Abstract
Software-defined networking (SDN) radically changes the network architecture by decoupling the control logic from the underlying forwarding devices. This change rejuvenates the network layer, granting centralized management and reprogrammability of the network. From a security perspective, SDN splits security concerns between the control plane and the data plane, and this architectural recomposition brings both opportunities and challenges. The prevailing view is that SDN's capabilities will ultimately improve security. In its raw form, however, SDN can make networks more vulnerable to attack and harder to protect. In this paper, we provide a comprehensive review of the SDN security domain, focusing on the data plane, which is one of the least explored yet most critical aspects of securing this technology. We review the most recent enhancements to SDNs, identify their main vulnerabilities, and propose a novel attack taxonomy for SDNs. We then analyze the challenges involved in protecting the SDN data plane and control plane, examine the available solutions against the identified threats, and point out their limitations. To highlight the importance of securing the SDN platform itself, we also review the many security services built on top of this technology. We conclude the paper with directions for future research.
Notes
1. A Packet_In message is sent by a forwarding device to the controller when a packet matches none of the device's flow rules (a table miss), or when a matching rule explicitly directs the packet to the controller.
2. A Flow_Mod message lets the controller add, modify, or delete flow entries in an OpenFlow switch's flow tables.
3. The aphorism “security through obscurity” suggests that hiding information provides some level of security; on its own it is generally regarded as a weak basis for protection.
4. A link-layer protocol used by network devices to advertise their identity and capabilities to neighbors on a LAN segment.
5. A single point of failure (SPOF) is a part of a system whose failure stops the entire system from functioning.
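As an added illustration of the two OpenFlow messages defined in notes 1 and 2 (example code written for this page, not code from the chapter or from any SDN controller or switch project): decoding a Packet_In, counting table-miss Packet_Ins per ingress port to spot the bursts that an attempt to saturate the controller or the switch's flow table produces, and building the Flow_Mod that installs a drop rule for the offending port. The field layouts are the OpenFlow 1.0 ones as recalled by the author of this example; the detection threshold, the switch identifier and the replayed traffic are constructed assumptions.

```python
"""OpenFlow 1.0 Packet_In decoding, table-miss burst detection, and a Flow_Mod drop rule.

Added example for this page, not code from the chapter or from any SDN project.
Wire layouts follow the OpenFlow 1.0 specification as recalled by the example's
author; the threshold, switch id and replayed traffic are constructed.
"""
import struct
from collections import defaultdict

OFP_VERSION_1_0 = 0x01
OFPT_PACKET_IN = 10          # switch -> controller
OFPT_FLOW_MOD = 14           # controller -> switch
OFPR_NO_MATCH = 0            # Packet_In reason: no flow entry matched (table miss)
OFPR_ACTION = 1              # Packet_In reason: a flow entry sent it to the controller
OFPFC_ADD = 0                # Flow_Mod command: add a flow entry
OFPFW_ALL = (1 << 22) - 1    # wildcard every match field
OFPFW_IN_PORT = 1 << 0       # wildcard bit for the ingress port
OFPP_NONE = 0xFFFF

HEADER = struct.Struct("!BBHI")            # version, type, length, xid
PACKET_IN_BODY = struct.Struct("!IHHBx")   # buffer_id, total_len, in_port, reason, pad


def decode_packet_in(msg: bytes) -> dict:
    """Parse one OFPT_PACKET_IN message; reject anything else with ValueError."""
    if len(msg) < HEADER.size + PACKET_IN_BODY.size:
        raise ValueError("truncated OpenFlow message")
    version, mtype, length, xid = HEADER.unpack_from(msg, 0)
    if version != OFP_VERSION_1_0 or mtype != OFPT_PACKET_IN:
        raise ValueError(f"not an OF1.0 Packet_In (version={version}, type={mtype})")
    if length != len(msg):
        raise ValueError("length field disagrees with message size")
    buffer_id, total_len, in_port, reason = PACKET_IN_BODY.unpack_from(msg, HEADER.size)
    return {"xid": xid, "buffer_id": buffer_id, "total_len": total_len,
            "in_port": in_port, "reason": reason,
            "data": msg[HEADER.size + PACKET_IN_BODY.size:]}


def encode_packet_in(in_port: int, frame: bytes, reason: int = OFPR_NO_MATCH, xid: int = 0) -> bytes:
    """Build a Packet_In the way a switch would; used here only to construct sample traffic."""
    body = PACKET_IN_BODY.pack(0xFFFFFFFF, len(frame), in_port, reason)   # buffer_id = none
    length = HEADER.size + len(body) + len(frame)
    return HEADER.pack(OFP_VERSION_1_0, OFPT_PACKET_IN, length, xid) + body + frame


class PacketInMonitor:
    """Count table-miss Packet_Ins per (switch, in_port) inside a sliding window.

    A burst of never-seen flows from one port is what an attacker generates to
    saturate the controller and fill the flow table; the threshold is a
    constructed assumption and must be tuned per deployment.
    """

    def __init__(self, threshold: int = 100, window_s: float = 1.0):
        self.threshold = threshold
        self.window_s = window_s
        self._seen = defaultdict(list)   # (dpid, in_port) -> arrival timestamps

    def observe(self, dpid: int, msg: bytes, now: float) -> bool:
        """Return True when this Packet_In pushes its ingress port over the threshold."""
        pkt = decode_packet_in(msg)
        if pkt["reason"] != OFPR_NO_MATCH:
            return False   # explicit send-to-controller rules are policy, not misses
        key = (dpid, pkt["in_port"])
        recent = [t for t in self._seen[key] if t >= now - self.window_s] + [now]
        self._seen[key] = recent
        return len(recent) > self.threshold


def drop_rule_for_port(in_port: int, hard_timeout_s: int = 60, xid: int = 0) -> bytes:
    """Build an OF1.0 Flow_Mod (OFPFC_ADD) that drops everything arriving on in_port.

    Only in_port is matched (all other fields wildcarded); a flow entry with no
    actions drops matching packets under OpenFlow 1.0 semantics.
    """
    wildcards = OFPFW_ALL & ~OFPFW_IN_PORT
    match = struct.pack("!IH6s6sHBxHBBxxIIHH", wildcards, in_port, bytes(6), bytes(6),
                        0, 0, 0, 0, 0, 0, 0, 0, 0)                       # 40-byte ofp_match
    body = struct.pack("!QHHHHIHH", 0, OFPFC_ADD, 0, hard_timeout_s,    # cookie, command, timeouts
                       0xFFFF, 0xFFFFFFFF, OFPP_NONE, 0)               # priority, buffer_id, out_port, flags
    length = HEADER.size + len(match) + len(body)
    return HEADER.pack(OFP_VERSION_1_0, OFPT_FLOW_MOD, length, xid) + match + body


def run_sample() -> list:
    """Replay constructed traffic: 5 misses on port 1, then 50 misses on port 7 within one second."""
    mon = PacketInMonitor(threshold=20, window_s=1.0)
    frame = bytes(14)   # stand-in Ethernet header; its contents do not matter to the check
    flagged = set()
    for i in range(5):
        if mon.observe(dpid=1, msg=encode_packet_in(1, frame, xid=i), now=i * 0.1):
            flagged.add(1)
    for i in range(50):
        if mon.observe(dpid=1, msg=encode_packet_in(7, frame, xid=100 + i), now=i * 0.01):
            flagged.add(7)
    return sorted(flagged)


if __name__ == "__main__":
    for port in run_sample():
        rule = drop_rule_for_port(port)
        print(f"port {port}: table-miss burst, drop rule is {len(rule)} bytes of Flow_Mod")
```

Run stand-alone, the sample flags port 7 and reports the size of the Flow_Mod that would be sent; in a real controller those bytes go to the switch over the controller channel, and the rule's hard timeout bounds how long a false positive blocks a port. Malformed messages make decode_packet_in raise ValueError rather than being silently counted, so the caller, not the monitor, decides how to treat a switch that sends garbage.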
Yin, H., Xie, H., Tsou, T., Lopez, D., Aranda, P., & Sidi, R. (2012). SDNi: A message exchange protocol for software defined networks (SDNS) across multiple domains. IETF Draft, Work in Progress.
Yoon, C., Lee, S., Kang, H., Park, T., Shin, S., Yegneswaran, V., et al. (2017). Flow wars: Systemizing the attack surface and defenses in software-defined networks. IEEE/ACM Transactions on Networking, 25(6), 3514–3530.
Yoon, C., Park, T., Lee, S., Kang, H., Shin, S., & Zhang, Z. (2015). Enabling security functions with SDN: A feasibility study. Computer Networks, 85, 19–35.
YuHunag, C., MinChi, T., YaoTing, C., YuChieh, C., & YanRen, C. (2010). A novel design for future on-demand service and security. In 2010 12th IEEE International Conference on Communication Technology (ICCT) (pp. 385–388). Piscataway, NJ: IEEE.
Zaalouk, A., Khondoker, R., Marx, R., & Bayarou, K. M. (2014). OrchSec: An orchestrator-based architecture for enhancing network-security using network monitoring and SDN control functions. In 2014 IEEE International Conference on Network Operations and Management Symposium (NOMS) (pp. 1–9). Piscataway, NJ: IEEE.
Zerkane, S., Espes, D., Le Parc, P., & Cuppens, F. (2016). Software defined networking reactive stateful firewall. In IFIP International Information Security and Privacy Conference (pp. 119–132). Berlin: Springer.
Zerkane, S., Espes, D., Le Parc, P., & Cuppens, F. (2016). Vulnerability analysis of software defined networking. In International Symposium on Foundations and Practice of Security (pp. 97–116). Berlin: Springer.
Zhang, P., Li, H., Hu, C., Hu, L., & Xiong, L. (2016). Stick to the script: Monitoring the policy compliance of SDN data plane. In 2016 ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS) (pp. 81–86). Piscataway, NJ: IEEE.
Zhang, P., Li, H., Hu, C., Hu, L., Xiong, L., Wang, R., et al. (2016). Mind the gap: Monitoring the control-data plane consistency in software defined networks. In Proceedings of the 12th International on Conference on Emerging Networking Experiments and Technologies (pp. 19–33). New York, NY: ACM.
Zhang, P., Xu, S., Yang, Z., Li, H., Li, Q., Wang, H., et al. (2018). FOCES: Detecting forwarding anomalies in software defined networks. In 2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS) (pp. 830–840). Piscataway, NJ: IEEE.
Zhang, P., Zhang, C., & Hu, C. (2017). Fast testing network data plane with RuleChecker. In 2017 IEEE 25th International Conference on Network Protocols (ICNP) (pp. 1–10). Piscataway, NJ: IEEE.
Zhang, X., Jain, A., & Perrig, A. (2008). Packet-dropping adversary identification for data plane security. In Proceedings of the 2008 ACM CoNEXT Conference (p. 24). New York, NY: ACM.
Zhang, Z.-K., Cho, M. C. Y., Wang, C.-W., Hsu, C.-W., Chen, C.-K., & Shieh, S. (2014). IoT security: Ongoing challenges and research opportunities. In 2014 IEEE 7th International Conference on Service-Oriented Computing and Applications (SOCA) (pp. 230–234). Piscataway, NJ: IEEE.
Zhou, Y., Chen, K., Zhang, J., Leng, J., & Tang, Y. (2018). Exploiting the vulnerability of flow table overflow in software-defined network: Attack model, evaluation, and defense. Security and Communication Networks, 2018, 4760632.
Zhu, S., Bi, J., Sun, C., Wu, C., & Hu, H. (2015). SDPA: Enhancing stateful forwarding for software-defined networking. In 2015 IEEE 23rd International Conference on Network Protocols (ICNP) (pp. 323–333). Piscataway, NJ: IEEE.
Acknowledgements
We acknowledge the useful comments offered by Sandra Scott-Hayward (Queen’s University Belfast, UK) for improving this paper. Arash Shaghaghi acknowledges the Cloud Computing and Distributed Systems Laboratory for hosting his visit at the University of Melbourne, Australia.
© 2020 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Shaghaghi, A., Kaafar, M.A., Buyya, R., Jha, S. (2020). Software-Defined Network (SDN) Data Plane Security: Issues, Solutions, and Future Directions. In: Gupta, B., Perez, G., Agrawal, D., Gupta, D. (eds) Handbook of Computer Networks and Cyber Security. Springer, Cham. https://doi.org/10.1007/978-3-030-22277-2_14
DOI: https://doi.org/10.1007/978-3-030-22277-2_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-22276-5
Online ISBN: 978-3-030-22277-2
eBook Packages: Computer Science, Computer Science (R0)