Secure and cost-effective controller deployment in multi-domain SDN with Baguette

Software-Defined Networking (SDN) is becoming prevalently in recent years. Practical SDN (e.g., production Software-defined Wide Area Network) deployments leverage multiple commercial controllers, which partitions the network into multiple domains, and each domain uses a dedicated controller. Commercial controllers are usually used for reliability and fully post-sales supports. However, using a single type of SDN controllers can compromise the whole network if the attacker can exploit its vulnerabilities. In this paper, we consider this security issue and present the Secure and Cost-effective Controller Deployment (SCCD) problem. The SCCD problem aims to replace a few controllers with different types of commercial SDN controllers, which satisfies the security requirement at a minimal cost. The complexity of the SCCD problem comes from common vulnerabilities shared among different types of SDN controllers and attack propagations among network domains. We prove the non-deterministic polynomial-time hardness (NP-hardness) of the problem and propose the Baguette algorithm to efficiently solve the problem. Baguette judiciously chooses and replaces controllers for critical domains with selected types of commercial SDN controllers. Simulation results show that Baguette can achieve comparable performance to the Optimal solution and can stably achieve up to 12.6x security enhancement compared with the single controller type deployment and reduce to 11.1% cost of the securest deployment.