Seung Hun Jee* , Ji Su Park** and Jin Gon Shon*
Security in Network Virtualization: A Survey
Abstract: Network virtualization technologies have played efficient roles in deploying cloud, Internet of Things (IoT), big data, and 5G network. We have conducted a survey on network virtualization technologies, such as software-defined networking (SDN), network functions virtualization (NFV), and network virtualization overlay (NVO). For each of technologies, we have explained the comprehensive architectures, applied technologies, and the advantages and disadvantages. Furthermore, this paper has provided a summarized view of the latest research works on challenges and solutions of security issues mainly focused on DDoS attack and encryption.
Keywords: Cloud , Network Virtualization , NFV , NVO , SDN , Security
In the era of the 4th industrial revolution, virtualization technologies play a big role in the acceleration of cloud, Internet of Things (IoT), big data, and 5G network. Virtualization is a new process of creating a virtual instance of a computing system in the abstraction layer over the infrastructure layer. Virtualization can increase agility, scalability, flexibility, and mobility. On the other hand, virtualization can also decrease capital expenditure, operating expense, and complexity. Virtualization is classified into server, storage, and network virtualization. Among these, this paper has focused on network virtualization.
Traditional network device consists of a management plane for monitoring and management, a control plane for configuration and control, and a data plane for forwarding and port. These planes are tightly coupled and integrated into the device. Traditional network architecture is designed as a vertical 3-tier structure, consisting of a core, a distribution, and an access layer. Major traffics such as e-mail and multimedia service flow in the north-south direction, from silo-based servers to the external customers.
The network device has been changed into a loosely coupled structure. A management plane, a control plane, and a data plane are physically separated and communicate through separate interfaces. Each plane becomes virtualized, programmable, and centralized controllable. Network architecture also has been changed into a horizontal 2-tier structure, consisting of a spine and a leaf layer. Major traffics flow in the east-west direction to transport server-to-server traffic for distributed computing and big data.
IoT, cloud, big data, and 5G environments are because of technical advances in the virtualization technologies. Network virtualization is the youngest but the most influential technology than others. In this paper, we have provided the comprehensive architectures, applied technologies, security challenges and solutions against DDoS attack, which is mainly focused on software-defined networking (SDN), network functions virtualization (NFV), and network virtualization overlay (NVO). We expect this paper can show you how your network can be deployed to use network virtualization technologies.
2. Network Virtualization
2.1 Quick Review of Networks
Network elements are composed of a set of nodes and links as shown in Fig. 1(a). Network node can be a physical or virtual node as shown in Fig. 1(b), and network link can also be a physical or virtual link as shown in Fig. 1(c). Virtual node is not a physical hardware, but a logical software over the abstraction layer. Virtual link can provide direct connection among nodes that are not physically connected.
Network topology provides a roadmap for one node to know the way to the other node through the link. There are many methods to design network topologies. Here are two famous methods to design network topologies, fat-tree topology and Clos topology. Fat-tree topology is a tree-like, 3-tier’s architecture as shown in Fig. 2(a), which is generally used in the traditional network architectures. Clos topology is a 2-tier’s architecture as shown in Fig. 2(b), which is widely used in the virtualized or cloud network architectures. In the fat-tree topology described in Fig. 2(a), the hop count from node A to node B is 4, but in the Clos topology described in Fig. 2(b), the hop count from node C to node D is just 2. That is why recent network architectures prefer Clos topology to fat-tree topology .
2.2 Classifications of Network Virtualization
Network virtualization can be classified by network elements into node virtualization and link virtualization. Node virtualization is the separation of software from hardware. Link virtualization is logical extension without physical extension. In this classification, SDN and NFV belong to node virtualization. SDN is mainly to virtualize the control plane, and NFV is mainly to virtualize the data plane. In the meantime, NVO belongs to link virtualization to connect direct network without a physical cable. Table 1 shows a summarization of what we explained above.
2.3 Summary of Surveys on Network Virtualization
There have been many surveys on network virtualization. Table 2 summarizes research surveys and compares ours with them [2-15]. In the column of “Contributions,” we mark some of surveys as (highly) historical when they explain how network virtualization was born, raised and developed from the past. Recent and informational surveys are marked as (highly) recommended when they provide information for the readers to understand the definition, categories, applied technologies, and security issues of network virtualization.
3. Software-Defined Networking
In this section, the comprehensive architecture, technologies of SDN, security threats, and research works on SDN security have been explained.
3.1 Architecture of SDN
SDN is a technology to separate control plane and data plane. As shown in Fig. 3, traditional network architecture consists of management plane, control plane, and data plane in one-box hardware. SDN architecture consists of management plane, control plane, and data plane. The separated planes communicate each other through northbound and southbound interface in SDN .
SANE architecture  proposed in 2006 and Ethane architecture  proposed in 2007 are the beginning of SDN history. Ethane controls the network into two components; a centralized controller responsible for enforcing global policy, and ethane switches to simply forward packets based on rules in a flow table. SDN, with its characteristics of separation of control plane from data plane, offers a greater advantage such as automation, centralized management, and network programming. Centralized control plane provides a global network visibility and management of entire network flows.
Three layers are SDN application in the application layer, SDN controller in the control layer, and SDN switch in the infrastructure layer. Two interfaces of SDN are southbound and northbound interface. Southbound interface (SBI) provides an interface between control and data plane. Northbound interface (NBI) provides an interface between control and management plane.
SDN application is a management plane to communicate network requirement toward a control plane via NBI. SDN controller is a control plane to translate SDN application’s requirement and execute the exclusive control of data plane via SBI. SDN switch is a data plane to consist of network elements and execute the packet forwarding.
Open vSwitch is an open source multi-layer virtual switch that is widely used in SDN. It supports traditional network service such as VLAN, sFlow, and SPAN. It also supports new network service such as OpenFlow and network programming .
Mininet is a network emulator to create a virtual SDN network. It can make virtual hosts, switches, routers, links, and controllers on your laptop computer. The advantages of Mininet are fast, easy, programmable, and free .
OpenFlow is a southbound interface technology between SDN controller and switch. Main feature of OpenFlow is a packet processing operation called action and instruction . OpenFlow is proposed by McKeown et al.  to enable easy network experiments in a campus network. OpenFlow Switch consists of a flow table, a group table, and OpenFlow channel. SDN controller can control SDN switches (e.g., add, update, and delete flow entries in flow tables). Each flow entries consist of match fields, counters, and instructions.
Network Configuration Protocol (NETCONF) provides mechanism to install, manipulate, and delete the configuration of network devices. It uses an XML-based data encoding for the configuration data as well as the protocol messages . YANG  is a data modeling language used to model configuration and state data manipulated by the NETCONF. NETCONF/YANG is a technology of southbound interface to configure and monitor the SDN network.
Representational State Transfer (REST) is an architectural style for distributed hypermedia systems, describing the software engineering principles . The application programming interface (API) is an interface between different parts of a computer program. REST API use the HTTP/HTTPS protocol to execute a command represented by uniform resource identifier (URI) strings. REST API is used a northbound interface to communicate between the SDN application and controller .
Chef , Puppet , and Ansible  are DevOps tools to configure servers and networks. They are widely used as infrastructure as code (IaC) for management and orchestration. In SDN environment, they can be used as northbound interfaces to communicate between SDN application and controller.
3.3 Security Threats of SDN
SDN gives rise to a new challenge of security threats such as software vulnerability, single point of failure (SPOF) of SDN controller, and DDoS attack. Programmability of SDN can increase software vulnerability if there are security holes in source codes. When SDN controller is broken in SPOF, Entire network will be out of service. DDoS attack against SDN is a critical security threat. If DDoS attack is targeted at SDN application, controller, and switch, the availability of SDN is seriously threatened.
3.4 Research Works on SDN Security
In this section, we have reviewed several research works of SDN security mainly focused on DDoS attack as follow.
(1) Security enhancement using SDN against DDoS attack
To use the architectural advantages; centralized network control and visibility of total network, SDN has been enhanced network security from the malicious DDoS attack. To use the technical advantages; network programming, SDN also has been delivered various security code to protect DDoS attack. Various research works include these as follows.
SDN-based MAC address hiding method has been proposed to protect IP spoofing attack from acquiring MAC address . Attack detection technology has been proposed using SDN controller to overcome DDoS attack in IoT environment . ArOMA, an autonomic DDoS defense framework has been proposed to leverage the programmability and centralized manageability features .
(2) Security challenges and solutions in SDN against DDoS attack
Despite of the architectural and technical advantages of SDN, the three-layer and two-interface architecture results in new security issues. The SDN controller can be especially vulnerable to DDoS attack. The SDN switch is also a weak point to fail the connection among hosts due to DDoS attack. To solve this security issues, various research works include these as follows.
FleXam has proposed a flexible per-flow sampling extension to enable the controller to access packetlevel information to detect DDoS attack more precisely . FuzzyGuard has proposed, a DDoS attack prevention extension. In it, a control network with both the protection of data flow and the convergence of attack flow is constructed in the data plane by using the idea of independent routing control flow . Moving window principal components analysis is proposed to be based anomaly detection and mitigation approach to map data onto a low-dimensional subspace and keep monitoring the network state in realtime in SDN network . Dynamic DDoS defense approach has been proposed to improve the defect of static DDoS defense mechanism .
An approach to detect large flows in real-time has been proposed to mitigate DDoS attack, when the large flows hit over the static configured thresholds . A technique to defend the DDoS SYN Flooding attack to monitor backlog queue of server has been proposed . TCP SYN flood attack detection and mitigation method has been proposed to use OpenFlow and sFlow to improve performance of detecting from only one router to many routers .
AVANT-GUARD has been proposed to a framework to advance the security of the architectural extension of OpenFlow data plane. To detect TCP session information, AVANT-GUARD filters the malicious flow request information, and sends the legitimate flow request information to the SDN controller . LineSwitch has been proposed to provide a solution based on probability and blacklisting to detect and mitigate DDoS attack . SLICOTS has been also proposed to mitigate TCP SYN flooding attack by monitoring TCP requests. When the number of half-open state of TCP connection hit over the thresholds, SLICOTS issues a flow rule to block that malicious flow . SHDA has been proposed to a mitigation method from Slow HTTP DDoS attack. SHDA monitors HTTP incomplete requests from web server, the number of requests exceeds a predefined threshold, and then block the malicious packet .
(3) Security challenges and solutions in SDN against other security threats
To overcome single point of failure caused by single SDN controller, many researchers have proposed a multi-controllers deployment scheme to distribute service traffic and implement redundancy . Mathematical implementation of common vulnerability scoring system (CVSS) and Bayesian network methodology in SDN has been proposed to identify the status of different entities while mutual exploitations take place against SDN security . Table 3 summarizes the related work on the solution and implementation against the security issues that can happen in SDN application, controller, and switch.
4. Network Functions Virtualization
In this section, the comprehensive architecture, technologies of NFV, security threats, and research works on NFV security have been explained.
4.1 Architecture of NFV
NFV is a technology to decouple network software from network hardware to virtualize network functions. As shown in Fig. 4, Traditional network architecture such as switch, router, and firewall consists of software and hardware. NFV architecture is decoupled into virtual network functions (VNFs), NFV infrastructure over virtualization layer, physical hardware in ×86 hardware server, and NFV management and orchestration .
ETSI ISG NFV released a paper to define NFV architecture in 2014. OPNFV has been working on the open standards for NFV-based VNFs . NFV can reduce capital expenditures and operating expenses, save power consumption of hardware, and increase time to market deployment by minimizing the typical engineering job . SDN and NFV are high complementary but dependent to each other. They can be sometimes combined and made more valuable technology.
In ETSI NFV model, NFV consists of three main components: NFV infrastructure (NFVI), VNFs, and NFV management and orchestration (NFV MANO) .
NFVI consists of the infrastructure components (e.g., compute, storage, and network) on a platform to support a hypervisor software (e.g., KVM) needed to run network apps. Hypervisor acts as an abstract or virtualization layer, which can be installed and operated on the commercial off-the-shelf (COTS) hardware like commodity x86 servers. VNFs are software applications that deliver network functions such as virtual switch, virtual router, and virtual firewall. The main purpose of using NFV is to deploy VNFs-based various network services that can be launched quickly, just by installing software without installing hardware. Many groups such as OPNFV take efforts to develop open-source methods to make VNFs cloud native. NFV MANO provides a dashboard service to manage NFV infrastructure and orchestrate VNFs. NFV MANO consists of three functional blocks in detail; NFV Orchestrator is used to manage network services in VNFs. VNF manager is used to manage VNFs in NFVI. Virtualization infrastructure manager (VIM) is used to control NFVI compute, storage, and network resources.
OPNFV is a project that facilitates a common NFVI, continuous integration (CI) with upstream projects, stand-alone testing toolsets, and a compliance and verification program for industry-wide testing and integration to accelerate the transformation of enterprise and service provider networks. As a common NFVI platform, OPNFV brings together upstream components across compute, storage, and network virtualization to create an end-to-end platform such as Hunter and Arno .
4.3 Security Threats of NFV
NFV gives rise to a new challenge of security threats such as VNF vulnerability, insecure interfaces, and DDoS attack . VNF can increase software vulnerability if there are security holes in VNF codes. Insecure interfaces can also be a security threat. If the packet between VNF and NFV interface is unencrypted and eavesdropping by a malicious attacker, it can be a serious security threat. Most of all, DDoS attack against NFV is a critical security threat. If DDoS attack is targeted at NFV environment, the availability of NFV is seriously threatened.
4.4 Research Works on NFV Security
In this section, we have reviewed several research works of NFV security mainly focused on DDoS attack as follow.
(1) Security enhancement using NFV
To use the architectural and technical advantages with the decoupling of software and hardware, NFV has enhanced network security and mitigates the risks of malicious cyberattack. Traditional firewalls and IDS/IPS are dependent on the performance of the hardware. More performance is required, more resource is allocated to scale up with hardware change. In NFV, more performance is required, more resource is allocated to scale out without hardware change. A quality of security has been proposed to provide adaptive security services using NFV .
(2) Security challenges and solutions in NFV against DDoS attack
Despite of the architectural and technical advantages of NFV, the physically or logically separated and distributed architecture of NFV is exposed new security threats that were not considered before. Especially DDoS attack is very critical threats to NFV environment targeting NFVI, VNFs, and NFV MANO. To solve this security issues, Research works include these as follows.
The security risks and targets of NFV is analyzed, and best practices of NFV are proposed. One of security risks is a DDoS attack to target VNFs, which a best practice to delay DDoS attack is a flexible VNF deployment . Moving target defense (MTD) based mechanism has been proposed to detect and mitigate DDoS attack . SDN, NFV, and AI are collaborated to detect and mitigate DDoS attack. A virtual public key infrastructure (vPKI) mechanism has been proposed to detect a fake VNFs . VNFbased DPI engine has been proposed to be integrated with Open vSwitch in hypervisor and is working as VNF component in virtual machine .
(3) Security challenges and solutions in NFV against other security threats
SecMANO has been proposed a design to provide NFV based security management and orchestration. It aims to deploy and manage security functions on the demands of users and customers dynamically and adaptively . Interface to network security functions (I2NSF) made by the Electronics and Telecommunications Research Institute (ETRI) in Korea has been proposed by the Internet Engineering Task Force (IETF) to network-based security services in NFV environments, such as firewall, IDS/IPS, DPI. I2NSF defines a framework and interfaces to interact with network security functions (NSFs) .
Compared to SDN, NFV requires more standardization and is necessary to research security issues and solution to deliver safe and secure network functions. Table 4 summarizes the related work on the solution and implementation against the security issues that can happen in NFVI, VNFs, and NFV MANO.
5. Network Virtualization Overlay
In this section, the comprehensive architecture, technologies of NVO, security threats, and research works on NVO security have been explained.
5.1 Architecture of NVO
NVO is a technology to create a virtual overlay network on top of the physical underlay network. As shown in Fig. 5, underlay network consists of physical nodes and links, which determines next-hop routing path based on various traditional routing protocol such as static, OSPF, BGP, and so on. Overlay network consists of virtual nodes and links, which determines next-hop routing path based on various overlay protocol such as VLAN, GRE, VXLAN, and so on .
Virtual local area network (VLAN) is a traditional technology to slice a single physical link into multiple virtual links and the maximum number of VLANs is 4,096. When data center and cloud network need to expand, the number of VLANs can be exceeded over 4,096. Generic routing encapsulation (GRE) is also a traditional technology to make an overlay virtual link over underlay physical links. Only L3 network can be virtually extended in GRE .
Network virtualization using GRE (NVGRE) is a L2 frame over IP and GRE overlay proposed by Microsoft. NVGRE encapsulation is based on GRE, which mandates the inclusion of the optional GRE key field and carries virtual subnet identifier (VSID) . Stateless transport tunneling (STT) is a L2 frame over IP and TCP overlay proposed by Nicira. STT can be applied in a software switch. But STT is now historically interesting and is a base work on GENEVE . Virtual extensible LAN (VXLAN) is a L2 frame over IP and UDP overlay proposed by VMware. VXLAN encapsulation is based on UDP and provides a 24-bit VXLAN network identifier (VNI), which typically provides a one-to-one mapping to the tenant VID . Generic network virtualization encapsulation (GENEVE) is a L2 frame over IP and UDP overlay proposed by VMware. GENEVE tunnel options are encoded in a type length value (TLV), which will be useful to new feature functionality, scalability, and security .
5.3 Security Threats of NVO
NVO uses an encapsulation that overwrites the new packet header over the original header. It has a technical advantage of hiding the original packet information under the encapsulation. However, there is a vulnerability if the packet is not encrypted but plaintext, the data can be leaked from packet sniffing. Secured tunneling and encryption mechanisms (e.g., IPsec) can be applied on NVO technology to increase security.
5.4 Research Works on NVO Security
In this section, we have reviewed several research works of NVO security mainly focused on packet encryption as follow.
(1) IPsec encryption
A multi-tunneling (e.g., GRE/TLS, GRE/IPsec) has been proposed to make IP packet to be encapsulated and encrypted with GRE and TLS, or GRE and IPsec . But the overhead of doubled encapsulated packet causes a traffic and performance delay.
The layer-2 Ethernet extension across the data center has been proposed to increase the scope against IP spoofing attack. The authentication and encryption using IPsec or other IP-based mechanism can be used to mitigate IP spoofing attack .
The mechanism like IPsec has proposed to authenticate and optionally encrypt VXLAN traffic, which the tunneled traffic over the IP network can be secured. This needs to be coupled with an authentication infrastructure for authorized end points to obtain and distribute credentials .
IPsec is proposed to provide authentication and encryption of the IP packets formed as part of GENEVE encapsulation, because GENEVE does not have any inherent security mechanisms within an encapsulated UDP/IP packet .
In addition, VXLAN over IPsec like GRE over IPsec  is proposed to provide traffic encapsulation and encryption of VXLAN and GRE with IPsec VPN . IPsec over GENEVE is proposed to provide IP encapsulating security payload (ESP) encryption to secure a layer-3 IP network .
(2) MACsec Encryption
Media access control security (MACsec) has been proposed to provide a secure connection of layer-2 Ethernet interface. MACsec encrypts every ethernet frame using the symmetric key cryptography to enhance confidentiality, integrity, and authentication of network frame. MACsec key agreement protocol (MKA) is used to discover an authenticated MACsec peers, and symmetric secure association keys (SAKs) are used to encrypt ethernet frame .
Table 5 summarizes the related works on the solution and implementation against security issues of NVO to secure a layer-3 IP packet and layer-2 Ethernet frame.
6. Open Issues and Challenges
Here are two open issues and challenges of SDN and NFV. First one still lacks a fine way to protect DDoS attack. Centralized architecture of SDN/NFV controller is a delicious target, and distributed architecture of SDN/NFV switch is also a weak point of malicious attacker. That is why many researches and developments are needed to find a way to detect and mitigate DDoS attack in SDN/NFV environment. Second one is that open and vendor-neutral SDN/NFV solutions are losing power and commercial SDN/NFV solutions are developing into their closed and vendor-specific architectures. To implement software-defined, agile, and centrally managed SDN/NFV environment successfully, SDN/NFV needs to be open standards-based and vendor-neutral.
Here are also two open issues and challenges of NVO. First one is a lack of interoperability among different NVO technologies and standardization is still on going. This issue makes network infrastructure more difficult to manage and operate, especially to do some different kinds of troubleshooting in NVO environment. Second one is a lack of packet encryption technology of overlay tunnel interface. Encapsulation is not enough to protect your data. Encapsulation and encryption need to be combined to protect your data more safely from malicious attacker.
In this paper, we have explained a survey of network virtualization technologies. SDN is a new network architecture that separates hardware and software from the network device. The virtualization of SDN is mainly focused on control plane. We have explained the three tiers and two interfaces architecture, and the applied technologies of SDN. To take advantages of the architecture and technology of SDN, it can provide you a centralized and programmable security method to detect and mitigate malicious attack such as DDoS attack. NFV is a new network architecture that decouples network software from network hardware, network function from network device, and three separated components are integrated. The virtualization of NFV is mainly focused on data plane. To take advantages of the architecture and technology of NFV, it can provide you a virtualized and function-based security method to detect and mitigate malicious attack such as DDoS attack. NVO is a new network overlay architecture that addresses the requirements of multi-tenant office or data center network, especially with the mobility of user’s device or the migration of VMs or virtual workloads. The virtualization of NVO is mainly focused on LAN or WAN. To take advantages of the architecture and technology of NVO, it can provide you a virtual overlay network with the encapsulation packets. As of security challenges, SDN, NFV, and NVO are continuously to be researched, developed, and deployed in your network to enhance your network environment.
Table 6 summarizes network virtualization mainly focused on the architecture, applied service, and the security strength and weak point of SDN, NFV, and NVO technologies in our paper.
Network virtualization technologies are the key paradigm that can improve the limitations of traditional network as we have seen a lot of research works are being done. A variety of research and technology adoption are being carried out to address potential security vulnerabilities and threats that have exploited them. Research on continuous security technologies will be needed in the future. We expect you to learn various network virtualization technologies, and apply your data center network, IoT network, and 5G mobile network for your convenience. Future research topic will focus on the detection and mitigation from DDoS attack in SDN.
Seung Hun Jeehttps://orcid.org/0000-0002-2183-0172
He received B.S. in the Department of French Language and Literature from Seoul National University in 2002, and in the Department of Computer Science from Korea National Open University in 2015. Since March 2015, he has been with the Department of Computer Science from Korea National Open University as a M.S. candidate. He has been working as a network engineer in SK since 2005.
Ji Su Parkhttps://orcid.org/0000-0001-9003-1131
He received his B.S., M.S. degrees in Computer Science from Korea National Open University, Korea, in 2003, 2005, respectively and Ph.D. degrees in Computer Science Education from Korea University, 2013. He is currently a Professor in Department of Computer Science and Engineering from Jeonju University in Korea. His research interests are in grid computing, mobile cloud computing, cloud computing, distributed system, computer education, and AIoT. He is employed as associate editor of Human-centric Computing and Information Sciences (HCIS) by Springer, The Journal of Information Processing Systems (JIPS) by KIPS. He has also served as the chair, program committee chair or organizing committee chair at international conferences and workshops. He has received "best paper" awards from the CSA2018 conferences and "outstanding service" awards from CUTE2019 and BIC2020.
Jin Gon Shonhttps://orcid.org/0000-0002-0540-4640
He received the B.Sc. degree in Mathematics and the M.S. and Ph.D. degrees in Computer Science from Korea University, Seoul, Korea. Since 1991, he has been working for Department of Computer Science, Korea National Open University. His research interests consist of two groups; computer science and e-learning fields. They include computer networks, distributed computing, wireless sensor networks, big data processing, and educational technologies such as mobile technologies and universal design for e-learning.