Research Article
Cryptographic Algorithm Invocation in IPsec: Guaranteeing the Communication Security in the Southbound Interface of SDN Networks
@INPROCEEDINGS{10.1007/978-3-030-06161-6_57,
  author={Deqiang Wang and Wan Tang and Ximin Yang and Wei Feng},
  title={Cryptographic Algorithm Invocation in IPsec: Guaranteeing the Communication Security in the Southbound Interface of SDN Networks},
  proceedings={Communications and Networking. 13th EAI International Conference, ChinaCom 2018, Chengdu, China, October 23-25, 2018, Proceedings},
  proceedings_a={CHINACOM},
  year={2019},
  month={1},
  keywords={Communication security, Software-defined networking (SDN), IPsec, Algorithm invocation, Southbound interface (SBI)},
  doi={10.1007/978-3-030-06161-6_57}
}
Authors: Deqiang Wang, Wan Tang, Ximin Yang, Wei Feng
Year: 2019
CHINACOM
Springer
DOI: 10.1007/978-3-030-06161-6_57
Abstract
Because IPsec cryptographic algorithms are statically configured, their invocation cannot adapt dynamically to the traffic fluctuation of software-defined networking (SDN) southbound communication. In this paper, an invocation mechanism based on the Free-to-Add (FTA) scheme is proposed to optimize the invocation mode of cryptographic algorithms in traditional IPsec. To balance link security and communication performance, a feedback-based scheduling approach is designed for the controller of an IPsec-applied SDN to flexibly replace and synchronously switch the IPsec cryptographic algorithms in use according to the real-time network status. The feedback information is used to decide which algorithm(s) should be employed for the cryptographic process in a special application scenario. The validity and effectiveness of the proposed invocation mechanism are verified and evaluated on a small-scale SDN/OpenFlow platform with a deployed IPsec security gateway. The results show that the FTA-based mechanism invokes IPsec encryption algorithms consistently with the requirement for communication security in the SDN southbound interface, and that the impact of the IPsec cryptographic process on network performance is reduced even if the network traffic fluctuates markedly.