
PERM-GUARD: Authenticating the Validity of Flow Rules in Software Defined Networking

Published: 01 March 2017

Abstract

Software Defined Networking (SDN) is one type of flow-rule-driven network. In SDN, a centralized controller dictates the network behavior and configures network devices via flow rules. Therefore, the validity and consistency of flow rules are critical to the security of operations in SDN, requiring a secure and efficient mechanism to manage and authenticate flow rules between the controller and network devices. In this paper, we aim to develop solutions that guarantee the validity of flow rules in SDN. We analyze the mechanisms that generate and manage flow rules in SDN, and present PERM-GUARD, a fine-grained permission management and authentication scheme for flow rules in SDN. PERM-GUARD employs a new permission authentication model and introduces an identity-based signature scheme with which the controller verifies the validity of flow rules. We conduct theoretical analysis and simulation-based evaluation of PERM-GUARD. The results demonstrate that PERM-GUARD can efficiently identify and reject fake flow rules generated by unregistered applications. Meanwhile, it can also effectively filter out unauthorized flow rules created by valid applications, and trace their creator promptly and accurately.


Published In

Journal of Signal Processing Systems, Volume 86, Issue 2-3
March 2017
240 pages
ISSN: 1939-8018
EISSN: 1939-8115

Publisher

Kluwer Academic Publishers

United States


Author Tags

  1. Flow rule production permissions management
  2. Flow-rule-validity authentication
  3. Identity-based signature
  4. Software Defined Networking

Qualifiers

  • Article
