Security attacks and solutions on SDN control plane: A survey

Sommario Software Defined Networks (SDN) è un modello di rete programmabile aperto promosso da ONF , che è stato un fattore chiave per le recenti tendenze tecnologiche. SDN esplora la separazione dei dati e del piano di controllo . Diversamente dai concetti passati, SDN introduce l’idea di separazione del piano di controllo (decisioni di instradamento e traffico) e piano dati (decisioni di inoltro basate sul piano di controllo) che sfida l’integrazione verticale raggiunta dalle reti tradizionali, in cui dispositivi di rete come router e switch accumulano entrambe le funzioni. SDN presenta alcuni vantaggi come la gestione centralizzata e la possibilità di essere programmato su richiesta. Oltre a questi vantaggi, SDN presenta ancora vulnerabilità di sicurezza e, tra queste,le più letali prendono di mira il piano di controllo. Come i controllers che risiedono sul piano di con- trollo gestiscono l’infrastruttura e i dispositivi di rete sottostanti (es. router/switch), anche qualsiasi insicurezza, minacce, malware o problemi durante lo svolgimento delle attività da parte del controller, possono causare interruzioni dell’intera rete. In particolare, per la sua posizione centralizzata, il con- troller SDN è visto come un punto di fallimento. Di conseguenza, qualsiasi attacco o vulnerabilità che prende di mira il piano di controllo o il controller è considerato fatale al punto da sconvolgere l’intera rete. In questa tesi, le minacce alla sicurezza e gli attacchi mirati al piano di controllo (SDN) sono identificati e classificati in diversi gruppi in base a come causano l’impatto sul piano di controllo. Per ottenere risultati, è stata condotta un’ampia ricerca bibliografica attraverso uno studio appro- fondito degli articoli di ricerca esistenti che discutono di una serie di attacchi e delle relative soluzioni per il piano di controllo SDN. Principalmente, come soluzioni intese a rilevare, mitigare o proteggere il (SDN) sono stati presi in considerazione le potenziali minacce gli attachi al piano di controllo. Sulla base di questo compito, gli articoli selezionati sono stati classificati rispetto al loro impatto potenziale sul piano di controllo (SDN) come diretti e indiretti. Ove applicabile, è stato fornito un confronto tra le soluzioni che affrontano lo stesso attacco. Inoltre, sono stati presentati i vantaggi e gli svantaggi delle soluzioni che affrontano diversi attacchi . Infine, una discussione sui risultati e sui esitti ottenuti durante questo processo di indagine e sono stati affrontatti suggerimenti di lavoro futuri estratti du- rante il processo di revisione. Parole chiave : SDN, Sicurezza, Piano di controllo, Denial of Service, Attacchi alla topologiaAbstract Software Defined Networks (SDN) is an open programmable network model promoted by ONF that has been a key-enabler of recent technology trends. SDN explores the separation of data and control plane. Different from the past concepts, SDN introduces the idea of separation of the control plane (routing and traffic decisions) and data plane (forwarding decisions based on the control plane) that challenges the vertical integration achieved by the traditional networks, in which network devices such as router and switches accumulate both functions. SDN presents some advantages such as centralized management and the ability to be programmed on demand. Apart from these benefits, SDN still presents security vulnerabilities and among them, the most lethal ones are targeting the control plane. As the controllers residing on the control plane manages the underlying networking infrastructure and devices (i.e., routers/switches), any security threat, malware, or issues during the carrying out of activities by the controller can lead to disruption of the entire network. In particular, due to its centralized position, the (SDN) controller is seen as a single point of failure. As a result, any attack or vulnerability targeting the control plane or controller is considered fatal to the point of disrupting the whole network. In this thesis, the security threats and attacks targeting the (SDN) control plane are identified and categorized into different groups by considering how they cause an impact to the control plane. To obtain results, extensive literature research has been carried out by performing an in-depth study of the existing research articles that discusses an array of attacks and their corresponding solutions for the (SDN) control plane. Mainly, the solutions intended to detect, mitigate, or protect the (SDN) control plane against potential threats and attacks have been considered. On basis of this task, the potential articles selected were categorized with respect to their impact to the (SDN) control plane as direct and indirect. Where applicable a comparison of the solutions addressing the same attack has been provided. Moreover, the advantages and disadvantages of the solutions addressing the respective attacks are presented. Finally, a discussion regarding the findings and results obtained during this su- veying process and future work suggestions extracted during the review process have been discussed. Keywords: SDN, Security, Control Plane, Denial of Service, Topology Attacks, Openflo

Software Defined Based Pure VPN Protocol for Preventing IP Spoofing Attacks in IOT

The Internet of things (IoT) is the network of devices, vehicles, and home appliances that contain electronics, software, actuators, and connectivity which allows these things to connect, interact and exchange data. IoT involves extending Internet connectivity beyond standard devices, such as desktops, laptops, smart phones and tablets, to any range of traditionally dumb or non-internet-enabled physical devices and everyday objects. Embedded with technology, these devices can communicate and interact over the Internet, and they can be remotely monitored and controlled. Traditionally, current internet packet delivery only depends on packet destination IP address and forward devices neglect the validation of packet’s IP source address. It makes attacks can leverage this flow to launch attacks with forge IP source address so as to meet their violent purpose and avoid to be tracked. In order to reduce this threat and enhance internet accountability, many solution proposed in the inter domain and intra domain aspects. Furthermore, most of them faced with some issues hard to cope, i.e., data security, data privacy. And most importantly code cover PureVPN protocol for both inter and intra domain areas. The novel network architecture of SDN possess whole network PureVPN protocol rule instead of traditional SDN switches, which brings good opportunity to solve IP spoofing problems. However, use authentication based on key exchange between the machines on your network; something like IP Security protocol will significantly cut down on the risk of spoofing. This paper proposes a SDN based PureVPN protocol architecture, which can cover both inter and intra domain areas with encrypted format effectively than SDN devices. The PureVPN protocol scheme is significant in improving the security and privacy in SDN for IoT

FS-OpenSecurity : A taxonomic modeling of security threats in SDN for future sustainable computing

Peer reviewedPublisher PD

Content delivery network for secure of software defined networking by using IPv4, OpenFlow, and ALTO

Software defined networking is a programmability function network by easiness for maintenance and configuration. The administrators of network can change the traffic rules during the commuting process. SDN is an arising network structure with programmability and centralization and this leads to introduce potential security concerns. Though the TLS ability support secure for control plane but computationally aggravating and complex to configure as well as not compatible with OpenFlow protocol. For this reason, a content delivery network can be used to increase the ability of network services dynamically and automatically. In order that relieve the threat we proposed architecture for SDN depending on CDN. In our proposed architecture, we use application layer traffic optimization (ALTO) protocol to be as servers enable mapping for the network to produce a summarized vision. We also hide the identity of the forwarding devices by take advantage of IPv4 and OpenFlow transaction identification fields into the control packets through implement of two authentication structures via efficient Salsa20 stream cipher. Finally, the work results explain the proposed architecture can efficiently eliminate of attack types and provide more detectability to attackers