SecFT-SDN: Securing the Flow-Table for Software-Defined Network

The flow table is the core interactive component between the control plane and the data plane in a software-defined network (SDN), and it realizes global coordination and dynamic mapping of the security policy. The rules in the flow table determine the network's behavior, so the security of the flow table affects the security of the whole SDN deployment. To address the challenges of flow table security, this paper proposes and implements a flow table security framework, named SecFT-SDN, on the carrier-grade open source SDN controller ONOS. When installing a flow rule test set, SecFT-SDN incurs a latency penalty varying from 10.98 milliseconds to 7.17 milliseconds and a throughput penalty of 6%-14% (for 1-4 controller node clusters), so it barely affects network performance. To sum up, SecFT-SDN enhances the security protection facilities of the ONOS controller while incurring an acceptable overhead, a cost-effective trade-off.
