PERM-GUARD: Authenticating the Validity of Flow Rules in Software Defined Networking

Software Defined Networking (SDN) is one type of flow-rule-driven network. In SDN, a centralized controller dictates the network behavior and configures network devices via flow rules. Therefore, the validity and consistency of flow rules are critical to the security of SDN operations, requiring a secure and efficient mechanism to manage and authenticate flow rules between the controller and network devices. In this paper, we aim to develop solutions that guarantee the validity of flow rules in SDN. We analyze the mechanisms that generate and manage flow rules in SDN, and present PERM-GUARD, a fine-grained permission management and authentication scheme for flow rules in SDN. PERM-GUARD employs a new permission authentication model and introduces an identity-based signature scheme that lets the controller verify the validity of flow rules. We conduct theoretical analysis and simulation-based evaluation of PERM-GUARD. The results demonstrate that PERM-GUARD can efficiently identify and reject fake flow rules generated by unregistered applications. Meanwhile, it can also effectively filter out unauthorized flow rules created by valid applications, and trace their creator in a timely and accurate manner.
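As an added illustration (not code from the paper), the three controller-side outcomes the abstract describes: rejecting a rule from an unregistered application, rejecting a rule from a valid application that exceeds its permissions, and recording the creator of every rule. Per-app HMAC keys derived from a controller master secret stand in for the paper's identity-based signature scheme, and the permission table is an assumed, constructed one.

```python
import hashlib
import hmac
import json

# Constructed example: a toy controller that authenticates flow rules.
# Identity-based signatures are replaced by HMAC with per-app keys derived
# from a controller master secret (a stand-in, not the paper's IBS scheme).
MASTER_SECRET = b"constructed-master-secret"

# Assumed permission model: which flow-rule actions each registered app may use.
PERMISSIONS = {
    "firewall-app": {"drop"},
    "lb-app": {"forward", "modify"},
}

def app_key(app_id: str) -> bytes:
    """Derive an app's signing key from its identity (key-extraction stand-in)."""
    return hmac.new(MASTER_SECRET, app_id.encode(), hashlib.sha256).digest()

def canonical(rule: dict) -> bytes:
    """Stable serialization so signer and verifier hash identical bytes."""
    return json.dumps(rule, sort_keys=True, separators=(",", ":")).encode()

def sign_rule(app_id: str, rule: dict) -> dict:
    """A registered app attaches its identity and a signature over the rule."""
    sig = hmac.new(app_key(app_id), canonical(rule), hashlib.sha256).hexdigest()
    return {"app": app_id, "rule": rule, "sig": sig}

def authenticate(msg: dict) -> tuple:
    """Controller-side check. Returns (accepted, reason, creator) so every
    decision, including rejections, is traceable to the submitting app."""
    app_id = msg.get("app")
    if app_id not in PERMISSIONS:            # fake rule from an unregistered app
        return (False, "unregistered app", app_id)
    expected = hmac.new(app_key(app_id), canonical(msg["rule"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("sig", "")):
        return (False, "bad signature", app_id)  # rule altered or key not held
    action = msg["rule"].get("action")
    if action not in PERMISSIONS[app_id]:     # valid app exceeding its permissions
        return (False, f"action '{action}' not permitted", app_id)
    return (True, "accepted", app_id)
```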
