FedAAA-SDN: Federated Authentication, Authorization and Accounting in SDN controllers

COMPUTER NETWORKS (2024)

Abstract
Modern technology advancements such as Software Defined Networking (SDN) have been employed in distinct scenarios such as cloud computing and wireless networks, and have made network administration simpler, since SDN gives greater flexibility in centralizing the configurations of a network and its data. Several SDN controllers have started to offer Authorization, Authentication, and Accounting (AAA) services to improve user management and security, including support for OAuth 2.0. However, basic authentication schemes using the tuple username and password are not considered secure nowadays (prone to brute force attacks), and the use of basic tokens in OAuth 2.0 is conducive to security vulnerabilities, so these schemes do not meet the security requirements of current and future use cases dealing with authentication. Therefore, the main objective of this work is the design and evaluation of the FedAAA-SDN framework, which enables authentication, authorization, and accounting mechanisms in SDN controllers controlling different types of networks. In particular, the FedAAA-SDN framework enables federated authentication and authorization processes for network functions by conveying identity and authentication information across heterogeneous domains/networks, and also allows network operators to enforce authorization policies for network functions in wired and wireless networks. A FedAAA-SDN proof of concept is implemented with OpenDaylight as the SDN controller, OpenID Connect as the authentication and authorization mechanism, and Keycloak as the OpenID Provider. FedAAA-SDN also includes the concept of trust levels and trust policies that rely on the context information of a user's device and associated connected access networks. The implementation of the FedAAA-SDN framework proof of concept involves modifications in the OpenDaylight AAA filter component to secure all the interactions with the several network applications/subcomponents of the OpenDaylight SDN controller.
STRIDE security analysis demonstrates that the FedAAA-SDN framework is able to reduce the number of threats.
Keywords
SDN, Authentication, Authorization, Accounting, OpenID Connect, OpenDaylight