软件定义网络数据平面安全综述

doi:10.11959/j.issn.2096-109x.2018087

Abstract

Abstract:

The software-defined network decouples the data plane from the control plane,aiming to introduce network innovation faster and fundamentally automate the management of large networks.Architecture innovation brings challenges and opportunities.Security issues limit the widespread adoption of software-defined networks.Attacks on the data plane may damage the entire software-defined network.The data plane structure and development trends were introduced,data plane security risks were analyzed,vulnerabilities were pointed out,and potential attack scenarios were identified.It also presents two specific solutions,discusses the significance and limitations,and looks forward to future security research directions.

Key words: software-defined network (SDN), data plane, stateful SDN data plane, SDN security, data plane security

CLC Number:

TP393

Zhongfu GUO, Xingming ZHANG, Bo ZHAO, Sunan WANG. Survey of software-defined networking data plane security[J]. Chinese Journal of Network and Information Security, 2018, 4(11): 1-12.

Figures/Tables 6

References 77

[1]	MEDVED J , VARGA R , TKACIK A ,et al. Opendaylight:towards a model-driven sdn controller architecture[C]// 2014 IEEE 15th International Symposium on. IEEE, 2014: 1-6.
[2]	BERDE P , GEROLA M , HART J ,et al. ONOS:towards an open,distributed SDN OS[C]// The Third Workshop on Hot topics in Software Defined Networking. 2014: 1-6.
[3]	TOOTOONCHIAN A , GANJALI Y . HYPERFLOW:a distributed control plane for openflow[C]// 2010 Internet Network Management Conference on Research on Enterprise Networking. 2010:3.
[4]	Heller B. . Openflow switch specification,version 1.0.0[J]. Wire, 2009,12.
[5]	FUNDATION O N . The benefits of multiple flow tables and ttps[R]. 2015.
[6]	BOSSHART P , GIBB G , KIM H S ,et al. Forwarding metamorphosis:fast programmable match-action processing in hardware for SDN[C]// ACM sigcomm Computer Communication Review. 2013 99-110.
[7]	ZAL M , KLEBAN J . Performance evaluation of OpenFlow devices[J]. 2014.
[8]	BAKTIR A C , OZGOVDE A , ERSOY C . Implementing service-centric model with P4:a fully-programmable approach[C]// IEEE/IFIP Network Operations and Management Symposium. 2018: 1-6.
[9]	SONG H , . Protocol-oblivious forwarding:unleash the power of SDN through a future-proof forwarding plane[C]// The Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. 2013: 127-132.
[10]	BIANCHI G , BONOLA M , CAPONE A ,et al. OpenState:programming platform-independent stateful openflow applications inside the switch[J]. ACM sigcomm Computer Communication Review, 2014,44(2): 44-51.
[11]	BIANCHI G , BONOLA M , PONTARELLI S ,et al. Open packet processor:a programmable architecture for wire speed platformindependent stateful in-network processing[R]. 2016.
[12]	MOSHREF M , BHARGAVA A , GUPTA A ,et al. Flow-level state transition as a new switch primitive for SDN[C]// The third WorkShop on Hot Topics in Software Defined Networking. 2014: 61-66.
[13]	ZHU S , BI J , SUN C ,et al. Sdpa:enhancing stateful forwarding for software-defined networking[C]// IEEE 23rd International Conference on Network Protocols(ICNP). 2015: 323-333.
[14]	HU H , HAN W , AHN G J ,et al. FLOWGUARD:building robust firewalls for software-defined networks[C]// The Third Workshop on Hot Topics in Software Defined Networking. 2014: 97-102.
[15]	CHANG Y , LIN T . Cloud-clustered firewall with distributed SDN devices[C]// IEEE Wireless Communications and Networking Conference(WCNC). 2018: 1-5.
[16]	KIRAVUO T , SARELA M , MANNER J . A survey of Ethernet LAN security[J]. IEEE Communications Surveys ＆ Tutorials, 2013,15(3): 1477-1491.
[17]	AHLGREN B , DANNEWITZ C , IMBRENDA C ,et al. A survey of information-centric networking[J]. IEEE Communications Magazine, 2012,50(7).
[18]	ZIER L , FISCHER W , BROCKNERS F . Ethernet-based public communication services:challenge and opportunity[J]. IEEE Communications Magazine, 2004,42(3): 88-95.
[19]	OLIVIER F , CARLOS G , FLORENT N . New security architecture for IoT network[J]. Procedia Computer Science, 2015,52: 1028-1033.
[20]	KHAN S , GANI A , WAHAB A W A ,et al. Software-defined network forensics:motivation,potential locations,requirements,and challenges[J]. IEEE Network, 2016,30(6): 6-13.
[21]	CHOWDHARY A , PISHARODY S , HUANG D . SDN based scalable mtd solution in cloud network[C]// Proceedings of the 2016 ACM Workshop on Moving Target Defense. ACM, 2016: 27-36.
[22]	YAN Q , YU F R , GONG Q ,et al. Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments:a survey,some research issues,and challenges[J]. IEEE Communications Surveys ＆ Tutorials, 2016,18(1): 602-622.
[23]	CAPONE A , CASCONE C , NGUYEN A Q T ,et al. Detour planning for fast and reliable failure recovery in SDN with OpenState[C]// 2015 11th International Conference on the Design of Reliable Communication Networks (DRCN), 2015: 25-32.
[24]	KATTA N , HIRA M , KIM C ,et al. Hula:scalable load balancing using programmable data planes[C]// The Symposium on SDN Research. 2016:10.
[25]	BIANCHI G , BONOLA M , CAPONE A ,et al. OpenState:programming platform-independent stateful openflow applications inside the switch[J]. ACM sigcomm Computer Communication Review, 2014,44(2): 44-51.
[26]	ARASHLOO M T , KORAL Y , GREENBERG M ,et al. SNAP:stateful network-wide abstractions for packet processing[C]// The 2016 ACM SIGCOMM Conference. ACM, 2016: 29-43.
[27]	ARASHLOO M T , KORAL Y , GREENBERG M ,et al. SNAP:stateful network-wide abstractions for packet processing[C]// The 2016 ACM SIGCOMM Conference. ACM, 2016: 29-43.
[28]	DARGAHI T , CAPONI A , AMBROSIN M ,et al. A survey on the security of stateful SDN data planes[J]. IEEE Communications Surveys ＆ Tutorials, 2017,19(3): 1701-1725.
[29]	LEVIN D , WUNDSAM A , HELLER B ,et al. Logically centralized? state distribution trade-offs in software defined networks[C]// The First Workshop on Hot Topics in Software Defined Networks. 2012: 1-6.
[30]	PERE?í , Ni P , KUZNIAr M ， KOSTI? D . Rule-level data plane monitoring with monocle[C]// ACM sigcomm Computer Communication Review. 2015,45(4): 595-596.
[31]	KU? , NIAR M , PERE?íNi P , KOSTI? D , . What you need to know about SDN flow tables[C]// International Conference on Passive and Active Network Measurement. 2015: 347-359.
[32]	ZHANG Y , BEHESHTI N , TATIPAMULA M . On resilience of split-architecture networks[C]// Global Communications Conference,GLOBECOM. 2011: 1-6.
[33]	ZHOU Y , CHEN K , ZHANG J ,et al. Exploiting the vulnerability of flow table overflow in software-defined network:attack model,evaluation,and defense[J]. Security and Communication Networks, 2018,2018.
[34]	KLOTI R , KOTRONIS V , SMITH P . Openflow:a security analysis[C]// 2013 21st IEEE International Conference on Network Protocols (ICNP), 2013: 1-6.
[35]	YOON C , LEE S , KANG H ,et al. Flow wars:systemizing the attack surface and defenses in software-defined networks[J]. IEEE/ACM Transactions on Networking, 2017,25(6): 3514-3530.
[36]	SCOTT-HAYWARD S , NATARAJAN S , SEZER S . A survey of security in software defined networks[J]. IEEE Communications Surveys ＆ Tutorials, 2016,18(1): 623-654.
[37]	BENTON K , CAMP L J,SMALL,C . Openflow vulnerability assessment[C]// The Second ACM SIGCOMM Workshop on Hot topics in Software Defined Networking ACM, 2013: 151-152.
[38]	LIN P C , LI P C , NGUYEN V L . Inferring OpenFlow rules by active probing in software-defined networks[C]// 2017 19th International Conference on Advanced Communication Technology (ICACT), 2017: 415-420.
[39]	NIST:CVE-2014-9295 Detail[EB/OL]. , 2014.
[40]	KLOTI R , KOTRONIS V , SMITH P . Openflow:a security analysis[C]// IEEE International Conference on In Network Protocols (ICNP), 2013: 1-6.
[41]	KREUTZ D , RAMOS F , VERISSIMO P . Towards secure and dependable software-defined networks[C]// The Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. 2013: 55-60.
[42]	MCKEOWN N , ANDERSON T , BALAKRISHNAN H ,et al. OpenFlow:enabling innovation in campus networks[J]. ACM SIGCOMM Computer Communication Review, 2008,38(2): 69-74.
[43]	KIM T H J , BASESCU C , JIA L ,et al. Lightweight source authentication and path validation[C]// ACM sigcomm Computer Communication Review. 2014,44(4): 271-282.
[44]	KIRKPATRICK K . Software-defined networking[J]. Communications of the ACM, 2013,56(9): 16-19.
[45]	KLOTI R , KOTRONIS V , SMITH P . Openflow:a security analysis[C]// IEEE International Conference on Network Protocols(ICNP). 2013: 1-6.
[46]	SHAGHAGHI A , KAAFAR M A , JHA S . Wedgetail:an intrusion prevention system for the data plane of software defined networks[C]// 2017 ACM on Asia Conference on Computer and Communications Security. 2017: 849-861.
[47]	DHAWAN M , PODDAR R , MAHAJAN K ,et al. Sphinx:detecting security attacks in software-defined networks[C]// NDSS. 2015.
[48]	KAZEMIAN P , CHAN M , ZENG H ,et al. Real time network policy checking using header space analysis[C]// NSDI. 2013: 99-111.
[49]	KAZEMIAN P , VARGHESE G , MCKEOWN N . Header space analysis:static checking for networks[C]// NSDI. 2012: 113-126.
[50]	KHURSHID A , ZHOU W , CAESAR M ,et al. Veriflow:Verifying network-wide invariants in real time[C]// The First Workshop on Hot Topics in Software Defined Networks. ACM, 2012: 49-54.
[51]	MAI H , KHURSHID A , AGARWAl R ,et al. Debugging the data plane with anteater[C]// ACM SIGCOMM Computer Communication Review. 2011,41(4): 290-301.
[52]	KIM T H J , BASESCU C , JIA L ,et al. Lightweight source authentication and path validation[C]// ACM SIGCOMM Computer Communication Review. ACM, 2014,44(4): 271-282.
[53]	LIU X , LI A , YANG X ,et al. Passport:secure and adoptable source authentication[C]// NSDI. 2008,8: 365-378.
[54]	NAOUS J , WALFISH M , NICOLOSI A ,et al. Verifying and enforcing network paths with icing[C]// The Seventh Conference on Emerging Networking Experiments and Technologies. 2011:30.
[55]	SASAKI T , PAPPAS C , LEE T ,et al. SDNsec:Forwarding accountability for the SDN data plane[C]// 25th International Conference on Computer Communication and Networks (ICCCN). 2016: 1-10.
[56]	ZHANG X , ZHOU Z , HSIAO H C ,et al. ShortMAC:efficient Data-Plane Fault Localization[C]// NDSS. 2012.
[57]	AVRAMOPOULOS I , KOBAYASHI H , WANG R ,et al. Highly secure and efficient routing[C]// Twentythird Annual Joint Conference of the IEEE Computer and Communications Societies. IEEE, 2004,1.
[58]	MAHAJAN R , RODRIG M , WETHERALL D ,et al. Sustaining cooperation in multi-hop wireless networks[C]// The 2nd Conference on Symposium on Networked Systems Design ＆ Implementation-Volume 2. 2005: 231-244.
[59]	AGARWAL K , ROZNER E , DIXON C ,et al. SDN traceroute:Tracing SDN forwarding without changing network behavior[C]// The third Workshop on Hot Topics in Software Defined Networking. ACM, 2014: 145-150.
[60]	AWERBUCH B , CURTMOLA R , HOLMER D ,et al. ODSBR:an on-demand secure Byzantine resilient routing protocol for wireless ad hoc networks[J]. ACM Transactions on Information and System Security (TISSEC), 2008,10(4): 6-1.
[61]	PADMANABHAN V N , SIMON D R . Secure traceroute to detect faulty or malicious routing[J]. ACM SIGCOMM Computer Communication Review, 2003,33(1): 77-82.
[62]	LIU K , DENG J , VARSHNEY P K ,et al. An ackno-wledgmentbased approach for the detection of routing misbehavior in MANETs[J]. IEEE Transactions on Mobile Computing, 2007,6(5): 536-550.
[63]	MARTI S , GIULI T J , LAI K ,et al. Mitigating routing misbehavior in mobile ad hoc networks[C]// The 6th Annual International Conference on Mobile Computing and Networking. 2000: 255-265.
[64]	ZHANG X , JAIN A , PERRIG A . Packet-dropping adversary identification for data plane security[C]// 2008 ACM CoNEXT Conference. ACM, 2008:24.
[65]	PELEKIS N , KOPANAKIS I , PANAGIOTAKIS C ,et al. Unsupervised trajectory sampling[J]. Machine Learning and Knowledge Discovery in Databases, 2010: 17-33.
[66]	HANDIGOL N , HELLER B , JEYAKUMAR V ,et al. I know what your packet did last hop:using packet histories to troubleshoot networks[C]// NSDI. 2014,14: 71-85.
[67]	KAZEMIAN P , CHANG M , ZENG H ,et al. Real time network policy checking using header space analysis[C]// The 10th USENIX Symposium on Networked Systems Design and Implementation (NSDI 13). 2013: 99-111.
[68]	KAZEMIAN P , VARGHESE G , MCKEOWN N . Header space analysis:Static checking for networks[C]// The 9th USENIX Symposium on Networked Systems Design and Implementation (NSDI 12). 2012: 113-126.
[69]	KHURSHID A , ZOU X , ZHOU W ,et al. Veriflow:Verifying network-wide invariants in real time[C]// The 10th USENIX Symposium on Networked Systems Design and Implementation (NSDI 13). 2013: 15-27.
[70]	MAI H , KHURSHID A , AGARWAL R ,et al. Debugging the data plane with anteater[C]// ACM SIGCOMM Computer Communication Review. 2011: 290-301.
[71]	THIMMARAJU K , SCHIFF L , SCHMID S . Outsmarting network security with SDN teleportation[C]// IEEE European Symposium on Security and Privacy (EuroS＆P). 2017: 563-578.
[72]	HONG S , XU L , WANG H ,et al. Poisoning network visibility in software-defined networks:new attacks and countermeasures[C]// NDSS. 2015: 8-11.
[73]	XIA W , WEN Y , FOH C H ,et al. A survey on software-defined networking[J]. IEEE Communications Surveys ＆ Tutorials, 2015,17(1): 27-51.
[74]	JACOBSON V , SMETTERS D K , THORNTON J D ,et al. Networking named content[C]// The 5th International Conference on Emerging Networking Experiments and Technologies. 2009: 1-12.
[75]	AHLGREN B , DANNEWITZ C , IMBRENDA C ,et al. A survey of information-centric networking[J]. IEEE Communications Magazine, 2012,50(7).
[76]	ABDALLAH E G , HASSANEIN H S , ZULKERNINE M . A survey of security attacks in information-centric networking[J]. IEEE Communications Surveys ＆ Tutorials, 2015,17(3): 1441-1454.
[77]	COMPAGNO A , CONTI M , GASTI P ,et al. Poseidon:mitigating interest flooding DDoS attacks in named data networking[C]// 2013 IEEE 38th Conference on Local Computer Networks (LCN). 2013: 630-638.

Metrics

Recommended 0

No Suggested Reading articles found!

Survey of software-defined networking data plane security

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 6

References 77

Related Articles 15

Metrics

Recommended 0

[1]	Xianyi CHEN, Jun GU, Kai YAN, Dong JIANG, Linfeng XU, Zhangjie FU. Double adversarial attack against license plate recognition system [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 16-27.
[2]	Tianpeng YE, Xiang LIN, Jianhua LI, Xuankai ZHANG, Liwen XU. Personalized lightweight distributed network intrusion detection system in fog computing [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 28-37.
[3]	Lijun ZU, Yalin CAO, Xiaohua MEN, Zhihui LYU, Jiawei YE, Hongyi LI, Liang ZHANG. Adaptive selection method of desensitization algorithm based on privacy risk assessment [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 49-59.
[4]	Ruiqi XIA, Manman LI, Shaozhen CHEN. Identification on the structures of block ciphers using machine learning [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 79-89.
[5]	Jingyi YUAN, Zichuan LI, Guojun PENG. EN-Bypass: a security assessment method on e-mail user interface notification [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 90-101.
[6]	Feng YU, Qingxin LIN, Hui LIN, Xiaoding WANG. Privacy-enhanced federated learning scheme based on generative adversarial networks [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 113-122.
[7]	Chuntao ZHU, Chengxi YIN, Bolin ZHANG, Qilin YIN, Wei LU. Forgery face detection method based on multi-domain temporal features mining [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 123-134.
[8]	Xiaomeng LI, Daidou GUO, Xunfang ZHUO, Heng YAO, Chuan QIN. Carrier-independent screen-shooting resistant watermarking based on information overlay superimposition [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 135-149.
[9]	Zhao CAI, Tao JING, Shuang REN. Survey on Ethereum phishing detection technology [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 21-32.
[10]	Yan PAN, Wei LIN, Yuefei ZHU. Progressive active inference method of protocol state machine [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 81-93.
[11]	Pan YANG, Fei KANG, Hui SHU, Yuyao HUANG, Xiaoshao LYU. Binary program taint analysis optimization method based on function summary [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 115-131.
[12]	Tian XIAO, Zhihao JIANG, Peng TANG, Zheng HUANG, Jie GUO, Weidong QIU. High-performance directional fuzzing scheme based on deep reinforcement learning [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 132-142.
[13]	Chenghao YUAN, Yong LI, Shuang REN. Dynamic multi-keyword searchable encryption scheme [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 143-153.
[14]	Zezhou HOU, Jiongjiong REN, Shaozhen CHEN. Security evaluation for parameters of SIMON-like cipher based on neural network distinguisher [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 154-163.
[15]	Xuejing GUO, Yixiang FANG, Yi ZHAO, Tianzhu ZHANG, Wenchao ZENG, Junxiang WANG. Traditional guidance mechanism based deep robust watermarking [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 175-183.