State-Aware network access management for software-defined networks

TY - GEN

T1 - State-Aware network access management for software-defined networks

AU - Han, Wonkyu

AU - Hu, Hongxin

AU - Zhao, Ziming

AU - Doupe, Adam

AU - Ahn, Gail-Joon

AU - Wang, Kuang Ching

AU - Deng, Juan

PY - 2016/6/6

Y1 - 2016/6/6

N2 - OpenFlow, as the prevailing technique for Software-Defined Networks (SDNs), introduces significant programmability, granularity, and flexibility for many network applications to effectively manage and process network flows. However, because OpenFlow attempts to keep the SDN data plane simple and efficient, it focuses solely on L2/L3 network transport and consequently lacks the fundamental ability of stateful forwarding for the data plane. Also, OpenFlow provides a very limited access to connection-level information in the SDN controller. In particular, for any network access management applications on SDNs that require comprehensive network state information, these inherent limitations of Open-Flow pose significant challenges in supporting network services. To address these challenges, we propose an innovative connection tracking framework called STATEMON that introduces a global state-Awareness to provide better access control in SDNs. STATEMON is based on a lightweight extension of OpenFlow for programming the stateful SDN data plane, while keeping the underlying network devices as simple as possible. To demonstrate the practicality and feasibility of STATEMON, we implement and evaluate a stateful network firewall and port knocking applications for SDNs, using the APIs provided by STATEMON. Our evaluations show that STATEMON introduces minimal message exchanges for monitoring active connections in SDNs with manageable overhead (3.27% throughput degradation).

AB - OpenFlow, as the prevailing technique for Software-Defined Networks (SDNs), introduces significant programmability, granularity, and flexibility for many network applications to effectively manage and process network flows. However, because OpenFlow attempts to keep the SDN data plane simple and efficient, it focuses solely on L2/L3 network transport and consequently lacks the fundamental ability of stateful forwarding for the data plane. Also, OpenFlow provides a very limited access to connection-level information in the SDN controller. In particular, for any network access management applications on SDNs that require comprehensive network state information, these inherent limitations of Open-Flow pose significant challenges in supporting network services. To address these challenges, we propose an innovative connection tracking framework called STATEMON that introduces a global state-Awareness to provide better access control in SDNs. STATEMON is based on a lightweight extension of OpenFlow for programming the stateful SDN data plane, while keeping the underlying network devices as simple as possible. To demonstrate the practicality and feasibility of STATEMON, we implement and evaluate a stateful network firewall and port knocking applications for SDNs, using the APIs provided by STATEMON. Our evaluations show that STATEMON introduces minimal message exchanges for monitoring active connections in SDNs with manageable overhead (3.27% throughput degradation).

UR - http://www.scopus.com/inward/record.url?scp=84977134177&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84977134177&partnerID=8YFLogxK

U2 - 10.1145/2914642.2914643

DO - 10.1145/2914642.2914643

M3 - Conference contribution

VL - 06-08-June-2016

SP - 1

EP - 11

BT - SACMAT 2016 - Proceedings of the 21st ACM Symposium on Access Control Models and Technologies

PB - Association for Computing Machinery

ER -