SDN in LANs: Programming the Network to Secure IoT Traffic
Nicolas Le Sauze and Mathieu Boussard, Nokia Bell Labs
Context: both SDN and high-end IoT gaining maturity
In today’s world, we are surrounded by more and more connected devices, collecting data and offering services to ease every aspect of our connected lives. Whether it is for work, leisure, health, etc., we will increasingly interact with smart devices that we either own, or that are made accessible to us by third parties as different as friends or smart city providers. However, recent studies have shown that end users are concerned about the privacy and security issues this future is introducing [Trustee2015]. Hurdles include:
- security, as some of these devices may not be powerful enough to handle strong security processes and as such can become an attack vector towards other devices;
- data privacy, as we often don’t know when and how our personal data is collected, and by whom and for what purpose.
In parallel, the advent of Software Defined Networking (SDN) is profoundly transforming how networks are managed. Introduced in data centers to cope with the “cloudification” of software services and the associated demands for more scalability, fast deployment and reconfiguration, SDN is now also starting to commercially impact core and access networks. Yet, the applicability of SDN to home LANs has so far remained a limited research area [SIGCOM2011]. Historically, our home networks were tightly bound to the physical space of the home, relying on locally significant Layer 2 protocols and interconnecting with the outside world through an Internet Gateway. For example, the Universal Plug and Play (UPnP) protocols enable automatic detection and consumption of services offered by devices at home. The two drawbacks of this legacy are:
- it requires a large degree of openness within the LAN so that unicast and multicast traffic can flow freely between devices, when security and privacy concerns would rather advocate for more control, e.g. through isolation, between devices of the LAN; and
- we now live in a world where we want to have access to our home devices from anywhere, imposing complex Internet Gateway configuration procedures. More recent solutions avoid such problems by having connected devices work in silos and in relation with an external cloud service - but this introduces the aforementioned loss of control for the users, and a possible additional complexity to create interactions between devices from different service providers.
SDN benefits can remove remaining barriers for a faster and wider adoption of IoT devices in the home
The above considerations motivated our research of a Smart Environment Controller (SEC) to break silos between devices and networks by securely mixing resources within and across multiple IoT-based smart environments [ITC2015].
Figure 1: a) Smart Environment Controller (SEC) for home network and device fine-grain control, b) creation of a multi-location Software-Defined LANs between two remote homes.
Relying on SDN principles, the SEC creates a clear separation between the data/forwarding plane, the control and management plane, and the application plane (Figure 1a). Physical devices are represented as virtual objects (VO) to hide the underlying device specifics [WoT2011], while the network controller enables controlled communication between devices through dynamic programming of the Open vSwitch (OVS)-based home gateway with OpenFlow commands. Acting as a software intermediary between the applications and the data plane, the SEC receives simple commands from the user to authorize communications between groups of devices that we call Communities of Virtual Objects (CoVO). The resulting network configuration for each CoVO is therefore called a Software-Defined LAN (SD-LAN): all specified devices of the CoVO can communicate as if they were on the same physical LAN (i.e. through unicast or multicast), while being isolated from non-participating devices. It is possible to have CoVOs spanning different domains, by coordinating the corresponding SEC components to establish communication links through appropriate tunnelling mechanisms (e.g. GRE, VXLAN). The resulting SD-LANs span multiple physical LANs, allowing distant end-users to easily and safely share devices with each other (Figure 1b). In [ITC2015], we report the results obtained with a first prototype that realizes the scenario of Figure 1, for which we developed all components of the SEC as well as an accompanying Android application providing a user interface to manage devices and CoVOs. Besides the CoVO business logic implementation and related interfaces, the SEC embeds a network controller implementation responsible for translating CoVO definitions into the proper OpenFlow-based forwarding rules to realize the corresponding SD-LAN. It is important to note that this implementation may either be instantiated in an ISP service suite or in a pure over-the-top mode.
Software components may also run on a physical box in the home (ISP gateway or additional IoT gateway) or partially in an edge cloud. Such discussions are left for further studies, as they lead to very different business models and technical implementations, e.g. for interconnecting users from different ISPs.
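The following is an added illustration of the translation step described above, not the SEC's own controller code: it turns CoVO definitions (sets of device names) into an OpenFlow rule set in the syntax accepted by `ovs-ofctl add-flow`, where unicast is forwarded only between members of a common CoVO, multicast and broadcast are flooded only to a member's CoVO peers, and everything else is dropped by a default rule. It also shows the `ovs-vsctl` command for a VXLAN tunnel port through which a remote home's devices would be attached. Device names, MAC addresses, port numbers and the remote gateway address are constructed, and the `lookup` function is a minimal stand-in for the switch's table lookup used to check that the generated rules enforce the CoVOs.

```python
"""Translating CoVO definitions into OpenFlow rules for an Open vSwitch home gateway.
Added illustration, not the SEC's own controller code; devices, MACs, port numbers
and the remote gateway address are constructed."""
from dataclasses import dataclass

MCAST = "01:00:00:00:00:00/01:00:00:00:00:00"  # OpenFlow match: Ethernet group bit set

@dataclass(frozen=True)
class Device:
    name: str
    mac: str
    port: int  # OVS port number of the device (or of a tunnel to its remote home)

@dataclass
class Flow:
    priority: int
    match: dict    # subset of {"in_port", "dl_src", "dl_dst"}
    actions: list  # e.g. ["output:2", "output:3"] or ["drop"]

    def render(self) -> str:
        """Rule in the syntax accepted by `ovs-ofctl add-flow`."""
        parts = [f"priority={self.priority}"] + [f"{k}={v}" for k, v in self.match.items()]
        return ",".join(parts) + ",actions=" + ",".join(self.actions)

# Constructed sample: four devices behind one gateway and two overlapping CoVOs.
DEVICES = {
    "tv":      Device("tv",      "aa:bb:cc:00:00:01", 1),
    "speaker": Device("speaker", "aa:bb:cc:00:00:02", 2),
    "scale":   Device("scale",   "aa:bb:cc:00:00:03", 3),
    "phone":   Device("phone",   "aa:bb:cc:00:00:04", 4),
}
COVOS = {"media": {"tv", "speaker"}, "health": {"scale", "phone", "tv"}}

def covo_flows(devices, covos):
    """Build the SD-LAN rule set: unicast is forwarded only between members of a
    common CoVO, multicast/broadcast from a member is flooded only to its CoVO
    peers, and everything else hits a priority-0 drop.  Matching on in_port as
    well as dl_src pins each MAC to its port, so a device elsewhere on the
    bridge cannot join a CoVO by spoofing a member's address."""
    peers = {name: set() for name in devices}
    for members in covos.values():
        for member in members:
            peers[member] |= members - {member}
    flows = []
    for name, others in peers.items():
        src = devices[name]
        by_port = sorted(others, key=lambda o: devices[o].port)
        for other in by_port:
            dst = devices[other]
            flows.append(Flow(100, {"in_port": src.port, "dl_src": src.mac,
                                    "dl_dst": dst.mac}, [f"output:{dst.port}"]))
        if by_port:
            flows.append(Flow(90, {"in_port": src.port, "dl_src": src.mac, "dl_dst": MCAST},
                              [f"output:{devices[o].port}" for o in by_port]))
    flows.append(Flow(0, {}, ["drop"]))  # isolation is the default, not the exception
    return flows

def tunnel_port_cmd(bridge: str, port_name: str, remote_ip: str, key: int) -> str:
    """ovs-vsctl command adding a VXLAN port towards a remote SEC-managed gateway;
    devices behind it are then declared as Device(..., port=<that port's number>)."""
    return (f"ovs-vsctl add-port {bridge} {port_name} -- set interface {port_name} "
            f"type=vxlan options:remote_ip={remote_ip} options:key={key}")

def _mac_matches(value: str, pattern: str) -> bool:
    """Exact or masked ('value/mask') MAC comparison, as an OpenFlow switch does it."""
    if "/" in pattern:
        want, mask = pattern.split("/")
        w, m, v = (int(x.replace(":", ""), 16) for x in (want, mask, value))
        return v & m == w & m
    return value.lower() == pattern.lower()

def lookup(flows, in_port: int, dl_src: str, dl_dst: str):
    """Actions of the highest-priority flow matching a frame: a tiny stand-in for
    the switch, used to check that the generated table enforces the CoVOs."""
    best = None
    for f in flows:
        m = f.match
        if "in_port" in m and m["in_port"] != in_port:
            continue
        if "dl_src" in m and not _mac_matches(dl_src, m["dl_src"]):
            continue
        if "dl_dst" in m and not _mac_matches(dl_dst, m["dl_dst"]):
            continue
        if best is None or f.priority > best.priority:
            best = f
    return best.actions if best else ["drop"]

if __name__ == "__main__":
    table = covo_flows(DEVICES, COVOS)
    for f in table:
        print(f.render())
    print(tunnel_port_cmd("br0", "vx-home2", "198.51.100.7", 4711))  # constructed remote
    tv, speaker, scale = (DEVICES[n].mac for n in ("tv", "speaker", "scale"))
    print("tv -> speaker:", lookup(table, 1, tv, speaker))            # ['output:2'] (media)
    print("speaker -> scale:", lookup(table, 2, speaker, scale))      # ['drop'] (no common CoVO)
    print("port 4 spoofing tv -> speaker:", lookup(table, 4, tv, speaker))  # ['drop']
```

Two design points carry the security value of the SD-LAN: the table is default-deny (the priority-0 drop) so a device not placed in any CoVO can reach nothing, and every allow rule matches on `in_port` together with `dl_src`, so membership is tied to the physical (or tunnel) port rather than to a MAC address that another device on the bridge could claim. The `tv`, which belongs to both CoVOs, illustrates that overlapping communities simply union their peer sets for that device without leaking traffic between the `speaker` and the health devices.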
Beyond home scenarios, a revolution for any smart environment
By enforcing network control (isolation, connection, monitoring), SD-LANs represent a straightforward manner to meet end-user expectations for better control of their security and privacy in smart environments. Through a simple user interface, we enable fine-grained network control, while removing the technical hurdles generally associated with interconnecting multiple physical environments. Our approach allows building service-oriented overlay networks that dynamically follow users and their evolving needs, as suggested in Figure 2. For instance, a user could create a number of service-specific CoVOs resulting in various shared or private SD-LANs.
Figure 2: Example of Service-oriented SD-LANs in/between home and business environments
Figure 2 also illustrates that different smart environments can be controlled in order to take into account the multiple identities of end-users (me and my devices at work, me and my devices at home). For example, in the enterprise domain, SD-LANs facilitate accommodating Bring Your Own Device (BYOD) behaviours. They improve network security by allowing both end-users and corporate network administrators to create specific isolated slices with well-defined characteristics. They can also advantageously be used in smart building scenarios to isolate fleets of devices while imposing specific networking characteristics among them. In the smart city domain, various silos can be enforced (e.g. for security/privacy purposes) or, on the contrary, intersected with fine-grained control (by instantiating SD-LANs encompassing selected devices from different silos, and only those). More interestingly, and when authorized, SD-LANs can be created across these various domains and actors, for instance to add a private home device to a fleet of smart city devices, or to define a short-lived connection between a corporate device and a home device with a specified Quality of Service (QoS).
Our first results show that there is great value for the end-user in considering the network of the Internet of Things not as a “dumb” pipe but as a key enabler of her security and privacy – it is about time we put the user back in control of her network, and as a result of her connected life!
[SIGCOM2011] Y. Yiakoumis, K.-K. Yap, S. Katti, G. Parulkar, and N. McKeown, “Slicing home networks,” in Proceedings of the 2nd ACM SIGCOMM Workshop on Home Networks, 2011, pp. 1–6.
[ITC2015] M. Boussard, D. T. Bui, L. Ciavaglia, R. Douville, M. Le Pallec, N. Le Sauze, L. Noirie, S. Papillon, P. Peloso, and F. Santoro, “Software-Defined LANs for Interconnected Smart Environment,” in Proceedings of the 27th International Teletraffic Congress (ITC 27), 8–10 Sept. 2015, pp. 219–227.
[WoT2011] M. Boussard, B. Christophe, O. Le Berre, and V. Toubiana, “Providing user support in Web-of-Things enabled Smart Spaces,” in Proceedings of the 2nd International Workshop on the Web of Things (WoT 2011), ACM, San Francisco, USA, June 2011.
Nicolas Le Sauze received his engineering degree in 1998 from the ENST Bretagne in France and joined the Alcatel corporate research centre to work on optical packet switches and optical Ethernet solutions for metropolitan networks until 2006. He then acted as research manager with Alcatel-Lucent Bell Labs in Villarceaux, leading various projects on Ethernet and IP technologies and related control protocols. From 2010 to 2013, he led the FP7 ETICS project on solutions and business models for inter-carrier QoS management. Since 2014, his research interests have revolved around the evolution of network protocols and network solutions in support of the emerging Internet of Things challenges.
He authored or co-authored around 30 technical papers in peer-reviewed international conferences or journals, and owns over 20 active patents.
Mathieu Boussard is a research fellow at Nokia Bell Labs. He received his engineering degree from the French ‘Institut National des Télécommunications’ in 2000, specializing in parallel and distributed computing. After working as a Guest Researcher at the National Institute of Standards and Technology (NIST) on clustering environments, he joined telecom manufacturer Alcatel as a development and system engineer in 2001.
In 2004, he joined Alcatel’s Research & Innovation division, working on context-aware systems, multimodal user interfaces research and mobile and ubicomp applications, taking part in and coordinating multiple internal and collaborative research projects. From 2010 to 2013, he led internal research projects investigating the Web of Things and Smart Environments. Since 2014, he has been investigating the applicability of Software-Defined Networking to Internet of Things security and applications.
He has co-authored over 20 peer-reviewed publications and 20 patents.
Stefano Salsano is Associate Professor at the University of Rome Tor Vergata. His current research interests include Software Defined Networking, Information-Centric Networking, Mobile and Pervasive Computing, Seamless Mobility. He participated in 16 research projects funded by the EU, being Work Package leader or unit coordinator in 8 of them (ELISA, AQUILA, SIMPLICITY, Simple Mobile Services, PERIMETER, OFELIA, DREAMER/GN3plus, SCISSOR) and technical coordinator in one of them (Simple Mobile Services). He has been principal investigator in several research and technology transfer contracts funded by industries (Docomo, NEC, Bull Italia, OpenTechEng, Crealab, Acotel, Pointercom, s2i Italia) with a total funding of more than 1.3M€. He has led the development of several testbeds and demonstrators in the context of EU projects, most of them released as Open Source software. He is co-author of an IETF RFC and of more than 130 papers and book chapters that have been collectively cited more than 2300 times. His h-index is 27.
IEEE Softwarization Editorial Board
Laurent Ciavaglia, Editor-in-Chief
Mohamed Faten Zhani, Managing Editor
TBD, Deputy Managing Editor
Syed Hassan Ahmed
Dr. J. Amudhavel
Atta ur Rehman Khan
Muhammad Maaz Rehan