Software well as security threats. This paper

 

Software Defined Networks: A
Survey with Simulation

 

 

 

ABSTRACT:

We Will Write a Custom Essay Specifically
For You For Only $13.90/page!


order now

 

Software
Defined Networking (SDN) is a major paradigm in controlling and managing number
of heterogeneous networks. Securing such complex heterogeneous networks is
however a real challenge in network security. The centralization of the
intelligence in network presents both an opportunity as well as security
threats. This paper focuses on various potential security challenges at the
various levels of SDN architecture such as saturation attacks, man-in –the-
middle attack, Denial of service (DoS) attack and its countermeasures. This
survey of potential attacks is a step to further initiate research in SDN
security .

 

Index
Terms—Software defined network, SDN security, DoS(Denial of Service )

 

 

 

To
summarise , SDN focuses on the key features:
a)Separation of the control plane from the data plane

 

b)A centralized controller and view of the network

 

c) Open interfaces between the devices in the control plane
(controllers) and those in the data plane.

 

The
rest of the paper is organized as follows. Section II discusses the difference
between the traditional network view and the SDN architecture. Section III
discusses SDN and its security loopholes and analysis the potential attacks on
the layered structure of SDN. Section IV discusses the crucial attacks .Section
V concludes the paper with research conclusions

 

II
Traditional network view versus SDN view

 

2.1
Networking the Traditional way

 

I.        
Introduction

 

Software defined networking is a network technology where
the control plane logic is decoupled from the forwarding plane and has the
ability to control, change and manage network behaviour dynamically through
software via open interfaces. The data-plane represents all of the data that is
being forwarded through the network, such as packets and the hardware that is
used to forward it, such as switches. The control-plane represents all logic
and devices that are responsible for deciding how and to where data in the
data-plane is to be sent. Traditional networks combine these two planes on the
same devices, forcing each device to make its own forwarding decisions based on
distributed routing protocols. SDN, on the other hand, allows for the
control-plane to have a global view of the network, allowing for policies to be
applied that take into account all of the network state, rather than

what
is exposed to a single device.

 

In
traditional networks, as shown in Fig.2.1 the routers and switches have both
control and data planes combined in a network node. The control plane is
responsible for traffic management i.e. node and path configuration which are
to be used for data flows. Once these paths are determined, packets are pushed
down to the data plane. Data plane routes traffic to the destination .Data
forwarding at the hardware level is based on this control information. In this
traditional approach, once the forwarding policy has been defined, the only way
to make an adjustment to the policy is via changes to the configuration of the
devices. The main concept of SDN lies in the notion of decoupling the control
and data planes that is shown in figure 2.1(b). In SDN, the control plane is no
longer distributed among network nodes, as in the traditional network, but
instead centralized at the controller which communicates with network nodes to
setup the data plane through a southbound SDN protocol.

 

 

 

 

 

 

 

 

 

a)TraditionalApproach          b) SDN Approach

 

Fig 2.1 Traditional network view compared
with SDN network view

 

2.2
Networking the SDN way

 

SDN
has emerged from service-focused requirements. Control is moved out of the
individual network nodes and into the separate, centralized controller. SDN
switches are controlled by a network operating system that collects information
using the API shown in Fig. 2.1 and manipulates their forwarding plane,
providing an abstract model of the network topology to the SDN controller
hosting the applications. Using SDN in network, we can use policies, templates,
or profiles to define traffic flows on the network .It enables new features to
be added through software. SDN can provide increased consistency of user mobile
and enable workload mobility, easier data center migrations and higher level of
redundancy .

 

 

III. OPENFLOW PROTOCOL

 

The OpenFlow protocol is standardized
protocol for interacting with the forwarding behavior of switches from multiple
vendors. This provides us a way to control a behavior of switches throughout
the network dynamically and programmatically. OpenFlow is a key protocol in
many SDN solutions. OpenFlow is a

protocol

that

allows

a server to

tell network switches where

to

send
packets.

In  
a

conventional

network,

each

switch

has

proprietary software that 
tells  it

what

to  do.

With

 

OpenFlow, the packet-moving decisions are
centralized, so that the network can be programmed independently of the
individual switches .

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Figure 3.1: OpenFlow
Architecture

The SDN Architecture
is divided into 3

 

Layers:

 

•      
Data Forwarding Layer or Infrastructure
Layer: The data plane comprises a set of one or more network elements, each of
which contains a set of traffic forwarding or traffic processing resources.

 

•       Control
Layer: The controller plane comprises a set of SDN controllers, each of which
has exclusive control over a set of resources exposed by one or more network
elements in the data plane (its span of control).

 

•      
Apphlication Layer: The application plane
comprises one or more applications, each of which has exclusive control of a
set of resources exposed by one or more SDN controllers.

 

OpenFlow Operation: As we
see in Figure 3. 2, the switch flow tables are empty in the initial
startup phase. When a new packet arrives in step 1, since no match is found in
the switch flow table, it is forwarded to the controller (step 2). The
controller observes the packet and decides on the action that should be taken
(forward or drop) and creates a flow entry accordingly. This flow entry is sent
to the switches in the path that the packet will traverse (step 3). The packet
is then sent through to the receiving host in steps 4 and 5. In steps 6, 7, and
8 any new packets belonging to the same flow are routed directly since they
would match the new entry in the flow tables. 13

 

 

 

 

 

 

 

 

 

 

 

 

Figure 3. 2 OpenFlow Flow
Processing Procedure

 

The priority is very important as flow
entries are sorted by their priorities. So if two flow entries match a packet
in the same flow table, the one with the higher priority will be used and the
other one will be ignored.

 

IV.        TYPES OF ATTACKS IN SDN

 

With increasing popularity of SDN, it has
become important to understand the security issues and vulnerabilities of it
before any large scale evolvement. As per the OpenFlow architecture we have
divided the types of attacks on the basis of three layers of the protocol viz.
Data forwarding layer, Control layer and Application layer.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Figure 4: Possible attacks on SDN Architecture

 

 

1.  Attack on Data Forwarding Layer

 

The
data forwarding layer is nothing but the collection of number of switches
connected to each other. These switches are responsible for performing an
action on the arrived packet according to flow rule specified in the flow
table. Whenever a new packet enters the switch, it stores that packet into
buffer. The buffered packet is then checked for its availability in flow table.
If there is no flow rule available in the flow table, the packet-IN message is
sent to the controller to generate new flow

 

rule
for that specific packet. This new flow rule is then entered to the flow table
of the switch.

 

 

Thus,
buffer and flow table having limited memory space, these two components of the
switch are vulnerable to the DoS attack. Since packets with an unknown
destination address will cause a new rule to be inserted in the switch, an
attacker can generate large amounts of packets destined to unknown network
hosts in
a short time, and in this way quickly filling up a switch’s limited Flow Table
storage capacity. When the Flow Table is saturated by attacker’s generated
traffic, legal
traffic will not be forwarded correctly, as there will be no more available
capacity for inserting new rules.

 

Similarly, buffer is the target of DoS
attack. As described above, before packets are forwarded out, they are buffered
in the Flow Buffer waiting for the results of the rule search or the insertion
of a new rule. Packets in the Flow Buffer will be marked for deletion on a
First in First out (FIFO) basis to release the storage space. Attackers can
flood large packets belonging to a different flow than that encountered by the
switch normally; the switch has to buffer these large packets and this leads to
the saturation of the Flow Buffer 4.

 

2. 
Attack on Control Layer

 

Control layer is the brain of network.
Control layer manages and controls whole network. In SDN, the network node
which performs functions of Control layer is called as SDN Controller. The SDN
controller communicates with the switch through a standard protocol, e.g.,
OpenFlow. Due to the openness of

 

programmability and complexity of its
functionality, the controller’s software is inevitably vulnerable, and this

 

can be exploited for
malicious attacks 3.

 

As stated in previous attack, when switch
receives packet which is not in flow table, it buffers the packet

 

before actually connecting to the controller.
The limited capacity of switch’s buffer makes it vulnerable to attacks. Because
of this, switch has to send packets to the controller, which may occupy most of
controller bandwidth. As entire bandwidth is occupied, Controller will be
unable to install new flow rules in flow table.

 

This originates the concern of packet loss in
either of the following ways,

 

1)    
Because
of large number of packet arrival, the link between the switch and controller
get thronged and packet-IN message itself cannot be sent which results in
packet loss

 

2)    
The traffic between switch and controller
introduce

 

latency in control channel, which means, if
switch does not receive flow-MOD message as a acknowledgement from controller
that particular packet will get discarded and so results in packet loss.

 

3.  Attack on Application Layer

 

Application
layer consist of large number of network nodes, among which one network node
(act as a sender) send packets to another network node (act as a receiver). At
application layer, the attacker may flood suspicious data to control the
network node which can be used to infect other network nodes which are
connected to it. The attacker can get illegal access to network node by
injecting malicious code to control the flow of packets in network and to steal
important information.

 

V.        
MITIGATION STRATEGIES

 

 

Amongst
various online attacks hampering IT security, Denial of Service (DoS) has the
most devastating effects. This paper lays down mitigation strategies for the
attackers which we have covered in this paper.

 

This
paper aims to prevent the attacks at data forwarding layer and control layer by
considering attacks at this level more crucial. First strategy to prevent the
attack on control layer bandwidth is using Rate Limiting. This will sets up the
threshold limit of traffic that the server would be able to withstand. The best
feature of this technique is that the network administrator is capable of
deciding how much traffic to let to the network.

 

The
flow table contains flow rules for each packet. Therefore if controller can
successfully recognize that its capacity is not sufficient to handle all the
packets that are arrived, it could install the flow rule on one of the switch
in the network instructing to send packet at lower rate. This will certainly
affect all the flow rules as there will be legitimate nodes as well. In spite
of this, this can prevent controller from being freeze.

 

Another
strategy is to prevent switch’s flow table from being
thronged with flow rules. Each flow rule is assigned with two different
timeout values, idle timeout sets up to indicate the flow rule is inactive and
hard timeout sets up to indicate the expiry of allocated time for that
particular flow rule. One way to restrict the entries in flow table can be
setting optimal time out for the flow rules. By removing flow rules with
specific time out will avoid switch’s flow table from being

 

overflowed. Other solution can be flow
aggregation in which each flow rule matches multiple network flows. This
results in reducing the number of flow rules required to match network traffic.
Using flow rule provides security to the flow table and controller will also
receives fewer loads on the channel 9.

 

 

VI.      EXPERIMENTAL SETUP

 

A. Emulation Environment

 

System
Specification and Software Requirements are as follows:

 

•  CPU: Intel(R)Core(TM)  [email protected]

 

•    Primary  Memory: 
16GiB  (2  x  8GiB  DDR3

 

 

Synchronous
1600 MHz (0.6 ns))

 

 

 

•  Hard disk: 200GiB

 

 

 

 

•  Virtual box: VirtualBox 5.1.4 for Windows
hosts

 

•      
Mininet: 
 Mininet 2.2.1 on Ubuntu 14.04

 

B. Experiment Topology

 

The topology consists of the minimum number
of hosts (H1, H2) required to emulate the attacks and and a switch (S1) and
controller (C0) as depicted in figure 6.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Fig 6.1 :Single Topology

 

This depicted topology is designed using
mininet simulator as shown in figure 6.2

 

C. Mininet Simulator:

 

We performed installation of virtual box and
created virtual machine for running the Mininet. Mininet is a network emulator
which creates a network of virtual hosts, switches, controllers, and links 5.
It runs a collection of end-hosts, switches, routers, and links on a single
Linux kernel. It uses lightweight virtualization to make a single system look
like a complete network, running the same kernel, system, and user code. A

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Figure 6.2 Design of
experimental topology on mininet

 

VII     CONCLUSION

 

Software
defined networking (SDN) has established a new method for bringing
heterogeneous networks together . SDN provides several features that allow for
easy mitigation of certain types of attacks, such as DoS. However, SDN also
introduces new vulnerabilities that are not present in traditional networks,
such as a communication bottleneck between the control-plane and the
data-plane. In this paper , we have presented a current review on research on
SDN security. It is important for network operators to understand the security
risks involved in SDN. A complete review of SDN security issues and its
countermeasures was analyzed on basis of the 3 layers :the data forwarding
layer, the control layer and the application layer. The future scope would be
to work on security challenges pertaining to Denial of Service attacks on the
control and data plane.

 

 

 

 

 

infr