
DACAS: integration of attribute-based access control for northbound interface security in SDN

Journal: World Wide Web

Abstract

Since Software-Defined Networking (SDN) allows applications to interact with network-critical resources at the control plane through the northbound interface, these applications are expected to be as trustworthy as the controller itself. Most existing work addresses this problem with static access control policies. In this paper, we present a dynamic access control model called DACAS, an implementation of the attribute-based access control (ABAC) model in the context of the SDN control plane. We analyze how applications can influence the SDN through the northbound interface and the permission-related security requirements of mainstream controllers. Beyond the security issues caused by misuse of sensitive APIs, we find that the northbound and southbound interfaces share the same bandwidth in the network: once that bandwidth is saturated with requests from the northbound interface, the southbound interface may lose packets. In addition, the storage space of switches is limited, so a malicious application can crowd out legitimate flow tables by inserting a large number of redundant flow rules. To solve these problems, we use the linear quadratic exponential smoothing method to calculate a threshold for inserting flow entries and an upper limit on access time, which lets us implement a dynamic access control scheme. Existing static access control schemes also do not take the dynamic or random behavior of applications into account, so they cannot adapt to changing conditions in practice. DACAS achieves fine-grained permission management by designing single-case filters and multi-case filters. The prototype system of DACAS is implemented on the Ryu controller. Through feasibility analysis, functional evaluation, performance evaluation and security analysis, we demonstrate the robustness and extensibility of DACAS. The run-time overhead introduced by DACAS is on the order of microseconds, which is about 2 ms, while the flexibility of the system is greatly increased by adding context attributes to DACAS.
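The abstract names two mechanisms: attribute-based filtering of northbound API calls, and a flow-insertion threshold (and access ceiling) recomputed from recent load with exponential smoothing. The Python below is an added example written for this page, not code from the paper or from the Ryu project. It assumes Brown's double (second-order) exponential smoothing as a stand-in for the "linear quadratic exponential smoothing" the abstract mentions (the exact variant is not given on the page), reads "single-case" and "multi-case" filters as single-attribute versus multi-attribute predicates, and uses constructed attribute names, a constructed API sensitivity table and constructed load histories.

```python
"""Added example: an ABAC-style policy decision point (PDP) for SDN
northbound API calls whose write budget is a dynamic threshold forecast
from recent flow-rule insertion counts. Not the paper's or Ryu's code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


def brown_double_smoothing(series: List[float], alpha: float = 0.5, horizon: int = 1) -> float:
    """Brown's double exponential smoothing, one-step-ahead forecast.
    Assumed stand-in for the smoothing method named in the abstract."""
    if not series:
        raise ValueError("need at least one observation")
    if not 0 < alpha < 1:
        raise ValueError("alpha must be in (0, 1)")
    s1 = s2 = float(series[0])              # initialise both levels with the first sample
    for x in series[1:]:
        s1 = alpha * x + (1 - alpha) * s1    # first smoothing pass
        s2 = alpha * s1 + (1 - alpha) * s2   # second smoothing pass
    level = 2 * s1 - s2
    trend = alpha / (1 - alpha) * (s1 - s2)
    return level + trend * horizon


def dynamic_threshold(history: List[int], margin: float = 0.5, floor: int = 10, alpha: float = 0.5) -> int:
    """Per-window ceiling: forecast of the next window's normal load plus a
    safety margin, never below `floor` so a quiet period does not starve apps."""
    forecast = brown_double_smoothing(history, alpha)
    return max(floor, int(forecast * (1 + margin)))


@dataclass
class Request:
    app: Dict[str, object]   # subject attributes: id, trust level, per-window counters
    api: str                 # resource attribute: northbound API name
    env: Dict[str, object]   # environment attributes: controller-wide load histories


# Constructed resource attribute: sensitivity level required for each northbound call.
API_SENSITIVITY = {"get_topology": 1, "add_flow": 2, "delete_flow": 2, "mod_port": 3}

Filter = Tuple[str, Callable[[Request], bool]]   # (name, predicate; True means pass)


def trust_filter(req: Request) -> bool:
    """Single-attribute check: app trust level must meet the API's sensitivity."""
    return int(req.app["trust_level"]) >= API_SENSITIVITY.get(req.api, 3)


def flow_budget_filter(req: Request) -> bool:
    """Multi-attribute check: flow-rule writers stay under the insertion
    threshold forecast from the controller's recent insertion history."""
    if req.api not in ("add_flow", "delete_flow"):
        return True
    limit = dynamic_threshold(req.env["insert_history"])
    return int(req.app["flows_inserted"]) < limit


def request_rate_filter(req: Request) -> bool:
    """Northbound call ceiling, also forecast from history, so one app cannot
    saturate the bandwidth shared with the southbound interface."""
    limit = dynamic_threshold(req.env["request_history"], margin=0.25, floor=50)
    return int(req.app["requests_in_window"]) < limit


POLICY: List[Filter] = [
    ("trust", trust_filter),
    ("flow_budget", flow_budget_filter),
    ("request_rate", request_rate_filter),
]


def decide(req: Request, policy: List[Filter] = POLICY) -> Tuple[str, Optional[str]]:
    """Deny-overrides evaluation: the first failing filter denies the call."""
    for name, predicate in policy:
        if not predicate(req):
            return "deny", name
    return "permit", None


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Constructed scenario: a read-only monitor, a load balancer with a
    modest flow budget, and an app that has already flooded the flow table."""
    env = {"insert_history": [40, 42, 45, 50, 55],        # flow inserts per window
           "request_history": [200, 210, 190, 205, 200]}  # northbound calls per window
    monitor = {"id": "monitor", "trust_level": 1, "flows_inserted": 0, "requests_in_window": 20}
    lb = {"id": "lb", "trust_level": 2, "flows_inserted": 30, "requests_in_window": 40}
    flooder = {"id": "flood", "trust_level": 2, "flows_inserted": 500, "requests_in_window": 40}
    return {
        "monitor_read": decide(Request(monitor, "get_topology", env)),
        "monitor_write": decide(Request(monitor, "add_flow", env)),
        "lb_write": decide(Request(lb, "add_flow", env)),
        "flooder_write": decide(Request(flooder, "add_flow", env)),
    }


if __name__ == "__main__":
    print("flow insertion threshold:", dynamic_threshold([40, 42, 45, 50, 55]))
    for name, verdict in demo().items():
        print(name, verdict)
```

The threshold is recomputed on every decision from the environment attribute rather than fixed in the rule, which is what makes the policy "dynamic": as normal insertion volume drifts, the ceiling follows the forecast, while an app whose counter is far above the forecast (here, 500 inserts against a ceiling of 86) is denied before its next rule reaches a switch. In a real deployment the counters would be maintained by the controller and reset per window; here they are plain dictionary fields so the decision logic can be exercised offline.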


Data availability

Data available upon request. The data that support the findings of this study are available from the corresponding author upon reasonable request.


Acknowledgements

This work is supported by joint funds of the national natural science foundation of China (U1936122) and Primary Research & Development Plan of Hubei Province (2020BAB101).

Author information


Contributions

Yifan Liu is the first author of the article. Her main contributions are the design of the method and the creation of the access control model. Her contribution also includes writing the initial draft (including substantive translation). Bo Zhao is the corresponding author. His main contribution is the formulation of the overall research goals and objectives. He has oversight and leadership responsibility for the planning and execution of research activities. Yang An is the third author. Her main contribution is a survey of the current state of research at home and abroad. She is also responsible for the construction of part of the model. Jiabao Guo is the fourth author. Her main contribution is software development and drawing of diagrams in the paper and revision of the article.

Corresponding author

Correspondence to Bo Zhao.

Ethics declarations

Competing interests

The authors declare no competing interests.


Cite this article

Liu, Y., Zhao, B., An, Y. et al. DACAS: integration of attribute-based access control for northbound interface security in SDN. World Wide Web 26, 2143–2173 (2023). https://doi.org/10.1007/s11280-022-01130-2
