Towards adoption of secure communication protocol in Software Defined Networks

Cited by: 1
Authors
Kancherla, Gayatri Priyadarsini [1]
Kulkarni, Sameer G. [1]
Affiliations
[1] Indian Inst Technol Gandhinagar, Gandhinagar, India
Source
2023 15TH INTERNATIONAL CONFERENCE ON COMMUNICATION SYSTEMS & NETWORKS, COMSNETS | 2023
Keywords
Software Defined Networks (SDN); Security; OpenFlow; TLSv1.3
DOI
10.1109/COMSNETS56262.2023.10041364
Chinese Library Classification number
TP3 [Computing technology, computer technology]
Discipline classification code
0812
Abstract
Software Defined Networking (SDN) decouples the forwarding data plane from the network control plane to provide centralized control and programmability of data plane elements like switches and routers. Traditionally, this communication between the control plane and the data plane (southbound communication), e.g., using OpenFlow, was based on a non-secure protocol like Transmission Control Protocol (TCP), which over the years resulted in several security incidents. In order to facilitate secure data communication, the adoption of Transport Layer Security (TLS) has become unavoidable. To this extent, we first present the key qualitative aspects and suitability of using TLS 1.2 and the newer TLS 1.3 for southbound communication. Further, we present an extensive quantitative evaluation on a Mininet emulator testbed to assess the performance impact of using TLS 1.2 and TLS 1.3 (for the most widely used cipher suites) over TCP to secure the controller-switch communication. Our work shows that the adoption of a secure communication channel (TLS) incurs significant overheads (~2-6x) when compared to baseline TCP (unsecure channel), while TLS 1.3 adds marginal overheads in terms of latency and throughput (~5%) in comparison to TLS 1.2. Also, we observed the memory and processing (computational cost) overheads with TLS 1.2 and TLS 1.3 to be negligible, even when supporting a large number of flows. Further, we also discuss the potential adoption of the QUIC protocol as an alternative to provide high-performance secure communication for the southbound interface.
Pages: 8