Visible to the public Biblio

Filters: Keyword is Service Function Chaining (SFC)  [Clear All Filters]
2020-10-05
Chowdhary, Ankur, Alshamrani, Adel, Huang, Dijiang.  2019.  SUPC: SDN enabled Universal Policy Checking in Cloud Network. 2019 International Conference on Computing, Networking and Communications (ICNC). :572–576.

Multi-tenant cloud networks have various security and monitoring service functions (SFs) that constitute a service function chain (SFC) between two endpoints. SF rule ordering overlaps and policy conflicts can cause increased latency, service disruption and security breaches in cloud networks. Software Defined Network (SDN) based Network Function Virtualization (NFV) has emerged as a solution that allows dynamic SFC composition and traffic steering in a cloud network. We propose an SDN enabled Universal Policy Checking (SUPC) framework, to provide 1) Flow Composition and Ordering by translating various SF rules into the OpenFlow format. This ensures elimination of redundant rules and policy compliance in SFC. 2) Flow conflict analysis to identify conflicts in header space and actions between various SF rules. Our results show a significant reduction in SF rules on composition. Additionally, our conflict checking mechanism was able to identify several rule conflicts that pose security, efficiency, and service availability issues in the cloud network.

2020-09-08
Thang, Nguyen Canh, Park, Minho.  2019.  Detecting Compromised Switches And Middlebox-Bypass Attacks In Service Function Chaining. 2019 29th International Telecommunication Networks and Applications Conference (ITNAC). :1–6.
Service Function Chaining (SFC) provides a special capability that defines an ordered list of network services as a virtual chain and makes a network more flexible and manageable. However, SFC is vulnerable to various attacks caused by compromised switches, especially the middlebox-bypass attack. In this paper, we propose a system that can detect not only middlebox-bypass attacks but also other incorrect forwarding actions by compromised switches. The existing solutions to protect SFC against compromised switches and middlebox-bypass attacks can only solve individual problems. The proposed system uses both probe-based and statistics-based methods to check the probe packets with random pre-assigned keys and collect statistics from middleboxes for detecting any abnormal actions in SFC. It is shown that the proposed system takes only 0.08 ms for the packet processing while it prevents SFC from the middlebox-bypass attacks and compromised switches, which is the negligible delay.