Software-de ned networking; SDN; non-functional properties; control plane; security; perfect forward secrecy; post-compromise security; post-compromise recovery; post-quantum secure
Abstract :
[en] Software-de ned networking (SDN) decouples the control and data planes of traditional networks, logically centralizing the functional properties of the network in the SDN controller. While this centralization brought advantages such as a faster pace of innovation, it also disrupted some of the natural defenses of traditional architectures against di erent threats. The literature on SDN has mostly been concerned with the functional side, despite some speci c works concerning non-functional properties like ‘security’ or ‘dependability’. Though addressing the latter in an ad-hoc, piecemeal way, may work, it will most likely lead to e ciency and e ectiveness problems.
We claim that the enforcement of non-functional properties as a pillar of SDN robustness calls for a systemic approach. We further advocate, for its materialization, the re-iteration of the successful formula behind SDN – ‘logical centralization’. As a general concept, we propose anchor, a subsystem architecture that promotes the logical
centralization of non-functional properties. To show the e ectiveness of the concept, we focus on ‘security’ in this paper: we identify the current security gaps in SDNs and we populate the architecture middleware with the appropriate security mechanisms, in a global and consistent manner. anchor sets to provide essential security mechanisms such as strong entropy, resilient pseudo-random generators, secure device registration and association, among other crucial services.
We claim and justify in the paper that centralizing such mechanisms is key for their e ectiveness, by allowing us to: de ne and enforce global policies for those properties; reduce the complexity of controllers and forwarding devices; ensure higher levels of robustness for critical services; foster interoperability of the non-functional property enforcement mechanisms; and nally, better foster the resilience of the architecture itself. We discuss design and implementation aspects, and we prove and evaluate our algorithms and mechanisms.
Research center :
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Critical and Extreme Security and Dependability Research Group (CritiX)
Disciplines :
Computer science
Author, co-author :
KREUTZ, Diego ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
YU, Jiangshan ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Ramos, Fernando M. V.
VERISSIMO, Paulo ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Language :
English
Title :
ANCHOR: logically-centralized security for Software-Defined Networks