Enforcing Optimal ACL Policies Using K-Partite Graph in Hybrid SDN

Abstract

Software Defined Networking (SDN) as an innovative network paradigm that separates the management and control planes from the data plane of forwarding devices by implementing both the management and control planes at a logically centralized entity, called controller. Therefore, it ensures simple network management and control. However, due to several reasons (e.g., deployment cost, fear of downtime) organizations are very reluctant to adopt SDN in practice. Therefore, a viable solution is to replace the legacy devices by SDN devices incrementally. This results in a new network architecture called hybrid SDN. In hybrid SDN, both SDN and legacy devices operate in such a way to achieve the maximum benefit of SDN. The legacy devices are running a traditional protocol and SDN devices are operating using Open-flow protocols. Network policies play an essential role to secure the entire network from several types of attacks like unauthorized access and port/protocol control. In a hybrid SDN, policy implementation is a tedious task that requires extreme care and attention due to the hybrid nature of network traffic. Network policies may be implemented at various positions in hybrid SDN, e.g., near the destination or source node, and at the egress or ingress ports of a router. Each of these schemes has some trade-offs. For example, if policies are implemented near the source nodes then each packet generated from the source must pass through the filter and, thus, requires more processing power, time, resources, etc. Similarly, if policies are installed near the destination nodes, then a lot of unwanted traffic generated causing network congestion. This is an NP-hard problem. To address these challenges, we propose a systematic design approach to implement network policies optimally by using decision tree and K-partite graph. By traversing all the policies, we built up the decision tree that identifies which source nodes can communicate with which destination. Then, we traverse the decision tree and constructs K-partite graph to find possible places (interfaces of the routers) where ACL policies are to be implemented based on the different criteria (i.e., the minimum number of ACL rules and the minimum number of transmissions for unwanted traffic). The edge weight represents the cost per criteria. Then, we traverse the K-partite graph to find the optimal place for ACL rules implementation according to the given criteria. The simulation results indicate that the proposed technique outperforms existing approaches in terms of computation time, traffic optimization and successful packet delivery, etc. The results also indicate that the proposed method improves network performance and efficiency by decreasing network congestion and providing ease of policy implementation.