββββββββββ΄βββ
β Simple Switch β β Simple Switch β β Simple Switch β
β β β β β β
β βββββββββββββββ β β βββββββββββββββ β β βββββββββββββ β
β β Flow Tables β β β β Flow Tables β β β βFlow Tablesβ β
β β (From Ctrl) β β β β (From Ctrl) β β β β(From Ctrl)β β
β βββββββββββββββ€ β β βββββββββββββββ€ β β βββββββββββββ€ β
β β Data Plane β β β β Data Plane β β β βData Plane β β
β β(Forwarding) β β β β(Forwarding) β β β β(Forward) β β
β βββββββββββββββ β β βββββββββββββββ β β βββββββββββββ β
βββββββββββββββββββββ βββββββββββββββββββββ βββββββββββββββββ
Switches become "dumb" hardwareβjust forward based on rules
All intelligence is in the centralized controllerBenefits of Separation
| Benefit | Description |
|---|---|
| Centralized view | Controller sees entire network topology |
| Programmability | Network behavior is software-defined |
| Vendor independence | Standard protocols, commodity hardware |
| Rapid innovation | Update software, not hardware |
| Automation-friendly | APIs enable programmatic control |
| Simplified devices | Cheaper switches, lower power |
The concept of separating control and data planes is powerful, but it raises a practical question: how does the controller actually tell the switches what to do? This is where OpenFlow comes in.
OpenFlow: The SDN Protocol
OpenFlow was the protocol that kicked off the SDN revolution. It provides a standard way for controllers to communicate with switches, defining how forwarding rules are expressed and programmed. While newer alternatives exist today, understanding OpenFlow illuminates how SDN works at its core.
What is OpenFlow?
OpenFlow is the original protocol defining communication between SDN controllers and switches. It allows the controller to define forwarding rules (flow entries) that switches use to handle packets.
Flow Tables
OpenFlow switches maintain flow tablesβordered lists of rules that determine how to handle packets:
OpenFlow Flow Table Entry
OpenFlow Flow Table Entry:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββ¬βββββββββββ¬ββββββββββββββ¬βββββββββββββββββββ
β Match Fields β Priority β Counters β Actions β
βββββββββββββββββββββββΌβββββββββββΌββββββββββββββΌβββββββββββββββββββ€
β in_port=1 β β packets: 0 β output:2 β
β eth_type=0x0800 β 1000 β bytes: 0 β set_vlan:100 β
β ip_dst=10.0.0.0/8 β β β β
βββββββββββββββββββββββΌβββββββββββΌββββββββββββββΌβββββββββββββββββββ€
β in_port=2 β β packets: 0 β output:1 β
β eth_dst=* β 100 β bytes: 0 β β
βββββββββββββββββββββββΌβββββββββββΌββββββββββββββΌβββββββββββββββββββ€
β * (wildcard) β 0 β packets: 0 β output:CONTROLLERβ
β β β bytes: 0 β (packet-in) β
βββββββββββββββββββββββ΄βββββββββββ΄ββββββββββββββ΄βββββββββββββββββββ
Packet arrives:
1. Compare against flow entries (highest priority first)
2. First match: Execute actions
3. No match: Send to controller (or default action)
Match Fields can include:
- Ingress port
- Ethernet src/dst, type, VLAN
- IP src/dst, protocol
- TCP/UDP src/dst port
- And more...
Actions include:
- Forward to port(s)
- Drop
- Modify headers
- Send to controller
- Send to another flow tableOpenFlow Messages
| Message Type | Direction | Purpose |
|---|---|---|
| Packet-In | Switch β Controller | Send unmatched packet for decision |
| Packet-Out | Controller β Switch | Inject packet into switch |
| Flow-Mod | Controller β Switch | Add/modify/delete flow entries |
| Stats-Request/Reply | Bidirectional | Query flow statistics |
| Port-Status | Switch β Controller | Port state changes |
| Features-Request/Reply | Bidirectional | Switch capabilities |
OpenFlow Reactive Flow Setup
OpenFlow Reactive Flow Setup:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Host A Switch Controller
β β β
β 1. Packet to B β β
βββββββββββββββββββββββΊβ β
β β β
β β 2. No flow match! β
β β PACKET-IN β
β ββββββββββββββββββββββββββΊβ
β β β
β β 3. Controller decides β
β β FLOW-MOD + PACKET-OUT
β βββββββββββββββββββββββββββ€
β β β
β β 4. Flow installed β
β β Packet forwarded β
β βββββββββββββββββββββ€ β
β β β
β 5. Subsequent β β
β packets match β β
β flow directly β β
βββββββββββββββββββββββΊβ β
β βββββββββββββββββββββ€ (No controller involved)Proactive vs Reactive
Reactive: Controller populates flows on-demand when packets arrive (higher latency for first packet)
Proactive: Controller pre-populates flows before traffic arrives (no first-packet latency, but requires knowledge of expected traffic)
Now that we understand how switches process traffic using flow tables, letβs look at the other half of the equation: the controller that programs those tables.
SDN Controllers
The controller is the brain of an SDN networkβitβs where all the intelligence lives. Choosing the right controller and understanding its architecture is crucial for both functionality and security.
Popular Controllers
| Controller | Type | Notes |
|---|---|---|
| ONOS | Open source | Carrier-grade, high availability |
| OpenDaylight | Open source | Modular, enterprise focus |
| Floodlight | Open source | Simple, educational |
| Ryu | Open source | Python-based, easy development |
| VMware NSX | Commercial | Data center virtualization |
| Cisco ACI | Commercial | Application-centric |
| Big Switch (Arista) | Commercial | Cloud-scale SDN |
Controller Architecture
SDN Controller Internal Architecture
SDN Controller Internal Architecture:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β SDN CONTROLLER β
β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β Northbound API (REST, gRPC) β β
β β Applications talk to controller here β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β
β βββββββββββββββββββββββββββββΌββββββββββββββββββββββββββββββββ β
β β Core Services β β
β β βββββββββββββββ βββββββββββββββ βββββββββββββββ β β
β β β Topology β β Host β β Statistics β β β
β β β Manager β β Tracker β β Manager β β β
β β βββββββββββββββ βββββββββββββββ βββββββββββββββ β β
β β βββββββββββββββ βββββββββββββββ βββββββββββββββ β β
β β β Path β β Flow β β Device β β β
β β β Computation β β Manager β β Manager β β β
β β βββββββββββββββ βββββββββββββββ βββββββββββββββ β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β Southbound API (OpenFlow, NETCONF, gRPC) β β
β β Controller talks to switches here β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββNetwork Function Virtualization (NFV)
SDN separates the control plane from the data plane, making network switches programmable. But what about other network functionsβfirewalls, load balancers, intrusion detection systems? Traditionally, these required dedicated hardware appliances. NFV extends the SDN philosophy to these functions.
NFV and SDN are complementary technologies that together enable fully software-defined infrastructure. Understanding both helps you see the complete picture of modern programmable networks.
From Hardware to Software
Traditionally, network functions like firewalls, load balancers, and IDS required dedicated hardware appliances. NFV virtualizes these functions, running them as software on commodity servers.
Traditional vs NFV
Traditional vs NFV:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
TRADITIONAL (Hardware Appliances):
ββββββββββββββββββββββββββββββββββ
βββββββββββ
Traffic βββΊ Router βββΊ Firewall βββΊ Load Balancer βββΊ Servers
(HW) (HW) (HW)
Each function: Dedicated hardware, proprietary, expensive
NFV (Virtualized Functions):
ββββββββββββββββββββββββββββ
ββββββββββββββββββββββββββββββββββββββββββββββββ
β Standard x86 Server(s) β
β βββββββββββββββββββββββββββββββββββββββββββ β
β β Hypervisor / Container β β
β β βββββββββββ ββββββββ ββββββββββββββββ β β
Traffic βββββββΌββΊβ βvRouter βββvFW βββvLoad BalancerββββΌββΊ Servers
β β β (VM) β β(VM) β β (VM) β β β
β β βββββββββββ ββββββββ ββββββββββββββββ β β
β βββββββββββββββββββββββββββββββββββββββββββ β
ββββββββββββββββββββββββββββββββββββββββββββββββ
All functions: Software on commodity hardwareNFV Benefits
- Cost reduction: Commodity hardware instead of appliances
- Flexibility: Spin up/down functions as needed
- Speed: Deploy new functions in minutes, not months
- Scalability: Scale horizontally by adding VMs
- Automation: API-driven deployment and management
Common Virtual Network Functions (VNFs)
| VNF Type | Purpose | Examples |
|---|---|---|
| vRouter | Routing | VyOS, FRRouting, BIRD |
| vFirewall | Security | pfSense, OPNsense, Fortinet VM |
| vLoad Balancer | Traffic distribution | HAProxy, NGINX, F5 BIG-IP Virtual |
| vIDS/IPS | Intrusion detection | Suricata, Snort |
| vWAN Optimizer | WAN acceleration | Silver Peak, Riverbed |
| vDNS | Name resolution | BIND, Unbound |
SDN + NFV Together
SDN and NFV Relationship
SDN and NFV Relationship:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Orchestration Layer β
β (ONAP, OSM, or cloud platform) β
βββββββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββββββββ€
β SDN Domain β NFV Domain β
β β β
β βββββββββββββββββββ β βββββββββββββββββββββββββββββββ β
β β SDN Controller β β β VNF Manager β β
β β (Control Plane)β β β (Deploy/manage VNFs) β β
β ββββββββββ¬βββββββββ β βββββββββββββββ¬ββββββββββββββββ β
β β β β β
β ββββββββββ΄βββββββββ β βββββββββββββββ΄ββββββββββββββββ β
β β SDN Switches β β β Virtual Network Functions β β
β β (Data Plane) ββββββΌββββΊβ (vFW, vLB, vRouter...) β β
β βββββββββββββββββββ β βββββββββββββββββββββββββββββββ β
β β β
β SDN: How traffic flows β NFV: What happens to traffic β
βββββββββββββββββββββββββββ΄ββββββββββββββββββββββββββββββββββββββββIntent-Based Networking (IBN)
SDN and NFV give us programmatic control over networks, but we still need to tell the controller exactly what to do. What if we could go a step further and just tell the network what we want to achieve and let it figure out the details?
This is the promise of Intent-Based Networkingβa higher level of abstraction that translates business intent into network configuration automatically.
From βHowβ to βWhatβ
Traditional networking requires administrators to specify exactly how to configure each device. Intent-Based Networking allows specifying what you want, and the system figures out how.
Traditional vs IntentBased
Traditional vs Intent-Based:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
TRADITIONAL (Imperative):
βββββββββββββββββββββββββ
Admin specifies HOW:
- "On switch A, create VLAN 100"
- "On switch A, port 1-10 in VLAN 100"
- "On switch A, create ACL: permit 10.0.0.0/8"
- "On switch A, apply ACL to VLAN 100"
- "On switch B, create VLAN 100..."
- (Repeat for every switch...)
INTENT-BASED (Declarative):
βββββββββββββββββββββββββββ
Admin specifies WHAT:
"Finance department users should only access finance servers"
IBN System:
1. Translates intent to policy
2. Discovers current network state
3. Computes required changes
4. Pushes configuration to all devices
5. Verifies intent is achieved
6. Continuously monitors for violationsIBN Architecture
IntentBased Networking System
Intent-Based Networking System:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β INTENT LAYER β
β "HR users can access HR servers during business hours" β
βββββββββββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββ
β Translate
βββββββββββββββββββββββββββββββ΄ββββββββββββββββββββββββββββββββ
β POLICY LAYER β
β Source: HR_Group (10.1.0.0/24, AD Group: HR) β
β Dest: HR_Servers (10.100.0.0/24) β
β Time: M-F 08:00-18:00 β
β Action: Allow β
βββββββββββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββ
β Compile
βββββββββββββββββββββββββββββββ΄ββββββββββββββββββββββββββββββββ
β ACTIVATION LAYER β
β Router A: ACL permit 10.1.0.0/24 β 10.100.0.0/24 β
β Switch B: VLAN assignment, port security β
β Firewall: Rule 100: src HR β dst HR_Servers, time-based β
βββββββββββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββ
β Push + Verify
βββββββββββββββββββββββββββββββ΄ββββββββββββββββββββββββββββββββ
β ASSURANCE LAYER β
β Continuous monitoring: Is intent being achieved? β
β Alert if violations detected β
β Auto-remediate if possible β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββIBN Vendors
- Cisco DNA Center: Intent-based for enterprise
- Apstra (Juniper): Data center intent automation
- Forward Networks: Intent verification and simulation
- VMware NSX: Declarative security policies
SDN Security Considerations
The centralized architecture that makes SDN powerful also creates new security challenges. When all network intelligence lives in one place, that place becomes a critical target. Understanding these risksβand how to mitigate themβis essential for anyone deploying SDN.
But SDN isnβt just a security risk; itβs also a security enabler. The same centralized control that creates attack opportunities also enables powerful defensive capabilities that werenβt possible with traditional distributed networks.
New Attack Surfaces
SDN introduces new security considerations:
SDN Security Concerns
SDN Security Concerns:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββββββββββββββββββββ
β SDN CONTROLLER β
βββββββββββββββββββββββ€ β
β β SINGLE POINT OF COMPROMISE β
β Northbound API β - If controller compromised, β
β attacks β attacker controls entire network β
β (unauthorized apps) β - Controller is HIGH-VALUE target β
β β β
βββββββββββββββββββββββ€ AVAILABILITY CONCERN β
β - Controller failure = network blind β
βββββββββββββββββββββββ€ - Need HA clustering β
β β β
β Southbound attacks β COMMUNICATION SECURITY β
β (fake controller, β - OpenFlow should use TLS β
β message injection) β - Authenticate controllers β
β β β
βββββββββββββββββββββββ΄ββββββββββββββββββββββββββββββββββββββββ
β
βΌ
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Switches β
β β
β FLOW TABLE ATTACKS β
β - Overflow flow tables (resource exhaustion) β
β - Inject malicious flows (if controller compromised) β
β β
β DENIAL OF SERVICE β
β - Flood controller with packet-in messages β
β - Generate traffic with no matching flows β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββSecurity Best Practices
| Area | Recommendation |
|---|---|
| Controller hardening | Treat as critical infrastructure, limit access |
| TLS everywhere | Encrypt controller-switch communication |
| Controller HA | Deploy clustered controllers |
| API security | Strong authentication, rate limiting |
| Flow table limits | Set maximum flows, handle overflow gracefully |
| Anomaly detection | Monitor for unusual controller traffic patterns |
| Separation of duties | Different apps shouldnβt modify same flows |
| Audit logging | Log all flow modifications |
SDN Security Applications
SDN also enables powerful security use cases:
- Microsegmentation: Fine-grained isolation between workloads
- Quarantine: Instantly isolate compromised hosts
- Traffic steering: Route traffic through security functions dynamically
- DDoS mitigation: Push filtering rules to edge instantly
- Forensics: Capture and redirect traffic for analysis
SDN Security Response Example
SDN Security Response Example:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
1. IDS detects malware on Host 10.0.1.50
2. Security app calls controller API:
"Quarantine host 10.0.1.50"
3. Controller pushes flows to ALL switches:
- Drop all traffic from 10.0.1.50 except to quarantine VLAN
- Redirect 10.0.1.50 to remediation portal
4. Response time: Seconds (vs. minutes/hours traditionally)
5. All network paths blocked simultaneously
(Traditional: Update each device's ACL individually)Practical SDN
Simple SDN Lab with Mininet
Mininet is a network emulator that creates virtual SDN networks:
# Install Mininet (Ubuntu)
sudo apt install mininet
# Create simple topology
sudo mn --topo single,4 --controller remote
# This creates:
# - 1 switch with 4 hosts
# - Connects to remote controller (default localhost:6653)
# In another terminal, run a controller (Ryu example)
pip install ryu
ryu-manager ryu.app.simple_switch_13
# Back in Mininet, test connectivity
mininet> pingall
mininet> h1 ping h2
mininet> iperf h1 h2Writing SDN Applications
Example Ryu controller application (Python):
from ryu.base import app_manager
from ryu.controller import ofp_event
from ryu.controller.handler import MAIN_DISPATCHER
from ryu.controller.handler import set_ev_cls
from ryu.ofproto import ofproto_v1_3
class SimpleSwitch(app_manager.RyuApp):
OFP_VERSIONS = [ofproto_v1_3.OFP_VERSION]
@set_ev_cls(ofp_event.EventOFPPacketIn, MAIN_DISPATCHER)
def packet_in_handler(self, ev):
"""Handle packets that don't match any flow."""
msg = ev.msg
dp = msg.datapath
ofp = dp.ofproto
parser = dp.ofproto_parser
# Flood the packet (simple hub behavior)
actions = [parser.OFPActionOutput(ofp.OFPP_FLOOD)]
out = parser.OFPPacketOut(
datapath=dp,
buffer_id=msg.buffer_id,
in_port=msg.match['in_port'],
actions=actions
)
dp.send_msg(out)SDN in the Real World
| Use Case | How SDN Helps |
|---|---|
| Data centers | Automated provisioning, microsegmentation |
| WAN | SD-WAN, traffic engineering |
| Campus | Policy-based access, segmentation |
| Cloud | Virtual networks, VPC implementation |
| 5G | Network slicing, dynamic capacity |
| IoT | Device isolation, traffic management |
Key Takeaways
-
SDN separates the control plane from the data plane, centralizing network intelligence in a controller
-
OpenFlow is the foundational protocol for SDN, defining how controllers program switch flow tables
-
NFV virtualizes network functions, running firewalls, load balancers, and routers as software on commodity hardware
-
Intent-Based Networking abstracts configuration further, allowing administrators to specify what they want rather than how to configure it
-
SDN security introduces new attack surfaces (controller compromise) but also enables powerful security applications (instant quarantine, microsegmentation)
-
SDN is foundational to modern cloud networking, container orchestration (Kubernetes CNI), and enterprise network modernization
Self-Assessment
-
Comprehension: Why is centralizing the control plane both a benefit and a security risk?
-
Application: A company wants to instantly block all traffic from a compromised host across their entire network. How would SDN enable this compared to traditional networking?
-
What if: If an attacker gained access to the SDN controllerβs northbound API, what attacks would be possible?
Review Questions
- What are the control plane and data plane, and why does SDN separate them?
- How do OpenFlow flow tables work?
- What is the difference between NFV and SDN?
- What benefits does Intent-Based Networking provide over traditional configuration?
- What are the main security concerns with SDN architecture?
- How can SDN improve network security response times?
Key Standards and Resources
- ONF (Open Networking Foundation): SDN standards body
- OpenFlow Specification: Switch-controller protocol
- ETSI NFV: NFV architecture standards
- OpenDaylight: Open source SDN controller
- ONOS: Open source carrier-grade SDN controller