With the steady increase in information and high network resource sharing, organizations require big data centers. To control the workload in data centers and minimize response time, effective load-balancing systems are necessary. Routing applications play an important role here. Some routing applications based on Software Defined Networking (SDN), like Plug-n-Serve, Hedera and ElasticTree, suggest an efficient way to handle such traffic load in data centers. Centralised routing makes it possible to adjust network elements like switches, ports and links dynamically as per the traffic load. The routing application takes control of data flow management in the data center system, finds a non-conflicting path for the flow and instructs the switches accordingly. Security of routing applications is important. If an attacker takes control over the data flow routing or scheduling, traffic can be forwarded to servers/switches that are controlled by the attacker. The attacker can even shut down the data center system, as some data centers may rely totally on the routing application for data flow management. In this paper, several SDN routing applications are compared and a detailed analysis of two applications, Plug-n-Serve and ElasticTree, is performed. The architecture of these applications is explained and the security analysis is done using a threat analysis tool called STRIDE. We suggest some mitigation techniques for well-known threats like spoofing, tampering, repudiation etc., and also check whether the application has a built-in countermeasure against these threats. We describe how the ElasticTree application by design provides some mitigation techniques against the threats, and the mitigation techniques that the Plug-n-Serve application could use to avoid the threats.