IPsec Cryptographic Algorithm Invocation Considering Performance and Security for SDN Southbound Interface Communication

2020 
The introduction of IPsec into software-defined networking (SDN) can secure communication in an SDN southbound interface, i.e., communication between the controllers and the switches. However, due to the static configuration of IPsec cryptographic algorithms, the invocation of these algorithms cannot dynamically self-adapt to traffic fluctuations in SDN southbound communication. To address the contradiction between link security and communication performance incurred by IPsec encryption, an evaluation model to find a trade-off between communication performance and link security is presented in this paper. An invocation mechanism based on the Free-to-Add (FTA) method is also proposed to optimize the invocation mode of cryptographic algorithms in traditional IPsec. Based on the real-time network status and the impact of the IPsec encryption process on the network latency and throughput, a feedback-based scheduling scheme is designed to enable the IPsec algorithms in use to be flexibly replaced and synchronously switched, and two policies are applied to determine the appropriate encryption algorithm(s). The validity and effectiveness of the FTA-based mechanism are verified and evaluated on an SDN/OpenFlow platform in which IPsec security gateways are deployed. The feedback-based scheduling scheme is evaluated in terms of packet processing latency, distribution of optional encryption intensity, and the hit rate of encryption intensity.