Authorizing Network Control at Software Defined Internet Exchange Points
Abstract
Software Defined Internet Exchange Points (SDXes) increase the flexibility of interdomain traffic delivery on the Internet. Yet, an SDX inherently requires multiple participants to have access to a single, shared physical switch, which creates the need for an authorization mechanism to mediate this access. In this paper, we introduce a logic and mechanism called FLANC (A Formal Logic for Authorizing Network Control), which authorizes each participant to control forwarding actions on a shared switch and also allows participants to delegate forwarding actions to other participants at the switch (e.g., a trusted third party). FLANC extends the “says” and “speaks for” logics, previously designed for operating system objects, to handle expressions involving network traffic flows. We describe FLANC, explain how participants can use it to express authorization policies for realistic interdomain routing settings, and demonstrate that it is efficient enough to operate in operational settings.
BibTex
@INPROCEEDINGS{gupta2016authorizing,
isbn = {978-1-4503-4211-7},
doi = {10.1145/2890955.2890956},
year = {2016},
booktitle = {Proceedings of the Symposium on SDN Research (SOSR 2016)},
type = {Conference Paper},
author = {Gupta, Arpit and Feamster, Nick and Vanbever, Laurent},
size = {6 p.},
keywords = {Software defined networking (SDN); Internet exchange point (IXP); BGP},
language = {en},
address = {New York, NY},
publisher = {Association for Computing Machinery},
title = {Authorizing Network Control at Software Defined Internet Exchange Points},
PAGES = {16},
Note = {ACM Symposium on SDN Research, SOSR 2016; Conference Location: Santa Clara, CA, USA; Conference Date: March 14-17, 2016}
}
Research Collection: 20.500.11850/116436