Network security is of paramount importance. However, "legacy" networks fail to provide security mechanisms to protect the network. Recent years have seen the prevalence of Software-Defined Networking (SDN), whose programmability simplifies network management and opens possibilities to enhance security. Unfortunately, full SDN deployment is cost-prohibitive and introduces a performance penalty at the controller due to the heavy traffic-analysis workload, which in turn degrades network performance. We argue that upgrading only a few legacy switches (LS) to SDN switches can achieve the security and management benefits of full SDN deployment, and that implementing certain security network functions on the dataplane can minimize the performance penalty. In this paper, we propose Clé, a programmable dataplane (PD) enabled hybrid SDN security enhancement solution. Clé consists of a smart algorithm to select LSes to upgrade, a unified controller that automatically "attracts" traffic to programmable SDN switches, and security network functions combined with the PD that can directly detect and mitigate threats without degrading performance.
|Original language||English (US)|
|Title of host publication||CoNEXT 2019 Companion - Proceedings of the 15th International Conference on Emerging Networking EXperiments and Technologies, Part of CoNEXT 2019|
|Publisher||Association for Computing Machinery, Inc|
|Number of pages||2|
|State||Published - Dec 9 2019|
|Event||15th International Conference on Emerging Networking EXperiments and Technologies, CoNEXT 2019 - Part of CoNEXT 2019 - Orlando, United States|
Duration: Dec 9 2019 → Dec 12 2019
|Name||CoNEXT 2019 Companion - Proceedings of the 15th International Conference on Emerging Networking EXperiments and Technologies, Part of CoNEXT 2019|
|Conference||15th International Conference on Emerging Networking EXperiments and Technologies, CoNEXT 2019 - Part of CoNEXT 2019|
|Period||12/9/19 → 12/12/19|
Bibliographical note
Funding Information:
the problem is that each flow’s path should have a PSS, where a flow is a ⟨source host, destination host⟩ pair.

• Unified Controller attracts traffic to PSSes. It i) gathers address information from ARP (Address Resolution Protocol) messages and ii) uses that information to calculate the route for each flow. iii) Using the calculated routing information, the controller broadcasts "decoy" ARP messages in the network that tell the LSes the PSS knows where to send packets for the destination host. iv) The unified controller also generates flow tables that instruct PSSes how to forward packets. v) Upon receiving traffic, PSSes parse packets and detect possible threats with SNFs.

• Clé Dataplane can be categorized into two parts: PSSes and LSes. Clé does not modify anything on LSes. PSSes leverage the benefit of programmability and combine basic forwarding functionality with SNFs. We use P4 switches as our PSSes and use the P4 language to implement the SNFs. Our PSSes also support security service function chaining, which chains multiple SNFs together. We implement a simple rule-based FW and IDS on PSSes. Stricter security enhancement may require deep packet inspection, and data may be encrypted, which requires complex processing logic. To this end, we forward the packet to the unified controller with a PacketIn message for further detection.

4 CONCLUSION AND FUTURE WORK

We propose a PD-enabled hybrid SDN network security enhancement solution called Clé. It achieves minimum cost by smartly selecting CLSes to upgrade, and realizes full-SDN-like security enhancement and simple network management without introducing a performance penalty, by using the proposed unified controller along with the SNF-combined PD. Clé is currently under development; we present it to inspire readers to leverage the benefits of partial SDN deployment and programmable dataplanes.
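The upgrade-selection constraint stated above (every flow's path must cross at least one PSS) is a hitting-set problem over flow paths. The following is an added example, not code from the Clé paper: it computes hop-count paths for each flow on a constructed toy topology, as the unified controller would, and picks switches to upgrade with a greedy heuristic. The paper does not say which algorithm it uses, so the greedy choice, the topology and the flow list are all assumptions.

```python
# Added example (not from the Clé paper). Greedy selection of legacy
# switches to upgrade so every flow path contains a PSS. The topology,
# the flows and the greedy heuristic are constructed assumptions.
from collections import deque

# Constructed toy topology: hosts h*, legacy switches s* (undirected links).
TOPOLOGY = {
    "h1": ["s1"], "h2": ["s1"], "h3": ["s4"], "h4": ["s5"],
    "s1": ["h1", "h2", "s2"],
    "s2": ["s1", "s3"],
    "s3": ["s2", "s4", "s5"],
    "s4": ["s3", "h3"],
    "s5": ["s3", "h4"],
}

# Constructed flows as <source host, destination host> pairs.
FLOWS = [("h1", "h3"), ("h2", "h4"), ("h3", "h4"), ("h1", "h2")]


def shortest_path(topo, src, dst):
    """BFS hop-count path, as the controller would compute for one flow."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in topo[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def switches_on_path(path):
    return {n for n in path if n.startswith("s")}


def select_pss(topo, flows):
    """Greedy hitting set: repeatedly upgrade the switch lying on the most
    still-uncovered flow paths until every flow path contains a PSS."""
    uncovered = {f: switches_on_path(shortest_path(topo, *f)) for f in flows}
    chosen = []
    while uncovered:
        counts = {}
        for sws in uncovered.values():
            for s in sws:
                counts[s] = counts.get(s, 0) + 1
        best = max(sorted(counts), key=counts.get)  # deterministic tie-break
        chosen.append(best)
        uncovered = {f: sws for f, sws in uncovered.items() if best not in sws}
    return chosen


def all_flows_covered(topo, flows, pss):
    """Check the paper's constraint: each flow path crosses at least one PSS."""
    return all(switches_on_path(shortest_path(topo, *f)) & set(pss) for f in flows)
```

On this topology the greedy pass upgrades s1 and s3, after which every constructed flow passes through a PSS; the check function is what a deployment would run after any topology or flow change.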
ACKNOWLEDGEMENT

The work was supported by the National Natural Science Foundation of China under Grant No. U1536112 and the China Scholarship Council under Grant No. 201806470060, and in part by US NSF under Grants CNS-1411636, CNS-1618339, CNS-1617729, CNS-1814322, and CNS-1836772.

REFERENCES

[1] Bosshart, P., Daly, D., Gibb, G., Izzard, M., McKeown, N., Rexford, J., Schlesinger, C., Talayco, D., Vahdat, A., Varghese, G., and Walker, D. P4: Programming protocol-independent packet processors. SIGCOMM Comput. Commun. Rev. 44, 3 (July 2014), 87–95.
[2] Jin, C., Lumezanu, C., Xu, Q., Mekky, H., Zhang, Z.-L., and Jiang, G. Magneto: Unified fine-grained path control in legacy and OpenFlow hybrid networks. SOSR ’17, ACM, pp. 75–87.
[3] Zimmer, B. LISA: A practical zero trust architecture. In Enigma 2018 (Jan 2018), USENIX Association.
© 2019 held by the owner/author(s).