Abstract

Software Defined Network (SDN) is an emerging networking paradigm that adds programmability to traditional networks and reduces hardware cost by decoupling the control plane and management plane from the data plane in SDN devices. The control plane is responsible for translating network policies into rules applied on SDN devices using a communication protocol (OpenFlow). These policies are configured in network applications. Because rules are generated from different sources, rules with spoofed addresses can be applied on SDN devices and conflict with each other. This conflict is a security concern that can be used to exploit network policies. This paper presents a technique for protecting against rule insertion conflicts with spoofed addresses in dynamic network topologies. The proposed technique replaces the physical and logical addresses in rules with SDN device port numbers, which represent the hosts' address positions in the SDN network. These positions are updated upon network topology changes by using the DHCP and link discovery services in the SDN controller. A HashMap is then used to store the replaced rules so that rules inserted with spoofed addresses are detected during the rule insertion process. Extensive simulations using different numbers of rules show the ability of the proposed technique to detect conflicts accurately with low processing overhead.
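
A sketch of the position-keyed check the abstract describes, added here as an illustration and not taken from the paper. The class, field names, status strings and sample addresses are assumptions, and a conflict is assumed to mean two rules for the same source and destination positions with different actions.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    src: str     # source address as written by the application (IP or MAC)
    dst: str     # destination address
    action: str  # "allow" or "deny"
    app: str     # issuing application (hypothetical field)

class PositionRuleStore:
    def __init__(self):
        self.position = {}   # address -> (switch_id, port), fed by DHCP / link discovery
        self.installed = []  # accepted rules, kept in address form
        self.index = {}      # (src_pos, dst_pos) -> Rule, the hash map used for lookups

    def _key(self, rule):
        return (self.position[rule.src], self.position[rule.dst])

    def bind(self, address, switch_id, port):
        """Record where an address is attached, then re-key the stored rules."""
        self.position[address] = (switch_id, port)
        self.index = {self._key(r): r for r in self.installed}

    def insert(self, rule):
        """Return (status, conflicting_rule_or_None)."""
        if rule.src not in self.position or rule.dst not in self.position:
            return ("unknown-position", None)
        key = self._key(rule)
        held = self.index.get(key)
        if held is not None and held.action != rule.action:
            return ("conflict", held)
        self.installed.append(rule)
        self.index[key] = rule
        return ("installed", None)

def demo():
    store = PositionRuleStore()
    # Constructed topology: switch ids, ports and addresses are sample values.
    store.bind("10.0.0.1", "s1", 1)
    store.bind("10.0.0.3", "s2", 2)
    first = store.insert(Rule("10.0.0.1", "10.0.0.3", "deny", "firewall"))
    # The host on s1 port 1 presents a second address; its position is unchanged.
    store.bind("10.0.0.9", "s1", 1)
    second = store.insert(Rule("10.0.0.9", "10.0.0.3", "allow", "router"))
    # Topology change: the destination moves, so the deny rule is re-keyed.
    store.bind("10.0.0.3", "s3", 5)
    third = store.insert(Rule("10.0.0.9", "10.0.0.3", "allow", "router"))
    return first[0], second[0], third[0]
```

Comparing the two rules by address alone would find no overlap between 10.0.0.1 and 10.0.0.9; keyed by position they collide on the same hash map entry.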
