A New Parallel Method to Verify the Packets Forwarding in SDN Networks
Subject Areas : electrical and computer engineeringRozbeh Beglari 1 , Hakem Beitollahi 2
1 - IUST
2 - Iran University of Science and Technology
Keywords: Software defined networks, data security, packet forwarding verification, parallel verification, Openflow,
Abstract :
The rise of Software-Defined Networking (SDN) has revolutionized network management, offering greater flexibility and programmability. However, ensuring the accuracy of packet forwarding remains paramount for maintaining network reliability and security in SDN environments. Unlike traditional IP networks, SDN separates the control plane from the data plane, creating new challenges for securing data transmission. Existing verification methods designed for IP networks often cannot be directly applied to SDN due to this architectural difference. To address the limitations of existing verification methods in SDN networks, new approaches are necessary. This research proposes a novel parallel method for verifying packet forwarding, building upon concepts from DYNAPFV. The proposed approach aims to overcome specific limitations of existing methods (including DYNAPFV), such as scalability issues, slow verification times. Simulations demonstrate significant improvements compared to DYNAPFV. The proposed parallel method achieves a 92% reduction in time required to identify malicious nodes within the network. The results also reveal a trade-off between security and verification time. As the probability of packet integrity confirmation increases from 0.8 to 0.99, system security strengthens, but the time to detect malicious switches also increases.
[1] D. Kreutz, et al., "Software-defined networking: a comprehensive survey," Proceeding of the IEEE, vol. 103, no. 1, pp. 14-76, Jan. 2015.
[2] Q. Li, X. Zou, Q. Huang, J. Zheng, and P. P. C. Lee, "Dynamic packet forwarding verification in SDN," IEEE Trans. on Dependable and Secure Computing, vol. 16, no. 6, pp. 915-929, Dec. 2019.
[3] M. Dhawan, R. Poddar, K. Mahajan, and V. Mann, "Sphinx: detecting security attacks in software-defined networks," in Proc. of Network and Distributed System Security Symp., NDSS'15, 15 pp., San Diego, CA, USA, 7-7 Feb. 2015.
[4] H. Kim and N. Feamster, "Improving network management with software defined networking," IEEE Communications Magazine, vol. 51, no. 2, pp. 114-119, Feb. 2013.
[5] M. Al Ahmad, M. Diab, and S. S. Patra, "Analysis and performance evaluation of openflow controller in SDN using N-policy," in Proc. of Int. Conf. on Recent Advances in Science and Engineering Technology, ICRASET'23, 5 pp., B G NAGARA, India, 23-24 Nov. 2023.
[6] X. Zhang, A. Jain, and A. Perrig, "Packet-dropping adversary identification for data plane security," in Proc. of the ACM CoNEXT Conf., Article Id.: 24, 12 pp., Madrid, Spain, 9-12 Dec. 2008.
[7] H. J. Kim, C. Basescu, L. Jia, S. B. Lee, Y. C. Hu, and A. Perrig, "Lightweight source authentication and path validation," ACM SIGCOMM Computer Communication Review, vol. 44, no. 4, pp. 271-282, Aug. 2014.
[8] H. Beitollahi, D. M. Sharif, and M. Fazeli, "Application layer DDoS attack detection using cuckoo search algorithm-trained radial basis function," IEEE Access, vol. 10, pp. 63844-638542022.
[9] S. Shin, V. Yegneswaran, P. Porras, and G. Gu, "AVANT-GUARD: scalable and vigilant switch flow management in software-defined networks," in Proc. of the ACM SIGSAC Conf. on Computer & Communications Security, pp. 413-424, Berlin, Germany, 4-8 Nov. 2013.
[10] R. Mahajan, M. Rodrig, D. Wetherall, and J. Zahorjan, "Sustaining cooperation in multi-hop wireless networks," in Proc. of the 2nd Conf. on Symp. on Networked Systems Design & Implementation, vol. 2, pp. 231-244, 2-4 May 2005.
[11] R. Aryan, A. Yazidi, F. Brattensborg, O. Kure, and P. E. Engelstad, "SDN spotlight: a real-time openflow troubleshooting framework," J. of Future Generation Computer Systems, vol. 133, pp. 364-377, Aug. 2022.
[12] H. Yu, K. Li, and H. Qi, "An active controller selection scheme for minimizing packet-in processing latency in SDN," J. of Security and Communication Networks, vol. 2019, Article ID: 1949343, Oct. 2019.
[13] H. Wang, L. Xu, and G. Gu, "FloodGuard: A DoS attack prevention extension in software-defined networks," in Proc. of 45th Annual IEEE/IFIP Int. Conf. on Dependable Systems and Networks, pp. 239-250, Rio de Janeiro, Brazil, 22-25 Jun. 2015.
[14] T. Sasaki, C. Pappas, T. Lee, T. Hoefler, and A. Perrig, "SDNsec: forwarding accountability for the SDN data plane," in Proc. of 25th Int. Conf. on Computer Communication and Networks, ICCCN'16, 10 pp., Waikoloa, HI, USA, 1-4 Aug. 2016.
[15] X. Liu, A. Li, X. Yang, and D. Wetherall, "Passport: secure and adoptable source authentication," in Proc. of the 5th USENIX Sympo. on Networked Systems Design and Implementation, pp. 365-378, San Francisco, CA, USA 16-18 Apr. 2008.
[16] Y. Chen, Y. Yang, X. Zou, Q. Li, and Y. Jiang, "Adaptive distributed software defined networking," J. of Computer Communications, vol. 102, pp. 120-129, Apr. 2017.
[17] S. Hong, R. Baykov, L. Xu, S. Nadimpalli, and G. Gu, "Towards SDN-defined programmable byod (bring your own device) security," in Proc. of NDSS'16, 15 pp., San Diego, CA, USA, 21-24 Feb. 2016.
[18] H. Hu, W. Han, G. J. Ahn, and Z. Zhao, "Flowguard: building robust firewalls for software-defined networks," in Proc. of 3rd Workshop on Hot Topics in Software Defined Networking, pp. 97-102, Chicago, IL, USA, 22-22 Aug. 2014.
[19] O. Blial, M. Ben Mamoun, and R. Benaini, "An overview on SDN architectures with multiple controllers," J. of Computer Networks and Communications, vol. 2016, Article ID: 9396525, Apr. 2016.
[20] D. Kreutz, F. M. V. Ramos, and P. Verissimo, "Towards secure and dependable software-defined networks," in Proc. of the 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, pp. 55-60, Hong Kong, China, 16-16 Aug. 2013.