In this paper, we focused on two prevailing architectural approaches for control-plane virtualization in multi-tenant OpenFlow-ready SDN domains: The first permits the delegation of a specific, non-overlapping part of the overall flowspace to each tenant OpenFlow controller, exposing him/her the entire substrate topology; the second conceals the substrate topology to tenants by abstracting resources and exposing user-controlled (tenant) Virtual Networks (VNs). For both cases, we propose and analyze three control-plane slicing methods (domain, switch and port-wide), enforced by the management plane, that safeguard control-plane isolation among tenant VNs.
Their effectiveness is assessed in terms of control-plane resources (number of flowspace policy rule entries, table lookup times and memory consumption) via measurements on a prototype implementation. To that end, we introduced and prototyped the Flowspace Slicing Policy (FSP) rule engine, an automated mechanism translating substrate management-plane policies into VN mapping control-plane rules. Our experiments, involving thousands of tenants VN requests over a variety of WAN-scale network topologies (e.g. Internet2/OSE3 and GÉANT), demonstrate that the port-wide slicing method is the most efficient in terms of tenant request acceptance ratio, within acceptable control-plane delays and memory consumption.