Mitigating Threats Emerging from the Interaction between SDN Apps and SDN (Configuration) Datastore

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Software-defined networking (SDN) has established itself in networking and standardization efforts are under way to strengthen the next generation of this essential technology. The Network Management Datastore Architecture (NMDA), RFC 8342, is the notable achievement in this regard, which standardizes the two vital SDN datastores: configuration and operational. Even though the configuration datastore itself has been standardized, the guidelines for addressing its security as well as safeguarding interactions between SDN apps and SDN configuration datastore are hazy, which leaves room for security vulnerabilities. Both industry and academia have realized the threats that arise due to the interactions between SDN apps and the SDN configuration datastore. But, to date only partial solutions exist for the problem. In this paper, we focus on mitigating such threats by proposing four security design principles that we believe should be uniformly used across all SDN platforms: (i) authentication (of SDN apps), (ii) authorization (of SDN apps), (iii) accountability (of SDN apps), (iv) real-time conflict detection and resolution of configuration rules (belonging to the same/different SDN app/s). Based on these four security design principles, we develop and present a prototype implementation of the Eirene framework, an open-source vendor independent system for ensuring secure interactions between SDN apps-SDN configuration datastore.We then evaluate the security of the Eirene framework using two datasets: (i) real-world complicated cases of rule conflicts, (ii) 50,000+ real-world configuration (attack) rules. Our experiments reveal that the Eirene system mitigates the threats that emerge from SDN apps-SDN configuration datastore interactions with a one-time latency of ≈ 7ms for the insertion of 50,000th rule in the configuration datastore.

Original languageEnglish (US)
Title of host publicationCCSW 2022 - Proceedings of the 2022 Cloud Computing Security Workshop, co-located with CCS 2022
PublisherAssociation for Computing Machinery, Inc
Pages23-39
Number of pages17
ISBN (Electronic)9781450398756
DOIs
StatePublished - Nov 7 2022
Externally publishedYes
Event13th Cloud Computing Security Workshop, CCSW 2022 - Co-located with CCS 2022 - Los Angeles, United States
Duration: Nov 7 2022 → …

Publication series

NameCCSW 2022 - Proceedings of the 2022 Cloud Computing Security Workshop, co-located with CCS 2022

Conference

Conference13th Cloud Computing Security Workshop, CCSW 2022 - Co-located with CCS 2022
Country/TerritoryUnited States
CityLos Angeles
Period11/7/22 → …

Keywords

  • configuration rules.
  • sdn apps
  • sdn configuration datastore
  • software defined networking (sdn)

ASJC Scopus subject areas

  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'Mitigating Threats Emerging from the Interaction between SDN Apps and SDN (Configuration) Datastore'. Together they form a unique fingerprint.

Cite this