Among the leading reference implementations of the Software Defined Networking (SDN) paradigm is the OpenFlow framework, which decouples the control plane into a centralized application. In this paper, we consider two aspects of OpenFlow that pose security challenges, and we propose two solutions that could address these concerns. The first challenge is the inherent communication bottleneck that arises between the data plane and the control plane, which an adversary could exploit by mounting a "control plane saturation attack" that disrupts network operations. Indeed, even well-mined adversarial models, such as scanning or denial-of-service (DoS) activity, can produce more potent impacts on OpenFlow networks than on traditional networks. To address this challenge, we introduce an extension to the OpenFlow data plane called "connection migration", which dramatically reduces the amount of data-to-control-plane interactions that arise during such attacks. The second challenge is that of enabling the control plane to expedite both detection of, and responses to, the changing flow dynamics within the data plane. For this, we introduce "actuating triggers" over the data plane's existing statistics collection services. These triggers are inserted by control layer applications to both register for asynchronous callbacks and insert conditional flow rules that are only activated when a trigger condition is detected within the data plane's statistics module. We present Avant-Guard, an implementation of our two data plane extensions, evaluate the performance impact, and examine its use for developing more scalable and resilient SDN security services.
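The following toy simulation, added here and not part of the paper or of Avant-Guard's code, contrasts a baseline switch that reports every table miss with one that applies a simplified connection-migration rule (the switch answers the SYN itself and reports a flow only once the client's ACK completes the handshake), and shows an actuating trigger over the half-open count that fires a callback and activates a conditional rule. The class and field names, the threshold of 100 and the traffic mix are all constructed assumptions, not the paper's protocol details.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Trigger:
    condition: Callable[["Switch"], bool]   # evaluated over the switch's statistics
    callback: Callable[["Switch"], None]    # asynchronous callback into the control layer
    conditional_rule: str                   # flow rule activated only when condition holds

@dataclass
class Switch:
    migrate: bool                                   # connection migration on/off (assumed model)
    controller_msgs: int = 0                        # data-to-control-plane messages sent
    half_open: set = field(default_factory=set)     # SYNs answered by the switch, awaiting ACK
    flow_table: set = field(default_factory=set)    # (src, dst) pairs with a rule installed
    active_rules: list = field(default_factory=list)
    triggers: list = field(default_factory=list)

    def packet_in(self, src, dst, flag):
        key = (src, dst)
        if key in self.flow_table:
            return "forward"
        if not self.migrate:                 # baseline: every table miss goes to the controller
            self.controller_msgs += 1
            self.flow_table.add(key)
            return "to_controller"
        if flag == "SYN":                    # switch completes the handshake itself
            self.half_open.add(key)
            for t in self.triggers:          # statistics module evaluates actuating triggers
                if t.conditional_rule not in self.active_rules and t.condition(self):
                    self.active_rules.append(t.conditional_rule)
                    t.callback(self)
            return "syn_ack_from_switch"
        if flag == "ACK" and key in self.half_open:
            self.half_open.discard(key)      # handshake done: report the flow only now
            self.controller_msgs += 1
            self.flow_table.add(key)
            return "to_controller"
        return "drop"

def simulate(migrate, spoofed_syns=1000):
    sw, alerts = Switch(migrate=migrate), []
    sw.triggers.append(Trigger(lambda s: len(s.half_open) > 100,
        lambda s: alerts.append("half-open threshold crossed"), "rate-limit new SYNs to server"))
    for c in range(3):                       # constructed: 3 clients completing handshakes
        sw.packet_in(f"client{c}", "server", "SYN")
        sw.packet_in(f"client{c}", "server", "ACK")
    for i in range(spoofed_syns):            # constructed: spoofed SYNs that never ACK
        sw.packet_in(f"spoofed{i}", "server", "SYN")
    return sw.controller_msgs, sw.active_rules, alerts
```

With the baseline, every one of the 1003 new flows reaches the controller; with migration only the 3 completed handshakes do, and the trigger activates its conditional rule inside the data plane once more than 100 half-open entries accumulate.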