Publication:
DPSec: A blockchain-based data plane authentication protocol for SDNs

Type

conferenceObject

Access

restrictedAccess

Publication Status

Published

Abstract

Software-Defined Networking (SDN) is a promising networking architecture that enables central management along with network programmability. However, SDN brings additional security threats due to untrusted control and data planes. In this work, we focus on authenticating SDN's data plane since it can be exploited to attack SDN's control plane. As a result, the whole SDN network will be paralysed. On the other hand, Blockchain (BC) can be utilized to provide a more secure data plane by introducing a fault-tolerant, decentralized and secure ledger without relying on any trusted third-party intermediaries. To this end, in this work we propose DPSec, a consortium BC-based protocol for authenticating SDN's data plane, including SDN switches and hosts. We also provide a proof-of-concept that demonstrates the applicability and feasibility of our protocol in SDNs. Finally, we present a security analysis that shows how DPSec can address several attacks against SDNs, including the CVE-2018-1000155 vulnerability [1] that targets SDN controllers due to the untrusted data plane.

Date

2020-11-02

Publisher

IEEE
