Asecure and high-performancemulti-controller architecture for software-defined networking Project supported by the National Natural Science Foundation of China (Nos. 61402357, 61272459, and 61402357), the China Postdoctoral Science Foundation (No. 2015M570835), the Fundamental Research Funds for the Central Universities, China, the Program for New Century Excellent Talents in University, and the CETC 54 Project (No. ITD-U14001/KX142600008)

Controllers play a critical role in software-defined networking (SDN). However, existing singlecontroller SDN architectures are vulnerable to single-point failures, where a controller’s capacity can be saturated by flooded flow requests. In addition, due to the complicated interactions between applications and controllers, the flow setup latency is relatively large. To address the above security and performance issues of current SDN controllers, we propose distributed rule store (DRS), a new multi-controller architecture for SDNs. In DRS, the controller caches the flow rules calculated by applications, and distributes these rules to multiple controller instances. Each controller instance holds only a subset of all rules, and periodically checks the consistency of flow rules with each other. Requests from switches are distributed among multiple controllers, in order to mitigate controller capacity saturation attack. At the same time, when rules at one controller are maliciously modified, they can be detected and recovered in time. We implement DRS based on Floodlight and evaluate it with extensive emulation. The results show that DRS can effectively maintain a consistently distributed rule store, and at the same time can achieve a shorter flow setup time and a higher processing throughput, compared with ONOS and Floodlight.