Abstract
Network Function Virtualization (NFV) and Software Defined Networking (SDN) enable Service Function Chaining (SFC), which composes an ordered list of Virtualized Network Functions (VNFs) to implement a particular service. However, a high-level SFC policy specification cannot by itself guarantee that the VNFs are always chained in the expected manner, i.e. that the packet flows of the service are forwarded to the VNFs of concern in the predefined order. An attacker who controls part of the data plane can bypass or evade the security VNFs (e.g., firewall, virus scanner, DPI) and divert the packet flows from the pre-specified path. There is thus a real need for an efficient self-checking mechanism that ensures the SFC is implemented securely and correctly. We develop such a scheme based on an improved cryptographic primitive, a Lite identity-based ordered multisignature, which requires every VNF in a service chain to sequentially sign the packets it receives. The last hop of the chain then verifies the aggregate signature, validating both the authenticity of the VNFs and their order in the chain. We leverage the IETF Network Service Header (NSH) to carry the signature, implement the scheme, and run experiments in a real-world environment to evaluate its performance in terms of computational overhead and latency.
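The abstract describes the core check: each VNF on the path signs the packet on top of its predecessor's signature, and the last hop verifies that the chain of signers matches the intended order. The following is an added illustration written for this page, not code from the paper; it replaces the paper's pairing-based identity-based ordered multisignature with a much simpler hash-chained HMAC construction (symmetric keys, no aggregation) so that it runs with the Python standard library. The VNF names, positions, keys and the packet bytes are all constructed here; where the chained tag would travel in the NSH metadata is likewise an assumption of this example.

```python
"""Toy model of order-enforcing per-hop signing on a service function chain.

Added example, not the paper's scheme: the real construction is an identity-based
ordered multisignature over a pairing group; here each VNF instead chains an HMAC
over (predecessor tag || its provisioned position || packet digest) and the last hop
recomputes the whole chain with the keys it shares with every VNF.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List

# Analogue of the first signer's starting value (footnote 1 of the paper uses the
# identity element of the group); here simply 32 zero bytes.
EMPTY_TAG = bytes(32)


@dataclass(frozen=True)
class Vnf:
    name: str
    position: int   # index in the intended chain, provisioned by the SFC controller (assumed)
    key: bytes      # per-VNF secret shared with the verifying last hop (assumption of this toy)


def packet_digest(payload: bytes) -> bytes:
    """Digest of the packet bytes covered by the signature (assumed: whole payload)."""
    return hashlib.sha256(payload).digest()


def vnf_sign(vnf: Vnf, prev_tag: bytes, payload: bytes) -> bytes:
    """Each hop absorbs its predecessor's tag, its own position and the packet digest.

    Binding the position means a VNF that is reached out of order produces a tag the
    verifier will not be able to reproduce, even if every VNF on the path is honest.
    """
    msg = prev_tag + vnf.position.to_bytes(2, "big") + packet_digest(payload)
    return hmac.new(vnf.key, msg, hashlib.sha256).digest()


def forward_along(path: List[Vnf], payload: bytes) -> bytes:
    """Simulate the packet traversing `path`, which may differ from the intended chain."""
    tag = EMPTY_TAG
    for vnf in path:
        tag = vnf_sign(vnf, tag, payload)
    return tag


def verify_at_last_hop(intended: List[Vnf], payload: bytes, received_tag: bytes) -> bool:
    """The last hop recomputes the chain for the intended order and compares tags."""
    return hmac.compare_digest(forward_along(intended, payload), received_tag)


def run_scenarios() -> Dict[str, bool]:
    """Constructed chain firewall -> dpi -> nat and four forwarding outcomes."""
    fw = Vnf("firewall", 1, os.urandom(32))
    dpi = Vnf("dpi", 2, os.urandom(32))
    nat = Vnf("nat", 3, os.urandom(32))
    intended = [fw, dpi, nat]
    # Constructed packet: a minimal IPv4 header followed by a few payload bytes.
    payload = bytes.fromhex("4500001c000040004011") + b"\x00" * 10 + b"probe"

    honest_tag = forward_along(intended, payload)
    bypass_tag = forward_along([dpi, nat], payload)          # firewall evaded
    swapped_tag = forward_along([dpi, fw, nat], payload)     # order violated
    return {
        "honest_path": verify_at_last_hop(intended, payload, honest_tag),
        "firewall_bypassed": verify_at_last_hop(intended, payload, bypass_tag),
        "order_swapped": verify_at_last_hop(intended, payload, swapped_tag),
        # Packet modified after signing but tag replayed unchanged.
        "payload_tampered": verify_at_last_hop(intended, payload + b"!", honest_tag),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:18s} -> {'accepted' if ok else 'REJECTED'}")
```

Only the honest traversal verifies; skipping the firewall, swapping two hops, or altering the packet after signing all make the last hop reject. The simplification has a real security cost that the paper's primitive avoids: the verifier must hold every VNF's secret, so a compromised last hop (or any VNF that learns another's key) can forge a valid chain, whereas with an identity-based ordered multisignature each VNF holds only its own private key and the verifier needs just public parameters and identities.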
Notes
- 1.
For the first signer (\(i=1\)), \(\sigma \) is defined as \((1_\mathbb {G}, 1_\mathbb {G}, 1_\mathbb {G})\).
- 2.
If the intended signing order is fixed, then s needs to be computed only once. Whenever the intended signing sequence changes, this step needs to be re-executed.
- 3.
If the intended signing order is fixed, then s, S and T need to be computed only once. Otherwise, this step needs to be re-executed.
- 4.
When the signing probability is set to \(100\%\), every packet has to be signed; \(10\%\) and \(50\%\) mean that on average only 10 or 50 out of every 100 packets are signed.
Copyright information
© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Pattaranantakul, M., Song, Q., Tian, Y., Wang, L., Zhang, Z., Meddahi, A. (2019). Footprints: Ensuring Trusted Service Function Chaining in the World of SDN and NFV. In: Chen, S., Choo, KK., Fu, X., Lou, W., Mohaisen, A. (eds) Security and Privacy in Communication Networks. SecureComm 2019. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 305. Springer, Cham. https://doi.org/10.1007/978-3-030-37231-6_16
DOI: https://doi.org/10.1007/978-3-030-37231-6_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-37230-9
Online ISBN: 978-3-030-37231-6