Abstract

Software-defined networking (SDN) architecture is characterized by the separation of the data plane from the control plane. This separation enables a programmable network environment. Despite the many benefits of this architecture, the security of an SDN network remains an important concern. In particular, Denial of Service (DoS) attacks challenge SDN architectures in several ways. Solutions that act on the control plane require continuous communication with the data plane, which can introduce higher processing delays and, in turn, lengthen the time needed to detect an attack. Solutions that work in the data plane, on the other hand, seek to reduce this processing time, but they are still limited to a restricted set of traffic-analysis functionality, which narrows the scope of the security solutions that can be developed there. This paper proposes a data plane architecture that allows more sophisticated solutions to be implemented directly in the data plane. The proposed architecture consists of a component that works alongside the P4 switch and gives the switch the flexibility to handle more complex operations. The architecture also supports the OpenFlow protocol, ensuring compatibility with currently deployed controllers. We compared two DoS attack detection techniques (chi-square and entropy) when applied in the control plane and in the data plane. Experimental results show that the two planes yield similar detection accuracy, although the data plane requires fewer packets to detect the attack, on average 45% fewer than the control plane.
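As an added illustration (not code from the paper), the two detection statistics the abstract compares, computed over constructed windows of per-packet destination IPs; the host set, window size and alarm thresholds are assumptions chosen for the example.

```python
import math
from collections import Counter

# Constructed sample traffic (not from the paper): each entry is the destination
# IP of one packet in a fixed-size window of 40 packets, as a P4 switch might
# accumulate in per-destination counters before they are read out.
HOSTS = [f"10.0.0.{i}" for i in range(1, 9)]
NORMAL_WINDOW = [h for h in HOSTS for _ in range(5)]   # 5 packets to each host
ATTACK_WINDOW = ["10.0.0.8"] * 33 + HOSTS[:7]          # flood on one victim

# Thresholds are illustrative assumptions; a deployment would derive them from
# baseline traffic. 14.067 is the chi-square critical value for df=7, alpha=0.05.
ENTROPY_FLOOR = 2.0
CHI2_CRITICAL = 14.067


def shannon_entropy(window):
    """Entropy (bits) of the destination distribution; it falls sharply
    when traffic concentrates on a single victim."""
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in Counter(window).values())


def chi_square(window, hosts):
    """Chi-square statistic of observed per-destination counts against the
    baseline expectation of an even spread across the known hosts."""
    counts = Counter(window)
    expected = len(window) / len(hosts)
    return sum((counts.get(h, 0) - expected) ** 2 / expected for h in hosts)


def detect(window, hosts=HOSTS):
    """Return (entropy, chi2, entropy_alarm, chi2_alarm) for one window."""
    h = shannon_entropy(window)
    x2 = chi_square(window, hosts)
    return h, x2, h < ENTROPY_FLOOR, x2 > CHI2_CRITICAL


if __name__ == "__main__":
    for name, w in (("normal", NORMAL_WINDOW), ("attack", ATTACK_WINDOW)):
        h, x2, ea, ca = detect(w)
        print(f"{name}: H={h:.3f} chi2={x2:.1f} "
              f"entropy_alarm={ea} chi2_alarm={ca}")
```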
