Auto-Configuration of ACL Policy in Case of Topology Change in Hybrid SDN

Abstract

Software-defined networking (SDN) has emerged as a new network architecture, which decouples both the control and management planes from data plane at forwarding devices. However, SDN deployment is not widely adopted due to the budget constraints of organizations. This is because organizations are always reluctant to invest too much budget to establish a new network infrastructure from scratch. One feasible solution is to deploy a limited number of SDN-enabled devices along with traditional (legacy) network devices in the network of an organization by incrementally replacing traditional network by SDN, which is called hybrid SDN (Hybrid SDN) architecture. Network management and control in Hybrid SDN are vital tasks that require significant effort and resources. Manual handling of these tasks is error prone. Whenever network topology changes, network policies (e.g., access control list) configured at the interfaces of forwarding devices (switches/routers) may be violated. That creates severe security threats for the whole network and degrades the network performance. In this paper, we propose a new approach for Hybrid SDN that auto-detects the interfaces of forwarding devices and network policies that are affected due to change in network topology. In the proposed approach, we model network-wide policy and local policy at forwarding device using a three-tuple and a six-tuple, respectively. We compute graph to represent the topology of the network. By using graph difference technique, we detect a possible change in topology. In the case of topology change, we verify policy for updated topology by traversing tree using six-tuple. If there is any violation in policy implementation, then affected interfaces are indicated and policies that need to be configured are also indicated. Then, policies are configured on the updated topology according to specification in an improved way. Simulation results show that our proposed approach enhances the network efficiency in term of successful packet delivery ratio, the ratio of packets that violated the policy and normalized overhead.