A novel software-defined network packet security tunnel forwarding mechanism

Zhengzhou Institute of Information Science and Technology, Zhengzhou, 450001, China

Special Issues: Security and Privacy in Smart Computing

The OpenFlow protocol's match-field capacity is fixed and limited, and packet forwarding in a software-defined network lacks valid authentication of the data source, integrity verification, and a confidentiality protection mechanism. OpenFlow only supports establishing MPLS label tunnels and therefore cannot establish a secure tunnel flexibly. To solve these problems, we propose P4Sec, a novel software-defined network packet security tunnel forwarding mechanism. Because P4 allows the data plane to be reprogrammed to realize custom packet-forwarding behaviour, we build a software-defined network security tunnel that prevents malicious tampering, theft, forgery and other malicious network behaviour against data, and implements packet routing and forwarding based on gateway identity. Finally, we construct a P4Sec prototype system on the software switch BMv2, verify the effectiveness of the mechanism through experimental analysis, and evaluate its overhead. The results demonstrate that the P4Sec security mechanism ensures the authenticity, integrity, and confidentiality of forwarded data, and meets the secure forwarding requirements of data packets in a software-defined network.

Keywords software-defined network; packet forwarding; security tunnel; P4; identity-based signature

Citation: Zhibin Zuo, Rongyu He, Xianwei Zhu, Chaowen Chang. A novel software-defined network packet security tunnel forwarding mechanism. Mathematical Biosciences and Engineering, 2019, 16(5): 4359-4381. doi: 10.3934/mbe.2019217



© 2019 the Author(s), licensee AIMS Press. This is an open access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0)
