Authorizing Network Control at Software Defined Internet Exchange Points

Software Defined Internet Exchange Points (SDXes) increase the flexibility of interdomain traffic delivery on the Internet. Yet, an SDX inherently requires multiple participants to have access to a single, shared physical switch, which creates the need for an authorization mechanism to mediate this access. In this paper, we introduce a logic and mechanism called FLANC (A Formal Logic for Authorizing Network Control), which authorizes each participant to control forwarding actions on a shared switch and also allows participants to delegate forwarding actions to other participants at the switch (e.g., a trusted third party). FLANC extends the "says" and "speaks for" logics that were previously designed for operating-system objects so that they can handle expressions involving network traffic flows. We describe FLANC, explain how participants can use it to express authorization policies for realistic interdomain routing settings, and demonstrate that it is efficient enough to operate in operational settings.
