6 Citations (Scopus)

Abstract

OpenFlow, as the prevailing technique for Software-Defined Networks (SDNs), introduces significant programmability, granularity, and flexibility for many network applications to effectively manage and process network flows. However, because OpenFlow attempts to keep the SDN data plane simple and efficient, it focuses solely on L2/L3 network transport and consequently lacks the fundamental ability of stateful forwarding for the data plane. Also, OpenFlow provides very limited access to connection-level information in the SDN controller. In particular, for any network access management applications on SDNs that require comprehensive network state information, these inherent limitations of OpenFlow pose significant challenges in supporting network services. To address these challenges, we propose an innovative connection tracking framework called STATEMON that introduces global state-awareness to provide better access control in SDNs. STATEMON is based on a lightweight extension of OpenFlow for programming the stateful SDN data plane, while keeping the underlying network devices as simple as possible. To demonstrate the practicality and feasibility of STATEMON, we implement and evaluate a stateful network firewall and port knocking applications for SDNs, using the APIs provided by STATEMON. Our evaluations show that STATEMON introduces minimal message exchanges for monitoring active connections in SDNs with manageable overhead (3.27% throughput degradation).

Original language: English (US)
Title of host publication: SACMAT 2016 - Proceedings of the 21st ACM Symposium on Access Control Models and Technologies
Publisher: Association for Computing Machinery
Pages: 1-11
Number of pages: 11
Volume: 06-08-June-2016
ISBN (Electronic): 9781450338028
DOIs: https://doi.org/10.1145/2914642.2914643
State: Published - Jun 6 2016
Event: 21st ACM Symposium on Access Control Models and Technologies, SACMAT 2016 - Shanghai, China
Duration: Jun 6 2016 to Jun 8 2016

Other

Other: 21st ACM Symposium on Access Control Models and Technologies, SACMAT 2016
Country: China
City: Shanghai
Period: 6/6/16 to 6/8/16

Fingerprint

Application programming interfaces (API)
Access control
Throughput
Degradation
Controllers
Monitoring

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality
  • Information Systems

Cite this

Han, W., Hu, H., Zhao, Z., Doupe, A., Ahn, G-J., Wang, K. C., & Deng, J. (2016). State-Aware network access management for software-defined networks. In SACMAT 2016 - Proceedings of the 21st ACM Symposium on Access Control Models and Technologies (Vol. 06-08-June-2016, pp. 1-11). Association for Computing Machinery. https://doi.org/10.1145/2914642.2914643

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

@inproceedings{8a321078853c4bdeb2a68f1fbb9b85d0,
title = "State-Aware network access management for software-defined networks",
author = "Wonkyu Han and Hongxin Hu and Ziming Zhao and Adam Doupe and Gail-Joon Ahn and Wang, {Kuang Ching} and Juan Deng",
year = "2016",
month = "6",
day = "6",
doi = "10.1145/2914642.2914643",
language = "English (US)",
volume = "06-08-June-2016",
pages = "1--11",
booktitle = "SACMAT 2016 - Proceedings of the 21st ACM Symposium on Access Control Models and Technologies",
publisher = "Association for Computing Machinery",

}

TY - GEN
T1 - State-Aware network access management for software-defined networks
AU - Han, Wonkyu
AU - Hu, Hongxin
AU - Zhao, Ziming
AU - Doupe, Adam
AU - Ahn, Gail-Joon
AU - Wang, Kuang Ching
AU - Deng, Juan
PY - 2016/6/6
Y1 - 2016/6/6
UR - http://www.scopus.com/inward/record.url?scp=84977134177&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84977134177&partnerID=8YFLogxK
U2 - 10.1145/2914642.2914643
DO - 10.1145/2914642.2914643
M3 - Conference contribution
VL - 06-08-June-2016
SP - 1
EP - 11
BT - SACMAT 2016 - Proceedings of the 21st ACM Symposium on Access Control Models and Technologies
PB - Association for Computing Machinery
ER -