Securing SDN Southbound and Data Plane Communication with IBC

In software-defined networking (SDN), the southbound protocol defines the communication between the control plane and the data plane. The de facto standard southbound protocol, OpenFlow, specifies Transport Layer Security (TLS) for protecting this channel but leaves its use optional. Consequently, most current SDN projects do not implement this security feature; only a few, such as OpenDaylight, HP VAN SDN, and ONOS, support TLS on the southbound channel. From the perspective of telecommunication providers, one of the major SDN consumers besides data centers, the data plane becomes considerably more complex with the addition of a wireless data plane, since it involves numerous wireless technologies. The resulting resource-management complexity, together with the security of such a data plane, can hinder migration to SDN. In this paper, we propose securing the distributed SDN communication with a multidomain-capable Identity-Based Cryptography (IBC) protocol, particularly for the southbound and wireless data plane communication. We also analyze TLS-secured Message Queuing Telemetry Transport (MQTT) message exchanges to quantify the bandwidth that IBC could save.
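The property the abstract relies on is that in IBC a public string such as a switch's name is its public key, so a peer verifying a message needs only the domain's public parameters and the identity, never a certificate chain. The following is an added illustration of that idea and is not the paper's protocol (the paper's multidomain IBC scheme is described in its body, not in this abstract): it implements Shamir's 1984 RSA-based identity-based signature scheme with one Private Key Generator (PKG) per domain, using pure Python. The identity strings, the OpenFlow-style message bytes, the 512-bit toy primes and the function names are assumptions made for the example.

```python
"""Shamir identity-based signatures (CRYPTO 1984), added example.

Not the paper's protocol. Toy parameters, no padding or side-channel
hardening: for study only, never for production use.

Roles:
  PKG (one per administrative domain): RSA modulus n, public exponent e,
      secret d. Publishes (n, e) as the domain parameters.
  Signer (e.g. a switch): receives g = H(identity)^d mod n once, at
      enrolment, over a secure channel.
  Verifier (e.g. a controller): needs only (n, e) and the signer's identity.
"""
import hashlib
import secrets


def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    """Random odd prime with exactly `bits` bits."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def _h(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def _int_bytes(x: int, n: int) -> bytes:
    return x.to_bytes((n.bit_length() + 7) // 8, "big")


def setup(bits: int = 512) -> tuple[int, int, int]:
    """PKG setup for one domain: returns (n, e, d); (n, e) is public."""
    e = 65537
    while True:
        p, q = _gen_prime(bits), _gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi)


def identity_value(identity: str, n: int) -> int:
    """Map an identity string into Z_n; this IS the public key."""
    return _h(identity.encode()) % n


def extract(n: int, d: int, identity: str) -> int:
    """PKG-only: derive the private key g = H(id)^d mod n for an identity."""
    return pow(identity_value(identity, n), d, n)


def sign(n: int, e: int, g: int, message: bytes) -> tuple[int, int]:
    """Signer: pick random r, t = r^e, s = g * r^H(t||m)  (all mod n)."""
    r = 2 + secrets.randbelow(n - 2)
    t = pow(r, e, n)
    h = _h(_int_bytes(t, n), message)
    s = g * pow(r, h, n) % n
    return t, s


def verify(n: int, e: int, identity: str, message: bytes,
           signature: tuple[int, int]) -> bool:
    """Verifier: accept iff s^e == H(id) * t^H(t||m) mod n.
    Correctness: s^e = g^e * r^(e*h) = H(id) * (r^e)^h = H(id) * t^h."""
    t, s = signature
    h = _h(_int_bytes(t, n), message)
    return pow(s, e, n) == identity_value(identity, n) * pow(t, h, n) % n


def demo(bits: int = 512) -> dict[str, bool]:
    """Two domains (assumed names), one enrolled switch, four checks."""
    n, e, d = setup(bits)            # domain A's PKG
    n2, e2, _ = setup(bits)          # domain B's PKG, unrelated parameters
    switch = "switch-07.pop3.operator-a.example"   # assumed identity
    g = extract(n, d, switch)        # delivered to the switch at enrolment
    msg = b"OFPT_FEATURES_REPLY datapath_id=0x0000000000000007"  # constructed
    sig = sign(n, e, g, msg)
    return {
        "genuine": verify(n, e, switch, msg, sig),                     # True
        "tampered_message": verify(n, e, switch, msg + b"!", sig),     # False
        "wrong_identity": verify(n, e, "switch-08.pop3.operator-a.example",
                                 msg, sig),                            # False
        "other_domain_params": verify(n2, e2, switch, msg, sig),       # False
    }


if __name__ == "__main__":
    print(demo())
```

The verifier's inputs are the domain parameters (n, e), the identity string and the signature; there is no certificate to transmit, parse or chain-validate, which is where the bandwidth difference against a TLS handshake comes from. The flip side, visible in `extract`, is that the PKG knows every private key it issues (key escrow) and that a signature from one domain does not verify under another domain's parameters, so a multidomain deployment must decide how verifiers learn and trust each domain's (n, e).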
