Flow consistency in an intensive SDN security architecture with multiple controllers

doi:10.11959/j.issn.2096-109x.2017.00223

Abstract

Abstract:

As critical components in SDN,controllers are prone to suffer from a series of potential attacks which result in system crashes.To prevent the compromise caused by single failure of controller or flow-tampering attacks,Mcad-SA,an aware decision-making security architecture with multiple controllers was proposed,which coordinates heterogeneous controllers internally as an“associated”controller.This architecture extends existing control plane and takes advantage of various controllers’merits to improve the difficulty and cost of probes and attacks from attackers.In this framework,flow rules distributed to switches are no longer relying on a single controller but according to the vote results from the majority of controllers,which significantly enhances the reliability of flow rules.As to the vote process of flow rules,segmentation and grading is adopted to pick up the most trustful one from multiple flow rules and implement flow consistency.This mechanism avoids comparison between rules via bit by bit which is impractical among several controllers.Theory analysis and simulation results demonstrates the effectiveness,availability and resilience of the proposed methods and their better security gain over general SDN architectures.

Key words: multi-controller, security, Mcad-SA, flow consistency

Ying-ying LV,Yun-fei GUO,Chao QI,Qi WU,Ya-wen WANG. Flow consistency in an intensive SDN security architecture with multiple controllers[J]. Chinese Journal of Network and Information Security, 2017, 3(12): 62-78.

Figures/Tables 21

References 24

[1]	MCKEOWN N , ANDERSON T , BALAKRISHNAN H ,et al. OpenFlow:enabling innovation in campus networks[J]. ACM Sigcomm Computer Communication Review, 2008,38(2): 69-74.
[2]	MONSANTO C , REICH J , FOSTER N ,et al. Composing software-defined networks[C]// The 10th USENIX Conference on Networked Systems Design and Implementation,USENIX Association. 2013: 1-14.
[3]	KREUTZ D , RAMOS F M V , VERISSIMO P . Towards secure and dependable software-defined networks[C]// The Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. 2013: 55-60.
[4]	CABAJ K,WYTR?BOWICZ J,KUKLI?SKI S , et al . SDN architecture impact on network security[C]// Federated Conference on Computer Science and Information Systems. 2014.
[5]	SCOTT-HAYWARD S , NATARAJAN S , SEZER S . A survey of security in software defined networks[J]. IEEE Communications Surveys＆Tutorials, 2015,18(1): 623-654.
[6]	PORRAS P , SHIN S , YEGNESWARAN V ,et al. A security enforcement kernel for OpenFlow networks[C]//2012:121-126.　　　　　　　2012: 121-126.
[7]	PORRAS P , CHEUNG S , FONG M ,et al. Securing the Software-Defined Network Control Layer[C]// The 2015 Network and Distributed System Security Symposium (NDSS),San Diego,California. 2015.
[8]	JAIN S , KUMAR A , MANDAL S ,et al. B4:experience with a globally-deployed software defined wan[C]// ACM SIGCOMM 2013 Conference on SIGCOMM. 2013: 3-14.
[9]	BERDE P , HART J , HART J ,et al. ONOS:towards an open,distributed SDN OS[C]// The Workshop on Hot Topics in Software Defined NETWORKING. 2010: 1-6.
[10]	ELDEFRAWY K , KACZMAREK T . Byzantine fault tolerant software-defined networking (SDN) controllers[C]// Computer Software and Applications Conference. 2016: 208-213.
[11]	CELLO M , XU Y , WALID A ,et al. BalCon:a distributed elastic SDN control via efficient switch migration[C]// IEEE International Conference on Cloud Engineering. 2017.
[12]	GUO Z , XU Y , CELLO M ,et al. JumpFlow:reducing flow table usage in software-defined networks[J]. Computer Networks, 2015,(92): 300-315.
[13]	MCGEER R , . A safe,efficient update protocol for openflow networks[C]// The Workshop on Hot Topics in Software Defined Networks. 2012: 61-66.
[14]	SUKAPURAM R , BARUA G . Enhanced algorithms for consistent network updates[C]// Network Function Virtualization and Software Defined Network. 2016: 184-190.
[15]	HUSSEIN A , ELHAJJ I H , CHEHAB A ,et al. SDN verification plane for consistency establishment[C]// Computers and Communication. IEEE, 2016: 519-524.
[16]	HUA J , GE X , ZHONG S . FOUM:a flow-ordered consistent update mechanism for software-defined networking in adversarial settings[C]// The International Conference on Computer Communications. 2016: 1-9.
[17]	Reitblatt M , Foster N , Rexford J ,et al. Consistent updates for software-defined networks:change you can believe in![C]// ACM Workshop on Hot Topics in Networks. 2011:7.
[18]	Ryu SDN Framework[EB/OL]. .
[19]	FloodLight.“Open SDN controller”[EB/OL]. .
[20]	QI C , WU J , HU H ,et al. Dynamic-scheduling mechanism of controllers based on security policy in software-defined network[J]. Electronics Letters, 2016,52(23): 1918-1920.
[21]	QI C , WU J , HU H ,et al. An intensive security architecture with multi-controller for SDN[C]// Computer Communications Workshops. 2016: 401-402.
[22]	OpenDaylightConsortium[EB/OL]. .
[23]	LANTZ B , HELLER B , MCKEOWN N . A network in a laptop:rapid prototyping for software-defined networks[C]// ACM Workshop on Hot Topics in Networks. 2010: 1-6.
[24]	MACHAT R , BANKS S , CALABRIA F ,et al． ISSU benchmarking methocldogy[DB/OL]. .

Metrics

Recommended 0

No Suggested Reading articles found!

Field	Notations
version	The version of control protocol we take
type	The type of messages
length	The length of payload
packet_id	The unique id of message
module_id	The unique id of module operating on the controller

Application on Server	IP	CPU	Memory	Operation System
Floodlight	192.168.108.1	2.00 GHz	32 G	Ubuntu16.04
ONOS	192.168.108.2	2.00 GHz	32 G	Ubuntu16.04
ODL	192.168.108.3	2.00 GHz	32 G	Ubuntu16.04
Proxy and arbiter	192.168.108.4	2.00 GHz	32 G	Ubuntu16.04