SECAP switch—defeating topology poisoning attacks using P4 data planes

Programmable networking is evolving from programmable control plane solutions such as OpenFlow-based software-defined networking (SDN) to programmable data planes such as P4-based SDN. To support the functionality of the SDN, the correct view of the network topology is required. However, multiple attacks aimed at topology poisoning have been demonstrated in SDNs. While several controller-centralised security solutions have been proposed to defeat topology poisoning attacks, some attacks e.g., the Data Plane ARP Cache Poisoning Attack and the relay-type Link Fabrication Attack are difficult to detect using a fully centralised security solution. In this paper, we present the Security-Aware Programmable (SECAP) Switch—a lightweight, in-network, P4-based security solution that is designed to prevent attacks that might otherwise evade control plane solutions. The SECAP switch verifies source address details contained within the headers of protocols commonly used to perform topology poisoning attacks. This function is supported by a novel variance-based anomaly detection solution to provide a layered defence. We demonstrate the ability of the SECAP switch to defeat topology poisoning attacks with minimal memory and processing overhead.