VIET NAM NATIONAL UNIVERSITY - HO CHI MINH CITY
HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY
HO QUANG CHI BAO
BUILDING A FRAMEWORK FOR SECURED OPENFLOW SWITCH BASED ON FPGA
XÂY DỰNG FRAMEWORK CHO SECURED OPENFLOW SWITCH TRÊN PHẦN CỨNG FPGA
MAJOR: COMPUTER SCIENCE    MAJOR ID: 60.48.01
MASTER THESIS
HO CHI MINH CITY - DEC 2016
SCIENTIFIC ADVISOR: Assoc.Prof.Dr TRAN NGOC THINH
THE THESIS IS COMPLETED AT
HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY - VNU HCM
Scientific advisor: Assoc.Prof.Dr Tran Ngoc Thinh (signature)
The second reviewer: Assoc.Prof.Dr Tran Manh Ha
The master thesis is defended at Ho Chi Minh City University of Technology (HCMUT), Viet Nam National University Ho Chi Minh City (VNU HCM) on 2016.
The scientific council has been formed with the members below:
1 Assoc.Prof.Dr Pham Tran Vu
2 Dr Pham Quoc Cuong
3 Dr Pham Hoang Anh
4 Assoc.Prof.Dr Nguyen Manh Ha
5 Dr Bui Trong Tu
The master thesis has been approved by the chair of the scientific council and the dean of the Faculty of Computer Science and Engineering after corrections (if any).
VIET NAM NATIONAL UNIVERSITY - HCM    SOCIALIST REPUBLIC OF VIET NAM
HCMC UNIVERSITY OF TECHNOLOGY    Independence - Liberty - Happiness
THE MASTER THESIS RESPONSIBILITY
I THESIS NAME:
Building a Framework for Secured OpenFlow Switch Based on FPGA
II RESPONSIBILITY AND CONTENT:
The thesis aims to research and build a framework for detecting and preventing several kinds of network attack mechanisms based on the OpenFlow network. The research proposes a novel multi-core architecture associated with a high-speed OpenFlow switch to make such a switch able to defend against network attacks from the data plane of the OpenFlow network architecture.
V SCIENTIFIC ADVISOR: Assoc.Prof.Dr Tran Ngoc Thinh.
Ho Chi Minh City, December 04th, 2016
(Name and signature)    (Name and signature)
DEAN
Faculty of Computer Science and Engineering
(Name and signature)
ACKNOWLEDGMENTS
First and foremost, I respectfully express my gratefulness to my advisor, Associate Professor Tran Ngoc Thinh, for his warm support, taking the time from the beginning of my work to orient the research, and during each step of the thesis process.
My sincere thanks also go to my teachers at the Faculty of Computer Science & Engineering, Ho Chi Minh City University of Technology, who provided a lot of knowledge for me during my master's course.
At the Computer Engineering Laboratory, I would also like to thank Nguyen Bao Quoc, Tran Thi Thuy Chau, Ngo Duc Minh and the many other individuals who made efforts to help me in the prototype system implementation. Moreover, I owe thanks to Doctor Cuong Pham-Quoc, who has guided me and improved my skills a lot while writing papers and the thesis.
Last but importantly, I would like to say thank you so much to my family, especially my Dad and my deceased Mum. I could not go far on my way without your encouragement. Again, I give my gratefulness to you, regarding the many sacrifices you made. I am proud to be your son.
Ho Chi Minh City, December 4th, 2016
Ho Quang Chi Bao
ABSTRACT
In recent years, virtualization technology in the field of computer science and engineering has grown powerfully to meet the increasing complexity of customers' demands while offering services to them. Especially, the advent of cloud computing has changed the Information Technology industry significantly. One important change is the improvement of IT infrastructure to offer a virtualized capacity at the network level for centralizing system monitoring and management, quickly deploying services, and efficiently expanding a service. The Software Defined Networking (SDN) approach has been introduced to deal with these practical demands.

The SDN approach has offered several benefits compared to the traditional network, such as centralized controlling and monitoring, virtualization and automation at the network level. The main idea of the SDN approach, which is decoupling the control plane from the data plane, makes SDN able to deal with almost all requirements that network infrastructure requests. However, alongside these benefits, the SDN approach has brought a big challenge involving security issues, which makes not only researchers but also network manufacturers consider it carefully, especially in the scenario that more and more network attacks are being performed with increasing complexity of technology as well as quantity of attacks. By the idea of centralized controlling at a controller, it becomes a single point of failure in the network and an attractive target for cyber-attackers. In case the controller has been attacked and has collapsed, the whole network operation will be suspended and frozen immediately. Therefore, the protection of the SDN controller is a critical and urgent mission. To protect the controller, in addition to making it stronger and more reliable, the idea of defending against network attacks from the SDN data plane should be considered because it helps the network system defend itself earlier, reducing the risk of the whole network shutting down.

Stemming from this idea, we propose a secured OpenFlow-based switch architecture in this thesis. The architecture is a combination of OpenFlow Processing that routes packets according to the OpenFlow protocol and Security Processing that defends against network attacks. In particular, the work of the master's thesis began by proposing an architecture and constructing a kind of OpenFlow switch with integrated security functions to examine and evaluate the feasibility of the idea. Based on experimental results, the work goes on to study and develop a framework to provide a utility for studying the security issues of OpenFlow networks with the trend of defending against attacks from the data plane. We have employed reconfigurable hardware to deploy our ideas because of the flexibility and high performance of such devices to build a secured OpenFlow switch. By applying a multi-core architecture to implement secured cores, the proposed switch can work not only as an OpenFlow-based forwarding device but also as a network protection system.

We implement our prototype switch on a Xilinx Virtex 5 xc5vtx240t FPGA device. In this prototype version, we integrate three different DDoS countermeasure techniques, the Hop-Count Filter, the Port Ingress/Egress Filter, and the SYN Defender, with two combination scenarios. The first scenario is the integration of the Hop-Count and Port Ingress/Egress Filter. In the second scenario, we combine the Port Ingress/Egress Filter with the SYN Defender. The experimental results show that the switch in the first scenario achieves a packet processing throughput of up to 9.87 Gbps in half duplex and 19.74 Gbps in full duplex mode. The switch can achieve a 100 % attack detection rate and obtain a 0 % false positive rate and a 0 % false negative rate. However, the dropped packet rate of the overall system is approx. 0.001 % because of the FIFO size limitation. In this scenario, the system consumes 39 % Look-Up Tables, 43 % Registers, and 64 % Block RAM of the FPGA device. In the second scenario, the hardware resources consumed are 41 % Look-Up Tables, 45 % Registers, and 61 % Block RAM. Since the first implementation comprises many limitations, especially the timing score problem, the system can work only against SYN Flood attacks at ≈ 4 Gbps. In case the SYN Flood attack rate exceeds this threshold, these SYN packets can reach the controller or the protected host. However, this problem depends on the place-and-route procedure of the synthesis tool, so we can optimize it by several methods and techniques to improve the protecting capacity of the system.
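The first scenario above (Hop-Count Filter followed by Port Ingress/Egress Filter, scored by detection rate, false-positive rate and false-negative rate) can be modelled in software to see what each core decides for a packet. The block below is an added example and is not the thesis's HDL cores or the framework's code; it assumes the textbook forms of both techniques (hop count inferred from the TTL against a per-source table of learned hop counts; per-port source-prefix checks for ingress and egress), and the port layout, hop-count table and packet mix are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed packet record: the header fields the security cores would see after parsing.
@dataclass(frozen=True)
class Packet:
    in_port: int
    src: str
    ttl: int
    is_attack: bool  # ground-truth label, used only for scoring (not visible to the filters)

# Initial TTL values used by common IP stacks; the hop-count inference assumes one of them.
INITIAL_TTLS = (32, 64, 128, 255)

def infer_hop_count(ttl: int) -> int:
    """Hop count = smallest plausible initial TTL at or above the observed TTL, minus the TTL."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    raise ValueError("TTL out of range")

def hop_count_filter(pkt: Packet, hc_table: dict) -> bool:
    """Hop-Count Filter: pass only if the learned hop count for the source agrees with the one
    inferred from this packet's TTL. Sources not yet in the table are passed (assumption)."""
    expected = hc_table.get(pkt.src)
    return expected is None or infer_hop_count(pkt.ttl) == expected

def port_ingress_egress_filter(pkt: Packet, port_prefixes: dict, internal: tuple, uplink: int) -> bool:
    """Port Ingress/Egress Filter: a source address must be plausible for the port it arrived on."""
    src = ip_address(pkt.src)
    if pkt.in_port == uplink:
        # Border side: nothing arriving from outside may claim an internal address.
        return not any(src in net for net in internal)
    # Internal side: each port only admits the prefixes assigned to it.
    return any(src in net for net in port_prefixes.get(pkt.in_port, ()))

def security_pipeline(pkt: Packet, hc_table: dict, port_prefixes: dict, internal: tuple, uplink: int) -> str:
    """First scenario: PIEF then HCF; a packet is forwarded only if it passes both."""
    if not port_ingress_egress_filter(pkt, port_prefixes, internal, uplink):
        return "drop:pief"
    if not hop_count_filter(pkt, hc_table):
        return "drop:hcf"
    return "forward"

def score(packets, verdicts) -> dict:
    """Detection rate, false-positive rate and false-negative rate, as reported in the abstract."""
    tp = sum(1 for p, v in zip(packets, verdicts) if p.is_attack and v != "forward")
    fn = sum(1 for p, v in zip(packets, verdicts) if p.is_attack and v == "forward")
    fp = sum(1 for p, v in zip(packets, verdicts) if not p.is_attack and v != "forward")
    tn = sum(1 for p, v in zip(packets, verdicts) if not p.is_attack and v == "forward")
    return {
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "fpr": fp / (fp + tn) if fp + tn else 0.0,
        "fnr": fn / (fn + tp) if fn + tp else 0.0,
    }

# Constructed configuration: ports 1 and 2 face internal subnets, port 3 is the uplink.
PORT_PREFIXES = {1: (ip_network("10.0.1.0/24"),), 2: (ip_network("10.0.2.0/24"),)}
INTERNAL = (ip_network("10.0.0.0/16"),)
UPLINK = 3
# Constructed hop-count table, as it would have been learned from earlier legitimate traffic.
HC_TABLE = {"10.0.1.5": 1, "203.0.113.7": 12}

# Constructed traffic mix: legitimate packets plus spoofed ones of the kinds each filter catches.
SAMPLE_PACKETS = [
    Packet(1, "10.0.1.5", 63, False),      # internal host, 64-63 = 1 hop -> matches table
    Packet(3, "203.0.113.7", 116, False),  # external host, 128-116 = 12 hops -> matches table
    Packet(3, "203.0.113.7", 250, True),   # spoofed 203.0.113.7: 255-250 = 5 != 12 -> HCF drops
    Packet(3, "10.0.1.9", 60, True),       # internal source arriving from the uplink -> PIEF drops
    Packet(2, "10.0.1.5", 63, True),       # 10.0.1.x source on the 10.0.2.0/24 port -> PIEF drops
    Packet(1, "10.0.1.22", 64, False),     # unknown internal source -> passed
    Packet(3, "198.51.100.4", 50, False),  # unknown external source -> passed
]

def run_filter_demo() -> dict:
    verdicts = [security_pipeline(p, HC_TABLE, PORT_PREFIXES, INTERNAL, UPLINK) for p in SAMPLE_PACKETS]
    return {"verdicts": verdicts, "metrics": score(SAMPLE_PACKETS, verdicts)}

if __name__ == "__main__":
    result = run_filter_demo()
    for p, v in zip(SAMPLE_PACKETS, result["verdicts"]):
        print(f"port {p.in_port} src {p.src:14} ttl {p.ttl:3} -> {v}")
    print(result["metrics"])
```

The two filters are complementary: PIEF catches addresses that cannot belong to the arrival port at all, while HCF catches a plausible address whose TTL does not fit the path it claims to have travelled. Passing unknown sources through HCF is the choice that keeps the false-positive rate at zero; it also means the table must be learned from traffic that is already trusted.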
Master's Thesis Summary (Vietnamese abstract, translated)

In recent years, virtualization technology in the field of computer science and engineering has developed ever more strongly to meet increasingly complex demands when providing services to customers. Especially, the advent of cloud computing services has driven major changes in the IT industry. One of the important changes is the improvement of the information technology infrastructure to meet the need for virtualization at the network level, aiming at centralized management and monitoring, rapid service deployment and easy service expansion. The Software Defined Networking (SDN) approach arose from this practical need.

Since its appearance, the SDN approach has brought more benefits than the traditional networking approach. The idea of separating the control plane from the data plane has enabled SDN to meet the urgent demands that modern network infrastructure requires. However, alongside those benefits, security for SDN has become a major challenge for researchers as well as network equipment manufacturers, in a context where the world suffers more and more network attacks in both number and attack technique, especially the denial-of-service attack technique (DDoS). The very idea of separating control from data forwarding in order to centralize network control at the Controller has inadvertently turned it into a weak point of the system and the main target of attackers. When the controller of the network collapses, the whole operation of the network is paralyzed. Therefore, protecting the controller in the SDN architecture is an important and urgent task. To protect the controller, besides strengthening the controller itself, the idea of defending against attacks from the data plane is also worth considering because it proves effective in giving the network an early defence before attack packets reach the controller, thereby reducing the risk of the whole system collapsing because the controller is compromised.

Starting from this idea, we propose a security architecture for the switching device of the OpenFlow network, which is the most popular and successful instance of the SDN approach. This is an architecture that combines the OpenFlow processing function, which forwards packets according to the OpenFlow protocol, with the security processing function to counter network attacks. More specifically, the research of this master's thesis begins by proposing an architecture and building a kind of OpenFlow switch with additional security functions integrated at the hardware level, in order to test and evaluate the feasibility of the idea. On that basis, the work moves toward researching and building a framework that provides utilities for studying security problems of OpenFlow networks, in the direction of countering network attacks from the data plane layer. The research uses reconfigurable hardware to exploit its flexibility and high-speed responsiveness to build the OpenFlow switch. By applying a multi-core architecture to implement the security cores, the switch following the proposed architecture can respond flexibly and adapt to each particular kind of attack.

We implement a prototype of the switch following the proposed architecture on a Xilinx Virtex 5 xc5vtx240 FPGA device. In this prototype, we integrate three basic and popular DDoS countermeasure techniques, namely the Hop-Count packet filter, the Port Ingress/Egress filter and the SYN Defender, in two combination scenarios for the network attack defence block. The first scenario is the combination of the Hop Count and Port Ingress/Egress techniques. In the second scenario, we build the security block by combining the Port Ingress/Egress filter with the SYN Defender. The test results show that the prototype switch in the first scenario achieves a packet processing rate of 9.87 Gbps in half-duplex mode and 19.74 Gbps in full-duplex mode. The system's attack packet detection capability reaches 100 %, with the rate of misclassifying attack packets as valid packets and the rate of misclassifying valid packets as attack packets both equal to 0 %. However, because of the limited size of the network port input buffers, the system as a whole still loses packets
the whole system in the first scenario occupies 39 % Look-Up Tables, 43 % Registers, and 64 % Block RAM of the FPGA device.

For the second implementation scenario, the hardware resources occupied by the system are 41 % Look-Up Tables, 45 % Registers and 61 % Block RAM. Since this is the first implementation, the SYN Flood defence capability
SYN attack exceeds 4.0 Gbps, these packets pass through the system and reach the controller, and also get through to the host that needs protection. However, this problem depends on the place-and-route characteristics of the implementation tool, so we can optimize and improve it by many different methods and techniques to enhance the system's attack defence capability.
Statement of Originality
I hereby declare that the research recorded in this thesis and the thesis itself were composed and originated entirely by myself at the Faculty of Computer Science and Engineering (CSE), Ho Chi Minh City University of Technology (HCMUT), Vietnam National University - Ho Chi Minh City (VNU HCM).
Parts of this work have previously been published in the scientific papers below:
• Bao Ho, Quoc Nguyen, Cuong Pham-Quoc and Tran Ngoc Thinh, "Secured-OFS: A Novel OpenFlow Switch Architecture with Integrated Security Functions", The Advanced of International Conference on Advances in Information and Communication Technology (ICTA 2016), 12-13 December, 2016, Thai Nguyen, Vietnam
• Bao Ho, Cuong Pham-Quoc, Tran Ngoc Thinh and Nam Thoai, "A Secured OpenFlow-based Switch Architecture", International Conference on Advanced Computing and Applications (ACOMP 2016), 23-25 November, 2016, Can Tho, Vietnam
Ho Quang Chi Bao
CONTENTS
1.1 Problem overview 2
1.2 Thesis challenges 4
1.3 Contributions 5
1.4 Thesis organization 6
1.5 Summary 7
2 Background and Related work 8
2.1 Software Defined Network: an overview 8
2.2 Security approaches for OpenFlow network 11
2.3 Field Programmable Gate Array 14
2.4 The NetFPGA platforms 17
2.5 Summary 18
3 Proposed Architecture 19
3.1 The Ingress component 19
3.2 The Egress component 20
3.3 The Engine component 21
3.3.1 Incoming Packet Processing 21
3.3.2 OpenFlow Processing 22
3.3.3 Packet FIFO 23
3.3.4 Security Processing 24
3.3.5 Outgoing Packet Processing 25
3.4 Summary 25
4 Prototype Switch 27
4.1 Security Processing 27
4.1.1 Hop-Count filtering 28
4.1.2 Port Ingress/Egress filtering 29
4.1.3 SYN Defender core 30
4.2 Hardware resources usage 32
4.3 Summary 33
5 The OpenFlow-based Network Framework 34
5.1 The architecture of the framework 34
5.1.1 The graphic user interface layer 34
5.1.2 The software development layer (SDK) 35
5.1.3 The plugin layer 37
5.2 Framework implementation 39
5.3 Summary 39
6 Experimental Results 40
6.1 Experimental setup 40
6.2 Experiment Results 41
6.3 Summary 45
7 Conclusions and Future work 46
7.1 Summary 46
7.2 Contributions 47
7.3 Future work 48
7.3.1 Architecture open issues 48
7.3.2 Prototype switch open issues 48
Bibliography 50
A Simulation Waveform 55
A.1 First packet processing waveform of the first scenario 56
A.2 First packet processing waveform of the second scenario 57
B Publications 58
B.1 Secured-OFS: A Novel OpenFlow Switch Architecture with Integrated Security Functions 58
B.2 A Secured OpenFlow-based Switch Architecture 70

LIST OF FIGURES
1.1 The increasing of internet users through the last decade 2
1.2 Survey Peak Attack Size Year Over Year. Source: Arbor Network, Inc. 3
2.1 Layered view of networking functionality 9
2.2 Three major security problems of OpenFlow network 11
2.3 The basic architecture of an FPGA device 15
2.4 A configurable logic block in a modern FPGA architecture 16
2.5 The NetFPGA 10G platform 17
3.1 The proposed switch architecture 20
3.2 The Flow Table architecture 24
3.3 The flow for processing an incoming network packet 26
4.1 The Hop-Count Filtering Core architecture 29
4.2 The Port Ingress/Egress Filtering Core architecture 29
4.3 The SYN Defender Core architecture 31
4.4 The SYN Defender operation 32
5.1 The architecture of the proposed OpenFlow-based Network Framework 35
5.2 The first released OpenFlow-based Network Framework 39
6.1 The testing model of proposed switch 42
6.2 Connection of proposed switch and test agent 43
6.3 Performance testing of the proposed switch 44
A.1 First packet processing waveform of the first scenario: HCF & PIEF 56
A.2 First packet processing waveform of the second scenario: PIEF & SYN Defender 57

LIST OF TABLES
6.1 First packet processing timing of proposed switch in the first

LISTINGS
In recent years, the Internet has been developing well in many aspects such as users, network services, and speed. During the last decades, Internet users have been increasing linearly, not only in terms of total users but also in terms of the percentage of the population. Currently, there are more than 3 billion Internet users [Stats, 2016]. Figure 1.1 illustrates the increase of Internet users through the last decade¹.

In other aspects, as of November 2016, the total number of websites is more than 1 billion. According to the Internet Live Stats website, on average, more than 3 billion GB of data are transferred through the Internet while more than 4 billion Google searches are done per day.

To provide such a large number of users with excellent network-based services, many approaches have been proposed and implemented both in academia and industry. As one of the most emerging approaches, Software Defined Networking (SDN) [Goransson and Black, 2014] has been considered as an alternative to traditional networks. SDN has been investigated and studied by both academia and commercial organizations because of its many advantages compared to the traditional approaches. Computer networks are configured manually in traditional networks, while the SDN approach has many benefits such as centralized control and monitoring, simple hardware devices, and high virtualization. The SDN architecture decouples network control from forwarding functions so that network control becomes programmable. In the SDN architecture, network control includes controllers programmed by network administrators through software interfaces. Each controller is responsible for handling a number of forwarding devices that process forwarding functions. Those forwarding devices route network packets from source nodes to destination nodes according to the network configuration.

¹ Source: Internet Live Stats website: http://www.internetlivestats.com/

[Figure 1.1: The increase of Internet users through the last decade (y-axis: Internet users as % of population, 0 to 50)]
One of the most famous and useful SDN instances is the OpenFlow network [McKeown et al., 2008], which not only is quite popular in academia but also is an industry standard [Gelberger et al., 2013], the so-called OpenFlow protocol. Based on the SDN architecture, the OpenFlow network architecture also decouples network control from forwarding functions. Therefore, the OpenFlow network takes all the advantages of the SDN paradigm. Moreover, by optimizing elements such as controllers and forwarding devices, the OpenFlow network can be implemented as software programs or be developed using hardware platforms.

Although SDN has many advantages compared to traditional network approaches, several security issues exist in both the architectures of SDN and OpenFlow. Much research in the literature has analysed vulnerabilities of both SDN and OpenFlow [Farhady et al., 2015; Hu et al., 2014; Kreutz et al., 2013; Nunes et al., 2014]. The survey in [Hu et al., 2014] discussed seven threats in an SDN system which can be exploited. There are many efforts to overcome these problems [Shin et al., 2014; Tootoonchian and Ganjali, 2010]. According to the specification of OpenFlow, a cyber-attacker can apply many attack types (e.g. a flooding attack technique, a type of DDoS) to forwarding devices (switches) which are working in reactive mode. Attackers can force all forwarding devices simultaneously to send a lot of packets to the corresponding controller (switches in an OpenFlow network are associated with a controller) to make the controller overloaded and frozen. Because of the logically centralized feature of controllers, research in the literature has focused mainly on how to make controllers more efficient, robust, and reliable. This means that the dependable capacity of a forwarding device is still an open issue.
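The overload path described in the paragraph above (table misses on reactive switches turning into a burst of packet-in messages at the controller) leaves a signature that a defender can watch for before the controller is saturated: a single ingress port raising far more table-miss events per second than usual, typically from many distinct source addresses. The block below is an added example, not the thesis's switch logic or framework code; the log format, the window and threshold values, and the sample events are all constructed for the illustration.

```python
import re
from collections import defaultdict, deque

# Constructed log format (not the thesis's or any real controller's format): one table-miss
# event per line, as a controller or the switch's statistics module could record it.
PACKET_IN_RE = re.compile(r"^(?P<t>\d+) dpid=(?P<dpid>\S+) in_port=(?P<port>\d+) src=(?P<src>\S+)$")

def parse_packet_in(line: str) -> dict:
    """Parse one constructed packet-in record; the timestamp is in milliseconds."""
    m = PACKET_IN_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable packet-in record: {line!r}")
    return {"t": int(m["t"]), "dpid": m["dpid"], "port": int(m["port"]), "src": m["src"]}

def detect_packet_in_flood(lines, window_ms: int = 1000, threshold: int = 5) -> list:
    """Flag a (switch, ingress port) pair the first time it raises more than `threshold`
    table-miss events inside any `window_ms` sliding window. The distinct-source count is
    reported because a spoofed flood shows many sources, while a legitimate burst from one
    host does not."""
    windows = defaultdict(deque)   # (dpid, port) -> recent (t, src) events within the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_packet_in(line)
        key = (ev["dpid"], ev["port"])
        q = windows[key]
        q.append((ev["t"], ev["src"]))
        while q and ev["t"] - q[0][0] >= window_ms:   # expire events older than the window
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "dpid": ev["dpid"], "in_port": ev["port"], "t": ev["t"],
                "events": len(q), "distinct_sources": len({s for _, s in q}),
            })
    return alerts

# Constructed sample: port 1 receives a burst of misses from many different sources within
# 300 ms (the flood pattern); port 2 sees only occasional misses from a normal host.
SAMPLE_LOG = [
    "1000 dpid=s1 in_port=2 src=10.0.2.5",
    "1050 dpid=s1 in_port=1 src=203.0.113.10",
    "1100 dpid=s1 in_port=1 src=198.51.100.2",
    "1150 dpid=s1 in_port=1 src=192.0.2.33",
    "1200 dpid=s1 in_port=1 src=203.0.113.77",
    "1250 dpid=s1 in_port=1 src=198.51.100.9",
    "1300 dpid=s1 in_port=1 src=192.0.2.8",
    "1350 dpid=s1 in_port=1 src=203.0.113.5",
    "2500 dpid=s1 in_port=2 src=10.0.2.5",
    "3900 dpid=s1 in_port=2 src=10.0.2.7",
]

def run_flood_demo() -> list:
    return detect_packet_in_flood(SAMPLE_LOG)

if __name__ == "__main__":
    for a in run_flood_demo():
        print(f"t={a['t']} ms: {a['dpid']} port {a['in_port']} raised {a['events']} table misses "
              f"from {a['distinct_sources']} sources within 1 s")
```

On the sample, port 1 crosses the threshold on its sixth miss at t = 1300 ms with six distinct sources, while port 2 never does. In a data-plane protection design such as the thesis proposes, this is the kind of per-port statistic the switch can keep itself; the reaction (a rate limit or a drop rule for that port) stays a local decision and does not need the controller, which is the component the flood is trying to exhaust.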
With the fast increase in the number of network attacks, a hardware-based network protection system plays an important role in a successful cyber-security strategy. According to reports from Akamai [Akamai, 2016], the number of DDoS attacks hit a new record in the second quarter of 2016. Moreover, the trend of DDoS attacks is towards increasing attack size. Figure 1.2 shows a survey of peak attack size during the last decade [Arbor-Network, 2016]. Compared to software-based network protection systems, the hardware ones provide much more performance. Moreover, hardware-based systems allow multiple network protection mechanisms to be executed in parallel, which in turn improves the dependable capacity of the systems.
[Figure 1.2: Survey Peak Attack Size Year Over Year. Source: Arbor Networks, Inc. (reproduces the "Service Provider DDoS Attacks" panel, Figure 14 of the Arbor Networks report)]
To protect an OpenFlow-based network, in particular against DDoS attacks, a network security system needs to be deployed at forwarding devices so that attacking packets are removed from the network. In other words, by classifying and deleting attacking packets at forwarding devices, controllers are protected from network attacks. There is no OpenFlow-based network switch in either the literature or industry integrating hardware security engines, although there exists
The more efficient approach is to integrate hardware-based security modules into forwarding devices so that these modules are managed using the OpenFlow protocol. Compared to the previous approach, the operation cost is lower. This approach has been taken into consideration by much research in the literature, such as OFX and Avant-Guard as mentioned above. However, software-based network protection is not sufficient for high-speed networks. We therefore explore the following research questions in this thesis.
Question 1. Is it possible to build an OpenFlow-based network switch with an integrated reconfigurable hardware-based network protection module?

One of the biggest advantages of a software-based protection system is its reconfiguration ability. The implemented security mechanisms can be quickly updated or changed to prevent attacks on the systems. With the current trend in information technology development, more and more attacking techniques can be deployed to attack a system. Therefore, the hardware-based network protection module in the proposed OpenFlow-based network switch needs to have the reconfiguration ability. The module also needs to be compatible with the OpenFlow protocol.
Question 2. Does it pay off to build such an OpenFlow-based network switch?

To the best of our knowledge, there is no OpenFlow switch with an integrated hardware-based network protection engine. Therefore, we need to examine whether it pays off to build such a switch. We need to take many aspects of the switch into account, such as performance and throughput and packet processing time. Moreover, the reconfiguration ability of the protection engine is also analyzed.

Question 3. How can we build a framework that allows network administrators to configure/update the network protection module as well as manage/control the proposed switch?

One of the key factors when integrating a hardware-based protection engine into an OpenFlow switch is to keep the OpenFlow protocol unchanged. However, as a network protection engine, the switch needs to interact with network administrators to get control instructions as well as show status information. Another important requirement is that the switch can be reconfigured not only according to the OpenFlow protocol but also by updating the protection engine. Therefore, we try to develop a framework working on a host processor so that network administrators can handle the switch.
1.3 Contributions

Based on the research challenges identified in the previous section, we have been working on designing and implementing an OpenFlow switch with an integrated hardware-based network security module using reconfigurable hardware. We focus on reconfigurable hardware so that the security module can be updated to more up-to-date and efficient network protection mechanisms. The main contributions of this thesis can be summarized as follows:

Contribution 1. We propose an OpenFlow switch architecture with integrated hardware-based security functions.

To the best of our knowledge, this is the first OpenFlow switch that not only can route network packets according to the OpenFlow protocol but also can defend against network attacks. The proposed architecture separates the OpenFlow processing part from the security processing part. This approach allows different security functions to be deployed for different systems and purposes.
Contribution 2. We demonstrate our proposed OpenFlow switch using FPGA technology to verify the benefit of the proposed architecture.

Our prototype secured OpenFlow-based switch uses the NetFPGA-10G board and integrates two different DDoS defense mechanisms, the Hop-Count Filtering and the Port Ingress/Egress Filtering. The switch prototype can work at up to ≈ 80 MHz and achieve a 100% detection rate. This prototype version can be a baseline system to compare with other similar systems in future work.
Contribution 3. We propose and implement a framework to allow users/researchers to configure and manage forwarding devices in an OpenFlow network.

The proposed framework consists of three different layers: the GUI layer, the SDK layer, and the Plugins layer. With the three-layer architecture, the framework is suitable for handling and monitoring different forwarding devices in an OpenFlow network. The proposed framework is developed with the Qt 5.7 environment so that the framework can work with multiple platforms.

Contribution 4. We published two scientific papers at international conferences.

1 Bao Ho, Quoc Nguyen, Cuong Pham-Quoc and Tran Ngoc Thinh, "Secured-OFS: A Novel OpenFlow Switch Architecture with Integrated Security Functions", The Advanced of International Conference on Advances in Information and Communication Technology (ICTA 2016), 12-13 December, 2016, Thai Nguyen, Vietnam
2 Bao Ho, Cuong Pham-Quoc, Tran Ngoc Thinh and Nam Thoai, "A Secured OpenFlow-based Switch Architecture", International Conference on Advanced Computing and Applications (ACOMP 2016), 23-25 November, 2016, Can Tho, Vietnam
1.4 Thesis organization

The work in this thesis is organized in 7 chapters. Chapter 2 gives an overview of SDN as well as FPGA technology. A survey of OpenFlow switches with integrated security functions is also presented. Finally, an overview of the NetFPGA-10G board, which we use to implement our first prototype OpenFlow switch, is introduced in this chapter.
Chapter 3 presents our proposed OpenFlow switch with integrated security functions. We explain, in detail, the purpose of each component and how the OpenFlow protocol can cooperate with security mechanisms to process incoming network packets. The proposed architecture can be implemented using many reconfigurable hardware technologies and families.

Chapter 4 shows our first prototype OpenFlow switch using the NetFPGA-10G board. The board includes one Xilinx Virtex-5 xc5vtx240t device. This chapter also gives hardware resource usage information for the switch. Although we build the first prototype switch using the Virtex-5 FPGA device, the architecture and the implementation can be synthesized and ported to different FPGA families and technologies because we use a hardware description language to build the switch.

We introduce our framework in Chapter 5. The main purpose of the framework is to be used to control and test the switch. It also shows network attack statistics for research and management purposes.

We deploy many test cases to validate both the OpenFlow-based switching mechanisms and the network security ability of the switch. The experimental results are shown in Chapter 6. This chapter also analyses the switch throughput and the accuracy of the security functions.

Finally, Chapter 7 concludes this thesis and introduces some open issues for future research.
1.5 Summary

In this first chapter, we introduce current open issues with OpenFlow-based switches. Based on these research challenges, our work focuses on proposing an OpenFlow switch architecture with integrated security functions so that the switch can function not only as an OpenFlow switch but also as a network protection system. We have two different contributions for the scientific world. This chapter also summarizes the contents and organization of this thesis.
2 Background and Related work

In this chapter, we give an overview of SDN as well as FPGA technology. A survey of OpenFlow switches with integrated security functions is also presented. Finally, an overview of the NetFPGA-10G board, which we use to implement our first prototype OpenFlow switch, is introduced in this chapter.

2.1 Software Defined Network: an overview

Software Defined Network (SDN) [Goransson and Black, 2014] has been considered as an emerging alternative approach to traditional networks, whose devices (e.g. routers, switches, firewalls, ...) must be configured and managed separately and with difficulty. Compared to traditional networks, SDN offers more benefits, such as providing centralized control and monitoring, simplifying hardware devices, and furnishing a capacity for virtualization and automation at the network level. To provide such advantages, an SDN architecture partitions the network logic model into three planes: the management plane, the control plane and the data plane. Figure 2.1 illustrates the logical model of SDN. Following this architecture, the SDN architecture decouples network control from forwarding functions so that network control becomes programmable. In the SDN architecture, network control includes controllers programmed by network administrators through software interfaces. Each controller is responsible for handling a number of forwarding devices that process forwarding functions. Those forwarding devices route network packets from source nodes to destination nodes according to the network configuration.
Figure 2.1: Layered view of networking functionality (the figure shows the Application Plane with Network Applications, the Control Plane with SDN Control Software, and the Data Plane with Forwarding Devices, connected through an open northbound API and an open southbound API)
One of the most popular and successful SDN versions is the OpenFlow network [McKeown et al., 2008], which is not only quite popular in academia but also an industry standard [Gelberger et al., 2013], the so-called OpenFlow protocol. Based on the SDN architecture, the OpenFlow network architecture also decouples network control from forwarding functions. Therefore, the OpenFlow network takes all the advantages of the SDN paradigm. Moreover, by optimizing elements such as controllers and forwarding devices, the OpenFlow network can be implemented as software programs or be developed using hardware platforms.
However, there are several security issues existing in both the SDN and OpenFlow architectures. Much research in the literature has analysed vulnerabilities of both SDN and OpenFlow [Hu et al., 2014; Kreutz et al., 2013; Scott-Hayward
and vulnerabilities in an SDN system which can be exploited. These attacks and vulnerabilities exist at many levels, from the control plane to the data plane and even the communication between controller and forwarding devices. Two of these threats are likely inherited from the traditional network and reside in the data plane of the SDN architecture. Although these two threats are not specific to SDN, they still exist and seem to be exploited to attack the network. For instance, an attacker can fake traffic flows in the data plane to attack controllers or forwarding devices. Besides, a simple forwarding device without any security capability can be a wide entrance for an attacker to carry out dangerous activities.
According to the specification of the OpenFlow protocol, Figure 2.2 presents three major weaknesses which can be exploited by attackers. Here, we summarize the three weak points:
1. Forwarding devices (or switches), which we call the "forwarding device weakness", are the starting points for all attacks, especially in active mode (active mode means that the switches can self-learn strange/new flows). Attackers can simultaneously flood network packets with different matching_field values so that the switches need to encapsulate and send these packets to the corresponding controller to get the exact behaviour for each packet. With these flooding packets, the communication channel between the controller and the forwarding devices becomes congested. The combination of one central controller and the separation of the control and data planes is the core weakness in the SDN architecture. The controller can become frozen, along with an overflow of the flow table in the switches, due to the large number of packets requiring a flow rule decision.
2. The channel for communication between forwarding devices and the associated controller is a place which seems likely to be attacked. According to the SDN and OpenFlow protocol, this channel should be implemented using Secure Sockets Layer (SSL). However, there exist a lot of commercial OpenFlow networks which do not follow this requirement. Therefore, the channel can be hijacked to take over the controller [Benton et al., 2013; Shin and
3. When a controller is taken over by attackers, the whole associated data plane (all forwarding devices in this data plane) is under the control of the attackers because centralized management is conducted at the controller.
Although there exist three different weaknesses in an OpenFlow network, to hijack the communication channel or the controller, attackers need to send attacking packets to forwarding devices first. For example, attackers can apply many attack types (e.g. a flooding attack technique, a type of DDoS) to forwarding devices (switches) which are working in reactive mode. Attackers then can force all forwarding devices simultaneously to send a lot of packets to the corresponding controller to make the controller overloaded and frozen.
There are many efforts to overcome these security problems [Shin et al., 2014;
controllers, research in the literature has focused mainly on how to make controllers more efficient, robust, and reliable. There exist some approaches that integrate security functions into forwarding devices so that incoming packets are scanned before being processed further at the associated controller, to prevent such attacks as mentioned in the previous paragraphs. The next section shows a survey of these approaches in the literature.
Figure 2.2: Three major security problems of OpenFlow network (the figure shows users, an OpenFlow switch in the infrastructure layer and a controller in the control layer beneath the application layer, with the three weak points numbered 1, 2 and 3)
AVANT-GUARD [Shin et al., 2013] extends forwarding devices in the data plane by adding two new modules: (1) a connection migration module to handle the threat of saturation attacks; (2) an actuating trigger module to address the responsiveness challenge by providing a condition-triggered push capability in SDN devices. With the two newly added modules, the forwarding devices are able to increase the resilience of the data-plane-to-control-plane interaction to anomalous control-plane floods. However, the two modules are implemented on a general purpose processor instead of in hardware as in our work.
AuthFlow [Ferrazani Mattos and Duarte, 2016] is an authentication and access control mechanism for SDN. The main idea of this proposal is to deploy an Authenticator and a RADIUS server to allow or deny network traffic at the data plane layer. The Extensible Authentication Protocol (EAP) is used for communication among the OpenFlow controller, the Authenticator, and the RADIUS servers. Both servers are built on personal computers.
Virtual Source Address Validation Edge (VAVE) [Yao et al., 2011] is a solution with an OpenFlow/NOX architecture to improve the source address validation standard (SAVI). In this work, some OpenFlow devices are used to form a protective perimeter. Whenever a packet comes from outside the perimeter, its source address needs to be validated by a validation module. However, the paper did not provide any detail of this validation module.
OFX (OpenFlow Extension Framework) [Sonchack et al., 2016] allows OpenFlow switches to be extended with custom functionality. In this approach, OFX extension modules are built into OpenFlow switches using existing general purpose processors. These extension modules allow the switches to classify incoming packets based on different mechanisms installed by the associated controller. Three different deployed security applications are DDoS Detection, Network Taint-Tracking Declassifier, and Botnet Detection. This approach shares the same idea as our work. However, instead of using a general purpose processor to deploy different security mechanisms, we develop dedicated reconfigurable hardware modules for the security mechanisms.
The authors of DevoFlow [Curtis et al., 2011] introduce two new mechanisms to transfer control to an OpenFlow switch: rule cloning and local actions. The rule cloning mechanism implemented in the switch uses an additional flag, called the CLONE flag, to avoid invoking the controller. Meanwhile, the local actions mechanism implements a small set of possible "local routing actions" so that the switch can process new flows, if possible, without sending requests to the controller. However, the authors have not implemented the approach yet. It can be taken into account for the next generation of switches.
DIFANE [Yu et al., 2010] is a scalable and efficient proposal that routes all traffic through a predefined path of forwarding devices that store the necessary rules. The associated controller is responsible for partitioning rules over the switches. However, due to the multi-hop path, the delay time of network packets is increased. Moreover, the approach cannot be applied for scanning packets to recognize attacks such as DDoS.
A DoS Attack Prevention Extension in Software-Defined Networks, so-called FloodGuard [Wang et al., 2015], is a solution for the data-to-control plane saturation attack. The solution contains two new techniques/modules: a proactive flow rule analyser and packet migration. The proactive flow rule analyser combines symbolic execution and dynamic application tracking to derive proactive flow rules at runtime, while the packet migration module migrates, caches, and processes packets without existing associated rules in the flow table by using rate limiting and round robin scheduling. However, the modules are implemented inside the controller instead of the forwarding devices.
A denial of service defense system for software defined networking, FlowFence, is introduced in [Piedrahita et al., 2015]. Network routers in the FlowFence architecture run a special service to monitor the average occupation of their interfaces to detect congestion conditions. The associated controller relies on this detection to coordinate the bandwidth assignment of controlled links. Using such an approach, the controller can limit the flow transmission rate from the data plane to prevent the links from saturation. The mitigation procedure of the starvation state allocates an average bandwidth, while flows exceeding the mean are penalised. This approach is only simulated and evaluated with a simulation tool.
LineSwitch [Ambrosin et al., 2015] is an efficient and effective solution against the control plane saturation attack. It combines a SYN flooding defense technique and a probabilistic blacklisting technique for switches at the data plane. This combination makes LineSwitch efficient against the control plane saturation attack. However, the proposal is simulated using a network simulator only.
The authors in [Park et al., 2016] proposed a Union of Security Actions for Software Switches, called UNISAFE. The proposed switches employ two software functions running in the kernel space of the switches: the UNISAFE main controller and Security actions. The authors implement a prototype version with three different security functions: a DDoS detector, a scan detector, and deep packet inspection. However, the proposal is implemented as software modules instead of dedicated hardware as in our approach.
There exist many studies in the literature that introduce different solutions to protect an OpenFlow network at different levels, such as ROSEMARY [Shin
the application layer only. Those approaches are totally different from ours because our ultimate goal is to protect the network against attacks as soon as possible. In other words, we implement security functions at the forwarding devices of an OpenFlow network.
Here, we have analysed research in the literature that proposed solutions to protect the data plane against attacks. However, all the above approaches are implemented as software functions on a general purpose processor or are simulated by a network simulator only. To the best of our knowledge, our proposed approach is the first hardware-based implementation.
As mentioned above, our ultimate goal is to implement security functions for forwarding devices in an OpenFlow network as dedicated hardware modules. The main obstacle to this approach is updating and changing hardware modules. Updating and changing security functions in a network protection system is an essential demand because attacks can be deployed with modern techniques at higher performance. Therefore, in this work, we target reconfigurable hardware technology, i.e. Field Programmable Gate Array technology, so that the reconfigurability requirement can be satisfied. This section introduces an overview of this technology.
Field Programmable Gate Array (FPGA) is a dominant technology for building high-performance computing applications and reconfigurable computing systems. Compared to general purpose processors, FPGAs have benefits in performance, while compared to Application Specific Integrated Circuits (ASIC), FPGAs allow hardware circuits to be reconfigured. Owing to these two characteristics, FPGAs are widely used in both academic research and industry products. Some well-known commercial FPGA-based high-performance computing platforms can be counted, such as Micron [Micron, 2012] (formerly Convey) and Maxeler [Pell and
Three main components of an FPGA include:
• Logic blocks: A logic block is also known as a CLB. A CLB includes lookup tables (LUT) to implement combinational logic, registers for sequential circuits, and some additional logic elements such as multiplexers or buffers. Each LUT has multiple inputs to function as a multiple-input combinational logic. The number of inputs for each LUT depends on the architecture and generation of the FPGA device; it is about 4 to 6 inputs for modern FPGA devices. Figure 2.4 shows a sample CLB in a modern FPGA architecture.
• Input/Output blocks: These blocks are responsible for connecting and communicating with external components or devices.
• Interconnection switches: These switches can be programmed to connect or disconnect CLBs, IO blocks and other components.
An FPGA may contain other blocks such as memory, clock distribution, digital signal processors (DSP), embedded microprocessors/microcontrollers, and high-speed serial transceivers.
Figure 2.3: The basic architecture of an FPGA device (programmable interconnect, input/output blocks, logic blocks and block RAM)
FPGA is more flexible than an application-specific integrated circuit (ASIC). Both of them are programmable. While an FPGA is programmable after manufacturing by users, an ASIC is programmed by experts from a manufacturer and cannot be programmed after manufacturing. FPGAs not only take advantage of hardware-based high-speed parallel processing but also of the flexibility of software-based programmability. They are designed and programmed using hardware description languages (HDL) such as Verilog and the Very High Speed Integrated Circuit (VHSIC) HDL (VHDL).
Figure 2.4: A configurable logic block in a modern FPGA architecture (programmable interconnect, input/output blocks, logic block and block RAM)
An FPGA device is configured by loading application-specific configuration data, named a bitstream, into its internal configuration memory. Partial reconfiguration (PR) is the modification of an operating FPGA's configuration memory by loading a partial configuration file. With the rapid development of technology, FPGAs allow dynamic partial reconfiguration (DPR). It means that some parts of an FPGA device can be reconfigured at runtime while other parts are still working. This runtime reconfiguration helps systems be updated while still operating. The design flow of DPR partitions the configuration memory into static logic and reconfigurable logic [Xilinx, 2012]. In the DPR process, the static logic remains functioning while the reconfigurable logic is modified by the partial configuration file. In this research, DPR is applied to change and update the DDoS countering mechanism to adapt to security challenges in the future.
NetFPGA [NetFPGA, 2014] is an open-source hardware and software platform designed for research and teaching. It allows researchers, developers, and students to build prototypes of high-speed, hardware-accelerated networking systems based on its supported platforms. Its platforms, which are named NetFPGA platforms, are built upon FPGA technology supported by the manufacturer. There are several NetFPGA platforms such as NetFPGA 1G, NetFPGA CML, NetFPGA 10G and NetFPGA SUME. In this work, we use the NetFPGA-10G platform (Figure 2.5) to build our prototype OpenFlow switch.
Figure 2.5: The NetFPGA 10G platform
The NetFPGA-10G board includes four SFP+ ports and one Xilinx Virtex-5 TX240T FPGA device. Four SFP+ ports are suitable for building high-speed network applications. Besides, the Xilinx Virtex-5 TX240T provides powerful hardware resources to handle massive traffic on a network. We use a Hardware Description Language (HDL) to develop all modules in the three most important components. More details about the board are shown in Table 2.1.
Maximum Differential I/O Pairs: 340
PCI Express Endpoint Blocks: 1
10/100/1000 Ethernet MAC Blocks: 4
Configuration Memory (MBits): 65.8
In this section, we have introduced the SDN and OpenFlow networks as well as the security issues of both networks. A survey of solutions to protect OpenFlow networks at the data plane level is given in this chapter. In this work, we aim to create an OpenFlow-based switch with hardware-based security functions. Therefore, we have presented an overview of the FPGA technology that we use to build our prototype switch. Finally, we discussed the NetFPGA platform which is used as our experimental platform.
The proposed architecture consists of three different components named Ingress, Egress, and Engine.
The Ingress component is responsible for receiving incoming packets from input ports, both data packets and control packets, and forwarding them to the Engine component for processing. The Engine component is the main component of the proposed switch. All incoming packets are analysed and processed in this component according to both the OpenFlow protocol and the implemented security functions. Finally, these packets are routed to the corresponding output ports of the Egress component. Here, we present the components in detail.
The Ingress component includes one Packet Input Queue, multiple data input ports (Data InPort i), and one control input port (Control InPort). The number of data input ports depends on the hardware resources available on the platform which is used to implement the switch. All incoming network packets arriving at data input ports are collected and stored into buffers inside these ports. Packet Input Queue sequentially selects a packet from a buffer and forwards it to the Engine component for processing. Packet Input Queue can be configured on the fly so that packets from buffers are selected based on a specific strategy such as Round Robin, or based on a priority of each data input port. While Data InPort is responsible for receiving network packets, OpenFlow-based configuration data is transferred to the switch through Control InPort.
Figure 3.1: The proposed switch architecture (the figure shows OpenFlow Processing with its Action Out interface, the Packet FIFO, Data OutPort 1..n and Control OutPort, with arrows marking the flow of extracted features and the flow of instructions)
Control InPort is the means of communication between the associated controller and the OpenFlow-based switch according to the OpenFlow protocol. In other words, the corresponding controller sends configuration data through this port to handle the switch following the protocol. Configuration data is usually information used to update the Flow Table. Configuration data is encoded into network packets so that Packet Input Queue can process them without any exception. However, compared to data input ports, Control InPort has a higher priority, i.e., Packet Input Queue selects a packet from this port to send to the Engine component whenever there exists any packet in the buffer of Control InPort, regardless of the strategy used to select packets at Packet Input Queue.
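The arbitration just described (Control InPort always wins; data ports served by a strategy that can be changed on the fly) is shown below as an added Python behavioural model; it is not the thesis's HDL and not part of the original text. The class and method names, the strategy names "round_robin" and "priority", and the traffic in demo() are assumptions made for the example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Packet:
    port: str   # "ctrl" for Control InPort, "data<i>" for Data InPort i
    seq: int    # sequence number, only used to tell packets apart


class PacketInputQueue:
    """Behavioural model of the Ingress component's Packet Input Queue
    (hypothetical names; this is not the thesis's HDL). Every Data InPort
    and the Control InPort owns a buffer. Control packets are always served
    first; data buffers are served by the strategy configured at runtime."""

    def __init__(self, n_data_ports, strategy="round_robin", priorities=None):
        self.ctrl = deque()
        self.data = [deque() for _ in range(n_data_ports)]
        self.configure(strategy, priorities)
        self._next = 0                       # round-robin pointer

    def configure(self, strategy, priorities=None):
        """On-the-fly reconfiguration: 'round_robin' or 'priority'
        (priorities[i] = priority of Data InPort i, larger wins)."""
        if strategy not in ("round_robin", "priority"):
            raise ValueError("unknown strategy: %s" % strategy)
        self.strategy = strategy
        self.priorities = list(priorities) if priorities else [0] * len(self.data)

    def enqueue(self, pkt):
        """Store an arriving packet in the buffer of its input port."""
        if pkt.port == "ctrl":
            self.ctrl.append(pkt)
        else:
            self.data[int(pkt.port[len("data"):])].append(pkt)

    def select(self):
        """Pick the next packet for the Engine, or None if all buffers are empty."""
        if self.ctrl:                        # Control InPort preempts every data port
            return self.ctrl.popleft()
        n = len(self.data)
        if self.strategy == "round_robin":
            for k in range(n):
                i = (self._next + k) % n
                if self.data[i]:
                    self._next = (i + 1) % n
                    return self.data[i].popleft()
        else:                                # strict priority among data ports
            for i in sorted(range(n), key=lambda i: -self.priorities[i]):
                if self.data[i]:
                    return self.data[i].popleft()
        return None


def demo():
    """Constructed traffic: returns the order in which input ports are served."""
    q = PacketInputQueue(n_data_ports=3)
    for s in range(3):
        q.enqueue(Packet("data0", s))
    for s in range(2):
        q.enqueue(Packet("data1", s))
    q.enqueue(Packet("data2", 0))
    q.enqueue(Packet("ctrl", 0))
    served = [q.select().port for _ in range(3)]   # control first, then round robin
    q.enqueue(Packet("ctrl", 1))                   # a control packet arriving mid-stream
    served.append(q.select().port)                 # ... is served before any data port
    q.configure("priority", priorities=[0, 1, 2])  # reconfigure: Data InPort 2 highest
    while True:
        pkt = q.select()
        if pkt is None:
            break
        served.append(pkt.port)
    return served


if __name__ == "__main__":
    print(demo())   # ['ctrl', 'data0', 'data1', 'ctrl', 'data2', 'data1', 'data0', 'data0']
```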
If the Ingress component can be considered the main entrance of the switch, the Egress component can be seen as the main exit of the switch, where network packets are sent out. The Egress component consists of a Packet Output Queue, several data output ports (Data OutPort i), and one control output port (Control OutPort). While there exists only one Control OutPort in the switch to communicate with the associated controller, the number of data output ports depends on the hardware resources of the platform which is used to build the switch. As specified by the name, data output ports are used to transfer network packets to their destinations.
A packet processed by the Engine component is forwarded to the Packet Output Queue. Please keep in mind that when a packet arrives at the Egress component, it has already been examined by the security functions in the Engine component. In other words, this packet has been classified as a legitimate packet according to the implemented security protection mechanisms.
Based on routing information stored in the switch, Packet Output Queue sends this packet to a specific data output port. However, following the OpenFlow protocol, there exist some cases where packets cannot be routed to any data output port due to a lack of information. In these cases, packets are forwarded to the associated controller, which is handling the switch, through Control OutPort so that the controller can decide a routing behaviour for these packets. The controller then updates the switch by sending configuration data through Control InPort.
In this proposed architecture, the Engine component plays the most important role. The Engine component in our proposed architecture has more functionality than the work reported in [Naous et al., 2008] and [Antichi et al., 2013]. The component processes an incoming packet received from the Ingress component following both the OpenFlow protocol and the implemented network security mechanisms. After processing the packet, the Engine component sends it to the Egress component so that the packet can be forwarded to its destination data output port or the corresponding controller. The component consists of five different blocks: Incoming Packet Processing, OpenFlow Processing, Packet FIFO, Security Processing, and Outgoing Packet Processing.
3.3.1 Incoming Packet Processing
The major function of the Incoming Packet Processing block is to decode an incoming packet into different fields such as the header field and the payload field. Depending on the type of input port from which packets come (data port or control port), Incoming Packet Processing processes incoming packets in two different scenarios. In the first scenario, when packets come through the control port, these packets are forwarded to the OpenFlow Processing block without any processing at the Incoming Packet Processing block, because these packets are generated by the associated controller to update or handle the switch. These packets are not examined by the security mechanisms because we assume that the communication link between the controller and the switch is secured. Moreover, in our work, this link is implemented as internal and private infrastructure such as PCIe or buses. In other words, the link is isolated from external networks.
In the second scenario, when packets arrive through data input ports, Incoming Packet Processing analyses and decodes these packets first. Both the OpenFlow Processing and Security Processing blocks are then carried out simultaneously to process these packets in parallel. The header fields of these packets are transferred to OpenFlow Processing so that the corresponding actions for each packet can be retrieved. Meanwhile, depending on which network security mechanisms are used in Security Processing, different fields of the packets are required so that these packets can be scanned to guarantee that they are legitimate network packets. These fields are forwarded to the Security Processing block. This scenario may result in different behaviours: an attacking packet is dropped, a packet is forwarded to a destination data output port, or it needs to be forwarded to the controller.
Because processing at both the OpenFlow Processing block and the Security Processing block takes time, the Engine component needs to work in a pipelined mode. Therefore, the Incoming Packet Processing block needs to store raw packets into the Packet FIFO block in parallel with forwarding the packet's fields to OpenFlow Processing and Security Processing. While the OpenFlow Processing and Security Processing blocks are processing one packet, the Incoming Packet Processing block can analyse and decode another packet. This approach helps improve system performance so that the switch can be suitable for high-speed networks.
3.3.2 OpenFlow Processing
The block consists of an OpenFlow Host Agent module, a Flow Table, and two interfaces to communicate with both the Incoming Packet Processing and Outgoing Packet Processing blocks. When packets come to the switch through Control InPort, these packets are generated by the associated controller to update or handle the switch. These packets contain instructions that the controller uses to handle the switch, such as updating the Flow Table or modifying a packet header. The OpenFlow Host Agent module is responsible for receiving control packets, executing instructions, and sending feedback to the controller if required when control packets come to the switch.
When data packets arrive at the switch, they are examined by the Security Processing block to defend against network attacks and processed by OpenFlow Processing according to the OpenFlow protocol. The OpenFlow Host Agent module analyses data packets and retrieves actions for each packet from the Flow Table. If actions for a particular packet can be found, they are returned to the Outgoing Packet Processing block through the Action Out interface. Otherwise, when actions for a specific packet cannot be found in the Flow Table, OpenFlow Processing requests Outgoing Packet Processing to send the packet to the associated controller so that the controller can decide appropriate actions for the packet. However, in both cases, the behaviour of Outgoing Packet Processing depends on classification information from the Security Processing block. If the packet is recognized as an illegitimate packet, it is removed from the switch regardless of the actions from the OpenFlow Processing block. Otherwise, when the packet is classified as a legitimate packet, the actions from the OpenFlow Processing block are processed by the Outgoing Packet Processing block.
To support the OpenFlow protocol, a Flow Table is needed to store OpenFlow-based actions [Suh et al., 2014] such as dropping, updating the header field, or forwarding a packet to a destination output port. Figure 3.2 illustrates a segment of the Flow Table. Each entry of the table consists of two fields, Matching Field and Action. Based on the header fields of a packet, the OpenFlow Host Agent module finds an entry whose matching field matches the information in the headers of the packet. If such an entry can be found, the value in the corresponding action field is extracted to the Action Out interface. Otherwise, routing information for the packet does not exist, and the OpenFlow Host Agent requires sending the packet to the controller.
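As an added example (a Python model, not the thesis's HDL or text), the following code ties together the Flow Table lookup of OpenFlow Processing (Matching Field with wildcards, Action, table miss sent to the controller) and the classification from Security Processing in the outgoing decision described above, and reproduces from the defender's side the matching-field flood of Section 2.1: a source that opens a new flow with every packet forces table misses and fills the table until the security block classifies it as illegitimate. FlowTable, NewFlowRateDetector, Engine, learn_rule, the threshold/window/capacity values and the 10.0.0.x traffic are all assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Header fields used for matching; an entry that omits a field wildcards it.
FIELDS = ("in_port", "src_ip", "dst_ip", "proto", "dst_port")


@dataclass
class FlowEntry:
    match: dict      # subset of FIELDS -> required value (Matching Field)
    action: str      # e.g. "output:2" or "drop" (Action)


class FlowTable:
    """Matching Field / Action table with a fixed capacity, as hardware tables have."""
    def __init__(self, capacity):
        self.capacity, self.entries = capacity, []

    def add(self, entry):
        if len(self.entries) >= self.capacity:
            return False                       # flow table overflow: rule not installed
        self.entries.append(entry)
        return True

    def lookup(self, hdr):
        for e in self.entries:                 # first matching entry wins
            if all(hdr.get(f) == v for f, v in e.match.items()):
                return e.action
        return None                            # table miss: no routing information


class NewFlowRateDetector:
    """Security Processing block (hypothetical mechanism): counts the distinct
    flows each source opens within a tumbling window of `window` packets.
    A source exceeding `threshold` distinct flows is classified illegitimate."""
    def __init__(self, threshold, window):
        self.threshold, self.window = threshold, window
        self.seen, self.flows = 0, defaultdict(set)

    def is_legitimate(self, hdr):
        self.seen += 1
        if self.seen > self.window:            # start a new window
            self.seen, self.flows = 1, defaultdict(set)
        self.flows[hdr["src_ip"]].add(tuple(hdr.get(f) for f in FIELDS))
        return len(self.flows[hdr["src_ip"]]) <= self.threshold


def learn_rule(hdr):
    """Stand-in for the controller: install an exact-match rule for a new flow."""
    return FlowEntry({f: hdr[f] for f in FIELDS if f != "in_port"}, "output:2")


class Engine:
    """OpenFlow Processing + Security Processing feeding the outgoing decision."""
    def __init__(self, table, detector, controller):
        self.table, self.detector, self.controller = table, detector, controller
        self.stats = defaultdict(int)

    def process(self, hdr):
        action = self.table.lookup(hdr)            # OpenFlow Processing
        legit = self.detector.is_legitimate(hdr)   # Security Processing (parallel in HW)
        if not legit:                              # dropped regardless of the OpenFlow action
            self.stats["dropped_by_security"] += 1
            return "drop"
        if action is None:                         # legitimate but unknown: ask the controller
            self.stats["to_controller"] += 1
            if not self.table.add(self.controller(hdr)):
                self.stats["table_full"] += 1
            return "to_controller"
        self.stats["forwarded"] += 1
        return action


def simulate(threshold=4, window=64, capacity=8):
    """Constructed traffic: one host repeating a single flow, one source opening
    a new flow with every packet (the matching-field flood from Section 2.1)."""
    engine = Engine(FlowTable(capacity), NewFlowRateDetector(threshold, window), learn_rule)
    decisions = []
    legit = {"in_port": 1, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "proto": 6, "dst_port": 443}
    for _ in range(5):
        decisions.append(engine.process(legit))
    for p in range(20):
        flood = {"in_port": 2, "src_ip": "10.0.0.9", "dst_ip": "10.0.0.20", "proto": 6, "dst_port": 1000 + p}
        decisions.append(engine.process(flood))
    return decisions, dict(engine.stats), len(engine.table.entries)


if __name__ == "__main__":
    print(simulate())
```

With the default parameters only the first four flows of the flooding source reach the controller and the table; the remaining sixteen packets are dropped by the security block before any Packet-In is generated.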
3.3.3 Packet FIFO
When an incoming data packet is being processed by both OpenFlow Processing and Security Processing, other packets can arrive at Incoming Packet Processing. Therefore, the whole packet that is being processed needs to be stored in Packet FIFO to wait for decisions from both OpenFlow Processing and Security