ANCHOR
Diego Kreutz, Jiangshan Yu, Fernando M. V. Ramos, Paulo Esteves-Verissimo
2019
ACM Transactions on Privacy and Security
Software-defined networking (SDN) decouples the control and data planes of traditional networks, logically centralizing the functional properties of the network in the SDN controller. While this centralization brought advantages such as a faster pace of innovation, it also disrupted some of the natural defenses of traditional architectures against different threats. The literature on SDN has mostly been concerned with the functional side, despite some specific works concerning non-functional properties like 'security' or 'dependability'. Though addressing the latter in an ad-hoc, piecemeal way may work, it will most likely lead to efficiency and effectiveness problems. We claim that the enforcement of non-functional properties as a pillar of SDN robustness calls for a systemic approach. We further advocate, for its materialization, the re-iteration of the successful formula behind SDN: 'logical centralization'. As a general concept, we propose anchor, a subsystem architecture that promotes the logical centralization of non-functional properties. To show the effectiveness of the concept, we focus on 'security' in this paper: we identify the current security gaps in SDNs and we populate the architecture middleware with the appropriate security mechanisms, in a global and consistent manner. anchor sets out to provide essential security mechanisms such as strong entropy, resilient pseudo-random generators, and secure device registration and association, among other crucial services. We claim and justify in the paper that centralizing such mechanisms is key for their effectiveness, by allowing us to: define and enforce global policies for those properties; reduce the complexity of controllers and forwarding devices; ensure higher levels of robustness for critical services; foster interoperability of the non-functional property enforcement mechanisms; and finally, better foster the resilience of the architecture itself. We discuss design and implementation aspects, and we prove and evaluate our algorithms and mechanisms.
-Verissimo. 2017. ANCHOR: logically-centralized security for Software-Defined Networks. 1, 1, Article 1 (November 2017), 38 pages. https://doi.org/0000001.0000001
or clock synchronization parameters, can considerably degrade network operation [Akhunzada et al. 2015; Kloti et al. 2013; Scott-Hayward et al. 2016]. Addressing these problems in an ad-hoc, piecemeal way may work, but will inevitably lead to efficiency and effectiveness problems.
Although several specific works concerning non-functional properties have recently seen the light, e.g., in dependability [Berde et al. 2014; Botelho et al. 2016; Katta et al. 2015; Kreutz et al. 2015; Ros and Ruiz 2014] or security [Porras et al. 2012; Scott-Hayward et al. 2016; Shin et al. 2014], enforcement of non-functional properties as a pillar of SDN robustness calls, in our opinion, for a systemic approach. As such, in this paper we call for a re-iteration of the successful formula behind SDN, 'logical centralization', for its materialization. In fact, the problematic scenarios exemplified above can be best avoided by the logical centralization of the system-wide enforcement of non-functional properties, increasing the chances that the whole architecture inherits them in a more balanced and coherent way. The steps to achieve such a goal are to: (a) select the crucial properties to enforce (dependability, security, quality-of-service, etc.); (b) identify the current gaps that stand in the way of achieving such properties in SDNs; (c) design a logically-centralized subsystem architecture and middleware, with hooks to the main SDN architectural components, in a way that they can inherit the desired properties; (d) populate the middleware with the appropriate mechanisms and protocols to enforce the desired properties/predicates, across controllers and devices, in a global and consistent manner. Generically speaking, it is worth emphasizing that centralization has been proposed as a means to address different problems of current networks. For instance, the use of centralized cryptography schemes and centralized sources of trust to authenticate and authorize known entities has been pointed out as a solution for improving the security of Ethernet networks [Kiravuo et al. 2013].
Similarly, recent research has suggested network security as a service as a means to provide the required security of enterprise networks [Scott-Hayward et al. 2016]. However, centralization has its drawbacks, so let us explain why centralization of non-functional property enforcement brings important gains to software-defined networking. We claim, and justify ahead in the paper, that it allows us to define and enforce global policies for those properties, reduce the complexity of networking devices, ensure higher levels of robustness for critical services, foster interoperability of the non-functional enforcement mechanisms, and better promote the resilience of the architecture itself. The reader will note that this design philosophy concerns non-functional properties in the abstract. To prove our point, in this paper we have chosen security as our use case and identified at least four gaps that stand in the way of achieving it in current SDN systems: (i) the security-performance gap; (ii) the complexity-robustness gap; (iii) the global security policies gap; and (iv) the resilient roots-of-trust gap. The security-performance gap comes from the frequent conflict between mechanisms enforcing those two properties. The complexity-robustness gap represents the conflict between the current complexity of security and crypto implementations and the negative impact this has on robustness, and hence on correctness. The lack of global security policies leads to ad-hoc and discretionary solutions, creating weak spots in architectures. The lack of a resilient root-of-trust burdens controllers and devices with trust enforcement mechanisms that are ad-hoc, have limited reach, and are often sub-optimal. We further elaborate in the paper on the reasons behind these gaps, their negative effects in SDN architectures, and how they can possibly be mitigated through a logically-centralized security enforcement architecture.
To achieve our goals, we propose anchor, a subsystem architecture that does not modify the essence of the current SDN architecture with its payload controllers and devices, but rather stands aside, 'anchors' (logically centralizes) crucial functionality and properties, and 'hooks' into those components in order to secure the desired properties. In this particular case study, the architecture middleware is populated with specific functionality whose main aim is to ensure the 'security' of control plane associations and of communication amongst controllers and devices. In addition, in this paper we take first steps toward addressing a long-standing problem: the fact that a single root-of-trust (like anchor, but also like any other standard trusted third party, e.g., the CAs in an X.509 PKI or the KDC in Kerberos) is a single point of failure (SPoF). There is nothing wrong with SPoFs, as long as they do not fail often and/or the consequences of failure can be mitigated, which is unfortunately not the common case. As such, we start by carefully promoting reliability in the design of anchor, endowing it with robust functions in the different modules, in order to reduce the probability of failure/compromise. Moreover, the proposed architecture only requires symmetric key cryptography. This not only ensures very high performance, but also makes the system secure against attacks by a quantum computer. Thus, the system is also post-quantum secure [Bernstein 2009]. Second, we mitigate the consequences of successful attacks, by protecting past, pre-compromise communication, and ensuring the quasi-automatic recovery of
doi:10.1145/3301305
fatcat:ekq3vhfngzaw5n2t46mtxiowhu