Software-defined networking (SDN) decouples the control and data planes of traditional networks, logically centralizing the functional properties of the network in the SDN controller. While this centralization brought advantages such as a faster pace of innovation, it also disrupted some of the natural defenses of traditional architectures against different threats. The literature on SDN has mostly been concerned with the functional side, despite some specific works concerning non-functional properties such as security or dependability. Though addressing the latter in an ad-hoc, piecemeal way may work, it will most likely lead to efficiency and effectiveness problems. We claim that the enforcement of non-functional properties as a pillar of SDN robustness calls for a systemic approach. We further advocate, for its materialization, the reiteration of the successful formula behind SDN: 'logical centralization'. As a general concept, we propose anchor, a subsystem architecture that promotes the logical centralization of non-functional properties. To show the effectiveness of the concept, we focus on security in this article: we identify the current security gaps in SDNs and we populate the architecture middleware with the appropriate security mechanisms in a global and consistent manner. Essential security mechanisms provided by anchor include reliable entropy and resilient pseudo-random generators, and protocols for secure registration and association of SDN devices. We claim and justify in the article that centralizing such mechanisms is key for their effectiveness by allowing us to define and enforce global policies for those properties; reduce the complexity of controllers and forwarding devices; ensure higher levels of robustness for critical services; foster interoperability of the non-functional property enforcement mechanisms; and promote the security and resilience of the architecture itself.
We discuss design and implementation aspects, and we prove and evaluate our algorithms and mechanisms, including the formalisation of the main protocols and the verification of their core security properties using the Tamarin prover.

We would like to thank the anonymous reviewers for the insightful comments.

1 INTRODUCTION

Software-defined networking (SDN) moves the control function out of the forwarding devices, logically centralizing the functional properties of the network. This decoupling between control and data plane leads to higher flexibility and programmability of network control, enabling fast innovation. In spite of all of these benefits, this decoupling, associated with a common southbound application programming interface (API; e.g., OpenFlow), has removed an important natural protection of traditional networks: specifically, the heterogeneity and diversity of configuration protocols, the closed (and proprietary) nature of the devices, and the distributed nature of the control plane. Hence, from a security perspective, SDN introduces new attack vectors and radically changes the threat surface [37, 70, 110]. So far, the SDN literature has been mostly concerned with functional properties, such as improved routing and traffic engineering [8, 57, 77], efficient topology discovery [94], and enhanced network security services [3, 54, 102, 111], among others, by exploiting the ability to program the control plane. Non-functional properties are those related to reaching goals of quality of the operation of the global system rather than to its specific behavior. However, SDN currently leaves the achievement of non-functional properties to individual mechanisms or services. Recent works that are concerned in principle with non-functional properties address specific implementations of functions or services, whether dependability related [17, 26, 59, 69, 105] or security related [99, 110, 114, 115].
To give an example, security services such as firewalls or Deep Packet Inspection (DPI) mechanisms for attack detection and mitigation rely essentially on functional properties of the network, that is, they are concerned with the SDN function of generating and remotely installing the appropriate flow rules in the data plane. As effective as the former examples may be, their impact on the desired system-level non-functional property (say, integrity or availability) ends up being bottom-up, in an ad-hoc, piecemeal way. It may work for specific cases but, generically, it is most likely to create gaps in the enforcement of the property, which would inevitably lead to efficiency and effectiveness problems (as we show in Section 3). For instance: insecure control plane associations or communications, network information disclosure, spoofing attacks, and hijacking of devices can easily compromise the network operation; performance crises can escalate to globally affect quality of service (QoS); and unavailability and lack of reliability of controllers, forwarding devices, or clock synchronization parameters can considerably degrade network operation [4, 65, 110].