{"title":"在受损的OpenFlow交换机上快速检测不服从转发","authors":"Yen-Chun Chiu, Po-Ching Lin","doi":"10.1109/ICCNC.2017.7876210","DOIUrl":null,"url":null,"abstract":"Software-defined networking (SDN) allows network administrators to manage network flows easily from a centralized controller. However, it also leads to new security threats to applications, controllers, OpenFlow switches, topology management and so on. In this work, we design a method to detect disobedient forwarding in the flow table by compromising a switch. To enhance detection efficiency and minimize additional network traffic, we reduce the number of detection packets necessary by aggregating the flow entries. This method selects the flow entries whose match fields can compose a valid packet from multiple switches. The switches on which the entries are form a path that allows the packet to travel through for rapid detection. We evaluate the efficiency of this detection method for various topology types in typical data center networks by Mininet simulation. The experimental results demonstrate that this method can examine the forwarding correctness of around 3 flow entries simultaneously for each detection packet in fat-tree topology. Furthermore, the scale of the network topology does not affect the efficiency of the method significantly.","PeriodicalId":135028,"journal":{"name":"2017 International Conference on Computing, Networking and Communications (ICNC)","volume":"22 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"14","resultStr":"{\"title\":\"Rapid detection of disobedient forwarding on compromised OpenFlow switches\",\"authors\":\"Yen-Chun Chiu, Po-Ching Lin\",\"doi\":\"10.1109/ICCNC.2017.7876210\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Software-defined networking (SDN) allows network administrators to manage network flows easily from a centralized controller. However, it also leads to new security threats to applications, controllers, OpenFlow switches, topology management and so on. In this work, we design a method to detect disobedient forwarding in the flow table by compromising a switch. To enhance detection efficiency and minimize additional network traffic, we reduce the number of detection packets necessary by aggregating the flow entries. This method selects the flow entries whose match fields can compose a valid packet from multiple switches. The switches on which the entries are form a path that allows the packet to travel through for rapid detection. We evaluate the efficiency of this detection method for various topology types in typical data center networks by Mininet simulation. The experimental results demonstrate that this method can examine the forwarding correctness of around 3 flow entries simultaneously for each detection packet in fat-tree topology. Furthermore, the scale of the network topology does not affect the efficiency of the method significantly.\",\"PeriodicalId\":135028,\"journal\":{\"name\":\"2017 International Conference on Computing, Networking and Communications (ICNC)\",\"volume\":\"22 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"1900-01-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"14\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2017 International Conference on Computing, Networking and Communications (ICNC)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ICCNC.2017.7876210\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 International Conference on Computing, Networking and Communications (ICNC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICCNC.2017.7876210","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Rapid detection of disobedient forwarding on compromised OpenFlow switches
Software-defined networking (SDN) allows network administrators to manage network flows easily from a centralized controller. However, it also leads to new security threats to applications, controllers, OpenFlow switches, topology management and so on. In this work, we design a method to detect disobedient forwarding in the flow table by compromising a switch. To enhance detection efficiency and minimize additional network traffic, we reduce the number of detection packets necessary by aggregating the flow entries. This method selects the flow entries whose match fields can compose a valid packet from multiple switches. The switches on which the entries are form a path that allows the packet to travel through for rapid detection. We evaluate the efficiency of this detection method for various topology types in typical data center networks by Mininet simulation. The experimental results demonstrate that this method can examine the forwarding correctness of around 3 flow entries simultaneously for each detection packet in fat-tree topology. Furthermore, the scale of the network topology does not affect the efficiency of the method significantly.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
