Cryptographic Algorithm Invocation in IPsec: Guaranteeing the Communication Security in the Southbound Interface of SDN Networks

  • Deqiang Wang
  • Wan TangEmail author
  • Ximin Yang
  • Wei Feng
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 262)


Due to the static configuration of IPsec cryptographic algorithms, the invocation of these algorithms cannot be dynamically self-adaptable to the traffic fluctuation of software-defined networking (SDN) southbound communication. In this paper, an invocation mechanism, based on the Free-to-Add (FTA) scheme, is proposed to optimize the invocation mode of cryptographic algorithms in traditional IPsec. To balance the link security and communication performance, a feedback-based scheduling approach is designed for the controller of IPsec-applied SDN to replace flexibly and switch synchronously the IPsec cryptographic algorithms in use according to the real-time network status. The feedback information is applied to decide which appropriate algorithm(s) should be employed for the cryptographic process in a special application scenario. The validity and effectiveness of the proposed invocation mechanism are verified and evaluated on a small-scale SDN/OpenFlow platform with the deployed IPsec security gateway. The results show that the FTA-based mechanism invokes IPsec encryption algorithms consistently with the requirement for communication security in the SDN southbound interface, and the impact of the IPsec cryptographic process on the network performance will be reduced even if the network traffic fluctuates markedly.


Communication security Software-defined networking (SDN) IPsec Algorithm invocation Southbound interface (SBI) 



The work described in this paper was carried out with the support of the National Natural Science Foundation of China (61772562), the China Education and Research Network (CERNT) Innovation Project (NGII20150106), and the Fundamental Research Funds for the Central Universities, South-Central University for Nationalities (CZY18014).


  1. 1.
    Kreutz, D., Ramos, F.M.V., Veríssimo, P., et al.: Software-defined networking: a comprehensive survey. Proc. IEEE 103(1), 14–76 (2015)CrossRefGoogle Scholar
  2. 2.
    Liyanage, M., Ahmed, I., Okwuibe, J., et al.: Enhancing security of software defined mobile networks. IEEE Access 5, 9422–9438 (2017)CrossRefGoogle Scholar
  3. 3.
    Chen, M., Qian, Y., Mao, S., et al.: Software-defined mobile networks security. Mobile Netw. Appl. 21(5), 1–15 (2016)Google Scholar
  4. 4.
    OpenFlow Switch Specification v1.5.1.
  5. 5.
    Wang, M., Liu, J., Chen, J., et al.: Software defined networking: security model, threats and mechanism. J. Softw. 27(4), 969–992 (2016)MathSciNetzbMATHGoogle Scholar
  6. 6.
    Shu, Z., Wan, J., Li, D., et al.: Security in software-defined networking: Threats and countermeasures. Mobile Netw. Appl. 21(5), 764–776 (2013)CrossRefGoogle Scholar
  7. 7.
    Porras, P.A., Cheung, S., Fong, M.W., et al.: Securing the software-defined network control layer. In: Proceedings of Network and Distributed System Security (NDSS) Symposium, pp. 1–15. San Diego, USA (2015)Google Scholar
  8. 8.
    Scott-Hayward, S., Natarajan, S., Sezer, S.: A survey of security in software defined networks. IEEE Commun. Surv. Tutor. 18(1), 623–654 (2016)CrossRefGoogle Scholar
  9. 9.
    Ferguson, A.D., Guha, A., Liang, C., et al.: Participatory networking: an API for application control of SDNs. In: Proceedings of ACM Special Interest Group on Data Communication (SIGCOMM), pp. 327–338. Hong Kong, China (2013)CrossRefGoogle Scholar
  10. 10.
    Huang, X., Yu, R., Kang, J., et al.: Software defined networking for energy harvesting Internet of Things. IEEE Internet Things J. 5(3), 1389–1399 (2018)Google Scholar
  11. 11.
    Marin-Lopez, R., Lopez-Millan, G.: Software-defined networking (SDN)-based IPsec flow protection. I2NSF Internet-Draft. July 2018. draft-ietf-i2nsf-sdn-ipsec-flow-protection-02.
  12. 12.
    Al-Khatib, A.A., Hassan, R.: Impact of IPSec protocol on the performance of network real-time applications: A review. Int. J. Netw. Secur. 19, 800–808 (2017)Google Scholar
  13. 13.
    Yang, X., Wang, D., Feng, W., Wu, J., Tang, W.: Cryptographic algorithm invocation based on software-defined everything in IPsec. Wirel. Commun. Mobile Comput. (WCMC) 2018 (2018). Article ID 8728424Google Scholar

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2019

Authors and Affiliations

  1. 1.College of Computer ScienceSouth-Central Univ. for NationalitiesWuhanChina

Personalised recommendations