Article title

Securing centralized SDN control with distributed blockchain technology

Content
Identifiers
Title variants
Publication languages
EN
Abstracts
EN
Software-Defined Networks (SDN) advocate the segregation of network control logic, forwarding functions and management applications into different planes to achieve network programmability and automated, dynamic flow control in next-generation networks. This promotes the deployment of novel and augmented network-management functions in order to obtain flexible, robust, scalable, and cost-effective network deployments. All of these features introduce new research challenges and require secure communication protocols among the segregated network planes. This manuscript focuses on the security of the southbound interface that operates between the SDN control plane and the data plane. We highlight the security threats associated with an unprotected southbound interface, as well as the issues related to the existing TLS-based security solution. A lightweight blockchain-based decentralized security solution is proposed for the southbound interface to protect the resources of logically centralized SDN controllers and distributed forwarding devices from adversaries. The proposed mechanism can operate in multi-domain SDN deployments and can be used with a wide range of network controllers and data plane devices. In addition, the proposed security solution is analyzed in terms of its security features, communication overhead, and re-authentication overhead.
Keywords
Publisher
Journal
Year
Volume
Pages
5--30
Physical description
Bibliography: 59 items, figures, tables.
Authors
author
  • University of Kashmir, Department of Computer Science and Engineering, India
  • National Institute of Technology, Electronics and Communication Department, Srinagar, Jammu & Kashmir, India
Notes
PL
Record prepared with funds from the MEiN (Polish Ministry of Education and Science), agreement no. SONP/SP/546092/2022, under the programme "Społeczna odpowiedzialność nauki" (Social Responsibility of Science), module: Popularisation of science and promotion of sport (2022-2023).
Document type
Bibliography
YADDA identifier
bwmeta1.element.baztech-972622bf-aa5e-48b0-806d-f636f54b644f