ACST: Audit-based compromised switch tolerance for enhancing data plane robustness in software-defined networking

Abstract Software-defined networking (SDN) has attracted worldwide interest in both academia and industry for its proven advantages. However, switches in the data plane are more vulnerable to malicious attacks, and the network may then exhibit a switch misguiding phenomenon: switches compromised by attackers send faked statistics while interacting with the controller in order to mislead its control decisions (e.g., optimal routing). In this paper, we introduce an audit-based compromised switch tolerance (ACST) scheme that tolerates compromised switches and handles the switch misguiding phenomenon when switches cannot be trusted. Our main idea is to audit the statistics (specifically, state messages) delivered by switches, both so that the controller receives correct messages and so that the compromised switches are identified. Following this idea, we first investigate the switch misguiding phenomenon. Then, we design ACST to ensure that the controller receives correct state messages even when compromised switches exist. ACST introduces a dedicated logical plane, the fault tolerance proxy plane, between the data plane and the control plane. Each proxy consists of specific function modules that extract the original state messages and perform statistics auditing. Finally, the proxies output the auditing results, including the corrected state messages and the IDs of the compromised switches. The corresponding algorithm and a theoretical proof of its robustness enhancement are also presented. Results show that our proposal successfully resists different manipulation attacks launched by compromised switches and guarantees a high correctness rate of state messages (approaching 100%). In addition, ACST shows good topological adaptability and incurs low overhead.
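As an added illustration of the auditing idea, not the paper's ACST algorithm, the following Python sketch plays the role of a proxy sitting between switches and controller: it cross-checks the per-flow packet counters reported by every switch on a flow's path, outputs the corrected counts together with the IDs of switches whose reports disagree, and marks flows it cannot decide. The audit rule (all switches on a loss-free path should report the same count, so the strict majority is taken as true), the topology and the reports are constructed assumptions for this example.

```python
"""Constructed audit-proxy example for switch-reported flow statistics.

Assumption (not from the paper): every switch on a flow's path should
report the same packet count for that flow, so a report that disagrees
with the strict majority along the path is treated as falsified.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed topology: flow -> ordered list of switches on its path.
PATHS: Dict[str, List[str]] = {
    "f1": ["s1", "s2", "s3"],
    "f2": ["s2", "s3", "s4"],
    "f3": ["s1", "s4", "s3"],
}

# Constructed state messages: switch -> {flow: reported packet count}.
# In this sample s2 inflates its counters, i.e. it plays the compromised switch.
REPORTS: Dict[str, Dict[str, int]] = {
    "s1": {"f1": 100, "f3": 40},
    "s2": {"f1": 900, "f2": 600},
    "s3": {"f1": 100, "f2": 50, "f3": 40},
    "s4": {"f2": 50, "f3": 40},
}


def audit(paths: Dict[str, List[str]],
          reports: Dict[str, Dict[str, int]]
          ) -> Tuple[Dict[str, int], List[str], List[str]]:
    """Audit the reports and return
    (corrected per-flow counts, sorted compromised switch IDs, unresolved flows)."""
    corrected: Dict[str, int] = {}
    suspects = set()
    unresolved: List[str] = []
    for flow, path in paths.items():
        values = [reports[sw][flow] for sw in path if flow in reports[sw]]
        (majority, votes), = Counter(values).most_common(1)
        if votes * 2 <= len(values):
            # No strict majority: the proxy cannot correct this flow and says so
            # rather than forwarding a guess to the controller.
            unresolved.append(flow)
            continue
        corrected[flow] = majority
        # Any switch on the path whose report deviates from the majority is flagged.
        suspects.update(sw for sw in path
                        if reports[sw].get(flow, majority) != majority)
    return corrected, sorted(suspects), unresolved
```

The audit is only as strong as the honest majority on each path: a flow whose path carries as many falsified as honest reports lands in the unresolved list instead of being corrected.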
