Cryptographic Algorithm Invocation in IPsec: Guaranteeing the Communication Security in the Southbound Interface of SDN Networks
Due to the static configuration of IPsec cryptographic algorithms, the invocation of these algorithms cannot be dynamically self-adaptable to the traffic fluctuation of software-defined networking (SDN) southbound communication. In this paper, an invocation mechanism, based on the Free-to-Add (FTA) scheme, is proposed to optimize the invocation mode of cryptographic algorithms in traditional IPsec. To balance the link security and communication performance, a feedback-based scheduling approach is designed for the controller of IPsec-applied SDN to replace flexibly and switch synchronously the IPsec cryptographic algorithms in use according to the real-time network status. The feedback information is applied to decide which appropriate algorithm(s) should be employed for the cryptographic process in a special application scenario. The validity and effectiveness of the proposed invocation mechanism are verified and evaluated on a small-scale SDN/OpenFlow platform with the deployed IPsec security gateway. The results show that the FTA-based mechanism invokes IPsec encryption algorithms consistently with the requirement for communication security in the SDN southbound interface, and the impact of the IPsec cryptographic process on the network performance will be reduced even if the network traffic fluctuates markedly.
KeywordsCommunication security Software-defined networking (SDN) IPsec Algorithm invocation Southbound interface (SBI)
The work described in this paper was carried out with the support of the National Natural Science Foundation of China (61772562), the China Education and Research Network (CERNT) Innovation Project (NGII20150106), and the Fundamental Research Funds for the Central Universities, South-Central University for Nationalities (CZY18014).
- 3.Chen, M., Qian, Y., Mao, S., et al.: Software-defined mobile networks security. Mobile Netw. Appl. 21(5), 1–15 (2016)Google Scholar
- 4.OpenFlow Switch Specification v1.5.1. http://OpenFlowSwitch.org
- 7.Porras, P.A., Cheung, S., Fong, M.W., et al.: Securing the software-defined network control layer. In: Proceedings of Network and Distributed System Security (NDSS) Symposium, pp. 1–15. San Diego, USA (2015)Google Scholar
- 10.Huang, X., Yu, R., Kang, J., et al.: Software defined networking for energy harvesting Internet of Things. IEEE Internet Things J. 5(3), 1389–1399 (2018)Google Scholar
- 11.Marin-Lopez, R., Lopez-Millan, G.: Software-defined networking (SDN)-based IPsec flow protection. I2NSF Internet-Draft. July 2018. draft-ietf-i2nsf-sdn-ipsec-flow-protection-02. https://datatracker.ietf.org/doc/draft-ietf-i2nsf-sdn-ipsec-flow-protection/
- 12.Al-Khatib, A.A., Hassan, R.: Impact of IPSec protocol on the performance of network real-time applications: A review. Int. J. Netw. Secur. 19, 800–808 (2017)Google Scholar