Journal of Xidian University ›› 2023, Vol. 50 ›› Issue (6): 172-194. doi: 10.19665/j.issn1001-2400.20230904

• Cyberspace Security •

Advances in security analysis of software-defined networking flow rules

XIONG Wanyin1, MAO Jian1, LIU Ziwen1, LIU Wenmao2, LIU Jianwei1

  1. School of Cyber Science and Technology, Beihang University, Beijing 100191, China
  2. NSFocus Inc., Beijing 100089, China
  • Received: 2022-12-10 Online: 2023-12-20 Published: 2024-01-22


With the increasing diversification of network functions, the software-defined networking (SDN) architecture, which provides centralized network control and programmability, has been deployed in various fields. However, the unique hierarchical structure and operation mechanism of SDN also introduce new security challenges. Flow rules, as the carrier of control plane management decisions and the basis of data plane network behavior, have become the focus of SDN attack and defense. To address the security issues of flow rules in SDN, this paper first reviews the characteristics and security risks of the SDN architecture. Based on the mechanism of flow rules in SDN, attacks against flow rules are systematically divided into two categories, namely interference with control plane decisions and violations in data plane implementation, and attack examples are introduced. Then, methods for improving the security of flow rules are analyzed and classified into two categories, i.e., checking and enhancing the security of flow rules. Existing implementation mechanisms are summarized and their limitations briefly analyzed. For flow rule security checking, two mainstream methods, model-based checking and test-packet-based checking, are analyzed and discussed. For flow rule security enhancement, three specific approaches based on permission control, conflict resolution and path verification are introduced and discussed. Finally, future research trends in flow rule security are outlined.

Key words: software-defined networking, flow rule, network security, network verification, network testing

CLC Number: TP309