As an emerging network architecture, the software-defined network (SDN) has received wide attention from academia and the network industry. The basic feature of the SDN architecture is the physical separation of the control plane and the data plane (or forwarding plane): a logically centralized control plane collects information, maintains network status and provides instructions to the data plane, which forwards packets based on these instructions. The architectural advantage of decoupling the control plane from the data plane gives SDN dynamic, flexible network configuration and rapid deployment of new protocols. However, SDN faces not only the security threats of traditional networks but also security threats unique to its architecture, and security issues have become a constraint on the large-scale deployment of SDN. The integrity of packets and the credibility and authenticity of communication are important guarantees of network security. In SDN, packet forwarding also faces malicious node attacks such as packet forgery and injection, packet tampering, and packet dropping and hijacking, as well as inconsistency between the actual packet transmission path and the expected path caused by software and hardware defects, network configuration errors, inconsistent flow rule updates and so on. SDN lacks tools to ensure that the data plane follows policy or to proactively check the actual forwarding behaviour of the network, so the control plane is blind to the true forwarding behaviour of data plane nodes.

Existing methodologies for SDN data plane packet forwarding security, of which packet forwarding verification, data plane security enhancement, forwarding exception detection and path consistency verification are the representative mechanisms, ensure the security of SDN flow packet forwarding, exception detection and path verification to a certain extent. However, they face the following challenges in terms of packet transmission efficiency, network bandwidth overhead and applicability. Firstly, following traditional network methodology, the existing security verification mechanisms insert cryptographic tags that scale linearly with path length into the packet header space, which introduces large bandwidth and computation overhead and reduces network efficiency. Secondly, the packet forwarding verification and data plane security enhancement mechanisms lack an effective method for locating network abnormalities. Thirdly, an attacker can launch hybrid attacks to evade this kind of packet forwarding abnormality detection mechanism. Finally, by injecting a large amount of non-service traffic into the network or inserting network status information that scales linearly with path length, the existing path consistency verification mechanisms increase the network load and restrain actual deployment in SDN.

This paper focuses on packet forwarding security technology for the data plane in SDN. Based on the unique features of SDN, namely centralized control, a global network view and programmability, and in view of the security threats to data plane packet forwarding and the path consistency of packet transmission, efficient schemes for packet forwarding security and path consistency of packet transmission are proposed in order to achieve reliable, credible and verifiable packet forwarding. The core research of this paper is as follows.

(1) A constant-size credential based data plane packet forwarding verification method in SDN is proposed. Bandwidth overhead and computational overhead are the key factors in the deployment of a packet forwarding verification mechanism. Adopting the methodology of packet forwarding verification solutions from traditional IP networks in SDN means inserting cryptographic fields into the packet header space that grow linearly with path length, which introduces significant bandwidth and computation overhead, increases packet transfer delay and reduces network efficiency. A packet forwarding verification mechanism based on a constant-size credential is proposed, which ensures the integrity of packets and the credibility of communication. The mechanism constructs a Bloom filter based packet validation credential of constant size; the length of the credential is independent of the flow path length, and each switch node verifies the integrity of the packet based on the credential. The scheme effectively limits the overhead of the fields inserted into the packet header space, thus avoiding the disadvantage of existing mechanisms that add fields growing linearly with path length, reducing computation overhead and bandwidth overhead, and requiring fewer cryptographic operations than similar mechanisms. In addition to the network performance advantage, the proposed mechanism can also efficiently localize abnormal links.

(2) A port-address overloading based data plane packet forwarding security enforcement mechanism in SDN is proposed. In order to enforce data plane security, ensure the integrity of forwarded packets and the credibility of communication, and locate network abnormalities, a port-address overloading based packet forwarding security enforcement mechanism is proposed. We design a type of information "overloading" technology. Its core idea is probabilistic verification of packets together with port-address overloading: "origin" integrity verification is abandoned in favour of probabilistic verification based on a short message authentication code. The address and port information of the IP packet is reconstructed using the short message authentication code, so that the address and port information is overloaded. Thus there is no need to insert additional fields into the header space, and no additional header space overhead is introduced. Compared with similar mechanisms, the proposed mechanism not only enhances the security of the data plane but also reduces the bandwidth overhead and forwarding delay introduced by inserting extra fields into the packet header space, achieving an equilibrium between security and efficiency. In addition, in view of malicious injection and dropping attacks, the exception detection thresholds for injection and dropping attacks are derived by theoretical analysis. The proposed mechanism implements detection and location of malicious attacks and effectively enhances data plane security.

(3) An address overloading based abnormality detection mechanism for the data plane in SDN is proposed. The goals are to achieve efficient packet forwarding while introducing only limited computational and communication overhead; to effectively detect malicious packet injection/tampering and dropping/hijacking attacks during packet transmission; to avoid the computational and communication overhead introduced by incorporating a new secure communication protocol into the data plane and embedding additional fields; to solve the problem that the controller finds it difficult to capture complex attacks such as insertion, deletion, delay, modification, replay and dropping of packets; and to overcome the issue that counter-based anomaly detection mechanisms depend strictly on time synchronization. To these ends, an abnormality detection mechanism based on address overloading is proposed. Its core ideas are statistical synchronization of packet transmission and a hash-based packet sampling technique. Inspired by the idea of address hopping in moving target defense, the address overloading technology designed here overcomes the drawback of existing mechanisms, which develop a new secure communication protocol for the data plane in order to implement hop-by-hop packet verification and anomaly detection. Based on address overloading technology, the proposed scheme ensures the synchronization of packet statistics and realizes efficient packet forwarding. Through hash-based packet sampling, the controller can effectively detect complex attacks against packet forwarding. The advantages of the scheme are that there is no need to develop a new secure communication protocol for the data plane, the modification to the data plane is trivial, and it is applicable and easy to deploy in practice.

(4) A lightweight in-band network telemetry based packet forwarding path consistency verification mechanism is proposed. Software and hardware defects in SDN, such as in switches and operating systems, wrong network configuration, possible inconsistent updates of flow rules and malicious path modification can cause the forwarded packets of a flow to deviate from the forwarding path intended by the controller. However, most existing mechanisms verify path consistency based on probes or in combination with in-band network telemetry technology, which introduces large network overhead. In order to avoid introducing excessive network overhead and to reduce the communication load on the data plane, a lightweight in-band network telemetry based path consistency verification mechanism is proposed. It combines packet forwarding with network measurement and effectively reduces the network overhead through two types of sampling: firstly, probability sampling reduces the number of embedded telemetry instructions and thereby the data plane overhead; secondly, uniform telemetry data updating and sampling compresses the header space overhead. The scheme realizes network-level path consistency verification through a heuristic flow selection algorithm. The scheme introduces negligible transmission delay, achieves an equilibrium between transmission efficiency and path consistency verification, and is near-real-time and applicable.
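The constant-size credential idea of contribution (1), as an added illustration that is not the dissertation's own scheme: per-switch keys, the filter size, the hash count and the truncated HMAC tag are all assumptions, chosen only to show why the credential length stays fixed while the path grows and how the first failing switch points at the suspect link.

```python
import hashlib
import hmac

# Illustrative parameters (assumptions, not the dissertation's values)
M_BITS = 256      # credential size in bits: fixed regardless of path length
K_HASHES = 4      # Bloom filter hash functions applied to each hop tag


def _bit_positions(tag: bytes) -> list:
    """Derive K_HASHES Bloom filter positions from a tag (counter-prefixed SHA-256)."""
    return [
        int.from_bytes(hashlib.sha256(bytes([i]) + tag).digest()[:4], "big") % M_BITS
        for i in range(K_HASHES)
    ]


def hop_tag(switch_key: bytes, packet: bytes) -> bytes:
    """Per-hop tag binding the packet content to one switch's key (truncated HMAC-SHA256)."""
    return hmac.new(switch_key, packet, hashlib.sha256).digest()[:8]


def build_credential(path_keys: list, packet: bytes) -> int:
    """Controller/ingress side: fold every on-path switch's tag into one M_BITS-bit filter."""
    credential = 0
    for key in path_keys:
        for pos in _bit_positions(hop_tag(key, packet)):
            credential |= 1 << pos
    return credential


def switch_verify(switch_key: bytes, packet: bytes, credential: int) -> bool:
    """Switch side: membership test of its own tag; any change to the packet changes the tag."""
    return all((credential >> pos) & 1 for pos in _bit_positions(hop_tag(switch_key, packet)))


def forward_path(path_keys: list, packet: bytes, credential: int, tamper_before_hop=None):
    """Simulate hop-by-hop verification. Returns the index of the first switch whose check
    fails (the link into that switch is the suspect link), or None if the path is clean.
    tamper_before_hop models a constructed in-transit modification on that link."""
    for i, key in enumerate(path_keys):
        if tamper_before_hop == i:
            packet = packet + b"\x00"   # constructed tampering: one appended byte
        if not switch_verify(key, packet, credential):
            return i
    return None


if __name__ == "__main__":
    keys = [b"sw1-key", b"sw2-key", b"sw3-key", b"sw4-key"]   # constructed per-switch keys
    pkt = b"constructed flow packet #1"
    cred = build_credential(keys, pkt)
    print(cred.bit_length() <= M_BITS, forward_path(keys, pkt, cred), forward_path(keys, pkt, cred, 2))
```

A Bloom filter never rejects a legitimate hop, but an off-path or tampered tag passes with a small false-positive probability that grows with the number of hops folded into the fixed filter, which is the trade-off between credential size and detection strength.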
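The hash-based packet sampling and statistic synchronization of contribution (3), as an added illustration rather than the dissertation's mechanism: the sampling fraction, the switch model and the constructed dropping/injecting adversary are assumptions. The point it shows is that a content-driven sampling decision keeps every node's counter in step without clock synchronization, so the controller can compare adjacent counters and name the faulty link.

```python
import hashlib

# Illustrative parameters (assumptions, not the dissertation's values)
SAMPLE_FRACTION = 0.25       # fraction of packets each node counts
HASH_SPACE = 1 << 16


def is_sampled(packet: bytes) -> bool:
    """Content-driven sampling: every node reaches the same decision for the same
    packet, so per-node counters stay synchronized with no clock synchronization."""
    h = int.from_bytes(hashlib.sha256(packet).digest()[:2], "big")
    return h < int(SAMPLE_FRACTION * HASH_SPACE)


class Switch:
    def __init__(self, name: str):
        self.name = name
        self.sampled = 0          # counter later reported to the controller

    def forward(self, packet: bytes) -> None:
        if is_sampled(packet):
            self.sampled += 1


def transmit(path: list, packets: list, fault=None) -> None:
    """Push packets along the path. `fault` is a constructed adversary:
    ("drop", i) drops every second packet on the link leaving switch i;
    ("inject", i, extra) injects the packets in `extra` onto that link."""
    for n, pkt in enumerate(packets):
        for i, sw in enumerate(path):
            sw.forward(pkt)
            if fault and fault[0] == "drop" and fault[1] == i and n % 2 == 0:
                break                       # packet never reaches the rest of the path
    if fault and fault[0] == "inject":
        for pkt in fault[2]:
            for sw in path[fault[1] + 1:]:  # injected packets exist only downstream
                sw.forward(pkt)


def controller_verdicts(path: list) -> list:
    """Compare counters of adjacent switches; each verdict names the link it covers."""
    verdicts = []
    for up, down in zip(path, path[1:]):
        if up.sampled > down.sampled:
            kind = "drop"
        elif up.sampled < down.sampled:
            kind = "inject"
        else:
            kind = "ok"
        verdicts.append((f"{up.name}->{down.name}", kind))
    return verdicts
```

Because only a quarter of the packets are counted, a dropping or injecting node that touches just a handful of packets may escape a single report; the thresholds the dissertation derives for these attacks address exactly that sampling trade-off.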
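The probability-sampled in-band telemetry check of contribution (4), as an added illustration that is not the dissertation's implementation: the four-switch topology, the expected path, the sampling probability and the misconfigured forwarding entry are all constructed. It shows the ingress embedding a telemetry instruction in only a fraction of packets and the controller comparing the exported hop records with its own view of the path.

```python
import random

# Constructed topology: switch -> next hop as actually installed in the data plane
FORWARDING = {"s1": "s2", "s2": "s3", "s3": "s4", "s4": None}
EXPECTED_PATH = ["s1", "s2", "s3", "s4"]   # controller's intended path for the flow
SAMPLE_PROB = 0.1                           # telemetry instruction on a fraction of packets


def send_flow(num_packets: int, forwarding: dict, rng: random.Random) -> list:
    """Ingress decides per packet (with SAMPLE_PROB) whether to embed a telemetry
    instruction; only those packets collect per-hop switch ids. Returns the path
    records that the egress exports to the controller."""
    records = []
    for _ in range(num_packets):
        carries_int = rng.random() < SAMPLE_PROB
        hop, trace = "s1", []
        while hop is not None:
            if carries_int:
                trace.append(hop)        # switch appends its id to the telemetry header
            hop = forwarding[hop]
        if carries_int:
            records.append(trace)
    return records


def verify_path(records: list, expected: list) -> dict:
    """Controller side: compare each exported record with the expected path and
    report the first hop at which the observed path deviates."""
    result = {"sampled": len(records), "consistent": 0, "deviations": set()}
    for trace in records:
        if trace == expected:
            result["consistent"] += 1
            continue
        for exp, got in zip(expected, trace):
            if exp != got:
                result["deviations"].add((exp, got))
                break
        else:
            result["deviations"].add(("length", len(trace)))
    return result


if __name__ == "__main__":
    print(verify_path(send_flow(1000, FORWARDING, random.Random(7)), EXPECTED_PATH))
    wrong = dict(FORWARDING, s2="s4")       # constructed misconfiguration: s2 skips s3
    print(verify_path(send_flow(1000, wrong, random.Random(7)), EXPECTED_PATH))
```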