Secure Software-Defined Networking Based on Blockchain

Published 11 Jun 2019 in cs.CR | (1906.04342v1)

Abstract: Software-Defined Networking (SDN) separates the network control plane and data plane, which provides a network-wide view with centralized control (in the control plane) and programmable network configuration for data plane injected by SDN applications (in the application plane). With these features, a number of drawbacks of the traditional network architectures such as static configuration, non-scalability and low efficiency can be effectively avoided. However, SDN also brings with it some new security challenges, such as single-point failure of the control plane, malicious flows from applications, exposed network-wide resources and a vulnerable channel between the control plane and the data plane. In this paper, we design a monolithic security mechanism for SDN based on Blockchain. Our mechanism decentralizes the control plane to overcome single-point failure while maintaining a network-wide view. The mechanism also guarantees the authenticity, traceability, and accountability of application flows, and hence secures the programmable configuration. Moreover, the mechanism provides a fine-grained access control of network-wide resources and a secure controller-switch channel to further protect resources and communication in SDN.

Citations (18)

Summary

  • The paper presents a novel Blockchain-based mechanism that decentralizes the SDN control plane, mitigating single-point failures and enhancing network resilience.
  • The paper introduces authentication protocols and Attribute-Based Encryption to enforce fine-grained access control over network resources.
  • The paper demonstrates secure controller-switch communications using a modified HMQV protocol integrated with Blockchain, validated via a Floodlight-Hyperledger prototype.

The paper presents a novel security mechanism for Software-Defined Networking (SDN) leveraging Blockchain technology to address prevalent security challenges. It aims to enhance SDN's resilience by decentralizing the control plane, improving authentication for application flows, enforcing access control, and securing controller-switch communication channels.

Introduction to Blockchain in SDN

Blockchain technology provides decentralized, append-only, and transparent record keeping, properties that map onto several of SDN's security requirements. Separating the control and data planes gives SDN its scalability and efficiency, but it also concentrates risk: the controller becomes a single point of failure, and applications can inject malicious flow rules into the data plane. The paper proposes a monolithic security mechanism that adds a Blockchain layer beneath the existing SDN planes, decentralizing the control plane and providing authentication and auditing of application activity (Figure 1).

Figure 1: The new SDN architecture with the Blockchain layer appended.

Authentication and Traceability Mechanism

The paper specifies protocols that use Blockchain transactions to authenticate application flows and to make them traceable and accountable, which is what allows a malicious configuration to be attributed to its source. Application flows and the resulting network states are recorded on the Blockchain, so auditing and debugging run against a tamper-evident history rather than against controller logs alone. The flow authentication protocol verifies that a flow originates from a legitimate application before it is installed, and the recorded transactions allow replayed flows to be detected (Figure 2).

Figure 2: The overview of attacks on SDN architecture.
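The following is an added example, not code from the paper, of the checks such a flow authentication and traceability mechanism has to perform: an application authenticates each flow rule it submits, the controller verifies the authenticator, rejects replays by nonce and timestamp, and appends only accepted flows to an append-only hash chain that stands in for the Blockchain layer. All names, keys and flow rules are hypothetical, and HMAC with a key registered per application at the controller stands in for the asymmetric signature a deployment would use for non-repudiation.

```python
"""Added example (not the paper's code): authenticated, replay-protected flow
submission with an append-only hash chain standing in for the Blockchain."""
import hashlib
import hmac
import json

GENESIS_HASH = "0" * 64
SIGNED_FIELDS = ("app", "flow", "nonce", "ts")


def canonical(body):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def block_hash(prev_hash, tx):
    return hashlib.sha256(prev_hash.encode() + canonical(tx)).hexdigest()


def sign_flow(app_id, app_key, flow, nonce, ts):
    """Application side: build a flow transaction and authenticate it."""
    body = {"app": app_id, "flow": flow, "nonce": nonce, "ts": ts}
    sig = hmac.new(app_key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


class FlowLedger:
    """Append-only hash chain of accepted flow transactions."""

    def __init__(self):
        self.blocks = []

    def last_hash(self):
        return self.blocks[-1]["hash"] if self.blocks else GENESIS_HASH

    def append(self, tx):
        prev = self.last_hash()
        self.blocks.append({"prev": prev, "tx": tx, "hash": block_hash(prev, tx)})

    def verify_chain(self):
        """Auditor check: every block links to its predecessor and is unmodified."""
        prev = GENESIS_HASH
        for b in self.blocks:
            if b["prev"] != prev or block_hash(prev, b["tx"]) != b["hash"]:
                return False
            prev = b["hash"]
        return True

    def seen(self, app_id, nonce):
        return any(b["tx"]["app"] == app_id and b["tx"]["nonce"] == nonce
                   for b in self.blocks)

    def trace(self, app_id):
        """Accountability: every flow this application ever had accepted."""
        return [b["tx"]["flow"] for b in self.blocks if b["tx"]["app"] == app_id]


class Controller:
    def __init__(self, ledger, app_keys, max_skew=60):
        self.ledger, self.app_keys, self.max_skew = ledger, app_keys, max_skew

    def submit(self, tx, now):
        key = self.app_keys.get(tx.get("app"))
        if key is None:
            return "reject: unknown application"
        body = {k: tx.get(k) for k in SIGNED_FIELDS}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx.get("sig", "")):
            return "reject: bad signature"
        if abs(now - tx["ts"]) > self.max_skew:
            return "reject: stale timestamp"
        if self.ledger.seen(tx["app"], tx["nonce"]):
            return "reject: replay"
        self.ledger.append(tx)  # rejected flows never reach the ledger
        return "accepted"


# Constructed sample data: one firewall application with a registered key.
APP_KEYS = {"firewall-app": b"constructed-demo-key-not-for-production"}
DROP_RULE = {"match": {"ipv4_dst": "10.0.0.5"}, "actions": ["drop"]}


def demo():
    """Runs the accepted case and five rejection cases; returns (results, ledger)."""
    ledger = FlowLedger()
    ctl = Controller(ledger, APP_KEYS)
    key = APP_KEYS["firewall-app"]
    tx = sign_flow("firewall-app", key, DROP_RULE, "n-001", 1000)
    results = [
        ctl.submit(tx, now=1005),                                        # accepted
        ctl.submit(tx, now=1010),                                        # replayed verbatim
        ctl.submit(dict(tx, flow={"actions": ["output:2"]}), now=1010),  # edited rule, old sig
        ctl.submit(dict(tx, nonce="n-002"), now=1010),                   # new nonce, not re-signed
        ctl.submit(dict(tx, app="rogue"), now=1010),                     # unregistered app
        ctl.submit(sign_flow("firewall-app", key, DROP_RULE, "n-003", 1000), now=2000),  # stale
    ]
    return results, ledger
```

The order of checks matters: the authenticator is verified before the replay lookup so that an unauthenticated submitter cannot probe which nonces are already on the chain, and the timestamp window bounds how long the nonce set has to be retained.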

Decentralized Control Plane

SDN traditionally concentrates risk in a centralized control point. The paper replaces it with a decentralized control plane in which multiple controllers reach agreement through the Blockchain's consensus mechanism, so the failure or compromise of a single controller does not take down the network while all controllers still share a consistent network-wide view. Audit and notification protocols let participants check controllers' health and operational status, and switches are notified when a controller has failed.

Access Control Implementation

Attribute-Based Encryption (ABE) enforces fine-grained access control over network-wide resources such as the topology. A controller encrypts a resource under an access structure expressed over application attributes, so only applications whose attributes satisfy that structure can decrypt it; applications that do not qualify never obtain the resource in usable form. This prevents resource abuse across the network-wide topology (Figure 3).

Figure 3: The access control on the network-wide topology resources.
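As an added illustration, not code from the paper, the block below implements the threshold access tree at the core of tree-based ciphertext-policy ABE: a random secret is split down the tree with Shamir sharing, and an application recovers it, and with it the resource key, only if the attributes it holds satisfy the tree. Shares are plain field elements here, so this models the access-structure logic, not the pairing-based blinding that gives real ABE its collusion resistance. The policy, attribute names and topology record are constructed for the example.

```python
"""Added example (not the paper's code): threshold access-tree secret sharing
gating a topology resource on application attributes."""
import hashlib
import secrets

P = (1 << 127) - 1  # Mersenne prime; all share arithmetic is in GF(P)


def AND(*children):
    return (len(children), list(children))   # threshold n-of-n gate


def OR(*children):
    return (1, list(children))               # threshold 1-of-n gate


def share_secret(node, secret, shares):
    """Split `secret` over the tree. Leaves are attribute strings, gates are
    (threshold_k, children). Each leaf attribute receives one share."""
    if isinstance(node, str):
        assert node not in shares, "attributes must be unique within a tree"
        shares[node] = secret
        return shares
    k, children = node
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]  # q(0) = secret
    for idx, child in enumerate(children, start=1):
        q_idx = sum(c * pow(idx, e, P) for e, c in enumerate(coeffs)) % P
        share_secret(child, q_idx, shares)
    return shares


def lagrange_at_zero(points):
    """Recover q(0) from k points of a degree k-1 polynomial over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def reconstruct(node, attrs, shares):
    """Return the subtree's secret if `attrs` satisfy it, else None."""
    if isinstance(node, str):
        return shares[node] if node in attrs else None
    k, children = node
    points = []
    for idx, child in enumerate(children, start=1):
        value = reconstruct(child, attrs, shares)
        if value is not None:
            points.append((idx, value))
        if len(points) == k:
            break
    return lagrange_at_zero(points) if len(points) == k else None


def keystream(key, n):
    """SHA-256 in counter mode, enough for a demo stream cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor_bytes(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def protect_resource(policy, plaintext):
    """Controller side: encrypt a resource under an access structure."""
    secret = secrets.randbelow(P)
    shares = share_secret(policy, secret, {})
    key = hashlib.sha256(secret.to_bytes(16, "big")).digest()
    return shares, xor_bytes(plaintext, keystream(key, len(plaintext)))


def access_resource(policy, attrs, shares, ciphertext):
    """Application side: succeeds only if its attributes satisfy the policy."""
    secret = reconstruct(policy, set(attrs), shares)
    if secret is None:
        return None
    key = hashlib.sha256(secret.to_bytes(16, "big")).digest()
    return xor_bytes(ciphertext, keystream(key, len(ciphertext)))


# Constructed sample: topology readable by tenant A's monitoring apps or by admins.
TOPOLOGY = b'{"switches": ["s1", "s2"], "links": [["s1", "s2"]]}'
POLICY = OR(AND("role:monitor", "tenant:A"), "role:admin")
```

An AND gate is an n-of-n threshold, so a monitoring application of the wrong tenant holds only one of the two shares of that subtree and cannot interpolate its secret; the OR root then has no satisfied child and the resource key is never recovered.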

Controller-Switch Communication Security

For the controller-switch channel, the paper modifies the HMQV authenticated key-exchange protocol and anchors it in the Blockchain to establish secure channels between controllers and switches. The enhanced protocol resists replay attacks and supports self-updating keys, so communication remains authenticated and confidential even when some switches behave maliciously (Figure 4).

Figure 4: Transaction auditing graph. A dashed circle represents a starting point in an auditing process; green, blue, and purple directed edges correspond respectively to auditing of authentication for application flows, replay-attack detection for flows, and notification of failed controllers to switches.
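To make the base protocol concrete, the block below is an added example of plain HMQV, not the paper's modified variant, run over the RFC 3526 2048-bit MODP group with the peer's static public key looked up in a registry that stands in for the identity records the paper keeps on the Blockchain. Each session mints fresh ephemeral values, so the session key self-updates and a replayed ephemeral cannot reproduce an earlier key. Identifiers are hypothetical; the group constant is assumed to be transcribed correctly from the RFC, and the hash-to-exponent values d and e are used at full SHA-256 width rather than truncated as in the HMQV paper.

```python
"""Added example (not the paper's protocol): HMQV between a controller and a
switch, with static public keys taken from a registry (stand-in for the chain)."""
import hashlib
import secrets

# RFC 3526 group 14 (2048-bit MODP safe prime), generator 2. Assumed transcription.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2   # order of the subgroup generated by G
G = 2


def _int_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def hash_to_int(*parts):
    """Length-prefixed SHA-256 over ints and byte strings (HMQV's d, e and KDF)."""
    h = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else _int_bytes(part)
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")


def keygen():
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)


def valid_element(y):
    # For a safe prime, excluding 1 and P-1 rules out the order-2 subgroup.
    return 1 < y < P - 1


class HMQVParty:
    def __init__(self, ident, priv, pub):
        self.ident, self.priv, self.pub = ident, priv, pub
        self.x = self.X = None

    def ephemeral(self):
        self.x, self.X = keygen()   # fresh per session: the key self-updates
        return self.X

    def derive(self, peer_id, peer_pub, peer_eph, initiator):
        if not (valid_element(peer_pub) and valid_element(peer_eph)):
            raise ValueError("degenerate group element from peer")
        if initiator:   # we are A: d = H(X, idB), e = H(Y, idA), sigma = (Y * B^e)^(x + d*a)
            d = hash_to_int(self.X, peer_id.encode())
            e = hash_to_int(peer_eph, self.ident.encode())
            s = self.x + d * self.priv   # reducing mod Q is optional for correctness
            sigma = pow(peer_eph * pow(peer_pub, e, P) % P, s, P)
            a_id, b_id, X, Y = self.ident, peer_id, self.X, peer_eph
        else:           # we are B: sigma = (X * A^d)^(y + e*b)
            d = hash_to_int(peer_eph, self.ident.encode())
            e = hash_to_int(self.X, peer_id.encode())
            s = self.x + e * self.priv
            sigma = pow(peer_eph * pow(peer_pub, d, P) % P, s, P)
            a_id, b_id, X, Y = peer_id, self.ident, peer_eph, self.X
        # Both sides hold g^((x+da)(y+eb)); bind the key to identities and transcript.
        return hash_to_int(b"HMQV-session", sigma, a_id.encode(), b_id.encode(),
                           X, Y).to_bytes(32, "big")


CTL_PRIV, CTL_PUB = keygen()
SW_PRIV, SW_PUB = keygen()
REGISTRY = {"ctl-1": CTL_PUB, "sw-1": SW_PUB}   # stand-in for on-chain identity records


def run_handshake(switch=None):
    """One session between the controller and a switch; returns both sides' keys."""
    ctl = HMQVParty("ctl-1", CTL_PRIV, CTL_PUB)
    sw = switch or HMQVParty("sw-1", SW_PRIV, SW_PUB)
    X, Y = ctl.ephemeral(), sw.ephemeral()        # exchanged over the open channel
    k_ctl = ctl.derive("sw-1", REGISTRY["sw-1"], Y, initiator=True)
    k_sw = sw.derive("ctl-1", REGISTRY["ctl-1"], X, initiator=False)
    return k_ctl, k_sw


def impostor_gets_matching_key():
    """A party claiming to be 'sw-1' without the registered private key."""
    rogue = HMQVParty("sw-1", *keygen())
    k_ctl, k_rogue = run_handshake(switch=rogue)
    return k_ctl == k_rogue
```

The controller never trusts a public key sent in-band; it takes the switch's static key from the registry, which is the role the Blockchain plays in the paper's design. A party that cannot present the matching private key ends up with a different session key, and a peer sending 1 or P-1 as its ephemeral is rejected before any exponentiation.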

Prototype Implementation

The prototype is built on the Floodlight SDN controller integrated with the Hyperledger Fabric Blockchain. Floodlight modules are extended with Blockchain providers that submit and validate transactions, and a communication framework akin to Web3j bridges the SDN side and the Blockchain side so that the protocols execute end to end (Figure 5).

Figure 5: Schematic of our architecture prototype.

Conclusion

The proposed Blockchain-based mechanism addresses several fundamental SDN security concerns at once: decentralized control, authenticated and accountable application flows, attribute-based access control, and a secure controller-switch channel. The authors argue that the architecture improves scalability and robustness, and support its security claims with theoretical analysis and the prototype implementation. Future work may involve optimizing protocol efficiency and exploring broader uses of Blockchain within SDN.
