[Nicolas Herbaut] SDN Intent-based conformance checking: application to security policies

Nicolas Herbaut , Camilo Correa , Jacques Robin Centre de Recherche en Informatique, Université Paris 1 Panthon-Sorbonne
Paris, France  and  Raul Mazo, Lab-STICC ENSTA Bretagne Brest, France

Access the paper: https://hal.archives-ouvertes.fr/hal-03207525v1

Abstract—With the popularity of software defined networking architectures, the growing complexity of its use cases dictates
the need for better auditability especially for security. In this paper, we aim at facilitating high-level management-plane policy
configuration conformance auditing and their reflection in the data plane, to detect missing or spurious flow rules with respect to security policies. To this end, we propose an efficient conformance checking approach based on an intentional northbound interface as well as traces of management, control and data plane. Leveraging a proof-of-concept implementation of our approach, we compare its conformance-checking runtime and precision against a direct method on virtual topologies and find that it significantly improves scalability. We conclude by proposing directions for further enhancements extending the techniques presented herein.

Index Terms—Software-defined networking, Intent-based networking, security, conformance checking,