SDN network policies are updated dynamically and at a high pace. As a result, conflicts between policies are prone to occur. Due to the large number of switches and the heterogeneous policies within a typical SDN network, detecting those conflicts is a laborious and challenging task. This paper makes a twofold contribution. First, we devise an offline method for detecting unmatched OpenFlow rules, i.e., rules that are never fired. At the heart of our scheme is a formal approach for predicting a packet's path inside an SDN network. From this perspective, we propose a taxonomy of unmatched rules: invalid anomalies and irrelevant anomalies. Second, we introduce a new set of definitions for intra-anomalies, which might occur when using the multi-action feature of OpenFlow rules. We provide comprehensive experimental results that show the feasibility of our approach and its ability to scale within large SDN networks.