Abstract

The adoption of Software-Defined Networks (SDN) and the shift towards programmable data planes have led to better network management. However, this has not been accompanied by the implementation of robust host authentication or access control mechanisms to improve network security and prevent unauthorized access to the network. The current literature has explored the implementation of the widely adopted authentication mechanism, port knocking, in SDN to address host authentication. However, these approaches suffer from two major drawbacks that make them vulnerable to MITM (Man-In-The-Middle) attacks: the unsecured transfer of the port knocking sequences between the SDN controller and hosts, and the lack of a host identity verification mechanism after port knocking authentication. This paper introduces P4-sKnock: a P4-based two-level host authentication and access control mechanism. The first level introduces encrypted dynamic port knocking, which secures the transfer of port knocking sequences over a compromised channel by encrypting them. Further, a challenge-response host identity verification mechanism is introduced as a second-level authentication measure, after which a host can be authorized, quarantined or blocked, with the programmability of the P4 switch providing robust access control. Experimental analysis shows that P4-sKnock can authenticate a new SDN host within 500 ms and mitigate MITM attacks such as IP spoofing and replay attacks, making it significantly more secure than previous P4-based port knocking authentication systems.
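The two levels described in the abstract, as an added simulation that is not the paper's code or its P4 program: a controller hands each host a fresh (dynamic) knock sequence encrypted under a pre-provisioned per-host key, accepts the knocks only once, then issues a random challenge whose response must be an HMAC over the challenge and the host's IP; a failed step quarantines the host and repeated failures block it. The per-host shared key, the stdlib-only HMAC-SHA256 keystream cipher, the four-port sequence length, the three-failure policy and the HMAC response format are all assumptions standing in for whatever P4-sKnock actually uses. Python is used here because the protocol logic, not the switch pipeline, is what the example shows.

```python
"""Constructed simulation of two-level host authentication: encrypted dynamic
port knocking followed by a nonce-based challenge-response identity check.
All keys, thresholds and message formats are assumptions for this example."""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, List, Optional, Set, Tuple

KNOCK_LEN = 4      # ports per knock sequence (assumed)
MAX_FAILURES = 3   # failures before a host moves from quarantined to blocked (assumed)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> Tuple[bytes, bytes, bytes]:
    """Return (nonce, ciphertext, tag); a fresh nonce per message."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce, ct, hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> Optional[bytes]:
    """Verify the tag before decrypting; None when the key is wrong or data tampered."""
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Controller:
    """Controller side: issues sequences, checks knocks, runs the challenge-response."""

    def __init__(self, host_keys: Dict[str, bytes]):
        self.host_keys = host_keys
        self.expected: Dict[str, List[int]] = {}   # ip -> single-use knock sequence
        self.challenges: Dict[str, bytes] = {}     # ip -> outstanding challenge nonce
        self.used_challenges: Set[bytes] = set()   # replay detection for responses
        self.failures: Dict[str, int] = {}
        self.state: Dict[str, str] = {}            # unauthenticated/knocked/authorized/quarantined/blocked

    def issue_sequence(self, ip: str) -> Tuple[bytes, bytes, bytes]:
        """Level 1: random ports, sent encrypted so an eavesdropper learns nothing."""
        ports = [secrets.randbelow(64512) + 1024 for _ in range(KNOCK_LEN)]
        self.expected[ip] = ports
        self.state[ip] = "unauthenticated"
        return encrypt(self.host_keys[ip], struct.pack(">%dH" % KNOCK_LEN, *ports))

    def observe_knocks(self, ip: str, ports: List[int]) -> Optional[bytes]:
        """Consume the sequence; a correct knock earns a challenge, anything else fails."""
        if self.state.get(ip) == "blocked":
            return None
        if ports != self.expected.pop(ip, None):   # pop: a replayed sequence finds nothing
            return self._fail(ip)
        self.state[ip] = "knocked"
        self.challenges[ip] = secrets.token_bytes(16)
        return self.challenges[ip]

    def verify_response(self, ip: str, challenge: bytes, response: bytes) -> str:
        """Level 2: response must be HMAC(key, challenge || ip) for an unused challenge."""
        if self.state.get(ip) == "blocked":
            return "blocked"
        issued = self.challenges.pop(ip, None)
        if issued is None or issued != challenge or challenge in self.used_challenges:
            self._fail(ip)
            return self.state[ip]
        self.used_challenges.add(challenge)
        expected = hmac.new(self.host_keys[ip], challenge + ip.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            self.state[ip] = "authorized"
        else:
            self._fail(ip)
        return self.state[ip]

    def _fail(self, ip: str) -> None:
        self.failures[ip] = self.failures.get(ip, 0) + 1
        self.state[ip] = "blocked" if self.failures[ip] >= MAX_FAILURES else "quarantined"
        return None


class Host:
    """Host side: decrypts its sequence and answers the controller's challenge."""

    def __init__(self, ip: str, key: bytes):
        self.ip, self.key = ip, key

    def recover_sequence(self, nonce: bytes, ct: bytes, tag: bytes) -> Optional[List[int]]:
        pt = decrypt(self.key, nonce, ct, tag)
        return None if pt is None else list(struct.unpack(">%dH" % KNOCK_LEN, pt))

    def answer(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge + self.ip.encode(), hashlib.sha256).digest()


def run_scenario() -> Dict[str, object]:
    """Legitimate login, then an eavesdropper and a replay from a spoofed source IP."""
    key = secrets.token_bytes(32)                       # constructed per-host key
    ctrl, host = Controller({"10.0.0.1": key}), Host("10.0.0.1", key)
    nonce, ct, tag = ctrl.issue_sequence("10.0.0.1")
    ports = host.recover_sequence(nonce, ct, tag)
    challenge = ctrl.observe_knocks("10.0.0.1", ports)
    legit = ctrl.verify_response("10.0.0.1", challenge, host.answer(challenge))
    eavesdropper_sees = decrypt(secrets.token_bytes(32), nonce, ct, tag)   # wrong key
    replay_knock = ctrl.observe_knocks("10.0.0.1", ports)                  # sequence consumed
    replay_state = ctrl.verify_response("10.0.0.1", challenge, host.answer(challenge))
    final_state = ctrl.verify_response("10.0.0.1", challenge, b"garbage")  # third failure
    return {"legit": legit, "eavesdropper_sees": eavesdropper_sees,
            "replay_knock": replay_knock, "replay_state": replay_state,
            "final_state": final_state}


if __name__ == "__main__":
    print(run_scenario())
```

The single-use sequence and single-use challenge are what defeat replay here: a captured knock sequence matches nothing on the second attempt, and a captured response is tied to a challenge the controller has already discarded, so a spoofed source IP gains nothing from either. The state transitions (quarantined after the first failure, blocked after the third) are the point at which a programmable switch would install the corresponding forwarding or drop rules.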
