Protecting OpenFlow using Intel SGX

Jorge Medina, Nicolae Paladi, Patrik Arlos

Research output: Chapter in Book/Report/Conference proceedingPaper in conference proceedingpeer-review

202 Downloads (Pure)

Abstract

OpenFlow flow tables in Open vSwitch contain valuable information about installed flows, priorities, packet actions and routing policies. Their importance is emphasised when collocated tenants compete for the limited entries available to install flow rules. OpenFlow flow tables are a security asset that requires confidentiality and integrity guarantees. However, commodity software switch implementations - such as Open vSwitch - do not implement protection mechanisms capable to prevent attackers from obtaining information about the installed flows or modifying flow tables. We adopt a novel approach to enabling OpenFlow flow table protection through decomposition. We identify core assets requiring security guarantees, isolate OpenFlow flow tables through decomposition and implement a prototype using Open vSwitch and Software Guard Extensions enclaves. An evaluation of the prototype on a distributed testbed both demonstrates that the approach is practical and indicates directions for further improvements.
Original languageEnglish
Title of host publicationIEEE Conference on Network Function Virtualization and Software Defined Networks
Subtitle of host publication(NFV-SDN)
PublisherIEEE - Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)978-1-7281-4545-7
ISBN (Print)978-1-7281-4546-4
DOIs
Publication statusPublished - 2020 Mar 19
EventIEEE Conference on Network Function Virtualization and Software Defined Networks - Dallas, United States
Duration: 2019 Nov 122019 Nov 14

Conference

ConferenceIEEE Conference on Network Function Virtualization and Software Defined Networks
Country/TerritoryUnited States
CityDallas
Period2019/11/122019/11/14

Subject classification (UKÄ)

  • Computer Systems

Free keywords

  • Software Defined Networks
  • confidentiality
  • Software Guard Extentions
  • Integrity

Fingerprint

Dive into the research topics of 'Protecting OpenFlow using Intel SGX'. Together they form a unique fingerprint.

Cite this