Tuesday, July 29, 2014

Software Defined Networking (SDN) and its Potential for Real-Time Defense

Working with the team on the day job researching and soon-to-be-testing SDN controllers in the lab. Had a stimulating conversation on the "state of networking and security" with someone I trust in our company...it was an intellectually stimulating conversation. He is on the SDN working group with other prestigious fellows and he brought up a paper, a PhD dissertation, that touched at a high level on the topic of "Active Network Defense using SDN". He didn't have any more information but it got me and the team thinking...Yes...the north- and southbound interfaces all exist to do this. If we had to design it the architecture might look something like this:

OpenFlow rules can be written to match on any combination of 12 items:

Ingress Port
Ethernet Source (Layer 2 source)
Ethernet Destination (Layer 2 Destination)
Ether Type
VLAN ID
VLAN Priority
IP Source
IP Destination
IP Protocol
IP ToS
TCP/UDP Source Port
TCP/UDP Destination Port


An example flow table entry for a layer 2 port would look like this…

Rule:
     In Port:  e1/4
     In VLAN:  Untagged
     Source Mac:  0024:2214:a5ba
     Destination Mac:  0024:2025:2a44
Action:  FORWARD
     Out Port:  e1/2

This essentially says: any Ethernet frame coming into ingress port ethernet1/4 with no VLAN ID and with this specific source and destination MAC address gets forwarded out port ethernet1/2. Reminds me of a route-map at layer 3, except it's happening at layer 2.
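To make the 12-field match and the flow table entry above concrete, here is an added example in Python (it is not code from the post and not any controller's API). It builds a toy OpenFlow 1.0-style flow table in which each entry matches on any subset of the 12 fields and wildcards the rest, installs the post's layer 2 rule, and adds a controller-side `quarantine_source` hook that installs a higher-priority DROP entry for one IP source, which is the kind of real-time response the "active defense" idea implies. The field names (`dl_src`, `nw_src`, `tp_dst`, ...) follow the OpenFlow 1.0 / Open vSwitch nomenclature; the class and function names and the sample frames (addresses from the 192.0.2.0/24 documentation range) are constructed for this example.

```python
# Added example (not from the post): a toy OpenFlow 1.0-style flow table.
# Entries match on any subset of the 12 fields the post lists; a field left
# out is a wildcard. Lookup is highest-priority-first, a miss goes to the
# controller, and quarantine_source() shows a controller-side DROP response.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# The 12 OpenFlow 1.0 match fields, in the order the post gives them.
MATCH_FIELDS = (
    "in_port",      # Ingress Port
    "dl_src",       # Ethernet Source
    "dl_dst",       # Ethernet Destination
    "dl_type",      # Ether Type
    "dl_vlan",      # VLAN ID
    "dl_vlan_pcp",  # VLAN Priority
    "nw_src",       # IP Source
    "nw_dst",       # IP Destination
    "nw_proto",     # IP Protocol
    "nw_tos",       # IP ToS
    "tp_src",       # TCP/UDP Source Port
    "tp_dst",       # TCP/UDP Destination Port
)

# OpenFlow 1.0 encodes "no VLAN tag" as dl_vlan 0xffff (OFP_VLAN_NONE).
VLAN_NONE = 0xFFFF


@dataclass
class FlowEntry:
    match: dict                      # subset of MATCH_FIELDS; absent/None = wildcard
    action: str                      # "FORWARD", "DROP" or "CONTROLLER"
    out_port: Optional[str] = None   # only meaningful for FORWARD
    priority: int = 100              # higher wins, as on a real switch
    packets: int = 0                 # per-entry counter, like the switch's flow stats

    def __post_init__(self) -> None:
        unknown = set(self.match) - set(MATCH_FIELDS)
        if unknown:
            raise ValueError(f"not an OpenFlow 1.0 match field: {sorted(unknown)}")

    def matches(self, frame: dict) -> bool:
        # Every non-wildcard field must equal the frame's value; a field the
        # frame does not carry (e.g. nw_src on a non-IP frame) cannot match.
        return all(frame.get(k) == v for k, v in self.match.items() if v is not None)


class FlowTable:
    def __init__(self) -> None:
        self.entries: list[FlowEntry] = []

    def add(self, entry: FlowEntry) -> None:
        self.entries.append(entry)
        # Highest priority first; the stable sort keeps insertion order on ties.
        self.entries.sort(key=lambda e: e.priority, reverse=True)

    def lookup(self, frame: dict) -> tuple[str, Optional[str]]:
        """Return (action, out_port) of the first matching entry.
        A table miss is handed to the controller ("packet-in") rather than
        flooded, which is where a defense loop gets to make a decision."""
        for entry in self.entries:
            if entry.matches(frame):
                entry.packets += 1
                return entry.action, entry.out_port
        return "CONTROLLER", None


def build_example_table() -> FlowTable:
    """The post's layer 2 rule: untagged frames on e1/4 from one MAC to another go out e1/2."""
    table = FlowTable()
    table.add(FlowEntry(
        match={"in_port": "e1/4", "dl_vlan": VLAN_NONE,
               "dl_src": "0024:2214:a5ba", "dl_dst": "0024:2025:2a44"},
        action="FORWARD", out_port="e1/2"))
    return table


def quarantine_source(table: FlowTable, nw_src: str) -> None:
    """Controller-side response: a high-priority DROP on one IP source that
    shadows the forwarding rule for that host and leaves other hosts alone."""
    table.add(FlowEntry(match={"nw_src": nw_src}, action="DROP", priority=1000))


# Constructed sample frames (not captures): the post's frame, the same frame
# carrying a VLAN tag, and the same host after the controller flags it.
FRAME_OK = {"in_port": "e1/4", "dl_vlan": VLAN_NONE,
            "dl_src": "0024:2214:a5ba", "dl_dst": "0024:2025:2a44",
            "dl_type": 0x0800, "nw_src": "192.0.2.77", "nw_dst": "192.0.2.10"}
FRAME_TAGGED = dict(FRAME_OK, dl_vlan=10)


if __name__ == "__main__":
    t = build_example_table()
    print(t.lookup(FRAME_OK))        # ('FORWARD', 'e1/2')
    print(t.lookup(FRAME_TAGGED))    # ('CONTROLLER', None): no entry matches a tagged frame
    quarantine_source(t, "192.0.2.77")
    print(t.lookup(FRAME_OK))        # ('DROP', None): the quarantine entry now wins
```

The point to notice is that the forwarding rule matches only the four layer 2 fields the post shows, so a DROP keyed on `nw_src` alone still shadows it: priority, not specificity, decides which entry wins, exactly as on a real OpenFlow switch. A rule that does not set `dl_type` to IPv4 also cannot match on `nw_src` in practice, which is why the sample frame carries `dl_type` 0x0800.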