
PERM-GUARD: Authenticating the Validity of Flow Rules in Software Defined Networking

Published in: Journal of Signal Processing Systems

Abstract

Software Defined Networking (SDN) is a type of flow-rule-driven network. In SDN, a centralized controller dictates the network behavior and configures network devices via flow rules. Therefore, the validity and consistency of flow rules are critical to the security of SDN operations, requiring a secure and efficient mechanism to manage and authenticate flow rules between the controller and network devices. In this paper, we aim to develop solutions that guarantee the validity of flow rules in SDN. We analyze the mechanisms that generate and manage flow rules in SDN, and present PERM-GUARD, a fine-grained permission management and authentication scheme for flow rules in SDN. PERM-GUARD employs a new permission authentication model and introduces an identity-based signature scheme that lets the controller verify the validity of flow rules. We conduct theoretical analysis and simulation-based evaluation of PERM-GUARD. The results demonstrate that PERM-GUARD can efficiently identify and reject fake flow rules generated by unregistered applications. Meanwhile, it can also effectively filter out unauthorized flow rules created by valid applications, and trace their creators promptly and accurately.
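The abstract describes three checks the controller performs on an incoming flow rule: reject rules from unregistered applications, reject rules whose signature does not verify, and reject rules from registered applications that exceed their granted permissions, while recording the creator for later tracing. The following simulation, added here as an illustration and not the paper's PERM-GUARD implementation, shows that pipeline end to end. It is an assumption-laden stand-in: the controller plays the key-issuing authority and derives each application's key from its identity with HMAC (mimicking the identity-based verification step, but without the non-repudiation a true identity-based signature provides), and the application identifiers, permission sets, flow rules and master secret are all constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed master secret held by the controller, which here also plays the
# key-issuing authority. Assumption: HMAC with identity-derived keys stands in
# for the paper's identity-based signature scheme (demonstration only).
MASTER_SECRET = b"constructed-controller-master-secret"


def issue_app_key(master_secret: bytes, app_id: str) -> bytes:
    """Derive an application's key from its identity (identity-based style)."""
    return hmac.new(master_secret, app_id.encode(), hashlib.sha256).digest()


def canonical(rule: dict) -> bytes:
    """Serialize a flow rule deterministically so signer and verifier agree."""
    return json.dumps(rule, sort_keys=True, separators=(",", ":")).encode()


def sign_rule(app_key: bytes, app_id: str, rule: dict) -> str:
    """Bind the rule to the claimed application identity."""
    msg = app_id.encode() + b"\x00" + canonical(rule)
    return hmac.new(app_key, msg, hashlib.sha256).hexdigest()


class Controller:
    """Registers applications with permissions and authenticates their rules."""

    def __init__(self, master_secret: bytes):
        self.master_secret = master_secret
        self.permissions = {}   # app_id -> set of allowed action types (constructed)
        self.audit = []         # (app_id, decision, reason) so creators can be traced

    def register(self, app_id: str, allowed_actions) -> bytes:
        self.permissions[app_id] = set(allowed_actions)
        return issue_app_key(self.master_secret, app_id)

    def verify(self, app_id: str, rule: dict, tag: str) -> bool:
        # 1. Unregistered applications are rejected before any crypto work.
        if app_id not in self.permissions:
            return self._decide(app_id, False, "unregistered application")
        # 2. Recompute the tag from the identity alone; no per-app key store needed.
        expected = sign_rule(issue_app_key(self.master_secret, app_id), app_id, rule)
        if not hmac.compare_digest(expected, tag):
            return self._decide(app_id, False, "invalid signature or tampered rule")
        # 3. A genuine application may still request actions it was never granted.
        requested = {a["type"] for a in rule.get("actions", [])}
        excess = requested - self.permissions[app_id]
        if excess:
            return self._decide(app_id, False,
                                "unauthorized actions: " + ",".join(sorted(excess)))
        return self._decide(app_id, True, "ok")

    def _decide(self, app_id: str, ok: bool, reason: str) -> bool:
        self.audit.append((app_id, "accepted" if ok else "rejected", reason))
        return ok


def demo():
    """Constructed scenario covering the cases the abstract describes."""
    ctl = Controller(MASTER_SECRET)
    fw_key = ctl.register("firewall-app", ["OUTPUT", "DROP"])
    rule = {"match": {"in_port": 1, "eth_type": 2048},
            "actions": [{"type": "OUTPUT", "port": 2}]}
    results = []
    # Valid rule from a registered application, within its permissions.
    results.append(ctl.verify("firewall-app", rule,
                              sign_rule(fw_key, "firewall-app", rule)))
    # Fake rule from an unregistered application using a guessed key.
    rogue_key = issue_app_key(b"guessed-secret", "rogue-app")
    results.append(ctl.verify("rogue-app", rule,
                              sign_rule(rogue_key, "rogue-app", rule)))
    # Registered application requesting an action outside its permission set.
    rewrite = {"match": {"in_port": 1},
               "actions": [{"type": "SET_FIELD", "field": "ipv4_dst"}]}
    results.append(ctl.verify("firewall-app", rewrite,
                              sign_rule(fw_key, "firewall-app", rewrite)))
    # Rule altered after signing: the tag no longer matches the content.
    tag = sign_rule(fw_key, "firewall-app", rule)
    tampered = dict(rule, actions=[{"type": "OUTPUT", "port": 3}])
    results.append(ctl.verify("firewall-app", tampered, tag))
    return results, ctl.audit


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The audit list is what makes creator tracing possible: every decision carries the application identity that signed (or claimed to sign) the rule, so an unauthorized rule from a valid application is attributed to that application rather than silently dropped. The permission check runs only after the signature check, so an attacker cannot learn an application's permission set by submitting unsigned rules under its name.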



Notes

  1. In this paper, we use “production” and “generation” interchangeably.


Acknowledgments

The authors thank anonymous reviewers for their helpful and insightful comments.

Author information

Corresponding author: Jian Mao.

Additional information

This work was supported by the National Key Basic Research Program (973 program) through project 2012CB315905, by the National Natural Science Foundation through projects 61402029 and 61272501, and by the Beijing Natural Science Foundation through project 4132056.

Cite this article

Wang, M., Liu, J., Chen, J. et al. PERM-GUARD: Authenticating the Validity of Flow Rules in Software Defined Networking. J Sign Process Syst 86, 157–173 (2017). https://doi.org/10.1007/s11265-016-1115-8
