Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ONOS Security proposal

ONOS Project
January 30, 2015
0
120

ONOS Security proposal

SRI International/KAIST security proposal for ONOS- targeted for Cardinal release

ONOS Project

January 30, 2015
Tweet

More Decks by ONOS Project

See All by ONOS Project
ONOS Developer Workshop at ONS - Thomas Vachuska
onosproject
1
780
CORD Presentation at ONS by Larry Peterson
onosproject
1
2k
Hands on ONOS Development ONS 2015
onosproject
1
580
Central Office Re-architected as Datacenter (CORD) Solution POC
onosproject
0
2.2k
ONOS presentation - AT&T talk (May 7th)
onosproject
0
290
ONOS Distributed Core and performance- AT&T talk (May 7th)
onosproject
0
240
ONOS presentation- Bell Labs meeting
onosproject
0
180
ONOS- the open source SDN NOS for Service Providers ( talk at MPLS/SDN/NFV conference, Paris)
onosproject
0
960
ONOS presentation
onosproject
1
330

Featured

See All Featured
Large-scale JavaScript Application Architecture
addyosmani
510
110k
Writing Fast Ruby
sferik
626
61k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Ruby is Unlike a Banana
tanoku
96
11k
Side Projects
sachag
452
42k
Fontdeck: Realign not Redesign
paulrobertlloyd
81
5.2k
Agile that works and the tools we love
rasmusluckow
327
21k
The Art of Programming - Codeland 2020
erikaheidi
51
13k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
290
Testing 201, or: Great Expectations
jmmastey
38
7k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
43
6.6k
The Cult of Friendly URLs
andyhume
78
6k

Transcript

  1. ONOS Security: Conservative-mode Phillip Porras ([email protected]) Martin Fong ([email protected]) Seungwon

    Shin ([email protected]) Changhoon Yoon ([email protected]) SRI International KAIST Feature proposal

  2. Motivation ONOS applications are granted a powerful authority Can perform

    any network operations desired Install flow rules! Read flow statistics! … Modify network topology!? ONOS Network View App 2 control plane data plane Northbound API Southbound API IntentService .submit(A,B) DeviceProviderService .deviceDisconnected(SW1) A B SW1 SW2 A B SW1 SW2 Mission-critical applications may be affected App 1

  3. Offer a new option for granting the true minimum required

    capability to ONOS applications (Least-privileged) Let the network operators know what each ONOS application is capable of Conservative-mode ONOS: The Objectives

  4. Conservative-mode ONOS: Permission model (1) Bundle-level Role-based Access Control (2)

    Application-level Role-based Access Control (3) API-level Permission-based Access Control ONOS applications must ONLY access the NB APIs and other necessary utilities Non-administrative ONOS applications must NOT access the Administrative NB APIs (Admin Services) ONOS application must be granted a permission to make each API call

  5. Conservative-mode ONOS: Policy file (example) (1) Bundle-level Role-based Access Control

    (2) Application-level Role-based Access Control (3) API-level Permission-based Access Control (1) (2) (3) <type> : a bundle is an ONOS application or NOT <role> : an ONOS application is administrative app or NOT <uses-permission> : a list of permissions to be granted to an ONOS app bundle

  6. Thank you!

  7. Backup