Computer Science, 2021, Vol. 48, Issue (3): 295-306. doi: 10.11896/jsjkx.200300119

• Information Security

Survey on Software Defined Networks Security

DONG Shi

  1. School of Computer Science and Technology, Zhoukou Normal University, Zhoukou, Henan 466001, China
  • Received: 2020-03-20  Revised: 2020-08-30  Online: 2021-03-15  Published: 2021-03-05
  • About author: DONG Shi, born in 1980, Ph.D, professor, is a member of China Computer Federation. His main research interests include distributed computing and network management.
  • Supported by: Key Science and Technology Program of Henan Province, China (192102210125).

Abstract: Software-defined networking (SDN) is a new network architecture that separates the network control plane from the data plane through OpenFlow technology, so that network traffic can be controlled flexibly. SDN has become a hot topic in the next generation of the Internet. With the development and wide application of SDN, its security problems have become an important research topic, and domestic and foreign scholars have made some achievements in recent years. Based on the three-layer architecture of SDN, this paper summarizes the security problems and solutions of each layer. Firstly, the definition and three frameworks of SDN are presented; then security issues and corresponding solutions are outlined for the data layer, the control layer and the application layer; next, the similarities and differences between the security of traditional networks and SDN are discussed; and finally, future research challenges are proposed.

Key words: Application plane, Control plane, Data plane, OpenFlow, Software defined networks

CLC Number: TP391