Gao Wen,Zhou Boyang,Wu Chunming,Zhou Haifeng,Jiang Ming,Hong Xiaoyan

DOI: https://doi.org/10.1049/cje.2015.07.035

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:In the Software-defined networking（SDN）,when multiple control domains are used in control services,the transient state problem can occur causing the service flow interruption when border switches are updated asynchronously. We analyze the uniqueness of this problem for SDN, and propose a light-weight protocol for safe reconfiguration of the border switches in order to improve the availability of the services running in SDN. Our solution is designed as a generic supervision layer added in the control plane to support different types of services. To demonstrate the benefits, we implement a prototype of Informationcentric networks（ICN） with the protocol, and conduct experiments using Planet Lab. The results show the ICN service can continuously serve high volume requests for contents despite the congestions built by the heavy background traffic. The performance gains in terms of the mean and standard deviation of the content retrieve delay are40.5% and 21.56%.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Zhou Boyang,Wu Chunming,Gao Wen,Hong Xiaoyan,Jiang Ming,Chen Shuangxi

DOI: https://doi.org/10.1109/cc.2015.7315065

2015-01-01

China Communications

Abstract:When applying Software-Defined Networks (SDN) to WANs, the SDN flexibility enables the cross-domain control to achieve a better control scalability. However, the control consistence is required by all the cross-domain services, to ensure the data plane configured in consensus for different domains. Such consistence process is complicated by potential failure and errors of WANs. In this paper, we propose. a consistence layer to actively and passively snapshot the cross-domain control states, to reduce the complexities of service realizations. We implement the layer and evaluate performance in the PlanetLab testbed for the WAN emulation. The testbed conditions are extremely enlarged comparing to the real network. The results show its scalability, reliability and responsiveness in dealing with the control dynamics. In the normalized results, the active and passive snapshots are executed with the mean times of 1.873s and 105ms in 135 controllers, indicating its readiness to be used in the real network.

Shaoke Xi,Kai Bu,Wensen Mao,Xiaoyu Zhang,Kui Ren,Xinxin Ren

DOI: https://doi.org/10.1109/tnet.2022.3194970

2023-01-01

IEEE/ACM Transactions on Networking

Abstract:Reliable Software-Defined Networking (SDN) should mitigate forwarding anomalies due to cross-plane rule inconsistencies. Most existing countermeasures either inject probe packets to infer forwarding correctness or collect packet traces to detect forwarding anomalies. They, however, cannot detect or filter forwarding anomalies for production packets in real time. In this paper, we propose RuleOut as the first attempt to automatically throttle SDN forwarding anomalies. It disambiguates dependent rules via augmenting their matching fields with unique tags. Leveraging source routing, we further bind each packet with the tag sequence corresponding to rules the packet should match. RuleOut thus renders each packet to match at most one rule on each switch. This completely addresses the root cause of forwarding ambiguity. To implement RuleOut, we develop a non-overlapping rule dependency graph, a series of algorithms for incremental rule update and tag generation upon it, and various optimization techniques toward scalability and efficiency. We prototype RuleOut on the Ryu controller and Open vSwitch and evaluate its performance over public rule sets such as Stanford, Internet2, and Airtel1. RuleOut can use tags of only several bits long to disambiguate thousands to millions of rules and generate tags fairly fast within a few milliseconds.

Qi Li,Yanyu Chen,Patrick P. C. Lee,Mingwei Xu,Kui Ren

DOI: https://doi.org/10.1109/tnet.2018.2853593

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:Software-defined networking (SDN) utilizes a centralized controller to distribute packet processing rules to network switches. However, rules are often generated by the applications developed by different organizations, so they may conflict with each other in data plane and lead to violations with security rules. The problem is similar to firewall conflicts in IP networks. Rule conflict resolution should incur negligible process delay, such that all rules can he correctly and safely enforced in the data plane in real time. However, since SDN allows users to use more than 35 fields to specify rules (including field transition rules), it is much more complicated to prevent enforcement of SDN rules from violating with security rules than to resolve firewall rule violation, and in particular, field transition rules are enforced. Therefore, it is extremely difficult to resolve such rule conflicts in real time before the rules are installed in SDN data plane. In this paper, we investigate the rule conflict problem in SDN and identify new covert channel attacks due to rule conflicts. To the end, we propose the covert channel defender (CCD) that prevents covert channel attacks by verifying and resolving rule conflicts. Specifically, CCD tracks all rule insertion and modification messages from applications running on the controller. It analyzes the correlation among rules based on multiple packet header fields and resolves any identified rule conflict in real time before rule installation. We implement CCD with the Floodlight controller and evaluate its performance with the real-world Stanford topology. We show that CCD can efficiently detect and prevent rule conflicts in the data plane that may raise covert channels within hundreds of microseconds and brings small overhead to the packet delivery.

Peng Zhang,Hui Wu,Dan Zhang,Qi Li

DOI: https://doi.org/10.1109/tnet.2020.2977006

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:Software defined networking (SDN) reshapes the ossified network architectures, by decoupling the control plane and data plane. Due to such a decoupling, SDN assumes that rules issued by the control plane are always correctly enforced by the data plane. However, this assumption breaks as an adversary can prevent the data plane from enforcing the rules, by exploiting the vulnerabilities of switch OS and control channel. The serious consequence is that packets may deviate from their original paths, thereby violating critical security policies like access control. To this end, this paper introduces rule enforcement verification (REV), which enables the controller to check whether switches have correctly enforced the rules that it issues. Since using message authentication code (MAC) can incur heavy switch-to-controller traffic, we propose the compressive MAC, which lets switches compress MACs before reporting to the controller, thereby significantly reducing the bandwidth cost. Finally, we propose a heuristic flow selection algorithm, which allows the controller to verify much less flows for rule coverage. We implement REV based on Open vSwitch with DPDK, and use experiments to show: (1) by using compressive MAC, REV achieves a 97% reduction in switch-to-controller traffic, and an $8\times $ increase in verification throughput; (2) by using the heuristic flow selection algorithm, REV can reduce the number of flows to verify by 40%-60%.

Yunfei Meng,Changbo Ke,Zhiqiu Huang

DOI: https://doi.org/10.1016/j.cose.2024.103850

IF: 5.105

2024-04-19

Computers & Security

Abstract:Software-defined networking (SDN) has been utilized to enforce the security of traditional networks. However, the existing SDN-based security enforcement mechanisms rely heavily on the security policies containing the underlying information of data plane, such as MAC address, IP address or switch ports. These security policies need to be specifically developed by network operators and loaded into the control plane manually. With increasing the scale of underlying network, the existing security policy management mechanisms confront more and more challenges. The security policy transformation for SDN networks is to research how to transform the high-level security policy without containing the underlying information into the practical flow entries used by Openflow switches automatically, thereby implementing the automatic management of security policies. To achieve this objective, we propose a model transformation based security policy automatic management framework for software-defined networking in this paper. Leveraging its functional modules, the framework can solve the problems of how to find a connected path for each access control rule of security policy model (SPM) in data plane, how to transform the connected path into the system model of flow entries, as well as how to generate the practical flow entries according to the system model of flow entries. In order to validate the effectiveness and performance of framework, we implement the framework by leveraging POX controller and Mininet emulator. The experimental results illustrate the framework can transform SPM into practical flow entries, synchronously perceive the modifications caused by cutting down one connected path or changing SPM, and continuously keep the data plane holding the security properties defined by SPM at runtime.

computer science, information systems

Kai Bu,Xitao Wen,Bo Yang,Yan Chen,Li Erran Li,Xiaolin Chen

DOI: https://doi.org/10.1109/infocom.2016.7524333

2016-01-01

Abstract:Software-Defined Networking (SDN) promises un-precedentedly flexible network management but it is susceptible to forwarding faults. Such faults originate from data-plane rules with missing faults and priority faults. Yet existing fault detection ignores priority faults because they are not discovered on commercial switches until recently. In this paper, we present RuleScope, a more comprehensive solution for inspecting SDN forwarding. RuleScope offers a series of accurate and efficient algorithms for detecting and troubleshooting rule faults. They inspect forwarding behavior using customized probe packets to exercise data-plane rules. The detection algorithm exposes not only missing faults but also priority faults. Beyond simply detecting rule faults, the troubleshooting algorithms uncover actual data-plane flow tables. They help track real-time forwarding status and benefit reliable network monitoring. We explore various techniques for enhancing algorithm efficiency without sacrificing inspection accuracy. Experiments with our prototype on the Ryu SDN controller and Pica8 P-3297 switch show that RuleScope achieves accurate and efficient forwarding inspection with limited bandwidth and packet-switching overhead.

Jiaqiang Liu,Yong Li,Huandong Wang,Depeng Jin,Li Su,Lieguang Zeng,Thanos Vasilakos

DOI: https://doi.org/10.1016/j.ins.2015.08.019

IF: 8.1

2015-01-01

Information Sciences

Abstract:Network operators employ a variety of security policies for protecting the data and services. However, deploying these policies in traditional network is complicated and security vulnerable due to the distributed network control and lack of standard control protocol. Software-defined network provides an ideal paradigm to address these challenges by separating control plane and data plane, and exploiting the logically centralized control. In this paper, we focus on taking the advantage of software-defined networking for security policies enforcement. We propose a two layer OpenFlow switch topology designed to implement security policies, which considers the limitation of flow table size in a single switch, the complexity of configuring security policies to these switches, and load balance among these switches. Furthermore, we introduce a safe way to update the configuration of these switches one by one for better load balance when traffic distribution changes. Specifically, we model the update process as a path in a graph, in which each node represents a security policy satisfied configuration, and each edge represents a single step of safely update. Based on this model, we design a heuristic algorithm to find an optimal update path in real time. Simulations of the update scheme show that our proposed algorithm is effective and robust under an extensive range of conditions.

Lei Wang,Qing Li,Yong Jiang,Yu Wang,Richard Sinnott,Jianping Wu

DOI: https://doi.org/10.1016/j.comnet.2018.07.027

IF: 5.493

2018-01-01

Computer Networks

Abstract:Software Defined Networking (SDN) enables network innovation and brings flexibility by separation of the control and data planes and logically centralized control. However, this network paradigm complicates flow rule management. Current approaches generally install rules reactively after table misses or pre-installs them by flow prediction. Such approaches consume nontrivial network resources during interactions between the controller and switches (especially for maintaining consistency). In this paper, we explore an intelligent rule management scheme (IRMS), which extends the one-big-switch model and employs a hybrid rule management approach. To achieve this, we first transform all rules into path-based and node-based rules. Path-based rules are pre-installed whilst the paths for flows are selected at the edge switches of the network. To maintain consistency of forwarding paths, we update path-based rules as a whole and employ a lazy update policy. Node-based rules are optimally partitioned into disjoint chunks by an intelligent partition algorithm and organized hierarchically in the flow table. In this way, we significantly reduce the interaction cost between the control and data planes. This scheme enforces an efficient sliding window policy to enhance the hit rate for the installed chunks. We evaluate our scheme by comprehensive experiments. The results show that IRMS reduces the total flow entries by more than 71% on average and the update time by over 56%. IRMS also reduces the flow setup requests by more than one order of magnitude.

Jie Cui,Sheng Zhou,Hong Zhong,Yan Xu,Kewei Sha

DOI: https://doi.org/10.1109/ICCCN.2018.8487415

2018-01-01

Abstract:Software-defined Networking (SDN) brings new vitality to traditional network technology as its nice property of network programmability makes our network more open and flexible. By using interfaces of SDN controllers, different applications with diverse network functions can deploy their needed flow rules into SDN switches. However, some of these flow rules would probably produce conflicts that result in invalidation of network functions and cause security issues. To address this issue, we design a novel approach, Transaction-based flow rule Conflict Detection and Resolution (TCDR), which can isolate the flow rules of different network functions to avoid interference between different network functions. Meanwhile, our proposed method introduces a transaction-based authentication to guarantee the legality of flow rules. Finally, we implement a prototype of our solution, and evaluate its effectiveness and efficiency. The performance evaluation shows that TCDR can reject illegal flow rules and avoid many flow rule conflicts with a small overhead.

Kai Bu,Yutian Yang,Zixuan Guo,Yuanyuan Yang,Xing Li,Shigeng Zhang

DOI: https://doi.org/10.1016/j.comnet.2021.108099

IF: 5.493

2021-01-01

Computer Networks

Abstract:Software-Defined Networking (SDN) greatly simplifies middlebox policy enforcement. Middleboxes need tag packet headers to avoid forwarding ambiguity on SDN switches. In this paper, we present a new attack, called middlebox-bypass attack, to breach SDN-based middlebox policy enforcement. Such an attack manipulates a compromised switch to locally tag attacking packets without handing them over to the attached middlebox for inspection. Existing SDN security solutions, however, cannot detect the middlebox-bypass attack under practical constraints of efficiency, robustness, and applicability. We design and implement FlowCloak, the first protocol for per-packet real-time detection and prevention of middlebox-bypass attacks. FlowCloak enables middleboxes to generate tags that are probabilistically unknown to an attacker and confines it to only random guessing. We propose a multi-tag verification technique to address the tradeoff between FlowCloak robustness and TCAM usage by tag verification rules on the egress switch. Experiment results show that dozens of verification rules can confine the attacking probability under 0.1%. We further explore implementation techniques of packet looping and field swapping that can enable a flow table pipeline on a single TCAM and mitigate packet correlation, respectively. FlowCloak imposes only a 0.01 ms packet processing delay on middleboxes and no obvious delay on the egress switch.

Xue Leng,Kaiyu Hou,Yan Chen,Kai Bu,Libin Song

DOI: https://doi.org/10.1016/j.comnet.2019.05.022

2018-01-01

Abstract:SDN-based cloud has the merit of allowing more flexibility in network management, however, the security of network accessing and the correctness of network configuration in SDN-based cloud have not been effectively addressed yet. In this paper, SDNKeeper, a generic and fine-grained policy enforcement system in SDN-based cloud is proposed, which can defend against unauthorized attacks and avoid network resource misconfiguration. With the usage of SDNKeeper, numerous flexible network management policies can be created by administrators, which give administrators the discretionary room on controlling the network resources. To be specific, SDNKeeper can reject any unauthorized network access request at Northbound Interface (NBI), which located between application plane and control plane. Moreover, compared with other traditional policy-based access control systems, SDNKeeper is totally application-transparent and lightweight, which is easy to implement, deploy and runtime configure. Based on the prototype implementation and evaluation, we conclude that SDNKeeper can perform access control accurately with negligible computation overhead whilst the throughput degradation is still within the acceptable range.

Qing Li,Kun Zhao,Yong Jiang,Mingwei Xu,Shu-Tao Xia

DOI: https://doi.org/10.1016/j.comnet.2015.09.025

IF: 5.493

2015-01-01

Computer Networks

Abstract:In Software Defined Networks (SDN), the configuration inconsistency during updates is one main source of network instability. Even if the validity of the initial and final configurations is guaranteed, the interim complex and inconstant network states might cause routing conflicts and transmission disruption. Therefore, an efficient updating scheme with configuration consistency is required. Current schemes well guarantee the packet-level consistent update, but perform poorly for the flow-level case. In this paper, we present a Smart Approach of Rule Division (SARD) for fast flow-level consistent update in SDN. We first provide a simplified mathematical model of the network. Based on this model, we then propose SARD to guarantee the flow-level consistency during configuration updates. In SARD, the controller (1) collects the information of existing flows; (2) computes K optimal prefixes covering these flows, meanwhile with the minimized space; (3) installs the new rule and K old sub-rules with lower and higher priorities respectively. SARD preserves the flow-level consistent property and accelerates the process of configuration update in SDN. We evaluate the performance of SARD by comprehensive experiments. The results show that our scheme reduces the transition time to about 10% of the current method of periodical direct division.

Dingmin Wang,Qing Li,Lei Wang,Richard O. Sinnott,Yong Jiang

DOI: https://doi.org/10.1109/infcomw.2017.8116383

2017-01-01

Abstract:Software Defined Networks (SDN) enables flexible flow control by installing policy rules into switches. However, one of the challenges is the dependencies between rules, which is generated due to the rules overlapping in filed space with different priorities. To keep the forwarding correctness and avoid complicated scenarios caused by the asynchronous removal, controllers usually adopt a hard timeout mechanism. However, such mechanism is inflexible for evolving and dynamic network flows. A large timeout may waste the switch memory, while a short timeout may cause multiple requests (Packet-in events) to occur for the same flow. To handle such rule dependencies flexibly, we propose a hybrid timeout mechanism. When a table miss occurs, we adaptively assign an idle timeout to the table-miss flow rule, and dependent rules are assigned with no timeout, which allow them to be removed using a proactive eviction strategy. We conduct extensive experiments using real packet traces from data centers. The experimental results show that our hybrid mechanism significantly reduces the number of table misses and the flow table occupation, while adapting quickly to changes of network flows.

Yunfei Meng,Changbo Ke,Zhiqiu Huang,Guohua Shen,Chunming Liu,Xiaojie Feng

DOI: https://doi.org/10.48550/arXiv.2301.03790

2023-01-10

Cryptography and Security

Abstract:Software-defined networking (SDN) has been widely utilized to enforce the security of traditional networks, thereby promoting the process of transforming traditional networks into SDN networks. However, SDN-based security enforcement mechanisms rely heavily on the security policies containing the underlying information of data plane. With increasing the scale of underlying network, the current security policy management mechanism will confront more and more challenges. The security policy transformation for SDN networks is to research how to transform the high-level security policy without containing the underlying information of data plane into the practical flow entries used by the OpenFlow switches automatically, thereby implementing the automation of security policy management. Based on this insight, a practical runtime security policy transformation framework is proposed in this paper. First of all, we specify the security policies used by SDN networks as a system model of security policy (SPM). From the theoretical level, we establish the system model for SDN network and propose a formal method to transform SPM into the system model of flow entries automatically. From the practical level, we propose a runtime security policy transformation framework to solve the problem of how to find a connected path for each relationship of SPM in the data plane, as well as how to generate the practical flow entries according to the system model of flow entries. In order to validate the feasibility and effectiveness of the framework, we set up an experimental system and implement the framework with POX controller and Mininet emulator.

Yangyang Liu,Laiping Zhao,Jingyu Hua,Wenyu Qu,Suohao Zhang,Sheng Zhong,Zhao Laiping

DOI: https://doi.org/10.1109/tcc.2021.3067456

IF: 5.697

2021-01-01

IEEE Transactions on Cloud Computing

Abstract:In software defined networking, the flat design of distributed control plane enables the management of multi-domain networks that are incapable of deploying a root controller. However, it is very difficult to avoid policy conflicts between independent local controllers due to the lack of centralized arbitration. Moreover, domains without trust may not be always cooperative and could even cheat to maximize their own interests. In this article, we first consider the cooperative scenario and address the problem of traffic engineering in a flat distributed control plane. We propose a fully distributed algorithm, called DisTE, which can provide max-min fair bandwidth allocation for flows and maximize resource utilization. DisTE also preserves the local topology of each domain and achieves policy consistency by multiple rounds of synchronization. We then consider the non-cooperative scenario, where selfish domains may discriminate bandwidth requests from other domains or overstate theirs owns to squeeze more bandwidths.

computer science, information systems, theory & methods

Laiping Zhao,Jingyu Hua,Yangyang Liu,Wenyu Qu,Suohao Zhang,Sheng Zhong

DOI: https://doi.org/10.1109/ICDCS.2019.00056

2019-01-01

Abstract:The increasing scale of software defined networks (SDN) raises the requirement of distributed control plane, for providing scalable, reliable and high performance network management capabilities. In particular, the flat design of distributed control plane enables the management of networks with multiple independent domains that are incapable of deploying a root controller. However, it is very difficult to avoid policy conflicts between multiple controllers in flat plane due to the lack of arbitration. In this paper, we address the problem of traffic engineering in a flat control plane, and design a distributed traffic engineering algorithm, called DisTE, which can provide max-min fair bandwidth allocation for flows and maximize the resource utilization, using a fully distributed arbitration mechanism. DisTE also preserves the local topology of each domain using the topology aggregation method, and supports consistency by multiple rounds of synchronizations. We examine four strategies for determining the synchronization timings, and find that linearly decreasing interval method provides a better trade-off between network utilization and time costs. Experiments on a 717-switches 5-domain network topology demonstrate that DisTE could drive the link utilization ratio to more than 93%, and reduce up to 95% convergence time at cost of 3% relative error on fairness, compared to the centralized approach.

Chen Sun,Jun Bi,Haoxian Chen,Hongxin Hu,Zhilong Zheng,Shuyong Zhu,Chenghui Wu

DOI: https://doi.org/10.1109/tnet.2017.2726550

2017-01-01

IEEE/ACM Transactions on Networking

Abstract:As the prevailing technique of software-defined networking (SDN), open flow introduces significant programmability, granularity, and flexibility for many network applications to effectively manage and process network flows. However, open flow only provides a simple "match-action" paradigm and lacks the functionality of stateful forwarding for the SDN data plane, which limits its ability to support advanced network applications. Heavily relying on SDN controllers for all state maintenance incurs both scalability and performance issues. In this paper, we propose a novel stateful data plane architecture (SDPA) for the SDN data plane. A co-processing unit, forwarding processor (FP), is designed for SDN switches to manage state information through new instructions and state tables. We design and implement an extended open flow protocol to support the communication between the controller and FP. To demonstrate the practicality and feasibility of our approach, we implement both software and hardware prototypes of SDPA switches, and develop a sample network function chain with stateful firewall, domain name system (DNS) reflection defense, and heavy hitter detection applications in one SDPA-based switch. Experimental results show that the SDPA architecture can effectively improve the forwarding efficiency with manageable processing overhead for those applications that need stateful forwarding in SDN-based networks.

Xitao Wen,Kai Bu,Bo Yang,Yan Chen,Li Erran Li,Xiaolin Chen,Jianfeng Yang,Xue Leng

DOI: https://doi.org/10.1109/tnet.2017.2686443

2017-01-01

IEEE/ACM Transactions on Networking

Abstract:Software-defined networking (SDN) promises unprecedentedly flexible network management but it is susceptible to forwarding faults. Such faults originate from data-plane rules with missing faults and priority faults. Yet existing fault detection ignores priority faults, because they are not discovered on commercial switches until recently. In this paper, we present RuleScope, a more comprehensive solution for inspecting SDN forwarding. RuleScope offers a series of accurate and efficient algorithms for detecting and troubleshooting rule faults. They inspect forwarding behavior using customized probe packets to exercise data-plane rules. The detection algorithm exposes not only missing faults but also priority faults and the troubleshooting algorithm uncover actual forwarding states of data-plane flow tables. Both of them help track real-time forwarding status and benefit reliable network monitoring. Furthermore, toward fast inspection of dynamic networks, we propose incremental algorithms for rapidly evolving network policies to amortize detection and troubleshooting overhead without sacrificing accuracy. Experiments with our prototype on the Ryu SDN controller and Pica8 P-3297 switch show that the RuleScope achieves accurate fault detection on 320-entry flow tables with a cost of 1500+ probe packets within 16 s.