Checking Multi-domain Policies in SDN
Keywords: Network Operating Systems, Software-Defined Networking, Network management, Policy Verification

Abstract

Programmable networks like SDN allow administrators to program network infrastructure according to service demand and custom-defined policies. Network policies are interpreted by the centralized controller to define actions and rules to process the network traffic on devices that belong to a single domain. However, actual networks are multi-domain, where several domains are interconnected. Then, because SDN controllers in a domain cannot define nor monitor policies in other domains, network administrators cannot ensure that their own policies (origin policies) are being enforced by the domains not directly managed by them (i.e., foreign domains). We present AudiT, a multi-domain SDN policy verifier that identifies whether an origin policy is enforced by foreign domains. AudiT comprises (1) a model for network topology, policies, and flows, (2) an Audit protocol to gather information about the actions performed by network devices to carry the flows of interest, (3) a validation engine that takes that information and detects security policy violations, and (4) an extension to the OpenFlow protocol to enable external auditing. This paper presents our approach and illustrates its application using an example considering multiple SDN networks.
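The abstract describes three of AudiT's parts at a high level: a model of topology, policies and flows; an audit protocol through which foreign domains report the actions their devices applied to a flow; and a validation engine that checks those reports against the origin policy. The following is an added illustration of that idea written for this page, not AudiT's own code or data model. Everything in it is assumed: the `Flow`/`Policy`/`DeviceAction` classes, the shape of an audit response (a domain mapped to its devices' actions in path order), the domain names A, B, C, the device names and the addresses are all constructed for the example.

```python
"""Toy multi-domain policy validator (added illustration; not AudiT's code).

Assumed model: an origin policy names a flow and the treatment it requires,
each foreign domain answers an audit with the per-device actions it applied
to that flow, and the validator checks the assembled evidence against the
policy. A domain that does not answer leaves the policy unverifiable, which
the validator reports as well.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Policy:
    origin: str                   # domain that owns the policy
    flow: Flow
    action: str                   # "drop": must not reach dst; "forward": must reach dst
    forbid_rewrite: bool = False  # header rewriting in a foreign domain is a violation


@dataclass(frozen=True)
class DeviceAction:
    domain: str
    device: str
    action: str                   # "forward", "rewrite" or "drop"
    next_hop: Optional[str]       # next device, "dst", or None once dropped


# Assumed shape of an audit response: domain -> device actions, in path order.
AuditReport = Dict[str, List[DeviceAction]]


def validate(policy: Policy, path: List[str], report: AuditReport) -> List[str]:
    """Return violation messages; an empty list means the origin policy holds."""
    violations: List[str] = []
    foreign = [d for d in path if d != policy.origin]
    missing = [d for d in foreign if d not in report]
    for d in missing:
        violations.append(f"{d}: no audit response, policy cannot be verified")
    actions = [a for d in foreign for a in report.get(d, [])]
    drops = [a for a in actions if a.action == "drop"]
    rewrites = [a for a in actions if a.action == "rewrite"]
    reaches_dst = bool(actions) and not drops and actions[-1].next_hop == "dst"
    f = policy.flow
    if policy.action == "drop" and reaches_dst:
        violations.append(f"flow {f.src}->{f.dst}:{f.dport} reaches destination; "
                          "no foreign domain dropped it")
    if policy.action == "forward":
        for a in drops:
            violations.append(f"{a.domain}/{a.device}: drops a flow the origin "
                              "policy requires forwarded")
        if not missing and not drops and not reaches_dst:
            violations.append("flow never reaches destination")
    if policy.forbid_rewrite:
        for a in rewrites:
            violations.append(f"{a.domain}/{a.device}: rewrites headers, "
                              "forbidden by origin policy")
    return violations


# Constructed scenario: domain A wants SSH towards 192.168.1.7 dropped,
# but the flow crosses foreign domains B and C on its way there.
SSH = Flow("10.0.0.5", "192.168.1.7", 22)
BLOCK_SSH = Policy(origin="A", flow=SSH, action="drop")
KEEP_INTACT = Policy(origin="A", flow=SSH, action="forward", forbid_rewrite=True)
PATH = ["A", "B", "C"]

B_FORWARDS = [DeviceAction("B", "b1", "forward", "b2"),
              DeviceAction("B", "b2", "forward", "c1")]
REPORT_FORWARDED: AuditReport = {"B": B_FORWARDS,
                                 "C": [DeviceAction("C", "c1", "forward", "dst")]}
REPORT_DROPPED: AuditReport = {"B": B_FORWARDS,
                               "C": [DeviceAction("C", "c1", "drop", None)]}
REPORT_SILENT: AuditReport = {"B": B_FORWARDS}          # C never answers
REPORT_REWRITTEN: AuditReport = {"B": [DeviceAction("B", "b1", "rewrite", "b2"),
                                       DeviceAction("B", "b2", "forward", "c1")],
                                 "C": [DeviceAction("C", "c1", "forward", "dst")]}


def check_examples() -> Dict[str, List[str]]:
    """Run the four constructed audits and return their violation lists."""
    return {
        "forwarded": validate(BLOCK_SSH, PATH, REPORT_FORWARDED),
        "dropped": validate(BLOCK_SSH, PATH, REPORT_DROPPED),
        "silent": validate(BLOCK_SSH, PATH, REPORT_SILENT),
        "rewritten": validate(KEEP_INTACT, PATH, REPORT_REWRITTEN),
    }


if __name__ == "__main__":
    for name, found in check_examples().items():
        print(f"{name}: {found or 'policy enforced'}")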
ONLINE OPEN ACCESS: Access to the full text of each article and each issue is allowed for free under the terms of the Attribution-NonCommercial 4.0 International license (CC BY-NC 4.0).
You are free to:
-Share: copy and redistribute the material in any medium or format;
-Adapt: remix, transform, and build upon the material.
The licensor cannot revoke these freedoms as long as you follow the license terms.
DISCLAIMER: The author(s) of each article appearing in International Journal of Computers Communications & Control is/are solely responsible for the content thereof; the publication of an article shall not constitute or be deemed to constitute any representation by the Editors or Agora University Press that the data presented therein are original, correct or sufficient to support the conclusions reached or that the experiment design or methodology is adequate.