Efficient Distribution of Security Policy Filtering Rules in Software Defined Networks
Authors: | Remi Garcia, Adel Bouhoula, Abdelkader Lahmadi, Michaël Rusinowitch, Ahmad Abboud |
---|---|
Contributors: | ABBOUD, Ahmad, Resilience and Elasticity for Security and ScalabiliTy of dynamic networked systems (RESIST), Inria Nancy - Grand Est, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-Department of Networks, Systems and Services (LORIA - NSS), Laboratoire Lorrain de Recherche en Informatique et ses Applications (LORIA), Institut National de Recherche en Informatique et en Automatique (Inria)-Université de Lorraine (UL)-Centre National de la Recherche Scientifique (CNRS)-Institut National de Recherche en Informatique et en Automatique (Inria)-Université de Lorraine (UL)-Centre National de la Recherche Scientifique (CNRS)-Laboratoire Lorrain de Recherche en Informatique et ses Applications (LORIA), Institut National de Recherche en Informatique et en Automatique (Inria)-Université de Lorraine (UL)-Centre National de la Recherche Scientifique (CNRS)-Université de Lorraine (UL)-Centre National de la Recherche Scientifique (CNRS), Ecole Nationale Supérieure d'Electronique, Informatique et Radiocommunications de Bordeaux (ENSEIRB), École Nationale Supérieure d'Électronique, Informatique et Radiocommunications de Bordeaux (ENSEIRB), Proof techniques for security protocols (PESTO), Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-Department of Formal Methods (LORIA - FM), NUMERYX, Arabian Gulf University |
Language: | English |
Publication year: | 2020 |
Subject: |
Computer science; Software defined networks; Distributed computing; 0102 computer and information sciences; 02 engineering and technology; Complex network; [INFO] Computer Science [cs]; Security policy; 01 natural sciences; 020202 computer hardware & architecture; Packet filtering; Set (abstract data type); Software; 010201 computation theory & mathematics; 0202 electrical engineering, electronic engineering, information engineering; Network security policy; Table (database); Network switch; Software-defined networking; Rule placement |
Source: | NCA 2020 - 19th IEEE International Symposium on Network Computing and Applications, Nov 2020, Online conference, France |
Description: | International audience; Software Defined Networks administrators can specify and smoothly deploy abstract network-wide policies, and then the controller acting as a central authority implements them in the flow tables of the network switches. The rule sets of these policies are specified in the forwarding tables, which are usually accessed using very expensive and power-hungry ternary content-addressable memory (TCAM). Consequently, a given table can only contain a limited number of rules. However, various applications need large rule sets to perform filtering on diverse flows. In this paper, we propose several algorithms for decomposing and distributing a rule set on network switches of limited flow table size, while preserving the network policy semantics. Through experiments on several rule sets with single and multiple dimensions, we evaluate and analyse the performance of our rule placement techniques. Our results show that our proposals are efficient in practice. |
Database: | OpenAIRE |
External link: |