The specification and enforcement of network-wide policies in a single
administrative domain is common in today's networks and is considered already
resolved. However, this is not the case for multi-administrative domains, e.g.
among different enterprises. In such situations, new problems arise that
challenge classical solutions such as PKIs, which suffer from scalability and
granularity concerns. In this paper, we present an extension to Group-Based
Policy -- a widely used network policy language -- for the aforementioned
scenario. To do so, we take advantage of a permissioned blockchain
implementation (Hyperledger Fabric) to distribute access control policies in a
secure and auditable manner, preserving at the same time the independence of
each organization. Network administrators specify policies that are rendered
into blockchain transactions. A LISP control plane (RFC 6830) allows routers
performing the access control to query the blockchain for authorizations. We
have implemented an end-to-end experimental prototype and evaluated it in terms
of scalability and network latency.

Comment: 7 pages, 9 figures, 2 tables