vSFC: Generic and Agile Verification of Service Function Chains in the Cloud

With the advent of network function virtualization (NFV), outsourcing network functions (NFs) to the cloud is becoming increasingly popular among enterprises, since it brings significant benefits for NF deployment and maintenance, such as improved scalability and reduced operational overhead. However, NF outsourcing limits the control that customer enterprises have over NF deployment and management, and consequently raises serious security concerns: an enterprise cannot tell whether its outsourced NFs and the associated service function chains (SFCs) are enforced correctly according to its specifications. In this paper, we propose vSFC, an SFC verification scheme that allows an enterprise to accurately verify the correctness of SFC enforcement in real time. Specifically, it can detect a wide range of SFC violations, including forwarding path incompliance, packet dropping, and flow dropping attacks. Meanwhile, it is generic and agile: it can be applied to arbitrary cloud architectures without requiring any modification to the NFs. To demonstrate the feasibility and performance of vSFC, we implement a vSFC prototype on top of the Linux Kernel-based Virtual Machine (KVM) and conduct extensive experiments with real traffic. The experimental results show that vSFC accurately detects SFC violations with negligible overhead.
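The three violation classes named above (forwarding path incompliance, packet dropping, and flow dropping) can be made concrete with a small checker. The following is an added illustration, not vSFC's own verification scheme, whose mechanism is not described on this page: it assumes a simplified model in which the verifier is handed, per flow, the ordered list of NF hops the flow's packets were observed at together with per-hop ingress and egress packet counts, plus the set of flows that entered the chain. The chain specification, the NF names (`fw`, `ids`, `nat`), the `MAY_DROP` allowance for NFs whose job is to drop packets, and the sample observations are all constructed for the example.

```python
"""Illustrative SFC violation checker (added example; not vSFC's scheme).

Assumed model: for each flow, the verifier sees the sequence of NF hops
traversed and, at each hop, how many packets entered and left the NF.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass
class HopRecord:
    nf: str         # identifier of the NF instance (assumed name)
    pkts_in: int    # packets of this flow observed entering the NF
    pkts_out: int   # packets of this flow observed leaving the NF


@dataclass
class FlowObservation:
    flow_id: str
    hops: List[HopRecord]   # hops in the order the flow traversed them


def verify_chain(spec_chain: List[str],
                 may_drop: Set[str],
                 ingress_flows: Iterable[str],
                 observed: List[FlowObservation]) -> Dict[str, List[str]]:
    """Return, per ingress flow, the list of detected violations ([] = clean).

    - flow_dropping:      the flow entered the chain but was never observed
                          at any NF hop.
    - path_incompliance:  the observed hop sequence differs from the
                          specified chain (NF skipped, reordered, or added).
    - packet_dropping@X:  packets went missing inside NF X (unless X is
                          allowed to drop, e.g. a firewall) or on the link
                          between two consecutive hops (reported as X->Y).
    """
    by_flow = {o.flow_id: o for o in observed}
    report: Dict[str, List[str]] = {}
    for fid in sorted(ingress_flows):
        obs = by_flow.get(fid)
        if obs is None or not obs.hops:
            report[fid] = ["flow_dropping"]
            continue
        violations: List[str] = []
        path = [h.nf for h in obs.hops]
        if path != spec_chain:
            violations.append("path_incompliance")
        prev = None
        for h in obs.hops:
            # loss between the previous NF's egress and this NF's ingress
            if prev is not None and h.pkts_in < prev.pkts_out:
                violations.append(f"packet_dropping@{prev.nf}->{h.nf}")
            # loss inside an NF that is not allowed to drop packets
            if h.pkts_out < h.pkts_in and h.nf not in may_drop:
                violations.append(f"packet_dropping@{h.nf}")
            prev = h
        report[fid] = violations
    return report


# Constructed sample data for the example.
SPEC_CHAIN = ["fw", "ids", "nat"]
MAY_DROP = {"fw"}                       # the firewall legitimately drops
INGRESS_FLOWS = {"f1", "f2", "f3", "f4", "f5"}
OBSERVED = [
    # f1: compliant; the firewall drops 10 packets, which is allowed
    FlowObservation("f1", [HopRecord("fw", 100, 90),
                           HopRecord("ids", 90, 90),
                           HopRecord("nat", 90, 90)]),
    # f2: the IDS was bypassed
    FlowObservation("f2", [HopRecord("fw", 50, 50),
                           HopRecord("nat", 50, 50)]),
    # f3: 10 packets vanish inside the IDS, which must not drop
    FlowObservation("f3", [HopRecord("fw", 80, 80),
                           HopRecord("ids", 80, 70),
                           HopRecord("nat", 70, 70)]),
    # f4: never observed at any hop (flow dropping)
    # f5: 2 packets lost on the link between fw and ids
    FlowObservation("f5", [HopRecord("fw", 10, 10),
                           HopRecord("ids", 8, 8),
                           HopRecord("nat", 8, 8)]),
]


def run_example() -> Dict[str, List[str]]:
    return verify_chain(SPEC_CHAIN, MAY_DROP, INGRESS_FLOWS, OBSERVED)


if __name__ == "__main__":
    for flow, violations in run_example().items():
        print(flow, violations or "ok")
```

In this model a compliant flow yields an empty list, a skipped NF is reported as path incompliance, in-NF loss is attributed to the NF and inter-hop loss to the link, and a flow that entered the chain but was never seen at any hop is reported as flow dropping. A real verifier additionally has to cope with NFs that legitimately rewrite or drop packets (NAT, firewall) and with an adversary that forges observations; the abstract claims vSFC handles these cases, but the page does not describe how.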
