-
Distributed Access Control with Blockchain
Authors:
Jordi Paillisse,
Jordi Subira,
Albert Lopez,
Alberto Rodriguez-Natal,
Vina Ermagan,
Fabio Maino,
Albert Cabellos
Abstract:
The specification and enforcement of network-wide policies in a single administrative domain is common in today's networks and considered already resolved. However, this is not the case for multi-administrative domains, e.g. among different enterprises. In such a situation, new problems arise that challenge classical solutions such as PKIs, which suffer from scalability and granularity concerns. In this paper, we present an extension to Group-Based Policy -- a widely used network policy language -- for the aforementioned scenario. To do so, we take advantage of a permissioned blockchain implementation (Hyperledger Fabric) to distribute access control policies in a secure and auditable manner, preserving at the same time the independence of each organization. Network administrators specify policies that are rendered into blockchain transactions. A LISP control plane (RFC 6830) allows routers performing the access control to query the blockchain for authorizations. We have implemented an end-to-end experimental prototype and evaluated it in terms of scalability and network latency.
Submitted 11 January, 2019;
originally announced January 2019.
-
IPchain: Securing IP Prefix Allocation and Delegation with Blockchain
Authors:
Jordi Paillisse,
Miquel Ferriol,
Eric Garcia,
Hamid Latif,
Carlos Piris,
Albert Lopez,
Brenden Kuerbis,
Alberto Rodriguez-Natal,
Vina Ermagan,
Fabio Maino,
Albert Cabellos
Abstract:
We present IPchain, a blockchain to store the allocations and delegations of IP addresses, with the aim of easing the deployment of secure interdomain routing systems. Interdomain routing security is of vital importance to the Internet since it prevents unwanted traffic redirections. IPchain makes use of blockchains' properties to provide flexible trust models and simplified management when compared to existing systems. In this paper we argue that Proof of Stake is a suitable consensus algorithm for IPchain due to the unique incentive structure of this use-case. We have implemented and evaluated IPchain's performance and scalability storing around 150k IP prefixes in a 1GB chain.
Submitted 11 May, 2018;
originally announced May 2018.
-
Securing the Control-plane Channel and Cache of Pull-based ID/LOC Protocols
Authors:
Paul Almasan,
Jordi Paillisse,
Alberto Rodriguez-Natal,
Pere Barlet-Ros,
Florin Coras,
Vina Ermagan,
Fabio Maino,
Albert Cabellos-Aparicio
Abstract:
Pull-based ID/LOC split protocols, such as LISP (RFC 6830), retrieve mappings from a mapping system to encapsulate and forward packets. This is done by means of a control-plane channel. In this short paper we describe three attacks against this channel (Denial-of-Service and overflowing) as well as against the local cache used to store such mappings. We also provide a solution against such attacks that implements a per-source rate-limiter using a Count-Min Sketch data structure.
Submitted 22 March, 2018;
originally announced March 2018.
-
SDN for End-Nodes: Scenario Analysis and Architectural Guidelines
Authors:
Alberto Rodriguez-Natal,
Vina Ermagan,
Kien Nguyen,
Sharon Barkai,
Yusheng Ji,
Fabio Maino,
Albert Cabellos-Aparicio
Abstract:
The advent of SDN has brought a plethora of new architectures and controller designs for many use-cases and scenarios. Existing SDN deployments focus on campus, datacenter and WAN networks. However, little research effort has been devoted to the scenario of effectively controlling a full deployment of end-nodes (e.g. smartphones) that are transient and scattered across the Internet. In this paper, we present a rigorous analysis of the challenges associated with an SDN architecture for end-nodes, show that such challenges are not found in existing SDN scenarios, and provide practical design guidelines to address them. Then, following these guidelines, we present a reference architecture based on a decentralized, distributed and symmetric controller with a connectionless pull-oriented southbound and an intent-driven northbound. Finally, we measure a proof-of-concept deployment to assess the validity of the analysis as well as the architecture.
Submitted 16 March, 2018;
originally announced March 2018.
-
Knowledge-Defined Networking
Authors:
Albert Mestres,
Alberto Rodriguez-Natal,
Josep Carner,
Pere Barlet-Ros,
Eduard Alarcón,
Marc Solé,
Victor Muntés,
David Meyer,
Sharon Barkai,
Mike J Hibbett,
Giovani Estrada,
Khaldun Ma`ruf,
Florin Coras,
Vina Ermagan,
Hugo Latapie,
Chris Cassar,
John Evans,
Fabio Maino,
Jean Walrand,
Albert Cabellos
Abstract:
The research community has considered in the past the application of Artificial Intelligence (AI) techniques to control and operate networks. A notable example is the Knowledge Plane proposed by D. Clark et al. However, such techniques have not been extensively prototyped or deployed in the field yet. In this paper, we explore the reasons for the lack of adoption and posit that the rise of two recent paradigms, Software-Defined Networking (SDN) and Network Analytics (NA), will facilitate the adoption of AI techniques in the context of network operation and control. We describe a new paradigm that accommodates and exploits SDN, NA and AI, and provide use cases that illustrate its applicability and benefits. We also present simple experimental results that support its feasibility. We refer to this new paradigm as Knowledge-Defined Networking (KDN).
Submitted 23 June, 2016; v1 submitted 20 June, 2016;
originally announced June 2016.