CLÉ: Enhancing security with programmable dataplane enabled hybrid SDN

Wendi Feng, Chuanchang Liu, Zhi Li Zhang, Junliang Chen

Research output: Chapter in Book/Report/Conference proceedingConference contribution

2 Scopus citations


Network security is of paramount importance. However,”legacy” networks fail to provide security mechanisms to protect the network. Recent years have seen the prevalent in Software-defined Networking (SDN), and its programmability simplifies network management and provides possibilities to enhance security. Unfortunately, the full SDN deployment is cost-prohibitive and introduces the performance penalty to the controller due to the heavy traffic analyze workload, and thus influencing the network performance. We argue upgrading only a few legacy switches (LS) to SDN switches can achieve security and management benefits of the full SDN deployment, and implementing certain security network functions on the dataplane can minimize the performance penalty. In this paper, we propose Clé, a programmable dataplane (PD) enabled hybrid SDN security enhancement solution. Clé consists of a smart algorithm to select LSes to upgrade, a unified controller that automatically”attracts” traffic to programmable SDN switches, and the security network functions combined PD that can directly detect and mitigate threats without degrading the performance.

Original languageEnglish (US)
Title of host publicationCoNEXT 2019 Companion - Proceedings of the 15th International Conference on Emerging Networking EXperiments and Technologies, Part of CoNEXT 2019
PublisherAssociation for Computing Machinery, Inc
Number of pages2
ISBN (Electronic)9781450370066
StatePublished - Dec 9 2019
Event15th International Conference on Emerging Networking EXperiments and Technologies, CoNEXT 2019 - Part of CoNEXT 2019 - Orlando, United States
Duration: Dec 9 2019Dec 12 2019

Publication series

NameCoNEXT 2019 Companion - Proceedings of the 15th International Conference on Emerging Networking EXperiments and Technologies, Part of CoNEXT 2019


Conference15th International Conference on Emerging Networking EXperiments and Technologies, CoNEXT 2019 - Part of CoNEXT 2019
CountryUnited States

Bibliographical note

Funding Information:
the problem is that each flow’s path should have a PSS, where a flow is a ⟨source host, destination host⟩ pair. • Unified Controller attracts traffic to PSSes. It i) gathers address information from the ARP (Address Resolve Protocol) message and ii) uses the information to calculate the routes to each flow. iii) By using the calculated routing information, the controller broadcasts "decoy" ARP messages in the network and tells LSes the PSS knows where to send packets to the destination host. iv) Also, the unified controller generates flow tables to instruct PSSes forwarding packets. v) Upon receiving traffic, PSSes parse packets and detect possible threats with SNFs. • Clé Dataplane can be categorized into two parts. One is PSSes, and another is LSes. Clé does not modify anything on LSes. PSSes leverage the benefit of programmability and combine the basic forwarding functionality with SNFs. We use P4 [1] switches as our PSS and use the P4 language to implement the SNFs. Our PSSes also support security service function chaining that chains multiple SNFs together. We implement simple rule-based FW and IDS on PSSes. Stricter security enhancement may require deep packet inspection, and data can be encrypted which requires complex processing logic. To this end, we forward the packet to the unified controller with the PacktIn message to make further detection. 4 CONCLUSION AND FUTURE WORK We propose a PD enabled hybrid SDN based network security enhancement solution called Clé. It achieves the minimum cost by smartly selecting CLSes to upgrade and realizes full SDN-like security enhancement and simple network management without introducing the performance penalty by using the proposed unified controller along with the SNFs combined PD. Clé is now under development, we present Clé to inspire readers to leverage the benefit of partial SDN deployment and programmable dataplane. ACKNOWLEDGEMENT The work was supported by the National Natural Science Foundation of China under Grant No. U1536112 and the China Scholarship Council under Grant No. 201806470060, and in part by US NSF under Grants CNS-1411636, CNS-1618339, CNS-1617729, CNS-1814322, and CNS-1836772. REFERENCES [1] Bosshart, P., Daly, D., Gibb, G., Izzard, M., McKeown, N., Rexford, J., Schlesinger, C., Talayco, D., Vahdat, A., Varghese, G., and Walker, D. P4: Pro-gramming protocol-independent packet processors. SIGCOMM Comput. Commun. Rev. 44, 3 (July 2014), 87–95. [2] Jin, C., Lumezanu, C., Xu, Q., Mekky, H., Zhang, Z.-L., and Jiang, G. Magneto: Unified fine-grained path control in legacy and openflow hybrid networks. SOSR ’17, ACM, pp. 75–87. [3] Zimmer, B. LISA: A practical zero trust architecture. In Enigma 2018 (Enigma 2018) (Jan 2018), USENIX Association.

Publisher Copyright:
© 2019 held by the owner/author(s).

Fingerprint Dive into the research topics of 'CLÉ: Enhancing security with programmable dataplane enabled hybrid SDN'. Together they form a unique fingerprint.

Cite this