<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.3 20210610//EN" "JATS-journalpublishing1-3.dtd">
<article article-type="research-article" dtd-version="1.3" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xml:lang="ru"><front><journal-meta><journal-id journal-id-type="publisher-id">sibsutis</journal-id><journal-title-group><journal-title xml:lang="ru">Вестник СибГУТИ</journal-title><trans-title-group xml:lang="en"><trans-title>The Herald of the Siberian State University of Telecommunications and Information Science</trans-title></trans-title-group></journal-title-group><issn pub-type="ppub">1998-6920</issn><publisher><publisher-name>СибГУТИ</publisher-name></publisher></journal-meta><article-meta><article-id custom-type="elpub" pub-id-type="custom">sibsutis-169</article-id><article-categories><subj-group subj-group-type="heading"><subject>Research Article</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="ru"><subject>Статьи</subject></subj-group></article-categories><title-group><article-title>Аспекты информационной безопасности архитектуры SDN</article-title><trans-title-group xml:lang="en"><trans-title>SDN architecture, cyber security aspects</trans-title></trans-title-group></title-group><contrib-group><contrib contrib-type="author" corresp="yes"><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Захаров</surname><given-names>А. А.</given-names></name><name name-style="western" xml:lang="en"><surname>Zakharov</surname><given-names>A. A.</given-names></name></name-alternatives><email xlink:type="simple">azaharov@utmn.ru</email><xref ref-type="aff" rid="aff-1"/></contrib><contrib contrib-type="author" corresp="yes"><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Попов</surname><given-names>Е. Ф.</given-names></name><name name-style="western" xml:lang="en"><surname>Popov</surname><given-names>E. F.</given-names></name></name-alternatives><email xlink:type="simple">efpopov@gmail.com</email><xref ref-type="aff" rid="aff-1"/></contrib><contrib contrib-type="author" corresp="yes"><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Фучко</surname><given-names>М. М.</given-names></name><name name-style="western" xml:lang="en"><surname>Fuchko</surname><given-names>M. M.</given-names></name></name-alternatives><email xlink:type="simple">mikefgtab@gmail.com</email><xref ref-type="aff" rid="aff-1"/></contrib></contrib-group><aff xml:lang="ru" id="aff-1"><institution>Тюменский государственный университет</institution><country>Russian Federation</country></aff><pub-date pub-type="collection"><year>2016</year></pub-date><pub-date pub-type="epub"><day>24</day><month>10</month><year>2022</year></pub-date><volume>0</volume><issue>1</issue><fpage>83</fpage><lpage>92</lpage><permissions><copyright-statement>Copyright &amp;#x00A9; Захаров А.А., Попов Е.Ф., Фучко М.М., 2022</copyright-statement><copyright-year>2022</copyright-year><copyright-holder xml:lang="ru">Захаров А.А., Попов Е.Ф., Фучко М.М.</copyright-holder><copyright-holder xml:lang="en">Zakharov A.A., Popov E.F., Fuchko M.M.</copyright-holder><license xml:lang="ru" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>Данная работа распространяется под лицензией Creative Commons Attribution 4.0.</license-p></license><license xml:lang="en" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>This work is licensed under a Creative Commons Attribution 4.0 License.</license-p></license></permissions><self-uri xlink:href="https://vestnik.sibsutis.ru/jour/article/view/169">https://vestnik.sibsutis.ru/jour/article/view/169</self-uri><abstract><p>OpenFlow является наиболее распространенным протоколом архитектуры Software Defined Networking (SDN), которая разделяет функции управления сетевыми устройствами и передачи данных. Она переносит основные функции управления с маршрутизаторов и коммутаторов на централизованные контроллеры. Благодаря централизованному управлению сетью и программируемости контроллеров, архитектура SDN обладает потенциалом, который может быть использован для модернизации средств обеспечения безопасности и реализации более эффективных методов противодействия угрозам, свойственных традиционной архитектуре сетей передачи данных. В работе представлен обзор архитектуры SDN и протокола OpenFlow, анализ угроз и технологии их нейтрализации для архитектуры SDN и протокола OpenFlow, а также определены критичные угрозы для тех сетей OpenFlow, которые в скором времени могут появиться в РФ; предложены способы противодействия данным угрозам.</p></abstract><trans-abstract xml:lang="en"><p>Open Flow is the most deployed Software Defined Networking (SDN) protocol, which allows us to decouple the control plane and data plane function of a network. This architecture transfers core functions from the routers and switches to centralized controllers. Due to centralized control, SDN architecture has specific capabilities that can be exploited to improve security tools and mitigate threats of traditional architecture networks more effective. This paper presents an overview of SDN architecture and Open Flow protocol, analysis of related security threats and mitigation techniques. Moreover, the most critical threats for data networks, which may be deployed soon in RF, are determined and mitigation approaches for these threats are proposed.</p></trans-abstract><kwd-group xml:lang="ru"><kwd>защита информации</kwd><kwd>протокол OpenFlow</kwd><kwd>программно-конфигурируемые сети</kwd><kwd>информационная безопасность</kwd></kwd-group><kwd-group xml:lang="en"><kwd>SDN</kwd><kwd>protection of information</kwd><kwd>SDN</kwd><kwd>Open Flow protocol</kwd><kwd>software-configurable network</kwd><kwd>information security</kwd></kwd-group></article-meta></front><back><ref-list><title>References</title><ref id="cit1"><label>1</label><citation-alternatives><mixed-citation xml:lang="ru">K. Calvert, S. Bhattacharjee, E. Zegura, and J. Sterbenz, Directions in Active Networks IEEE Communications magazine, р. 72-78, October 1998.</mixed-citation><mixed-citation xml:lang="en">K. Calvert, S. Bhattacharjee, E. Zegura, and J. Sterbenz, Directions in Active Networks IEEE Communications magazine, р. 72-78, October 1998.</mixed-citation></citation-alternatives></ref><ref id="cit2"><label>2</label><citation-alternatives><mixed-citation xml:lang="ru">Diego Kreutz, Fernando MV Ramos, P Esteves Verissimo, Christian Esteve Rothenberg, Siamak Azodolmolky, and Steve Uhlig. Software-defined networking: A comprehensive survey. proceedings of the IEEE, 103[1]: 14-76, 2015.</mixed-citation><mixed-citation xml:lang="en">Diego Kreutz, Fernando MV Ramos, P Esteves Verissimo, Christian Esteve Rothenberg, Siamak Azodolmolky, and Steve Uhlig. Software-defined networking: A comprehensive survey. proceedings of the IEEE, 103[1]: 14-76, 2015.</mixed-citation></citation-alternatives></ref><ref id="cit3"><label>3</label><citation-alternatives><mixed-citation xml:lang="ru">Nick McKeown, Tom Anderson, Hari Balakrishnan, Guru Parulkar, Larry Peterson, Jennifer Rexford, Scott Shenker, and Jonathan Turner. Openflow: enabling innovation in campus networks. ACM SIGCOMM Computer Communication Review, 38[2]:69-74, 2008.</mixed-citation><mixed-citation xml:lang="en">Nick McKeown, Tom Anderson, Hari Balakrishnan, Guru Parulkar, Larry Peterson, Jennifer Rexford, Scott Shenker, and Jonathan Turner. Openflow: enabling innovation in campus networks. ACM SIGCOMM Computer Communication Review, 38[2]:69-74, 2008.</mixed-citation></citation-alternatives></ref><ref id="cit4"><label>4</label><citation-alternatives><mixed-citation xml:lang="ru">Diego Kreutz, Fernando Ramos, and Paulo Verissimo. Towards secure and dependable software-defined networks. In Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking, p. 55-60. 2013.</mixed-citation><mixed-citation xml:lang="en">Diego Kreutz, Fernando Ramos, and Paulo Verissimo. Towards secure and dependable software-defined networks. In Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking, p. 55-60. 2013.</mixed-citation></citation-alternatives></ref><ref id="cit5"><label>5</label><citation-alternatives><mixed-citation xml:lang="ru">Смелянский Р. Л. Программно-конфигурируемые сети. Открытые системы. СУБД 9. 2012. с. 23-26.</mixed-citation><mixed-citation xml:lang="en">Смелянский Р. Л. Программно-конфигурируемые сети. Открытые системы. СУБД 9. 2012. с. 23-26.</mixed-citation></citation-alternatives></ref><ref id="cit6"><label>6</label><citation-alternatives><mixed-citation xml:lang="ru">OpenFlow Switch Specification Ver 1.5.1, 2016 [accessed January 11, 2016]. https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-switch-vl.5.1.pdf.</mixed-citation><mixed-citation xml:lang="en">OpenFlow Switch Specification Ver 1.5.1, 2016 [accessed January 11, 2016]. https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-switch-vl.5.1.pdf.</mixed-citation></citation-alternatives></ref><ref id="cit7"><label>7</label><citation-alternatives><mixed-citation xml:lang="ru">Никульчев Е. В., Паяин С. В., Плужник Е. В. Динамическое управление трафиком программно -конфигурируемых сетей в облачной инфраструктуре. Вестник РГРТУ. № 3. 2013. с. 45.</mixed-citation><mixed-citation xml:lang="en">Никульчев Е. В., Паяин С. В., Плужник Е. В. Динамическое управление трафиком программно -конфигурируемых сетей в облачной инфраструктуре. Вестник РГРТУ. № 3. 2013. с. 45.</mixed-citation></citation-alternatives></ref><ref id="cit8"><label>8</label><citation-alternatives><mixed-citation xml:lang="ru">Sandra Scott-Hayward, Gemma O’Callaghan, and Sakir Sezer. Sdn security: A survey. In Future Networks and Services (SDN4FNS), 2013 IEEE SDN For, p. 1-7. IEEE, 2013.</mixed-citation><mixed-citation xml:lang="en">Sandra Scott-Hayward, Gemma O’Callaghan, and Sakir Sezer. Sdn security: A survey. In Future Networks and Services (SDN4FNS), 2013 IEEE SDN For, p. 1-7. IEEE, 2013.</mixed-citation></citation-alternatives></ref><ref id="cit9"><label>9</label><citation-alternatives><mixed-citation xml:lang="ru">Open Networking Fundation. Software-defined networking: The new norm for networks. ONF White Paper, 2012.</mixed-citation><mixed-citation xml:lang="en">Open Networking Fundation. Software-defined networking: The new norm for networks. ONF White Paper, 2012.</mixed-citation></citation-alternatives></ref><ref id="cit10"><label>10</label><citation-alternatives><mixed-citation xml:lang="ru">Kevin Benton, L Jean Camp, and Chris Small. Openflow vulnerability assessment. In Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking, p. 151-152. 2013.</mixed-citation><mixed-citation xml:lang="en">Kevin Benton, L Jean Camp, and Chris Small. Openflow vulnerability assessment. In Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking, p. 151-152. 2013.</mixed-citation></citation-alternatives></ref><ref id="cit11"><label>11</label><citation-alternatives><mixed-citation xml:lang="ru">Seungwon Shin and Guofei Gu. Attacking software-defined networks: A first feasibility study. In Proceedings of the second ACM SIGCOMM work- shop on Hot topics in software defined networking, p. 165-166. 2013.</mixed-citation><mixed-citation xml:lang="en">Seungwon Shin and Guofei Gu. Attacking software-defined networks: A first feasibility study. In Proceedings of the second ACM SIGCOMM work- shop on Hot topics in software defined networking, p. 165-166. 2013.</mixed-citation></citation-alternatives></ref><ref id="cit12"><label>12</label><citation-alternatives><mixed-citation xml:lang="ru">Diego Kreutz, Fernando Ramos, and Paulo Verissimo. Towards secure and dependable software-defined networks. In Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking, p. 55-60. 2013.</mixed-citation><mixed-citation xml:lang="en">Diego Kreutz, Fernando Ramos, and Paulo Verissimo. Towards secure and dependable software-defined networks. In Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking, p. 55-60. 2013.</mixed-citation></citation-alternatives></ref><ref id="cit13"><label>13</label><citation-alternatives><mixed-citation xml:lang="ru">Margaret Wasserman and Sam Hartman. Security analysis of the open networking foundation (onf) openflow switch specification. 2013.</mixed-citation><mixed-citation xml:lang="en">Margaret Wasserman and Sam Hartman. Security analysis of the open networking foundation (onf) openflow switch specification. 2013.</mixed-citation></citation-alternatives></ref><ref id="cit14"><label>14</label><citation-alternatives><mixed-citation xml:lang="ru">Ehab Al-Shaer and Saeed Al-Haj. Flowchecker: Configuration analysis and verification of federated openflow infrastructures. In Proceedings of the 3rd ACM workshop on Assurable and usable security configuration, p. 37-44. 2010.</mixed-citation><mixed-citation xml:lang="en">Ehab Al-Shaer and Saeed Al-Haj. Flowchecker: Configuration analysis and verification of federated openflow infrastructures. In Proceedings of the 3rd ACM workshop on Assurable and usable security configuration, p. 37-44. 2010.</mixed-citation></citation-alternatives></ref><ref id="cit15"><label>15</label><citation-alternatives><mixed-citation xml:lang="ru">Seuk Son, Seungwon Shin, Vinod Yegneswaran, Phillip Porras, and Guofei Gu. Model checking invariant security properties in openflow. In Communications (ICC), 2013 IEEE International Conference on, p. 1974-1979. 2013.</mixed-citation><mixed-citation xml:lang="en">Seuk Son, Seungwon Shin, Vinod Yegneswaran, Phillip Porras, and Guofei Gu. Model checking invariant security properties in openflow. In Communications (ICC), 2013 IEEE International Conference on, p. 1974-1979. 2013.</mixed-citation></citation-alternatives></ref><ref id="cit16"><label>16</label><citation-alternatives><mixed-citation xml:lang="ru">Cole Schlesinger, Alec Story, Stephen Gutz, Nate Foster, and David Walker. Splendid isolation: Language-based security for software- defined networks. In Proc. of Workshop on Hot Topics in Software Defined Networking, 2012.</mixed-citation><mixed-citation xml:lang="en">Cole Schlesinger, Alec Story, Stephen Gutz, Nate Foster, and David Walker. Splendid isolation: Language-based security for software- defined networks. In Proc. of Workshop on Hot Topics in Software Defined Networking, 2012.</mixed-citation></citation-alternatives></ref><ref id="cit17"><label>17</label><citation-alternatives><mixed-citation xml:lang="ru">Xiong Liu, Haiwei Xue, Xiaoping Feng, and Yiqi Dai. Design of the multi-level security network switch system which restricts covert channel. In Communication Software and Networks (ICCSN), 2011 IEEE 3rd International Conference on, p. 233-237. 2011.</mixed-citation><mixed-citation xml:lang="en">Xiong Liu, Haiwei Xue, Xiaoping Feng, and Yiqi Dai. Design of the multi-level security network switch system which restricts covert channel. In Communication Software and Networks (ICCSN), 2011 IEEE 3rd International Conference on, p. 233-237. 2011.</mixed-citation></citation-alternatives></ref><ref id="cit18"><label>18</label><citation-alternatives><mixed-citation xml:lang="ru">Guang Yao, Jun Bi, and Peiyao Xiao. Source address validation so- lution with openflow/nox architecture. In Network Protocols (ICNP), 2011 19th IEEE International Conference on, p. 7-12. 2011.</mixed-citation><mixed-citation xml:lang="en">Guang Yao, Jun Bi, and Peiyao Xiao. Source address validation so- lution with openflow/nox architecture. In Network Protocols (ICNP), 2011 19th IEEE International Conference on, p. 7-12. 2011.</mixed-citation></citation-alternatives></ref><ref id="cit19"><label>19</label><citation-alternatives><mixed-citation xml:lang="ru">Jafar Haadi Jafarian, Ehab Al-Shaer, and Qi Duan. Openflow random host mutation: transparent moving target defence using software defined networking. In Proceedings of the first workshop on Hot topics in software defined networks, p. 127-132. 2012.</mixed-citation><mixed-citation xml:lang="en">Jafar Haadi Jafarian, Ehab Al-Shaer, and Qi Duan. Openflow random host mutation: transparent moving target defence using software defined networking. In Proceedings of the first workshop on Hot topics in software defined networks, p. 127-132. 2012.</mixed-citation></citation-alternatives></ref><ref id="cit20"><label>20</label><citation-alternatives><mixed-citation xml:lang="ru">Philip Porras, Seungwon Shin, Vinod Yegneswaran, Martin Fong, Mabry Tyson, and Guofei Gu. A security enforcement kernel for openflow networks. In Proceedings of the first workshop on Hot topics in software defined networks, p. 121-126. 2012.</mixed-citation><mixed-citation xml:lang="en">Philip Porras, Seungwon Shin, Vinod Yegneswaran, Martin Fong, Mabry Tyson, and Guofei Gu. A security enforcement kernel for openflow networks. In Proceedings of the first workshop on Hot topics in software defined networks, p. 121-126. 2012.</mixed-citation></citation-alternatives></ref><ref id="cit21"><label>21</label><citation-alternatives><mixed-citation xml:lang="ru">noxrepo/nox - C++ - GitHub, 2016 [accessed January 11, 2016]. https: //github.com/noxrepo/nox.</mixed-citation><mixed-citation xml:lang="en">noxrepo/nox - C++ - GitHub, 2016 [accessed January 11, 2016]. https: //github.com/noxrepo/nox.</mixed-citation></citation-alternatives></ref><ref id="cit22"><label>22</label><citation-alternatives><mixed-citation xml:lang="ru">Seungwon Shin, Phillip Porras, Vinod Yegneswaran, and Guofei Gu. A framework for integrating security services into software- defined networks. Proceedings of the 2013 Open Networking Summit (Re- search Track poster paper), ser. ONS, 13, 2013.</mixed-citation><mixed-citation xml:lang="en">Seungwon Shin, Phillip Porras, Vinod Yegneswaran, and Guofei Gu. A framework for integrating security services into software- defined networks. Proceedings of the 2013 Open Networking Summit (Re- search Track poster paper), ser. ONS, 13, 2013.</mixed-citation></citation-alternatives></ref><ref id="cit23"><label>23</label><citation-alternatives><mixed-citation xml:lang="ru">Xitao Wen, Yan Chen, Chengchen Hu, Chao Shi, and Yi Wang. Towards a secure controller platform for openflow applications. In Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking, p. 171-172. 2013.</mixed-citation><mixed-citation xml:lang="en">Xitao Wen, Yan Chen, Chengchen Hu, Chao Shi, and Yi Wang. Towards a secure controller platform for openflow applications. In Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking, p. 171-172. 2013.</mixed-citation></citation-alternatives></ref><ref id="cit24"><label>24</label><citation-alternatives><mixed-citation xml:lang="ru">Seungwon Shin, Vinod Yegneswaran, Phillip Porras, and Guofei Gu. Avant-guard: Scalable and vigilant switch flow management in software-defined networks. In Proceedings of the 2013 ACM SIGSAC conference on Computer &amp; communications security, p. 413-424. 2013.</mixed-citation><mixed-citation xml:lang="en">Seungwon Shin, Vinod Yegneswaran, Phillip Porras, and Guofei Gu. Avant-guard: Scalable and vigilant switch flow management in software-defined networks. In Proceedings of the 2013 ACM SIGSAC conference on Computer &amp; communications security, p. 413-424. 2013.</mixed-citation></citation-alternatives></ref><ref id="cit25"><label>25</label><citation-alternatives><mixed-citation xml:lang="ru">Junho Suh, H-g Choi, W Yoon, T You, T Kwon, and Y Choi. Implementation of a content-oriented networking architecture (cona): A focus on ddos countermeasure. In Proceedings of European NetFPGA developers workshop, 2010.</mixed-citation><mixed-citation xml:lang="en">Junho Suh, H-g Choi, W Yoon, T You, T Kwon, and Y Choi. Implementation of a content-oriented networking architecture (cona): A focus on ddos countermeasure. In Proceedings of European NetFPGA developers workshop, 2010.</mixed-citation></citation-alternatives></ref><ref id="cit26"><label>26</label><citation-alternatives><mixed-citation xml:lang="ru">Chu Yu Hunag, Tseng Min Chi, Chen Yao Ting, Chou Yu Chieh, and Chen YanRen. A novel design for future on-demand service and security. In 2010 IEEE 12th International Conference on Communication Technology, p. 385-388. 2010.</mixed-citation><mixed-citation xml:lang="en">Chu Yu Hunag, Tseng Min Chi, Chen Yao Ting, Chou Yu Chieh, and Chen YanRen. A novel design for future on-demand service and security. In 2010 IEEE 12th International Conference on Communication Technology, p. 385-388. 2010.</mixed-citation></citation-alternatives></ref><ref id="cit27"><label>27</label><citation-alternatives><mixed-citation xml:lang="ru">Rodrigo Braga, Edjard Mota, and Alexandre Passito. Lightweight ddos flooding attack detection using nox/openflow. In Local Computer Networks (LCN), 2010 IEEE 35th Conference on, p. 408-415. 2010.</mixed-citation><mixed-citation xml:lang="en">Rodrigo Braga, Edjard Mota, and Alexandre Passito. Lightweight ddos flooding attack detection using nox/openflow. In Local Computer Networks (LCN), 2010 IEEE 35th Conference on, p. 408-415. 2010.</mixed-citation></citation-alternatives></ref><ref id="cit28"><label>28</label><citation-alternatives><mixed-citation xml:lang="ru">Yung-Li Hu, Wei-Bing Su, Li-Ying Wu, Yennun Huang, and Sy- Yen Kuo. Design of event-based intrusion detection system on openflow network. In Dependable Systems and Networks (DSN), 2013 43rd Annual IEEE/IFIP International Conference on, p. 1-2. 2013.</mixed-citation><mixed-citation xml:lang="en">Yung-Li Hu, Wei-Bing Su, Li-Ying Wu, Yennun Huang, and Sy- Yen Kuo. Design of event-based intrusion detection system on openflow network. In Dependable Systems and Networks (DSN), 2013 43rd Annual IEEE/IFIP International Conference on, p. 1-2. 2013.</mixed-citation></citation-alternatives></ref><ref id="cit29"><label>29</label><citation-alternatives><mixed-citation xml:lang="ru">Chun-Jen Chung, Pankaj Khatkar, Tianyi Xing, Jeongkeun Lee, and Dijiang Huang. Nice: Network intrusion detection and countermeasure selection in virtual network systems. Dependable and Secure Computing, IEEE Transactions on, 10[4]: 198-211, 2013.</mixed-citation><mixed-citation xml:lang="en">Chun-Jen Chung, Pankaj Khatkar, Tianyi Xing, Jeongkeun Lee, and Dijiang Huang. Nice: Network intrusion detection and countermeasure selection in virtual network systems. Dependable and Secure Computing, IEEE Transactions on, 10[4]: 198-211, 2013.</mixed-citation></citation-alternatives></ref></ref-list><fn-group><fn fn-type="conflict"><p>The authors declare that there are no conflicts of interest present.</p></fn></fn-group></back></article>
