Abstract
SDN-based NFV technologies improve the dependability and resilience of networks by enabling administrators to spawn and scale up traffic management and security services in response to dynamic network conditions. In practice, however, SDN-based NFV services often suffer from poor performance and require complex configuration because network packets must be ‘detoured’ to each virtualized security service, which consumes bandwidth and increases network propagation delay. To address these challenges, we propose a new SDN-based data plane architecture called DPX that natively supports security services as a set of abstract security actions, which are then translated into OpenFlow rule sets. The DPX action model reduces the redundant processing caused by repeated packet parsing and gives administrators a simpler (and less error-prone) method for configuring security services in the network. DPX also makes enforcing complex security policies more efficient by introducing a novel technique called action clustering, which aggregates the security actions of multiple flows into a small number of synthetic rules. We present an implementation of DPX in hardware using NetFPGA-SUME and in software using Open vSwitch. We evaluated the performance of the DPX prototype and the efficacy of its flow-table simplifications against a range of complex network policies at line rates of 10 Gbps. We find that DPX imposes minimal overheads in terms of latency (≈0.65 ms in hardware and ≈1.2 ms in software on average) and throughput (≈1% of simple forwarding in hardware and ≈10% in software for non-DPI security services). This translates to an improvement of 30% over traditional NFV services in the software implementation and 40% in hardware.
Acknowledgement
KAIST was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No.2018-0-00254, SDN security technology development). SRI International was supported by the National Science Foundation (NSF) award no. 1642150.
© 2019 Springer Nature Switzerland AG
Park, T. et al. (2019). DPX: Data-Plane eXtensions for SDN Security Service Instantiation. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2019. Lecture Notes in Computer Science(), vol 11543. Springer, Cham. https://doi.org/10.1007/978-3-030-22038-9_20
DOI: https://doi.org/10.1007/978-3-030-22038-9_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-22037-2
Online ISBN: 978-3-030-22038-9