Security in Network Virtualization: A Survey

  • Jee, Seung Hun (Dept. of Computer Science, Korea National Open University)
  • Park, Ji Su (Dept. of Computer Science and Engineering, Jeonju University)
  • Shon, Jin Gon (Dept. of Computer Science, Korea National Open University)
  • Received : 2020.01.20
  • Accepted : 2020.07.12
  • Published : 2021.08.31

Abstract

Network virtualization technologies have played an important role in deploying cloud, Internet of Things (IoT), big data, and 5G networks. We have conducted a survey of network virtualization technologies, namely software-defined networking (SDN), network functions virtualization (NFV), and network virtualization overlay (NVO). For each of these technologies, we explain the overall architecture, the technologies applied, and the advantages and disadvantages. Furthermore, this paper summarizes recent research on the security challenges of these technologies and their proposed solutions, focusing mainly on DDoS attacks and encryption.
