ROCA: Auto‐resolving overlapping and conflicts in Access Control List policies for Software Defined Networking

Asif, Awais Bin; Imran, Muhammad; Shah, Nadir; Afzal, Mehtab; Khurshid, Hasnat

doi:10.1002/dac.4815

Cited by 12 publications

(9 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In case of policy change, the proposed mechanisms detect this change and compute the shortest path to install the computed flow rules, in addition to deleting the old flow rules. ROCA [ 108 ] proposes a novel mechanism to detect and resolve network conflicts along with policy overlapping for effective communication in SDN. The proposed approaches help to resolve network policy conflicts and efficiently install flow rules at the data plane.…”

Section: Flow Rule Installation Mechanismsmentioning

confidence: 99%

Software-Defined Networking: Categories, Analysis, and Future Directions

Hussain

Shah

Amin³

et al. 2022

Sensors

Self Cite

View full text Add to dashboard Cite

Software-defined networking (SDN) is an innovative network architecture that splits the control and management planes from the data plane. It helps in simplifying network manageability and programmability, along with several other benefits. Due to the programmability features, SDN is gaining popularity in both academia and industry. However, this emerging paradigm has been facing diverse kinds of challenges during the SDN implementation process and with respect to adoption of existing technologies. This paper evaluates several existing approaches in SDN and compares and analyzes the findings. The paper is organized into seven categories, namely network testing and verification, flow rule installation mechanisms, network security and management issues related to SDN implementation, memory management studies, SDN simulators and emulators, SDN programming languages, and SDN controller platforms. Each category has significance in the implementation of SDN networks. During the implementation process, network testing and verification is very important to avoid packet violations and network inefficiencies. Similarly, consistent flow rule installation, especially in the case of policy change at the controller, needs to be carefully implemented. Effective network security and memory management, at both the network control and data planes, play a vital role in SDN. Furthermore, SDN simulation tools, controller platforms, and programming languages help academia and industry to implement and test their developed network applications. We also compare the existing SDN studies in detail in terms of classification and discuss their benefits and limitations. Finally, future research guidelines are provided, and the paper is concluded.

show abstract

Section: Flow Rule Installation Mechanismsmentioning

confidence: 99%

Software-Defined Networking: Categories, Analysis, and Future Directions

Hussain

Shah

Amin³

et al. 2022

Sensors

Self Cite

View full text Add to dashboard Cite

show abstract

“…Tere have been various studies on SDN policy forwarding control and policy implementation. Tey include controlling datafows forwarding based on custom policies [3][4][5], implementing trafc scheduling based on policies [6], fltering or redirecting abnormal data fows based on policies [7], network programming language to facilitate network policy creation, development, and deployment [8,9], implementing policy expression as well as policy confict detection and resolution based on specifc data structures [10,11], optimizing policy deployment [12][13][14][15], resolving inconsistencies during policy implementation [16,17], detecting and resolving the overlaps and conficts among the fow rules [18,19], designing policy implementation schemes to adapt to dynamic changes in the link state [20,21], and forth.…”

Section: Introductionmentioning

confidence: 99%

“…Second, the information basis for policy formulation is diferent. In SDN intradomain policy schemes, the intradomain global network state can be read from the controller to formulate address-oriented (IP, MAC, and switch port number) or identifer-oriented (the identifer of the switch, user, or middleware) policies [3,4,10,11,17]; however, in the SDN distributed multidomain environment, there is no central controller that holds interdomain global network state, so SDN cross-domain network information is opaque. Tis would make it impossible to directly develop addressoriented or identifer-oriented interdomain forwarding control policies for SDN interdomains.…”

Section: Introductionmentioning

confidence: 99%

“…Tird, the need for policy representation capabilities is diferent. Compared to the interdomain requirements for forwarding control of datafows with certain attribute characteristics, the intradomain policies are described using addresses or identifers and a fxed number of tuples [3,4,10,12,13,17], which lack a higher level of abstraction and fexibility in policy expression. At the same time, most of the existing intradomain implementation schemes are oriented to ACL policy or service function chain policy [10-13, 17, 21].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

BPFC-SDNs: A Blockchain-Based and Policy-Oriented Forwarding Control for the SDN Interdomain

Hanzo

Chang

et al. 2023

Security and Communication Networks

View full text Add to dashboard Cite

Policy-oriented forwarding control has been widely recognized in a software-defined network (SDN). However, in the multidomain SDN scenario, policy-oriented forwarding control confronts the challenges that the lack of a higher-level abstraction policy paradigm, cross-domain policy unknowability and policy conflict, a distributed and untrusted communication environment, and latency sensitivity. To tackle these challenges, this article proposes BPFC-SDNs, a blockchain-based and policy-oriented forwarding control for the SDN interdomain. As the basis of BPFC-SDNs, we define an attribute-based interdomain forwarding control policy paradigm and implement secure and trusted cross-domain information and policy sharing based on blockchain. The main idea of BPFC-SDNs is to achieve cross-domain dataflow forwarding control based on the global collaborative policy. Specifically, we propose a physically centralized and logically isolated architecture to ensure efficient and secure information exchange between the SDN and blockchain. Moreover, we design a combined on-chain and off-chain functional model to separate forwarding control from the blockchain, which enables forwarding control based on trusted data while avoiding the introduction of high latency and computational overhead of the blockchain. Finally, we implement a prototype for BPFC-SDNs, and the experimental results indicate that BPFC-SDNs can provide effective forwarding control for the SDN interdomain with acceptable latency and good scalability.

show abstract

“…Access Control List (ACL) is a network security enhancement. It applies a set of ACL rules to each IP packet and determines whether to forward or drop the packet based on its header fields [ 11 ]. ACL is similar to the stateless firewall or packet filtering firewall which provides basic traffic filtering capabilities [ 12 ].…”

Section: Introductionmentioning

confidence: 99%

CPACK: An Intelligent Cyber-Physical Access Control Kit for Protecting Network

Liu

Zou

et al. 2022

Sensors

View full text Add to dashboard Cite

Access Control Lists (ACL) are critical to protecting network and cyber-physical systems. Traditional firewalls mostly use reactive methods to enforce ACLs, so that new ACL updates cannot take effect immediately. In this paper, based on our previous work, we propose CPACK, an intelligent cyber-physical access control kit, which uses a smart algorithm to upgrade the ACL list. CPACK adopts a proactive way to enforce ACL and reacts to a new ACL update and network view update in real time. We implement CPACK on both Floodlight and ONOS controller. We then conduct a large number of experiments to compare CPACK with the Floodlight firewall application. The experimental results show that CPACK has a better performance than the existing Floodlight firewall application. CPACK is also integrated into the new version of Floodlight and ONOS controller.

show abstract

ROCA: Auto‐resolving overlapping and conflicts in Access Control List policies for Software Defined Networking

Cited by 12 publications

References 22 publications

Software-Defined Networking: Categories, Analysis, and Future Directions

Software-Defined Networking: Categories, Analysis, and Future Directions

BPFC-SDNs: A Blockchain-Based and Policy-Oriented Forwarding Control for the SDN Interdomain

CPACK: An Intelligent Cyber-Physical Access Control Kit for Protecting Network

Contact Info

Product

Resources

About