Application-aware and Dynamic Security Function Chaining for Mobile Networks

Mobile networks have urgent demands for fine-grained, cost-effective and flexible service provision for diversified user traffic. To cope with these demands, researchers have proposed various Service Function Chaining (SFC) solutions with the rise of Software Defined Networking (SDN) and Network Function Virtualization (NFV) technologies. However, most of them rely on MAC addresses and/or OpenFlow protocols without Network Service Header (NSH) support, and have drawbacks in complexity, scalability and flexibility. NSH-based approaches are more promising for mobile networks, since they support metadata-based packet information sharing and policy enforcement. Moreover, a hierarchical SFC (hSFC) architecture has been proposed to alleviate the scalability and management problems in large-scale networks. Nevertheless, how to realize application awareness and on-demand service provision has not been investigated thoroughly in the hSFC environment. Thus, in this paper, we propose a proactive-based branching approach for application-aware and dynamic security function chaining, in which application features are analyzed first and then carried in the metadata of NSHs for subsequent processing by the relevant security functions. In this way, the data plane is able to redirect traffic based on metadata without the participation of the control plane. In addition, we verify the proposed approach on our prototype system through two typical use cases, application-aware traffic control and lawful interception, and the related experimental results confirm its feasibility and elasticity.
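The metadata-driven branching described in the abstract can be sketched as follows. This is an added example, not code from the paper or its prototype: it uses the RFC 8300 MD Type 1 header layout, and the placement of the application ID in the first four context bytes, the `BRANCHES` table and all path identifiers are assumptions made for illustration.

```python
import struct

# Constructed branch table (assumption): application ID from NSH metadata
# -> (Service Path Identifier, initial Service Index) of a security sub-chain.
BRANCHES = {0x0001: (100, 255),   # e.g. web traffic -> firewall + IDS
            0x0002: (200, 255)}   # e.g. intercept target -> mirroring chain
DEFAULT_BRANCH = (1, 255)         # unknown applications take the default chain

def build_nsh(spi, si, app_id, ttl=63, next_proto=0x01):
    """Build an RFC 8300 MD Type 1 NSH (24 bytes). Carrying app_id in the
    first four bytes of the context header is this example's assumption."""
    word0 = (ttl << 22) | (6 << 16) | (1 << 8) | next_proto  # Ver=0, O=0
    context = struct.pack("!I12x", app_id)                   # 16-byte context
    return struct.pack("!II", word0, (spi << 8) | si) + context

def parse_nsh(packet):
    """Parse and validate the NSH at the start of packet; raise ValueError."""
    if len(packet) < 24:
        raise ValueError("truncated NSH")
    word0, word1, app_id = struct.unpack("!III", packet[:12])
    version, ttl = word0 >> 30, (word0 >> 22) & 0x3F
    length, md_type = (word0 >> 16) & 0x3F, (word0 >> 8) & 0xF
    if version != 0 or md_type != 1 or length != 6:
        raise ValueError("not a version 0, MD Type 1 NSH")
    return {"ttl": ttl, "next_proto": word0 & 0xFF, "spi": word1 >> 8,
            "si": word1 & 0xFF, "app_id": app_id}

def branch(packet):
    """Re-steer a packet onto the sub-chain selected by its metadata,
    using only the local table (no controller round trip)."""
    hdr = parse_nsh(packet)
    ttl = (hdr["ttl"] - 1) % 64   # RFC 8300: decrement before the lookup
    if hdr["si"] == 0 or ttl == 0:
        raise ValueError("service index or TTL exhausted, drop")
    spi, si = BRANCHES.get(hdr["app_id"], DEFAULT_BRANCH)
    return build_nsh(spi, si, hdr["app_id"], ttl, hdr["next_proto"]) + packet[24:]

if __name__ == "__main__":
    pkt = build_nsh(spi=10, si=255, app_id=0x0002) + b"payload"  # constructed
    print(parse_nsh(branch(pkt)))
```

Because the branch decision trusts the metadata, the header is validated before use and malformed or exhausted packets are dropped rather than forwarded.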
