TY - GEN
T1 - Mitigating Threats Emerging from the Interaction between SDN Apps and SDN (Configuration) Datastore
AU - Habib, Sana
AU - Bao, Tiffany
AU - Shoshitaishvili, Yan
AU - Doupé, Adam
N1 - Publisher Copyright:
© 2022 ACM.
PY - 2022/11/7
Y1 - 2022/11/7
N2 - Software-defined networking (SDN) has established itself in networking, and standardization efforts are under way to strengthen the next generation of this essential technology. The Network Management Datastore Architecture (NMDA), RFC 8342, is the notable achievement in this regard, which standardizes the two vital SDN datastores: configuration and operational. Even though the configuration datastore itself has been standardized, the guidelines for addressing its security as well as safeguarding interactions between SDN apps and the SDN configuration datastore are hazy, which leaves room for security vulnerabilities. Both industry and academia have realized the threats that arise due to the interactions between SDN apps and the SDN configuration datastore. But, to date, only partial solutions exist for the problem. In this paper, we focus on mitigating such threats by proposing four security design principles that we believe should be uniformly used across all SDN platforms: (i) authentication (of SDN apps), (ii) authorization (of SDN apps), (iii) accountability (of SDN apps), (iv) real-time conflict detection and resolution of configuration rules (belonging to the same/different SDN app/s). Based on these four security design principles, we develop and present a prototype implementation of the Eirene framework, an open-source, vendor-independent system for ensuring secure interactions between SDN apps and the SDN configuration datastore. We then evaluate the security of the Eirene framework using two datasets: (i) real-world complicated cases of rule conflicts, (ii) 50,000+ real-world configuration (attack) rules. Our experiments reveal that the Eirene system mitigates the threats that emerge from SDN apps-SDN configuration datastore interactions with a one-time latency of ≈ 7ms for the insertion of the 50,000th rule in the configuration datastore.
AB - Software-defined networking (SDN) has established itself in networking, and standardization efforts are under way to strengthen the next generation of this essential technology. The Network Management Datastore Architecture (NMDA), RFC 8342, is the notable achievement in this regard, which standardizes the two vital SDN datastores: configuration and operational. Even though the configuration datastore itself has been standardized, the guidelines for addressing its security as well as safeguarding interactions between SDN apps and the SDN configuration datastore are hazy, which leaves room for security vulnerabilities. Both industry and academia have realized the threats that arise due to the interactions between SDN apps and the SDN configuration datastore. But, to date, only partial solutions exist for the problem. In this paper, we focus on mitigating such threats by proposing four security design principles that we believe should be uniformly used across all SDN platforms: (i) authentication (of SDN apps), (ii) authorization (of SDN apps), (iii) accountability (of SDN apps), (iv) real-time conflict detection and resolution of configuration rules (belonging to the same/different SDN app/s). Based on these four security design principles, we develop and present a prototype implementation of the Eirene framework, an open-source, vendor-independent system for ensuring secure interactions between SDN apps and the SDN configuration datastore. We then evaluate the security of the Eirene framework using two datasets: (i) real-world complicated cases of rule conflicts, (ii) 50,000+ real-world configuration (attack) rules. Our experiments reveal that the Eirene system mitigates the threats that emerge from SDN apps-SDN configuration datastore interactions with a one-time latency of ≈ 7ms for the insertion of the 50,000th rule in the configuration datastore.
KW - configuration rules
KW - sdn apps
KW - sdn configuration datastore
KW - software defined networking (sdn)
UR - http://www.scopus.com/inward/record.url?scp=85142616048&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85142616048&partnerID=8YFLogxK
U2 - 10.1145/3560810.3564265
DO - 10.1145/3560810.3564265
M3 - Conference contribution
AN - SCOPUS:85142616048
T3 - CCSW 2022 - Proceedings of the 2022 Cloud Computing Security Workshop, co-located with CCS 2022
SP - 23
EP - 39
BT - CCSW 2022 - Proceedings of the 2022 Cloud Computing Security Workshop, co-located with CCS 2022
PB - Association for Computing Machinery, Inc
T2 - 13th Cloud Computing Security Workshop, CCSW 2022 - Co-located with CCS 2022
Y2 - 7 November 2022
ER -