Title: Provenance for Intent-Based Networking
Intent-based networking (IBN) promises to simplify network management and the automated orchestration of high-level policies in future networking architectures such as software-defined networking (SDN). However, such abstraction and automation create new network visibility challenges. Existing SDN network forensics and diagnostics tools operate at a lower level of network abstraction, which makes intent-level reasoning difficult. We present PROVINTENT, a framework extension for SDN control plane tools that accounts for intent semantics. PROVINTENT records the provenance and evolution of intents as the network’s state and apps’ requests change over time, and it enables reasoning at multiple abstractions. We define an intent provenance model, implement a proof-of-concept tool, and evaluate the efficacy of PROVINTENT’s explanatory capabilities using a representative intent-driven network application.
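The abstract above describes recording how intents evolve as network state and app requests change, and explaining low-level network state in intent terms. The following toy ledger is an added example written for this page; it is not PROVINTENT's provenance model and not ONOS code. The host and switch names, the `fwd-app` intent, the BFS shortest-path routine standing in for the controller's intent compiler, and the `submit`/`link_down`/`link_up` events are all assumptions. Each (re)compilation of an intent is recorded as a new version together with the event that caused it, so a flow rule can be traced back to its intent, requesting app, version and triggering event, and an intent that lost its path keeps a record of why it currently has no rules:

```python
"""Toy intent-provenance ledger (hypothetical; not PROVINTENT's model or ONOS code)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

class FlowRule(NamedTuple):
    switch: str
    match: str      # simplified match, e.g. "dst=h2"
    action: str     # simplified action, e.g. "output:s2"

class IntentVersion(NamedTuple):
    version: int
    state: str                   # "INSTALLED" or "FAILED"
    cause: str                   # event that triggered this compilation
    path: Tuple[str, ...]        # empty when compilation failed
    rules: Tuple[FlowRule, ...]

@dataclass
class Intent:
    intent_id: str
    app: str
    src: str
    dst: str
    history: List[IntentVersion] = field(default_factory=list)

def _link(a: str, b: str) -> Tuple[str, str]:
    return (a, b) if a < b else (b, a)

class IntentProvenanceLedger:
    def __init__(self, links: Set[Tuple[str, str]]) -> None:
        self.links = {_link(a, b) for a, b in links}
        self.intents: Dict[str, Intent] = {}
        self.rule_index: Dict[Tuple[str, str], Tuple[str, int]] = {}  # (switch, match) -> (intent, version)

    def _shortest_path(self, src: str, dst: str) -> Optional[Tuple[str, ...]]:
        seen, queue = {src}, deque([(src,)])          # BFS over the live topology
        while queue:
            path = queue.popleft()
            if path[-1] == dst:
                return path
            for nxt in sorted(b if a == path[-1] else a
                              for a, b in self.links if path[-1] in (a, b)):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + (nxt,))
        return None

    def _compile(self, intent: Intent, cause: str) -> None:
        for r in (intent.history[-1].rules if intent.history else ()):
            self.rule_index.pop((r.switch, r.match), None)    # retire old rules
        version = len(intent.history) + 1
        path = self._shortest_path(intent.src, intent.dst)
        if path is None:
            intent.history.append(IntentVersion(version, "FAILED", cause, (), ()))
            return
        # one forwarding rule per switch on the path; path[0] and path[-1] are hosts
        rules = tuple(FlowRule(sw, f"dst={intent.dst}", f"output:{nxt}")
                      for sw, nxt in zip(path[1:-1], path[2:]))
        for r in rules:
            self.rule_index[(r.switch, r.match)] = (intent.intent_id, version)
        intent.history.append(IntentVersion(version, "INSTALLED", cause, path, rules))

    def submit(self, intent_id: str, app: str, src: str, dst: str) -> None:
        self.intents[intent_id] = Intent(intent_id, app, src, dst)
        self._compile(self.intents[intent_id], f"submit by {app}")

    def link_down(self, a: str, b: str) -> None:
        link = _link(a, b)
        self.links.discard(link)
        for intent in self.intents.values():     # recompile only intents on this link
            p = intent.history[-1].path
            if link in {_link(x, y) for x, y in zip(p, p[1:])}:
                self._compile(intent, f"link_down {link[0]}-{link[1]}")

    def link_up(self, a: str, b: str) -> None:
        link = _link(a, b)
        self.links.add(link)
        for intent in self.intents.values():     # retry intents that had no path
            if intent.history[-1].state == "FAILED":
                self._compile(intent, f"link_up {link[0]}-{link[1]}")

    def explain_rule(self, switch: str, match: str) -> Optional[dict]:
        hit = self.rule_index.get((switch, match))   # rule -> intent, app, version, event
        if hit is None:
            return None
        intent = self.intents[hit[0]]
        v = intent.history[hit[1] - 1]
        return {"intent_id": hit[0], "app": intent.app, "version": v.version,
                "cause": v.cause, "path": v.path}

def demo() -> IntentProvenanceLedger:
    # constructed topology: h1-s1-s2-h2 with a detour s1-s3-s2
    led = IntentProvenanceLedger({("h1", "s1"), ("s1", "s2"), ("s2", "h2"), ("s1", "s3"), ("s3", "s2")})
    led.submit("i1", "fwd-app", "h1", "h2")   # v1 via s1-s2
    led.link_down("s1", "s2")                 # v2 rerouted via s3
    led.link_down("s3", "s2")                 # v3 no path left: FAILED
    led.link_up("s1", "s2")                   # v4 reinstalled on the direct path
    return led
```

`demo()` walks one intent through install, reroute, failure and recovery. Afterwards `explain_rule("s1", "dst=h2")` points back at version 4 of `i1` and the `link_up` event that produced it, while the same query for `s3` returns `None` because that rule was retired when version 3 failed; the intent's `history` list is the evolution record the abstract refers to, with one entry per compilation and its cause.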
Award ID(s):
1657534 1750024
PAR ID:
10146534
Journal Name:
Proceedings of the IEEE Conference on Network Softwarization
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. Software-defined networking (SDN) has emerged as a flexible network architecture for central and programmatic control. Although SDN can improve network security oversight and policy enforcement, securing SDN itself against sophisticated attacks is an ongoing challenge for practitioners. Existing network forensics tools attempt to identify and track such attacks, but holistic causal reasoning across control and data planes remains challenging. We present PicoSDN, a provenance-informed causal observer for SDN attack analysis. PicoSDN leverages fine-grained data and execution partitioning techniques, as well as a unified control and data plane model, to allow practitioners to efficiently determine root causes of attacks and to make informed decisions on mitigating them. We implement PicoSDN on the popular ONOS SDN controller. Our evaluation across several attack case studies shows that PicoSDN is practical for the identification, analysis, and mitigation of SDN attacks.
  2. One of the goals of Software-Defined Networking (SDN) is to let users specify high-level policies that are translated into lower-level network rules. Managing a network and deciding which policy set is appropriate, however, requires expertise and low-level know-how. An emerging SDN paradigm is to let users express higher-level network decisions as “intents”. Despite its importance in simplifying network management, intent specification is not yet standardized. In this work, we propose a northbound interface (NBI) for intent declaration based on Behavior-Driven Development. In our approach, intents are specified in plain English and translated by our system into pre-compiled network policies, which are in turn converted into low-level rules by the software-defined infrastructure, e.g. an SDN controller. We demonstrate our behavior-driven approach with two practical use cases: service function chaining deployed on OpenStack, supported by both ONOS and Ryu controllers, and dynamic firewall programming. We also measure the overhead and response time of our NBI. We believe that our approach is far more general and paves the way for a more expressive and simplified northbound interface for intent-driven networking.
  3. Software-defined networking (SDN) overcomes many limitations of traditional networking architectures because of its programmable and flexible nature. Security applications, for instance, can dynamically reprogram a network to respond to ongoing threats in real time. However, the same flexibility also creates risk, since it can be used against the network. Current SDN architectures potentially allow adversaries to disrupt one or more SDN system components and to hide their actions in doing so. That makes assurance and reasoning about past network events more difficult, if not impossible. In this paper, we argue that an SDN architecture must incorporate various notions of accountability to achieve system-wide cyber resiliency goals. We analyze accountability based on a conceptual framework, and we identify how that analysis fits in with the SDN architecture’s entities and processes. We further consider a case study in which accountability is necessary for SDN network applications, and we discuss the limits of current approaches.
  4. To interconnect research facilities across wide geographic areas, network operators deploy science networks, also referred to as Research and Education (R&E) networks. These networks allow experimenters to establish dedicated network connections between research facilities for transferring large amounts of data. Recently, R&E networks have started using Software-Defined Networking (SDN) and Software Defined Exchanges (SDX) for deploying these connections. AtlanticWave/SDX is a response to the growing demand to support end-to-end network services spanning multiple SDN domains. However, requesting these services is a challenging task for domain-expert scientists, because the interfaces of the R&E networks have been developed by network operators for network operators. In this paper, we propose interfaces that allow domain-expert scientists to reserve resources of the scientific network using abstractions that focus on their data transfer needs for scientific workflow management. Recent trends in the networking field pursue better interfaces for requesting network services (e.g., intent-based networking). Although intents are sufficient for the needs of network operations, they are not abstract enough in most cases to be used by domain-expert scientists. This is an issue we are addressing in the AtlanticWave/SDX design: network operators and domain-expert scientists will have their own interfaces focusing on their specific needs.
  5. Poster Abstract: To interconnect research facilities across wide geographic areas, network operators deploy science networks, also referred to as Research and Education (R&E) networks. These networks allow experimenters to establish dedicated network connections between research facilities for transferring large amounts of data. Recently, R&E networks have started using Software-Defined Networking (SDN) and Software Defined Exchanges (SDX) for deploying these connections. AtlanticWave/SDX is a response to the growing demand to support end-to-end network services spanning multiple SDN domains. However, requesting these services is a challenging task for domain-expert scientists, because the interfaces of the R&E networks have been developed by network operators for network operators. In this paper, we propose interfaces that allow domain-expert scientists to reserve resources of the scientific network using abstractions that focus on their data transfer needs for scientific workflow management. Recent trends in the networking field pursue better interfaces for requesting network services (e.g., intent-based networking). Although intents are sufficient for the needs of network operations, they are not abstract enough in most cases to be used by domain-expert scientists. This is an issue we are addressing in the AtlanticWave/SDX design: network operators and domain-expert scientists will have their own interfaces focusing on their specific needs.
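Item 2 above describes a behavior-driven northbound interface in which an intent written as a Given/When/Then scenario is first mapped to a pre-compiled policy and only then lowered to low-level rules. The following is an added example written for this page, not the paper's system and not any controller's API: the scenario grammar, the `HOSTS` address book, the OvS-style field names (`dl_type` 0x0800 is IPv4) and the priority scheme are all assumptions. The security-relevant design choice it shows is that an intent outside the grammar, naming an unknown host, or carrying an impossible port is rejected rather than guessed at, so a mis-phrased intent can never silently compile into a permissive rule:

```python
"""Toy behavior-driven intent NBI (hypothetical; not the paper's system or any controller's API)."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# constructed address book and IP protocol numbers for the example
HOSTS: Dict[str, str] = {"h1": "10.0.0.1", "h2": "10.0.0.2", "any": "0.0.0.0/0"}
PROTO: Dict[str, int] = {"tcp": 6, "udp": 17, "icmp": 1}

# the accepted scenario grammar: one line per step, nothing else is understood
GIVEN = re.compile(r"^Given host (\w+) wants to reach host (\w+)$")
WHEN = re.compile(r"^When the traffic is (tcp|udp|icmp)(?: on port (\d+))?$")
THEN = re.compile(r"^Then (allow|deny) it$")

@dataclass(frozen=True)
class Policy:
    """Pre-compiled policy: the intermediate form between intent text and flow rules."""
    src: str
    dst: str
    proto: str
    port: Optional[int]
    action: str

def parse_intent(text: str) -> Policy:
    """Parse a Given/When/Then scenario; reject anything outside the grammar."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) != 3:
        raise ValueError("intent must consist of exactly Given, When and Then lines")
    g, w, t = GIVEN.match(lines[0]), WHEN.match(lines[1]), THEN.match(lines[2])
    if not (g and w and t):
        raise ValueError(f"unrecognised intent: {text!r}")
    src, dst = g.groups()
    if src not in HOSTS or dst not in HOSTS:
        raise ValueError(f"unknown host in {src!r} -> {dst!r}")
    proto, port = w.groups()
    if port is not None and (proto == "icmp" or not 0 < int(port) < 65536):
        raise ValueError(f"invalid port {port!r} for {proto}")
    return Policy(src, dst, proto, int(port) if port else None, t.group(1))

def compile_policy(p: Policy) -> Dict[str, object]:
    """Lower a Policy to one OpenFlow-style rule (OvS-like field names, assumed)."""
    rule: Dict[str, object] = {
        "priority": 200 if p.action == "deny" else 100,   # deny wins where rules overlap
        "dl_type": 0x0800,
        "nw_src": HOSTS[p.src],
        "nw_dst": HOSTS[p.dst],
        "nw_proto": PROTO[p.proto],
    }
    if p.port is not None:
        rule["tp_dst"] = p.port
    rule["actions"] = "drop" if p.action == "deny" else "NORMAL"
    return rule

def intent_to_rule(text: str) -> Dict[str, object]:
    """Intent text -> pre-compiled policy -> low-level rule, in two explicit stages."""
    return compile_policy(parse_intent(text))

def is_rejected(text: str) -> bool:
    """True when the NBI refuses the intent instead of guessing at it."""
    try:
        parse_intent(text)
    except ValueError:
        return True
    return False
```

Keeping the `Policy` stage explicit is what makes the two-level translation auditable: the policy is what an operator reviews, and `compile_policy` is the only place that knows controller-specific field names, so swapping the southbound target does not touch the grammar.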