Abstract
OpenFlow makes a network highly flexible and fast-evolving by separating the control and data planes. The control plane thus becomes responsive to changes in topology and to load-balancing requirements. OpenFlow also offers a new approach to handling security threats accurately and responsively. Therefore, it is used as an innovative firewall that acts as first-hop security to protect networks against malicious users. However, the firewall provided by OpenFlow suffers from Internet Protocol version 6 (IPv6) fragmentation, which can be used to bypass the OpenFlow firewall. The OpenFlow firewall cannot identify the message payload unless the switch implements IPv6 fragment reassembly. This study tests the IPv6 fragmented packets that can evade the OpenFlow firewall, and proposes a new mechanism to guard against attacks carried out by malicious users to exploit the IPv6 fragmentation loophole in OpenFlow networks. The proposed mechanism is evaluated in a simulated environment using six scenarios, and the results show that the proposed mechanism effectively fixes the loophole and successfully prevents the abuse of IPv6 fragmentation in OpenFlow networks.
Highlights
The use of software-defined networking (SDN) has rapidly increased in the last decade, and this increased usage has resulted in a new technique to control and manage a network from a centralized controller [1]
OpenFlow networks are managed and controlled by centralized controllers, where switches adhere to policies to pass through or drop packets based on flow entries provided by the controllers
In the second type (Type-2), the attacker hides both the last extension header and the Upper-Layer header, so the switch cannot determine the type of Upper-Layer protocol. This concealment can be achieved by using a Fragment Header and two Extension Headers (i.e., Destination Options Header, Hop-By-Hop, or Routing Header)
Summary
The use of software-defined networking (SDN) has rapidly increased in the last decade, and this increased usage has resulted in a new technique to control and manage a network from a centralized controller [1]. Despite the capability of OpenFlow switches to reassemble IPv6 fragmented packets and prevent these attacks, the reassembly approach is not ideal and not even a valid solution for real-world network designs. RFC7112 recommends that intermediate systems (e.g., a firewall or router) discard these fragmented packets [14]. These protection techniques are not applicable and cannot be used to prevent attacks carried out using IPv6 fragments in OpenFlow networks. OpenFlow networks are managed and controlled by centralized controllers, where switches adhere to policies to pass through or drop packets based on flow entries provided by the controllers. These techniques seem impractical, as network administrators are forced to configure all switches in the network manually [15].
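The Type-2 concealment described in the highlights and the RFC7112 discard rule cited above can be checked without reassembly, by walking the extension header chain of a first fragment and refusing it when the chain never reaches a complete upper-layer header. The following is an added example written for this page, not code from the paper or from any OpenFlow implementation; the packets it parses are constructed samples, and header sizes follow the IPv6 base specification.

```python
import struct

EXT_HEADERS = {0, 43, 44, 60}                 # Hop-by-Hop, Routing, Fragment, Destination Options
UPPER_MIN_LEN = {6: 20, 17: 8, 58: 4, 59: 0}  # TCP, UDP, ICMPv6, No Next Header: minimum header bytes

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a base IPv6 header (constructed sample addresses from 2001:db8::/32)."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64, src, dst) + payload

def frag(next_header: int, offset: int, more: bool, ident: int) -> bytes:
    """Fragment Header: next header, reserved, 13-bit offset | M flag, identification."""
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)

def opts_hdr(next_header: int) -> bytes:
    """Minimal 8-byte Hop-by-Hop / Destination Options header holding one PadN option."""
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])

def inspect_first_fragment(pkt: bytes):
    """Return (verdict, upper_layer). 'drop' is the RFC7112 case: a first fragment
    (or unfragmented packet) whose header chain does not include the upper-layer header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ("not-ipv6", None)
    nh, off = pkt[6], 40
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):                  # chain is cut off: next header lives in a later fragment
            return ("drop", None)
        if nh == 44:                            # Fragment Header is a fixed 8 bytes and carries the offset
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off != 0:
                return ("non-first-fragment", None)   # only the first fragment carries the chain
            nh, off = pkt[off], off + 8
        else:                                   # other extension headers: (Hdr Ext Len + 1) * 8 bytes
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nh not in UPPER_MIN_LEN:
        return ("unknown-next-header", nh)
    if off + UPPER_MIN_LEN[nh] > len(pkt):      # upper-layer header absent or truncated
        return ("drop", nh)
    return ("pass", nh)

# Constructed samples. The benign first fragment carries its full UDP header; the evasive one
# (Type-2 style) ends inside a Destination Options chain, so the switch never sees the transport header.
BENIGN_FIRST_FRAG = ipv6(44, frag(17, 0, True, 0x1234) + struct.pack("!HHHH", 40000, 53, 1500, 0) + b"\x00" * 16)
EVASIVE_FIRST_FRAG = ipv6(0, opts_hdr(44) + frag(60, 0, True, 0x1234) + opts_hdr(60))
SECOND_FRAG = ipv6(44, frag(60, 1, False, 0x1234) + opts_hdr(6) + b"\x00" * 20)
```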