SDN Controllers: The Brain of Software-Defined Networks

An SDN controller is only as useful as its interfaces. Without well-defined APIs, the controller remains a isolated brain—unable to command network devices or serve application needs. The northbound and southbound interfaces are the arteries that carry control traffic through the SDN architecture.

These interfaces aren't mere implementation details. They define the contract between architectural layers, determine what applications can express, constrain what devices must support, and ultimately shape what SDN can achieve. A controller with limited southbound protocols manages only compatible devices. A controller with primitive northbound APIs restricts application sophistication.

This page dissects both interface categories, exploring the protocols, paradigms, and design philosophies that enable controller communication. By understanding northbound and southbound APIs, you'll comprehend how SDN translates high-level intent into low-level forwarding behavior.

SDN architecture organizes interfaces by their relationship to the controller—a directional classification that clarifies function and responsibility.

Interface Taxonomy

• Northbound Interfaces: Connect applications above the controller

  • Applications consume network services through these APIs
  • Express intent, request resources, receive notifications
  • Controller abstracts complexity; applications see simplified model

• Southbound Interfaces: Connect devices below the controller

  • Controller commands forwarding elements through these protocols
  • Install rules, query state, receive events
  • Devices expose capabilities; controller programs behavior

• East-West Interfaces: Connect peer controllers

  • Synchronize state in distributed deployments
  • Coordinate actions across controller instances
  • (Covered separately in distributed controller discussions)

The north/south metaphor derives from network diagrams where applications sit atop infrastructure—controller in the middle, applications above, devices below.

The Abstraction Stack

Each interface layer provides abstraction:

1. Physical Layer: Electrical signals, fiber optics, radio waves
2. Southbound: Protocol messages—flow rules, table entries, counters
3. Controller Core: Topology, paths, policies, state
4. Northbound: Intent, services, resources, events
5. Application: Business logic, user interfaces, automation

Each layer hides complexity from the layer above. Applications don't know about flow table TCAM limits. Controllers don't know about ASIC pipeline specifics. This separation enables:

• Portability: Applications work across different controllers
• Evolvability: Devices upgrade without application changes
• Specialization: Each layer optimizes for its concerns
• Composability: Mix applications and devices freely

Southbound interfaces enable controllers to program, monitor, and manage network devices. These protocols provide the mechanism through which abstract controller decisions become concrete forwarding behavior.

Core Functions

Southbound interfaces must support:

1. Device Discovery: Identify connected devices, their capabilities, and configuration
2. Topology Discovery: Determine how devices interconnect (often via LLDP)
3. State Installation: Program forwarding rules, routing entries, ACLs
4. State Query: Retrieve current configuration and forwarding tables
5. Statistics Collection: Gather counters, throughput, errors, latency metrics
6. Event Notification: Receive alerts about state changes, failures, threshold crossings

Imperative vs Declarative

Southbound protocols follow two paradigms:

• Imperative: Controller specifies exact operations—"add this rule," "delete that entry"

  • OpenFlow: explicitly installs/removes flow rules
  • Precise control but verbose

• Declarative: Controller specifies desired state—"ensure this configuration exists"

  • NETCONF/YANG: defines target configuration
  • Device determines how to reach desired state

OpenFlow: The Canonical Southbound Protocol

OpenFlow deserves special attention as the protocol that launched SDN:

• Match-Action Model: Packets match against flow table entries; matching triggers actions (forward, drop, modify)
• Flow Tables: Ordered tables of priority-based rules with timeouts and counters
• Messages: PacketIn (unknown packet), PacketOut (inject packet), FlowMod (modify rules), StatsRequest/Reply
• Versions: 1.0 (2009) → 1.3 (dominant) → 1.5 (current, limited adoption)

OpenFlow's explicit flow programming enables fine-grained control but creates scaling challenges—large networks may have millions of flows requiring explicit rules.

P4Runtime: Programmable Pipeline Control

P4Runtime extends beyond OpenFlow's fixed-function model:

• Programmable Pipelines: P4 programs define custom packet processing
• Runtime Control: P4Runtime programs table entries for P4-defined tables
• Arbitrary Protocols: Parse and match any header—not just predefined types
• gRPC Transport: Modern RPC with streaming and efficiency

P4Runtime represents next-generation southbound control where the pipeline itself is programmable, not just the entries within fixed tables.

OpenFlow remains the most widely deployed southbound SDN protocol. Understanding its operation is fundamental to SDN practice.

Connection Establishment

OpenFlow uses dedicated control channels:

1. Switch boots and initiates TCP connection to controller (port 6633 legacy, 6653 standard)
2. Optional TLS handshake for encrypted control channel
3. OFPT_HELLO exchanged to negotiate protocol version
4. OFPT_FEATURES_REQUEST/REPLY to discover switch capabilities
5. Controller receives switch datapath ID, port list, supported tables
6. Connection maintained with keepalives (echo request/reply)

Flow Table Structure

Switches contain one or more flow tables, each with entries comprising:

• Match Fields: Headers to match—MAC, IP, VLAN, TCP ports, etc.
• Priority: Higher priority rules evaluated first
• Counters: Packets and bytes matched
• Instructions: Actions to take—forward, drop, modify, goto-table
• Timeouts: Idle and hard timeouts for automatic expiry
• Cookie: Controller-assigned identifier for rule management

Key Message Types

Controller-to-Switch:

• OFPT_FLOW_MOD: Add/modify/delete flow entries
• OFPT_PACKET_OUT: Send packet through switch
• OFPT_STATS_REQUEST: Query counters and state
• OFPT_BARRIER_REQUEST: Ensure message ordering
• OFPT_GROUP_MOD: Modify group tables (multicast/failover)

Switch-to-Controller:

• OFPT_PACKET_IN: Unknown packet forwarded to controller
• OFPT_FLOW_REMOVED: Flow entry expired or deleted
• OFPT_PORT_STATUS: Port state change (up/down/modified)
• OFPT_STATS_REPLY: Response to statistics request
• OFPT_ERROR: Request failed (table full, invalid operation)

OpenFlow Versions and Evolution

OpenFlow has evolved significantly:

• 1.0 (2009): Single table, limited match fields, basic actions
• 1.1 (2011): Multiple tables, VLAN support, groups
• 1.2 (2011): Extensible match (OXM), IPv6 support
• 1.3 (2012): Meters (rate limiting), table features, dominant production version
• 1.4 (2013): Optical port support, synchronized tables
• 1.5 (2014): Egress tables, scheduled bundles, packet registers

Most production deployments use OpenFlow 1.3. Later versions added features but saw limited adoption as alternatives (P4Runtime, gNMI) emerged.

While OpenFlow handles flow-level programming, NETCONF and YANG provide configuration management for network devices. These protocols complement OpenFlow in comprehensive SDN deployments.

YANG: The Data Modeling Language

YANG defines the structure and semantics of configuration data:

• Hierarchical Models: Tree-structured data with containers, lists, leaves
• Type System: Built-in types (string, int, boolean) and derived types
• Constraints: Must, when, mandatory statements enforce validity
• Semantic Annotations: Description, reference, status provide documentation
• Standard and Vendor Models: IETF, OpenConfig, and vendor-specific modules

YANG provides a schema that multiple protocols can transport—NETCONF, RESTCONF, and gNMI all work with YANG-modeled data.

NETCONF: The Configuration Protocol

NETCONF uses RPC over SSH to manage YANG-modeled configuration:

• Capabilities Exchange: Device advertises supported YANG modules
• Get Config: Retrieve current configuration
• Edit Config: Modify configuration with merge/replace/delete
• Lock/Unlock: Prevent concurrent modification
• Validate: Check configuration validity before commit
• Commit: Apply changes atomically
• Transactions: Rollback on failure—all-or-nothing semantics

RESTCONF: REST over YANG

RESTCONF provides HTTP-based access to YANG data:

• RESTful Semantics: GET, POST, PUT, PATCH, DELETE map to operations
• JSON and XML: Both encodings supported
• URL Paths: YANG hierarchy maps to URL path segments
• Standard Authentication: HTTP auth mechanisms apply
• Familiar Tooling: curl, Postman, standard HTTP libraries work

gNMI: Google Network Management Interface

gNMI represents the next evolution in device management:

• gRPC Transport: Binary encoding, streaming, efficient
• Capabilities: Query supported models and encodings
• Get/Set: Retrieve and modify configuration
• Subscribe: Real-time streaming of state changes
• Target-Defined Subscriptions: Device-optimized telemetry

gNMI excels at telemetry—streaming interface counters, routing state, and operational data at high frequency.

Northbound interfaces expose controller capabilities to applications—the software that consumes network services. Unlike southbound protocols (which have standards like OpenFlow), northbound APIs are largely controller-specific, though common patterns emerge.

Design Philosophies

Northbound APIs can be designed at different abstraction levels:

Low-Level APIs (Thin Abstraction)

• Expose raw network constructs: hosts, links, flow rules
• Application must understand network details
• Maximum flexibility, minimum simplification
• Example: "Install this exact flow rule on switch X"

Mid-Level APIs (Path and Policy Abstraction)

• Expose paths, segments, policies
• Controller handles device-level details
• Application thinks in terms of network constructs
• Example: "Create shortest path between A and B with 1Gbps guarantee"

High-Level APIs (Intent Abstraction)

• Expose business-level intent
• Controller translates intent to network state
• Application needs no network expertise
• Example: "Ensure production servers can access the database tier"

Common Northbound API Patterns

REST APIs Most controllers expose RESTful HTTP interfaces:

• Standard HTTP methods: GET, POST, PUT, DELETE
• JSON payloads for data exchange
• URL paths identify resources: /topology/switches/dpid:123
• Status codes communicate results
• Easy integration with any language

gRPC APIs Performance-critical interfaces increasingly use gRPC:

• Protocol Buffers for schema and serialization
• Streaming support for real-time data
• Code generation for type-safe clients
• Bidirectional streaming for interactive protocols

Event Streams Applications need real-time network updates:

• WebSocket for browser-based applications
• Server-Sent Events for simple streaming
• gRPC streams for high-performance use
• Message queues (Kafka, RabbitMQ) for decoupling

Intent-Based Networking (IBN) represents the highest abstraction level for northbound APIs. Instead of specifying how the network should behave, applications declare what they need—the controller determines how to achieve it.

The Intent Abstraction

Intent captures desired network behavior in business or application terms:

• Connectivity Intent: "Servers in the web tier can reach servers in the database tier"
• Security Intent: "Guest WiFi traffic cannot reach corporate network"
• Performance Intent: "VoIP traffic gets priority over bulk transfers"
• Compliance Intent: "PCI-scoped traffic never traverses unencrypted links"

The controller translates intent into:

1. Required network paths and segments
2. Firewall and ACL rules
3. QoS policies and queue configurations
4. Encryption and security policies
5. Monitoring and verification agents

Intent Lifecycle

1. Expression: User or application defines intent in high-level terms
2. Compilation: Controller translates to network-level policies
3. Deployment: Policies pushed to devices as configurations/rules
4. Verification: Controller confirms intended behavior is achieved
5. Maintenance: Ongoing monitoring; automatic remediation on deviation
6. Evolution: Intent updates trigger new compilation/deployment cycle

Intent Verification and Assurance

True IBN goes beyond configuration—it includes continuous verification:

• Pre-Flight Check: Simulate intent against current network; verify feasibility
• Post-Deployment Verification: Confirm actual behavior matches intent
• Continuous Assurance: Monitor for drift; alert on violations
• Closed-Loop Remediation: Automatically correct deviations

This verification capability distinguishes IBN from traditional automation. Automation pushes configuration; IBN ensures the desired outcome is actually achieved.

Challenges in Intent Translation

Translating intent is hard:

• Ambiguity: "Fast" means different things in different contexts
• Conflict Resolution: Competing intents may contradict
• Optimization: Many valid implementations exist; choosing the best is complex
• State Management: Intent must be maintained across network changes
• Explainability: Users need to understand why specific configurations result

Advanced IBN systems use constraint satisfaction, optimization algorithms, and even machine learning to navigate these challenges.

SDN APIs—both northbound and southbound—represent critical attack surfaces. Compromising controller APIs means compromising the entire network. Security must be designed in, not bolted on.

Southbound Security

Controller-to-device channels require protection:

OpenFlow Security

• TLS encryption mandatory for production (vs plaintext TCP)
• Controller and switch certificates for mutual authentication
• Control channel isolation from data traffic
• Rate limiting to prevent DoS via excessive PacketIn

NETCONF Security

• SSH transport provides encryption and authentication
• RBAC for authorization (who can configure what)
• Audit logging for accountability
• Session management to prevent hijacking

gNMI Security

• gRPC supports TLS natively
• Token-based or certificate authentication
• Fine-grained authorization for paths and operations

Northbound Security

Application interfaces present different challenges:

Authentication and Authorization

• Multi-factor authentication for human operators
• Service accounts with limited scopes for applications
• Role-Based Access Control (RBAC) mapping users to permissions
• Attribute-Based Access Control (ABAC) for complex policies

API Gateway Patterns

• Centralized authentication before reaching controller
• Rate limiting prevents abuse
• Request validation rejects malformed input
• Logging captures audit trail

Multi-Tenancy

• Tenant isolation prevents cross-tenant visibility
• Resource quotas prevent single-tenant monopolization
• Namespace separation logically isolates configurations

Common Attack Vectors

• Credential Theft: Stolen API keys enable unauthorized access
• Injection Attacks: Malicious input in API payloads
• Man-in-the-Middle: Unencrypted channels enable interception
• Denial of Service: Overload control plane with requests
• Privilege Escalation: Exploiting authorization gaps
• Replay Attacks: Re-sending captured valid requests

We've explored the critical interfaces that connect SDN controllers to their ecosystem—the northbound APIs serving applications and southbound protocols commanding devices. Let's consolidate the key insights:

What's Next:

With a solid understanding of controller APIs, we'll examine specific popular SDN controllers. From open-source options like ONOS and OpenDaylight to commercial products like Cisco ACI and VMware NSX, we'll explore the landscape of controller implementations and their distinctive features.