  • DocumentCode
    3592166
  • Title

    SDN-based Trusted Path Control

  • Author

    Betge-Brezetz, Stephane ; Kamga, Guy-Bertrand ; El Amrani Joutei, Ali ; Maalmi, Oussama

  • Author_Institution
    Alcatel-Lucent Bell Labs., Nozay, France
  • fYear
    2014
  • Firstpage
    1
  • Lastpage
    5
  • Abstract
    Security of sensitive data in the network is a key issue in a world where such sensitive data can easily be transferred between different servers and locations (e.g., in networked clouds). In this context, there is a particular need to control the path followed by the data when they move across the cloud (e.g., to avoid crossing, even when encrypted, untrusted nodes or areas). In this paper we therefore propose a new approach which aims to leverage the programmability offered by SDN technology in order to enforce a trusted path for the transfer of sensitive data in the network. Given a policy related to the sensitive data (e.g., the data should not cross a given area), our approach allows sending this policy to an extended SDN controller (called Trusted Path Controller) which automatically enforces this policy in the SDN network. Two architectures have been investigated: the Out-of-Band architecture (the policy being sent to the Trusted Path Controller via a Web Service interface) and the In-Band architecture (the policy being sent to the Trusted Path Controller via a dedicated “signaling packet”). These two architectures have been implemented in an SDN controller. Experiments and evaluations have also been performed on a test-bed of SDN switches, showing the feasibility of this approach as well as its performance.
  • Keywords
    computer network security; software defined networking; trusted computing; SDN-based trusted path control; in-band architecture; out-of-band architecture; sensitive data security; sensitive data transfer; Computer architecture; Conferences; Control systems; Ports (Computers); Protocols; Security; Servers; SDN network; path control; policy; trust
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Network of the Future (NOF), 2014 International Conference and Workshop on the
  • Type

    conf

  • DOI
    10.1109/NOF.2014.7119799
  • Filename
    7119799