Transaction-Based Flow Rule Conflict Detection and Resolution in SDN

Software-defined Networking (SDN) brings new vitality to traditional networking because its programmability makes networks more open and flexible. Through the interfaces of SDN controllers, different applications implementing diverse network functions can deploy the flow rules they need into SDN switches. However, some of these flow rules may conflict with one another, invalidating network functions and causing security issues. To address this problem, we design a novel approach, Transaction-based flow rule Conflict Detection and Resolution (TCDR), which isolates the flow rules of different network functions to avoid interference between them. In addition, our proposed method introduces transaction-based authentication to guarantee the legitimacy of flow rules. Finally, we implement a prototype of our solution and evaluate its effectiveness and efficiency. The performance evaluation shows that TCDR rejects illegal flow rules and avoids many flow rule conflicts with a small overhead.
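As an added illustration (not the TCDR prototype or its algorithm, whose details are not given in the abstract), the following Python sketches the two ideas the abstract names: each application submits its rules as an all-or-nothing transaction that must authenticate, and a transaction is rejected when any of its rules overlaps a rule owned by a different application with a different action. The shared-secret HMAC authentication, the match-field set and the overlap test are assumptions made for this example.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed model of a flow rule: a match (field -> value, "*" = wildcard),
# an action, and a priority. This is an illustration, not the paper's format.
@dataclass
class FlowRule:
    match: dict      # e.g. {"nw_dst": "10.0.0.5", "tp_dst": "22"}
    action: str      # e.g. "forward:2" or "drop"
    priority: int = 100

FIELDS = ("in_port", "nw_src", "nw_dst", "tp_dst")  # assumed match fields

def overlaps(a: dict, b: dict) -> bool:
    """Two matches overlap unless some field has distinct concrete values."""
    for f in FIELDS:
        va, vb = a.get(f, "*"), b.get(f, "*")
        if va != "*" and vb != "*" and va != vb:
            return False
    return True

def conflicts(r1: FlowRule, r2: FlowRule) -> bool:
    """Overlapping matches with different actions: the switch will pick one by
    priority and silently invalidate the other application's function."""
    return overlaps(r1.match, r2.match) and r1.action != r2.action

class Controller:
    def __init__(self, app_keys: dict):
        self.app_keys = app_keys   # app name -> shared secret (assumed HMAC scheme)
        self.table = []            # installed rules as (owning app, FlowRule)

    def _tag(self, app: str, rules: list) -> str:
        canon = repr([(sorted(r.match.items()), r.action, r.priority) for r in rules])
        return hmac.new(self.app_keys[app], canon.encode(), hashlib.sha256).hexdigest()

    def sign(self, app: str, rules: list) -> str:
        """Run on the application side to authenticate a transaction."""
        return self._tag(app, rules)

    def submit(self, app: str, rules: list, tag: str) -> str:
        """Install every rule of the transaction, or none of them."""
        if app not in self.app_keys or not hmac.compare_digest(self._tag(app, rules), tag):
            return "rejected: bad authentication"
        for new in rules:
            for owner, old in self.table:
                if owner != app and conflicts(new, old):
                    return f"rejected: conflicts with rule owned by {owner}"
        self.table.extend((app, r) for r in rules)
        return "committed"
```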
