
New Programmable Data Plane Architecture Based on P4 OpenFlow Agent

Conference paper, Advanced Information Networking and Applications (AINA 2020)

Abstract

Software-defined network (SDN) architecture is characterized by the separation between the data plane and the control plane. This separation enables a programmable environment on the network. Despite the numerous benefits provided by this architecture, the security of an SDN network is still an important matter of concern. In particular, Denial of Service (DoS) attacks challenge SDN architectures in several ways. Solutions that act on the control plane require continuous communication with the data plane, which can add processing delay and thereby lengthen the time required to detect an attack. On the other hand, solutions that work in the data plane seek to reduce this processing time. However, these solutions are still limited to a restricted set of traffic analysis functionality, which narrows the scope of the security solutions that can be developed in the data plane. This paper proposes a data plane architecture that allows more sophisticated solutions to be implemented directly in the data plane. The proposed architecture is composed of a component that acts alongside the P4 switch and adds the flexibility needed for the switch to handle more complex operations. The architecture also provides support for the OpenFlow protocol, ensuring compatibility with currently deployed controllers. We compared two DoS attack detection techniques (chi-square and entropy) when applied to the control and data planes. Experimental results show that the data plane and the control plane yield similar results in terms of detection accuracy, although the data plane requires fewer packets to detect the attack, on average 45% less compared to the control plane.


Notes

  1. The relationship between \(\delta \) and \(T_{w_{i}}\) depends on the field to be analyzed. For example, if the field is the source IP, use \(\delta > T_{w_{i}}\); if the field is the destination IP, use \(\delta < T_{w_{i}}\).
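The following added example (not code from the paper or the P4Sec project) illustrates the field-dependent comparison in the note above with a window-based Shannon entropy detector. It assumes that \(\delta \) is the normalized entropy measured over one window of packets and that \(T_{w_{i}}\) is the alarm threshold for that window; the traffic, thresholds and window sizes are constructed here for illustration only.

```python
import math
from collections import Counter


def normalized_entropy(values):
    """Shannon entropy (bits) of the observed values, divided by log2(window size)
    so that a window of all-identical values gives 0.0 and all-distinct gives 1.0."""
    n = len(values)
    if n <= 1:
        return 0.0
    counts = Counter(values)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return entropy / math.log2(n)


def window_alarm(window, field, threshold):
    """Apply the comparison from the note: a spoofed flood spreads source IPs
    (entropy rises, alarm when delta > T) but concentrates on one destination
    (entropy falls, alarm when delta < T). Returns (alarm, delta)."""
    idx = 0 if field == "src" else 1
    delta = normalized_entropy([pkt[idx] for pkt in window])
    if field == "src":
        return delta > threshold, delta
    return delta < threshold, delta


def first_alarm(stream, field, threshold, window_size):
    """Number of packets consumed when the first window raises an alarm, or None."""
    for start in range(0, len(stream) - window_size + 1, window_size):
        alarm, _ = window_alarm(stream[start:start + window_size], field, threshold)
        if alarm:
            return start + window_size
    return None


# Constructed traffic (assumption, not a capture from the paper): (src_ip, dst_ip) pairs.
def normal_packets(n):
    # four clients talking evenly to two servers
    return [(f"10.0.0.{i % 4 + 1}", f"10.0.1.{i % 2 + 1}") for i in range(n)]


def flood_packets(n, victim="10.0.1.1"):
    # one spoofed source address per packet, all aimed at a single victim
    return [(f"172.16.{i // 256}.{i % 256}", victim) for i in range(n)]


STREAM = normal_packets(32) + flood_packets(32)
SRC_THRESHOLD, DST_THRESHOLD = 0.9, 0.15
```

With this stream, a window of 16 packets raises the source-IP and destination-IP alarms after 48 packets, while a window of 8 raises them after 40, showing how the window size sets the number of packets needed to detect the flood.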


Acknowledgements

This work is partially supported by the MCTIC/RNP/CTIC (Brazil) through the project P4Sec.

Author information

Corresponding author: Ranyelson N. Carvalho


Copyright information

© 2020 Springer Nature Switzerland AG


Cite this paper

Carvalho, R.N., Costa, L.R., Bordim, J.L., Alchieri, E.A.P. (2020). New Programmable Data Plane Architecture Based on P4 OpenFlow Agent. In: Barolli, L., Amato, F., Moscato, F., Enokido, T., Takizawa, M. (eds) Advanced Information Networking and Applications. AINA 2020. Advances in Intelligent Systems and Computing, vol 1151. Springer, Cham. https://doi.org/10.1007/978-3-030-44041-1_115
