International Conference on Computing, Networking and Communications

Rapid detection of disobedient forwarding on compromised OpenFlow switches

Abstract

Software-defined networking (SDN) allows network administrators to manage network flows easily from a centralized controller. However, it also introduces new security threats to applications, controllers, OpenFlow switches, topology management and so on. In this work, we design a method to detect disobedient forwarding of flow-table entries on a compromised switch. To enhance detection efficiency and minimize additional network traffic, we reduce the number of detection packets required by aggregating flow entries. The method selects, from multiple switches, flow entries whose match fields can together compose a valid packet. The switches holding these entries form a path that the packet can travel along, enabling rapid detection. We evaluate the efficiency of this detection method for various topology types in typical data center networks using Mininet simulation. The experimental results demonstrate that the method can examine the forwarding correctness of around 3 flow entries simultaneously with each detection packet in a fat-tree topology. Furthermore, the scale of the network topology does not significantly affect the efficiency of the method.
