Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ONOS Security proposal

ONOS Project
January 30, 2015
0
120

ONOS Security proposal

SRI International/KAIST security proposal for ONOS- targeted for Cardinal release

ONOS Project

January 30, 2015
Tweet

More Decks by ONOS Project

See All by ONOS Project
ONOS Developer Workshop at ONS - Thomas Vachuska
onosproject
1
780
CORD Presentation at ONS by Larry Peterson
onosproject
1
2k
Hands on ONOS Development ONS 2015
onosproject
1
580
Central Office Re-architected as Datacenter (CORD) Solution POC
onosproject
0
2.2k
ONOS presentation - AT&T talk (May 7th)
onosproject
0
290
ONOS Distributed Core and performance- AT&T talk (May 7th)
onosproject
0
240
ONOS presentation- Bell Labs meeting
onosproject
0
180
ONOS- the open source SDN NOS for Service Providers ( talk at MPLS/SDN/NFV conference, Paris)
onosproject
0
960
ONOS presentation
onosproject
1
330

Featured

See All Featured
Optimising Largest Contentful Paint
csswizardry
33
2.9k
How GitHub (no longer) Works
holman
310
140k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
KATA
mclloyd
29
14k
YesSQL, Process and Tooling at Scale
rocio
169
14k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
430
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
What's new in Ruby 2.0
geeforr
343
31k
How to Think Like a Performance Engineer
csswizardry
20
1.1k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
Art, The Web, and Tiny UX
lynnandtonic
297
20k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k

Transcript

  1. ONOS Security: Conservative-mode Phillip Porras ([email protected]) Martin Fong ([email protected]) Seungwon

    Shin ([email protected]) Changhoon Yoon ([email protected]) SRI International KAIST Feature proposal

  2. Motivation ONOS applications are granted a powerful authority Can perform

    any network operations desired Install flow rules! Read flow statistics! … Modify network topology!? ONOS Network View App 2 control plane data plane Northbound API Southbound API IntentService .submit(A,B) DeviceProviderService .deviceDisconnected(SW1) A B SW1 SW2 A B SW1 SW2 Mission-critical applications may be affected App 1

  3. Offer a new option for granting the true minimum required

    capability to ONOS applications (Least-privileged) Let the network operators know what each ONOS application is capable of Conservative-mode ONOS: The Objectives

  4. Conservative-mode ONOS: Permission model (1) Bundle-level Role-based Access Control (2)

    Application-level Role-based Access Control (3) API-level Permission-based Access Control ONOS applications must ONLY access the NB APIs and other necessary utilities Non-administrative ONOS applications must NOT access the Administrative NB APIs (Admin Services) ONOS application must be granted a permission to make each API call

  5. Conservative-mode ONOS: Policy file (example) (1) Bundle-level Role-based Access Control

    (2) Application-level Role-based Access Control (3) API-level Permission-based Access Control (1) (2) (3) <type> : a bundle is an ONOS application or NOT <role> : an ONOS application is administrative app or NOT <uses-permission> : a list of permissions to be granted to an ONOS app bundle

  6. Thank you!

  7. Backup