A Survey on Data Plane Security in Software-Defined Networks: Toward Adaptive Security of Data Planes

Software-Defined Networking (SDN) is the actual approach in the network design, based on separating the control and data plane. Such architectural model has brought improvements in terms of network monitoring, management and troubleshooting, but has also increased risks related to network security. Security attacks can occur at all SDN layers and disrupt part or the entire network. Existing research is mostly focused on the security of the control plane, since it contains all control logic of SDN networks and thus represents their main part. Although the data plane has many vulnerabilities and can also be a significant source of security threats towards the control plane, it is only partially covered in existing research, without enough details related to differences between methods and implementation techniques which provide security enhancement. In this paper, we present a comprehensive survey on security of the data plane, focusing on the latest advanced solutions. The survey starts with an overview of attacks, threats and affected security attributes in the data plane, classified using common security models: STRIDE, CIA and AAA. After that, we present a detailed analysis of solutions explored in the literature, including the methods used for security enhancement, implementation techniques, experimental environments, their contributions in terms of vulnerabilities that they address, performance analysis and limitations. Through this analysis, we introduce the concept of adaptive security and select several mechanisms which can be used to achieve it. Additionally, we propose possible combinations of presented mechanisms to provide strong, comprehensive solution which should adapt to dynamics of network, attackers and users, and in that way protect the network from different threats and also satisfy the requirements of services which need different levels of security.