Abstract
Software-Defined Networking (SDN) is an innovative network framework introduced by Clean Slate at Stanford University. It enables programmers to control and define networks through software. SDN also separates the data plane from the control plane and provides open APIs and programmability. These features offer a new way to study new Internet architectures and have greatly promoted the development of the Internet. OpenFlow is a standard SDN protocol that defines the communication between SDN controllers and switches. Many OpenFlow-based SDN devices have now been deployed. However, SDN faces many security challenges, and one of the most critical is how to implement a secure and reliable SDN firewall application. Because the OpenFlow protocol is stateless, existing firewall security policies for SDN can easily be bypassed by rewriting the flow entries in the switches. To address this threat, we present a novel approach for real-time policy conflict detection and resolution based on Flowpath. By acquiring the network state of SDN in real time, our approach can accurately detect and effectively resolve policy conflicts. In addition, we present the FlowVerifier architecture and implement an SDN firewall application based on our proposed approach in Floodlight. We also evaluate the performance and effectiveness of FlowVerifier in Mininet. Our evaluation results demonstrate that FlowVerifier can automatically detect and resolve the policy-conflict threats induced by rewriting flow entries.
| Original language | English |
|---|---|
| Pages (from-to) | 872-883 |
| Number of pages | 12 |
| Journal | Jisuanji Xuebao/Chinese Journal of Computers |
| Volume | 38 |
| Issue number | 4 |
| State | Published - Apr 1 2015 |
Keywords
- Access control
- Conflict detection and resolution
- OpenFlow
- Policy
- Software-defined networking
Fingerprint
Dive into the research topics of 'A method of OpenFlow-based real-time conflict detection and resolution for SDN access control policies'. Together they form a unique fingerprint.