Towards resilient in-band control path routing with malicious switch detection in SDN

In Software Defined Networks (SDNs), the control plane functionalities depend on the correctness of the information (e.g., network state) received from the data plane. A malicious switch on the in-band control path could tamper with or drop control messages, leading to misbehavior of the control plane. Hence, it is important to consider the security of in-band control paths on the southbound interface in SDN. Instead of actively probing the network with specific test packets/flows, which incurs high overhead on the control plane, we present in this paper a novel control path routing approach that selects two node-disjoint control paths for every switch in the network in such a way that a malicious node can be detected based on the normal packet-in messages sent on the control paths. We develop an optimization programming formulation that provides a control path routing solution and minimizes the average number of intermediate nodes while satisfying the malicious switch detection and resilience constraints. We demonstrate the effectiveness of the proposed approach through numerical analysis. The results show that the proposed approach enables faster malicious switch detection with less control overhead than an existing approach.
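To make the path-selection and detection idea concrete, here is an added illustration that is not the paper's formulation or code: on a small constructed topology it picks, per switch, the pair of node-disjoint control paths with the fewest intermediate switches (a brute-force stand-in for the paper's optimization), and it assumes a simple detection rule in which a packet-in copy that is dropped or altered on one path implicates that path's intermediate switches, so that intersecting the suspect sets from several switches narrows down the malicious node.

```python
from itertools import combinations

# Constructed sample topology (not from the paper): undirected links between
# switches s1..s5 and the controller attachment point "c".
LINKS = [("c", "s1"), ("c", "s2"), ("s1", "s3"), ("s2", "s3"),
         ("s1", "s4"), ("s2", "s5"), ("s4", "s3"), ("s5", "s3")]

def build_graph(links):
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def simple_paths(graph, src, dst, path=None):
    """Enumerate all loop-free paths from src to dst (fine for small topologies)."""
    path = [src] if path is None else path + [src]
    if src == dst:
        return [path]
    return [p for nxt in graph[src] if nxt not in path
            for p in simple_paths(graph, nxt, dst, path)]

def intermediates(path):
    return set(path[1:-1])

def disjoint_pair(graph, switch, controller="c"):
    """Pick two node-disjoint control paths with the fewest intermediate nodes."""
    best = None
    for p, q in combinations(simple_paths(graph, switch, controller), 2):
        if intermediates(p) & intermediates(q):
            continue  # share an intermediate switch: not node-disjoint
        cost = len(intermediates(p)) + len(intermediates(q))
        if best is None or cost < best[0]:
            best = (cost, p, q)
    return None if best is None else (best[1], best[2])

def suspects(primary, secondary, ok_primary, ok_secondary):
    """Assumed detection rule: the two copies of a packet-in are cross-checked;
    a missing or altered copy implicates that path's intermediate switches."""
    blamed = set()
    if not ok_primary:
        blamed |= intermediates(primary)
    if not ok_secondary:
        blamed |= intermediates(secondary)
    return blamed

def localize(observations):
    """Intersect suspect sets from several switches' packet-in observations."""
    result = None
    for primary, secondary, ok_p, ok_s in observations:
        s = suspects(primary, secondary, ok_p, ok_s)
        if s:
            result = s if result is None else result & s
    return result or set()
```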
