Extended data plane architecture for in-network security services in software-defined networks

Software-Defined Networking (SDN)-based Network Function Virtualization (NFV) technologies improve the dependability and resilience of networks by enabling administrators to spawn and scale-up traffic management and security services in response to dynamic network conditions. However, in practice, they often suffer from poor performance and require complex configurations because network packets must be 'detoured' to each virtualized security service, which expends bandwidth and increases network propagation delay. To address these challenges, we propose a new SDN-based data plane architecture, called DPX (Data Plane eXtension), that natively supports in-network security services. The DPX action model reduces redundant processing caused by frequent packet parsing and provides administrators with a simplified (and less error-prone) method for configuring security services into the network. DPX also increases the efficiency of enforcing complex security policies by introducing a novel technique called action clustering, which aggregates security actions from multiple flows into a small number of synthetic rules. Also, the application of action clustering (i.e., advanced and global) provides more diverse policies and network-wide detection. We present an implementation of DPX in hardware using NetFPGA-SUME and in software using Open vSwitch. We evaluate the performance of the DPX prototype and the efficacy of its flow-table simplifications against a range of complex network policies exposed to line rates of 10 Gbps. © 2022 Elsevier Ltd. All rights reserved.
Publisher
ELSEVIER ADVANCED TECHNOLOGY
Issue Date
2023-01
Language
English
Article Type
Article
Citation

COMPUTERS & SECURITY, v.124

ISSN
0167-4048
DOI
10.1016/j.cose.2022.102976
URI
http://hdl.handle.net/10203/301137
Appears in Collection
EE-Journal Papers (Journal Papers)