Protecting the Data Plane of SDN From Malicious Flow Entries Based on P4



Science and Technology on Communication Information Security Control Laboratory, Jiaxing, China
2 Xidian University, Xi’an, China
3 PLA Air Force Xi’an Flight Academy, Xi’an, China

Abstract. In Software-defined network (SDN), the switching devices on the data plane rely on the flow entries issued by controllers to forward packets. Therefore, the correctness of flow entries is critical. However, the lack of a security mechanism in the SDN architecture leaves packet forwarding on the data plane vulnerable to malicious flow entries. In this paper, we argue that a malicious controller can easily issue malicious flow entries that hinder packets from being forwarded correctly on the data plane. We present a scheme based on P4 to detect and locate malicious flow entries on the data plane. Moreover, we implement a prototype of our scheme and conduct extensive experiments, which show that the proposed scheme prevents malicious flow entries from damaging packet forwarding on the data plane with trivial overhead.

Keywords: SDN · P4 · Malicious detection · Flow entry

1 Introduction

In Software-defined network (SDN), controllers issue flow entries to the data plane, and the switching devices on the data plane forward packets according to those flow entries [8]. Unlike a traditional network, where a switch can generate its own forwarding rules by running routing protocols such as RIP and OSPF, in SDN the flow entries are generated only by the controller. This forwarding mechanism greatly simplifies network management, but it also introduces a new threat: a malicious controller can issue malicious flow entries to disrupt packet forwarding on the data plane. The controller abstracts network programmability as high-level APIs and offers them to SDN applications in support of various network functions, including issuing flow entries [11]. Therefore, a malicious application can easily call the controller’s APIs to issue malicious flow entries. Several attempts have been made to prevent malicious applications from sending malicious flow entries. Many proposals adopt permission control to limit the APIs that each application may use [6,12,15]. However, these controls cannot stop an application that is compromised after deployment from issuing malicious flow entries. Some studies [7,13] monitor each inserted flow entry and check whether it has a negative impact on the data plane, but they cannot identify threats that arise only from a set of flow entries taken together. Other works [4,9,10] implement Byzantine fault tolerance [2] by assigning multiple controllers to each switch, thereby preventing the distribution of malicious flow entries. However, their methods cannot prevent malicious flow entries sent directly from the controller witho

© Springer Nature Singapore Pte Ltd. 2020. S. Yu et al. (Eds.): SPDE 2020, CCIS 1268, pp. 50–64, 2020. https://doi.org/10.1007/978-981-15-9129-7_4
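To make the limitation of per-entry monitoring concrete, the following is an added illustration written for this page, not code from the paper or its prototype: a small simulated data plane in which two flow entries on different switches each pass a per-entry sanity check (valid output port, known destination), yet together form a forwarding loop that only a check over the whole set of entries, tracing the path a packet actually takes, can detect. The topology, host and switch names, flow tables and both checks are constructed for the example and are hypothetical; they are not the P4-based detection scheme the paper proposes.

```python
"""
Added illustration (hypothetical, not the paper's scheme): why validating
each flow entry in isolation misses threats that only a *set* of entries
creates. A tiny data plane is modelled as switches with flow tables of
(destination host -> output port) and a link map (switch, port) -> neighbor.
All topology and entries below are constructed for the example.
"""
from collections import namedtuple

FlowEntry = namedtuple("FlowEntry", "dst out_port")

# Constructed topology: h1 -- s1 -- s2 -- s3 -- h2
LINKS = {
    ("s1", 1): "h1", ("s1", 2): "s2",
    ("s2", 1): "s1", ("s2", 2): "s3",
    ("s3", 1): "s2", ("s3", 2): "h2",
}
HOSTS = {"h1": ("s1", 1), "h2": ("s3", 2)}


def per_entry_check(switch, entry):
    """Per-entry check, as a monitor that inspects one inserted entry would do:
    the output port exists on this switch and the destination is a known host.
    It has no notion of what the other switches' entries do."""
    return (switch, entry.out_port) in LINKS and entry.dst in HOSTS


def all_entries_pass(tables):
    """True when every entry in every switch's table passes per_entry_check."""
    return all(per_entry_check(sw, e) for sw, t in tables.items() for e in t.values())


def trace(tables, src_switch, dst, max_hops=16):
    """Set-level check: follow a packet for dst from src_switch through the
    installed entries. Returns (verdict, path) with verdict one of
    'delivered', 'blackhole', 'misdelivered' or 'loop'."""
    path = [src_switch]
    seen = {src_switch}
    sw = src_switch
    for _ in range(max_hops):
        entry = tables.get(sw, {}).get(dst)
        if entry is None:
            return "blackhole", path              # no matching rule: dropped
        nxt = LINKS.get((sw, entry.out_port))
        if nxt is None:
            return "blackhole", path              # rule points at a dead port
        path.append(nxt)
        if nxt == dst:
            return "delivered", path
        if nxt in HOSTS:
            return "misdelivered", path           # reached the wrong host
        if nxt in seen:
            return "loop", path                   # revisited a switch
        seen.add(nxt)
        sw = nxt
    return "loop", path                           # hop budget exhausted


def set_check(tables):
    """Trace every (ingress switch, destination host) pair over the whole
    table set and report every pair that is not delivered."""
    problems = {}
    for sw in tables:
        for host in HOSTS:
            verdict, path = trace(tables, sw, host)
            if verdict != "delivered":
                problems[(sw, host)] = (verdict, path)
    return problems


# Honest tables: h2 traffic goes s1 -> s2 -> s3 -> h2, h1 traffic the reverse.
GOOD = {
    "s1": {"h1": FlowEntry("h1", 1), "h2": FlowEntry("h2", 2)},
    "s2": {"h1": FlowEntry("h1", 1), "h2": FlowEntry("h2", 2)},
    "s3": {"h1": FlowEntry("h1", 1), "h2": FlowEntry("h2", 2)},
}

# A malicious controller flips one entry on s2 so h2 traffic is sent back
# toward s1. That entry is individually valid (port 1 exists, h2 is a host),
# so per-entry monitoring accepts it; combined with s1's entry it is a loop.
BAD = {sw: dict(t) for sw, t in GOOD.items()}
BAD["s2"]["h2"] = FlowEntry("h2", 1)

if __name__ == "__main__":
    print("per-entry check on BAD:", all_entries_pass(BAD))   # True
    print("set-level check on BAD:", set_check(BAD))          # two loops reported
```

Running the block shows `all_entries_pass(BAD)` returning True while `set_check(BAD)` reports loops for h2 traffic entering at s1 and s2; the same trace also flags blackholes (no matching entry or a dead port) and misdelivery (the packet reaches the wrong host), which are the other ways a malicious entry can hinder forwarding without being individually malformed.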