Source Encryption Scheme in SDN Southbound

Abstract

In light of the existence of the software defined networking (SDN) southbound communication protocol OpenFlow, and manufacturers’ neglect of network security, in this paper, we propose a protection scheme for encryption at the source of the communication data that is based on the Kerberos authentication protocol. This scheme not only completes the identity authentication of and session key assignment for the communication parties on an insecure channel but also employs an efficient AES symmetric encryption algorithm to ensure that messages always exist in the form of ciphertext before they reach the end point and thus obtain end-to-end security protection of communication data. At the end of this paper, we present our experimental results in the form of a forwarding agent. After that, the performance of the Floodlight controller is tested using a CBench testing tool. Our results indicate that the proposed source encryption scheme provides end-to-end encryption of communication data. Although the communication latency increases by approximately 12% when both transport layer security (TLS) and source-encrypted are enabled, the source-encrypted part of the increase is only approximately 4%.