Building a reliable and secure management framework for software-defined networks
The Software-Defined Networking (SDN) technologies promise to enhance the performance and cost of managing both wired and wireless network infrastructures, functions, controls, and services (i.e., Internet of Things). However, centralized management in softwarization architecture poses new security, reliability, and scalability challenges. Significantly, the current OpenFlow Discovery Protocol (OFDP) in SDN induces substantial issues due to its gossipy, centralized, periodic, and tardy protocol. Furthermore, the problems are aggravated in the wireless and mobile SDN due to the dynamic topology churns and the lack of link-layer discovery methods. In this work, we tackle both security and reliability management issues in SDN. Specifically, we design and build a novel multitemporal cross-stratum discovery protocol framework, which efficiently orchestrates different reliability monitoring mechanisms over SDN networks and synchronizes the control messages among various applications. It facilitates multiple discovery frequency timers for each target over different strata instead of using a uniform discovery timer for the entire network. It supports many common reliability monitoring factors for registered applications by analyzing offline and online network architecture information such as network topologies, traffic flows, virtualization architectures, and protocols. The framework consists of traffic-aware discovery (TaDPole) and centrality-aware protocol (CAMLE) facilities. We implemented the framework on the Ryu controller. Extensive Mininet experimental results validate that the framework significantly improves discovery message efficiency and makes the control traffic less bursty than OFDP with a uniform timer. It also reduces the network status discovery delay without increasing the control overhead.
We then evaluated the security issues in SDN and proposed an SDN-based Wormhole Analysis using the Neighbor Similarity (SWANS) approach as a novel wormhole countermeasure in a Software-defined MANET. As SWANS analyses the similarity of neighbor counts at a centralized SDN controller, it detects wormholes not only without requiring any particular location information but also without causing significant communication and coordination overhead. SWANS also counters various false-positive and false-negative scenarios generated by the Link Layer Discovery Protocol (LLDP) vulnerability. We performed extensive studies via both analysis and simulations. Our simulation results show that SWANS can detect wormhole attacks efficiently with low false-positive and false-negative rates.
Table of Contents
Introduction -- Background -- Literature review -- Traffic-aware discovery protocol for software-defined wireless and mobile networks -- Centrality-aware multitemporal discovery protocol for software-defined networks -- SDN-based wormhole analysis using the neighbor similarity for a Mobile Ad hoc Network (MANET) -- Conclusions and future work
Ph.D. (Doctor of Philosophy)