ControllerSEPA: a security-enhancing SDN controller plug-in for openflow applications

Abstract : Software-defined networking (SDN), as a new network paradigm, has the advantage of centralizing control and global visibility over a network. However, security issues remain a major concern and prevent SDN from being widely adopted. One of the challenges is the prevention of malicious OpenFlow application (OF app) access to the SDN controller as it opens a programmable northbound interface for third party applications. In this paper, we address app-to-control security issues with focus on five main attack vectors: unauthorized access, illegal function calling, malicious rules injection, resources exhausting and manin-the-middle attack. Based on the identified threat models, we develop a light-weight plug-in, which is called ControllerSEPA, by using RESTful API to defend SDN controller against malicious OF apps. Specifically, ControllerSEPA can provide the services including OF app-based AAA control (unlike OpenDaylight and ONOS which offer user-based or role-based AAA control), rule conflict resolution, OF app isolation, fine-grained access control and encryption. Furthermore, we study the feasibility of deploying ControllerSEPA on five open source SDN controllers: OpenDaylight, ONOS, Floodlight, Ryu and POX. Results show that the deployment operates with very low complexity, and most of time the modification of source codes is unnecessary. In our implementations, the repacked services in ControllerSEPA create negligible latency (0.1% to 0.3%) and can provide more rich services to OF apps
Type de document :
Communication dans un congrès
Parallel and Distributed Computing, Applications and Technologies (PDCAT), 2016 17th International Conference on, Dec 2016, Guangzhou, China. IEEE Computer Society, Proceedings Parallel and Distributed Computing, Applications and Technologies (PDCAT), 2016 17th International Conference on, pp.268 - 273, 2016, 〈10.1109/PDCAT.2016.064〉
Liste complète des métadonnées

https://hal.archives-ouvertes.fr/hal-01738747
Contributeur : Médiathèque Télécom Sudparis & Institut Mines-Télécom Business School <>
Soumis le : mardi 20 mars 2018 - 17:25:41
Dernière modification le : jeudi 24 janvier 2019 - 01:16:15

Identifiants

Citation

Yuchia Tseng, Zonghua Zhang, Farid Naït-Abdesselam. ControllerSEPA: a security-enhancing SDN controller plug-in for openflow applications. Parallel and Distributed Computing, Applications and Technologies (PDCAT), 2016 17th International Conference on, Dec 2016, Guangzhou, China. IEEE Computer Society, Proceedings Parallel and Distributed Computing, Applications and Technologies (PDCAT), 2016 17th International Conference on, pp.268 - 273, 2016, 〈10.1109/PDCAT.2016.064〉. 〈hal-01738747〉

Partager

Métriques

Consultations de la notice

23