Volume 7 - Issue 4
Application-aware and Dynamic Security Function Chaining for Mobile Networks
- Guanglei Li
Beijing Jiaotong University, Beijing, 100044 China
15111035@bjtu.edu.cn
- Huachun Zhou
Beijing Jiaotong University, Beijing, 100044 China
hchzhou@bjtu.edu.cn
- Guanwen Li
Beijing Jiaotong University, Beijing, 100044 China
16111011@bjtu.edu.cn
- Bohao Feng
Beijing Jiaotong University, Beijing, 100044 China
bohaofeng@bjtu.edu.cn
Keywords: Mobile Networks, Security Function Chaining, Application awareness
Abstract
Mobile networks urgently need fine-grained, cost-effective and flexible service provision
for diversified user traffic. To cope with these demands, researchers have proposed various Service
Function Chaining (SFC) solutions with the rise of Software Defined Networking (SDN) and Network
Function Virtualization (NFV) technologies. However, most of them rely on
MAC addresses and/or OpenFlow protocols without Network Service Header (NSH) support, and have
drawbacks in complexity, scalability and flexibility. NSH-based approaches are more promising for
mobile networks, since they support metadata-based packet information sharing and policy enforcement.
Moreover, a hierarchical SFC (hSFC) architecture has been proposed to alleviate the scalability and
management problems in large-scale networks. Nevertheless, how to realize application awareness
and on-demand service provision has not been investigated thoroughly in the hSFC environment.
Thus, in this paper, we propose a proactive-based branching approach for application-aware and dynamic
security function chaining, where application features are analyzed first and then carried
in the metadata of NSHs for subsequent processing by the relevant security functions. In this way,
the data plane is able to redirect traffic based on metadata without the participation of the control plane.
In addition, we verify the proposed approach on our prototype system through two typical use cases,
application-aware traffic control and lawful interception, and the experimental results confirm
its feasibility and elasticity.
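
The metadata-driven branching described in the abstract, as an added Python sketch that is not the authors' prototype code. The header layout follows NSH MD Type 1 (RFC 8300); the application IDs, the branch table, the path identifiers and the choice to carry the application ID in the first four bytes of the context header are assumptions made for illustration.

```python
import struct

NSH_LEN_MD1 = 6      # total header length in 4-byte words for MD Type 1 (RFC 8300)
NSH_MD_TYPE_1 = 0x1  # fixed 16-byte context header
NSH_NEXT_IPV4 = 0x1

# Assumed for this sketch: application IDs and the pre-installed branch table.
APP_WEB, APP_VIDEO, APP_P2P = 1, 2, 3
BRANCH_TABLE = {     # (incoming SPI, app id) -> (sub-chain SPI, starting SI)
    (10, APP_WEB): (101, 255),   # e.g. a web-filtering chain
    (10, APP_P2P): (102, 255),   # e.g. a rate-limiting chain
}
DEFAULT_BRANCH = (100, 255)      # unknown applications get the full inspection chain


def build_nsh(spi, si, app_id, ttl=63):
    """Classifier side: encode SPI/SI and put the app id in the context header."""
    base = (ttl << 22) | (NSH_LEN_MD1 << 16) | (NSH_MD_TYPE_1 << 8) | NSH_NEXT_IPV4
    return struct.pack("!II", base, (spi << 8) | si) + struct.pack("!I12x", app_id)


def parse_nsh(buf):
    """Validate an MD Type 1 header and return its fields."""
    if len(buf) < 24:
        raise ValueError("truncated NSH")
    base, path = struct.unpack_from("!II", buf)
    if base >> 30 != 0 or (base >> 16) & 0x3F != NSH_LEN_MD1 or (base >> 8) & 0xF != NSH_MD_TYPE_1:
        raise ValueError("not an NSH version 0 MD Type 1 header")
    (app_id,) = struct.unpack_from("!I", buf, 8)
    return {"spi": path >> 8, "si": path & 0xFF, "app_id": app_id}


def branch(buf):
    """Data-plane branching: rewrite SPI/SI from metadata, no controller query."""
    hdr = parse_nsh(buf)
    spi, si = BRANCH_TABLE.get((hdr["spi"], hdr["app_id"]), DEFAULT_BRANCH)
    # Only the Service Path Header (bytes 4..7) changes; metadata travels on.
    return buf[:4] + struct.pack("!I", (spi << 8) | si) + buf[8:]
```

Traffic whose application ID has no table entry falls through to the default chain rather than bypassing the security functions.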