Software defined networking implements the network control plane in an external entity, rather than in each individual device as in conventional networks. This architectural difference implies a different design for control functions necessary for essential network properties, e.g., loop prevention and link redundancy. We explore how such differences redefine the security weaknesses in the SDN control plane and provide a framework for comparative analysis which focuses on essential network properties required by typical production networks. This enables analysis of how these properties are delivered by the control planes of SDN and conventional networks, and to compare security threats and mitigations. Despite the architectural difference, we find similar, but not identical, exposures in control plane security if both network paradigms provide the same network properties and are analyzed under the same threat model. However, defenses vary; SDN cannot depend on edge based filtering to protect its control plane, while this is arguably the primary defense in conventional networks. Our concrete security analysis suggests that a distributed SDN architecture that supports fault tolerance and consistency checks is important for SDN control plane security. Our analysis methodology may be of independent interest for future security analysis of SDN and conventional networks.

Additional Metadata
Keywords Analytical models, Computer architecture, Control plane security, Control systems, Network security, OpenFlow security., Production, Protocols, SDN security, Security, Tutorials
Persistent URL
Journal IEEE Communications Surveys and Tutorials
Abdou, A.R. (Abdel Rahman), Van Oorschot, P, & Wan, T. (Tao). (2018). Comparative Analysis of Control Plane Security of SDN and Conventional Networks. IEEE Communications Surveys and Tutorials. doi:10.1109/COMST.2018.2839348