Analysis and Research on Network Security for OpenFlow-based SDN

doi:10.3969/j.issn.1671-1122.2015.02.005

Abstract

Abstract:

OpenFlow-based SDN technology separates the data and control planes of network, deploys central controller to manage and control the network, and provides a new solution for the development of future network. However, this new method of network management and control differs essentially from traditional network management method using close network equipment with distributed control plane currently, which would introduce new management and security problems when achieving centralized management. In this paper, we firstly introduce the defects of the three-layer architecture itself and the possible security issues, and analyze these issues from infrastructure layer, southbound interface, control layer, northbound interface and application layer respectively. Then, we summarize current related research status and research methods, and provide feasible solutions from four aspects including authentication mechanisms, backup and recovery of control layer, network anomaly detection and defense mechanisms, application isolation and permission management. After the discussion, we conclude the paper and point out the research direction.

Key words: OpenFlow network, software defined networking, control layer, authentication, backup

CLC Number:

TP309

ZUO Qing-yun, ZHANG Hai-su. Analysis and Research on Network Security for OpenFlow-based SDN[J]. Netinfo Security, 2015, 15(2): 26-32.

Figures/Tables 4

References 24

[1]	Mckeown N, Anderson T, Balakrishnan H, et al.OpenFlow: Enabling Innovation in Campus Networks[J]. ACM SIGCOMM Computer Communication Review 2008, 38(2): 69-74.
[2]	Kreutz D, Ramos F, Verissimo P.Towards Secure and Dependable Software-Defined Networks[C]// HotSDN. 2013: 55-60.
[3]	Benton K, Camp L, Small C.OpenFlow Vulnerability Assessment[C]// HotSDN. 2013: 151-152.
[4]	Shin S, Gu G.Attacking Software-Defined Networks: A First Feasibility Study[C]//HotSDN. 2013: 165-166.
[5]	Koponen T, Casado M, Gude N, et al.Onix: A Distributed Control Platform for Large-scale Production Networks[C]//Proc. of the 9th USENIX conference on Operating Systems Design and Implementation (OSDI). Vancouver: USENIX Association, 2010: 1-6.
[6]	Open Networking Foundation[EB/OL]., 2014-03-10.
[7]	Gude N, Koponen T, Pettit J, et al.Nox: Towards an operating system for networks[J]. ACM Computer Communication Review, 2008, 38(3):105-110.
[8]	Sharma S, Staessens D, Colle D, et al.OpenFlow: Meeting carrier-grade recovery requirements[J]. Computer communications. 2012, 36(6):656-665.
[9]	Kuzniar M, Peresini P, Vasic N, et al.Automatic Failure Recovery for Software-Defined Networks[C]//HotSDN. 2013:159-160.
[10]	Kozat U, Liang G, Kokten K.Verifying Forwarding Plane Connectivity and Locating Link Failures using Static Rules in Software Defined Networks[C]//HotSDN. 2013:157-158.
[11]	Tootoonchian A, Ganjali Y.HyperFlow:A Distributed Control Plane for OpenFlow[C] //Proceeding of Internet Network Management Workshop/Workshop on Research on Enterprise Networking (INM/WREN), 2010:3-3.
[12]	Yeganeh S, Ganjali Y.Kandoo: A Framework for Efficient and Scalable Offloading of Control Applications[C]//HotSDN, 2012: 19-24.
[13]	Dixit A, Hao F, Mukherjee S, et al.Towards an Elastic Distributed SDN Controller[C]//HotSDN. 2013:7-12.
[14]	Pfaff B, Pettit J, Koponen T, Amidon K, Casado M, Shenker S.Extending Networking into the Virtualization Layer[C]//Proc. of the 7th ACM SIGCOMM Workshop on Hot Topics in Networks (HotNets), 2009.
[15]	Mehdi S, Khalid J, Khayam S. Revisiting Traffic Anomaly Detection Using Software Defined Networking[C]//Proc of the 14th International Conference on Recent Advances in Intrusion Detection (RAID), 2011:161-180.
[16]	Shin S, Porras P, Yegneswaran V, et al.FRESCO: Modular Composable Security Services for Software-Defined Networks[C]// NDSS, 2013.
[17]	Jose L, Yu M, Rexford J.Online Measurement of Large Traffic Aggregates on Commodity Switches[C]//Proc of the 11th USENIX Conference on Hot Topics in Management of Internet, Cloud, and Enterprise Networks and Services (Hot-ICE), 2011:13-13.
[18]	Braga R, Mota E, Passito A. Lightweight DDoS Flooding Attack Detection Using NOX/OpenFlow[C]//IEEE 35th Conference on Local Computer Networks (LCN), 2010:408-415.
[19]	Shahreza S, Ganjali Y.FleXam: Flexible Sampling Extension for Monitoring and Security Applications in OpenFlow[C]//HotSDN. 2013:167-168.
[20]	Canini M, Venzano D, Peresini P, et al.A NICE way to test OpenFlow applications[C]//Proc. of the 9th USENIX Symp. on Networked Systems Design and Implementation (NSDI), 2012:10.
[21]	Sherwood R, Gibb G, Yap K, et al.Can the production network be the testbed?[C] //Proc. of the 9th USENIX Conf.on Operating Systems Design and Implementation (OSDI), 2010:1-6.
[22]	Porras P, Shin S, Yegneswaran V.A Security Enforcement Kernel for OpenFlow Networks[C]//HotSDN, 2012:121-126.
[23]	Wen X, Chen Y, Hu C.Towards a Secure Controller Platform for OpenFlow Applications[C]//HotSDN, 2013:171-172.
[24]	Foster N, Guha A, Reitblatt M, et al.Languages for Software-Defined Networks[J]. IEEE communications magazine. 2013, 51(2):128-134.