Vulnerabilities and solutions for isolation in FlowVisor-based virtual network environments

Cited by: 10
Authors
Costa, Victor T. [1]
Costa, Luis Henrique M. K. [1]
Affiliations
[1] Univ Fed Rio de Janeiro, GTA, COPPE, Rio De Janeiro, Brazil
Keywords
OpenFlow; FlowVisor; Security; Network virtualization; Resource isolation;
DOI
10.1186/s13174-015-0034-4
Chinese Library Classification number
TP [Automation technology, computer technology];
Discipline classification code
0812;
Abstract
In a virtualized environment, different virtual networks can operate over the same physical infrastructure. Each virtual network has its own protocols and shares the available resources, thus highlighting the need for resource isolation mechanisms. Investigating the isolation mechanisms provided by FlowVisor, we have discovered previously unknown vulnerabilities regarding addressing space isolation. We show that, in the presence of a malicious controller, FlowVisor's isolation can be broken, allowing different attacks. This paper addresses these vulnerabilities by proposing an Action Slicing mechanism that allows FlowVisor to limit which actions can be used by each virtual network controller, thus extending the virtual network definition. Our experimental results show that using the proposed Action Slicing mechanism can effectively neutralize the discovered vulnerabilities.
Pages: 9