
Attribute-Guard: Attribute-Based Flow Access Control Framework in Software-Defined Networking

Published: 01 January 2020

Abstract

Software-defined networking (SDN) decouples the control plane from the data plane, offering flexible network configuration and management. This architecture, however, leaves some security features missing. On the one hand, because the data plane only performs packet forwarding, it cannot effectively authenticate the validity of the data it carries. On the other hand, OpenFlow can only match on network characteristics, so fine-grained access control cannot be achieved. In this paper, we aim to develop solutions that guarantee the validity of flows in SDN and present Attribute-Guard, a fine-grained access control and authentication scheme for flows in SDN. We design an attribute-based flow authentication protocol to verify the legitimacy of flows. An attribute identifier is used as a matching field to define forwarding control. Flow matching based on the attribute identifier and the flow authentication protocol jointly implement fine-grained access control. We conduct a theoretical analysis and a simulation-based evaluation of Attribute-Guard. The results show that Attribute-Guard can efficiently identify and reject fake flows.


Published In

Security and Communication Networks, Volume 2020, 2020, 3122 pages
ISSN: 1939-0114
EISSN: 1939-0122
This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Publisher

John Wiley & Sons, Inc., United States

Qualifiers

  • Research-article
