SDN-based Trusted Path Control
11 June 2015
Security of sensitive data in the network is a key issue in a world where such data can easily be transferred between different servers and locations (e.g., in networked clouds). In this context, there is a particular need to control the path followed by the data as they travel across the cloud (e.g., to avoid crossing untrusted nodes or areas, even when the data are encrypted). In this paper we therefore propose a new approach that leverages the programmability offered by SDN technology to enforce a trusted path for the transfer of sensitive data in the network. Given a policy attached to sensitive data (e.g., the data should not cross a given area), our approach sends this policy to an extended SDN controller (called the SDN-based Trusted Path Controller), which automatically enforces it in the SDN network. Two architecture alternatives have been investigated: the Out-of-Band architecture (the policy being sent to the SDN-based Trusted Path Controller via a web service interface) and the In-Band architecture (the policy being sent to the SDN-based Trusted Path Controller via a "signaling packet"). Both alternatives have been implemented, and experiments and evaluations have been performed on a testbed of real SDN switches, demonstrating the feasibility of this approach as well as its performance.
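As an added illustration (not code from the paper), the following Python sketches the step the SDN-based Trusted Path Controller would perform once a policy has arrived by either architecture: map the denied area to a set of untrusted switches, compute a path that never enters them, and emit one forwarding rule per switch, failing closed when no such path exists. The topology, area names, port numbers and match fields are constructed assumptions, and the BFS plus rule-list shape is my own rather than the paper's.

```python
"""Trusted-path selection for an SDN controller (added example, not the paper's code).
Topology, areas and port numbers below are constructed for illustration."""
from collections import deque

# Constructed topology: adjacency list of switches over undirected links.
TOPOLOGY = {
    "s1": ["s2", "s3"], "s2": ["s1", "s5"], "s3": ["s1", "s4"],
    "s4": ["s3", "s5"], "s5": ["s2", "s4"],
}
# Constructed output port of switch a towards switch b, per directed link.
PORTS = {("s1", "s2"): 1, ("s2", "s1"): 1, ("s1", "s3"): 2, ("s3", "s1"): 1,
         ("s2", "s5"): 2, ("s5", "s2"): 1, ("s3", "s4"): 2, ("s4", "s3"): 1,
         ("s4", "s5"): 2, ("s5", "s4"): 2}
# Constructed areas: s3 sits in a zone that sensitive flows must not cross.
AREAS = {"untrusted_zone": {"s3"}, "core": {"s1", "s2", "s4", "s5"}}


def trusted_path(src, dst, untrusted, topology=TOPOLOGY):
    """Shortest path by hop count from src to dst that never enters an untrusted switch."""
    if src in untrusted or dst in untrusted:
        return None
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:  # walk predecessors back to src
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in topology.get(node, []):
            if nxt not in prev and nxt not in untrusted:
                prev[nxt] = node
                queue.append(nxt)
    return None  # dst is unreachable without crossing a denied area


def enforce_policy(policy, src, dst, match, areas=AREAS, ports=PORTS):
    """Turn a policy {"deny_areas": [...]} into (switch, match, out_port) rules for
    every hop except the egress switch. Fails closed: None instead of an untrusted path."""
    untrusted = set().union(*(areas.get(a, set()) for a in policy.get("deny_areas", [])))
    path = trusted_path(src, dst, untrusted)
    if path is None:
        return None
    return [(a, match, ports[(a, b)]) for a, b in zip(path, path[1:])]
```

With no denied area the flow from s1 to s4 takes the two-hop route through s3; denying "untrusted_zone" reroutes it over s2 and s5, and a policy that leaves no trusted route yields no rules at all rather than a fallback.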