A Security Architecture Against Service Function Chaining Threats
draft-nguyen-sfc-security-architecture-00

Document Type: Expired Internet-Draft (individual)
Last updated: 2020-05-27 (latest revision 2019-11-24)
Stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus Boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date:
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at
https://www.ietf.org/archive/id/draft-nguyen-sfc-security-architecture-00.txt

Abstract

Service Function Chaining (SFC) provides a special capability that defines an ordered list of network services as a virtual chain and makes a network more flexible and manageable. However, SFC is vulnerable to various attacks caused by compromised switches, especially the middlebox-bypass attack. In this document, we propose a security architecture that can detect not only middlebox-bypass attacks but also other incorrect forwarding actions by compromised switches. The existing solutions to protect SFC against compromised switches and middlebox-bypass attacks can only solve individual problems. The proposed architecture uses both probe-based and statistics-based methods to check the probe packets with random pre-assigned keys and collect statistics from middleboxes for detecting any abnormal actions in SFC.

Authors

THANG Nguyen (nct@soongsil.ac.kr)
Minho Park (mhp@ssu.ac.kr)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)