
As the most competitive solution for next-generation networks, SDN and its dominant implementation OpenFlow are attracting more and more interest. But besides convenience and flexibility, SDN/OpenFlow also introduces new kinds of limitations and security issues. Of these limitations, the most obvious and perhaps the most neglected one is the flow table capacity of SDN/OpenFlow switches. In this paper, we propose a novel inference attack targeting SDN/OpenFlow networks, motivated by the limited flow table capacities of SDN/OpenFlow switches and the measurable decrease in network performance that results from frequent interactions between the data and control planes when the flow table is full. To the best of our knowledge, this is the first inference attack model of this kind proposed for SDN/OpenFlow. We implemented an inference attack framework according to our model and examined its efficiency and accuracy. The evaluation results demonstrate that our framework can infer the network parameters (flow table capacity and usage) with an accuracy of 80% or higher. We also propose two possible defense strategies for the discovered vulnerability: a routing aggregation algorithm and a multilevel flow table architecture. These findings give us a deeper understanding of SDN/OpenFlow limitations and serve as guidelines for future improvements of SDN/OpenFlow.

1. Introduction

By decoupling the control plane from the data plane, Software-Defined Networking (SDN) makes programmability a built-in feature of networks, thereby introducing automation and flexibility to network management. SDN has therefore been foreseen as the key technology that enables the next generation of networking paradigms. Despite its promise, one of the most significant barriers to SDN's wide practical deployment resides in overwhelming security concerns [1]. Therefore, proactively detecting, quantifying, and mitigating its security vulnerabilities becomes of primary importance.

In spite of its novelty, SDN reuses various design and implementation elements from traditional networks, ranging from architectures and protocols to systems. It is not surprising that SDN inherits the vulnerabilities intrinsic to these elements. For example, like any networked service, secure channels between controllers and switches might be disrupted by DDoS attacks; like firewall rules, flow entries may conflict with each other, leaking unwanted traffic; malicious ARP spoofing generated by attackers may poison the controller's MAC table, disturbing normal topology information gathering and packet forwarding; untrusted applications may instrument the SDN controller to perform malicious behaviors without proper access control, which is one of the design objectives of modern operating systems. In response, existing research in the context of SDN security mainly focuses on detecting and mitigating these vulnerabilities. For example, [2] evaluates man-in-the-middle attacks that target SDN/OpenFlow secure channels; FortNOX [3] brings a security enforcement module into NOX [4] and enables real-time flow entry conflict checks; VeriFlow [5] detects network-wide invariant violations by acting as a transparent layer between the control plane and the data plane.

In this paper, we introduce a novel SDN vulnerability. The novelty of this vulnerability stems from the feedback-loop nature of SDN, a fundamental difference compared with traditional networks. In particular, this vulnerability can be extremely severe in SDN-based networks where network traffic from different sources shares the same SDN switch's flow table, for instance, different tenants in an SDN-based cloud computing network.

Specifically, most commercial SDN/OpenFlow switches have limited flow table capacities, ranging from hundreds to thousands of entries [6]. Such capacity is usually insufficient to handle the millions of flows that are typical for enterprise and data center networks [7]. Nevertheless, flow table capacity was previously considered only as a potential bottleneck for resource-consuming attacks, motivating research on flow caching systems like [8–10]. But according to our analysis, the flow table capacity can lead to inference attacks and privacy leakage under certain circumstances.

As a result of flow table overflow, the SDN controller needs to dynamically maintain the flow table by inserting and deleting flow entries. The maintenance process typically includes packet data transfer, routing rule calculation, and flow entry deployment, which leads to a measurable decrease in network performance.

Especially, once the flow table is full, extra interactions between controller and switch are needed to remove certain existing flow entries to make room for newly generated flow entries, resulting in a further decrease in network performance. An attacker can therefore leverage the perceived performance change to deduce the internal state of the SDN. To be more specific, we consider the scenario in which an attacker resides in a network managed by an SDN. The attacker can then actively generate network traffic, triggering the interactions between controller and switch with respect to flow entry insertion and deletion. The attacker can then measure the change in network performance to gauge the internal state of the SDN, including the flow table capacity and flow table usage. We have designed innovative algorithms to exploit this vulnerability and quantified their effectiveness based on extensive evaluation.

Additionally, to mitigate this vulnerability, we have proposed two possible defense strategies. The first strategy is a new routing aggregation algorithm that compresses the flow entries so they consume less flow table space. The second strategy is building a multilevel flow table architecture. A multilevel flow table architecture can implement flow tables with larger capacities without introducing additional power consumption or cost.

To summarize, in this paper we make the following contributions: (i) We have identified a novel vulnerability introduced by the limited flow table capacities of SDN/OpenFlow switches and formalized the threat. (ii) We have designed effective algorithms that can successfully exploit this vulnerability to accurately infer the internal state of the SDN network, including flow table capacity and flow table usage. (iii) We have performed extensive evaluation to quantify the effectiveness of the proposed algorithms. The experimental results demonstrate that the discovered vulnerability indeed leads to significant security concerns: our algorithm can infer the network parameters with an accuracy of 80% or higher across various network settings. (iv) We have proposed two possible defense strategies for the discovered vulnerability: a routing aggregation algorithm to compress the flow entries, and a multilevel flow table architecture to implement flow tables with larger capacities.

The rest of this paper is organized as follows. Section 2 gives an overall statement of the inference attack problem. Section 3 gives detailed inference algorithms targeting the FIFO and LRU replacement algorithms, respectively. Section 4 gives a detailed evaluation of the simulation results. Section 5 proposes two possible defense methods against this kind of inference attack. Section 6 is a brief discussion of our findings and future research. Section 7 describes related work in this area. Finally, Section 8 concludes the paper.

2. Problem Statement

The flow table overflow vulnerability in SDN potentially exists in SDN-based cloud computing networks and other important SDN-based networking systems [11, 12].

After analyzing the current structure and implementation of SDN/OpenFlow, its decoupled nature gives us inspiration: the interactions between the control plane and the data plane lead to a decrease in network performance, which can be measured through performance parameters like round trip time (RTT). If a flow matches a flow entry, the flow is forwarded directly according to the matched entry. This process is fast and costs little time. When the flow table is full, some flow entry has to be removed, and then the controller has to calculate the rule and send a new flow entry to the switch; this process is more complex and involves more interactions between controller and switch than the previous case, so it costs more time.

Figure 1 gives an overall flowchart of packet processing in an OpenFlow switch. The three rectangular regions surrounded by dotted lines represent three possible packet processing branches, respectively. When the switch encounters an incoming packet, it parses it and sends the parsed packet into the subsequent processing pipeline.

Then, as the first step of the pipeline, the switch looks up its flow table to search for flow entries matching the packet. When there is a match, the switch directly forwards the packet according to the actions associated with the corresponding flow entry. This branch is illustrated by the innermost rectangle of Figure 1.

When there is no corresponding flow entry in the flow table, extra steps are introduced into the process. Additional interactions between the switch and the controller take place to acquire the corresponding routing rules, including packet information transfer, routing rule calculation, and flow entry deployment. The middle rectangle of Figure 1 illustrates this process.

Before the switch inserts the newly generated flow entry, it has to check the flow table status to make sure that there is enough space in the flow table. When the flow table is full, the controller has to perform flow table replacement operations to make room for the upcoming flow entry. These operations include deciding which old flow entry to delete according to a certain flow table replacement algorithm, and the flow entry deletion itself. The outermost rectangle in Figure 1 stands for this branch.

That is exactly where the vulnerability lies. In traditional networks, switches and routers are autonomous, which means they can maintain their routing tables locally without interacting with an external device. But due to the decoupled nature of SDN/OpenFlow, maintaining switch flow tables needs frequent interactions between switches and controllers, making it possible for an attacker to leverage the perceived performance change to deduce the internal state of the SDN network.

As shown in Figure 1, the rectangular regions surrounded by dotted lines correspond to different possible packet processing branches. The larger a rectangle is, the longer the processing time of that branch, because of the extra steps the rectangle contains. When there is a match in the flow table, the processing time is the shortest; when there is no match in the flow table and the flow table is not full, the processing time is longer because of the additional routing calculation and flow entry deployment; when there is no match in the flow table and the flow table is full, the processing time is the longest because a flow table replacement operation has to be performed. So, as a network parameter directly influenced by the processing time, the RTT of a packet can serve as an indicator of flow table state and flow entry state.

The process of deciding RTT thresholds for flow table state detection is shown in Figure 2.

Figures 2(a) and 2(b) correspond to two cooperating threads; the -axis represents the packet sequence, and the -axis represents the recorded RTT of every packet. Firstly, in the upper thread, we generate a packet with a specific combination, calling it . Send to the target OpenFlow switch and record the corresponding RTT as . Currently there is no corresponding flow entry in the OpenFlow switch because is a new packet. After a time span , send to the target OpenFlow switch again and record the corresponding RTT as . If is chosen properly, the newly installed flow entry matching should still be in the OpenFlow switch. Next, in the lower thread, we continuously generate packets , each with a different combination of , and send these packets to the target OpenFlow switch with a time span of . Because there are no flow entries matching these packets in the OpenFlow switch, the recorded RTTs will be approximately the same as . Keep generating and sending packets until we observe a sudden increase of the RTT, which indicates that the flow table is full. Then in the upper thread we send again immediately and record the RTT as . To achieve higher precision, we can repeat the procedure and use the average values of , , and as the final results.

From the process above we can see that , , and will serve as thresholds for flow table state detection: when the measured RTT is around , we can infer that there is a corresponding flow entry in the flow table; when the measured RTT is around , we can infer that there is no corresponding flow entry in the flow table and the flow table is not full; when the measured RTT is around , we can infer that there is no corresponding flow entry in the flow table and the flow table is full.

We model the SDN/OpenFlow network as a black box and observe its response (RTT) to different inputs (network packets); then we use the response to estimate the flow table state and flow entry state and perform further inference. The whole process comes in three steps.

Firstly, we send probing packets into the network to trigger the interaction. As there is still no mature routing aggregation algorithm or hierarchical routing rule solution, current SDN/OpenFlow switches typically use exact match rules. That means if we send packets with different faked metainformation like src_ip and dst_ip, there will be newly generated flow entries inserted into the flow table. If we send excessive probing packets in a short period of time, the flow table will overflow and the interaction process will be triggered. Secondly, we measure the RTTs of the response packets and infer the flow table state and flow entry state. Thirdly, we use the observed flow table states and flow entry states as control signals in our inference algorithm and perform flow table capacity inference.

Having to achieve a hit rate as high as possible in a rather limited space, the flow table serves like a "cache" in operating systems and web proxy servers. In this paper we choose FIFO and LRU because they are common and popular [13].

3. Inference Algorithm

The logical structure of our inference algorithm is shown in Figure 3. The inference algorithm consists of two main parts: flow table state detection and flow table state control. For flow table state detection, we perform RTT measurement to classify the different states of the flow table and of a specific flow entry. For flow table state control, we generate a specific sequence of attacking network packets to manipulate the state of the flow entries. For different flow table replacement algorithms, the relation between the network traffic sequence and the flow entry state is different, so we have different network traffic generation strategies for different flow table replacement algorithms like FIFO and LRU. We introduce the inference algorithms for FIFO and LRU, respectively.

3.1. FIFO Inference Algorithm

As mentioned in Section 2, the inference process for the FIFO algorithm is as follows: we generate and send a large number of probing packets, each with a different combination of src_ip, dst_ip, src_mac, and dst_mac, and the newly inserted flow entries matching the generated packets will "push" the other users' flow entries out of the flow table. We can detect whether the flow table is full and whether our flow entries still exist. Combined with the number of inserted flow entries we recorded, we can infer the flow table capacity and flow table usage. The process of flow table state transformation is shown in Figure 4.

We use to represent the number of our inserted flow entries and to represent the number of flow entries from other users in the flow table. Both and are functions of time. We use , , , and to represent the four time points corresponding to the four subfigures, respectively, and to represent the flow table capacity.

Figure 4( ) shows the flow table and the flow entries it contains just before the experiment starts. The rectangular items represent the flow entries from other users sharing the OpenFlow switch. The current number of other users' flow entries can be expressed as .

Figure 4( ) illustrates the time when we start to send generated packets, inserting new flow entries into the flow table. The grey rectangles represent the flow entries inserted by us. As we can see, our flow entries keep pushing other users' flow entries toward the front of the FIFO queue. During the experiment, we keep a record of the generated packets, including their attributes and serial numbers.

Figure 4( ) shows the time when we detect that the flow table is full. At this point in time, the flow entries from us and from other users add up to fill the whole flow table precisely. We have

Figure 4( ) shows the time when we detect that one of our inserted flow entries has been deleted. That means the flow table is now full of our flow entries, without any flow entries from other users. We have

Combining the two equations above, we have

According to the analysis above, we describe the inference process for the FIFO algorithm as shown in Algorithm 1.

Require:
Packet-Sending Function: ;
List of IP: ;
Ensure:
The flow table capacity: ;
The number of other users' flow entries: ;
while do
SENDPACKET
if Flow table is full then
continue
end if
if One of our flow entries is deleted then
break
end if
end while
return ,

The main error of the inference comes from the flow entries inserted by other users while our insertion is in progress. We assume that our flow entry insertion speed is fast enough that, during the course of the experiment, the newly inserted flow entries are all from us. But that is not always true. Ignoring the possible flow entries inserted by other users makes our inference result smaller than the actual value.

Considering the flow entries inserted by other users, the actual equations are listed below.

When we detect that the flow table is full, if we use to represent the number of newly inserted flow entries from other users from time point to time point , the equation becomes

And when we find that one of our inserted flow entries is deleted, the equation becomes

Combining the two equations above, we have

Then the actual equation considering flow entry insertions during inference should be

Compared with our former equation ignoring flow entry insertions,

we can see that the inferred flow table usage and the inferred flow table capacity will both be smaller than the actual values.

3.2. LRU Inference Algorithm

The experimental principle of the LRU algorithm has something in common with that of the FIFO algorithm, because under both circumstances we can keep our flow entries at the back of the cache queue using certain operations. However, there are still differences in the flow entry maintenance process.

The nature of the FIFO algorithm ensures that the position of a flow entry depends only on the time it was inserted. Earlier inserted flow entries are sure to be nearer to the front of the cache queue than later inserted flow entries. But in the LRU algorithm, the positions of the flow entries depend not only on the time they were inserted, but also on the last time they were accessed. In order to keep our flow entries at the back of the cache queue, we need to continuously access the previously inserted flow entries.

During the maintenance process, every time we insert a new flow entry, we need to access all previously inserted flow entries once to "lift" them to the back of the cache queue. The access history may look like , and we call it a "rolling" maintenance procedure. The maintenance algorithm is shown in Algorithm 2. According to the analysis above, we describe the inference procedure for LRU in Algorithm 3.

Require:
Packet-Sending Function: ;
List of Inserted IP: ;
function ROLLINGPACKETSENDER
while do
for ; ; do
SENDPACKET
end for
end while
end function
Require:
Packet-Sending Function: ;
List of IP: ;
Ensure:
The flow table capacity: ;
The number of other users' flow entries: ;
)
while do
ROLLINGPACKETSENDER
if Flow table is full then
continue
end if
if One of our flow entries is deleted then
break
end if
end while
return ,

The feasibility and error analysis of the LRU algorithm is similar to that of the FIFO algorithm. The inferred flow table usage and the inferred flow table capacity will both be smaller than the actual values because the flow entries inserted by other users during the experiment are ignored.
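To make the packet-processing branches of Figure 1, the state transitions of Figure 4 and the error analysis of Sections 3.1 and 3.2 concrete, the following Python model is added here; it is not code from the paper or from its toolkit. It keeps an in-memory flow table with FIFO or LRU replacement, reports for every packet which of the three branches of Figure 1 it took (the only thing a sender can observe, through the RTT classes of Section 2), and replays Algorithms 1 to 3 against that table. The class and function names, the header tuples, the capacity of 10 entries, the 4 preloaded tenant entries, and the way a deleted entry is noticed (re-sending an earlier probe and seeing it miss) are all constructed assumptions. The last run in demo() interleaves other tenants' insertions and reproduces the under-estimation derived in Section 3.1: the capacity estimate falls short by the number of tenant entries inserted during the experiment, and the usage estimate by those inserted after the table was first seen full.

```python
from collections import OrderedDict

# The three packet-processing branches of Figure 1, ordered by the RTT they cause.
HIT = "hit"              # matching flow entry: forwarded directly (shortest RTT)
MISS = "miss"            # no entry, table not full: controller installs one (longer RTT)
MISS_FULL = "miss_full"  # no entry, table full: replacement plus install (longest RTT)


class FlowTable:
    """Toy exact-match flow table with FIFO or LRU replacement (constructed model).

    The OrderedDict order is the replacement queue: the first item is the next
    eviction victim.  Under FIFO a hit leaves the order alone; under LRU a hit
    moves the entry to the back of the queue.
    """

    def __init__(self, capacity, policy="fifo", preload=()):
        assert policy in ("fifo", "lru")
        self.capacity = capacity
        self.policy = policy
        self.entries = OrderedDict((key, True) for key in preload)
        assert len(self.entries) <= capacity

    def process(self, key):
        """Process one packet (identified by its header tuple) and return its branch."""
        if key in self.entries:
            if self.policy == "lru":
                self.entries.move_to_end(key)
            return HIT
        branch = MISS
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)  # replacement: evict the queue front
            branch = MISS_FULL
        self.entries[key] = True
        return branch


def run_inference(table, events):
    """Algorithms 1 and 3 replayed against the toy table.

    events is a list of (sender, key).  Only our own packets are observable: we see
    the branch (the RTT class of Section 2) of each probe and of each re-sent probe,
    never what other tenants do.  Returns (inferred capacity, inferred usage).
    """
    ours = []          # our probe keys in insertion order
    n_ours_t3 = None   # probes already sent when the table was first seen full
    for sender, key in events:
        if sender != "us":
            table.process(key)  # another tenant's new flow; invisible to us
            continue
        branch = table.process(key)
        ours.append(key)
        if branch == MISS_FULL and n_ours_t3 is None:
            n_ours_t3 = len(ours) - 1           # Figure 4(c): ours + others = C
        # Did our oldest entry survive?  FIFO: re-sending keeps the queue order, so
        # the oldest probe alone is enough.  LRU: Algorithm 2's rolling re-access of
        # every earlier probe keeps ours at the back of the queue.
        recheck = ours[:-1] if table.policy == "lru" else ours[:1]
        for old in recheck:
            if table.process(old) != HIT:       # Figure 4(d): table holds only ours
                capacity = len(ours) - 1        # N_ours(t4) = C
                return capacity, capacity - n_ours_t3   # N_others = C - N_ours(t3)
    return None


def probe_events(n, background=None):
    """n probes with distinct constructed header tuples.  background maps a probe
    index to other-tenant keys that arrive right after that probe (the case that
    Section 3.1's error analysis covers)."""
    background = background or {}
    events = []
    for i in range(1, n + 1):
        events.append(("us", ("10.0.0.%d" % i, "10.0.1.1")))
        for b in background.get(i, []):
            events.append(("tenant", b))
    return events


def demo(policy, background=None, capacity=10, usage=4):
    """Preload `usage` other-tenant entries, run the inference, return its estimate."""
    others = [("192.168.0.%d" % i, "192.168.1.1") for i in range(usage)]
    table = FlowTable(capacity, policy, preload=others)
    return run_inference(table, probe_events(3 * capacity, background))


if __name__ == "__main__":
    print("FIFO, quiet network:", demo("fifo"))       # (10, 4): exact
    print("LRU, quiet network:", demo("lru"))         # (10, 4): exact
    # One tenant entry lands before the table fills and one after it was seen full:
    # capacity is under-estimated by 2 and usage by 1, as Section 3.1 derives.
    bg = {2: [("192.168.2.1", "192.168.1.1")], 6: [("192.168.2.2", "192.168.1.1")]}
    print("FIFO, tenants inserting:", demo("fifo", bg))   # (8, 3)
```

The same model shows what the two Section 5 strategies change from the defender's side: both raise the number of distinct flows a sender has to install before the table ever reaches the outermost branch of Figure 1, which is the event the whole inference keys on.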

4. Evaluation

4.1. Implementation

The emulation environment of our experiment consists of three parts: a network prototyping system used to emulate hosts and switches, a network controller, and our inference attack toolkit.

We choose Mininet [14] as the network prototyping system because it encapsulates host and switch emulation and is thus easy to use. Our emulated network prototype for evaluation uses a star topology, consisting of hosts connected to a single OpenFlow switch. We build FIFO and LRU controller applications in Python on the basis of the POX [15] OpenFlow controller. As for the inference attack toolkit, we use libnet [16] to generate probing packets and libpcap [17] to capture reply packets. To simulate the background traffic of a real network, we built an SDN testbed using Mininet and POX. On the SDN testbed, we performed a series of basic SDN operations. These operations include building a customized SDN network topology, setting up the links between SDN switches, and performing ping tests between all SDN nodes. We captured the network traffic generated during these operations and use it as the background network traffic sample.

4.2. RTT Measurement

As we have mentioned in Section 2, the difference between a traditional network and an SDN/OpenFlow network in handling previously unseen packets gives us a possible indicator of the flow table state and the flow entry living state: RTT. When there is no corresponding flow entry in the flow table, the RTT of a packet will significantly increase due to the interactions between controller and switch needed to acquire a new flow entry. That is the case when there is still space in the flow table. Once the flow table is full, the RTT of a packet will further increase as a result of the extra flow table replacement operations. To show the effectiveness of using RTT as the flow table state and flow entry state indicator, we measured packet RTTs corresponding to different flow table states and flow entry states.

Figure 5 gives the RTT measurement result showing the difference. The points with different symbols represent the 300 RTT measurements we conducted in total, 100 measurements for each combination of flow table state and flow entry state. The square points stand for RTTs when the flow entry exists in the flow table. The circle points and triangle points both stand for RTTs when the flow entry does not exist in the flow table; the circle points are measured when the flow table is full, and the triangle points are measured when the flow table is not full.

As can be seen from the figure, when the flow entry exists in the flow table, the packet RTTs are highly concentrated in the range of 0.2~0.3 ms; when the flow entry does not exist in the flow table and the flow table is not full, the packet RTTs increase to about 3~5 ms; when the flow entry does not exist in the flow table and the flow table is full, the packet RTTs are the highest, ranging from ms to ms. These three groups of RTTs all distribute intensively in a small range without overlapping the other groups, showing the excellent discrimination of using RTT as a flow table state and flow entry state indicator.

4.3. Timeout
4.3.1. Default Timeout Values

According to our previous analysis, the feasibility of our inference attack depends on whether we can generate enough flow entries to fill the flow table within a single timeout cycle. That means we must have the ability to generate as many flow entries as the flow table can hold during one timeout period. So we analyze several popular open-source controllers and search for their default timeout values in the built-in applications. The result is presented in Table 1. The zero values in the table mean the corresponding timeout does not take effect, or in other words the timeout value is "permanent." As can be seen from the table, most available controllers have timeout values in the range of 5 s to 30 s.


Controller    Hard_timeout    Idle_timeout

Ryu           0               0
Beacon        0               5 s
Floodlight    0               5 s
NOX           0               5 s
POX           30 s            10 s
Trema         0               60 s
Maestro       180 s           30 s

If we take a flow table capacity of flow entries as an example, the minimum packet generating speed required will be packets per second, while libnet can generate tens of thousands of packets per second. So the default timeout values ensure the feasibility of our inference attack.
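Section 4.3.1 states the attack's feasibility condition: the probe source must install new flow entries faster than the flow table capacity divided by the timeout. From the defender's side that same ratio is a usable alarm threshold, and the following Python example (added here, not the paper's code) shows a controller-side monitor built on it. It assumes the controller application can see each packet_in with a timestamp and its ingress port; the packet_in log, the 1000-entry capacity, the port numbers and the per-port rates are constructed, and the 10 s idle_timeout is POX's default from Table 1.

```python
from collections import defaultdict, deque


def flood_rate(capacity, timeout_s, fraction=0.5):
    """New flows per second at which one source would fill `fraction` of a flow
    table of `capacity` entries within a single timeout of `timeout_s` seconds.
    Section 4.3.1's feasibility condition, read as a defender's threshold."""
    return fraction * capacity / timeout_s


class NewFlowRateMonitor:
    """Sliding-window count of new-flow events (packet_in to the controller) per
    ingress port.  observe() returns the port's current new-flow rate (1/s)."""

    def __init__(self, window_s=1.0):
        self.window_s = window_s
        self.times = defaultdict(deque)

    def observe(self, t, port):
        q = self.times[port]
        q.append(t)
        while q[0] < t - self.window_s:   # drop events that left the window
            q.popleft()
        return len(q) / self.window_s


def detect_flow_floods(events, capacity, timeout_s, window_s=1.0):
    """events: (time_s, in_port) of every packet_in.  Returns {port: time of the
    first alert} for ports whose new-flow rate exceeds flood_rate()."""
    monitor = NewFlowRateMonitor(window_s)
    limit = flood_rate(capacity, timeout_s)
    alerts = {}
    for t, port in sorted(events):
        rate = monitor.observe(t, port)
        if rate > limit and port not in alerts:
            alerts[port] = round(t, 4)
    return alerts


def sample_events():
    """Constructed packet_in log covering two seconds: port 1 carries about 10 new
    flows/s (ordinary use); port 7 carries 400 new flows/s, each a fresh
    src/dst combination, the pattern Section 2 describes for probing."""
    normal = [(k * 0.1, 1) for k in range(21)]          # 0.0 .. 2.0 s
    probing = [(k * 0.0025, 7) for k in range(801)]     # 0.0 .. 2.0 s
    return normal + probing


if __name__ == "__main__":
    # Assumed 1000-entry table; idle_timeout 10 s is POX's default in Table 1.
    print("alarm threshold (new flows/s):", flood_rate(1000, 10))     # 50.0
    print("first alert per port:", detect_flow_floods(sample_events(), 1000, 10))
```

Half the fill rate is used as the threshold so the alarm fires well before the table can be filled within one cycle. A busy legitimate host can cross it too, so in practice this monitor is paired with a per-port allow list or a packet_in rate limit rather than used on its own; its value is that it watches the one quantity the attack cannot avoid producing.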

4.3.2. Timeout Measurement

Though the default timeout values of mainstream OpenFlow controllers can be read from their source code, it is still possible for SDN network administrators to manually modify the default timeout values. In order to handle nondefault timeout values and provide a basis for adjusting the packet generating speed, it is essential to examine the accuracy of passive timeout measurement.

Figure 6 illustrates the relative errors (see equation (9)) of hard_timeout and idle_timeout measurement, respectively. We manually change the hard_timeout and idle_timeout values of the POX OpenFlow controller to 5 s, 10 s, 15 s, 20 s, 25 s, and 30 s, and then we use the timeout measurement algorithm mentioned in Section 2 to measure these timeout values and calculate the relative errors:

Every line in Figures 6(a) and 6(b) corresponds to times of repeated measurements conducted under a certain timeout setting from 5 s to 30 s. The margin stays within plus or minus 10 percent, showing the effectiveness and high accuracy of our timeout measurement algorithm.

4.four. Flow Table Capacity

Menstruum capacity is the principal target of our inference set on. It reflects the hardware specification of an OpenFlow switch. Effigy 7 illustrates the flow tabular array chapters measurement result when controller adopts FIFO replacement algorithm. Nosotros manually limited the switch flow table capacity to different values from catamenia entries to flow entries and used our framework to perform the inference.

The dark bars stand for the manually fix period table capacities or existent capacities. The light bars stand for the measured flow tabular array capacities. For every manually ready menstruation table capacity, we comport times of repeated measurements and have their hateful value every bit the final upshot. From the figure we tin run across that the measured capacities are quite shut to the real capacities, indicating the high accurateness of our inference framework. For case, when the existent capacity is menses entries, our measured chapters is flow entries with an error of only flow entries. As the existent capacity grows, the packet generating speed required becomes faster, placing higher requirements on package sending, receiving synchronization and accurate timing. Just our inference algorithm shows unbelievable stability and accuracy: when the existent capacity is flow entries, our measured capacity is flow entries with an mistake of just flow entries.

Like Figure 7, Figure viii as well illustrates the flow table capacity measurement results, with the only divergence of existence performed under LRU replacement algorithm instead of FIFO.

Co-ordinate to our previous analysis, the inference principle of LRU replacement algorithm is more complex because of the unavoidable mixed nature of menses entries in the flow table and the rolling maintaining process. Simply our inference framework still shows high accuracy and reliability. Fifty-fifty when the real flow table capacities are prepare to exist rather large values like and , the errors of our measure capacities are just around period entries.

Only illustrating the hateful value of measured flow table capacities may not be enough: the mean value may be the result of mistake compensations and hide the detailed measurement errors of every separate experiment. So in Figure ix we illustrate the relative error of every single flow table capacity measurement.

We choose groups of different flow table capacities from flow entries to flow entries and perform times of measurements under every single flow tabular array capacity value. Figure 9(a) stands for relative mistake of menstruation tabular array capacity measurements conducted nether FIFO replacement algorithm, showing that the margin is no larger than plus-or-minus per centum. Figure 9(b) stands for relative mistake of flow table capacity measurements conducted under LRU replacement algorithm. Due to the more circuitous inference principle and the rolling maintaining process, the margin becomes larger but still has not exceeded per centum even in the worst case.

The in a higher place inference attacks are performed without any background network traffic. When performing inference attack in real networks, the affect of groundwork network traffic cannot exist ignored. And so it is necessary to examine the efficiency of our inference algorithm under these circumstances.

In this evaluation, we choose the background network traffic dataset from a SDN testbed. Figures x and eleven have the aforementioned experiment setting with Figures 7 and 8, with the only departure of replaying groundwork traffic captured from SDN testbed during the inference attack process. Even with the affect of background traffic, our inference algorithm still shows high accuracy.

4.five. Flow Table Usage

In this department we evaluated our framework's efficiency of inferring the number of flow entries from other users sharing the same menstruum table or the flow tabular array usage. Flow table usage is our secondary inference target, and it reflects the network resources consuming condition of other tenants in the aforementioned SDN network. Figures 12 and 13 illustrate the flow table usage measurement results conducted under FIFO and LRU replacement algorithm, respectively.

Again we manually set different flow table usage values from to flow entries by manually generating and inserting the corresponding number of flow entries into the flow table beforehand. Then we use our inference algorithm to infer the flow table usage and take the mean values of every times of measurements as the final results. The errors of all these measurements prove the high accuracy, stability and reliability of our inference algorithm.

We also conducted the flow table usage inference attack with background traffic. Experiment results with testbed background traffic are shown in Figures 14 and 15. Our inference algorithm can smoothly handle the impact of background traffic, which ensures the stability and robustness demonstrated in the experiment results.

The relative errors are shown in Figure 16. We emulate groups of different flow table usage values and conducted times of flow table usage inference for every single value. For both the FIFO and LRU replacement algorithms, the relative errors of flow table usage inference stay in a quite small range. The results prove that our algorithm can infer other tenants' flow table usage status with high accuracy.

5. Defense

From the previous sections we can conclude that the inference attack is rooted in flow table overflow. To defend against that kind of inference attack, we have to prevent flow table overflow in two aspects: one aspect is to compress the flow entries to save flow table space, and the other one is to implement a larger flow table to store more flow entries.

5.1. Routing Aggregation

Routing aggregation combines multiple entries in the flow table without changing the next hops for packet forwarding. This approach is particularly appealing because it can be done by a software upgrade at the OpenFlow switch and its impact is limited within that switch. Routing aggregation has already been used in traditional networks, but it has not been deployed in SDN/OpenFlow networks. To fully utilize the flexibility of SDN/OpenFlow networks under certain scenarios like load balancing, we proposed a global routing schedule using packing optimization algorithms.

Traditional routing aggregation algorithms [18] can be used to compress the flow table, but their effectiveness cannot be ensured. If the matching fields and next hops are dispersed enough, chances are that we may not be able to perform any routing aggregation because we cannot find flow entries sharing common matching fields and next hops. This is often the case when dealing with web traffic, for example, load balancing services. For that reason, we introduced an extra phase of routing aggregation: global routing schedule optimization. First we model this routing aggregation problem as a packing optimization problem and solve it, then we perform a global routing reschedule by rewriting the flow entries according to the optimization result, and finally we perform another round of traditional routing aggregation on these new flow entries. After the global routing reschedule, there will be many more aggregatable flow entries, so the effectiveness of routing aggregation is ensured.
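As an added illustration of the sibling-merge step of traditional routing aggregation (example code written for this page, not the authors' implementation or the algorithm of [18]), the following Python merges flow entries whose destination prefixes are siblings and whose next hops agree, then checks with a longest-prefix lookup that forwarding is unchanged. The flow table, prefixes and port names are constructed.

```python
import ipaddress

# Constructed sample flow table (destination prefix, next hop); not from the paper.
SAMPLE_TABLE = [
    ("10.0.0.0/26", "port1"), ("10.0.0.64/26", "port1"), ("10.0.0.128/25", "port1"),
    ("10.0.1.0/24", "port2"), ("10.0.2.0/24", "port2"),  # adjacent but not siblings
    ("10.0.4.0/24", "port2"), ("10.0.5.0/24", "port2"),  # siblings -> 10.0.4.0/23
    ("10.0.0.0/27", "port3"),                            # more specific, other hop
    ("192.168.0.0/24", "port1"),
]

def merge_siblings(nets):
    """Replace two sibling prefixes (same parent, same next hop) by their parent
    until no such pair is left. Under longest-prefix match this never changes
    forwarding: the parent covers exactly the union of its two halves, and any
    more-specific entry pointing at another hop still wins the lookup."""
    nets = set(nets)
    changed = True
    while changed:
        changed = False
        for net in sorted(nets, key=lambda n: -n.prefixlen):
            if net not in nets or net.prefixlen == 0:
                continue
            left, right = net.supernet().subnets()
            if left in nets and right in nets:
                nets -= {left, right}
                nets.add(net.supernet())
                changed = True
    return nets

def aggregate(table):
    """Group entries by next hop, merge within each group, return the compressed table."""
    by_hop = {}
    for prefix, hop in table:
        by_hop.setdefault(hop, set()).add(ipaddress.ip_network(prefix))
    return sorted((str(n), hop) for hop, nets in by_hop.items() for n in merge_siblings(nets))

def lookup(table, addr):
    """Longest-prefix match, as the switch performs it."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None
```

On the constructed table the nine entries compress to six while every lookup returns the same port as before.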

5.2. Multilevel Flow Table Architecture

It is important to note that routing aggregation is not a replacement for long-term architectural solutions because it does not address the root causes of the flow table scalability problem and the resulting inference attack. To eliminate the inference attack vulnerability, a flow table architecture with larger capacity is required, which can be achieved through a multilevel flow table consisting of both TCAM and SRAM.

The original single-level flow table architecture is shown in Figure 17. In this architecture, the flow table is completely implemented using TCAM. An input packet will traverse from table to table and add the corresponding actions to the action set. Then all actions in the action set are executed and the packet is forwarded according to these actions.

Our proposed multilevel flow table architecture is shown in Figure 18. Besides the flow table implemented using TCAM, we add another flow table implemented using SRAM, which is cheaper and can provide larger flow table space. Under this multilevel flow table architecture, the packet processing pipeline will be different: first an input packet will look for matching flow entries in the TCAM flow table, just like in the original single-level flow table architecture. If there is a match, the packet will execute the corresponding actions and get forwarded. If there is no match, the packet will continue its lookup in the SRAM flow table. If there is a match in the SRAM flow table, the packet can then be forwarded; otherwise it will be sent to the controller.

From the procedure above, we can see that if the capacity of the TCAM flow table is , the capacity of the SRAM flow table is , then the multilevel flow table will have a capacity of . Actually is far larger than , so this approach can greatly increase the flow table capacity, thus preventing flow table overflow.
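The two-level pipeline above, as an added Python sketch that is not the authors' code: a FIFO TCAM table backed by a FIFO SRAM table, counting how often a packet has to be sent to the controller. The integer flow keys, the FIFO spill from TCAM into SRAM and the controller's decision function are assumptions made for the example; a single-level switch is the special case with SRAM capacity 0.

```python
from collections import OrderedDict

class FifoTable:
    """Fixed-capacity exact-match flow table with FIFO replacement, one of the
    two replacement policies evaluated in the paper. Integer keys stand in
    for match fields."""
    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()

    def lookup(self, flow):
        return self.entries.get(flow)

    def insert(self, flow, action):
        """Install an entry and return the evicted (flow, action) pair, if any."""
        if self.capacity == 0:          # no room at all: entry is dropped at once
            return (flow, action)
        evicted = None
        if flow not in self.entries and len(self.entries) >= self.capacity:
            evicted = self.entries.popitem(last=False)   # oldest entry leaves
        self.entries[flow] = action
        return evicted

def controller_decide(flow):
    """Constructed stand-in for the controller's forwarding decision."""
    return f"port{flow % 4}"

class MultilevelSwitch:
    """Lookup order of the paper's pipeline: TCAM, then SRAM, then controller.
    New entries are installed in TCAM; entries the TCAM evicts spill into SRAM
    (an assumption of this sketch), so up to tcam_cap + sram_cap flows are held."""
    def __init__(self, tcam_cap, sram_cap):
        self.tcam = FifoTable(tcam_cap)
        self.sram = FifoTable(sram_cap)
        self.packet_ins = 0   # controller round trips: the latency the attack times

    def process(self, flow):
        action = self.tcam.lookup(flow)
        if action is None:
            action = self.sram.lookup(flow)
        if action is None:                      # double miss: ask the controller
            self.packet_ins += 1
            action = controller_decide(flow)
            spilled = self.tcam.insert(flow, action)
            if spilled is not None:
                self.sram.insert(*spilled)
        return action

def simulate(tcam_cap, sram_cap, n_flows, rounds):
    """Replay n_flows distinct flows round-robin and return controller round trips."""
    sw = MultilevelSwitch(tcam_cap, sram_cap)
    for _ in range(rounds):
        for flow in range(n_flows):
            sw.process(flow)
    return sw.packet_ins
```

With 8 flows cycling through a TCAM of 4 entries, the single-level switch misses on every packet after the first round, while adding an SRAM table of 4 entries stops the controller traffic after the first round.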

6. Discussion

SDN/OpenFlow has become a competitive solution for next-generation networks and is being more and more widely used in modern datacenters. But considering its fundamental role as the key infrastructure, we have to admit that the security problems of SDN/OpenFlow have not been explored to a large extent. Particularly, the flow table capacity of SDN/OpenFlow switches is only considered as a vulnerable part for DDoS and flooding attacks in published research. But according to our analysis in previous sections, the flow table capacity can lead to a potential inference attack if combined with reasonable assumptions and RTT measurements.

Firstly, we found in Section 2 that exact match flow entries as well as the lack of route aggregation would consume a lot of flow table space, making it impossible to process millions of flows per second using SDN/OpenFlow. Secondly, we found in Section 4 that assigning the decision-making job of flow table replacement to the controller would lead to a significant network performance decrease, which has to be changed in time. Thirdly, there is currently no mature attack detection mechanism for SDN/OpenFlow networks, so it is quite easy for criminals to exploit system vulnerabilities or launch DDoS attacks.

The inference method proposed in this paper only uses some basic elements and parameters of OpenFlow, such as idle timeout and hard timeout, which are significant for the implementation of SDN. These features will not be removed unless very large changes are made. On the other hand, although some security frameworks [3] were proposed to detect the malicious insertion of flow rules, attackers can also bypass the detection by some well-designed insertion strategies.

All these security issues call for improvements to the current OpenFlow switch and flow table design. The improvements should at least include the following aspects: (1) New OpenFlow switch architecture, like embedding local caches in the switch or implementing a multilevel flow table to achieve a much larger flow table capacity. With larger flow table capacity, the switch will not have to query the controller for flow entries, which will reduce the interaction latency to a large extent. (2) New flow table maintenance mechanism, like transferring the flow entry deletion workload from controller to switch. The switch itself can decide which flow entry to delete and then sync state with the controller, so during the flow entry deletion process the controller's intervention is not needed. In the widely used OpenFlow Switch Specification 1.4.0 [19], this mechanism has been added as an optional feature, but without any mature implementation so far. (3) Routing aggregation. Routing aggregation can match a group of flows using one flow entry, which will reduce flow table consumption significantly compared with exact match. (4) Inference attack detection. Administrators can develop inference attack detection applications and then perform defenses like port speed limiting or network address validation.

From the discussion above, we can see that there is still a long road to go before SDN/OpenFlow becomes a truly mature and reliable network paradigm. There are still urgent and severe problems to solve, which have been neglected in the past. Only by solving these security issues and architectural vulnerabilities can SDN/OpenFlow be widely deployed in real-world commercial datacenters and fully demonstrate its revolutionary flexibility and intelligence.

The inference attack proposed in this paper is motivated by the limited flow table capacity of SDN/OpenFlow switches. The flow table capacity issue has been presented in many previous works like [20–24]. They all point out the limitation of switch flow table memory and the potential scalability and security issues. However, these works do not give further analysis of the inference attack and data leakage caused by the limited flow table capacity.

Klöti et al. [25] present potentially problematic issues in SDN/OpenFlow including information disclosure through timing analysis. However, this information disclosure requires disclosing existing flows with a side channel attack, which is difficult to perform in the real world. Compared with their approach, our inference attack is self-contained and requires no prior knowledge.

Gong et al. [26] present a kind of inference attack using RTT measurement to infer which website the victim is browsing. They recover victims' network traffic patterns based on the queuing side channel occurring at the Internet router. However, the scenario of their work is the public Internet, while our approach focuses on SDN/OpenFlow infrastructures in cloud computing networks. Compared with public Internet and website inference, the inference attack and data leakage in modern data centers are more sensitive and valuable.

Shin and Gu [27] demonstrate a novel attack targeting SDN networks. This attack includes fingerprinting SDN networks and further flooding the data plane flow table by sending specifically crafted fake flow requests at high speed. In the fingerprinting phase, header field change scanning is used to collect the different response times (RTT) for new flows and existing flows. The fingerprinting result is then analyzed to estimate whether the target network uses SDN technology. The RTT measurement and analysis they used in fingerprinting are similar to our approach. But they only perform DoS attacks on the SDN network, without performing any further data leakage or network parameter inference.

As for flow table overflow defense strategies, Shelly et al. [28] and Katta et al. [29] introduce a flow entry caching mechanism into SDN/OpenFlow networks by inserting a transparent intermediate layer between controller and switch. Yan et al. [9] use CAB to generate wildcard flow entries dynamically and reactively to handle bursting network traffic. Kannan and Banerjee [30] present a flow entry compaction algorithm to save TCAM flow table space. This algorithm uses flow entry tags instead of matching fields as forwarding rules. Kim et al. [31] develop a new flow entry management scheme to reduce the controller overhead.

8. Conclusion

In this paper, we have explored the structure of SDN/OpenFlow networks and some of the possible security issues they bring. After our detailed analysis of the SDN/OpenFlow network, we proposed a novel inference attack model targeting the SDN/OpenFlow network, which is the first proposed inference attack model of this kind in the SDN/OpenFlow area. This inference attack is introduced by the OpenFlow switch, especially by its limited flow table capacity. The inference attack can be done in a completely passive way, making it hard to detect and defend against. We also implemented the inference attack framework and examined its efficiency and accuracy using network traffic data from different sources. The simulation results show that the inference attack framework can infer the network parameters (flow table capacity and flow table usage) with an accuracy of up to 80% or higher. We also proposed two possible defense strategies for the discovered vulnerability, including a routing aggregation algorithm and a multilevel flow table architecture.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

The research presented in this paper is supported in part by the National Key Research and Development Program of China (no. 2016YFB0800100), the Fund of China National Aeronautical Radio Electronics Research Institute (PM-12210-2016-001), the National Natural Science Foundation (61572397, U1766215, U1736205, 61502383, 61672425, and 61702407), and State Grid Corporation of China (DZ71-16-030).

Copyright © 2018 Yadong Zhou et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Source: https://www.hindawi.com/journals/scn/2018/4760632/