“Preventing DoS attacks in multi-domain optical SDN”
Master’s thesis, Mestrado em Engenharia Informática, Departamento de Informática, Faculdade de Ciências da Universidade de Lisboa, Nov. 2016
Abstract: Legacy networks do not have the necessary dynamism to follow the evolution online services have experienced in the past few years. In order to overcome this problem, the Software Defined Networking (SDN) paradigm was proposed. The goal of this paradigm is change the way networks are controlled. In legacy networks, the control plane and the data plane are coupled together in the network elements. SDN separates the control plane and the data plane through the use of a standard SDN Application Programming Interface (API) in the data plane to communicate with the logically centralized control plane. In order to reap the benefits of SDN, a plan of migration for legacy networks should be established. For optical networks the migration to SDN is not easy because optical equipments have their own protocols to communicate and there are no SDN standardized interfaces prepared to abstract these type of equipments. In order to solve this problem, organizations such as China Mobile, China Telecom, Verizon and industry organizations like the Open Networking Foundation (ONF) have proposed the use of an abstraction layer between the data plane and the main controller. This abstraction layer is responsible to convert the optical equipment protocols into a standard SDN Application Programming Interface (API) to communicate with the main controller. The abstraction layer can be considered an optical equipment controller, the Original Equipment Manufacturer (OEM) controller. With this approach, service providers (SP) (i.e., telecommunication operators) only need to have a main controller to orchestrate the whole network through the use of OEM controllers. With this solution the Service Providers (SP) are able to control the optical network with different optical equipment from multiple vendors (multi-domain networks). The OEM controllers are responsible to execute all the operations in the Network Element (NE) (the NE is the optical equipment) that constitutes the Data Plane (DP). They also process information that comes from the NE and translate that information to the main controller. Examples include: network information and performance of services. The challenge is that if the OEM controller is compromised, the entire optical network is compromised. This is the main motivation for this project. The objective of our work is to develop a solution that can help the Service Provider (SP) to have confidence in the NEs and respective optical network connections. To achieve this goal, the system has to guarantee the availability and integrity of the OEM controller. This component should be always available to process notifications, be it from the NEs or from the main controller. It should also be ensured that the integrity of all requests thatare sent by the SP controller to the OEM controllers is guaranteed. In order to solve these problems, we propose a new security mechanism for the OEM controller to protect the optical network. The solution consists in the use of a reverse proxy and a firewall to control the ow of requests to the OEM controller. The communication between the SP controller and the OEM controller is also made secure to assure the integrity of requests.
Research line(s): Fault and Intrusion Tolerance in Open Distributed Systems (FIT)