LINK-GUARD: an effective and scalable security framework for link discovery in SDN networks

Ismail Al Salti, Ning Zhang

Research output: Contribution to journal › Article › peer-review

Abstract

Software-Defined Networking (SDN) is an emerging networking paradigm that creates new opportunities for future generations of networks. The main characteristic of SDN is its ability to centralise control through the decoupling of control decisions from the network switches to make the network more flexible, programmable, and scalable. As part of this centralised control management, the SDN controller maintains a holistic view of the underlying network. Therefore, topology discovery in SDN is an essential service for topology-aware applications, such as routing, load balancing, mobility, and tracking. However, during the SDN topology discovery process, the controllers, without proper protection, are vulnerable to topology poisoning attacks, most notably Link Fabrication Attacks (LFAs). LFAs may be mounted due to a lack of packet source authentication, the lack of packet integrity checks, or the reuse of static packets. In this paper, we describe an effective and scalable security framework, LINK-GUARD, used for facilitating secure link discoveries in an SDN network. LINK-GUARD is designed to detect and thwart LFAs, thus reducing the risks of network topology poisoning. The framework has been implemented and evaluated on a Mininet emulator with an RYU controller. The security analysis indicates that LINK-GUARD can effectively and efficiently secure topology discoveries against both host-based and switch-based link fabrication attacks. Performance evaluation results show that the legitimacy of new links can be verified in near real time, taking approximately 30 milliseconds, and fake links can be detected in as little as 6 milliseconds, with a negligible runtime overhead. These results show that LINK-GUARD is a scalable solution for dynamic and large SDN networks.

Original language: English
Pages (from-to): 1
Number of pages: 1
Journal: IEEE Access
Early online date: 15 Dec 2022
Publication status: Published - 15 Dec 2022

Keywords

  • Control systems
  • Fabrication
  • Network topology
  • OpenFlow protocol
  • Protocols
  • Security
  • Software defined networking
  • Software-Defined Networking (SDN)
  • Topology
  • link fabrication attacks
  • topology discovery
  • topology poisoning
