Abstract:
Aggressive use of wildcard rules has been shown to be crucial to scaling software-defined networks to large, policy-rich enterprise networks. However, the full potential of wildcard rules is only realized through effective aggregation of users. In this paper, we take the position that this aggregation is best achieved by using separate identifiers for policy enforcement and packet forwarding. We present two contributions. First, we give three arguments against the current practice of using IP addresses to enforce policy: (i) aggregation for policy rules conflicts with aggregation for forwarding, (ii) IP addresses cannot adequately represent the multiple logical groups to which a single user belongs, and (iii) using IP addresses requires management domains to expose their IP allocation scheme to others. Second, we present a novel architecture that uses separate identifiers and tables for policy enforcement and packet forwarding, enabling optimal aggregation of users for both purposes. We designed the architecture carefully so that it can be readily implemented using the functionality provided by commodity OpenFlow switches.
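The following is an added simulation (not the paper's code) of the pipeline the abstract describes: a first table maps an address to a policy identifier, a second table matches policy on that identifier, and a third table forwards on aggregated IP prefixes. It also quantifies argument (i) by counting the rules each approach needs for the same policy. The host set, group names, bitmask tag encoding, policy entries and port numbers are all constructed assumptions for illustration; the masked tag match stands in for an OpenFlow metadata match with a mask.

```python
import ipaddress

# Constructed example (not from the paper): addresses are allocated per site,
# but logical groups cut across sites and a host may belong to several groups.
HOSTS = {
    "10.1.0.10": {"finance", "vpn"},
    "10.1.0.11": {"engineering"},
    "10.1.0.12": {"finance"},
    "10.1.0.13": {"engineering", "vpn"},
    "10.2.0.10": {"finance"},
    "10.2.0.11": {"engineering"},
}

# Policy identifier: one bit per group, so multi-group membership is a bit-OR.
# In an OpenFlow pipeline this tag would be written to the metadata register.
GROUP_BIT = {"finance": 0b001, "engineering": 0b010, "vpn": 0b100}

# Policy table: (src groups, dst groups, action); first match wins, default drop.
POLICY = [
    ({"engineering"}, {"finance"}, "drop"),
    ({"finance"}, {"finance"}, "allow"),
    ({"engineering"}, {"engineering"}, "allow"),
    ({"vpn"}, {"vpn"}, "allow"),
]

# Forwarding table aggregated per site prefix: network -> output port.
FORWARDING = {
    ipaddress.ip_network("10.1.0.0/24"): 1,
    ipaddress.ip_network("10.2.0.0/24"): 2,
}


def tag_of(ip):
    """Table 0: map a host address to its policy identifier (bitmask of groups).
    Unknown hosts get tag 0, which no policy entry can match."""
    bits = 0
    for group in HOSTS.get(ip, ()):
        bits |= GROUP_BIT[group]
    return bits


def mask_of(groups):
    """Bitmask a policy entry matches against (any listed group sets a bit)."""
    bits = 0
    for group in groups:
        bits |= GROUP_BIT[group]
    return bits


def policy_action(src_tag, dst_tag):
    """Table 1: masked match on (src tag, dst tag), like OpenFlow metadata/mask."""
    for src_groups, dst_groups, action in POLICY:
        if src_tag & mask_of(src_groups) and dst_tag & mask_of(dst_groups):
            return action
    return "drop"


def next_hop(dst_ip):
    """Table 2: longest-prefix match over the aggregated forwarding table."""
    addr = ipaddress.ip_address(dst_ip)
    best = max((n for n in FORWARDING if addr in n),
               key=lambda n: n.prefixlen, default=None)
    return FORWARDING[best] if best is not None else None


def process(src_ip, dst_ip):
    """Run a packet through the three tables; returns 'drop' or 'forward:portN'."""
    if policy_action(tag_of(src_ip), tag_of(dst_ip)) != "allow":
        return "drop"
    port = next_hop(dst_ip)
    return f"forward:port{port}" if port is not None else "drop"


def prefixes_covering(groups):
    """Fewest CIDR blocks that exactly cover the hosts holding any of `groups`."""
    members = [ipaddress.ip_network(ip + "/32")
               for ip, gs in HOSTS.items() if gs & groups]
    return list(ipaddress.collapse_addresses(members))


def ip_policy_rule_count():
    """Rules needed if policy matches on IP: one per (src prefix, dst prefix) pair.
    Because group membership does not align with allocation, prefixes barely
    aggregate and the rule count multiplies."""
    return sum(len(prefixes_covering(s)) * len(prefixes_covering(d))
               for s, d, _ in POLICY)


def tagged_policy_rule_count():
    """Rules with separate identifiers: at most one tag entry per host plus one
    policy entry per group pair; forwarding stays aggregated per site."""
    return len(HOSTS) + len(POLICY)


if __name__ == "__main__":
    print(process("10.1.0.11", "10.2.0.10"))  # engineering -> finance: drop
    print(process("10.1.0.10", "10.2.0.10"))  # finance -> finance at site 2
    print(ip_policy_rule_count(), tagged_policy_rule_count())
```

Two properties of the abstract's design show up directly: a host with several group memberships is one tag with several bits set, so a single entry serves it without per-host exceptions; and the forwarding table never needs to know which group an address belongs to, so a peer domain can publish only its site prefixes.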
Date of Conference: 07-09 January 2019
Date Added to IEEE Xplore: 14 March 2019