Title :
PERM-GUARD: Authenticating the Validity of Flow Rules in Software Defined Networking
Author :
Mengmeng Wang;Jianwei Liu;Jie Chen;Xiao Liu;Jian Mao
Author_Institution :
Sch. of Electron. &
Abstract :
Software Defined Networking (SDN) is one of the typical flow-rule-driven networks. In SDN, a centralized controller dictates the network behavior and configures network devices with many flow rules, and the validity and consistency of flow rules could guarantee normal operation in SDN. Therefore, SDN requires a secure and efficient mechanism to manage and authenticate flow rules between the application layer and the control layer. In this paper, our target problem is to authenticate the validity of flow rules in SDN. We analyze the mechanisms used to generate and to insert flow rules in SDN, and present PERM-GUARD, a fine-grained flow rule production-permission authentication scheme. PERM-GUARD employs a new permission authentication model and introduces an identity-based signature scheme to ensure that the controller can verify the validity of flow rules. We conduct theoretical analysis and evaluate our approach by simulation. The results demonstrate that PERM-GUARD can efficiently identify and reject fake flow rules generated by unregistered applications. Meanwhile, our approach can also effectively filter unauthorized flow rules created by valid applications.
Keywords :
"Authentication","Software","Authorization","Writing","Production","Monitoring"
Conference_Title :
Cyber Security and Cloud Computing (CSCloud), 2015 IEEE 2nd International Conference on
DOI :
10.1109/CSCloud.2015.89