http://dx.doi.org/10.3837/tiis.2021.01.015

FRChain: A Blockchain-based Flow-Rules-oriented Data Forwarding Security Scheme in SDN  

Lian, Weichen (Department of Electronics and Communication Engineering Beijing Electronic Science & Technology Institute)
Li, Zhaobin (Department of Electronics and Communication Engineering Beijing Electronic Science & Technology Institute)
Guo, Chao (Department of Electronics and Communication Engineering Beijing Electronic Science & Technology Institute)
Wei, Zhanzhen (Department of Electronics and Communication Engineering Beijing Electronic Science & Technology Institute)
Peng, Xingyuan (Department of Electronics and Communication Engineering Beijing Electronic Science & Technology Institute)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS) / v.15, no.1, 2021, pp. 264-284
Abstract
As the next-generation network architecture, software-defined networking (SDN) has great potential, but forwarding data packets safely remains a major challenge. In SDN, packets are forwarded according to flow rules that are created and delivered by the controller. Once flow rules are modified, packets may be redirected or dropped. Based on related research, we believe that the key to forwarding data flows safely is keeping flow rules consistent. However, existing solutions place little emphasis on the safety of flow rules. After summarizing the shortcomings of the existing solutions, we propose FRChain to ensure the security of SDN data forwarding. FRChain is a novel scheme that uses blockchain to secure flow rules in SDN and to detect compromised nodes in the network when the proportion of malicious nodes is less than one-third. The scheme places the flow strategies into the blockchain in the form of transactions. Once an unmatched flow rule is detected, the system raises the problem by initiating a vote, and possible attacks are deduced from the results. To simulate the scheme, we use BigchainDB, which performs well in data processing, to handle transactions. The experimental results show that the scheme is feasible and that its additional overhead on network performance and system performance is lower than that of similar solutions. Overall, FRChain can detect suspicious behaviors and deduce malicious nodes to keep flow rules consistent in SDN.
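The following Python sketch is an added illustration of the mechanism the abstract describes; it is not code from the paper or from FRChain. It assumes a simplified model: each issued flow rule is recorded on a hash-chained ledger as a transaction carrying the rule's digest, a switch's installed rules are compared against that record, and a mismatch triggers a vote in which every node reports the digests it observed the controller issue; all rule contents, node names and the exact vote semantics are constructed assumptions.

```python
import hashlib
import json

def rule_digest(rule: dict) -> str:
    """Canonical SHA-256 digest of a flow rule (a constructed match/action dict)."""
    return hashlib.sha256(json.dumps(rule, sort_keys=True).encode()).hexdigest()

class FlowRuleLedger:
    """Hash-chained, append-only list of flow-rule transactions (assumed model)."""

    def __init__(self):
        self.txs = []

    def record(self, switch_id: str, rule: dict) -> dict:
        # Every transaction commits to its predecessor, so rewriting history is detectable.
        prev = self.txs[-1]["tx_hash"] if self.txs else "0" * 64
        tx = {"switch": switch_id, "rule_hash": rule_digest(rule), "prev": prev}
        tx["tx_hash"] = hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).hexdigest()
        self.txs.append(tx)
        return tx

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for tx in self.txs:
            body = {k: v for k, v in tx.items() if k != "tx_hash"}
            want = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if tx["prev"] != prev or tx["tx_hash"] != want:
                return False
            prev = tx["tx_hash"]
        return True

    def expected_for(self, switch_id: str) -> set:
        return {t["rule_hash"] for t in self.txs if t["switch"] == switch_id}

def find_unmatched(ledger: FlowRuleLedger, switch_id: str, installed: list) -> dict:
    # Compare what the ledger says was issued with what the switch actually holds.
    expected, actual = ledger.expected_for(switch_id), {rule_digest(r) for r in installed}
    return {"missing": expected - actual, "unexpected": actual - expected}

def vote_on_mismatch(ledger: FlowRuleLedger, switch_id: str, node_views: dict) -> str:
    # Assumed vote: each node reports the digests it saw the controller issue for the
    # switch; a strict two-thirds supermajority decides, so fewer than one-third malicious voters cannot flip it.
    expected, n = ledger.expected_for(switch_id), len(node_views)
    agree = sum(1 for view in node_views.values() if view == expected)
    if agree * 3 > 2 * n:
        return "switch_compromised"          # ledger confirmed; switch holds tampered rules
    if (n - agree) * 3 > 2 * n:
        return "controller_or_ledger_suspect"  # nodes dispute what the ledger recorded
    return "inconclusive"
```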
Keywords
SDN; Data Forwarding Security; Blockchain; Flow Rules; BigchainDB