Scalability and Security of the Control Plane in Software Defined Networks

Sahoo, Kshira Sagar (2019) Scalability and Security of the Control Plane in Software Defined Networks. PhD thesis.

PDF (Restricted up to 20/03/2021)
Restricted to Repository staff only

6Mb

Abstract

Software Defined Networking (SDN) is an emerging network paradigm that has brought a fundamental change to the traditional network by physically separating the control plane from the forwarding plane. The control plane is moved to a dedicated controller, which manages one or more underlying forwarding plane switches. Although research on SDN has drawn considerable attention, major concerns remain in addressing its scalability and security issues. To address the scalability issue, deploying multiple controllers is a possible solution. However, introducing multiple controllers creates other potential problems. Obtaining the optimum number of controllers and their positions for a given network is an open question. In this respect, our placement strategy minimizes switch-to-controller latency and ensures a failure-free control path scenario. To obtain a feasible solution we have used three population-based meta-heuristic techniques: Particle Swarm Optimization (PSO), FireFly Algorithm (FFA), and Genetic Algorithm (GA). The efficient sharing of control requests generated from switches to the controller is an important research topic. To balance the controller load, dynamic switch migration is a promising approach, for which the selection of the switch and the target controller plays an important role. As a solution to this issue, our switch migration strategy selects a switch with fewer control requests and migrates it to a target controller with less load variance. From a security viewpoint, the control plane is constantly exposed to potential cyber threats such as side-channel attacks, fake rule installation, and data alteration. Notably, Distributed Denial of Service (DDoS) attacks on the control plane remain a significant challenge. The proposed two-stage detection model can detect a DDoS attack on the controller at an early stage. In the first stage, the model uses the centralized traffic monitoring of SDN to verify whether the incoming traffic is attack traffic or not. Once it confirms the attack alert, the second stage starts classifying and mitigating the attack. For early detection of DDoS traffic, we have employed generalized entropy (GE) as the information distance metric at the controller. Moreover, we have trained the model with various Machine Learning techniques for classifying different ongoing attacks. Such a classifier fits into the proposed detection model, which is capable of classifying different types of attacks with higher accuracy and less overhead on the controller. The simulation results signify the usefulness and effectiveness of the proposed approaches for addressing the scalability and security issues of SDN.

Item Type: Thesis (PhD)
Uncontrolled Keywords: Controller Placement Problem; Switch migration; DDoS
Subjects: Engineering and Technology > Computer and Information Science > Networks; Engineering and Technology > Computer and Information Science > Information Security
Divisions: Engineering and Technology > Department of Computer Science Engineering
ID Code: 9834
Deposited By: IR Staff BPCL
Deposited On: 08 Jul 2019 12:18
Last Modified: 08 Jul 2019 12:18
Supervisor(s): Sahoo, Bibhudatta and Dash, Ratnakar
