Towards Robust, Accountable and Multitenancy-Friendly Control Plane in Software-Defined Networks

Abstract

Software-Defined Networking (SDN) has quickly emerged as a new promising technology for future networks. Its decoupling of the logically centralized control plane from the data plane makes the network management more flexible. However, recently, there are several trends to the computer networks that bring new challenges to the SDN. First, with the rapid expansion of computer networks, there will be much more network events along with the large volume of network traffic that brings the scalability issue to the SDN control plane. The scalability issue could bring even more challenging security threat. Second, the third-party applications in the SDN control plane are becoming more complex and prone to bugs/vulnerabilities. However, existing network diagnosis tools cannot directly apply to the SDN since they cannot reason the root causes within the buggy/vulnerable application. Third, many enterprise networks migrate to the Infrastructure-asa- Service clouds. However, existing IaaS clouds only allow the cloud administrator to enjoy the benefit of SDN. The cloud tenants are not able to enjoy the technique of SDN in the clouds due to several security and privacy issues. Motivated by these challenges, we aim to enhance several new features to the SDN control plane. Our target is to design a secure SDN control plane which is: 1) robust to handle spikes of data plane events and even flooding attacks; 2) accountable to give records and explanation about how the flow control decisions have been made to help the diagnosis of networking problems; and 3) multitenancy-friendly to allow multitenancy management of network functions in the Infrastructure-as-a-Service clouds. In this dissertation work, we propose three extensions to the SDN control plane to enhance the three new features. To make the SDN control plane robust, we design a scalable, efficient, lightweight, and protocol-independent defense framework for SDN networks to prevent the datato- control plane saturation attack. To make the SDN control plane accountable, we provide finegrained forensics and diagnosis functions in the SDN networks. To make the SDN control plane multitenancy-friendly, we introduce a new cloud usage paradigm: Bring Your Own Controller (BYOC), which offers each tenant an individual SDN controller, where tenants can deploy SDN applications to manage their network. We also propose how to design a new SDN control plane from the scratch by integrating the three extensions. The evaluation results show that our solution can meet the needs and achieve a secure SDN framework.