Software-defined networking (SDN) emerged as an attempt to introduce network innovations faster, and to radically simplify and automate the management of large networks. SDN traditionally leverages OpenFlow as a device-level abstraction. Since OpenFlow permits the programmer to "just" abstract a static flow-table, any stateful control and processing intelligence is necessarily delegated to the network controller. Motivated by the latency and signaling overhead that comes along with such a two-tiered SDN programming model, in the last couple of years several works have proposed innovative switch-level (data plane) programming abstractions capable of deploying some smartness directly inside the network switches, e.g., in the form of localized stateful flow processing. Furthermore, the possible inclusion of states and state maintenance primitives inside the switches is currently being debated in the OpenFlow standardization community itself. In this paper, after having provided the reader with a background on such emerging stateful SDN data plane proposals, we focus our attention on the security implications that data plane programmability brings about. Also via the identification of potential attack scenarios, we specifically highlight possible vulnerabilities specific to stateful in-switch processing (including denial of service and saturation attacks), which we believe should be carefully taken into consideration in the ongoing design of current and future proposals for stateful SDN data planes.

Dargahi, T., Caponi, A., Ambrosin, M., Bianchi, G., Conti, M. (2017). A Survey on the Security of Stateful SDN Data Planes. IEEE COMMUNICATIONS SURVEYS AND TUTORIALS, 19(3), 1701-1725 [10.1109/COMST.2017.2689819].

A Survey on the Security of Stateful SDN Data Planes

Caponi A.; Bianchi G.
2017-01-01

2017
Published
International relevance
Article
Anonymous expert reviewers
Sector ING-INF/03 - Telecommunications
English
Software-defined networking (SDN); stateful SDN data planes; data plane programmability; SDN security; vulnerability assessment; OpenFlow; OpenState; P4
Dargahi, T; Caponi, A; Ambrosin, M; Bianchi, G; Conti, M
Journal article

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/2108/200389
Citations
  • Scopus 161
  • ISI 120