{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,25]],"date-time":"2025-10-25T14:21:51Z","timestamp":1761402111195,"version":"3.37.3"},"reference-count":29,"publisher":"Springer Science and Business Media LLC","issue":"2","license":[{"start":{"date-parts":[[2020,8,8]],"date-time":"2020-08-08T00:00:00Z","timestamp":1596844800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2020,8,8]],"date-time":"2020-08-08T00:00:00Z","timestamp":1596844800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100001292","name":"Edinburgh Napier University","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100001292","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Computing"],"published-print":{"date-parts":[[2021,2]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>OpenFlow is considered as the most known protocol for Software Defined Networking (SDN). The main drawback of OpenFlow is the lack of support of new header definitions, which is required by network operators to apply new packet encapsulations. While SDN\u2019s logically centralized control plane could enhance network security by providing global visibility of the network state, it still has many side effects. The intelligent controllers that orchestrate the dumb switches are overloaded and become prone to failure. Delegating some level of control logic to the edge or, to be precise, the switches can offload the controllers from local state based decisions that do not require global network wide knowledge. Thus, this paper, to the best of our knowledge, is the first to propose the delegation of typical security functions from specialized middleboxes to the data plane. We leverage the opportunities offered by programming protocol-independent packet processors (P4) language to present two authentication techniques to assure that only legitimate nodes are able to access the network. The first technique is the port knocking and the second technique is the One-Time Password. Our experimental results indicate that our proposed techniques improve the network overall availability by offloading the controller as well as reducing the traffic in the network without noticeable negative impact on switches\u2019 performance.\n<\/jats:p>","DOI":"10.1007\/s00607-020-00835-4","type":"journal-article","created":{"date-parts":[[2020,8,8]],"date-time":"2020-08-08T11:02:35Z","timestamp":1596884555000},"page":"291-311","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":13,"title":["Lightweight edge authentication for software defined networks"],"prefix":"10.1007","volume":"103","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7432-7730","authenticated-orcid":false,"given":"Amar","family":"Almaini","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9758-5540","authenticated-orcid":false,"given":"Ahmed","family":"Al-Dubai","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7648-6559","authenticated-orcid":false,"given":"Imed","family":"Romdhani","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Martin","family":"Schramm","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9075-2828","authenticated-orcid":false,"given":"Ayoub","family":"Alsarhan","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2020,8,8]]},"reference":[{"key":"835_CR1","doi-asserted-by":"crossref","unstructured":"von T\u00fcllenburg F, Pfeiffenberger T (2017) Concepts for reliable communication in a software-defined network architecture. In: International conference on computer safety, reliability, and security. Springer, Cham","DOI":"10.1007\/978-3-319-66284-8_15"},{"issue":"2","key":"835_CR2","doi-asserted-by":"publisher","first-page":"69","DOI":"10.1145\/1355734.1355746","volume":"38","author":"McKeown Nick","year":"2008","unstructured":"Nick McKeown et al (2008) OpenFlow: enabling innovation in campus networks. ACM SIGCOMM Comput Commun Rev 38(2):69\u201374. https:\/\/doi.org\/10.1145\/1355734.1355746","journal-title":"ACM SIGCOMM Comput Commun Rev"},{"issue":"2","key":"835_CR3","doi-asserted-by":"publisher","first-page":"44","DOI":"10.1145\/2602204.2602211","volume":"44","author":"Giuseppe Bianchi","year":"2014","unstructured":"Bianchi Giuseppe et al (2014) OpenState: programming platform-independent stateful openflow applications inside the switch. ACM SIGCOMM Comput Commun Rev 44(2):44\u201351","journal-title":"ACM SIGCOMM Comput Commun Rev"},{"issue":"3","key":"835_CR4","doi-asserted-by":"publisher","first-page":"87","DOI":"10.1145\/2656877.2656890","volume":"44","author":"Pat Bosshart","year":"2014","unstructured":"Bosshart Pat et al (2014) P4: Programming protocol-independent packet processors. ACM SIGCOMM Comput Commun Rev 44(3):87\u201395. https:\/\/doi.org\/10.1145\/2656877.2656890","journal-title":"ACM SIGCOMM Comput Commun Rev"},{"key":"835_CR5","unstructured":"P416 Language specification. Last accessed 15 April 2019. 2019. URL: https:\/\/p4.org\/p4-spec\/docs\/P4-16-v1.1.0-spec.pdf"},{"key":"835_CR6","doi-asserted-by":"crossref","unstructured":"Hyun J, Hong JWK (2017) Knowledge-defined networking using in-band network telemetry. In: Network operations and management symposium (APNOMS), 2017 19th Asia-Pacific. IEEE","DOI":"10.1109\/APNOMS.2017.8094178"},{"key":"835_CR7","doi-asserted-by":"crossref","unstructured":"Baktir AC, Ozgovde A, Ersoy C (2018) Implementing service-centric model with P4: a fully-programmable approach. In: NOMS 2018-2018 IEEE\/IFIP network operations and management symposium. IEEE","DOI":"10.1109\/NOMS.2018.8406282"},{"key":"835_CR8","doi-asserted-by":"crossref","unstructured":"Sivaraman V et al. (2017) Heavy-hitter detection entirely in the data plane. In: Proceedings of the symposium on SDN research. ACM","DOI":"10.1145\/3050220.3063772"},{"key":"835_CR9","doi-asserted-by":"crossref","unstructured":"Paolucci F, Cugini F, Castoldi P (2018) P4-based multi-layer traffic engineering encompassing cyber security. In: Optical fiber communication conference. Optical society of America","DOI":"10.1364\/OFC.2018.M4A.5"},{"key":"835_CR10","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/j.comnet.2018.02.018","volume":"136","author":"Afek Yehuda","year":"2018","unstructured":"Yehuda Afek et al (2018) Detecting heavy flows in the SDN match and action model. Comput Netw 136:1\u201312. https:\/\/doi.org\/10.1016\/j.comnet.2018.02.018","journal-title":"Comput Netw"},{"key":"835_CR11","unstructured":"Ali FHM, Yunos R, Alias MAM (2012) Simple port knocking method: against TCP replay attack and port scanning. In: Cyber security, cyber warfare and digital forensic (CyberSec) 2012 international conference on. IEEE"},{"key":"835_CR12","unstructured":"Aycock J, Jacobson M (2005) Improved port knocking with strong authentication. In: 21st Annual computer security applications conference (ACSAC\u201905). IEEE"},{"issue":"12","key":"835_CR13","doi-asserted-by":"publisher","first-page":"3214","DOI":"10.1109\/TAC.2012.2200376","volume":"57","author":"Marzieh Nabi-Abdolyousefi","year":"2012","unstructured":"Nabi-Abdolyousefi Marzieh, Mesbahi Mehran (2012) Network identification via node knockout. IEEE Trans Autom Control 57(12):3214\u20133219","journal-title":"IEEE Trans Autom Control"},{"key":"835_CR14","doi-asserted-by":"crossref","unstructured":"Sivaraman A et al. (2015) Dc. p4: Programming the forwarding plane of a data-center switch. In: Proceedings of the 1st ACM SIGCOMM symposium on software defined networking research. ACM","DOI":"10.1145\/2774993.2775007"},{"key":"835_CR15","doi-asserted-by":"crossref","unstructured":"Nayak AK, Reimers A, Feamster N, Clark R (2009) Resonance: dynamic access control for enterprise networks. In: 1st ACM workshop on research on enterprise networking (WREN09)","DOI":"10.1145\/1592681.1592684"},{"key":"835_CR16","doi-asserted-by":"crossref","unstructured":"Levin D, Wundsam A, Heller B, Handigol N, Feldmann A (2012) Logically centralized? state distribution trade-offs in software defined networks. In: Proc. 1st workshop hot topics softw. defined netw., Helsinki, Finland, pp 1\u20136","DOI":"10.1145\/2342441.2342443"},{"issue":"1","key":"835_CR17","doi-asserted-by":"publisher","first-page":"A84","DOI":"10.1364\/JOCN.11.000A84","volume":"11","author":"F Paolucci","year":"2019","unstructured":"Paolucci F et al (2019) P4 Edge node enabling stateful traffic engineering and cyber security. J Opt Commun Netw 11(1):A84\u2013A95","journal-title":"J Opt Commun Netw"},{"key":"835_CR18","doi-asserted-by":"publisher","first-page":"265","DOI":"10.1109\/JSYST.2019.2894689","volume":"14","author":"FPC Lin","year":"2019","unstructured":"Lin FPC, Tsai Z (2019) Hierarchical edge-cloud SDN controller system with optimal adaptive resource allocation for load-balancing. IEEE Syst J 14:265","journal-title":"IEEE Syst J"},{"key":"835_CR19","doi-asserted-by":"crossref","unstructured":"V\u00f6r\u00f6s P, Kiss A (2016) Security middleware programming using P4. In: International conference on human aspects of information security, privacy, and trust. Springer, Cham","DOI":"10.1007\/978-3-319-39381-0_25"},{"key":"835_CR20","doi-asserted-by":"crossref","unstructured":"Afek Y, Bremler-Barr A, Shafir L (2017) Network anti-spoofing with SDN data plane. In: INFOCOM 2017-IEEE Conference on computer communications, IEEE. IEEE","DOI":"10.1109\/INFOCOM.2017.8057008"},{"key":"835_CR21","doi-asserted-by":"crossref","unstructured":"Li Y et al (2016) Lossradar: fast detection of lost packets in data center networks. In: Proceedings of the 12th international on conference on emerging networking experiments and technologies. ACM","DOI":"10.1145\/2999572.2999609"},{"key":"835_CR22","unstructured":"Kabasele NG, Sadre R (2018) A two-level intrusion detection system for industrial control system networks using P4. In: ICS-CSR 2018"},{"key":"835_CR23","doi-asserted-by":"crossref","unstructured":"Kuliesius F, Dangovas V (2016) SDN enhanced campus network authentication and access control system. In: 2016 Eighth international conference on ubiquitous and future networks (ICUFN). IEEE","DOI":"10.1109\/ICUFN.2016.7536925"},{"issue":"8","key":"835_CR24","doi-asserted-by":"publisher","first-page":"1090","DOI":"10.1109\/5.533956","volume":"84","author":"David Lee","year":"1996","unstructured":"Lee David, Yannakakis Mihalis (1996) Principles and methods of testing finite state machines-a survey. Proc IEEE 84(8):1090\u20131123","journal-title":"Proc IEEE"},{"issue":"3","key":"835_CR25","doi-asserted-by":"publisher","first-page":"1701","DOI":"10.1109\/COMST.2017.2689819","volume":"19","author":"Tooska Dargahi","year":"2017","unstructured":"Dargahi Tooska et al (2017) A survey on the security of stateful SDN data planes. IEEE Commun Surv Tutor 19(3):1701\u20131725","journal-title":"IEEE Commun Surv Tutor"},{"key":"835_CR26","unstructured":"LACORE, UCV. A review of port scanning techniques"},{"issue":"11","key":"835_CR27","doi-asserted-by":"publisher","first-page":"770","DOI":"10.1145\/358790.358797","volume":"24","author":"Leslie Lamport","year":"1981","unstructured":"Lamport Leslie (1981) Password authentication with insecure communication. Commun ACM 24(11):770\u2013772","journal-title":"Commun ACM"},{"issue":"6","key":"835_CR28","first-page":"12","volume":"12","author":"M Krzywinski","year":"2003","unstructured":"Krzywinski M (2003) Port knocking: network authentication across closed ports. SysAdmin Mag 12(6):12\u201317","journal-title":"SysAdmin Mag"},{"key":"835_CR29","doi-asserted-by":"publisher","first-page":"66","DOI":"10.1016\/j.jnca.2017.08.018","volume":"97","author":"Suleman Khan","year":"2017","unstructured":"Khan Suleman et al (2017) Towards port-knocking authentication methods for mobile cloud computing. J Netw Comput Appl 97:66\u201378. https:\/\/doi.org\/10.1016\/j.jnca.2017.08.018","journal-title":"J Netw Comput Appl"}],"container-title":["Computing"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s00607-020-00835-4.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s00607-020-00835-4\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s00607-020-00835-4.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,8,7]],"date-time":"2021-08-07T23:27:55Z","timestamp":1628378875000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s00607-020-00835-4"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,8,8]]},"references-count":29,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2021,2]]}},"alternative-id":["835"],"URL":"https:\/\/doi.org\/10.1007\/s00607-020-00835-4","relation":{},"ISSN":["0010-485X","1436-5057"],"issn-type":[{"type":"print","value":"0010-485X"},{"type":"electronic","value":"1436-5057"}],"subject":[],"published":{"date-parts":[[2020,8,8]]},"assertion":[{"value":"14 February 2020","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"10 July 2020","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"8 August 2020","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}