Gao Wen,Zhou Boyang,Wu Chunming,Zhou Haifeng,Jiang Ming,Hong Xiaoyan

DOI: https://doi.org/10.1049/cje.2015.07.035

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:In the Software-defined networking（SDN）,when multiple control domains are used in control services,the transient state problem can occur causing the service flow interruption when border switches are updated asynchronously. We analyze the uniqueness of this problem for SDN, and propose a light-weight protocol for safe reconfiguration of the border switches in order to improve the availability of the services running in SDN. Our solution is designed as a generic supervision layer added in the control plane to support different types of services. To demonstrate the benefits, we implement a prototype of Informationcentric networks（ICN） with the protocol, and conduct experiments using Planet Lab. The results show the ICN service can continuously serve high volume requests for contents despite the congestions built by the heavy background traffic. The performance gains in terms of the mean and standard deviation of the content retrieve delay are40.5% and 21.56%.

Dezhang Kong,Chunming Wu,Yi Shen,Xiang Chen,Hongyan Liu,Dong Zhang

DOI: https://doi.org/10.1109/globecom48099.2022.10001437

2022-01-01

Abstract:One of the most important components of Software-Defined Networking (SDN) is the flow table. It receives flow rules from the controller and uses them to handle network traffic. However, a flow table can only store a few thousand flow rules, which makes it an attractive target for table overflow attacks. These attacks force the controller to populate the flow table with a large number of meaningless flow rules, which prevents normal flows from finding matching rules and therefore having to be reported to the controller. It results in a significant latency overhead, degrading the performance of the whole network. In this paper, we present a key characteristic of table overflow attacks: even though attackers can change some critical attack parameters (e.g., attack speed) to avoid detection, proactive flows from the attacked port always occupy a stable proportion in the flow table regardless of the attack form. In light of this finding, we propose TableGuard, a novel security mechanism that uses the proactive flow rule number as the detection metric and applies a statistical approach to help filter malicious flows. The experiments demonstrate that TableGuard can mitigate both high-rate and low-rate table overflow attacks. Compared with existing defenses, TableGuard has the best mitigation performance and the minimal overhead on normal flows.

Yi Shen,Chunming Wu,Dezhang Kong,Qiumei Cheng

DOI: https://doi.org/10.3390/app13127210

2023-01-01

Applied Sciences

Abstract:Software-defined networking (SDN) enables dynamic management and flexible network control by employing reactive rule installation. Due to high power consumption and cost, current OpenFlow switches only support a limited number of flow rules, which is a major limitation for deploying massive fine-grained policies. This bottleneck can be exploited by attackers to launch saturation attacks to overflow the flow table. Moreover, flow table overflow can occur in the absence of malicious attackers. To cope with this, researchers have developed many proposals to relieve the load under benign conditions. Among them, the dynamic timeout mechanism is one of the most effective solutions. We notice that when the SDN controller adopts dynamic timeouts, existing flow table saturation attacks can fail, or even expose the attackers, due to inaccurate inferring results. In this paper, we extract the common features of dynamic timeout strategies and propose an advanced flow table saturation attack. We explore the definition of flow rule lifetime and use a timing-based side-channel to infer the timeout of flow rules. Moreover, we leverage the dynamic timeout mechanisms to proactively interfere with the decision of timeout values and perform an attack. We conduct extensive experiments in various settings to demonstrate its effectiveness. We also notice that some replacement strategies work differently when the controller assigns dynamic timeouts. The experiment results show that the attack can incur significant network performance degradation and carry out the attack in a stealthy manner.

Zixuan Ma,Yuqi Zhang,Ruibang You,Chen Li

DOI: https://doi.org/10.1109/cscwd57460.2023.10152559

2023-01-01

Abstract:Software-Defined Networking (SDN) decouples the data plane from the control plane, enabling centralized control and open programmability of the network. OpenFlow flow rules are the key carrier for the SDN application to configure and manage the data plane through the control plane, and the processing efficiency of flow rules of the SDN controller in the control plane is critical as it will directly impact the instantaneity of configuring and managing the data plane. Currently, the controller increases the processing efficiency of flow rules by means of multi-threaded parallel processing. However, in the experiments of the widely used SDN controller ONOS, we found a new bottleneck in the parallel processing of flow rules that causes the performance gains from parallelism to be offset. Therefore, in this paper, we locate the bottleneck and analyze its causes through source code analysis and timestamp tests, propose a parallel event queue to resolve the bottleneck, and implement it in ONOS. Experiments show that our improved ONOS effectively resolves the bottleneck problem and achieves an average 3.57x improvement in the processing efficiency of flow rules compared to the original ONOS.

Cheng Ren,Sheng Wang,Jing Ren,Xiong Wang,Tongyu Song,Dehao Zhang

DOI: https://doi.org/10.1109/GLOCOM.2016.7841819

2016-01-01

Abstract:Hybrid Software-Defined Networking (HSDN) is a transitional networking form of SDN where SDN elements are partially deployed in traditional networks. Previous researches show that redirecting every flow of source-destination pair through at least one SDN switch can obtain flow manageability, e.g., access control and traffic measurement. Intuitively, the selection of SDN switch as the waypoint for every flow has a significant effect on the Traffic Engineering (TE) performance, such as maximum link utilization and routing efficiency. And it is worth noting that SDN switch can split traffic to the outgoing links to exactly profit the TE performance. In this paper, from the perspective of TE performance, we propose a flow routing and splitting (FRS) algorithm whereby we jointly determine an appropriate SDN switch for every flow as the waypoint, as well as optimizing the traffic splitting fractions for every SDN switch among its outgoing links to minimize the maximum link utilization. We conduct simulations with different SDN deployment rate. The results indicate that, when 20% of the SDN switches are deployed, the proposed FRS algorithm can obtain a lower maximum link utilization compared with other state-of-art works. Not only that, FRS algorithm can also generate a little longer paths for every flow on the average, which has a limited influence on the routing efficiency.

Xiang-yang ZHU,Bing CHEN

DOI: https://doi.org/10.3969/j.issn.1673-629X.2016.12.003

2017-01-01

Abstract:The timeout mechanism and capacity limitation of flow table in OpenFlow switches,together with the traffic characteristics in data centers,have brought scalability problems in the application of Software-Defined Network ( SDN) . Due to the frequent and repeat-able routing request invocations by mice flows and flow table timeouts,the SDN control plane and OpenFlow secure channel will become the performance bottleneck of whole SDN architecture,and thus cannot provide QoS guaranteed services according to network resources and business requests. Two improvement measures are put forward from two aspects. The switches are configured with destination address oriented wildcard flow table entries for mice flows,making that most of mice flows are handled by forwarding plane directly without ask-ing control plane. A dynamic-index hash cache layer is added between the control plane and the forwarding plane,and flow table entries will be put into the cache layer when they are evicted from flow table because of timeout or other reasons,which can avoid repeatable rou-ting calculations. Experimental results show that wildcard flow table entries can effectively reduce the network delay and the number of flow table entries,and the cache strategy proposed has higher hit rate and looking up speed.

Wenmao LIU,Xiaofeng QIU,Pengcheng CHEN,Xutao WEN,Xinxin HE,Dongsheng WANG,Jun LI

DOI: https://doi.org/10.3778/j.issn.1673-9418.1407061

2015-01-01

Abstract:Current OpenFlow specifications provide limited access to packet details, making it inefficient to deploy security applications. Moreover, current security solutions become less flexible as software defined-networking (SDN) develops. This paper proposes a distributed software-defined security architecture (SDSA), which offloads heavy security processing from SDN controller to a dedicated security controller and security APPs, providing both flow and packet level protections against various attacks in the SDN and virtual environment. This paper gives the global view and knowledge of flows, IaaS assets and devices, which can make accurate decisions and ensures devices to execute security rules instantly. The architecture simplifies security device logic greatly by separating security data and control planes, the detection and protection are automated with standardized control messages, making the secu-rity reaction fast. The experiments demonstrate that SDSA can detect DoS attack, port scan and abnormal high traffic with low cost and little overhead.

Liang Xie,Zhifeng Zhao,Yifan Zhou,Gang Wang,Qianlan Ying,Honggang Zhang

DOI: https://doi.org/10.1109/wcsp.2014.6992181

2014-01-01

Abstract:Software Defined Network (SDN) is undergoing an increasingly high popularity among various schemes of networking deployment. The main advantage of SDN lies in its flexibility in controlling network traffic, which arises from decoupling the control plane and the data plane of network devices. However, despite of the valuable merits of SDN, the outage of data forwarding should not be ignored. The drawback mainly results from the length limitation of switch flow tables, the congestion between controllers and switches, and the deficiency of the controller capacity, which are all closely related to the timeout mechanism of flow table. In our study, the deficiency of SDN system will be analyzed explicitly. Moreover, we propose an adaptive control mechanism aiming at optimizing the idle timeout reset of flow tables and cooperation between controllers and switches. Our mechanism achieves higher matching ratio of flow tables as well as alleviates the congestion in the control channel, enabling more fluent data forwarding in SDN.

Ihsan H. Abdulqadder,Deqing Zou,Israa T. Aziz,Bin Yuan

DOI: https://doi.org/10.1109/icct.2017.8359852

2017-01-01

Abstract:Software Defined Networking (SDN) support several administrators for quicker access of resources due to its manageability, cost-effectiveness and adaptability. Even though SDN is beneficial it also exists with security based challenges due to many vulnerable threats. Participation of such threats increases their impact and risk level. In this paper a multi-level security mechanism is proposed over SDN architecture design. In each level the flow packet is analyzed using different metric and finally it reaches a secure controller for processing. Benign flow packets are differentiated from non-benign flow by means of the packet features. Initially routers verify user, secondly policies are verified by using dual-fuzzy logic design and thirdly controllers are authenticated using signature based authentication before assigning flow packets. This work aims to enhance entire security of developed SDN environment. SDN architecture is implemented in OMNeT++ simulation tool that supports OpenFlow switches and controllers. Finally experimental results show better performances in following performance metrics as throughput, time consumption and jitter.

Zhiyuan Hu,Mingwen Wang,Xueqiang Yan,Yueming Yin,Zhigang Luo

DOI: https://doi.org/10.1109/icin.2015.7073803

2015-01-01

Abstract:SDN enables the administrators to configure network resources very quickly and to adjust network-wide traffic flow to meet changing needs dynamically. However, there are some challenges for implementing a full-scale carrier SDN. One of the most important challenges is SDN security, which is beginning to receive attention. With new SDN architecture, some security threats are common to traditional networking, but the profile of these threats (including their likelihood and impact and hence their overall risk level) changes. Moreover, there are some new security challenges such as bypassing predefined mandatory policies by overwriting flow entries and data eavesdropping by inserting fraudulent flow entries. This paper is to design open-flow specific security solutions and propose a comprehensive security architecture to provide security services such as enforcing mandatory network policy correctly and receiving network policy securely for SDN in order to solve these common security issues and new security challenges. It can also help the developers to implement security functions to provide security services when developing the SDN controller.

Shuyong Zhu,Jun Bi,Chen Sun,Chenghui Wu,Hongxin Hu

DOI: https://doi.org/10.1109/icnp.2015.45

2015-01-01

Abstract:As the prevailing technique of Software-Defined Networking (SDN), OpenFlow introduces significant programmability, granularity and flexibility for many network applications to effectively manage and process network flows. However, OpenFlow only provides a simple "match-action" paradigm and lacks the function of stateful forwarding for SDN data plane, which limits it to support advanced network applications. Heavily relying on SDN controllers for all state maintenance incurs both scalability and performance issues. In this paper, we propose a novel Stateful Data Plane Architecture (SDPA) for SDN data plane. A co-processing unit, Forwarding Processor (FP), is designed for SDN switches to manage state information through new instructions and state tables. We design and implement an extended OpenFlow protocol to implement the communication between the controller and FP. To demonstrate the practicality and feasibility of our approach, we implement both software and hardware prototypes of SDPA switches, and develop a sample network function chain with stateful firewall, DNS reflection attack defense and NAT applications in one SDPA-based switch. Experimental results show that the SDPA architecture can effectively improve the forwarding efficiency with manageable processing overhead for those applications that need stateful forwarding in SDN-based networks.

Bin Yuan,Deqing Zou,Shui Yu,Hai Jin,Weizhong Qiang,Jinan Shen

DOI: https://doi.org/10.1109/tsc.2016.2602861

IF: 11.019

2019-01-01

IEEE Transactions on Services Computing

Abstract:The Software-Defined Network (SDN) is a new and promising network architecture. At the same time, SDN will surely become a new target of cyber attackers. In this paper, we point out one critical vulnerability in SDNs, the size of flow table, which is most likely to be attacked. Due to the expensive and power-hungry features of Ternary Content Addressable Memory (TCAM), a flow table usually has a limited size, which can be easily disabled by a flow table overloading attack (a transformed DDoS attack). To provide a security service in SDN, we proposed a QoS-aware mitigation strategy, namely, peer support strategy, which integrates the available idle flow table resource of the whole SDN system to mitigate such an attack on a single switch of the system. We established a practical mathematical model to represent the studied system, and conducted a thorough analysis for the system in various circumstances. Based on our analysis, we found that the proposed strategy can effectively defeat the flow table overloading attacks. Extensive simulations and testbed-based experiments solidly support our claims. Moreover, our work also shed light on the implementation of SDN networks against possible brute-force attacks.

Ping Song,Yi Liu,Chi Liu,Depei Qian

DOI: https://doi.org/10.1016/j.jnca.2017.03.009

IF: 7.574

2017-01-01

Journal of Network and Computer Applications

Abstract:Using Software-Defined Networking (SDN), the flexibility and programmability of networks can be significantly increased through the decoupling of the control and data planes. However, network scale-up in large-scale data centers can rapidly increase the computational complexity of operations such as the shortest path calculation on the network topology or Quality-of-Service (QoS) routing, which, in turn, can cause scalability problems in current SDN controllers. This paper proposes ParaFlow, a multithreaded SDN controller that supports fine-grained parallelism by exploiting application parallelism and utilizing multi-/many-core resources to accelerate event processing. ParaFlow also provides a flow-based programming interface that allows application developers to program with network flows rather than various types of low-level events. Experimental results show that ParaFlow achieves satisfactory performance and scalability in the multithreaded case.

Yazhe TANG,Yongqi ZHANG,Zijian YAN,Guiying ZHU

DOI: https://doi.org/10.7652/xjtuxb201802002

2018-01-01

Abstract:A new multilevel flow table architecture based on Bloom Filter is proposed to solve the problem of the explosive growth of the flow table's space occupation and look-up overhead due to the fine grained flow matching mechanism in SDN networks.This architecture follows the hybrid flow table paradigm and uses a Bloom Filter pipeline to store flow entries.The motivation is to construct secondary flow tables with very high capacity and to speed up the matching speed of flow table items.An intermediate adaptation layer between controllers and OpenFlow switches is designed to transform the corresponding messages and to avoid possible semantic conflicts.Experiments results show that when the flow table becomes more fine-grained,the space occupation of the proposed scheme is more effectively reduced,up to 90.7％,and when the number of the flow entries increases,the packet matching time is greatly reduced and the maximum reduction of matching time is 99.4％.The solution of the problem is expected to lay a solid foundation in data plane for the large-scale practical deployment of SDN networks.

Chen Sun,Jun Bi,Haoxian Chen,Hongxin Hu,Zhilong Zheng,Shuyong Zhu,Chenghui Wu

DOI: https://doi.org/10.1109/tnet.2017.2726550

2017-01-01

IEEE/ACM Transactions on Networking

Abstract:As the prevailing technique of software-defined networking (SDN), open flow introduces significant programmability, granularity, and flexibility for many network applications to effectively manage and process network flows. However, open flow only provides a simple "match-action" paradigm and lacks the functionality of stateful forwarding for the SDN data plane, which limits its ability to support advanced network applications. Heavily relying on SDN controllers for all state maintenance incurs both scalability and performance issues. In this paper, we propose a novel stateful data plane architecture (SDPA) for the SDN data plane. A co-processing unit, forwarding processor (FP), is designed for SDN switches to manage state information through new instructions and state tables. We design and implement an extended open flow protocol to support the communication between the controller and FP. To demonstrate the practicality and feasibility of our approach, we implement both software and hardware prototypes of SDPA switches, and develop a sample network function chain with stateful firewall, domain name system (DNS) reflection defense, and heavy hitter detection applications in one SDPA-based switch. Experimental results show that the SDPA architecture can effectively improve the forwarding efficiency with manageable processing overhead for those applications that need stateful forwarding in SDN-based networks.

Lishui Chen,Yongqi Zhang,Yazhe Tang

DOI: https://doi.org/10.1109/iccis53528.2021.9646059

2021-01-01

Abstract:In SDN network, the fine grained flow matching mechanism makes number of flow entries extremely huge so that flow tables have become the bottleneck of large-scale deployment of SDN. To solve this problem, one of the known solutions is to make a hybrid flow table structure that utilizes both TCAM and other memory, such as SRAM. The motivation is to store flow entries with many wildcards or frequently used in TCAM and to store other flow entries especially those need fine grained matching in other memory to get a cheaper, high capacity flow table with acceptable matching speed. This paper follows the hybrid flow table architecture and focuses mainly on how to make high capacity and accepted matching speed flow tables. We use a Bloom Filter pipeline to store flow entries, design and implement an intermediate adaptation layer between controllers and Openflow switches to transform the corresponding messages. The experiments results show that the flow table space can be effectively reduced to 33 bits for one flow entry, and the packet matching time can be substantially reduced compared with CPqD software switch.

Yunfei Meng,Changbo Ke,Zhiqiu Huang

DOI: https://doi.org/10.1016/j.cose.2024.103850

IF: 5.105

2024-04-19

Computers & Security

Abstract:Software-defined networking (SDN) has been utilized to enforce the security of traditional networks. However, the existing SDN-based security enforcement mechanisms rely heavily on the security policies containing the underlying information of data plane, such as MAC address, IP address or switch ports. These security policies need to be specifically developed by network operators and loaded into the control plane manually. With increasing the scale of underlying network, the existing security policy management mechanisms confront more and more challenges. The security policy transformation for SDN networks is to research how to transform the high-level security policy without containing the underlying information into the practical flow entries used by Openflow switches automatically, thereby implementing the automatic management of security policies. To achieve this objective, we propose a model transformation based security policy automatic management framework for software-defined networking in this paper. Leveraging its functional modules, the framework can solve the problems of how to find a connected path for each access control rule of security policy model (SPM) in data plane, how to transform the connected path into the system model of flow entries, as well as how to generate the practical flow entries according to the system model of flow entries. In order to validate the effectiveness and performance of framework, we implement the framework by leveraging POX controller and Mininet emulator. The experimental results illustrate the framework can transform SPM into practical flow entries, synchronously perceive the modifications caused by cutting down one connected path or changing SPM, and continuously keep the data plane holding the security properties defined by SPM at runtime.

computer science, information systems

Yadong Zhou,Kaiyue Chen,Junjie Zhang,Junyuan Leng,Yazhe Tang

DOI: https://doi.org/10.1155/2018/4760632

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:As the most competitive solution for next-generation network, SDN and its dominant implementation OpenFlow are attracting more and more interests. But besides convenience and flexibility, SDN/OpenFlow also introduces new kinds of limitations and security issues. Of these limitations, the most obvious and maybe the most neglected one is the flow table capacity of SDN/OpenFlow switches. In this paper, we proposed a novel inference attack targeting at SDN/OpenFlow network, which is motivated by the limited flow table capacities of SDN/OpenFlow switches and the following measurable network performance decrease resulting from frequent interactions between data and control plane when the flow table is full. To the best of our knowledge, this is the first proposed inference attack model of this kind for SDN/OpenFlow. We implemented an inference attack framework according to our model and examined its efficiency and accuracy. The evaluation results demonstrate that our framework can infer the network parameters (flow table capacity and usage) with an accuracy of 80% or higher. We also proposed two possible defense strategies for the discovered vulnerability, including routing aggregation algorithm and multilevel flow table architecture. These findings give us a deeper understanding of SDN/OpenFlow limitations and serve as guidelines to future improvements of SDN/OpenFlow.

Dezhang Kong,Xiang Chen,Chunming Wu,Yi Shen,Zhengyan Zhou,Qiumei Cheng,Xuan Liu,Mingliang Yang,Yubing Qiu,Dong Zhang,Muhammad Khurram Khan

DOI: https://doi.org/10.1109/tifs.2024.3472477

IF: 7.231

2024-10-15

IEEE Transactions on Information Forensics and Security

Abstract:The flow table is a critical component of Software-Defined Networking (SDN). However, flow tables' limited capacity makes them highly vulnerable to flow table overflow attacks (FTOAs). Due to the low attack cost and highly flexible attack forms, it is hard to eradicate FTOAs. This paper addresses three unsolved problems for table security and proposes a robust defense accordingly. First, we reveal that the existing defenses with fixed defense speeds will cause severe packet loss when handling diverse traffic. We prove that deleting multiple rules can efficiently solve this problem and give a rigorous derivation to calculate the suitable deletion number according to the environment. Second, we illustrate that abnormal table occupancy squeezing is a constant characteristic of FTOAs regardless of attack forms. It can be used to identify attacked ports accurately in different scenarios. Third, we mathematically prove that random deletion can guarantee the continuous decrease of malicious flow rules after confirming attacked ports. It achieves fast speed and robust effectiveness in different environments. Based on these findings, we design rDefender, a robust and lightweight defense prototype. We evaluate its effect by designing diverse, powerful attacks and using real-world datasets and topology. The results demonstrate that it achieves the best overall performance compared to six existing mainstream defenses, providing stable security for switch flow tables.

computer science, theory & methods,engineering, electrical & electronic

Wen Wang,Wenbo He,Jinshu Su

DOI: https://doi.org/10.1109/icc.2017.7996839

2017-01-01

Abstract:A lot of researches exploit the flexibility of Software-Defined Networking (SDN) to conduct traffic engineering in order to improve network performance and enhance robustness to failures. As the upgrade of a traditional network to a full SDN deployment is an incremental process, the coexistence of SDN switches and legacy switches forms a hybrid SDN. Due to the different forwarding characteristics of these switches, it is essential to coordinate the forwarding of SDN control and distributed routing to avoid inconsistency and achieve high network utilization. In this paper, we note that the effectiveness of traffic engineering in hybrid SDN strongly depends on both the structures of forwarding graphs and traffic distribution, while existing approaches mainly focus on the latter. We first define the consistent forwarding graph, and then construct forwarding graphs with potential high throughput for effective traffic engineering, while maintaining forwarding consistency. The evaluation results show that the proposed forwarding graph construction approach improves network throughput and achieves better load balancing compared with existing simple forwarding path constructing approaches, especially with more fraction of SDN deployment.