3 research outputs found

    Policy Conflict Management in Distributed SDN Environments

    The ease of programmability in Software-Defined Networking (SDN) makes it a great platform for implementing initiatives that involve application deployment, dynamic topology changes, and decentralized network management in a multi-tenant data center environment. However, implementing security solutions in such an environment is fraught with policy conflicts and consistency issues, and the hardness of the problem depends on the distribution scheme used for the SDN controllers. In this dissertation, a formalism for flow rule conflicts in SDN environments is introduced. This formalism is realized in Brew, a security policy analysis framework implemented on an OpenDaylight SDN controller. Brew has comprehensive conflict detection and resolution modules that ensure no two flow rules in a distributed SDN-based cloud environment conflict at any layer, thereby assuring a consistent, conflict-free security policy implementation and preventing information leakage. Techniques for global prioritization of flow rules in a decentralized environment are presented, using which all SDN flow rule conflicts are recognized and classified. Strategies for unassisted resolution of these conflicts are also detailed. Alternatively, if administrator input is desired to resolve conflicts, a novel visualization scheme helps administrators view the conflicts in an aesthetic manner. The correctness, feasibility and scalability of the Brew proof-of-concept prototype are demonstrated. Flow rule conflict avoidance using a buddy address space management technique is studied as an alternative to conflict detection and resolution in highly dynamic cloud systems attempting to implement SDN-based Moving Target Defense (MTD) countermeasures.
    Dissertation/Thesis. Doctoral Dissertation, Computer Science, 201
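    The abstract describes two mechanisms without showing either: a global ordering of rules that come from several controllers, and a classification of every conflicting pair. The following is an added example, not Brew's code or its formalism, of how a practitioner would prototype both: rules are compared field by field (IP fields as prefixes, everything else as scalars), ordered by an assumed global priority (controller tier first, then local OpenFlow priority), and each overlapping pair is labelled with the usual firewall-anomaly vocabulary (shadowing, generalization, correlation, redundancy), plus "ambiguity" for equal-priority overlaps whose outcome the switch leaves undefined. The controllers, tiers and rule set are constructed for the example.

```python
"""Pairwise conflict detection for OpenFlow-style flow rules installed by
several controllers. Added example; the rule set, controller tiers and the
global-priority scheme are constructed, not Brew's."""
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations

IP_FIELDS = {"ip_src", "ip_dst"}          # compared as prefixes, not scalars
CONTROLLER_TIER = {"security": 2, "tenantA": 1, "tenantB": 1}  # assumed policy


@dataclass(frozen=True)
class Rule:
    name: str
    controller: str
    priority: int        # local OpenFlow priority, higher wins on the switch
    match: tuple         # ((field, value), ...); a field not listed is wildcarded
    action: str


def global_priority(rule):
    """Assumed global order: controller tier first, then local priority, so a
    security controller's rule beats any tenant rule regardless of local value."""
    return (CONTROLLER_TIER[rule.controller], rule.priority)


def _field_relation(va, vb, is_ip):
    """Relation of A's value to B's value in one match field."""
    if va is None and vb is None:
        return "equal"
    if va is None:
        return "superset"          # A wildcards what B constrains
    if vb is None:
        return "subset"
    if is_ip:
        na, nb = ip_network(va), ip_network(vb)
        if na == nb:
            return "equal"
        if na.subnet_of(nb):
            return "subset"
        if nb.subnet_of(na):
            return "superset"
        return "disjoint"          # prefixes either nest or do not intersect
    return "equal" if va == vb else "disjoint"


def match_relation(a, b):
    """How A's match set relates to B's: equal, subset, superset, disjoint,
    or correlated (subset in some fields, superset in others)."""
    ma, mb = dict(a.match), dict(b.match)
    rels = {_field_relation(ma.get(f), mb.get(f), f in IP_FIELDS)
            for f in set(ma) | set(mb)}
    if "disjoint" in rels:
        return "disjoint"
    if rels <= {"equal"}:
        return "equal"
    if rels <= {"equal", "subset"}:
        return "subset"
    if rels <= {"equal", "superset"}:
        return "superset"
    return "correlated"


def classify(high, low):
    """Conflict between a higher-priority rule and a lower one; None if harmless."""
    rel = match_relation(low, high)
    same = high.action == low.action
    if rel == "disjoint":
        return None
    if global_priority(high) == global_priority(low):
        return None if same else "ambiguity"      # switch may pick either
    if rel in ("equal", "subset"):                # low can never fire
        return "redundancy" if same else "shadowing"
    if rel == "superset":                         # low is the catch-all behind high
        return "redundancy" if same else "generalization"
    return None if same else "correlation"        # partial overlap, different fate


def detect_conflicts(rules):
    """Return (kind, higher rule, lower rule) for every conflicting pair."""
    ordered = sorted(rules, key=global_priority, reverse=True)
    found = []
    for high, low in combinations(ordered, 2):
        kind = classify(high, low)
        if kind:
            found.append((kind, high.name, low.name))
    return found


# Constructed rule set: two tenant controllers plus a security controller
# that quarantines one of tenant A's subnets.
RULES = [
    Rule("sec-quarantine", "security", 50, (("ip_src", "10.1.7.0/24"),), "drop"),
    Rule("A-web", "tenantA", 100, (("ip_src", "10.1.0.0/16"), ("ip_dst", "10.2.0.0/16"),
                                   ("ip_proto", 6), ("tp_dst", 80)), "forward:2"),
    Rule("A-web-dup", "tenantA", 90, (("ip_src", "10.1.5.0/24"), ("ip_dst", "10.2.0.0/16"),
                                      ("ip_proto", 6), ("tp_dst", 80)), "forward:2"),
    Rule("A-quarantined", "tenantA", 60, (("ip_src", "10.1.7.0/24"),
                                          ("ip_dst", "10.2.0.0/16")), "forward:2"),
    Rule("A-default", "tenantA", 10, (("ip_src", "10.1.0.0/16"),), "forward:1"),
    Rule("B-default", "tenantB", 10, (("ip_src", "10.3.0.0/16"),), "forward:3"),
]

if __name__ == "__main__":
    for kind, high, low in detect_conflicts(RULES):
        print(f"{kind:14} {high} > {low}")
```

    The run reports the security rule partially shadowing tenant A's web rule (correlation), fully shadowing A's own rule for the quarantined subnet, A-web-dup as redundant, and every default as a generalization of the rules above it; only shadowing, correlation and ambiguity are findings an operator must act on, the other two are usually intended. Tier-then-priority is one global ordering; whatever scheme a deployment picks, the pairwise check is unchanged.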

    Monitoring and verifying network behavior using data-plane state

    Modern computer networks are complex, incorporating hundreds or thousands of network devices from multiple vendors performing diverse functions such as routing, switching, and access control across physical and virtual networks (VPNs and VLANs). As in any complex computer system, these networks are prone to a wide range of errors such as misconfigurations, software bugs, or unexpected interactions across protocols. Previous tools to assist operators in debugging network anomalies primarily focus on analyzing control plane configuration. Configuration analysis is limited in that it cannot find bugs in router software, and it is harder to generalize across protocols since it must model complex configuration languages and dynamic protocol behavior. This thesis studies an alternative approach: diagnosing problems through static analysis of a network's data-plane state. We call it data-plane verification. This approach can catch bugs that are invisible at the level of configuration files, and it simplifies unified analysis of a network across many protocols and implementations. To prove the applicability and usefulness of data-plane verification, we designed and implemented two tools to rigorously check important network invariants, such as absence of routing loops, routing consistency of replicated devices, and other reachability properties. Our first tool, called Anteater, translates a network's data-plane state and invariants into boolean satisfiability problems and checks them using a SAT solver. Our second tool, called VeriFlow, creates a device-independent graph model of the network state and uses standard graph traversal algorithms to detect invariant violations. We tested our tools with real-world network data-plane traces and with large emulated networks. Both of our tools were able to detect real bugs that had gone unnoticed by network operators for more than a month. Our tools helped them narrow down the faulty configurations and resolve them quickly. Results from larger emulated networks showed that the running time of our tools, especially that of VeriFlow, is good enough to detect bugs quickly, before they can be exploited by outside attackers. Due to the fast response time of VeriFlow, it can be used in the emerging Software-Defined Networking (SDN) setting as a proactive tool to detect and filter out faulty configurations before they reach network devices.
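    The VeriFlow idea in the abstract, as an added example that is not the thesis's code: the data-plane state is a set of per-device forwarding tables; every prefix installed anywhere defines an equivalence class of destinations that is forwarded identically on every device, so one walk through the forwarding graph per class checks loop-freedom and black-hole-freedom for all traffic. The last function shows the proactive SDN use: a candidate rule is applied to a scratch copy and only the classes it can affect are re-verified before anything reaches a switch. The three-router topology and its tables are constructed for the example; "local" marks a directly attached prefix.

```python
"""VeriFlow-style data-plane verification: equivalence classes, a forwarding
walk per class, loop / black-hole detection, and a pre-install update check.
Added example with constructed FIBs; not the thesis's implementation."""
from ipaddress import ip_network

# Constructed FIBs: device -> {prefix: next hop}. "local" = delivered here.
# R3 keeps a stale /24 pointing back at R2 while actually owning only the upper /25.
FIBS = {
    "R1": {"10.0.1.0/24": "local", "10.0.2.0/24": "R2",
           "10.0.3.0/24": "R2", "0.0.0.0/0": "R2"},
    "R2": {"10.0.2.0/24": "local", "10.0.3.0/24": "R3", "10.0.1.0/24": "R1"},
    "R3": {"10.0.3.128/25": "local", "10.0.3.0/24": "R2", "10.0.1.0/24": "R2"},
}


def equivalence_classes(fibs):
    """Every prefix installed anywhere starts a class. Two addresses whose
    longest covering prefix (over all devices) is the same see the same
    longest-prefix match on every device, so one walk per class suffices.
    A prefix fully covered by longer prefixes yields an empty class; walking
    it can only add spurious findings, never hide real ones."""
    return sorted({ip_network(p) for fib in fibs.values() for p in fib})


def lpm(fib, cls):
    """Longest-prefix match for a whole class: the longest table entry that
    contains the class prefix (a longer entry cannot contain any of it)."""
    best = None
    for p, nh in fib.items():
        net = ip_network(p)
        if cls.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else best[1]


def walk(fibs, cls, ingress):
    """Follow one class from ingress until delivered, dropped, or looping."""
    path, dev = [], ingress
    while True:
        path.append(dev)
        nh = lpm(fibs[dev], cls)
        if nh is None:
            return "blackhole", tuple(path)
        if nh == "local":
            return "delivered", tuple(path)
        if nh not in fibs:
            return "unknown-nexthop", tuple(path + [nh])
        if nh in path:
            return "loop", tuple(path + [nh])
        dev = nh


def verify(fibs, classes=None):
    """Return every invariant violation as (kind, class, ingress, path)."""
    if classes is None:
        classes = equivalence_classes(fibs)
    findings = []
    for cls in classes:
        for dev in sorted(fibs):
            kind, path = walk(fibs, cls, dev)
            if kind != "delivered":
                findings.append((kind, str(cls), dev, path))
    return findings


def check_update(fibs, device, prefix, nexthop):
    """Proactive check: apply one rule to a scratch copy and re-verify only the
    classes at or below the new prefix, which are the only walks it can change."""
    trial = {d: dict(f) for d, f in fibs.items()}
    trial[device][prefix] = nexthop
    new = ip_network(prefix)
    affected = [c for c in equivalence_classes(trial) if c.subnet_of(new)]
    return verify(trial, affected)


if __name__ == "__main__":
    for finding in verify(FIBS):
        print(*finding)
    print("fix ok:", check_update(FIBS, "R3", "10.0.3.0/25", "local") == [])
    print("bad update:", check_update(FIBS, "R2", "10.0.3.0/25", "R1"))
```

    On the constructed tables the full check finds the R2/R3 loop for the lower half of 10.0.3.0/24, a black hole for 10.0.2.0/24 at R3, and the absence of any default route beyond R1. Installing 10.0.3.0/25 as local on R3 passes the incremental check; routing that /25 from R2 toward R1 is rejected because R1 still sends the covering /24 back to R2. The class-per-prefix trick is what keeps the check cheap: it never enumerates addresses, only prefixes.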

    A packet-processing compiler for multi-tenant networks

    Software-Defined Networking (SDN) is a new paradigm for network design and management. SDN is based on the separation of the data plane from the control plane. The network is managed through a centralized controller, which dictates the packet forwarding and switching policy across the whole network by adding and removing rules. SDN simplifies network virtualization, where several tenants can coexist on the same physical infrastructure, each tenant having its own controller that dictates the packet-processing policy in its network. This raises problems of resource sharing and traffic isolation. To ensure traffic isolation between the tenants as well as high packet-forwarding performance across the whole network, we introduce a central compiler that translates, distributes and applies the rules on the physical infrastructure. In this report, we detail the design of a rule compiler for a multi-tenant network. The compiler transforms the rules and adapts the classification structures to account for the hardware constraints of the equipment. An implementation of the compiler was developed for physical and software switches. Tests showed a 20% to 30% reduction in the number of entries, an update capacity of 300 rules/second, and a reduction of packet-processing delay of 2-3 us and 50-100 us for physical and software switches respectively.
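    The two jobs the abstract assigns to the compiler, isolating tenants that reuse the same address space and reducing the number of entries the hardware must hold, as an added example that is not the report's compiler: each tenant's rules are keyed by an assumed per-tenant VLAN tag, and same-action prefixes are merged only where the merge is exact, with a guard for the one case where merging would change longest-prefix-match results. The tenants, tags and policies are constructed; the lookup functions at the end are there so the compiled table can be checked against the tenant's intent rather than trusted.

```python
"""Compile per-tenant policies onto a shared fabric: tag each tenant's rules
for isolation, then aggregate same-action prefixes to shrink the table.
Added example with constructed policies; not the report's compiler."""
from ipaddress import ip_address, ip_network, collapse_addresses

TENANT_TAG = {"blue": 100, "green": 200}   # assumed: one VLAN tag per tenant

# Constructed tenant policies as (dst prefix, action). Both tenants reuse the
# same private space, so without a tag their rules would collide on the fabric.
TENANT_RULES = {
    "blue":  [("10.0.0.0/25", "allow"), ("10.0.0.128/25", "allow"),
              ("10.0.1.0/24", "allow"), ("10.0.2.0/24", "drop")],
    "green": [("10.0.0.0/24", "drop"), ("10.0.1.0/24", "drop"),
              ("10.0.2.0/24", "allow"), ("10.0.3.0/24", "allow")],
}


def lpm_action(entries, addr):
    """Longest-prefix match over (network, action) pairs; None if nothing matches."""
    addr = ip_address(addr)
    hits = [(net.prefixlen, action) for net, action in entries if addr in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None


def compile_tenant(tenant, rules):
    """Physical entries {vlan, ip_dst, action} for one tenant.
    collapse_addresses only merges prefixes whose union is exactly the
    supernet, so no new address is covered and LPM results are preserved,
    except when a merged supernet coincides with an equal-length prefix of a
    different action (the switch could then pick either); in that case the
    original prefixes are kept for that action."""
    by_action = {}
    for prefix, action in rules:
        by_action.setdefault(action, []).append(ip_network(prefix))
    physical = []
    for action, nets in by_action.items():
        others = {n for a, ns in by_action.items() if a != action for n in ns}
        merged = list(collapse_addresses(nets))
        if any(m in others for m in merged):
            merged = nets
        for net in merged:
            physical.append({"vlan": TENANT_TAG[tenant], "ip_dst": str(net),
                             "action": action})
    return physical


def compile_all(tenant_rules):
    """Compile every tenant; return (entries, count before, count after)."""
    physical = [e for t, rules in tenant_rules.items()
                for e in compile_tenant(t, rules)]
    before = sum(len(r) for r in tenant_rules.values())
    return physical, before, len(physical)


def tenant_lookup(tenant, addr):
    """What the tenant's own policy says for addr."""
    return lpm_action([(ip_network(p), a) for p, a in TENANT_RULES[tenant]], addr)


def fabric_lookup(physical, tenant, addr):
    """What the compiled fabric table says for addr arriving with the tenant's tag."""
    tag = TENANT_TAG[tenant]
    return lpm_action([(ip_network(e["ip_dst"]), e["action"])
                       for e in physical if e["vlan"] == tag], addr)


if __name__ == "__main__":
    table, before, after = compile_all(TENANT_RULES)
    print(f"{before} tenant rules -> {after} fabric entries")
    for e in table:
        print(e)
```

    On these policies eight tenant rules compile to four fabric entries, and the same destination (10.0.2.5) is dropped for blue but allowed for green because the tag is part of the match. The equivalence check in the test is the part worth keeping in a real compiler: entry reduction is only a win if the compiled table gives the tenant's answer for every address.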