1 research outputs found
A Framework and Comparative Analysis of Control Plane Security of SDN and Conventional Networks
Software defined networking implements the network control plane in an
external entity, rather than in each individual device as in conventional
networks. This architectural difference implies a different design for control
functions necessary for essential network properties, e.g., loop prevention and
link redundancy. We explore how such differences redefine the security
weaknesses in the SDN control plane and provide a framework for comparative
analysis which focuses on essential network properties required by typical
production networks. This enables analysis of how these properties are
delivered by the control planes of SDN and conventional networks, and to
compare security risks and mitigations. Despite the architectural difference,
we find similar, but not identical, exposures in control plane security if both
network paradigms provide the same network properties and are analyzed under
the same threat model. However, defenses vary; SDN cannot depend on edge based
filtering to protect its control plane, while this is arguably the primary
defense in conventional networks. Our concrete security analysis suggests that
a distributed SDN architecture that supports fault tolerance and consistency
checks is important for SDN control plane security. Our analysis methodology
may be of independent interest for future security analysis of SDN and
conventional networks