Abstract
The logically centralized network control in Software Defined Networks (SDN) facilitates a global network vision and flexible, automatic network control. Protection of this centralized network control is a primary concern in next-generation networks. One important issue considered in this manuscript is the protection of the SDN control plane from high-rate Packet-In messages. A simple solution to this problem is to offload certain control functions onto the data plane devices; however, this takes away the flexibility offered by OpenFlow-based networks. Therefore, a more comprehensive approach is required to protect SDN controllers from high-rate Packet-In messages. In this paper, we propose a Packet-In filtering mechanism which categorizes the Packet-In messages and forwards only the necessary Packet-In messages to other core controller modules. We have implemented the proposed mechanism in the Floodlight SDN controller by extending the core controller module, and have introduced another Packet-In listener module which exposes REST APIs to retrieve various types of Packet-In messages from the controller core. The proposed mechanism enhances the performance of the Floodlight SDN controller, as it reduces the CPU and memory load by dispatching only the necessary Packet-In message updates to the other Packet-In listener modules.
Research data policy and data availability statements
The results/data/figures in this manuscript have not been published elsewhere, nor are they under consideration by another publisher. Data sharing is not applicable to this article as no datasets were generated or analyzed during the study.
Author information
Contributions
This work is the research contribution of Suhail Ahmad under the supervision of Prof. A. H. Mir.
Ethics declarations
Conflict of interest
The authors declare that they have no competing interests as defined by Springer, or other interests that might be perceived to influence the results and/or discussion reported in this paper.
Ethical approval
The authors have read the Springer journal policies on author responsibilities and submit this manuscript in accordance with those policies. Further, the authors did not receive support from any agency/organization for the submitted work and this research work does not involve any human participants and/or animals.
About this article
Cite this article
Ahmad, S., Mir, A.H. Protection of centralized SDN control plane from high-rate Packet-In messages. Int. J. Inf. Secur. 22, 1197–1206 (2023). https://doi.org/10.1007/s10207-023-00685-z
DOI: https://doi.org/10.1007/s10207-023-00685-z