A new approach for detecting violation of data plane integrity in Software Defined Networks

What is it about?

In this paper, we propose a new security approach for OpenFlow-based SDN in order to detect violation of switches flow tables integrity and successfully locate the compromised switches online. We cover all aspects of integrity violation including flow rule adding, modifying and emoving by an unauthorized entity. We achieve this by using the cookie field in the OpenFlow protocol to put in a suitable digest (hash) value for each flow entry. Moreover, we optimize our method performance by calculating a global digest value for the entire switch’s flow table that decides whether a switch is suspected of being compromised. Our method is also able to determine and handle false alarms that affect the coherence of a corresponding table digest. The implementation is a reactive java module integrated with the Floodlight controller. In addition, we introduce a performance evaluation for three different SDN topologies.

Featured Image

Photo by Jordan Harrison on Unsplash

Photo by Jordan Harrison on Unsplash

Why is it important?

We introduce a new security solution to OpenFlow-based Software Defined Networks (SDN) that could detect violation of data plane integrity and determine the compromised switches. adding or modifying entries, will not trigger any notification event, so the controller could not detect any possible violation of a switch’s flow table. Unfortunately, OpenFlow-based switches (e.g.,OVS) are not equipped with any integrity validation technique of Flow-Mod messages that could add, delete or modify flow entries.

Perspectives