Abstract

Software-defined networking (SDN) is an innovative networking paradigm that allows network administrators to manage network services through the abstraction of higher-level functionality. This is done by decoupling the system that makes decisions about where traffic is sent (the control plane) from the underlying systems that forward traffic to the selected destination (the data plane). In the control plane, the SDN controller translates the rule-based policies from the network applications (OF apps) into rules on the switches of the network. Southbound interfaces such as OpenFlow are used to communicate between the SDN controller and the switches; northbound interfaces are used to communicate between the SDN controller and the OF apps. According to the OpenFlow specification [1] [2], each OF app can enforce its own rules, and when a packet_in message matches several rules at the same time the controller applies the rule with the highest priority, which we call the priority-based mechanism. In this paper, we present a security issue of the priority-based mechanism in SDN: malicious rules with the lowest priority can manipulate the entire SDN network and make all the rules with higher priorities fail. We propose a lightweight solution, switch-based rule verification (SRV), which leverages the centralized management in SDN to obtain a global view of the entire network topology and detect malicious rules. Once a malicious rule is found, SRV sends warning messages and refuses the rule immediately. We implemented a prototype of SRV in Floodlight as a security module and packaged it as a Java library, making it a lightweight and flexible solution with minimal deployment requirements. The preliminary results of our experiments show that the latency remains as low as 640 ms even in the presence of 10 thousand rules.
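To make the priority-based mechanism the abstract refers to concrete, the following is an added illustration, not code from the paper or from Floodlight: a minimal Python model of an OpenFlow-style flow table in which several OF apps install overlapping rules and the highest-priority matching entry wins. The app names (`firewall_app`, `forwarding_app`, `lb_app`) and the sample table are constructed for the example. It also exposes the one caveat a practitioner should keep in mind when reasoning about such tables: the OpenFlow specification leaves the choice undefined when several entries tie at the winning priority, so `tied_top_priority` reports such ambiguities instead of hiding them.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class FlowEntry:
    priority: int
    match: Dict[str, object]   # header field -> required value; an absent field is a wildcard
    actions: Tuple[str, ...]
    owner: str                 # hypothetical label: the OF app that installed the rule

def entry_matches(entry: FlowEntry, packet: Dict[str, object]) -> bool:
    """An entry matches when every field it constrains equals the packet's value."""
    return all(packet.get(field) == value for field, value in entry.match.items())

def matching_entries(table: List[FlowEntry], packet: Dict[str, object]) -> List[FlowEntry]:
    """All entries that match the packet, highest priority first (stable for ties)."""
    return sorted((e for e in table if entry_matches(e, packet)),
                  key=lambda e: e.priority, reverse=True)

def lookup(table: List[FlowEntry], packet: Dict[str, object]) -> Optional[FlowEntry]:
    """Priority-based mechanism: the highest-priority matching entry is applied."""
    hits = matching_entries(table, packet)
    return hits[0] if hits else None

def tied_top_priority(table: List[FlowEntry], packet: Dict[str, object]) -> List[FlowEntry]:
    """Entries tied at the winning priority. OpenFlow leaves the selection among
    them undefined, so more than one entry here means the forwarding decision is
    not predictable from the table alone."""
    hits = matching_entries(table, packet)
    if not hits:
        return []
    top = hits[0].priority
    return [e for e in hits if e.priority == top]

# Constructed sample table: three hypothetical OF apps plus a table-miss entry.
TABLE: List[FlowEntry] = [
    FlowEntry(100, {"ip_proto": 6, "tcp_dst": 23}, ("drop",), "firewall_app"),
    FlowEntry(10,  {"in_port": 1}, ("output:2",), "forwarding_app"),
    FlowEntry(10,  {"in_port": 1, "ip_proto": 6}, ("output:3",), "lb_app"),
    FlowEntry(0,   {}, ("controller",), "table_miss"),
]

def decide(packet: Dict[str, object]) -> Tuple[Tuple[str, ...], List[str]]:
    """Return (actions of the winning entry, owners of all entries tied at the top)."""
    winner = lookup(TABLE, packet)
    if winner is None:
        return (), []
    return winner.actions, [e.owner for e in tied_top_priority(TABLE, packet)]

if __name__ == "__main__":
    for pkt in ({"in_port": 1, "ip_proto": 6, "tcp_dst": 23},   # telnet: firewall wins
                {"in_port": 1, "ip_proto": 6, "tcp_dst": 80},   # two apps tie at priority 10
                {"in_port": 2, "ip_proto": 17}):                # nothing specific: table miss
        print(pkt, "->", decide(pkt))
```

Running the block shows the telnet packet dropped by the priority-100 firewall rule regardless of the lower-priority forwarding rules, the HTTP packet from port 1 matched by two priority-10 rules from different apps (an ambiguity an operator would want flagged), and the UDP packet falling through to the table-miss entry.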
