Secure, Efficient and Scalable Link Discoveries for Large-Scale Software-Defined Networks

  • Ismail Al Salti

Student thesis: PhD

Abstract

Software-Defined Networking (SDN) represents a transformative approach in networking, emphasizing programmability, flexibility, and scalability by decoupling the control and data planes. Central to the SDN paradigm is the SDN controller, which orchestrates operations and maintains a comprehensive view of the network topology. This global view is crucial for deploying network services such as routing, load balancing, and mobility management. The link discovery service, part of topology discovery, enables the controller to identify links between devices. The link discovery process is susceptible to various security and performance issues. Among the key security threats are link fabrication attacks, such as injection, relay, and flooding, which compromise topology integrity and disrupt network operations. On the performance side, the main challenge lies in facilitating real-time and effective link discovery to maintain a comprehensive view of the underlying topology in large, dynamic, and hybrid multi-controller SDN networks that include legacy devices.

This thesis aims to address security and performance issues in large, dynamic, and hybrid SDN networks. To address these issues, we have investigated and critically analysed state-of-the-art solutions, identifying their limitations and areas for improvement. We then designed and evaluated two novel frameworks to overcome these weaknesses. The first framework, LINK-GUARD, is designed to detect and thwart link fabrication attacks, reducing the risk of network topology poisoning. It uses three methods: (i) bidirectional link verification to detect LLDP injection attacks, (ii) link latency measurement with statistical analysis to identify LLDP relay attacks, and (iii) a per-port LLDP packet counter to detect LLDP flooding attacks. Implemented on the Mininet emulator with an RYU controller, LINK-GUARD effectively secures topology discovery against host-based and switch-based link fabrication attacks. Performance evaluations show that new links can be verified in about 30 milliseconds and fake links detected within 6 milliseconds, with negligible runtime overhead. These results show that LINK-GUARD is a scalable solution for dynamic and large SDN networks.

The second novel framework is the Effective, Efficient, and Scalable Link Discovery (EESLD) framework. It uses an event-driven approach and the Bidirectional Forwarding Detection (BFD) protocol to detect direct and indirect SDN links in both intra-domain and inter-domain networks. Additionally, EESLD uses the sFlow protocol to discover and monitor legacy links, and a distributed messaging system to maintain a consistent network view across controllers. Implemented on the Mininet emulator with an RYU controller and an sFlow server, EESLD discovers direct SDN links 10.3 times faster than OFDPv2 and indirect links 12.9 times faster than BDDP in a network with 85 switches. sFlow-based link discovery also outperforms OSPF-based discovery in legacy link discovery and removal times. These results show that EESLD is a more effective, efficient, and scalable solution for dynamic and large-scale hybrid multi-controller SDN networks.
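The abstract names three checks that LINK-GUARD applies to LLDP packet-ins: bidirectional verification against injection, latency outlier analysis against relays, and a per-port frame counter against flooding. The following is an added, simplified illustration of how such checks can be expressed over one discovery cycle of controller observations; it is not the thesis's code, and the switch identifiers, ports, latencies and thresholds (z-score of 3, five frames per port) are constructed assumptions for the example.

```python
"""Simplified, illustrative versions of the three LINK-GUARD checks.

Added example, not the thesis's own code. Switch ids, ports, latencies
and thresholds below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class LldpObs:
    """One LLDP packet-in as a controller might record it (constructed)."""
    src_dpid: str    # switch named in the LLDP TLVs as the sender
    src_port: int
    dst_dpid: str    # switch that raised the packet-in
    dst_port: int
    rtt_ms: float    # probe latency the controller measured for this frame


def link_key(a, ap, b, bp):
    """Order-independent key so both directions map to the same link."""
    return tuple(sorted([(a, ap), (b, bp)]))


def verify_bidirectional(observations):
    """Check (i): a link is verified only if LLDP was seen in both directions.
    A sighting in one direction only is reported as a possible injection."""
    seen = {(o.src_dpid, o.src_port, o.dst_dpid, o.dst_port) for o in observations}
    verified, one_way = set(), set()
    for a, ap, b, bp in seen:
        if (b, bp, a, ap) in seen:
            verified.add(link_key(a, ap, b, bp))
        else:
            one_way.add((a, ap, b, bp))
    return verified, one_way


def detect_relay(observations, baseline_rtts_ms, z_threshold=3.0):
    """Check (ii): flag links whose probe latency is a statistical outlier
    against a baseline of known-good probes (a relay adds a detour)."""
    mu, sigma = mean(baseline_rtts_ms), pstdev(baseline_rtts_ms)
    flagged = set()
    for o in observations:
        if sigma == 0:
            outlier = o.rtt_ms > mu          # degenerate baseline: any excess is suspect
        else:
            outlier = (o.rtt_ms - mu) / sigma > z_threshold
        if outlier:
            flagged.add(link_key(o.src_dpid, o.src_port, o.dst_dpid, o.dst_port))
    return flagged


def detect_flooding(observations, per_port_limit=5):
    """Check (iii): count LLDP frames per ingress (dpid, port) in the window;
    a port normally sees only a handful of probes per discovery cycle."""
    counts = defaultdict(int)
    for o in observations:
        counts[(o.dst_dpid, o.dst_port)] += 1
    return {port: n for port, n in counts.items() if n > per_port_limit}


def run_link_guard(observations, baseline_rtts_ms):
    """Combine the three checks; a bidirectional link that is also a relay
    suspect is still withheld from the trusted topology."""
    verified, one_way = verify_bidirectional(observations)
    relay = detect_relay(observations, baseline_rtts_ms)
    flood = detect_flooding(observations)
    return {"trusted": verified - relay, "injection_suspects": one_way,
            "relay_suspects": relay, "flooded_ports": flood}


# Constructed sample window (one discovery cycle) and constructed baseline.
BASELINE_MS = [0.9, 1.0, 1.1, 1.0, 0.95, 1.05]
SAMPLE = [
    LldpObs("s1", 1, "s2", 1, 1.0), LldpObs("s2", 1, "s1", 1, 1.1),  # genuine link
    LldpObs("s1", 2, "s3", 1, 1.0),                                   # seen one way only
    LldpObs("s2", 2, "s4", 1, 4.0), LldpObs("s4", 1, "s2", 2, 4.2),  # both ways, but slow
] + [LldpObs("bogus", i, "s3", 2, 1.0) for i in range(8)]            # burst into s3:2

if __name__ == "__main__":
    for name, value in run_link_guard(SAMPLE, BASELINE_MS).items():
        print(name, value)
```

In a real controller the baseline would be kept per link and refreshed over time rather than taken from a fixed list, and the per-port counter would be reset each discovery cycle; the structure of the three checks is what the example is meant to show.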
Date of Award: 1 Aug 2025
Original language: English
Awarding Institution:
  • The University of Manchester
Supervisors: Steve Furber (Supervisor) & Ning Zhang (Supervisor)

Keywords

  • Legacy link discovery
  • SDN Link discovery
  • Multi-controller SDN
  • link fabrication attacks
  • Hybrid SDN
  • OpenFlow protocol
  • topology discovery
  • Software-Defined Networking (SDN)
  • topology poisoning
