Application-aware and Dynamic Security Function Chaining for Mobile Networks

Abstract

Mobile networks have urgent demands of fine-grained, cost-effective and flexible service provision for diversified user traffic. To cope with these demands, researchers have proposed various Service Function Chaining (SFC) solutions with the rise of Software Defined Networking (SDN) and Network Function Virtualization (NFV) technologies. However, most of them are performed based on MAC address and/or OpenFlow protocols without Network Service Header (NSH) support, having drawbacks in complexity, scalability and flexibility. NSH-based approaches are more promising for mobile networks, since they support metadata-based packet information sharing and policy enforcement. Moreover, a hierarchical SFC (hSFC) architecture is proposed to alleviate the scalability and management problems in large-scale networks. Nevertheless, how to realize application awareness and on-demand service provision has not been investigated thoroughly in the hSFC environment. Thus, in this paper, we propose a proactive-based branching approach for application-aware and dynamic security function chaining, where application features are analyzed at first, and then carried in the metadata of NSHs for subsequent processes by the relevant security functions. In this way, the data plane is able to redirect traffic based on metadata without the participation of control plane. Besides, we verify the proposed approach through our prototype system via two typical use cases, the application-aware traffic control and lawful interception, and the related experiment results confirm its feasibility and elasticity