ABSTRACT
It is difficult to build a real network on which to test novel experiments. OpenFlow makes it easier for researchers to run their own experiments by providing a virtual slice and configuration on real networks. Multiple users can share the same network by assigning a different slice to each one. Users are given the responsibility to maintain and use their own slice by writing rules in a FlowTable. Misconfiguration problems can arise when a user writes conflicting rules for a single FlowTable, or even across a path of multiple OpenFlow switches whose FlowTables must be kept consistent with one another at the same time.
In this work, we describe a tool, FlowChecker, that identifies intra-switch misconfigurations within a single FlowTable. We also describe inter-switch and inter-federated inconsistencies along a path of OpenFlow switches across the same or different OpenFlow infrastructures. FlowChecker encodes the FlowTable configurations as Binary Decision Diagrams and then applies model checking to the inter-connected network of OpenFlow switches.
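The intra-switch check described above, as an added example that is not FlowChecker's own code: each FlowTable entry is encoded as a ternary bit pattern over a constructed toy header, and pairs of entries are classified by the conventional firewall-policy anomaly classes (shadowing, generalization, correlation, redundancy), plus the same-priority overlap that OpenFlow 1.0 leaves undefined. The field layout, rule names and priorities are all constructed; FlowChecker itself uses BDDs rather than explicit ternary strings, but the Boolean question asked of each rule pair is the same.

```python
from dataclasses import dataclass
from itertools import combinations

# Constructed toy header layout (field, bit width); real FlowTables match far wider tuples.
FIELDS = (("in_port", 2), ("nw_dst", 4), ("tp_dst", 2))

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    match: str   # ternary string, one char per header bit: '0', '1' or '*' (wildcard)
    action: str  # e.g. "fwd:2" or "drop"

def encode(**fields) -> str:
    """Ternary match from field values; an omitted field is fully wildcarded."""
    return "".join("*" * w if fields.get(n) is None else format(fields[n], f"0{w}b")
                   for n, w in FIELDS)

def intersect(a: str, b: str):
    """Meet of two ternary patterns, or None when no packet can match both."""
    out = []
    for x, y in zip(a, b):
        if x == "*" or x == y: out.append(y)
        elif y == "*": out.append(x)
        else: return None
    return "".join(out)

def subsumes(a: str, b: str) -> bool:  # every packet matched by b is also matched by a
    return intersect(a, b) == b

def find_anomalies(table):
    """Pairwise conflict check over one FlowTable; returns (kind, lower_rule, higher_rule)."""
    found = []
    for hi, lo in combinations(sorted(table, key=lambda r: -r.priority), 2):
        if intersect(hi.match, lo.match) is None:
            continue                                   # disjoint: the pair cannot conflict
        if hi.priority == lo.priority:                 # OpenFlow 1.0 leaves the winner undefined
            found.append(("undefined-overlap", lo.name, hi.name))
        elif subsumes(hi.match, lo.match):             # lo can never be hit
            found.append(("redundancy" if hi.action == lo.action else "shadowing", lo.name, hi.name))
        elif hi.action != lo.action:                   # partial overlap, or lo covers hi
            found.append(("generalization" if subsumes(lo.match, hi.match) else "correlation",
                          lo.name, hi.name))
    return found

# Constructed sample table exhibiting each anomaly class.
TABLE = [
    Rule("r1", 300, encode(in_port=1, nw_dst=5), "fwd:2"),
    Rule("r2", 200, encode(in_port=1, nw_dst=5, tp_dst=3), "drop"),  # shadowed by r1 (and r4)
    Rule("r3", 100, encode(nw_dst=5), "drop"),                       # generalizes r1
    Rule("r4", 250, encode(in_port=1, tp_dst=3), "fwd:3"),           # correlated with r1
    Rule("r5", 100, encode(in_port=2, nw_dst=9), "drop"),
    Rule("r6", 100, encode(in_port=2, nw_dst=9, tp_dst=1), "drop"),  # same-priority overlap with r5
]
```

Running `find_anomalies(TABLE)` reports r2 as shadowed, r3 as a generalization of r1, r4 as correlated with r1 and r3, and the r5/r6 pair as an undefined same-priority overlap; the path-level (inter-switch) check is the same intersection carried across each switch's table in turn.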