Security Requirements in the Software Defined Networking Model
draft-hartman-sdnsec-requirements-00

Network Working Group                                         S. Hartman
Internet-Draft                                              M. Wasserman
Intended status: Informational                         Painless Security
Expires: April 18, 2013                                         D. Zhang
                                             Huawei Technologies co. ltd
                                                        October 15, 2012

     Security Requirements in the Software Defined Networking Model
                  draft-hartman-sdnsec-requirements-00

Abstract

   Software defined/driven networks provide new dimensions of
   flexibility in network design.  This document analyzes security
   requirements as we design protocols to support multiple network
   applications on an SDN in an open manner.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 18, 2013.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Hartman, et al.          Expires April 18, 2013                 [Page 1]
Internet-Draft          SDN Security Requirements           October 2012

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Moving Beyond a Single Application . . . . . . . . . . . . . .  3
     2.1.  Class 1: Network Sensitive Applications  . . . . . . . . .  3
     2.2.  Class 2: Services for the Network  . . . . . . . . . . . .  4
     2.3.  Class 3: Packaged Network Services . . . . . . . . . . . .  5
   3.  Authentication, Authorization and Multiple Organizations . . .  6
   4.  Security Requirements  . . . . . . . . . . . . . . . . . . . .  8
     4.1.  Nested Application Security  . . . . . . . . . . . . . . .  9
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . .  9
   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 10
   7.  Informative References . . . . . . . . . . . . . . . . . . . . 10
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10

1.  Introduction

   This document analyzes the security of SDN architectures as we work
   to build SDN frameworks supporting multiple applications at the same
   time.  This document assumes that protocols like Openflow will be
   used between an SDN controller and switches.  However, this document
   also assumes that there will be additional protocols between
   controllers and between controllers and applications.  Those
   protocols are the focus of the current analysis.

2.  Moving Beyond a Single Application

   Openflow defines a protocol between a physical switch and a
   controller.  Several factors motivate a layer between the controller
   and applications.  For example, [I-D.nadeau-sdn-problem-statement]
   discusses a model where managed service providers (MSPs) provide
   networking services to applications.  This model involves the
   following attributes that significantly affect SDN security analysis:

   o  An application in one organization may use an MSP in another

   o  MSPs may be nested; one MSP may use the services of another

   o  Privacy concerns may limit what information should be exposed

   o  Applications require significant authorization and policy

   The remainder of this section examines a few classes of applications
   in order to identify characteristics of SDN use cases that affect
   security.

2.1.  Class 1: Network Sensitive Applications

   Some applications require particular characteristics from the
   network.  For example an application might need access to ports in a