Advertisement

High Level Policies in SDN

  • Libor Polčák
  • Leo Caldarola
  • Amine Choukir
  • Davide Cuda
  • Marco Dondero
  • Domenico Ficara
  • Barbora Franková
  • Martin Holkovič
  • Roberto Muccifora
  • Antonio Trifilo
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 585)

Abstract

Policies for network traffic handling define packet routes through networks, enforce required quality of service, and protect networks from security threats. When expressing a policy, one needs to characterise the traffic to which the policy applies by traffic identifiers. Low level traffic identifiers, such as IP addresses and port numbers, are available in each packet. Indeed, low level traffic identifiers are perfect for data plane routing and switching. However, high level traffic identifiers, such as user name and application name, are better for the readability and clarity of a policy. In this paper, we extend software defined networks with high level traffic identifiers. We propose to add additional interface to SDN controllers for collecting traffic meta data and high level traffic identifiers. The controller maintains a database that maps high level traffic identifiers to a set of flows defined by low level traffic identifiers. SDN applications can apply policies based on both high level and low level traffic identifiers. We leave the southbound protocols intact. This paper provides two examples of High Level SDN paradigms – Application-Aware Networks and Identity-Aware Networks. The first paradigm enables policies depending on application names and characteristics. The latter allows policies based on user names and their roles.

Notes

Acknowledgements

This work was supported by Cisco Systems Switzerland where the idea of AAN emerged, was implemented, tested and evaluated. The work focusing on IAN and generic High Level SDN is a part of the project VG20102015022 supported by Ministry of the Interior of the Czech Republic and it was also supported by the BUT project FIT-S-14–2299.

References

  1. 1.
    Bendrath, R.: Global technology trends and national regulation: explaining variation in the governance of deep packet inspection. Technical report, Delft University of Technology (2009), Paper originally prepared for the International Studies Annual ConventionGoogle Scholar
  2. 2.
    Bredel, M., Barczyk, A., Newman, H.: Application-aware traffic engineering for wide area networks using openflow. In: SuperComputing Conference, Emerging Technologies (2013)Google Scholar
  3. 3.
    Caldarola, L., Choukir, A., Cuda, D., Dondero, M., Ficara, D., Muccifora, R., Polčák, L., Trifilo, A.: Towards a real application-aware network. In: Proceedings of the 6th International Conference on Data Communication Networking (DCNET-2015), pp. 5–12. SciTePress - Science and Technology Publications (2015)Google Scholar
  4. 4.
    Choukir, A., Caldarola, L., Cuda, D., Dondero, M., Ficara, D., Muccifora, R., Polčák, L., Trifilo, A.: Towards a real application aware network (2013). http://youtu.be/QHYPhAhIwVw
  5. 5.
  6. 6.
  7. 7.
    Cisco Systems: Application Visibility and Control (2014). http://www.cisco.com/c/en/us/products/routers/avc_control.html
  8. 8.
    Council of Europe: Convention on Cybercrime (2001), ETS No. 185Google Scholar
  9. 9.
    Curtis, A.R., Kim, W., Yalagandula, P.: Mahout: low-overhead datacenter traffic management using end-host-based elephant detection. In: IEEE INFOCOM (2011)Google Scholar
  10. 10.
    Dainotti, A., Pescape, A., Claffy, K.: Issues and future directions in traffic classification. IEEE Network 26(1), 35–40 (2012)CrossRefGoogle Scholar
  11. 11.
    Das, S., Yiakoumis, Y., Parulkar, G., McKeown, N.: Application-aware aggregation and traffic engineering in a converged packet-circuit network. In: Optical Fiber Communication Conference and Exposition (OFC/NFOEC) and the National Fiber Optic Engineers Conference (2011)Google Scholar
  12. 12.
    ETSI: ETSI ES 201 158: Telecommunications security; Lawful Interception (LI); Requirements for network functions. European Telecommunications Standards Institute (2002), version 1.2.1Google Scholar
  13. 13.
    Fraleigh, C., Moon, S., Lyles, B., Cotton, C., Khan, M., Moll, D., Rockell, R., Seely, T., Diot, S.: Packet-level traffic measurements from the sprint IP backbone. IEEE Network 17(6), 6–16 (2003)CrossRefGoogle Scholar
  14. 14.
    Franková, B.: Lawful Interception in Software Defined Networks (2015). Master’s thesis (in Czech), Brno University of Technology, CZGoogle Scholar
  15. 15.
    Hewlett-Packard: Identity driven management: technical brief (2015). http://www.hp.com/rnd/pdf_html/IDM_technical_brief.htm
  16. 16.
    Holkovič, M.: SDN Controlled According to User Identity (2015). Master’s thesis, Brno University of Technology, CZGoogle Scholar
  17. 17.
    Jarschel, M., Wamser, F., Hohn, T., Zinner, T., Tran-Gia, P.: SDN-based application-aware networking on the example of youtube video streaming. In: European Workshop on Software Defined Networks (2013)Google Scholar
  18. 18.
    Juniper Networks: Identity and policy control (2015). http://www.juniper.net/us/en/products-services/ipc/
  19. 19.
    Juniper Networks Inc: Junos Application Aware: Deep packet Inspection (2015). http://www.juniper.net/us/en/products-services/network-edge-services/service-control/junos-application-aware/
  20. 20.
    Mattos, D.M.F., Ferraz, L.H.G., Duarte, O.C.M.B.: AuthFlow: Authentication and Access Control Mechanism for Software Defined Networking, Technical Report, Electrical Engineering Program, COPPE/UFRJ, April 2014. http://www.gta.ufrj.br/ftp/gta/TechReports/MFD14.pdf
  21. 21.
    McKeown, N., Anderson, T., Balakrishnan, H., Parulkar, G., Peterson, L., Rexford, J., Shenker, S., Turner, J.: Openflow: enabling innovation in campus networks. SIGCOMM Comput. Commun. Rev. 38(2), 69–74 (2008)CrossRefGoogle Scholar
  22. 22.
    Moore, A.W., Papagiannaki, K.: Toward the accurate identification of network applications. In: Dovrolis, C. (ed.) PAM 2005. LNCS, vol. 3431, pp. 41–54. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  23. 23.
    Nayak, A.K., Reimers, A., Feamster, N., Clark, R.: Resonance: dynamic access control for enterprise networks. In: Proceedings of the 1st ACM workshop on Research on Enterprise Networking, pp. 11–18, ACM (2009)Google Scholar
  24. 24.
    PLUMgrid: PLUMgrid: virtual network infrastructure (2014). http://plumgrid.com
  25. 25.
    Polčák, L.: Integration of SDN and medianet metadata (2014). http://youtu.be/CqDYn4-DKn8
  26. 26.
    The Council of the European Union: COUNCIL RESOLUTION of 17 January 1995 on the lawful interception of telecommunications (96/C 329/01) (1996)Google Scholar
  27. 27.
    Wilkins, S.: Designing for Cisco Internetwork Solutions (DESGN) Foundation Learning Guide (CCDA DESGN 640–864). Pearson Education, Boston (2011)Google Scholar
  28. 28.
    Zhang, D., Mai, S., Guo, H., Tsuritani, T., Wu, J., Morita, I.: Openflow-based control plane for the application-aware lobs network. In: OptoElectronics and Communications Conference (2013)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Libor Polčák
    • 1
  • Leo Caldarola
    • 2
  • Amine Choukir
    • 2
  • Davide Cuda
    • 2
  • Marco Dondero
    • 2
  • Domenico Ficara
    • 2
  • Barbora Franková
    • 1
  • Martin Holkovič
    • 1
  • Roberto Muccifora
    • 2
  • Antonio Trifilo
    • 2
  1. 1.Faculty of Information TechnologyBrno University of TechnologyBrnoCzech Republic
  2. 2.Cisco Systems SarlRolleSwitzerland

Personalised recommendations