
Lightweight Resource Protection and Management System for SDN-based Cloud
SDNKeeper is a lightweight resource protection and management system for Software-Defined Networking (SDN)-based cloud environments. It addresses two gaps in the SDN controller's northbound interface, the absence of effective access control and the absence of unified management, and provides a policy-based way to secure and efficiently manage controller resources. The slides below summarize the existing solutions, the SDNKeeper design, and its evaluation.
Presentation Transcript
IEEE/ACM IWQoS 2018
SDNKeeper: Lightweight Resource Protection and Management System for SDN-based Cloud
Xue Leng*, Kaiyu Hou#, Yan Chen*#, Kai Bu*, Libin Song#
* Zhejiang University, # Northwestern University
Background: What is an SDN-based Cloud? (slides 2-3)
Diagram labels: Cloud Applications, Cloud Platform, Northbound Interface (NBI), Plugins, Core Project. Cloud applications run on the cloud platform, which reaches the SDN controller (core project plus plugins) through the NBI.
Problem 1: Absence of Effective Access Control (slides 4-5)
Diagram: Application -> SDN Controller.
- Inaccurate requests from applications
- Requests are tampered with in transit
- Malicious requests sent through the NBI directly
Problem 2: Absence of Unified Management (slides 6-7)
Diagram: Application -> Plugins -> SDN Controller.
- Inflexible control of resources (a resource is anything that can be utilized to provide services in response to client requests)
- Error prone during network configuration
Current Solutions (slides 8-10)
- Access control on requests [JNSM 18], AAA project in ODL: verifies the legitimacy of the user's identity but omits the legitimacy of the user's operation; coarse-grained
- Reconciliating inside the plugin (SDNShield [DSN 16]): requires code modification; inflexible
- Redesigning the API and controller architecture [HotSDN 14, SIGCOMM CCR 13]: poor interoperability
SDNKeeper Architecture (slides 11-14)
Components: Policy Interpreter, REST Service, Access Control Filter, Permission Engine, Policy Data Store, sitting in front of the plugins and the controller kernel. The administrator supplies policies; applications send REST requests, which pass through the Access Control Filter and Permission Engine before reaching the plugins.
Design properties: Applicability, Administrator Friendliness, Centralized Management, Hot Update.
Detailed Designs (slide 15)
- Policy Language: flexible permission abstractions
- Policy Interpreter: parsing semantic policies
- Permission Engine: performing access control on requests
Policy Language: Attribute Based Access Control (slides 16-17)
P(S, O, E) <- Logic Expression(ATTR(S), ATTR(O), ATTR(E))
Attributes are taken from the REST request: Subject (requester), Object (resource), Environment (time).
- Policy: a set of assertion expressions
- Composition: iteration of if-statements and logical operators
- Return: ACCEPT / REJECT
Policy Scopes (slides 18-19)
- Global Policy: for all requests
- Local Policy: for an individual user group and user
Design considerations: performance; expressiveness and simplicity.
Policy Interpreter (slide 21)
A policy is parsed into a tree whose internal nodes are logical operators (&&, ||) over checking results and whose leaves are an attribute or a comparing value; for example (A && (B || C)).
Permission Engine (slides 23-24)
- Step 1: Checking with Global Policies
- Step 2: Checking with Local Policies
- Step 3: Returning the Checking Result
Flowchart: for each global policy, if it is matched and its result is REJECT, the request is rejected; otherwise the local policies are checked the same way until finished; the checking result is ACCEPT or REJECT.
Implementation (slide 25)
- Filter-based, independent bundle
- Realized on the OpenDaylight controller
- No modification is required to the controller or the applications
- Support for dynamic management; CLI command: SDNKeeper: load/cache
Effectiveness (slides 26-27)
APIs and attributes covered by the policy set:

Type          # API   # Attribute
Networking      6        220
Firewall        3         83
Security        2         24
VPN             4        104
SFC             4         60
Meter           2         13
QoS             2         31
Load Balance    2         81
BGP VPN         1         22
L2 Gateway      2         26

Policy set, 2789 policies in total:
- 30 policies covering all kinds of APIs
- 185 policies covering all kinds of actions in an API
- 664 policies covering all kinds of attributes
- 1910 policies covering all possible combinations of two attributes
Tested with 2789 illegal requests issued by two users (User A, User B).
Processing Delay (slides 28-29)
Chart: latency of SDNKeeper vs. OpenDaylight. Data labels recovered from the chart: 4.2536, 3.5703, 3.3008, 1.5974, 1.0809 and 0.039, 0.101, 0.061, 0.391.
Result: no significant increase in latency; an average added delay of 0.15 ms.
Throughput (slides 30-31)
Chart: throughput of SDNKeeper vs. OpenDaylight. Data labels recovered from the chart: 807, 650.
Result: 5.09% degradation, 3.05% degradation overall; no significant effect on throughput.
Conclusions (slide 32)
SDNKeeper: a lightweight access control system
- Defending against malicious requests
- Assisting in managing resources
- Real-time protection and policy hot-update
- Reliable enforcement with good performance
Thank you. Contact: lengxue_2015@outlook.com
Backup Slides (slide 33)
Policy Language: Attribute Based Access Control (slides 34-35)
P(S, O, E) <- Logic Expression(ATTR(S), ATTR(O), ATTR(E))
Attributes are taken from the REST request: Subject (requester), Object (resource), Environment (time), exposed through a predefined data structure:
- subject.role, subject.user
- action.uri, action.method
- $.{object_name}.attribute, for example $.network.network_type
Policy (slide 36)
- Policy: a set of assertion expressions
- Composition: iteration of if-statements and logical operators
- Return: ACCEPT / REJECT
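The following is an added example, not code from the SDNKeeper project: a toy evaluator that ties together the policy language (attribute paths such as subject.role and $.network.network_type), the interpreter's tree of logical operators, and the permission engine's global-then-local checking order described on the slides. The expression encoding, the policy tuples, the request shape and the /networks URI are all assumptions made for the example.

```python
"""Toy ABAC evaluator modelled on the SDNKeeper slides. Added example, not the
project's code: policy shapes, attribute names and the request URI are assumed."""
ACCEPT, REJECT = "ACCEPT", "REJECT"

def attr(request, path):
    """Resolve dotted paths such as subject.role, action.method or
    $.network.network_type ('$' stands for the JSON body of the REST request)."""
    node = request
    for part in path.split("."):
        key = "body" if part == "$" else part
        node = node.get(key) if isinstance(node, dict) else None
    return node

def evaluate(expr, request):
    """Expression tree: ('and'|'or', *subexprs) or ('=='|'!='|'in', path, value)."""
    op = expr[0]
    if op in ("and", "or"):
        combine = all if op == "and" else any
        return combine(evaluate(e, request) for e in expr[1:])
    ops = {"==": lambda v, c: v == c, "!=": lambda v, c: v != c, "in": lambda v, c: v in c}
    return ops[op](attr(request, expr[1]), expr[2])

def check(request, global_policies, local_policies):
    """Step 1: global policies; step 2: local policies of the requester's group, then
    user; step 3: verdict. Flowchart reading used here: the first matched policy whose
    result is REJECT ends the check with REJECT; otherwise the request is accepted."""
    subject = request["subject"]
    for policies in (global_policies,
                     local_policies.get(subject["group"], []),
                     local_policies.get(subject["user"], [])):
        for condition, verdict in policies:
            if evaluate(condition, request) and verdict == REJECT:
                return REJECT
    return ACCEPT

# Constructed policies. Global: only admins may DELETE. Local: the 'tenant' group
# may only create vxlan networks; user 'bob' may neither POST nor PUT.
GLOBAL_POLICIES = [(("and", ("==", "action.method", "DELETE"),
                            ("!=", "subject.role", "admin")), REJECT)]
LOCAL_POLICIES = {
    "tenant": [(("and", ("==", "action.method", "POST"),
                        ("!=", "$.network.network_type", "vxlan")), REJECT)],
    "bob": [(("in", "action.method", ("POST", "PUT")), REJECT)],
}

def make_request(user, group, role, method, net_type):
    """Constructed REST request; the URI is a placeholder, not a real ODL endpoint."""
    return {"subject": {"user": user, "group": group, "role": role},
            "action": {"uri": "/networks", "method": method},
            "body": {"network": {"network_type": net_type}}}
```

Because policies are plain data, a hot update is just replacing GLOBAL_POLICIES or an entry of LOCAL_POLICIES between two calls to check; the request path itself never changes.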