Abstract

Software Defined Networking (SDN) has become one of the most important network architectures for simplifying network management and enabling innovation through network programmability. Network applications submit network operations that directly and dynamically access critical network resources and manipulate network behavior. Validating the operations submitted by SDN applications is therefore critical to the security of SDNs. A feasible access control mechanism should let system administrators specify constraints that apply minimum privileges to applications with high granularity. However, the granularity of access provided by current access control systems for SDN applications is not sufficient to satisfy such requirements. In this paper, we propose ParaSDN, an access control model that addresses this problem using the concept of parameterized roles and permissions. Our model enhances access control granularity for SDN through support for role and permission parameters. We implemented a proof-of-concept prototype in an SDN controller to demonstrate the applicability and feasibility of our proposed model in identifying and rejecting unauthorized access requests submitted by controller applications.
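
To illustrate the general idea of parameterized roles, the following added example (not ParaSDN's code or formal model) scopes a controller application's operations to specific switches and a destination subnet and denies everything else. The role fields, operation names, switch IDs and addresses are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Role:
    name: str
    operations: frozenset  # operations the role may submit
    switches: frozenset    # role parameter: switch IDs in scope
    subnet: str            # role parameter: destination range in scope

@dataclass(frozen=True)
class Request:
    app: str
    operation: str
    switch: str
    dst_ip: str

# Constructed assignment: one hypothetical app bound to one parameterized role.
ASSIGNMENTS = {
    "lb_app": Role("load_balancer", frozenset({"flow_mod"}),
                   frozenset({"s1", "s2"}), "10.0.1.0/24"),
}

def authorize(req, assignments=ASSIGNMENTS):
    """Default-deny check; returns (allowed, reason)."""
    role = assignments.get(req.app)
    if role is None:
        return False, "no role assigned"
    if req.operation not in role.operations:
        return False, "operation not granted"
    # A role without parameters would stop here and allow any switch or address.
    if req.switch not in role.switches:
        return False, "switch outside role parameter"
    try:
        in_scope = ip_address(req.dst_ip) in ip_network(role.subnet)
    except ValueError:
        return False, "malformed address"
    if not in_scope:
        return False, "destination outside role parameter"
    return True, "ok"

if __name__ == "__main__":
    for r in (Request("lb_app", "flow_mod", "s1", "10.0.1.7"),
              Request("lb_app", "flow_mod", "s3", "10.0.1.7"),
              Request("lb_app", "flow_mod", "s1", "10.0.2.7")):
        print(r, authorize(r))
```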
