Photonic Network Communications, Volume 37, Issue 1, pp 1–23

Security in OpenFlow-based SDN, opportunities and challenges

  • Jaouad Benabbou
  • Khalid Elbaamrani
  • Noureddine Idboufker
Original Paper


The SDN paradigm profoundly changes network architecture, making networks more adaptable to the needs of new value-added services. This article examines the positive and negative impacts of that change on network security. While few in-depth studies have attempted to cover this issue comprehensively, we first define the most relevant axes of analysis for this concept, namely availability, access control and application-service-oriented security. Along these axes, and against the state of the art in security, we analyze a number of studies that have addressed the issue by proposing solutions based on the OpenFlow specification, with the aim of highlighting the real opportunities and the real challenges that this new concept brings to network security.


Keywords: Security; SDN; OpenFlow; Availability; Access control; Recovery



Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2018

Authors and Affiliations

  1. Network and Telecommunication Department, ENSA Marrakech, Cadi Ayyad University, Marrakech, Morocco
