Abstract
Software-Defined Networking (SDN) is an emerging networking paradigm that divides the network architecture into three distinct layers: the application, control, and data layers. This multi-layered architecture greatly simplifies the management and control of network traffic flows, but each layer relies heavily on complex network policies. Managing and enforcing these policies requires dedicated care: combining multiple network modules into an SDN application is a non-trivial job, and identifying the dependencies within a module and between modules takes considerable effort. Multi-tenant SDN applications make network management even harder, since unexpected interferences may exist between the traffic flows of different tenants. To accommodate such complex network dynamics in SDN, we propose a novel policy management framework for SDN called layered policy management (LPM). We also articulate the policy management challenges at each layer and describe appropriate resolution strategies. In addition, we present a proof-of-concept implementation and demonstrate the feasibility of our approach on an SDN-based simulated network.
This work was partially supported by the grant from Department of Energy (DE-SC0004308).
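The flow interference problem the abstract raises, as an added illustration that is not part of the paper or its LPM implementation: a small checker over constructed OpenFlow-style rules installed by two tenants and a security module. The rule set, tenant names, match fields and addresses are all assumed for the example. It reports rule pairs whose match regions overlap but whose actions differ, distinguishing a rule that a higher-priority rule fully shadows from a partial overlap (an interference) and from an equal-priority ambiguity whose outcome depends on the switch.

```python
"""Added example, not the paper's code: find policy interference between
OpenFlow-style rules installed by different modules or tenants."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Match fields considered; a field missing from a rule's match is a wildcard.
FIELDS = ("in_port", "dl_type", "nw_src", "nw_dst", "tp_dst")
PREFIX_FIELDS = ("nw_src", "nw_dst")  # compared as IPv4 prefixes, others as exact values


@dataclass(frozen=True)
class Rule:
    owner: str        # module or tenant that installed the rule (assumed label)
    priority: int     # higher wins, as in OpenFlow
    action: str       # e.g. "forward", "drop", "redirect:ids"
    match: Dict[str, str]


def values_overlap(fld: str, a: Optional[str], b: Optional[str]) -> bool:
    """True if some packet can satisfy both field constraints."""
    if a is None or b is None:
        return True
    if fld in PREFIX_FIELDS:
        return ipaddress.ip_network(a, strict=False).overlaps(
            ipaddress.ip_network(b, strict=False))
    return a == b


def value_covers(fld: str, a: Optional[str], b: Optional[str]) -> bool:
    """True if every packet matching constraint b also matches constraint a."""
    if a is None:
        return True
    if b is None:
        return False
    if fld in PREFIX_FIELDS:
        return ipaddress.ip_network(b, strict=False).subnet_of(
            ipaddress.ip_network(a, strict=False))
    return a == b


def rules_overlap(r1: Rule, r2: Rule) -> bool:
    return all(values_overlap(f, r1.match.get(f), r2.match.get(f)) for f in FIELDS)


def rule_covers(hi: Rule, lo: Rule) -> bool:
    return all(value_covers(f, hi.match.get(f), lo.match.get(f)) for f in FIELDS)


def find_conflicts(rules: List[Rule]) -> List[Tuple[str, Rule, Rule]]:
    """Return (kind, higher_rule, lower_rule) for every pair whose matches
    overlap and whose actions differ. Same-action overlaps are harmless."""
    out = []
    ordered = sorted(rules, key=lambda r: -r.priority)  # stable sort
    for i, hi in enumerate(ordered):
        for lo in ordered[i + 1:]:
            if hi.action == lo.action or not rules_overlap(hi, lo):
                continue
            if hi.priority == lo.priority:
                kind = "ambiguous"     # switch picks one; behaviour undefined by policy
            elif rule_covers(hi, lo):
                kind = "shadowed"      # lo can never fire
            else:
                kind = "interference"  # lo fires for part of its intended traffic only
            out.append((kind, hi, lo))
    return out


def summarize(conflicts: List[Tuple[str, Rule, Rule]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for kind, _, _ in conflicts:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample: a security module blocks telnet network-wide, while
# tenants forward or redirect traffic for their own subnets.
SAMPLE_RULES = [
    Rule("security", 200, "drop", {"tp_dst": "23"}),
    Rule("tenantA", 100, "forward", {"nw_dst": "10.0.1.0/24"}),
    Rule("tenantC", 100, "forward", {"nw_dst": "10.0.2.0/24"}),
    Rule("tenantB", 50, "redirect:ids", {"nw_dst": "10.0.1.128/25"}),
]

if __name__ == "__main__":
    for kind, hi, lo in find_conflicts(SAMPLE_RULES):
        print(f"{kind:12} {hi.owner}(p{hi.priority},{hi.action}) over "
              f"{lo.owner}(p{lo.priority},{lo.action})")
    print(summarize(find_conflicts(SAMPLE_RULES)))
```

On the sample set the security module's telnet drop interferes with all three tenant rules (it removes port 23 from the traffic they expect to handle), and tenantB's redirect is fully shadowed by tenantA's broader forward rule; the tenantA and tenantC forward rules overlap nothing and are skipped. A real checker would also need to handle priorities that tie and the full OpenFlow match set, but the same overlap and cover tests apply field by field.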
© 2014 IFIP International Federation for Information Processing
Cite this paper
Han, W., Hu, H., Ahn, GJ. (2014). LPM: Layered Policy Management for Software-Defined Networks. In: Atluri, V., Pernul, G. (eds) Data and Applications Security and Privacy XXVIII. DBSec 2014. Lecture Notes in Computer Science, vol 8566. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-43936-4_23
DOI: https://doi.org/10.1007/978-3-662-43936-4_23
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-43935-7
Online ISBN: 978-3-662-43936-4