Mitigation of security attacks in the SDN data plane using P4-enabled switches

This paper presents a study and demonstration of some commonly seen internal security attacks and their countermeasures using P4, a data-plane programming language. The premise is that vulnerabilities arising in programmable data planes can be sufficiently mitigated by implementing the defenses in P4 itself. This also gives operators the flexibility to add or drop security features in deployed switches, better visibility into the defense mechanism owing to its open-source nature, and portability of the same P4 programs across many different vendors and devices. We evaluate our P4 code on software and hardware switches for the detection of IP-address spoofing attacks. The results show that attack packets are always detected and dropped, while throughput remains unaffected and nearly constant across varying fractions of malicious packets injected into the network.
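The abstract does not include the paper's P4 code, so the following is an added example written for this page, not the authors' implementation. It shows one common way to detect and drop IP-source-address spoofing in the data plane: a P4_16 program for the v1model architecture (BMv2 simple_switch) that binds each ingress port to the source prefixes the control plane expects on it and drops anything else, counting the drops per port. The header layouts, table names, table sizes and the 64-port counter bound are assumptions made for the example; the paper may detect spoofing differently.

```p4
/* Added example (not from the paper): ingress-port source-address validation in P4_16 / v1model. */
#include <core.p4>
#include <v1model.p4>

const bit<16> TYPE_IPV4 = 0x0800;
typedef bit<48> macAddr_t;
typedef bit<32> ipv4Addr_t;

header ethernet_t { macAddr_t dstAddr; macAddr_t srcAddr; bit<16> etherType; }
header ipv4_t {
    bit<4> version; bit<4> ihl; bit<8> diffserv; bit<16> totalLen;
    bit<16> identification; bit<3> flags; bit<13> fragOffset;
    bit<8> ttl; bit<8> protocol; bit<16> hdrChecksum;
    ipv4Addr_t srcAddr; ipv4Addr_t dstAddr;
}
struct metadata { }
struct headers { ethernet_t ethernet; ipv4_t ipv4; }

parser MyParser(packet_in pkt, out headers hdr, inout metadata meta,
                inout standard_metadata_t std) {
    state start { pkt.extract(hdr.ethernet);
        transition select(hdr.ethernet.etherType) { TYPE_IPV4: parse_ipv4; default: accept; } }
    state parse_ipv4 { pkt.extract(hdr.ipv4); transition accept; }
}

control MyVerifyChecksum(inout headers hdr, inout metadata meta) { apply { } }

control MyIngress(inout headers hdr, inout metadata meta, inout standard_metadata_t std) {
    // Per-ingress-port drop counter (assumes at most 64 ports); readable from the control plane.
    counter(64, CounterType.packets) spoof_drops;

    action drop() { mark_to_drop(std); }
    action drop_spoofed() {
        spoof_drops.count((bit<32>)std.ingress_port);
        mark_to_drop(std);
    }
    action ipv4_forward(macAddr_t dstAddr, bit<9> port) {
        std.egress_spec = port;
        hdr.ethernet.srcAddr = hdr.ethernet.dstAddr;
        hdr.ethernet.dstAddr = dstAddr;
        hdr.ipv4.ttl = hdr.ipv4.ttl - 1;
    }

    // Anti-spoofing table: a packet is legitimate only if its source address falls within a
    // prefix the control plane has bound to the port it arrived on (ingress-port uRPF).
    // Any miss, i.e. a source address not expected on that port, is dropped and counted.
    table src_validation {
        key = { std.ingress_port: exact; hdr.ipv4.srcAddr: lpm; }
        actions = { NoAction; drop_spoofed; }
        size = 1024;
        default_action = drop_spoofed();
    }
    table ipv4_lpm {
        key = { hdr.ipv4.dstAddr: lpm; }
        actions = { ipv4_forward; drop; NoAction; }
        size = 1024;
        default_action = drop();
    }

    apply {
        if (hdr.ipv4.isValid()) {
            // Only packets whose source matched an installed (port, prefix) entry are forwarded.
            if (src_validation.apply().hit) { ipv4_lpm.apply(); }
        } else {
            drop();   // non-IPv4 traffic is outside this example's scope
        }
    }
}

control MyEgress(inout headers hdr, inout metadata meta, inout standard_metadata_t std) { apply { } }

control MyComputeChecksum(inout headers hdr, inout metadata meta) {
    apply {   // TTL was decremented, so the IPv4 header checksum must be recomputed
        update_checksum(hdr.ipv4.isValid(),
            { hdr.ipv4.version, hdr.ipv4.ihl, hdr.ipv4.diffserv, hdr.ipv4.totalLen,
              hdr.ipv4.identification, hdr.ipv4.flags, hdr.ipv4.fragOffset,
              hdr.ipv4.ttl, hdr.ipv4.protocol, hdr.ipv4.srcAddr, hdr.ipv4.dstAddr },
            hdr.ipv4.hdrChecksum, HashAlgorithm.csum16);
    }
}

control MyDeparser(packet_out pkt, in headers hdr) {
    apply { pkt.emit(hdr.ethernet); pkt.emit(hdr.ipv4); }
}

V1Switch(MyParser(), MyVerifyChecksum(), MyIngress(), MyEgress(),
         MyComputeChecksum(), MyDeparser()) main;
```

Compile with `p4c --target bmv2 --arch v1model` and load into simple_switch; the control plane then installs one entry per (port, legitimate source prefix), for example with simple_switch_CLI `table_add src_validation NoAction 1 10.0.1.0/24 =>` for port 1. Two caveats a practitioner should keep in mind: the check runs at line rate because it is a single table lookup per packet, which is why throughput is unaffected by the fraction of spoofed traffic, but it is only as good as the prefix bindings the controller installs, and it does not catch spoofing of an address that legitimately belongs behind the same port.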
