[Abstract] Network security protocols such as IPsec have been used for many years to ensure robust end-to-end communication and are important in the context of SDN. Despite the widespread deployment of IPsec to date, the per-packet protection offered by the protocol is not very compatible with OpenFlow and flow-like behavior. The OpenFlow architecture cannot aggregate IPsec-ESP flows in transport mode or tunnel mode because layer-3 information is encrypted and therefore unreadable. In this paper, we propose using the Security Parameter Index (SPI) of IPsec within the OpenFlow architecture to identify and direct IPsec flows. This enables IPsec to conform to the packet-based behavior of the OpenFlow architecture. In addition, by distinguishing between IPsec flows, the architecture is particularly suited to secure group communication.
[Keywords] IPsec; OpenFlow; secure group communication; group domain of interpretation (GDOI); flow-based switching
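
The SPI-based flow identification proposed in the abstract can be modelled in a few lines. This is an added illustration, not code from the paper: it assumes plain IPv4 ESP (no UDP encapsulation), and the flow table, action strings, addresses and SPI values are constructed for the example.

```python
import socket
import struct

ESP_PROTO = 50  # IANA protocol number for ESP (RFC 4303)

def esp_flow_key(packet: bytes):
    """Return (src, dst, spi) for an IPv4 ESP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes
    if ihl < 20 or packet[9] != ESP_PROTO or len(packet) < ihl + 8:
        return None  # not ESP, or too short to hold SPI + sequence number
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    # SPI and sequence number precede the encrypted payload and stay readable.
    spi, _seq = struct.unpack_from("!II", packet, ihl)
    return (src, dst, spi)

def lookup(flow_table, packet, default="to_controller"):
    """Match on (src, dst, SPI); unknown or non-ESP traffic gets the default."""
    key = esp_flow_key(packet)
    return flow_table.get(key, default) if key else default

def build_esp_packet(src, dst, spi, seq, ciphertext, proto=ESP_PROTO):
    """Constructed sample: minimal IPv4 header (checksum left 0) + ESP header."""
    total = 20 + 8 + len(ciphertext)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!II", spi, seq) + ciphertext

# Constructed flow table: two security associations between the same hosts
# are steered to different (hypothetical) output actions by SPI alone.
FLOW_TABLE = {
    ("10.0.0.1", "10.0.0.2", 0x1001): "output:2",
    ("10.0.0.1", "10.0.0.2", 0x1002): "output:3",
}

if __name__ == "__main__":
    for spi in (0x1001, 0x1002, 0x9999):
        pkt = build_esp_packet("10.0.0.1", "10.0.0.2", spi, 1, b"\x00" * 16)
        print(hex(spi), lookup(FLOW_TABLE, pkt))
```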