Software Defined Data Flow Isolation by Virtualization and Cryptographic Key Distribution
Abstract
OpenFlow is a widely used protocol in Software Defined Networking (SDN). Transport Layer Security (TLS) is used for communication security between the SDN controller and each of the OpenFlow switches. However, OpenFlow does not provide any cryptographic security through OpenFlow.

This thesis explores the possibility of adding encryption to the datapath that can be controlled from a Software Defined Networking (SDN) controller. A virtual testbed is created using Pox, Open vSwitch (OVS), and VirtualBox. In the virtual testbed, different encryption concepts are tried out, and related performance testing is performed. Then, the solution is ported to a physical network consisting of a computer, two Raspberry Pi devices, and a router. A replay attack was tested on Generic Routing Encapsulation (GRE) and Internet Protocol Security (IPsec). The performance overhead from encryption and Pre-Shared Key (PSK) renewal was evaluated. Some leaking traffic was discovered when changing the PSK. Different ways of changing the PSK were tried out and evaluated. The best solution turned out to be adding new tunnel endpoints with a new PSK.
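The abstract's conclusion is that renewing the PSK by adding a new tunnel endpoint with the new key (rather than re-keying the existing tunnel in place) avoided the leaking traffic seen during key changes. The script below is an added example, not code from the thesis, that plans such a make-before-break rotation for an OVS GRE-over-IPsec tunnel port: it adds the new tunnel port with the new PSK, moves the OpenFlow forwarding rule onto it, and only then removes the old port, and it refuses plans where the old endpoint would disappear first. The `ovs-vsctl` port syntax (`type=gre`, `options:remote_ip`, `options:psk`) follows the OVS IPsec integration documentation and is assumed to match the deployment; bridge, port and address names are constructed sample values. A default dry run only prints the commands with the key masked.

```python
"""Make-before-break PSK rotation for an Open vSwitch GRE-over-IPsec tunnel (added example)."""
import secrets
import shlex
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    bridge: str      # OVS bridge the tunnel port hangs off (sample value)
    port: str        # OVS port/interface name of the tunnel (sample value)
    remote_ip: str   # peer endpoint address (sample value)
    psk: str         # pre-shared key handed to the OVS IPsec integration


def new_psk(nbytes: int = 32) -> str:
    """Fresh random PSK from the OS CSPRNG (256 bits by default, hex encoded)."""
    return secrets.token_hex(nbytes)


def add_tunnel_cmd(t: Tunnel) -> list[str]:
    # GRE tunnel port protected by IPsec, as in the OVS IPsec docs (assumed deployment).
    return ["ovs-vsctl", "add-port", t.bridge, t.port, "--",
            "set", "interface", t.port, "type=gre",
            f"options:remote_ip={t.remote_ip}", f"options:psk={t.psk}"]


def steer_flow_cmd(bridge: str, ingress_port: str, tunnel_port: str) -> list[str]:
    # Re-point the forwarding rule at the new tunnel port; add-flow replaces an
    # existing flow with the same match and priority.
    return ["ovs-ofctl", "add-flow", bridge,
            f"priority=200,in_port={ingress_port},actions=output:{tunnel_port}"]


def del_tunnel_cmd(t: Tunnel) -> list[str]:
    return ["ovs-vsctl", "del-port", t.bridge, t.port]


def plan_rotation(old: Tunnel, new_port: str, psk: str, ingress_port: str) -> list[list[str]]:
    """Ordered commands: bring up the new endpoint, move traffic, then retire the old one.

    The old tunnel keeps its (old) key until the new one carries traffic, so there is
    no window in which frames are forwarded over an endpoint whose key is in flux."""
    new = Tunnel(old.bridge, new_port, old.remote_ip, psk)
    return [add_tunnel_cmd(new),
            steer_flow_cmd(old.bridge, ingress_port, new.port),
            del_tunnel_cmd(old)]


def rotation_is_safe(plan: list[list[str]]) -> bool:
    """Check make-before-break ordering: every add-port precedes the flow change,
    and the flow change precedes every del-port."""
    adds = [i for i, c in enumerate(plan) if c[:2] == ["ovs-vsctl", "add-port"]]
    steers = [i for i, c in enumerate(plan) if c[:2] == ["ovs-ofctl", "add-flow"]]
    dels = [i for i, c in enumerate(plan) if c[:2] == ["ovs-vsctl", "del-port"]]
    if not (adds and steers and dels):
        return False
    return max(adds) < min(steers) < min(dels)


def redact(cmd: list[str]) -> str:
    """Shell-quoted rendering of a command with the PSK masked, safe for logs."""
    return " ".join("options:psk=***" if a.startswith("options:psk=") else shlex.quote(a)
                    for a in cmd)


def apply(plan: list[list[str]], dry_run: bool = True) -> list[str]:
    """Execute (or, by default, only render) a plan that passed the ordering check."""
    if not rotation_is_safe(plan):
        raise ValueError("refusing plan: old endpoint would be removed before new one is live")
    rendered = []
    for cmd in plan:
        rendered.append(redact(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
    return rendered


if __name__ == "__main__":
    current = Tunnel("br-ipsec", "tun-a", "192.0.2.2", "old-psk-placeholder")
    for line in apply(plan_rotation(current, "tun-b", new_psk(), "eth1")):
        print(line)
```

Both peers have to run the same sequence with the same new PSK, and the peer must have added its new endpoint before traffic is steered on either side; the remaining gap is distributing the new key to the peer, which is a separate channel (for example the controller's TLS session) and not something this plan covers.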