Sridut: Securing Multi-Controller SDN Integrity with State-Aware Multi-Consistency Storage and Provable Convergence

Authors

  • Adir Miller, University of Pretoria
  • Avinash Singh, University of Pretoria
  • Hein Venter, University of Pretoria

DOI:

https://doi.org/10.34190/eccws.25.1.4899

Keywords:

Software-defined Networking, Conflict-Free Replicated Data Types, Network Security, Multi-controller Architecture, Consistency State-awareness

Abstract

Software-Defined Networking (SDN) is a network paradigm that decouples the control and data planes, enabling centralized network control. The single centralized controller of the original paradigm, however, created a single point of failure, which was overcome with the introduction of multi-controller networks. These networks, however, introduce new security challenges as the availability and integrity of the networks now depend on state consistency mechanisms and their inherent trade-offs. For example, multi-controller networks that solely support strong consistency enforce correctness at the cost of availability due to their susceptibility to Denial of Service (DoS) attacks and maliciously induced partitions. Alternatively, some designs employ hybrid consistency or multi-consistency, sacrificing correctness guarantees to strike a balance between correctness and availability. However, these designs lack mechanisms for provably verifiable convergence, resulting in critical integrity violations such as corrupted and conflicting security and Quality of Service (QoS) policies. This critical gap is exploitable by adversaries, enabling them to trigger policy conflicts and bypass security perimeters. These security implications are further amplified by the lack of transparency between the application layer and consistency state events. This lack of transparency hampers the ability of the controller to react to and recover from consistency-based attacks. To address these challenges, this paper introduces Sridut, a secure multi-consistency storage model providing strong consistency, strong eventual consistency, and consistency state awareness. The model provides multiple storage backends with varying degrees of consistency guarantees, allowing for more granular control of the inherent security trade-offs. Additionally, the consistency state, health, and critical events are made transparent, further improving an application's ability to react to consistency-based attacks.
The model leverages Conflict-free Replicated Data Types (CRDTs) and anti-entropy mechanisms to achieve strong eventual consistency. This mechanism allows divergent states to be safely merged, preserving integrity of critical data such as network policies. Consequently, this approach mitigates exploitable security risks associated with divergent states. Ultimately, the state-aware architecture and provable convergence of Sridut provide a robust defence against both malicious threats and inherent network partitions, helping preserve integrity and availability in SDN multi-controller networks.
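
The convergence property described above can be seen in a small state-based CRDT. This is an added example, not code from the paper or from Sridut: it assumes an add-wins observed-remove set as the CRDT, and the names `PolicyORSet`, `anti_entropy` and `partition_scenario`, as well as the rule strings, are constructed for illustration.

```python
# Added illustration, not Sridut's code. Rule strings are constructed samples.
import itertools
import uuid


class PolicyORSet:
    """Observed-remove set: each add gets a unique tag; remove tombstones seen tags."""

    def __init__(self, controller_id):
        self.controller_id = controller_id
        self.adds = set()      # {(rule, tag)}
        self.removes = set()   # tombstoned (rule, tag) pairs

    def add(self, rule):
        self.adds.add((rule, f"{self.controller_id}:{uuid.uuid4().hex}"))

    def remove(self, rule):
        # Only tags this replica has observed are tombstoned, so a concurrent
        # add on another controller survives the merge (add-wins).
        self.removes |= {(r, t) for (r, t) in self.adds if r == rule}

    def merge(self, other):
        # Set union is commutative, associative and idempotent: the join of a
        # semilattice, which is what gives strong eventual consistency.
        self.adds |= other.adds
        self.removes |= other.removes

    def rules(self):
        return {r for (r, t) in self.adds - self.removes}


def anti_entropy(replicas):
    """One full round of pairwise state exchange between all replicas."""
    for a, b in itertools.permutations(replicas, 2):
        a.merge(b)


def partition_scenario():
    """Constructed scenario: two controllers diverge during a partition, then heal."""
    c1, c2 = PolicyORSet("c1"), PolicyORSet("c2")
    c1.add("deny tcp any -> 10.0.0.5:22")
    anti_entropy([c1, c2])                    # both hold the deny rule
    # --- partition: no exchange between c1 and c2 ---
    c1.remove("deny tcp any -> 10.0.0.5:22")  # c1 withdraws the rule
    c2.add("deny tcp any -> 10.0.0.5:22")     # c2 concurrently re-asserts it
    c2.add("limit udp any -> 10.0.0.9 1mbps")
    # --- partition heals ---
    anti_entropy([c1, c2])
    return c1, c2
```

After the partition heals, both controllers hold the same rule set whatever the merge order, and the deny rule re-asserted during the partition is not silently dropped by the other side's removal.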

Author Biographies

Avinash Singh, University of Pretoria

Dr Avinash Singh is a lecturer and researcher in the Department of Computer Science at the University of Pretoria. His research focuses on digital forensics, ransomware and malware analysis, digital forensic readiness, and cybersecurity. He holds a PhD in Computer Science and has published extensively in international conferences and journals.    

Hein Venter, University of Pretoria

Prof Hein Venter is Head of Computer Science at the University of Pretoria. His contributions include 346 peer-reviewed publications, an H-index of 41, supervision of 13 PhD and 46 Master's graduates, leadership of international ISO digital forensics standards, and pioneering research in cybersecurity, digital forensics, and intelligent investigation technologies.    

Published

2026-06-15