Research article

A novel software-defined network packet security tunnel forwarding mechanism

  • Received: 28 February 2019 Accepted: 08 May 2019 Published: 17 May 2019
  • The OpenFlow protocol match-field capacity is fixed and limited, and packet forwarding in software-defined networks lacks valid data-source authentication, integrity verification, and confidentiality protection mechanisms. OpenFlow only supports MPLS label tunnel establishment, and therefore cannot establish a secure tunnel flexibly. To solve these problems, we propose P4Sec, a novel software-defined network packet security tunnel forwarding mechanism. Because P4 allows the data plane to be reprogrammed to define the packet forwarding behaviour, we build a software-defined network security tunnel that prevents malicious tampering with, stealing, and forgery of data and other malicious network behaviour, and that implements packet routing and forwarding based on gateway identity. Finally, we construct a P4Sec prototype system based on the software switch BMv2, verify the effectiveness of the mechanism through experimental analysis, and evaluate its overhead. The results demonstrate that the P4Sec security mechanism ensures the authenticity, integrity, and confidentiality of forwarded data and meets the secure forwarding requirements of data packets in software-defined networks.

    Citation: Zhibin Zuo, Rongyu He, Xianwei Zhu, Chaowen Chang. A novel software-defined network packet security tunnel forwarding mechanism[J]. Mathematical Biosciences and Engineering, 2019, 16(5): 4359-4381. doi: 10.3934/mbe.2019217


  • © 2019 the Author(s), licensee AIMS Press. This is an open access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0)

Metrics: Article views (4235), PDF downloads (513), Cited by (3)

Figures and Tables: Figures (16), Tables (3)
