Conferences >2016 IEEE NetSoft Conference ...

Securing data planes in software-defined networks

Download PDF
Download References
Request Permissions
Save to
Alerts

Abstract:

Ensuring correct data-plane operations is an integral part of securing software-defined networks (SDN). This paper explores practical solutions for localizing and mitigat...Show More

Metadata

Abstract:

Ensuring correct data-plane operations is an integral part of securing software-defined networks (SDN). This paper explores practical solutions for localizing and mitigating malicious switches that disobey installed flow rules. Our main insight is that the flexible and proactive nature of SDNs enables efficient defense against realistic adversaries who can collude and report falsified information in addition to manipulating packet forwarding decisions. In contrast, previous proposals either assume a simple threat model or require expensive cryptographic operations even during peacetime. To systematically explore the design space, we study three complementary techniques for data-plane security, that is, active probing, statistics checking, and packet obfuscation. This paper presents the initial design and implementation of our data-plane security system and highlight potential research challenges.

Published in: 2016 IEEE NetSoft Conference and Workshops (NetSoft)

Date of Conference: 06-10 June 2016

Date Added to IEEE Xplore: 04 July 2016

Electronic ISBN:978-1-4673-9486-4

DOI: 10.1109/NETSOFT.2016.7502486

Conference Location: Seoul, Korea (South)

References is not available for this document.

Contents

I. Introduction

Ensuring correct data-plane operations is challenging even without malicious devices (e.g., routers or switches) in the networks. The presence of malicious devices exacerbates the problem; they can behave stealthily to evade detection and even incriminate benign entities by reporting falsified information. As more and more vulnerable routers and switches are exploited to launch attacks (such as denial of service or hijacking traffic), it is imperative to study how to secure data planes against compromised in-network devices.

Select All

P. Kazemian, M. Change and H. Zheng, "Real Time Network Policy Checking Using Header Space Analysis", USENIX NSDI, 2013.

Google Scholar

H. Zeng, P. Kazemian, G. Varghese and N. McKeown, "Automatic Test Packet Generation", IEEE/ACM Transactions on Networking, vol. 22, pp. 554-566, 2014.

View Article

Google Scholar

C. Fung and C. Fung, "FlowMon: Detecting Malicious Switches in Software-Defined Networks", SafeConfig, 2015.

Google Scholar

P.-W. Chi, C.-T. Kuo, C.-L. Lei and J.-W. Guo, "How to detect a compromised sdn switch", IEEE NetSoft, 2015.

Google Scholar

X. Zhang, C. Lan and A. Perrig, "Secure and Scalable Fault Localization under Dynamic Traffic Patterns", IEEE S&P, 2012.

View Article

Google Scholar

X. Zhang, Z. Zhou, H.-C. Hsiao, T.H.-J. Kim, A. Perrig and P. Tague, "ShortMAC: Efficient Data-Plane Fault Localization", NDSS, 2012.

Google Scholar

T. Kim, C. Basescu, L. Jia, S. B. Lee, Y.-C. Hu and A. Perrig, "Lightweight Source Authentication and Path Validation", ACM SIGCOMM, 2014.

CrossRef Google Scholar

"SDN switches aren't hard to compromise researcher says", [online] Available: http://www.networkworld.com/article/2956777/security/sdn-switches-arent-hard-to-compromise-researcher-says.html.

Google Scholar

"NSA Laughs at PCs Prefers Hacking Routers and Switches", [online] Available: http://www.wired.com/2013/09/nsa-router-hacking/.

Google Scholar

10.

S. Matsumoto, S. Hitz and A. Perrig, "Fleet: Defending SDNs from Malicious Administrators", ACM HotSDN, 2014.

CrossRef Google Scholar

11.

R. P. Dilworth, "A decomposition theorem for partially ordered sets", Annals of Mathematics, pp. 161-166, 1950.

CrossRef Google Scholar

12.

C. Berge, "Two theorems in graph theory", Proceedings of the National Academy of Sciences of the United States of America, vol. 43, no. 9, pp. 842, 1957.

CrossRef Google Scholar

13.

J. E. Hoperoft and R. M. Karp, "An n^5/2 algorithm for maximum matchings in bipartite graphs", SIAM Journal on computing, vol. 2, no. 4, pp. 225-231, 1973.

CrossRef Google Scholar

14.

"Rocketfuel", [online] Available: http://research.cs.washington.edu/networking/rocketfuel/.

Google Scholar

15.

H. Mai, A. Khurshid, R. Agarwal, M. Caesar, P. B. Godfrey and S. T. King, "Debugging the data plane with anteater", ACM SIGCOMM Computer Communication Review, vol. 41, pp. 290, 2011.

CrossRef Google Scholar

16.

A. Khurshid, W. Zhou, M. Caesar and P. Godfrey, "Veriflow: verifying network-wide invariants in real time", ACM SIGCOMM Computer Communication Review, vol. 42, no. 4, pp. 467-472, 2012.

CrossRef Google Scholar

17.

P. Porras, S. Shin, V. Yegneswaran, M. Fong, M. Tyson and G. Gu, "A security enforcement kernel for OpenFlow networks", ACM HotSDN, 2012.

CrossRef Google Scholar

18.

N. Handigol, B. Heller, V. Jeyakumar, D. Maziéres and N. McKeown, "Where is the debugger for my software-defined network?", ACM HotSDN, 2012.

CrossRef Google Scholar

19.

J. R. Ballard, I. Rae and A. Akella, "Extensible and scalable network monitoring using opensafe", INM/WREN, 2010.

Google Scholar

20.

N. L. Van Adrichem, C. Doerr, F. Kuipers et al., "Opennetmon: Network monitoring in openflow software-defined networks", IEEE NOMS, 2014.

View Article

Google Scholar

21.

S. R. Chowdhury, M. F. Bari, R. Ahmed and R. Boutaba, "Payless: A low cost network monitoring framework for software defined networks", IEEE NOMS, 2014.

CrossRef Google Scholar

22.

I. Avramopoulos and J. Rexford, "Stealth Probing: Efficient Data-Plane Security for IP Routing", USENIX ATC, 2006.

Google Scholar

23.

N. Mowla, I. Doh, K. Chae et al., "An efficient defense mechanism for spoofed IP attack in SDN based CDNi", ICOIN, 2015.

View Article

Google Scholar

References is not available for this document.

MIT Libraries

MIT Libraries

Securing data planes in software-defined networks

Abstract:

Metadata

Abstract:

I. Introduction

References

IEEE Account

Purchase Details

Profile Information

Need Help?

MIT Libraries

MIT Libraries

Securing data planes in software-defined networks

Alerts

Abstract:

Metadata

Abstract:

I. Introduction

References