Evaluation of Authentication Mechanisms in Control Plane Applications for Software Defined Networks (Final SATNAC)
Siyabonga N. Masuku (1), Olukayode A. Oki (2)
Department of Computer Science, University of Zululand, South Africa
Private Bag X1001, KwaDlangezwa, 3886
(1) 201161056@stu.unizulu.ac.za
(2) okikayode@gmail.com
Abstract— Software Defined Networking (SDN) will change how we view the design of networks by separating the control plane from the data plane (or forwarding plane), thereby offering network programmability and a global view of the network. SDN allows the control of the network to be influenced by third-party applications through the northbound API; the application connects with the network via the SDN controller. The network programmability offered by SDN presents various advantages. However, one of the major challenges relating to SDN security is trust between the network applications and the controller. In order to address the issue of security in SDN, a few research works have been conducted on authentication mechanisms for SDN. Different authentication mechanisms have been proposed. However, it is not clear which of them performs better when subjected to different performance scenarios. Hence, this research work aims to evaluate the existing authentication mechanisms in SDN.
Keywords— Authentication, network security, northbound API,
SDN, trust
I. INTRODUCTION
Software Defined Networking (SDN) is a new approach to computer networking that decouples the control plane from the data plane, offering high programmability and maintaining a global view of the network [1]. The Open Networking Foundation (ONF) is the group most associated with the development and standardization of SDN. According to ONF, SDN is dynamic, manageable, cost-effective and adaptable [2]. Organizations are keen to adopt SDN, but the high programmability of the network raises concerns over trust between network applications and controllers. The adopted architecture shown in Figure 1 consists mainly of three layers, namely the application layer, the control layer and the infrastructure layer, with their corresponding application programming interfaces (APIs), the northbound API and the southbound API.
In SDN, southbound APIs are used for communication between the SDN controller and the switches and routers of the network. They can be open or proprietary. OpenFlow (a southbound API) is rapidly becoming a prominent way for an SDN controller to communicate with switches and routers [3]. Applications communicate with the SDN controller via a northbound API to support traffic management, energy efficiency or security in the network [4]. To the best of our knowledge, there is currently no existing northbound API standard. The SDN architecture allows networks to be dynamically reconfigured by SDN applications; hence controlling the network by using software is the main characteristic of SDN. However, the same characteristics of centralized control and high programmability associated with the SDN architecture pose a threat to the widespread implementation and adoption of SDN.

Figure 1: A Layered SDN Architecture [3]
In this research work, we aim to evaluate the existing authentication mechanisms in SDN and recommend a well-performing and more reliable authentication mechanism to be employed as a standard northbound API.
II. RELATED WORK
Lack of trust between SDN components prevents the progress of SDN, because network applications running over the controller can behave maliciously. In this case, the controller must be able to identify which network applications are trustworthy and which are malicious. Thus, a possible measure to limit the exposure of the controller is applying mechanisms for certifying network applications and for establishing chains of trust and attestation [5]. To achieve trust and attestation between the network applications and the controller, [6] proposed AuthFlow, an authentication and access control mechanism. The AuthFlow mechanism consists of network applications running over the POX OpenFlow controller, and two other components: an Authenticator and a RADIUS server. The Authenticator receives IEEE 802.1X messages and validates the credentials against the RADIUS server [6].
In [4] the authors presented OperationCheckpoint, an approach to secure the northbound interface by introducing a permissions system that ensures that controller operations are available to trusted applications only. However, this approach is controller dependent. In [7] the authors presented PermOF, a fine-grained permission system, as the first line of defense, in order to apply minimum privilege to applications. [7] summarized a set of 18 permissions to be enforced at the API entry of the controller.

In [8] the authors presumed that SDN is a flow-rule-driven network. Therefore, SDN requires a secure and efficient mechanism to manage and authenticate flow rules between the application layer and the control layer. [8] analyzed the mechanisms to generate and insert flow rules in SDN and presented PERM-GUARD, a fine-grained flow rule production permission authentication scheme.
The centralized controller presents a unique problem in software defined networks by introducing a single point of failure [9]. To promote and accelerate SDN security, [10] constructed a public knowledge repository, called SDNSecurity (sdnsecurity.org), which documents SDN security vulnerabilities and proposes feasible research projects to handle security issues.
III. PROPOSED RESEARCH
In this research work, we evaluate the existing authentication mechanisms in SDN in order to identify a well-performing and reliable authentication mechanism. At the end, we would be able to recommend a well-performing and more reliable authentication mechanism based on the trust between the network applications and the controller. This will be determined by the authenticity of the network applications that were able to access the controller. The authentication mechanism will reside on the control layer, specifically in the component we refer to as the SDN controller, whereby every network application will be authenticated before being granted access to the controller.
In the development of this study we shall employ two research methodologies: literature survey and simulation. We will employ the literature survey as the investigation methodology, where we focus on relevant previously published information to establish the state of the art, and simulation as the sampling methodology, where statistically significant measurements will be collected.

The combination of these methodologies provides a more desirable procedure for a set of circumstances whereby there is no standard or open specification. The literature survey shall provide us with the knowledge to know exactly which metrics should be considered and how proposed authentication mechanisms are measured. We shall employ two tools for sampling, Mininet and NS3, where metrics will be measured; they will be based on the number of network applications, how many network applications are sent to the controller over a given time, how many are found to be authenticated, how many are found to be unauthenticated, and so on.
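The measurements described above (applications presented to the controller over time, how many authenticate and how many do not) and the permission systems surveyed in Section II can be sketched together in code. The following is an added example written for this page, not code from the paper or from AuthFlow, OperationCheckpoint or PermOF; the per-application HMAC token, the four permission names and the request trace are constructed assumptions standing in for whatever the evaluated mechanisms actually use.

```python
"""Added illustration for Sections II and III: a toy northbound-API gate.

This is example code written for this page, not code from the paper or from
AuthFlow, OperationCheckpoint or PermOF. The credential scheme (a per-application
HMAC token), the permission names and the request trace are all constructed.
"""
import hmac
import hashlib
from collections import Counter, defaultdict

# Constructed key shared between the controller and the applications it registers.
CONTROLLER_KEY = b"example-controller-key-not-real"

# Hypothetical permission names. The paper notes that PermOF defines 18
# permissions enforced at the controller's API entry but does not list them.
PERMISSIONS = frozenset({"read_topology", "read_flows", "add_flow", "delete_flow"})


class NorthboundGate:
    """Authenticates applications, then applies least privilege per operation."""

    def __init__(self):
        self.registry = {}   # app_id -> frozenset of granted permissions
        self.events = []     # (time, app_id, outcome) for metric collection

    def register(self, app_id, permissions):
        """Grant an application a permission set and issue its token."""
        unknown = set(permissions) - PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        self.registry[app_id] = frozenset(permissions)
        return self._token_for(app_id)

    @staticmethod
    def _token_for(app_id):
        # Stand-in credential; the real mechanisms under evaluation (e.g.
        # 802.1X/RADIUS in AuthFlow) would replace this step.
        return hmac.new(CONTROLLER_KEY, app_id.encode(), hashlib.sha256).hexdigest()

    def request(self, t, app_id, token, operation):
        """Gate one northbound call at time t and record the outcome."""
        if app_id not in self.registry or not hmac.compare_digest(
            token, self._token_for(app_id)
        ):
            outcome = "unauthenticated"        # identity not established
        elif operation not in self.registry[app_id]:
            outcome = "denied"                 # authenticated, lacks permission
        else:
            outcome = "allowed"
        self.events.append((t, app_id, outcome))
        return outcome

    def metrics(self, window):
        """Outcome counts per time window, as Section III proposes to measure."""
        buckets = defaultdict(Counter)
        for t, _, outcome in self.events:
            buckets[t // window][outcome] += 1
        return {w: dict(c) for w, c in sorted(buckets.items())}

    def summary(self):
        """Totals: requests seen, and how many were authenticated or not."""
        unauth = sum(1 for _, _, o in self.events if o == "unauthenticated")
        return {
            "requests": len(self.events),
            "authenticated": len(self.events) - unauth,
            "unauthenticated": unauth,
        }


def run_demo():
    """Replay a constructed request trace and return the populated gate."""
    gate = NorthboundGate()
    tok_monitor = gate.register("monitor", {"read_topology", "read_flows"})
    tok_lb = gate.register("lb", {"read_flows", "add_flow", "delete_flow"})
    trace = [  # (time in seconds, app_id, token presented, operation)
        (0, "monitor", tok_monitor, "read_topology"),
        (1, "lb", tok_lb, "add_flow"),
        (2, "monitor", tok_monitor, "add_flow"),   # read-only app asks to write
        (3, "rogue", "deadbeef", "delete_flow"),   # never registered
        (5, "lb", tok_monitor, "delete_flow"),     # token bound to another app
        (6, "lb", tok_lb, "read_flows"),
    ]
    for t, app, tok, op in trace:
        gate.request(t, app, tok, op)
    return gate


if __name__ == "__main__":
    g = run_demo()
    print(g.metrics(window=5))
    print(g.summary())
```

The gate separates the two questions the paper wants to measure: whether an application could establish its identity at all (authenticated versus unauthenticated) and, once authenticated, whether the specific operation was within its granted permissions. Bucketing outcomes by time window is what a Mininet or NS3 driver would need in order to compare mechanisms under a varying number of applications.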
IV. CONCLUSION
Software Defined Networking (SDN) promises to introduce flexibility and programmability into the network by decoupling the control plane of a network into a dedicated controller entity. The key challenge addressed by [4], [6], [7], [8] is the lack of trust between the network applications and the controller entity, as there is no existing northbound API standard. The specific concern is then which authentication mechanism is well-performing and more reliable when subjected to different performance scenarios. In future work we plan to adopt three authentication mechanisms and simulate them using Mininet and NS3.
ACKNOWLEDGMENT
The authors would like to thank the work of all the
published papers, Jerome Mhlongo (fellow student at the
University of Zululand) and the Department of Computer
Science at the University of Zululand for the opportunity and
encouragement.
REFERENCES
[1] A. Akhunzada, A. Gani, N. Anuar, A. Abdelaziz, M. Khan, A. Hayat and S. Khan, "Secure and dependable software defined networks," Journal of Network and Computer Applications, pp. 2-7, 2015.
[2] T. Jose and J. Kurian, "Survey on SDN Security Mechanisms," International Journal of Computer Applications, vol. 132, 2015.
[3] Ashton, Metzler & Associates, "Ten Things to Look for in an SDN Controller," p. 4.
[4] S. Scott-Hayward, C. Kane and S. Sezer, "OperationCheckpoint: SDN Application Control," in 2014 IEEE 22nd International Conference on Network Protocols, North Carolina, 2014.
[5] Open Networking Foundation, "SDN Architecture Overview version 1.0," ONF, 2013.
[6] D. M. F. Mattos, L. H. G. Ferraz and O. C. M. Duarte, "AuthFlow: Authentication and Access Control Mechanism for Software Defined Networking," Brazil.
[7] X. Wen, Y. Chen, C. Hu, C. Shi and Y. Wang, "Towards a Secure Controller Platform for OpenFlow Applications," in Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN '13), 2013.
[8] M. Wang, J. Liu, J. Chen and J. Mao, "PERM-GUARD: Authenticating the Validity of Flow Rules in Software Defined Networking," in 2015 IEEE 2nd International Conference on Cyber Security and Cloud Computing (CSCloud), pp. 127-132.
[9] K. Cabaj, J. Wytrębowicz, S. Kukliński, P. Radziszewski and K. T. Dinh, "SDN Architecture Impact on Network Security," in Federated Conference on Computer Science and Information Systems, 2014.
[10] S. Lee, C. Lee, H. Jo, J. Kim, S. Lee, J. Nam, T. Park, C. Yoon, Y. Kim, H. Kang and S. Shin, "A Playground for Software-Defined Networking Security."
Siyabonga N. Masuku is a computer science honours student at
University of Zululand. He studied BSc Applied Mathematics and
Computer Science and graduated in the year 2016 at the University of
Zululand. He enjoys programming and his research interests include
security and databases.