A Formal Approach for Automatic Detection and Correction of SDN Switch Misconfigurations

Software-defined networking (SDN) is a network architecture that enables the network to be centrally controlled using software. Network administrators can reprogram the network using SDN without changing hardware devices, providing new solutions for controlling network traffic. However, SDN has its drawbacks in security, scalability, and elasticity. The security validation of SDN configurations is an important issue that should be addressed. Therefore, there is a need for automated methods to analyze, investigate, and fix switch configuration faults. The objective of our work is to propose: (1) a new formal approach to discover security challenges using Flow entries Decision Diagram (FeDD) analysis, to identify loop freedom, access violations, black-holes, and controller misconfigurations; (2) optimal and fine-grained resolution mechanisms to correct these misconfigurations in different topologies; (3) a tool that implements the proposed techniques and effectively helps administrators in detecting and resolving switch misconfigurations.
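As an added illustration (not the paper's FeDD construction or its tool), the following Python walks a destination address through per-switch flow tables and classifies the result into the misconfiguration classes the abstract names: forwarding loop, black-hole, and access violation. The topology, flow tables, and access policy are constructed for the example.

```python
# Added example, not the paper's FeDD: trace a destination through per-switch
# flow tables and classify the outcome (ok / loop / black-hole / access-violation).
from ipaddress import ip_address, ip_network

# Constructed topology: (switch, out_port) -> next hop (another switch or a host "h_*")
LINKS = {("s1", 1): "s2", ("s1", 2): "h_web",
         ("s2", 1): "s3", ("s2", 2): "h_db",
         ("s3", 1): "s1", ("s3", 2): "s2"}

# Constructed flow tables: (priority, dst_prefix, action); action is
# ("output", port) or ("drop",). Highest-priority match wins, as in OpenFlow.
TABLES = {
    "s1": [(10, "10.0.1.0/24", ("output", 2)), (5, "0.0.0.0/0", ("output", 1))],
    "s2": [(20, "10.0.2.10/32", ("output", 2)), (10, "10.0.3.0/24", ("output", 1))],
    "s3": [(10, "10.0.3.0/24", ("output", 2)), (5, "0.0.0.0/0", ("output", 1))],
}
# Constructed access policy: (ingress switch, host) pairs that must never be reachable
DENIED = {("s1", "h_db")}

def lookup(switch, dst):
    """Action of the highest-priority entry matching dst, or None on table miss."""
    hits = [(p, a) for p, net, a in TABLES[switch] if ip_address(dst) in ip_network(net)]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def trace(ingress, dst):
    """Follow dst from ingress; return ('ok', host) or the misconfiguration class found."""
    visited, sw = [], ingress
    while True:
        if sw in visited:                      # same switch seen twice: forwarding loop
            return ("loop", visited + [sw])
        visited.append(sw)
        action = lookup(sw, dst)
        if action is None:                     # table miss with no default entry: drop
            return ("black-hole", sw)
        if action[0] == "drop":                # explicit drop is intended, not a fault
            return ("dropped", sw)
        nxt = LINKS.get((sw, action[1]))
        if nxt is None:                        # output port wired to nothing
            return ("black-hole", sw)
        if nxt.startswith("h_"):               # reached a host: check the access policy
            return ("access-violation", nxt) if (ingress, nxt) in DENIED else ("ok", nxt)
        sw = nxt
```

Running `trace("s1", "10.0.3.7")` exposes the s2/s3 loop, while `trace("s1", "10.0.9.1")` ends in a black-hole at s2 because only s1 carries a default entry.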
