
Footprints: Ensuring Trusted Service Function Chaining in the World of SDN and NFV

  • Conference paper
  • Security and Privacy in Communication Networks (SecureComm 2019)

Abstract

Network Function Virtualization (NFV) and Software Defined Networking (SDN) empower Service Function Chaining (SFC), which integrates an ordered list of Virtualized Network Functions (VNFs) to implement a particular service. However, a high-level SFC policy specification cannot guarantee that the VNFs are always chained in the expected manner (i.e., that the packet flows of the service are forwarded to the VNFs of concern in the predefined order). An attacker can manage to bypass or evade the security VNFs (e.g., firewall, virus scanner, DPI) and divert the packet flows from the pre-specified path. There is thus a significant need for an efficient self-checking mechanism that ensures the SFC is implemented in a secure and correct way. We develop such a scheme based on an improved crypto primitive, Lite identity-based ordered multisignature, which requires all the VNFs in the same service chain to sequentially sign the packets they receive. The last hop of the chain then verifies the aggregate signature, so as to validate the authenticity of the VNFs as well as their order in the chain. We leverage the IETF Network Service Header (NSH) to implement our scheme and run the experiments in a real-world environment to evaluate its performance in terms of computational overhead and latency.
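The following is an added illustration of the abstract's verification model, not code from the paper or its authors. The paper's primitive is a pairing-based, identity-based ordered multisignature; this example does not implement it. Instead it uses a chain of HMACs as a stand-in: each VNF extends the aggregate tag over the previous tag, its own identity, its position and the packet digest, and the last hop recomputes the chain over the intended order (which, as in the paper's fixed-order case, it knows in advance) and compares. The VNF names, the shared per-VNF keys held by the verifier and the packet payloads are all constructed for the demo. It shows why a bypassed VNF, a reordered chain or a modified payload all fail verification at the last hop.

```python
import hashlib
import hmac

# Constructed demo material (assumption): the verifier at the last hop shares
# one symmetric key with each VNF. This replaces the paper's identity-based
# keys so the example runs with the standard library only.
VNF_KEYS = {
    "firewall": b"demo-key-firewall",
    "dpi": b"demo-key-dpi",
    "nat": b"demo-key-nat",
}

# The SFC policy the verifier enforces: VNFs must be traversed in this order.
EXPECTED_CHAIN = ["firewall", "dpi", "nat"]

# The first signer starts from an "empty" aggregate (cf. footnote 1, where the
# paper defines the initial signature as the identity element).
INITIAL_TAG = bytes(32)


def packet_digest(payload: bytes) -> bytes:
    """Bind the signature chain to the packet contents."""
    return hashlib.sha256(payload).digest()


def sign_hop(prev_tag: bytes, vnf_id: str, position: int, digest: bytes) -> bytes:
    """One VNF extends the aggregate tag with its own keyed contribution.

    Including prev_tag makes the tag depend on every earlier signer, and
    including position makes the intended order explicit.
    """
    msg = prev_tag + vnf_id.encode() + position.to_bytes(2, "big") + digest
    return hmac.new(VNF_KEYS[vnf_id], msg, hashlib.sha256).digest()


def traverse_chain(payload: bytes, path: list[str]) -> dict:
    """Forward a packet along `path`; each hop signs in turn.

    The returned dict models the fields the NSH metadata would carry:
    the payload and the aggregate tag.
    """
    digest = packet_digest(payload)
    tag = INITIAL_TAG
    for position, vnf_id in enumerate(path, start=1):
        tag = sign_hop(tag, vnf_id, position, digest)
    return {"payload": payload, "tag": tag}


def verify_at_last_hop(pkt: dict, expected_chain: list[str] = EXPECTED_CHAIN) -> bool:
    """Last hop recomputes the aggregate over the intended order and compares.

    Any VNF that was skipped, signed out of order, or saw a different payload
    produces a different tag, so the comparison fails.
    """
    digest = packet_digest(pkt["payload"])
    tag = INITIAL_TAG
    for position, vnf_id in enumerate(expected_chain, start=1):
        tag = sign_hop(tag, vnf_id, position, digest)
    return hmac.compare_digest(tag, pkt["tag"])


def run_scenarios() -> dict:
    """Exercise the honest path and three deviations the paper's scheme detects."""
    payload = b"GET /index.html HTTP/1.1"
    honest = traverse_chain(payload, EXPECTED_CHAIN)
    bypassed = traverse_chain(payload, ["dpi", "nat"])            # firewall skipped
    reordered = traverse_chain(payload, ["dpi", "firewall", "nat"])  # order swapped
    tampered = traverse_chain(payload, EXPECTED_CHAIN)
    tampered["payload"] = b"GET /admin HTTP/1.1"                  # payload changed after signing
    return {
        "honest": verify_at_last_hop(honest),
        "bypassed": verify_at_last_hop(bypassed),
        "reordered": verify_at_last_hop(reordered),
        "tampered": verify_at_last_hop(tampered),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:10s} -> {'accepted' if ok else 'REJECTED'}")
```

Because the verifier holds every VNF's key, this HMAC model is only sound when the last hop is trusted; the paper's multisignature avoids that by letting the verifier check with public, identity-derived material rather than the signers' secrets. The verification cost here is one recomputation of the chain per packet, which is why footnotes 2 and 3 matter: precomputing order-dependent values once for a fixed chain is what keeps per-packet overhead low.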


Notes

  1. For the first signer (\(i=1\)), \(\sigma \) is defined as \((1_\mathbb {G}, 1_\mathbb {G}, 1_\mathbb {G})\).

  2. If the intended signing order is fixed, then s needs to be computed only once. Whenever the intended signing sequence changes, this step needs to be re-executed.

  3. If the intended signing order is fixed, then sST needs to be computed only once. Otherwise, this step needs to be re-executed.

  4. When the signing probability is set to \(100\%\), every packet has to be signed, while \(10\%\) and \(50\%\) mean that on average only 10 and 50 out of every 100 packets will be signed.



Corresponding author

Correspondence to Montida Pattaranantakul .


Copyright information

© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering


Cite this paper

Pattaranantakul, M., Song, Q., Tian, Y., Wang, L., Zhang, Z., Meddahi, A. (2019). Footprints: Ensuring Trusted Service Function Chaining in the World of SDN and NFV. In: Chen, S., Choo, KK., Fu, X., Lou, W., Mohaisen, A. (eds) Security and Privacy in Communication Networks. SecureComm 2019. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 305. Springer, Cham. https://doi.org/10.1007/978-3-030-37231-6_16


  • DOI: https://doi.org/10.1007/978-3-030-37231-6_16


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-37230-9

  • Online ISBN: 978-3-030-37231-6

  • eBook Packages: Computer Science (R0)
