• PDF / 1,449,701 Bytes
• 15 Pages / 439.37 x 666.142 pts Page_size
• 48 Downloads / 215 Views

DOWNLOAD

REPORT

Science and Technology on Communication Information Security Control Laboratory, Jiaxing, China 2 Xidian University, Xi’an, China [email protected] 3 PLA Air Force Xi’an Flight Academy, Xi’an, China

Abstract. In Software-defined network (SDN), the switching devices on the data plane rely on the flow entries issued by controllers to forward packets. Therefore, the correctness of flow entries becomes critical. However, the lack of security mechanism in SDN architecture makes the packet forwarding on the data plane easy to be damaged by malicious flow entries. In this paper, we argue that a malicious controller can easily issue malicious flow entries to hinder packets from being forwarded correctly on the data plane. We present a scheme based on P4 to detect and locate malicious flow entries on the data plane. Moreover, we implement the prototype of our scheme and extensive experiments to show that the proposed scheme can prevent malicious flow entries from damaging the packet forwarding of the data plane with trivial overheads.

Keywords: SDN

1

· P4 · Malicious detection · Flow entry

Introduction

In Software-defined network (SDN), controllers issue flow entries to the data plane and the switch devices on the data plane forward packets according to the flow entries [8]. Different from the traditional network, the SDN flow entries are only generated by the controller. However, the switching device in the traditional network can generate packet forwarding rules by itself according to some routing protocols, such as RIP and OSPF. Such packet forwarding mechanism in SDN can significantly simplify network management, but also introduces a new threat: a malicious controller can issue malicious flow entries to disrupt packet forwarding on the data plane. The controller abstracts network programmability as high-level APIs and offers them to SDN applications for the support of various network functions including issuing flow entries [11]. Therefore, malicious applications can easily call the controller’s APIs to issue malicious flow entries. Several attempts have been made to prevent malicious applications from sending malicious flow entries. Many proposals adopt permission control to limit the APIs which can be used by c Springer Nature Singapore Pte Ltd. 2020  S. Yu et al. (Eds.): SPDE 2020, CCIS 1268, pp. 50–64, 2020. https://doi.org/10.1007/978-981-15-9129-7_4

Protecting the Data Plane of SDN from MFE Based on P4

51

each application [6,12,15]. However, these controls cannot prevent compromised applications after deployment from issuing malicious flow entries. Some studies [7,13] monitor each inserted flow entry and check whether it has any negative impact on the data plane, but they are unable to identify the threats which are caused by a set of flow entries. Other works [4,9,10] implements Byzantine fault tolerance [2] by assigning multiple controllers to the switch, thereby preventing the distribution of malicious flow entries. However, their methods cannot prevent the malicious flow entries directly sent from the controller witho

Recommend Documents

SDN-Enabled Cloud Data Center

169 42 49MB

Service Function Chaining Based on Segment Routing Using P4 and SR-IOV (P4-SFC)

150 13 45MB

Protecting the Web from Misinformation

157 71 7MB

Protecting Sensitive Data

132 25 8MB

SDN-Enabled Data Center Networks

171 104 49MB

Big Data Issues in SDN Based IoT: A Review

179 59 8MB

On the Entries of Orthogonal Projection Matrices

185 84 324KB

Secure Data Sharing Framework Based on Supervised Machine Learning Detection System for Future SDN-Based Networks

146 101 18MB

Protecting the Non-Human Animals of Coastal Ecosystems from Disasters

160 76 6MB

entries; Sand entries; shoestring sands; sounding sandssand

170 100 62KB

A Survey on SDN Based Security in Internet of Things

197 46 2MB

Detection of Malicious URLs on Twitter

187 51 63MB