ZTE Communications ›› 2014, Vol. 12 ›› Issue (2): 41-49. DOI: 10.3969/j.issn.1673-5188.2014.02.007


Integrating IPsec within OpenFlow Architecture for Secure Group Communication

Vahid Heydari Fami Tafreshi 1, Ebrahim Ghazisaeedi 2, Haitham Cruickshank 1, and Zhili Sun 1   

  1. Centre for Communication System Research (CCSR), University of Surrey, Guildford, Surrey, GU2 7XH, UK;
  2. Department of Systems and Computer Engineering, Carleton University, Ottawa, K1S 5B6, Canada
  • Received: 2014-01-25  Online: 2014-06-25  Published: 2014-06-25
  • About author:Vahid Heydari Fami Tafreshi (v.fami@surrey.ac.uk) received his BSc in computer software engineering from Shomal Higher Education Institute, Iran, in 2007. He received his Cisco Certified Network Associate (CCNA) and Cisco Certified Network Associate Security (CCNA-Security) certificates from the Cisco Academy at London Metropolitan University, UK, in 2009. He received his MSc in internet computing from the University of Surrey, UK, in 2010. He is currently working and pursuing a PhD degree at the Centre for Communication Systems Research (CCSR), Department of Electronic Engineering, University of Surrey, UK. His main research interests include internet protocols and architecture, network security and multicasting.

    Ebrahim Ghazisaeedi (eghazisaeedi@sce.carleton.ca) received his MSc degree in mobile and satellite communications from the University of Surrey, UK, in 2011. He is currently pursuing a PhD degree in electrical and computer engineering at the Department of Systems and Computer Engineering, Carleton University, Canada. His main research interests are in communication networks, network virtualization, and network optimization.

    Haitham Cruickshank (h.cruickshank@surrey.ac.uk) is a senior lecturer at the University of Surrey. He has worked there since January 1996 on several European research projects in the ACTS, ESPRIT, TEN-TELECOM and IST programmes. His main research interests are network security, satellite network architectures, VoIP and IP conferencing over satellites. He also teaches data and Internet networking and satellite communication courses at the University of Surrey. He is a member of the Satellite and Space Communications Committee of the IEEE ComSoc and a chartered engineer and corporate member of the IEE in the UK.

    Zhili Sun (z.sun@surrey.ac.uk), Chair of Communication Networking, has been with the Centre for Communication Systems Research (CCSR), Department of Electronic Engineering, Faculty of Engineering and Physical Sciences, University of Surrey since 1993. He got his BSc in Mathematics from Nanjing University, China, in 1982, and PhD in Computer Science from Lancaster University, UK, in 1991. He worked as a postdoctoral research fellow with Queen Mary University of London from 1989 to 1993. He has been principal investigator and technical co-coordinator in many projects within the EU framework programmes, ESA, EPSRC and industry, and has published over 125 papers in international journals, book chapters and conferences. He has published a book as sole author titled "Satellite Networking: Principles and Protocols" (Wiley, 2005), a book as contributing editor of "IP Networking over Next Generation Satellite Systems" (Springer, 2008), and another book as contributing editor to the 5th edition of the textbook "Satellite Communications Systems: Systems, Techniques and Technology" (Wiley, December 2009). His research interests include wireless and sensor networks, satellite communications, mobile operating systems, traffic engineering, Internet protocols and architecture, QoS, multicast and security.

Abstract: Network security protocols such as IPsec have been used for many years to ensure robust end-to-end communication and are important in the context of SDN. Despite the widespread installation of IPsec to date, per-packet protection offered by the protocol is not very compatible with OpenFlow and flow-like behavior. OpenFlow architecture cannot aggregate IPsec-ESP flows in transport mode or tunnel mode because layer-3 information is encrypted and therefore unreadable. In this paper, we propose using the Security Parameter Index (SPI) of IPsec within the OpenFlow architecture to identify and direct IPsec flows. This enables IPsec to conform to the packet-based behavior of OpenFlow architecture. In addition, by distinguishing between IPsec flows, the architecture is particularly suited to secure group communication.
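The abstract's core observation is that an OpenFlow switch cannot build a classic 5-tuple match for IPsec-ESP traffic, because everything after the ESP header is ciphertext, while the SPI in the ESP header is sent in cleartext. The following is an added illustration, not code from the paper: it parses a constructed IPv4/ESP packet, derives a flow key from the outer addresses plus SPI, and looks it up in a constructed flow table that maps each group SA to a forwarding action. Packet layout, table contents and action names are assumptions for the example.

```python
import struct

ESP_PROTO = 50  # IANA protocol number for IPsec ESP (RFC 4303)


def build_ipv4_esp(src, dst, spi, seq, ciphertext, proto=ESP_PROTO):
    """Construct a minimal IPv4 packet carrying an ESP header (test input only).
    The checksum field is left at zero; a switch would not need it for matching."""
    total_len = 20 + 8 + len(ciphertext)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    # ESP header is SPI (4 bytes) + sequence number (4 bytes), both cleartext.
    return ip_hdr + struct.pack("!II", spi, seq) + ciphertext


def esp_flow_key(packet):
    """Return (src, dst, spi) from the cleartext outer IPv4 and ESP headers,
    or None when the packet is not ESP. Nothing after the ESP header is read:
    the inner header and transport ports are encrypted and unreadable."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ESP_PROTO or len(packet) < ihl + 8:
        return None
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    spi = struct.unpack("!I", packet[ihl:ihl + 4])[0]
    return (src, dst, spi)


# Constructed flow table: one entry per group security association, keyed by
# (outer src, outer dst, SPI). Two groups share the same outer addresses and
# differ only by SPI, which is what makes SPI-based matching useful here.
GROUP_FLOW_TABLE = {
    ("10.0.0.1", "239.1.1.1", 0x00001001): "output:port2,port3",  # group A
    ("10.0.0.1", "239.1.1.1", 0x00002002): "output:port4",        # group B
}


def classify(packet, flow_table=GROUP_FLOW_TABLE):
    """Emulate table lookup: known SA -> its action, unknown ESP SA -> send to
    controller (table miss), non-ESP traffic -> no rule in this table, drop."""
    key = esp_flow_key(packet)
    if key is None:
        return "drop"
    return flow_table.get(key, "packet-in:controller")
```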

Key words: IPsec, OpenFlow, secure group communication, group domain of interpretation (GDOI), flow-based switching