Towards Proactive SDN-Controller Attack and Failure Resilience

Title: Towards Proactive SDN-Controller Attack and Failure Resilience
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Azab, M., Fortes, J. A. B.
Conference Name: 2017 International Conference on Computing, Networking and Communications (ICNC)
ISBN Number: 978-1-5090-4588-4
Keywords: central SDN controller, checkpointing, Collaboration, composability, computer network performance evaluation, computer network security, Containers, control systems, controller resilience, controller sandboxing mechanism, controller/host isolation, data center networks, failure resilience, failure-and-attack-resilient execution, generic hardware platforms, host-based attacks, Linux, Linux containers, Linux-containers, live remote checkpointing, Moving-Target Defense, network performance, PAFR, plug-and-play operation, policy, Policy-Governed Secure Collaboration, Policy-Governed systems, proactive SDN-controller attack, resilience, Sandboxing, SDN networks, security, Servers, software defined modules, software defined networking, Software-Defined Networks, virtualization

SDN networks rely mainly on a set of software defined modules, running on generic hardware platforms, and managed by a central SDN controller. The tight coupling and lack of isolation between the controller and the underlying host limit the controller resilience against host-based attacks and failures. That controller is a single point of failure and a target for attackers. "Linux-containers" is a successful thin virtualization technique that enables encapsulated, host-isolated execution-environments for running applications. In this paper we present PAFR, a controller sandboxing mechanism based on Linux-containers. PAFR enables controller/host isolation, plug-and-play operation, failure-and-attack-resilient execution, and fast recovery. PAFR employs and manages live remote checkpointing and migration between different hosts to evade failures and attacks. Experiments and simulations show that the frequent employment of PAFR's live-migration minimizes the chance of successful attack/failure with limited to no impact on network performance.
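The abstract's central claim is a trade-off: migrating the sandboxed controller often enough denies an attacker the contiguous time needed on one host, while each migration costs some controller downtime. The following is an added toy model written for this page, not code or results from the PAFR paper. Its assumptions are its own: the attacker needs `discover` seconds to locate the controller's current host plus `exploit` seconds of uninterrupted work on it, every live migration wipes that progress, migrations follow either a fixed period or exponentially distributed intervals with the same mean, and each migration costs `downtime` seconds of unavailability. The per-attempt closed forms are checked against a small Monte Carlo run.

```python
"""Toy moving-target model for a container-sandboxed SDN controller.

Added illustration, not the paper's model. Assumed attacker/defender
parameters (all in seconds):
  discover       time to find which host currently runs the controller
  exploit        contiguous time needed on that host to compromise it
  mean_interval  mean time between live migrations
  downtime       controller unavailability per migration
A migration resets the attacker's progress, so the attacker wins only if
discover + exploit fits inside a single stay on one host.
"""
import math
import random


def per_attempt_success_fixed(discover, exploit, interval):
    """Fixed schedule, attacker starting right after a migration:
    success is certain iff the whole sequence fits in one period."""
    return 1.0 if discover + exploit <= interval else 0.0


def per_attempt_success_random(discover, exploit, mean_interval):
    """Exponential inter-migration times: the controller stays on the
    current host at least discover+exploit seconds with probability
    exp(-(discover + exploit) / mean_interval)."""
    return math.exp(-(discover + exploit) / mean_interval)


def success_within(attempts, p_attempt):
    """Probability that at least one of `attempts` independent tries wins."""
    return 1.0 - (1.0 - p_attempt) ** attempts


def availability(mean_interval, downtime):
    """Fraction of time the controller is reachable: one migration per
    mean_interval seconds, each costing `downtime` seconds."""
    return max(0.0, 1.0 - downtime / mean_interval)


def simulate(discover, exploit, mean_interval, horizon, randomized,
             trials=20000, seed=1):
    """Monte Carlo check: attacker restarts after every migration; return the
    fraction of runs in which an exploit completes before `horizon`."""
    rng = random.Random(seed)
    needed = discover + exploit
    wins = 0
    for _ in range(trials):
        t = 0.0                      # current time, attacker restarts here
        nxt = (rng.expovariate(1.0 / mean_interval) if randomized
               else mean_interval)   # time of the next migration
        won = False
        while t < horizon:
            finish = t + needed
            if finish <= nxt and finish <= horizon:
                won = True           # stayed on one host long enough
                break
            if nxt >= horizon:
                break                # horizon ends before another attempt
            t = nxt                  # migration: progress lost, start over
            nxt = t + (rng.expovariate(1.0 / mean_interval) if randomized
                       else mean_interval)
        wins += won
    return wins / trials


if __name__ == "__main__":
    # Attacker needs 30 s on a host; compare 60 s vs 20 s migration periods.
    for interval in (60, 20):
        print(f"interval={interval}s fixed:{simulate(10, 20, interval, 600, False, trials=2000):.3f} "
              f"random:{simulate(10, 20, interval, 600, True, trials=2000):.3f} "
              f"availability:{availability(interval, 0.5):.4f}")
```

The fixed schedule is all-or-nothing: once the period drops below the attacker's required dwell time, the attack never completes, and the price is only `downtime / interval` of lost availability. Randomizing the schedule with the same mean is not free: a long interval occasionally leaks through, so under these assumptions the attacker can still win over a long enough horizon even when the mean period is below the dwell time.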

Citation Key: azab_towards_2017