SDNKeeper: Lightweight Resource Protection and Management System for SDN-based Cloud (PowerPoint presentation)

Uploaded by marina-yarberry on 2019-10-31


Xue Leng, Kaiyu Hou, Yan Chen, Kai Bu, Libin Song (Zhejiang University, Northwestern University)




Presentation Transcript

1 SDNKeeper: Lightweight Resource Protection and Management System for SDN-based Cloud. Xue Leng*, Kaiyu Hou#, Yan Chen*#, Kai Bu*, Libin Song#. *Zhejiang University, #Northwestern University. IEEE/ACM IWQoS 2018.

2-3 Background: What is SDN-based Cloud? Figure: an SDN controller built as a core project plus plugins; a cloud platform and cloud applications sit above it and reach the controller through the Northbound Interface (NBI).

4-5 Problem 1: Absence of Effective Access Control. Figure: applications sending requests to the SDN controller. Three threat cases: inaccurate requests from applications; requests tampered with in transit; malicious requests sent through the NBI directly.

6-7 Problem 2: Absence of Unified Management. Figure: application, SDN controller and its plugins. Consequences: inflexible control of resources¹; error-prone network configuration. ¹ A resource is anything that can be utilized to provide services in response to client requests.

8-10 Current solutions and their limitations:
- Access control on requests ([JNSM'18], AAA Project in ODL): verifies the legitimacy of the user's identity but omits the legitimacy of the user's operation; coarse-grained.
- Reconciliation inside the plugin (SDNShield [DSN'16]): requires code modification; inflexible.
- Redesigning the API and controller architecture [HotSDN'14, SIGCOMM CCR'13]: poor interoperability.

11-14 SDNKeeper architecture. Figure: SDNKeeper sits between the REST service and the controller kernel with its plugins, and consists of an Access Control Filter, a Policy Interpreter, a Permission Engine and a Policy Data Store. The administrator writes policies into the data store; application requests pass through the access control filter. Properties: applicability, administrator friendliness, centralized management, hot update.

15 Detailed Designs: Policy Language – flexible permission abstractions; Policy Interpreter – parsing semantic policies; Permission Engine – performing access control on requests.

16-17 Policy Language: Attribute Based Access Control. A REST request is decomposed into Subject (requester), Object (resource) and Environment (time). A permission is written as P(S, O, E) <- Logic Expression(ATTR(S), ATTR(O), ATTR(E)). Policy: a set of assertion expressions. Composition: iteration of if-statements and logical operators. Return: ACCEPT / REJECT.

18-19 Policy: a Global Policy applies to all requests; a Local Policy applies to an individual user group and user. Design goals noted on the slide: performance; expressiveness and simplicity.


21 Policy Interpreter. Figure: the expression (A && (B || C)) parsed into a tree whose leaves are an attribute or a comparison value, whose inner nodes are logical operators, and whose root yields the checking result.


23-24 Permission Engine flow. Step 1: check the request against the global policies; if a policy matches and its checking result is REJECT, return REJECT. Step 2: check the request against the local policies in the same way. Step 3: once all policies have been checked without a REJECT, return ACCEPT.
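As an added illustration (not the authors' code), the following Python sketch ties the three design pieces together: attribute paths in the style of the backup slides (subject.role, action.method, $.network.network_type), a tree-walking interpreter for the logical expression, and the permission engine's global-then-local check. The policies, the /networks URI and the attribute values are constructed, and the rule that a matched policy ends the check only when its result is REJECT is my reading of the flow chart.

```python
# Policy = (name, expression, decision). Expression = nested tuple, e.g.
# ("&&", e1, e2), ("||", e1, e2), ("==", attr, v), ("!=", attr, v).
# Attribute paths follow the deck: subject.*, action.*, and $.<object>.<field> for the body.
def lookup(attr, request):
    """Resolve ATTR(S)/ATTR(O)/ATTR(E) paths against one decomposed REST request."""
    in_body = attr.startswith("$.")
    node = request["body"] if in_body else request
    for key in (attr[2:] if in_body else attr).split("."):
        if not isinstance(node, dict) or key not in node:
            return None  # an absent attribute never satisfies a comparison
        node = node[key]
    return node

def evaluate(expr, request):
    """Interpreter: walk the expression tree; leaves compare an attribute with a value."""
    op = expr[0]
    if op == "&&":
        return evaluate(expr[1], request) and evaluate(expr[2], request)
    if op == "||":
        return evaluate(expr[1], request) or evaluate(expr[2], request)
    value = lookup(expr[1], request)
    if op == "==":
        return value == expr[2]
    if op == "!=":
        return value is not None and value != expr[2]
    raise ValueError(f"unknown operator {op!r}")

def check(request, global_policies, local_policies):
    """Permission engine: global policies first, then the local policies of the requester's
    group and user; the first matched REJECT ends the check (my reading), otherwise ACCEPT."""
    subject = request["subject"]
    ordered = list(global_policies)
    ordered += local_policies.get(subject.get("group"), [])
    ordered += local_policies.get(subject.get("user"), [])
    for _name, expr, decision in ordered:
        if evaluate(expr, request) and decision == "REJECT":
            return "REJECT"
    return "ACCEPT"

# Constructed sample policies (hypothetical URI and values, not from the paper).
GLOBAL_POLICIES = [("non-admin-delete", ("&&", ("==", "action.method", "DELETE"),
                                          ("!=", "subject.role", "admin")), "REJECT")]
LOCAL_POLICIES = {"tenant-b": [("b-no-vxlan", ("&&", ("==", "action.uri", "/networks"),
                                               ("==", "$.network.network_type", "vxlan")), "REJECT")]}

def make_request(user, group, role, method, uri, body):
    """Decompose a REST request into Subject, Object (action + body) and Environment (time)."""
    return {"subject": {"user": user, "group": group, "role": role},
            "action": {"method": method, "uri": uri}, "body": body, "env": {"time": "12:00"}}
```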

25 Implementation: a filter-based, independent bundle. Realized on the OpenDaylight controller; no modification is required to the controller or the applications. Support for dynamic management through CLI commands (SDNKeeper: load/cache).

26-27 Effectiveness. APIs and attributes covered, by type:

Type          #API  #Attribute
Networking    6     220
Meter         2     13
Firewall      3     83
QoS           2     31
Security      2     24
Load Balance  2     81
VPN           4     104
BGP VPN       1     22
SFC           4     60
L2 Gateway    2     26

2789 policies in total: 30 policies – all kinds of APIs; 185 policies – all kinds of actions in an API; 664 policies – all kinds of attributes; 1910 policies – all possible combinations of two attributes. Tested against 2789 illegal requests (issued as User A and User B).

28-29 Processing Delay. Figures: latency of SDNKeeper, and latency of SDNKeeper vs. OpenDaylight (bar values shown: 1.5974, 4.2536, 3.5703, 3.3008, 1.0809 and 0.039, 0.101, 0.061, 0.391; bar labels and units are not present in the transcript). Result: an average added delay of 0.15 ms; no significant increase in latency.

30-31 Throughput. Figures: throughput of SDNKeeper, and throughput of SDNKeeper vs. OpenDaylight (bar values shown: 807 and 650). Result: 5.09% degradation in the worst case, 3.05% degradation overall; no significant effect on throughput.

32 Conclusions. SDNKeeper: a lightweight access control system. Defending against malicious requests; assisting in managing resources; real-time protection and policy hot-update; reliable enforcement with good performance. Thank you. lengxue_2015@outlook.com

33 Back Up Page

34-36 Policy Language (backup): Attribute Based Access Control. A REST request is decomposed into Subject (requester), Object (resource) and Environment (time) using a predefined data structure of attributes: subject.role, subject.user, action.uri, action.method, and $.{object_name}.attribute for the request body (e.g. $.network.network_type). P(S, O, E) <- Logic Expression(ATTR(S), ATTR(O), ATTR(E)). Policy: a set of assertion expressions. Composition: iteration of if-statements and logical operators. Return: ACCEPT / REJECT.