Path information based packet verification for authentication of SDN network manager

Abstract

In this paper we propose new authentication scheme that is suitable for Software-Defined Networks (SDN). Basically our approach is based on One Time Password (OTP). To check legitimacy of OTP, our model uses an additional parameter, which is related with the path information where packet passed through. This is possible because SDN controller can monitor the entire network status. Proposed scheme can be briefly described as follows. First, a specific path is assigned to the network manager and his OTP packet should pass through this path. The controller modifies corresponding flow rules to forward OTP packet along correct direction. Consequently, OTP packet of legal user will be forwarded on pre-assigned path. Using this model, SDN controller can be protected from attack even when attacker knows the OTP because SDN controller accepts OTP packet only if it is forwarded along specific path. Finally we analyzed overhead caused from our authentication mechanism.