State-aware Network Access Management for Software-Defined Networks

Authors: Wonkyu Han, Hongxin Hu, Ziming Zhao, Adam Doupé, Gail-Joon Ahn

DOI: 10.1145/2914642.2914643

Keywords: OpenFlow, Networking hardware, Access network, Network Access Control, Computer network, Forwarding plane, Stateful firewall, Computer science, Network management station, Distributed computing, Software-defined networking

Abstract: OpenFlow, as the prevailing technique for Software-Defined Networks (SDNs), introduces significant programmability, granularity, and flexibility for many network applications to effectively manage and process network flows. However, because OpenFlow attempts to keep the SDN data plane simple and efficient, it focuses solely on L2/L3 transport and consequently lacks the fundamental ability of a stateful forwarding plane. Also, OpenFlow provides only very limited access to connection-level information in the controller. In particular, for any network access management on SDNs that requires comprehensive state information, these inherent limitations pose challenges in supporting such services. To address these challenges, we propose an innovative connection tracking framework called STATEMON that introduces global state-awareness to provide better access control in SDNs. STATEMON is based on a lightweight extension of OpenFlow for programming the stateful forwarding plane, while keeping the underlying network devices as simple as possible. To demonstrate the practicality and feasibility of STATEMON, we implement and evaluate a stateful firewall and a port knocking application for SDNs, using the APIs provided by STATEMON. Our evaluations show that STATEMON requires minimal message exchanges for monitoring active connections, with manageable overhead (3.27% throughput degradation).
