Abstract:While the centralization of SDN brought advantages such as a faster pace of innovation, it also disrupted some of the natural defenses of traditional architectures against different threats. The literature on SDN has mostly been concerned with the functional side, despite some specific works concerning non-functional properties like 'security' or 'dependability'. Though addressing the latter in an ad-hoc, piecemeal way, may work, it will most likely lead to efficiency and effectiveness problems. We claim that the enforcement of non-functional properties as a pillar of SDN robustness calls for a systemic approach. As a general concept, we propose ANCHOR, a subsystem architecture that promotes the logical centralization of non-functional properties. To show the effectiveness of the concept, we focus on 'security' in this paper: we identify the current security gaps in SDNs and we populate the architecture middleware with the appropriate security mechanisms, in a global and consistent manner. Essential security mechanisms provided by anchor include reliable entropy and resilient pseudo-random generators, and protocols for secure registration and association of SDN devices. We claim and justify in the paper that centralizing such mechanisms is key for their effectiveness, by allowing us to: define and enforce global policies for those properties; reduce the complexity of controllers and forwarding devices; ensure higher levels of robustness for critical services; foster interoperability of the non-functional property enforcement mechanisms; and promote the security and resilience of the architecture itself. We discuss design and implementation aspects, and we prove and evaluate our algorithms and mechanisms, including the formalisation of the main protocols and the verification of their core security properties using the Tamarin prover.

What problem does this paper attempt to address?

The problem that this paper attempts to solve is how to effectively achieve the logical centralized management of non - functional properties (such as security, reliability, quality of service, etc.) in Software - Defined Networking (SDN). Specifically, the paper points out that although SDN brings higher flexibility and programmability by decoupling the control plane from the data plane, which promotes rapid innovation, this decoupling also destroys some natural defense mechanisms in the traditional network architecture, introduces new attack vectors, and changes the threat surface. In particular, the security problem of SDN has become particularly prominent because the current SDN architecture lacks a systematic, top - down approach to enforce non - functional properties. The main contributions of the paper include: 1. **Logical Centralization Concept**: Proposed a logically centralized architecture for managing and implementing non - functional properties in SDN. 2. **Architecture Framework**: Designed a middleware - based architecture framework, which consists of a central "anchor" and local "hooks" in the controller and devices to ensure the implementation of these properties. 3. **Gap Analysis in the Security Field**: Through case studies in the security field, analyzed the obstacles in the process of implementing non - functional properties, such as security performance gaps, complexity - robustness gaps, global security policy gaps, and resilient root - of - trust gaps. 4. **Design and Implementation of Mechanisms and Algorithms**: Defined, designed, and implemented the mechanisms and algorithms required to fill these gaps in order to achieve a reliable and efficient logically centralized security architecture. 5. **Implementation of Strong Properties**: Achieved strong properties such as post - quantum security, perfect forward secrecy, and post - compromise recovery. 6. **Formal Verification of Protocols**: Formalized the main protocols using symbolic models and verified their core security properties using the Tamarin verifier. 7. **Mechanism Evaluation**: Evaluated the proposed mechanisms and demonstrated the advantages compared to existing SDN security schemes. In summary, this paper aims to solve the challenges of non - functional property management in SDN through a logically centralized architecture, especially in terms of security, and provides a more efficient and robust solution.

ANCHOR: logically-centralized security for Software-Defined Networks

Guarding the Perimeter of Cloud-Based Enterprise Networks: an Intelligent SDN Firewall

Design and analysis of a robust security layer for software defined network framework

SDN Oriented Software-Defined Security Architecture

Trust Anchors in Software Defined Networks

Security in Software-Defined Networking: Threats and Countermeasures

A Comprehensive Security Architecture for SDN.

A Policy based Security Architecture for Software Defined Networks

SecSDN-Cloud: Defeating Vulnerable Attacks Through Secure Software-Defined Networks

Software‐defined networking security for private data center networks and clouds: Vulnerabilities, attacks, countermeasures, and solutions

SDNShield: Towards More Comprehensive Defense Against DDoS Attacks on SDN Control Plane

Software-Defined Network (SDN) Data Plane Security: Issues, Solutions and Future Directions

DESIGN AND DEVELOPMENT OF SECURE AND SUSTAINABLE SOFTWARE DEFINED NETWORKS

Security Evaluation in Software-Defined Networks

Modeling Software Defined Security Using Multi-Level Security Mechanism for SDN Environment

A Software-Defined Architecture for Integrating Heterogeneous Space and Ground Networks

The KISS principle in Software-Defined Networking: An architecture for Keeping It Simple and Secure

SD-Access: Practical Experiences in Designing and Deploying Software Defined Enterprise Networks

Enhancing security in SDN: Systematizing attacks and defenses from a penetration perspective

Validating User Flows to Protect Software Defined Network Environments

Enhancing Network Security through Software Defined Networking (SDN)