
Collaborating with the Enemy on Network Management

  • Conference paper
  • Security Protocols XXII (Security Protocols 2014)

Abstract

Software Defined Networking (SDN) deconstructs the current routing infrastructure into a small number of controllers, which are general purpose computers, and a large number of switches, which are programmable forwarding engines. It is already deployed in data centres, where it offers considerable advantages of both cost and flexibility over a switching fabric of traditional routers. Such applications have a single controlling organisation, and issues of trust between subdomains do not really arise. However, for SDN to fulfil its potential, it is necessary to design and develop mechanisms for smart networks with mutually mistrustful principals.

In an earlier paper, we used as an example an airport where we might have 100,000 staff working for 3,000 different firms, which include not just competitors but also organisations in a state of conflict (for example, El Al and Iran Air). That paper discussed using hierarchical control structures to delegate trust, with mechanisms focussed on preventing denial-of-service attacks, on the assumption that confidentiality and integrity would be provided by the principals at higher layers. But this turns out to be a quagmire. Can you run your app and your enemy’s app on the same controllers of the same fabric, and get a passable separation of behaviour on private networks that run over the same switches? And can all this be done without a trusted root anywhere?

This paper reports a project to build a test environment that adapts Quagga so that a software defined network can be automatically configured using information learned from BGP. Our Quagga for SDN Module, “QuaSM”, is designed to support the use of SDN in three further use cases: in a network exchange point; in an organisation seeking to join up two or more SDN islands using an existing BGP fabric; and in security research on virtual networking.
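The two ideas the abstract combines, configuring a forwarding fabric from BGP-learned routes and keeping mutually mistrustful tenants apart on the same switches, can be made concrete with a small worked example. The following Python is an added illustration and is not QuaSM's code or any code from the paper. It assumes a simplified fabric in which each tenant's slice is identified by a tag carried on every packet (a VLAN id, say), each egress port belongs to exactly one tenant, and longest-prefix matching is emulated with OpenFlow-style entry priorities. The tenant names, prefixes, ports and tags are constructed for the example.

```python
"""Illustrative example: compile BGP-learned routes belonging to mutually
mistrustful tenants into tag-qualified, priority-ordered flow entries for a
shared switch, then check that no entry crosses a tenant boundary.

This is an added example, not QuaSM's code.  Tenant names, prefixes, port
numbers and tags are constructed for the example."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str, int]  # (tenant, prefix, egress port)

# Constructed input: routes a BGP speaker such as Quagga might have learned,
# tagged with the tenant slice each belongs to.
LEARNED_ROUTES: List[Route] = [
    ("airline_a", "10.1.0.0/16", 1),
    ("airline_a", "10.1.5.0/24", 2),    # more specific: must beat the /16
    ("airline_b", "10.1.5.0/24", 3),    # same prefix, different tenant
    ("airline_b", "192.0.2.0/24", 3),
]

# Assumed fabric conventions: each slice is identified by a tag (e.g. a VLAN
# id) carried on every packet, and each egress port belongs to one tenant.
TENANT_TAGS: Dict[str, int] = {"airline_a": 100, "airline_b": 200}
PORT_OWNER: Dict[int, str] = {1: "airline_a", 2: "airline_a", 3: "airline_b"}


@dataclass(frozen=True)
class FlowEntry:
    priority: int        # higher wins; set to prefix length for LPM
    tenant_tag: int      # match field: the slice this entry applies to
    dst: IPv4Network     # match field: destination prefix
    out_port: int        # action: forward here


def compile_flows(routes: List[Route], tags: Dict[str, int]) -> List[FlowEntry]:
    """Turn routes into flow entries, most specific first.

    OpenFlow has no longest-prefix-match of its own, so the prefix length is
    used as the entry priority.  Every entry also matches on the tenant tag,
    so two tenants may announce the same prefix without either one's packets
    being forwarded by the other's rule.
    """
    flows = [
        FlowEntry(priority=ip_network(prefix).prefixlen,
                  tenant_tag=tags[tenant],
                  dst=ip_network(prefix),
                  out_port=port)
        for tenant, prefix, port in routes
    ]
    return sorted(flows, key=lambda f: f.priority, reverse=True)


def lookup(flows: List[FlowEntry], tenant_tag: int, dst_ip: str) -> Optional[int]:
    """Emulate the switch pipeline: first matching entry in priority order wins.
    No match means the packet is dropped (None), not forwarded by default."""
    addr = ip_address(dst_ip)
    for entry in flows:
        if entry.tenant_tag == tenant_tag and addr in entry.dst:
            return entry.out_port
    return None


def check_isolation(flows: List[FlowEntry], tags: Dict[str, int],
                    port_owner: Dict[int, str]) -> List[FlowEntry]:
    """Return entries that forward one tenant's packets to another tenant's
    port (or to a port nobody owns).  Run this before pushing a compiled table
    to the switches: a single wrong route learned from BGP is enough to
    breach the separation between slices."""
    return [
        entry for entry in flows
        if tags.get(port_owner.get(entry.out_port, ""), None) != entry.tenant_tag
    ]


if __name__ == "__main__":
    table = compile_flows(LEARNED_ROUTES, TENANT_TAGS)
    for entry in table:
        print(entry)
    print("airline_a -> 10.1.5.7 leaves via port", lookup(table, 100, "10.1.5.7"))
    print("violations:", check_isolation(table, TENANT_TAGS, PORT_OWNER))
```

The isolation check is deliberately applied to the compiled table rather than to the routes, because the table is what the switch will actually execute. It only models the data plane: whether the separation holds in practice also depends on the switch honouring the tag match and on who is allowed to feed routes to the controller in the first place, which is exactly the trust question the abstract leaves open.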


Notes

  1. Firewall rules are not straightforward, and it may be necessary to configure each firewall differently: where not all the firewalls in the network are of the same make and model; or where for performance or other reasons not all rules for the network can be installed in every router; or where the rules for different parts of the network simply aren’t the same; and so on.

References

  1. Yu, D., Moore, A.W., Hall, C., Anderson, R.: Authentication for resilience: the case of SDN. In: Christianson, B., Malcolm, J., Stajano, F., Anderson, J., Bonneau, J. (eds.) Security Protocols 2013. LNCS, vol. 8263, pp. 39–44. Springer, Heidelberg (2013)

  2. Feamster, N., Rexford, J., Zegura, E.: The road to SDN: an intellectual history of programmable networks. Queue 11(12), 20–32 (December 2013)

  3. Limoncelli, T.: OpenFlow: a radical new idea in networking. Queue 10(6), 40–46 (June 2012)

  4. Caesar, M., Caldwell, D., Feamster, N., Rexford, J., Shaikh, A., van der Merwe, J.: Design and implementation of a routing control platform. In: NSDI 2005, pp. 15–28 (2005)

  5. McKeown, N., Anderson, T., Balakrishnan, H., Parulkar, G., Peterson, L., Rexford, J., Shenker, S., Turner, J.: OpenFlow: enabling innovation in campus networks. ACM SIGCOMM Comput. Commun. Rev. 38(2), 69–74 (2008)

  6. Jain, S., Kumar, A., Mandal, S., Ong, J., Poutievski, L., Singh, A., Venkata, S., Wanderer, J., Zhou, J., Zhu, M., Zolla, J., Hölzle, U., Stuart, S., Vahdat, A.: B4: experience with a globally-deployed software defined WAN. In: SIGCOMM 2013. http://cseweb.ucsd.edu/~vahdat/papers/b4-sigcomm13.pdf

  7. Cheshire, S.: Latency and the quest for interactivity. http://www.stuartcheshire.org/papers/LatencyQuest.html

  8. Geelhoed, E., Parker, A., Williams, D., Groen, M.: Effects of latency on telepresence. Hewlett Packard technical report HPL-2009-120 (June 2009). http://www.hpl.hp.com/techreports/2009/HPL-2009-120.pdf

  9. Gupta, A., Shahbaz, M., Vanbever, L., Kim, H., Clark, R., Feamster, N., Rexford, J., Shenker, S.: SDX: a software defined internet exchange. Georgia Institute of Technology, SCS technical report GT-CS-13-06 (2013). https://smartech.gatech.edu/handle/1853/49629

  10. Hall, C.: quagga.euro-ix. https://github.com/GMCH


Acknowledgement

The work described in this paper was funded under DARPA BA 12-29 FA8750-13-2-0023, ‘Hardening the next generation control plane’, whose support is gratefully acknowledged.

Author information

Corresponding author

Correspondence to Ross Anderson.


Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Hall, C. et al. (2014). Collaborating with the Enemy on Network Management. In: Christianson, B., Malcolm, J., Matyáš, V., Švenda, P., Stajano, F., Anderson, J. (eds) Security Protocols XXII. Security Protocols 2014. Lecture Notes in Computer Science, vol. 8809. Springer, Cham. https://doi.org/10.1007/978-3-319-12400-1_15


  • DOI: https://doi.org/10.1007/978-3-319-12400-1_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-12399-8

  • Online ISBN: 978-3-319-12400-1
