Reference : ANCHOR: logically-centralized security for Software-Defined Networks
E-prints/Working papers : Already available on another site
Engineering, computing & technology : Computer science
Computational Sciences
ANCHOR: logically-centralized security for Software-Defined Networks
Kreutz, Diego [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) >]
Yu, Jiangshan [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) >]
Ramos, Fernando M. V. [> >]
Verissimo, Paulo mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) >]
[en] Software-de ned networking ; SDN ; non-functional properties ; control plane ; security ; perfect forward secrecy ; post-compromise security ; post-compromise recovery ; post-quantum secure
[en] Software-de ned networking (SDN) decouples the control and data planes of traditional networks, logically centralizing the functional properties of the network in the SDN controller. While this centralization brought advantages such as a faster pace of innovation, it also disrupted some of the natural defenses of traditional architectures against di erent threats. The literature on SDN has mostly been concerned with the functional side, despite some speci c works concerning non-functional properties like ‘security’ or ‘dependability’. Though addressing the latter in an ad-hoc, piecemeal way, may work, it will most likely lead to e ciency and e ectiveness problems.
We claim that the enforcement of non-functional properties as a pillar of SDN robustness calls for a systemic approach. We further advocate, for its materialization, the re-iteration of the successful formula behind SDN – ‘logical centralization’. As a general concept, we propose anchor, a subsystem architecture that promotes the logical
centralization of non-functional properties. To show the e ectiveness of the concept, we focus on ‘security’ in this paper: we identify the current security gaps in SDNs and we populate the architecture middleware with the appropriate security mechanisms, in a global and consistent manner. anchor sets to provide essential security mechanisms such as strong entropy, resilient pseudo-random generators, secure device registration and association, among other crucial services.
We claim and justify in the paper that centralizing such mechanisms is key for their e ectiveness, by allowing us to: de ne and enforce global policies for those properties; reduce the complexity of controllers and forwarding devices; ensure higher levels of robustness for critical services; foster interoperability of the non-functional property enforcement mechanisms; and nally, better foster the resilience of the architecture itself. We discuss design and implementation aspects, and we prove and evaluate our algorithms and mechanisms.
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Critical and Extreme Security and Dependability Research Group (CritiX)
Fonds National de la Recherche - FnR
IIS&D - Information Infrastructure Security and Dependability
Researchers ; Professionals ; Students
FnR ; FNR8149128 > Paulo Esteves-Veríssimo > IISD > Strategic Rtnd Program On Information Infrastructure Security And Dependability > 01/01/2015 > 31/12/2019 > 2014

File(s) associated to this reference

Fulltext file(s):

Open access
acm-tops-manuscript-arXiv.pdfAuthor preprint1.06 MBView/Open

Bookmark and Share SFX Query

All documents in ORBilu are protected by a user license.