Towards trusted and efficient SDN topology discovery: A lightweight topology verification scheme

Xinli Huang, Peng Shi, Yufei Liu, Fei Xu*

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

25 Scopus citations

Abstract

Discovering network topology is critical for Software-defined Networking (SDN) controllers to establish centralized network visibility. However, during SDN topology discovery, controllers tend to suffer from topology poisoning attacks due to a lack of authentication. Existing methods can hardly solve the problem of SDN topology poisoning attacks in a comprehensive and lightweight manner. To fill this gap, we propose TrustTopo, a lightweight and efficient SDN topology verification scheme. Specifically, we first establish a security threat model to analyze key service vulnerabilities in the SDN controller. Then, we design two verification strategies (i.e., host location verification and link verification) to cope with the host hijacking attack and the link fabrication attack, respectively. In more detail, our host location verification strategy is based on path tracking and an asynchronous rollback technique, while our link verification strategy is designed using a chaotic model and a dynamic password generation technique. We implement TrustTopo in a mainstream SDN controller (i.e., Floodlight). Experimental results in the Mininet virtual network environment show that TrustTopo can effectively secure the network topology against representative topology poisoning attacks while adding negligible runtime overhead.

Original language: English
Article number: 107119
Journal: Computer Networks
Volume: 170
State: Published - 7 Apr 2020

Keywords

  • Security vulnerability
  • Software-defined networks
  • Topology discovery
  • Topology poisoning attacks
  • Topology trustworthiness verification
