Abstract

Software Defined Networks (SDN) and Network Function Virtualisation (NFV) are prime driving technologies behind 5G and Beyond 5G (B5G) communications. The segregation of network control intelligence in the SDN infrastructure enables dynamic network features (such as dynamic end-to-end management of security and quality of service (QoS)), offering significantly improved network performance. Even if one assumes that the centralised SDN controller can be security hardened and hence can be trusted, a fundamental challenge in such networks is that the data plane and switching devices are susceptible to cyberattacks. A malicious adversary can compromise them at run-time, making them unreliable for secure and trusted communications. Furthermore, the controller communicating with OpenFlow switching devices is unable to accurately assess the state of the switching devices, which serve as the communication base for NFVs in 5G networks. Vulnerable switching devices can put the whole 5G network infrastructure at risk. Hence, there is a clear need for the controller and the management layer to determine the trustworthiness of the switching devices at run-time. The current trend is for many such devices to deploy trusted computing functionality such as Trusted Platform Module (TPM) or Software Guard Extensions (SGX) to achieve local as well as remote attestation. In this paper, we present a dynamic trust management framework for evaluating the trustworthiness of the OpenFlow switching devices deployed in SDN-based networks. We formulate device properties that need to be assessed to determine the trust status of the device. We develop a trust-enhanced security architecture which can be used to evaluate the trustworthiness of devices and determine their deployment in the provision of network services.
The proposed framework uses subjective-logic-based techniques to derive trust levels of the switching devices at run-time, which are then used by the architecture to make trust-enhanced decisions on the provision of network services. A prototype implementation of the proposed architecture is described, which demonstrates how the trustworthiness of the OpenFlow devices is assessed at run-time. The paper concludes with the performance and security analysis of the implemented trust-enhanced architecture services.
