Skip to main content
Annual Computer Security Applications Conference (ACSAC) 2017

Full Program »

A Security-Mode for Carrier-Grade SDN Controllers

Management approaches to modern networks are increasingly influenced by software-defined networks (SDNs), and this increased influence is reflected in the growth of commercially available innovative SDN-based switches, controllers and applications. To date, there have been a number of commercial and open-source SDN operating systems (NOS) introduced for various purposes, including distributed controller frameworks targeting large, carrier-grade networks such as the Open Network Operating System (ONOS) and OpenDayLight (ODL). These frameworks are distinguished by their (i) elastic cluster controller architecture, (ii) network virtualization support, and (iii) modular design. Given their flexible design, growing list of supported features, and collaborative community support, these are attractive hosting platforms for a wide range of third-party distributed network management applications. This paper identifies the common security requirements for policy enforcement in such distributed controller environments. We present the design of a network application permission-enforcement model and an integrated security subsystem (SM-ONOS) for managing distributed applications running on an ONOS controller. We discuss the underlying motivations of its security extensions and their implications for improving our understanding of how to securely manage large-scale SDNs. Our performance assessments demonstrate that the security-mode extension imposed reasonable overheads (ranging from 5 to 20% for 1-7 node clusters).

Changhoon Yoon
KAIST
South Korea

Seungwon Shin
KAIST
South Korea

Phillip Porras
SRI International
United States

Vinod Yegneswaran
SRI International
United States

Heedo Kang
KAIST
South Korea

Martin Fong
SRI International
United States

Brian O'Connor
Open Networking Laboratory
United States

Thomas Vachuska
Open Networking Laboratory
United States

 

Powered by OpenConf®
Copyright ©2002-2017 Zakon Group LLC