"Enabling Secure Software-Defined Networking for Wireless and Cellular Networks

Through Virtualization"

Abstract— This paper centres on the study of concepts and applications of software defined networking (SDN), which is a network architecture that decouples the network control logic from the underlying network infrastructure elements. Separation of the control plane from the data plane is the basic principle of SDN. This gives a separation of functions which leads to better scalability, programmability, interoperation, performance and ease of management. SDN helps to keep up with the increasing demand for connectivity and bandwidth. This paper presents a review on how SDN can help drive development of network function virtualisation. Application of SDN to wireless and cellular data networks is also studied. Finally, vulnerabilities associated with SDN are discussed and recommendations are offered on how to make SDN more secure and reliable. A detailed architecture for a network function virtualised mobile cellular system is proposed, as well as recommendations to improve security of these systems.

Keywords—Software defined networking, wireless systems, cellular networks, network function virtualisation, security

I. INTRODUCTION
In today's networks, networking elements comprise two planes – the data plane, which is the hardware responsible for making forwarding decisions, and the control plane, which does computation and programming of the data plane. Both the programming and the hardware functionalities of networking devices like routers and switches reside in the same device [1]. This enables the networking devices to make forwarding decisions based on their individual local forwarding states. The control plane makes use of physically and logically distributed protocols which often require manual configuration of individual devices. As the network gets larger, it becomes difficult to manage. It is also impossible to add a new control plane protocol or modify the existing ones.

SDN allows for dynamic modelling and shaping of traffic in real time, and administrators can dynamically assign network resources according to need by writing and using their own SDN program because the software is open source; this feature is not available in today's networks. This is done by physically separating the control plane from the data plane, resulting in dumber network devices like routers and switches but a much more intelligent management server for control. According to the Open Networking Foundation (ONF), SDN is a network architecture that decouples the control and forwarding functions [2], transferring the control function to a logically centralized application referred to as the controller. The control plane, now hosted on the control server or typically a cluster of control servers, is physically separated from the individual forwarding data planes of the network devices. Ideally, the control planes are physically distributed for redundancy but the logical control remains centralised. SDN is not a totally new network paradigm but an architectural advancement [3], [4] aimed at restructuring the network functionalities to better improve the performance and ease of management of the network [5].

ONF indicates the layers of SDN to include the application, control and infrastructure layers [2], as shown in Fig. 1 below. The network control server uses the information gathered from the switches and routers to build a global network topology and further builds "Control Programs" like routing, access control, etc., on top of the network topology [3], thereby resulting in a "clean separation of concerns" [1], [3] or layering. The data plane of each network element, which is responsible for forwarding of information, is sometimes called the forwarding plane and is located within the infrastructure layer of the SDN architecture.

In this paper, we discuss how SDN can be applied in wireless and cellular data systems to secure and improve the system in order to better adapt to the increased volume of data transmitted through the network. Section II presents the use of SDN in wireless networks while section III describes network virtualisation in wireless networks. Section IV gives an overview of an improved architecture for cellular SDN. Improvements on the security and reliability of SDN are discussed in section V and the paper is concluded in section VI.

Fig. 1. Basic components of SDN architecture as proposed by ONF


II. WIRELESS NETWORK
In the last few years, there has been a massive increase in the number and variety of wireless devices in our networks and this has led to higher demands on the network infrastructure. The primary method of network access, at least for client devices, has also shifted largely from wired to wireless [6]. In order to keep up with the rapidly increasing demands for wireless networks, an SDN approach is required [6]. SDN will improve the programmability and ease of management of the network.

A. Conceptual View of SDN in Relation to Wireless Networks
Currently, controller-based wireless networks are deployed in such a way that a centralized controller is used to manage a number of wireless access points. This may appear to meet the basic principle of SDN, which is physical separation of the control plane from the data plane. However, a further assessment of the situation shows that even though both planes are physically separated, the network is not programmable and thus does not allow for dynamic modelling and shaping of traffic in real time. This is because most vendors presently use a proprietary protocol for communication between the controller and the access points [7]. This leads to non-interoperability amongst various vendors' wireless devices. Another snag with the traditional controller-based wireless networks is that control and provisioning of wireless access points (CAPWAP), which is the protocol used to manage communication between the controller and the access points, has been largely modified with various extensions by the vendors [7], thereby preventing interoperation amongst different vendor equipment.

Furthermore, amongst other requirements, wireless networks need precise features like mobility management, dynamic channel configuration [8], network access control, application filtering and prioritisation. However, another benefit of SDN in wireless networks has to do with its ability to create new capacity like "network slicing and creation of new services on top of virtualised resources in secure and isolated networks" [8]. In order to meet the continuously increasing demand of applications, network slices are created based on the resource requirements as well as the source and destination media access control (MAC), internet protocol (IP) address and port details. Thus slicing allows for division of the network infrastructure into different compartments, which enables multiple instances to leverage a common physical infrastructure. The network slices are created on the fly [9] and each slice is independent [8] of the others. Consequently, in addition to network virtualisation, configurations can be migrated to virtual switches based on the network slices created on the network. Platforms like FlowVisor and OpenVirteX enable network virtualisation.

B. Software Defined Wireless Networking
Software defined wireless networking (SDWN), which is the aspect of SDN that deals with wireless networking, is a very important area of SDN, especially now that demand for wireless access is on the rise. SDN has various applications in wireless networks which are discussed in this section.

1) Enterprise Wireless Local Area Network Using Odin
Odin is an SDN framework which provides for programmability of enterprise wireless local area networks (WLAN) in order to improve the functionality and flexibility of the Enterprise WLAN [10], [11]. According to the 802.11 standard, wireless clients perform a probe scan in order to discover Access Points (APs) and then transmit messages, and the APs respond back with probe response messages [10]. The client and an AP undergo a handshake procedure which leads to successful association of the client to the AP. Link virtual access points (LVAPs) ensure that handoff from one AP to another during roaming of the client is successfully executed, to make sure the client does not lose connection to the WLAN.

In Odin, an LVAP acts as a client-specific AP and presents each wireless client within its reach with a unique AP MAC address, called the basic service set identifier (BSSID), to connect to. The clients perceive the LVAPs as a normal AP, and handing off from one LVAP to another does not require exchange of additional layer 2 and 3 messages between the client and the AP, hence making handoff very transparent to the clients. The concept limits the clients to receiving the MAC layer acknowledgment (ACK) only from the 'AP' they are associated to in order to maintain connection. For clarity, it is important to state that the BSSID is different from the service set identifier (SSID), which is the network name. Also, virtual interfaces, which can be created off a wireless physical interface and used to create multiple SSIDs, are different from LVAPs.

The architecture of Odin includes the Odin master and agent as was presented by [10], [11]. The Odin master is an application that uses the standard OpenFlow protocol to communicate with infrastructure layer devices like the switches and the APs, and also reaches the Odin agents running on the APs using the Odin protocol [10]. The Odin master has a global view of the network and thus can gather OpenFlow statistical information such as packet flow match counts from the infrastructure layer elements using the OpenFlow protocol, while radio statistics like signal strength, bit-rate, etc., are obtained from the APs' Odin agents with the help of the Odin protocol.

2) Internet of Things
The Internet of things (IoT), sometimes referred to as the Internet of Everything (IoE), according to International Data Corporation (IDC) refers to an internetwork of end points that communicate locally and globally without human interaction using IP connectivity [12]. IoT network elements can range from household devices like refrigerators and fire alarm systems to medical equipment installed inside human beings like heart beat monitors. Each of the elements is connected to the network mostly via wireless means and can transmit information in real time. Other IoT network elements include things like an insulin dispenser that relies on one's medical history to calculate a medication schedule, or clothes that sense one's body heat and use biometrics to suggest specialty food [13]. According to Cisco Inc., IoT is increasing the "connectedness" of people and things at a rate that was once not imaginable [14].

As demand for wireless network services keeps rising, most of the network elements in the IoT framework use the wireless network as their access medium, and the trend is going to continue. The SDN technique decouples the control plane from the data plane of network elements, thereby leading to more intelligent routing of traffic, and this becomes very important in IoT. This will lead to intelligent content delivery over the wireless network using SDN [15]. Most data generated in the IoT elements would be transmitted either through the wireless or cellular system. Hence, SDN will be used extensively to improve the transport network for the huge data which is expected from IoT.
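As an added illustration of the slice isolation discussed in section II-A (example code written for this page, not FlowVisor or OpenVirteX code), the following Python sketch defines each slice by a flowspace of MAC, IP prefix and port constraints plus the switch ports the slice owns, and refuses to install any rule that would carry a packet across a slice boundary or that falls into overlapping flowspaces. The names `Slice`, `SliceController`, `pkt` and `demo`, and all addresses and port numbers, are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Slice:
    """One tenant slice: a flowspace (MAC/IP/port constraints, any of which
    may be left unset) plus the switch ports the slice is allowed to use."""
    name: str
    ports: frozenset
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    ip_net: Optional[str] = None     # matched against src or dst IP
    tcp_port: Optional[int] = None   # matched against src or dst port

    def matches(self, pkt: dict) -> bool:
        if self.src_mac and pkt["src_mac"].lower() != self.src_mac.lower():
            return False
        if self.dst_mac and pkt["dst_mac"].lower() != self.dst_mac.lower():
            return False
        if self.ip_net:
            net = ip_network(self.ip_net)
            if ip_address(pkt["src_ip"]) not in net and ip_address(pkt["dst_ip"]) not in net:
                return False
        if self.tcp_port and self.tcp_port not in (pkt["src_port"], pkt["dst_port"]):
            return False
        return True


class SliceController:
    """Hypothetical slicing layer between tenant controllers and the switch:
    every forwarding decision is checked against the owning slice so that one
    tenant's rules can never touch another tenant's ports or flowspace."""

    def __init__(self, slices):
        self.slices = list(slices)
        self.flow_table = []   # (slice name, packet header, out_port)

    def classify(self, pkt: dict):
        return [s for s in self.slices if s.matches(pkt)]

    def install_rule(self, pkt: dict, out_port: int) -> str:
        hits = self.classify(pkt)
        if not hits:
            return "drop: packet belongs to no slice"
        if len(hits) > 1:
            # Overlapping flowspaces would let two tenants fight over a flow;
            # refuse rather than silently pick one of them.
            return "conflict: " + ",".join(s.name for s in hits)
        sl = hits[0]
        if pkt["in_port"] not in sl.ports or out_port not in sl.ports:
            return f"deny: port outside slice {sl.name}"
        self.flow_table.append((sl.name, pkt, out_port))
        return f"ok: {sl.name}"


def pkt(src_ip, dst_ip, in_port, src_port=40000, dst_port=80,
        src_mac="aa:aa:aa:00:00:01", dst_mac="aa:aa:aa:00:00:02"):
    """Constructed packet header (only the fields the flowspace looks at)."""
    return dict(src_ip=src_ip, dst_ip=dst_ip, in_port=in_port,
                src_port=src_port, dst_port=dst_port,
                src_mac=src_mac, dst_mac=dst_mac)


def demo():
    # Constructed slices: tenant A owns 10.1.0.0/16 on ports 1-2, tenant B
    # owns 10.2.0.0/16 on ports 3-4, and a VoIP slice keyed on TCP/5060
    # owns ports 5-6.
    ctl = SliceController([
        Slice("tenantA", frozenset({1, 2}), ip_net="10.1.0.0/16"),
        Slice("tenantB", frozenset({3, 4}), ip_net="10.2.0.0/16"),
        Slice("voip", frozenset({5, 6}), tcp_port=5060),
    ])
    return {
        "a_internal": ctl.install_rule(pkt("10.1.0.5", "10.1.0.9", 1), 2),
        "a_to_b_port": ctl.install_rule(pkt("10.1.0.5", "10.1.0.9", 1), 3),
        "unknown": ctl.install_rule(pkt("192.168.1.1", "192.168.1.2", 1), 2),
        "overlap": ctl.install_rule(pkt("10.1.0.5", "10.2.0.7", 1), 2),
        "voip": ctl.install_rule(pkt("172.16.0.1", "172.16.0.2", 5, dst_port=5060), 6),
        "rules": len(ctl.flow_table),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The "overlap" case is the one worth noting: a packet whose source sits in tenant A's prefix and whose destination sits in tenant B's matches both flowspaces, and a slicing layer that picked one silently would quietly leak a flow between tenants; refusing the rule and surfacing the conflict to the operator is the safer default.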
III. NETWORK VIRTUALISATION
Network virtualization refers to the creation of multiple virtual instances of a network device on a physical device in order to achieve network segments or tenant isolation. The virtual instances help to provide improved fault isolation, better security, visibility, scalability, and ease of management and maintenance of the network. Firewalls, routers, switches and load balancers can each be virtualised to form multiple logical devices.

A recent advancement in network virtualization is a technique called network functions virtualization (NFV), which is aimed at virtualizing those network functions that are traditionally carried out by dedicated proprietary hardware devices like routers, load balancers and firewalls. The initiative of NFV is to decouple network services from dedicated hardware devices and move such services like routing, firewalling and load balancing to virtual machines (VMs) which can run on standard x86 servers [16], [17]. The VM manager, called the hypervisor, then controls the VMs and allocates resources to them. Such an implementation can address operational issues and the very high cost associated with purchasing and managing proprietary network devices like the serving gateway (S-GW) and packet data network gateway (P-GW) used in today's cellular networks. Virtualization, consolidation of network functions and use of cloud technologies can help network operators achieve better agility and accelerate deployment of new services while forcing down both operational (OpEx) and capital expenditures (CapEx) [18]. Implementation of NFV will result in a significant reduction in service deployment cost because there will be no requirement for dedicated proprietary hardware devices for service deployment.

SDN and NFV are two different network standardization techniques which complement each other. Both techniques aim at reducing the cost of network devices and improving the flexibility of networks. The goal of NFV is to virtualize network functions (like firewalling, load balancing, wireless control, etc.) that are traditionally run on dedicated proprietary hardware devices by running such services on VMs, while SDN aims at decoupling the control plane from the data plane in order to improve the underlying networks. The complementary roles of SDN and NFV have been presented by [18].

While NFV is expected to make a huge impact in cloud and enterprise networks, the technology is also expected to make significant contributions to cellular backend service deployment, as presented in our proposed network function virtualised cellular SDN architecture of Fig. 2.

Fig. 2. Proposed network function virtualised cellular SDN architecture

IV. CELLULAR NETWORKS
The rapidly growing number of smart handheld devices places enormous strain on mobile data networks. The exponential traffic growth is expected to continue considering the global adoption of smartphones and tablets, coupled with recent discussions and evolution of the Internet of Things (IoT). In order to cope with this growing need for bandwidth, the current mobile data network architecture, which can be considered very complex and inflexible, needs to be improved using SDN.

There is no clear separation between the data and control planes in the traditional Long Term Evolution (LTE) architecture as presented in [19]. Reference [19] shows that user equipment (UE) like smartphones connect to a base station, which in turn connects to the serving gateway (S-GW). The S-GW plays a huge role in mobility management, which is one of its control functionalities. The S-GW also performs a data plane function by forwarding data traffic to the packet data network gateway (P-GW) using the general packet radio service (GPRS) tunneling protocol (GTP). Besides controlling the charging rules and UE IP address allocation policies, the P-GW also carries out data plane functions. In addition to performing their respective data plane roles, the base station, S-GW and P-GW all take part in control plane activity like mobility management.

Data plane functions like policy enforcement, prioritization, etc., which are centralised at the P-GW, create challenges in the network [19] as listed below:
• Non-scalability of the network.
• The equipment becomes very expensive because of its numerous functionalities and vendor lock-in.
• Network congestion, since all traffic, including traffic between users in the same cell, has to traverse the P-GW.

The SDN architecture proffers a solution to the challenges posed by the LTE network architecture. Making the switches able to support packet header inspection makes it possible to transfer policy enforcement, which is a data plane functionality, from the P-GW to the switches located in the base stations. In addition to that, running a local agent on each switch in the base stations will improve the network scalability [19] and also reduce congestion. When that is done, the local agents running on the switches will continuously poll the higher layer controller and make real-time incremental updates to their local copy of the policy to ensure it remains up to date. Taking the enforcement role off the P-GW optimizes the network and improves the congestion situation, since the policy enforcement point in the network is now moved closer to the users. SDN will also improve interoperability amongst equipment from different manufacturers, thereby forming a heterogeneous network. The cellular SDN architecture presented by [19] did not clearly incorporate the controller and lacks adequate detail, thus is not implementable. Consequently, a network function virtualised cellular SDN architecture which provides more details of the components and the segment of the network where they belong is recommended in Fig. 2 and is an improvement on [19].
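The local-agent scheme just described, as an added example (written for this page; not code from [19] or from this paper's proposed architecture): a hypothetical `PolicyController` keeps a versioned policy log, and a hypothetical `BaseStationAgent` on the base-station switch polls it for only the changes since its last seen version and enforces the resulting rules on packet headers, so the policy decision is taken at the cell edge rather than at the P-GW. The rule names, prefixes, ports and actions are constructed sample data.

```python
import ipaddress


class PolicyController:
    """Hypothetical higher-layer controller holding the authoritative,
    versioned policy; every change is appended to a log so that agents can
    ask for only the changes they have not yet seen."""

    def __init__(self):
        self.version = 0
        self.rules = {}     # rule_id -> {"match": {...}, "action": str}
        self.log = []       # (version, op, rule_id, rule)

    def add_rule(self, rule_id, match, action):
        self.version += 1
        rule = {"match": dict(match), "action": action}
        self.rules[rule_id] = rule
        self.log.append((self.version, "add", rule_id, rule))

    def remove_rule(self, rule_id):
        self.version += 1
        self.rules.pop(rule_id, None)
        self.log.append((self.version, "del", rule_id, None))

    def delta_since(self, version):
        """Incremental update: (current version, changes newer than `version`)."""
        return self.version, [e for e in self.log if e[0] > version]


def _field_matches(key, want, pkt):
    # IP fields are matched as prefixes; every other field by equality.
    if key in ("src_ip", "dst_ip"):
        return ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want)
    return pkt.get(key) == want


class BaseStationAgent:
    """Hypothetical local agent on the base-station switch: keeps a local
    copy of the policy, polls the controller for deltas, and enforces the
    policy on each packet without the traffic having to reach the P-GW."""

    def __init__(self, controller):
        self.controller = controller
        self.version = 0
        self.rules = {}

    def poll(self):
        new_version, changes = self.controller.delta_since(self.version)
        for _, op, rule_id, rule in changes:
            if op == "add":
                self.rules[rule_id] = rule
            else:
                self.rules.pop(rule_id, None)
        self.version = new_version
        return len(changes)

    def enforce(self, pkt):
        """First matching rule wins; unmatched traffic is forwarded best-effort."""
        for rule in self.rules.values():
            if all(_field_matches(k, v, pkt) for k, v in rule["match"].items()):
                return rule["action"]
        return "forward:best-effort"


def demo():
    ctl = PolicyController()
    agent = BaseStationAgent(ctl)
    # Constructed policy: drop one well-known P2P port, prioritise a video
    # CDN prefix, and break out traffic between two UEs in the same cell locally.
    ctl.add_rule("block-p2p", {"dst_port": 6881}, "drop")
    ctl.add_rule("video-prio", {"dst_ip": "203.0.113.0/24"}, "forward:high")
    ctl.add_rule("local-breakout", {"src_ip": "10.9.0.0/24", "dst_ip": "10.9.0.0/24"}, "forward:local")
    first_poll = agent.poll()
    video = agent.enforce({"src_ip": "10.9.0.4", "dst_ip": "203.0.113.8", "dst_port": 443})
    p2p = agent.enforce({"src_ip": "10.9.0.4", "dst_ip": "198.51.100.2", "dst_port": 6881})
    local = agent.enforce({"src_ip": "10.9.0.4", "dst_ip": "10.9.0.7", "dst_port": 5000})
    ctl.remove_rule("block-p2p")          # policy change at the controller
    second_poll = agent.poll()            # only the one new delta is fetched
    p2p_after = agent.enforce({"src_ip": "10.9.0.4", "dst_ip": "198.51.100.2", "dst_port": 6881})
    return dict(first_poll=first_poll, video=video, p2p=p2p, local=local,
                second_poll=second_poll, p2p_after=p2p_after, version=agent.version)


if __name__ == "__main__":
    print(demo())
```

Because the agent sends only its last seen version and receives only the newer log entries, the polling cost stays proportional to the rate of policy change rather than to the size of the policy, which is what makes per-base-station polling scale in the way the text argues.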

V. SECURITY AND RELIABILITY OF SDN
Security of technology infrastructure is an issue every organisation takes very seriously, considering the huge negative impact that follows whenever a breach occurs. If a security breach occurs and an organisation loses its business data or customers' information is stolen, the organisation may suffer financial loss as a result of litigation, government sanctions, etc. The organisation may also suffer reputational loss. As a result of the uproar in industrial espionage, institutions have been investing hugely in the provision and revamping of their security infrastructure in order to prevent unauthorized access to their systems from within and outside the organisations.

In the existing security model, network security policies are enforced by making traffic physically flow through the security devices. However, as presented by [20], the network topology is now virtual in the SDN model, such that the SDN controller makes use of flow rules to control when and if traffic goes through the security devices. This puts the entire trust on the SDN controller and applications, with the hope that neither SDN element will be compromised; otherwise the attacker takes control of the entire network. Fig. 3 presents the current security model in comparison to the SDN security model shown in Fig. 4. Both security models are presented with respect to the flow of traffic in the network. Fig. 4 shows that it is no longer very critical to physically provision a network security element like the firewall along the traffic path in the network, since there is a logical network topology in SDN networks rather than a physical topology. For example, traffic from the client node to the server node in Fig. 4 can be routed through the firewall or via the alternative path to the server node based on policies maintained by the routing and firewall functions. It is now the responsibility of the SDN to ensure that traffic flows through the security devices or otherwise. Furthermore, the fact that the controller is centralized makes it a single point of failure, hence it is a critical aspect of the network.

Fig. 3. Current security topology for traffic flow

Fig. 4. SDN security model for traffic flow

Security needs to be built into the SDN architecture and also delivered as a service to provide for the confidentiality, integrity and availability of information that is stored or transmitted through the network [21]. Reference [22] presented three SDN-related threat vectors in addition to the already existing threat vectors in traditional networks: attacks on control plane communications, attacks on and vulnerabilities in controllers, and lack of mechanisms to ensure trust between the controller and management applications.

By design, the controllers, with the help of the higher layer applications, control the entire network. Hence, when the controller is compromised, the entire network is affected. The controller usually programs the switches to send the first packet of any unknown flow to the controller. This can be an avenue for attackers to hijack the communication and flood the controller with unknown packets from multiple switches and cause a distributed denial of service (DDoS) on the controller. However, control plane protection on the switches can help to prevent possible DDoS attacks on the SDN controllers. This can be done by ensuring that the data plane of network elements like switches is designed using just enough processing power to enable them to forward traffic under the maximum expected load. The processors are then not powerful enough to send large numbers of packets to the controller if the switches are under DDoS attack.

There are some security concerns about the operation of the controller that need to be addressed, and they are discussed below. Firstly, communication between the SDN controller and the switch is done using a secure sockets layer (SSL) certificate, leading to an encrypted link between both devices. However, the digital certificate used for the communication is self-signed, hence is not very secure. This is because, if the private key of the self-signed certificate issued by the controller to the switches gets stolen, the attacker would be able to join his device to the network and eavesdrop on information being forwarded around the network. Moreover, self-signed certificates cannot be revoked by the controller if it suspects a breach, unlike certificate authority (CA) issued certificates, which can be revoked. Thus there is a need to improve security of the communication path between the controller and the network elements by using certified certificates from CAs like Symantec, Entrust, etc. Secondly, the SDN controller and applications are built on standard platforms like the Linux operating system, which has its own vulnerabilities. Hence hardening of the platform must be properly carried out, else the platform becomes a potential attack surface.
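The text above makes the point that in the SDN model it is the controller's flow rules, not the physical wiring, that decide whether client-to-server traffic passes the firewall. As an added example (written for this page; not code from [20] or from any controller project), the following Python audit walks the installed rules hop by hop for each flow and reports any flow that reaches the server without traversing the firewall node, ends somewhere else, or loops. The node names (`sw1`, `fw`, `sw2`, `server`), the flow tuples and the rule tables are constructed for the example.

```python
def trace(rules, start, flow, max_hops=16):
    """Follow the installed rules for one flow from `start`.
    rules: node -> {flow: next_hop}; hosts have no rules, so a path ends
    when the current node has no rule for the flow.  Returns (path, status)."""
    path = [start]
    node = start
    while node in rules and flow in rules[node]:
        node = rules[node][flow]
        if node in path:
            path.append(node)
            return path, "loop"
        path.append(node)
        if len(path) > max_hops:
            return path, "too-long"
    return path, "end"


def audit(rules, flows, src, dst, must_pass):
    """Invariant check: every flow from `src` must reach `dst` and its path
    must include `must_pass` (the firewall).  Returns a list of violations."""
    violations = []
    for flow in flows:
        path, status = trace(rules, src, flow)
        if status != "end":
            violations.append((flow, status))
        elif path[-1] != dst:
            violations.append((flow, f"ends at {path[-1]}"))
        elif must_pass not in path:
            violations.append((flow, f"bypasses {must_pass}"))
    return violations


# Constructed flows (src IP, dst IP) from the client segment to the server.
FLOW_WEB = ("10.0.0.5", "10.0.1.10")
FLOW_SSH = ("10.0.0.6", "10.0.1.10")

# Constructed rule tables for the logical topology client -> sw1 -> fw -> sw2 -> server,
# where sw1 also has a direct (alternative) link to sw2.
COMPLIANT = {
    "sw1": {FLOW_WEB: "fw", FLOW_SSH: "fw"},
    "fw":  {FLOW_WEB: "sw2", FLOW_SSH: "sw2"},
    "sw2": {FLOW_WEB: "server", FLOW_SSH: "server"},
}
# Same topology, but one rule on sw1 steers FLOW_SSH over the alternative
# path straight to sw2, as a misconfigured or untrusted application might.
BYPASS = {
    "sw1": {FLOW_WEB: "fw", FLOW_SSH: "sw2"},
    "fw":  {FLOW_WEB: "sw2", FLOW_SSH: "sw2"},
    "sw2": {FLOW_WEB: "server", FLOW_SSH: "server"},
}
# A rule set where sw2 hands FLOW_WEB back to sw1: a forwarding loop.
LOOPED = {
    "sw1": {FLOW_WEB: "fw"},
    "fw":  {FLOW_WEB: "sw2"},
    "sw2": {FLOW_WEB: "sw1"},
}


def demo():
    flows = [FLOW_WEB, FLOW_SSH]
    return {
        "compliant": audit(COMPLIANT, flows, "sw1", "server", "fw"),
        "bypass": audit(BYPASS, flows, "sw1", "server", "fw"),
        "looped": audit(LOOPED, [FLOW_WEB], "sw1", "server", "fw"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result or "no violations")
```

Running such a check against the controller's rule store after every rule change, rather than only at provisioning time, is what turns "the SDN is responsible for routing traffic through the security devices" from a hope into something an operator can verify.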
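The paper's mitigation for packet-in flooding is to size switch processors so they cannot overwhelm the controller. As an added example (written for this page, not from any controller project), the following Python sketch shows the software counterpart on the controller side: a per-switch token bucket on packet-in events, with a switch that keeps exceeding its budget being quarantined so that one flooding switch cannot starve the others. The names `PacketInGuard`, `Controller` and `simulate`, the rate and burst values, and the simulated traffic are all constructed for the example.

```python
class PacketInGuard:
    """Hypothetical controller-side guard: per-switch token bucket on
    packet-in events.  A switch whose packet-ins keep being rejected is
    quarantined, i.e. the controller stops servicing its packet-ins until
    an operator clears it."""

    def __init__(self, rate_per_sec=10.0, burst=20, quarantine_after=100):
        self.rate = rate_per_sec
        self.burst = burst
        self.quarantine_after = quarantine_after
        self.buckets = {}        # dpid -> (tokens, last_seen)
        self.rejections = {}     # dpid -> consecutive rejections
        self.quarantined = set()

    def allow(self, dpid, now):
        if dpid in self.quarantined:
            return False
        tokens, last = self.buckets.get(dpid, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[dpid] = (tokens - 1.0, now)
            self.rejections[dpid] = 0
            return True
        self.buckets[dpid] = (tokens, now)
        self.rejections[dpid] = self.rejections.get(dpid, 0) + 1
        if self.rejections[dpid] >= self.quarantine_after:
            self.quarantined.add(dpid)
        return False


class Controller:
    """Minimal reactive controller: every admitted packet-in results in a
    flow rule being installed on the reporting switch."""

    def __init__(self, guard):
        self.guard = guard
        self.flows_installed = {}   # dpid -> set of flows

    def handle_packet_in(self, dpid, flow, now):
        if not self.guard.allow(dpid, now):
            return False
        self.flows_installed.setdefault(dpid, set()).add(flow)
        return True


def simulate():
    ctl = Controller(PacketInGuard(rate_per_sec=10.0, burst=20, quarantine_after=100))
    accepted = {"s1": 0, "s2": 0}
    # Constructed traffic: s1 reports one new flow per second (benign);
    # s2 emits 1000 packet-ins for distinct flows at the same instant (flood).
    for i in range(5):
        accepted["s1"] += ctl.handle_packet_in("s1", ("10.0.0.1", f"10.0.1.{i}"), now=10.0 + i)
    for i in range(1000):
        accepted["s2"] += ctl.handle_packet_in("s2", ("10.0.0.2", f"198.51.100.{i % 256}", i), now=50.0)
    return accepted, sorted(ctl.guard.quarantined)


if __name__ == "__main__":
    print(simulate())
```

The budget is per switch on purpose: a single bucket for the whole controller would let one flooding switch consume the budget that the benign switches need, which is exactly the availability loss the text warns about.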
VI. CONCLUSION
SDN promises a very good future for the area of networking by decoupling the control logic from the data plane, thereby making the network more scalable and easier to manage, leading to improved performance. SDN also creates a heterogeneous and interoperable network, thereby limiting the vendor lock-in which currently haunts some organizations. There is an almost unanimous inference from previous studies that SDN will resolve the issues associated with contemporary networks. The major focus has been on the development of SDN as it relates to wired networks. However, not so much has been done about SDN as it applies to wireless networks, as well as the security of the technology itself.

This paper presented a survey of how SDN and network function virtualisation can help drive further development of wireless networks. Application of SDN to cellular and wireless networks was also studied. Finally, vulnerabilities associated with SDN were discussed and recommendations were offered on how to make SDN more secure and reliable.

REFERENCES
[1] D. Kreutz, et al., "Software-defined networking: a comprehensive survey", Proceedings of the IEEE, vol. 103, no. 1, Jan. 2015, pp. 14-63.
[2] Open Networking Foundation, "Software-defined networking (SDN) definition", [Online], Available: https://www.opennetworking.org/sdn-resources/sdn-definition
[3] S. Shenker, "Stanford seminar - software-defined networking at the crossroads", May 2013, [Online], Available: https://www.youtube.com/watch?v=WabdXYzCAOU&spfreload=1
[4] J. Clarke, "Cisco live 2015 – software defined networking (SDN)", Jun. 2015, [Online], Available: https://www.youtube.com/watch?v=oIGrWuyof4o
[5] B.A.A. Nunes, M. Mendonca, X. Nguyen, K. Obraczka and T. Turletti, "A survey of software-defined networking: past, present, and future of programmable networks", IEEE Communications Surveys & Tutorials, vol. 16, no. 3, Quarter 3, 2014, pp. 1617-1634.
[6] Accton Newsletter, "Software-defined networking for wi-fi", [Online], Available: http://www.accton.com/Newspage.asp?sno=88
[7] S. Johnson, "In wireless, SDN can boost interoperability and performance", TechTarget, [Online], Available: http://searchsdn.techtarget.com/feature/In-wireless-SDN-can-boost-interoperability-and-performance#
[8] A. Hakiri, A. Gokhale, P. Berthou, D.C. Schmidt and T. Gayraud, "Software-defined networking: challenges and research opportunities for future Internet", Elsevier Computer Networks, vol. 75, part A, Dec. 2014, pp. 453-471.
[9] R. le Maistre, "Ericsson's network slicing: it's far out, man", Light Reading, Oct. 2013, [Online], Available: http://www.lightreading.com/ethernet-ip/routers/ericssons-network-slicing-its-far-out-man/d/d-id/706230
[10] L.S. Puthalath, et al., "Programming the enterprise WLAN: An SDN approach", Jun. 2012, [Online], Available: https://lalithsuresh.files.wordpress.com/2011/04/lalith-thesis.pdf
[11] L. Suresh, J. Schulz-Zander, R. Merz, A. Feldmann and T. Vazao, "Towards programmable enterprise WLANs with Odin", ACM SIGCOMM (HotSDN'12), Aug. 2012, pp. 115-120.
[12] J. Duffy, "8 Internet things that are not IoT", Network World, Jun. 2014, [Online], Available: http://www.networkworld.com/article/2378581/internet-of-things/8-internet-things-that-are-not-iot.html
[13] NEC, "IoT, meet SDN: How software-defined networking will drive the Internet of things", Sep. 2014, [Online], Available: http://www.nec.com/en/global/ad/insite/article/sdn01.html
[14] Cisco Inc., "Internet of things (IoT)", [Online], Available: http://www.cisco.com/web/solutions/trends/iot/overview.html
[15] H. Nam, D. Calin and H. Schulzrinne, "Intelligent content delivery over wireless via SDN", IEEE Wireless Communications and Networking Conference (WCNC), Mar. 2015, pp. 2185-2190.
[16] B. McCouch, "SDN, network virtualization and NFV in a nutshell", Network Computing, Sep. 2014, [Online], Available: http://www.networkcomputing.com/networking/sdn-network-virtualization-and-nfv-in-a-nutshell/a/d-id/1315755
[17] TechTarget, "Network functions virtualization (NFV) definition", [Online], Available: http://searchsdn.techtarget.com/definition/network-functions-virtualization-NFV
[18] Open Networking Foundation, "OpenFlow-enabled SDN and network functions virtualization", [Online], Available: https://www.opennetworking.org/images/stories/downloads/sdn-resources/solution-briefs/sb-sdn-nvf-solution.pdf
[19] L.E. Li, Z.M. Mao and J. Rexford, "Toward software-defined cellular networks", IEEE 2012 European Workshop, Oct. 2012, pp. 7-12.
[20] R.M. Hinden, "SDN & security: why take over the hosts when you can take over the network", RSA Conference 2014, San Francisco, Feb. 2014, [Online], Available: http://www.rsaconference.com/events/us14/agenda/sessions/1021/sdn-security-why-take-over-the-hosts-when-you-can
[21] SDxCentral, "SDN security challenges in SDN environments", [Online], Available: https://www.sdxcentral.com/resources/security/security-challenges-sdn-software-defined-networks/
[22] D. Kreutz, F.M.V. Ramos and P. Verissimo, "Towards secure and dependable software-defined networks", ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN), Aug. 2013, pp. 55-60.
