PERM-GUARD: Authenticating the Validity of Flow Rules in Software Defined Networking

Abstract

Software Defined Networking (SDN) is one type of the flow-rule-driven networks. In SDN, a centralized controller dictates the network behavior and configures network devices via flow rules. Therefore, the validity and consistency of flow rules are the critical for the security of operations in SDN, requiring a secure and efficient mechanism to manage and authenticate flow rules between the controller and network devices. In this paper, we aim to develop solutions to guarantee the validity of flow rules in SDN. We analyze the mechanisms that generate and manage flow rules in SDN, and present PERM-GUARD, a fine-grained permission management and authentication scheme for flow rules in SDN. PERM-GUARD employs a new permission authentication model and introduces an identity-based signature scheme for the controller to verify the validity of flow rules. We conduct theoretical analysis and simulation-based evaluation of PERM-GUARD. The results demonstrate that PERM-GUARD can efficiently identify and reject fake flow rules generated by unregistered applications. Meanwhile, it can also effectively filter out unauthorized flow rules created by valid applications, and trace their creator timely and accurately.