TY - GEN
T1 - State-Aware network access management for software-defined networks
AU - Han, Wonkyu
AU - Hu, Hongxin
AU - Zhao, Ziming
AU - Doupe, Adam
AU - Ahn, Gail-Joon
AU - Wang, Kuang Ching
AU - Deng, Juan
N1 - Publisher Copyright:
© 2016 ACM.
PY - 2016/6/6
Y1 - 2016/6/6
AB - OpenFlow, as the prevailing technique for Software-Defined Networks (SDNs), introduces significant programmability, granularity, and flexibility for many network applications to effectively manage and process network flows. However, because OpenFlow attempts to keep the SDN data plane simple and efficient, it focuses solely on L2/L3 network transport and consequently lacks the fundamental ability of stateful forwarding in the data plane. Also, OpenFlow provides very limited access to connection-level information in the SDN controller. In particular, for network access management applications on SDNs that require comprehensive network state information, these inherent limitations of OpenFlow pose significant challenges in supporting network services. To address these challenges, we propose an innovative connection tracking framework called STATEMON that introduces global state-awareness to provide better access control in SDNs. STATEMON is based on a lightweight extension of OpenFlow for programming the stateful SDN data plane, while keeping the underlying network devices as simple as possible. To demonstrate the practicality and feasibility of STATEMON, we implement and evaluate stateful network firewall and port knocking applications for SDNs, using the APIs provided by STATEMON. Our evaluations show that STATEMON introduces minimal message exchanges for monitoring active connections in SDNs with manageable overhead (3.27% throughput degradation).
UR - http://www.scopus.com/inward/record.url?scp=84977134177&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84977134177&partnerID=8YFLogxK
U2 - 10.1145/2914642.2914643
DO - 10.1145/2914642.2914643
M3 - Conference contribution
AN - SCOPUS:84977134177
T3 - Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT
SP - 1
EP - 11
BT - SACMAT 2016 - Proceedings of the 21st ACM Symposium on Access Control Models and Technologies
PB - Association for Computing Machinery
T2 - 21st ACM Symposium on Access Control Models and Technologies, SACMAT 2016
Y2 - 6 June 2016 through 8 June 2016
ER -