FSFW: FlowSpace Firewall

FlowSpace Firewall (FSFW) provides network virtualization of OpenFlow-enabled switches.  The virtualization happens on a per-VLAN-tag, per-interface basis.  Instead of interpreting a flow mod and rewriting it where necessary (as FlowVisor does), FlowSpace Firewall either allows the rule to pass through unchanged or rejects it and sends an error back to the controller.

FlowSpace Firewall also provides the ability to slice flow statistics based on the defined flow space and send each controller only the set of flows that it is able to modify.

The ultimate goal of FlowSpace Firewall is to allow multiple controllers to control a single OpenFlow switch without those controllers being able to step on each other's flow rules. What separates it from other OpenFlow virtualization tools (such as FlowVisor) is its limited scope, currently slicing only on VLAN/interface, and the ability to configure it with "friendly names" such as port name and node name instead of DPID and port id (as those may change).  The limited scope allows for simpler and faster slicing of requests.

FlowSpace Firewall is configured using an XML file.  The configuration file accepts VLAN ranges, allowing more compact configuration than other SDN virtualization tools, and the use of friendly names means port ids can change on the switch without the configuration having to be updated.

FlowSpace Firewall is a module that plugs into Floodlight, an open-source OpenFlow controller written in Java.

For assistance please contact fsfw-users@grnoc.iu.edu or join our list at https://mail1.grnoc.iu.edu/mailman/listinfo/fsfw-users

FlowSpace Firewall is distributed under the Apache 2 License and is Copyright 2013 Indiana University.


FlowSpace Firewall (FSFW) is designed to work with any OpenFlow 1.0 compatible switch and controller.  FSFW has two main goals: first, to allow multiple OpenFlow controllers to configure a single OpenFlow switch, and second, to prevent each controller from interfering with the other controllers communicating with that switch.  To accomplish these goals the following features have been implemented in FSFW.

  • Rate Limiting - Each slice/switch combination has a configurable rate limit on the control channel messages a controller may send to a switch. Once this limit has been exceeded FSFW returns errors to the offending controller instead of forwarding its messages.
  • Allow/Deny Rules based on FlowSpace - Before a flow rule is sent to a switch it is verified to lie within the controller's FlowSpace.  If it is allowed it is sent to the switch unchanged; if it is denied an error is returned to the controller.
  • XID Translation/Barrier/Error reporting - All message XIDs are translated to an internally mapped XID.  If an error occurs on the switch for a given FlowMod, only the controller which sent that FlowMod receives the error.
  • FlowStat Slicing - FlowStats are continually queried from the switch and cached in memory.  When a slice requests the flow stats for a device, the stats are fetched from the cache and then sliced, so only flows that exist in the slice's FlowSpace are returned.
  • Web-Services - JSON-RPC web services allow for monitoring and configuration reloads.
  • Configurable Logging - The logging level can be changed for each module of FSFW/Floodlight individually, with minimal delay and without restarting FSFW.  This allows for better troubleshooting without a restart of FSFW.
  • Managed Tag Mode - For controllers that do not know how to do VLAN translation across a complex backbone, or that ignore VLAN tags entirely, FSFW will append and strip VLAN tags in matches and actions to make the flow rule fit in the FlowSpace.
  • Idle/Hard Timeout - Some devices do not support idle/hard timeouts in OpenFlow.  For those devices FSFW can be configured to track the timeouts itself and remove the expired flows.

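The following is an added illustration of the allow/deny and FlowStat slicing described above; it is not FSFW's own code, and the XML element names (switch, port, slice, flowspace) are a constructed stand-in for FSFW's real configuration schema.  It resolves friendly names to DPID/port id at load time, then checks a flow mod's match and every output port against the slice's VLAN ranges, rejecting (never rewriting) anything outside the slice, including a wildcarded VLAN, which would otherwise let a rule escape its slice.

```python
import xml.etree.ElementTree as ET

# Constructed example config; element names are illustrative, not FSFW's schema.
CONFIG = """
<config>
  <switch name="sw1" dpid="00:00:00:00:00:00:00:01">
    <port name="eth1" id="1"/><port name="eth2" id="2"/><port name="eth3" id="3"/>
  </switch>
  <slice name="tenant-a">
    <flowspace switch="sw1" port="eth1" vlan_start="100" vlan_end="199"/>
    <flowspace switch="sw1" port="eth2" vlan_start="100" vlan_end="199"/>
  </slice>
</config>
"""

def load_config(xml_text):
    """Return {slice_name: [(dpid, port_id, vlan_lo, vlan_hi), ...]}."""
    root = ET.fromstring(xml_text)
    # Friendly (node, port) names are resolved to DPID / port id once here;
    # if a port id changes, only the <port> line changes, not every flowspace.
    ports = {(sw.get("name"), p.get("name")): (sw.get("dpid"), int(p.get("id")))
             for sw in root.iter("switch") for p in sw.iter("port")}
    slices = {}
    for sl in root.iter("slice"):
        space = []
        for fs in sl.iter("flowspace"):
            dpid, port_id = ports[(fs.get("switch"), fs.get("port"))]
            space.append((dpid, port_id, int(fs.get("vlan_start")), int(fs.get("vlan_end"))))
        slices[sl.get("name")] = space
    return slices

def in_flowspace(space, dpid, port_id, vlan):
    return any(d == dpid and p == port_id and lo <= vlan <= hi for d, p, lo, hi in space)

def check_flow_mod(space, fm):
    """Allow or reject a flow mod; the rule is never modified to fit."""
    dpid, in_port, vlan = fm["dpid"], fm["in_port"], fm["vlan"]
    if vlan is None:  # wildcarded VLAN would match every slice's traffic on the port
        return (False, "match must specify a VLAN tag")
    if not in_flowspace(space, dpid, in_port, vlan):
        return (False, "match in_port=%d vlan=%d outside slice flowspace" % (in_port, vlan))
    out_vlan = vlan
    for action in fm["actions"]:  # ("set_vlan", vid) or ("output", port_id)
        if action[0] == "set_vlan":
            out_vlan = action[1]  # later outputs carry the rewritten tag
        elif action[0] == "output" and not in_flowspace(space, dpid, action[1], out_vlan):
            return (False, "output port=%d vlan=%d outside slice flowspace" % (action[1], out_vlan))
    return (True, "allowed")

def slice_flow_stats(space, cached_stats):
    """Return only the cached flow entries that lie in this slice's flowspace."""
    return [s for s in cached_stats if in_flowspace(space, s["dpid"], s["in_port"], s["vlan"])]
```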
Tested OpenFlow 1.0 Applications

Vendor       Product                              Version(s)
GlobalNOC    OESS: Open Exchange Software Suite