10,971 research outputs found
SDN Architecture and Southbound APIs for IPv6 Segment Routing Enabled Wide Area Networks
The SRv6 architecture (Segment Routing based on IPv6 data plane) is a
promising solution to support services like Traffic Engineering, Service
Function Chaining and Virtual Private Networks in IPv6 backbones and
datacenters. The SRv6 architecture has interesting scalability properties as it
reduces the amount of state information that needs to be configured in the
nodes to support the network services. In this paper, we describe the
advantages of complementing the SRv6 technology with an SDN based approach in
backbone networks. We discuss the architecture of a SRv6 enabled network based
on Linux nodes. In addition, we present the design and implementation of the
Southbound API between the SDN controller and the SRv6 device. We have defined
a data-model and four different implementations of the API, respectively based
on gRPC, REST, NETCONF and remote Command Line Interface (CLI). Since it is
important to support both the development and testing aspects we have realized
an Intent based emulation system to build realistic and reproducible
experiments. This collection of tools automate most of the configuration
aspects relieving the experimenter from a significant effort. Finally, we have
realized an evaluation of some performance aspects of our architecture and of
the different variants of the Southbound APIs and we have analyzed the effects
of the configuration updates in the SRv6 enabled nodes
The Rise of Mobile and the Diffusion of Technology-Facilitated Trafficking
In this report, researchers at the USC Annenberg Center on Communication Leadership & Policy (CCLP) reveal how those involved in human trafficking have been quick to adapt to the 21st-century global landscape. While the rapid diffusion of digital technologies such as mobile phones, social networking sites, and the Internet has provided significant benefits to society, new channels and opportunities for exploitation have also emerged. Increasingly, the business of human trafficking is taking place online and over mobile phones. But the same technologies that are being used for trafficking can become a powerful tool to combat trafficking. The precise role that digital technologies play in human trafficking still remains unclear, however, and a closer examination of the phenomenon is vital to identify and respond to new threats and opportunities.This investigation indicates that mobile devices and networks have risen in prominence and are now of central importance to the sex trafficking of minors in the United States. While online platforms such as online classifieds and social networking sites remain a potential venue for exploitation, this research suggests that technology facilitated trafficking is more diffuse and adaptive than initially thought. This report presents a review of current literature, trends, and policies; primary research based on mobile phone data collected from online classified sites; a series of firsthand interviews with law enforcement; and key recommendations to policymakers and stakeholders moving forward
The Challenges in SDN/ML Based Network Security : A Survey
Machine Learning is gaining popularity in the network security domain as many
more network-enabled devices get connected, as malicious activities become
stealthier, and as new technologies like Software Defined Networking (SDN)
emerge. Sitting at the application layer and communicating with the control
layer, machine learning based SDN security models exercise a huge influence on
the routing/switching of the entire SDN. Compromising the models is
consequently a very desirable goal. Previous surveys have been done on either
adversarial machine learning or the general vulnerabilities of SDNs but not
both. Through examination of the latest ML-based SDN security applications and
a good look at ML/SDN specific vulnerabilities accompanied by common attack
methods on ML, this paper serves as a unique survey, making a case for more
secure development processes of ML-based SDN security applications.Comment: 8 pages. arXiv admin note: substantial text overlap with
arXiv:1705.0056
Outsmarting Network Security with SDN Teleportation
Software-defined networking is considered a promising new paradigm, enabling
more reliable and formally verifiable communication networks. However, this
paper shows that the separation of the control plane from the data plane, which
lies at the heart of Software-Defined Networks (SDNs), introduces a new
vulnerability which we call \emph{teleportation}. An attacker (e.g., a
malicious switch in the data plane or a host connected to the network) can use
teleportation to transmit information via the control plane and bypass critical
network functions in the data plane (e.g., a firewall), and to violate security
policies as well as logical and even physical separations. This paper
characterizes the design space for teleportation attacks theoretically, and
then identifies four different teleportation techniques. We demonstrate and
discuss how these techniques can be exploited for different attacks (e.g.,
exfiltrating confidential data at high rates), and also initiate the discussion
of possible countermeasures. Generally, and given today's trend toward more
intent-based networking, we believe that our findings are relevant beyond the
use cases considered in this paper.Comment: Accepted in EuroSP'1
Know Your Enemy: Stealth Configuration-Information Gathering in SDN
Software Defined Networking (SDN) is a network architecture that aims at
providing high flexibility through the separation of the network logic from the
forwarding functions. The industry has already widely adopted SDN and
researchers thoroughly analyzed its vulnerabilities, proposing solutions to
improve its security. However, we believe important security aspects of SDN are
still left uninvestigated. In this paper, we raise the concern of the
possibility for an attacker to obtain knowledge about an SDN network. In
particular, we introduce a novel attack, named Know Your Enemy (KYE), by means
of which an attacker can gather vital information about the configuration of
the network. This information ranges from the configuration of security tools,
such as attack detection thresholds for network scanning, to general network
policies like QoS and network virtualization. Additionally, we show that an
attacker can perform a KYE attack in a stealthy fashion, i.e., without the risk
of being detected. We underline that the vulnerability exploited by the KYE
attack is proper of SDN and is not present in legacy networks. To address the
KYE attack, we also propose an active defense countermeasure based on network
flows obfuscation, which considerably increases the complexity for a successful
attack. Our solution offers provable security guarantees that can be tailored
to the needs of the specific network under consideratio
- …