A novel software-defined network packet security tunnel forwarding mechanism

Zhibin Zuo; Rongyu He; Xianwei Zhu; Chaowen Chang; Zhibin Zuo; Rongyu He; Xianwei Zhu; Chaowen Chang

doi:10.3934/mbe.2019217

Mathematical Biosciences and Engineering

2019, Volume 16, Issue 5: 4359-4381. doi: 10.3934/mbe.2019217

Previous Article Next Article

Research article Special Issues

A novel software-defined network packet security tunnel forwarding mechanism

Zhengzhou Institute of Information Science and Technology, Zhengzhou, 450001, China

Received: 28 February 2019 Accepted: 08 May 2019 Published: 17 May 2019

The OpenFlow protocol match field capacity is fixed and limited, and packet forwarding in software-defined network lacks valid authentication of data source, integrity verification, and confidentiality protection mechanism. OpenFlow only supports the MPLS label tunnel establishment, and therefore cannot establish a secure tunnel flexibly. In order to solve these problems, we propose P4Sec, a novel software-defined network packet security tunnel forwarding mechanism. As P4 allows the data plane to be reprogrammed to realize the characteristics of packet forwarding, we build a software-defined network security tunnel to prevent data malicious tampering, stealing, forgery and other malicious network behavior, implementing packet routing and forwarding based on gateway identity. Finally, we construct a P4Sec prototype system based on the software switch BMv2, verify the effectiveness of the mechanism through experimental analysis, and evaluate the overhead of the mechanism. The results demonstrate that P4Sec security mechanism ensure the authenticity, integrity, and confidentiality of forwarded data, and realize the secure forwarding requirements of data packets in software-defined network.
- software-defined network,
- packet forwarding,
- security tunnel,
- P4,
- identity-based signature
Citation: Zhibin Zuo, Rongyu He, Xianwei Zhu, Chaowen Chang. A novel software-defined network packet security tunnel forwarding mechanism[J]. Mathematical Biosciences and Engineering, 2019, 16(5): 4359-4381. doi: 10.3934/mbe.2019217

Related Papers:

Abstract

The OpenFlow protocol match field capacity is fixed and limited, and packet forwarding in software-defined network lacks valid authentication of data source, integrity verification, and confidentiality protection mechanism. OpenFlow only supports the MPLS label tunnel establishment, and therefore cannot establish a secure tunnel flexibly. In order to solve these problems, we propose P4Sec, a novel software-defined network packet security tunnel forwarding mechanism. As P4 allows the data plane to be reprogrammed to realize the characteristics of packet forwarding, we build a software-defined network security tunnel to prevent data malicious tampering, stealing, forgery and other malicious network behavior, implementing packet routing and forwarding based on gateway identity. Finally, we construct a P4Sec prototype system based on the software switch BMv2, verify the effectiveness of the mechanism through experimental analysis, and evaluate the overhead of the mechanism. The results demonstrate that P4Sec security mechanism ensure the authenticity, integrity, and confidentiality of forwarded data, and realize the secure forwarding requirements of data packets in software-defined network.

References

[1]	N. McKeown, How SDN will shape networking, Open Networking Summit, (2011).
[2]	H. Kim and N. Feamster, Improving network management with software defined networking, IEEE Commun. Mag., 51 (2013), 114–119.
[3]	J. A. Wickboldt, W. P. De Jesus, P. H. Isolani, et al., Software-defined networking: management requirements and challenges. IEEE Commun. Mag., 53 (2015), 278–285.
[4]	D. Kreutz, F. M. Ramos, P. Verissimo, et al., Software-defined networking: A comprehensive survey, P. IEEE, 103 (2015), 14–76.
[5]	I. Ahmad, S. Namal, M. Ylianttila, et al., Security in software defined networks: A survey, IEEE Commun. Surv. Tut., 17 (2015), 2317–2346.
[6]	Z. Shu, J. Wan, D. Li, et al., Security in software-defined networking: Threats and countermeasures, Mobile Netw. Appl., 21 (2016), 764–776.
[7]	Z. Cai, C. Hu, K. Zheng, et al., Network security and management in SDN, Secur. Commun. Netw., (2018).
[8]	A. Shaghaghi, M. A. Kaafar, R. Buyya, et al., Software-defined network (sdn) data plane security: Issues, solutions and future directions, (2018), arXiv preprint arXiv:180400262.
[9]	S. Gao, Z. Li, B. Xiao, et al., Security threats in the data plane of software-defined networks, IEEE network, 32 (2018), 108–113.
[10]	N. Mckeown, T. Anderson, H. Balakrishnan, et al., OpenFlow: Enabling innovation in campus networks, ACM SIGCOMM Comp. Com., 38 (2008), 69–74.
[11]	Open Networking Foundation, OpenFlow Switch Specification Version 1.4.0., 2013. Available from: https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-spec-v1.4.0.pdf.
[12]	P. Bosshart, D. Daly, G. Gibb, et al., P4: Programming protocol-independent packet processors, ACM SIGCOMM Comp. Com., 44 (2014), 87–95.
[13]	M. Dhawan, R. Poddar, K. Mahajan, et al., SPHINX: Detecting security attacks in software-defined networks, NDSS, (2015), 8–11.
[14]	T. Sasaki, C. Pappas, T. Lee, et al., SDNsec: Forwarding accountability for the SDN data plane, IEEE, (2016), 1–10.
[15]	S. W. Shin and G. Gu, Cloudwatcher: Network security monitoring using openflow in dynamic cloud networks, IEEE, (2012), 1–6.
[16]	P. Bosshart, G. Gibb, H. S. Kim, et al., Forwarding metamorphosis: Fast programmable match-action processing in hardware for SDN, ACM SIGCOMM Comp. Com., 43 (2013), 99–110.
[17]	A. Shamir, Identity-based cryptosystems and signature schemes, Springer, (1984), 47–53.
[18]	T. Kivinen and M. Kojo, RFC 3526: More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE), 2003. Available from: http://tools.ietf.org/html/rfc3526.
[19]	N. F. Pub, Advanced encryption standard (AES), Federal information processing standards publication, 197 (2001), 0311.
[20]	M. Dworkin, Recommendation for block cipher modes of operation. NIST, (2001).

Reader Comments

Your name:*

Email:*
© 2019 the Author(s), licensee AIMS Press. This is an open access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0)