Title: ACLFLOW: An NFV/SDN Security Framework for Provisioning and Managing Access Control Lists
Authors: L. Mauricio, M. Rubinstein, O. Duarte
Venue: 2018 9th International Conference on the Network of the Future (NOF)
Publication date: 2018-11-01
DOI: 10.1109/NOF.2018.8598136 (https://doi.org/10.1109/NOF.2018.8598136)
Citations: 3
Abstract
Router Access Control Lists (ACLs) are the traditional way to selectively filter traffic in cloud computing. However, a large number of rules may be required, whereas the storage capacity of router Ternary Content Addressable Memories (TCAMs) is scarce and expensive. This paper proposes a Network Functions Virtualization (NFV)/Software-Defined Networking (SDN) security framework, named ACLFLOW. ACLFLOW (i) translates regular ACLs (source/destination IP, source/destination port, and protocol) into OpenFlow filtering rules; (ii) creates and manages large OpenFlow ACLs on distributed software switches, which act as security virtual network functions (named OpenFlow VNF-ACLs), to address the TCAM storage capacity problem; (iii) implements a proposed algorithm that dynamically prioritizes the most popular rules to accelerate switching operations; and (iv) orchestrates and accelerates the deployment of NFV/SDN environments into production clouds. We have implemented a framework prototype on the Open Platform for NFV (OPNFV) and evaluated its performance using different tools and scenarios. Results show that OpenFlow VNF-ACL improves maximum throughput by up to 90%, achieves HTTP request rates up to 50% higher, and reduces Round Trip Time (RTT) by 70% when compared with stateless iptables running in virtual machines. Moreover, the proposed algorithm dynamically improves the HTTP request rate of the flows with the highest traffic volume by 15% and reduces their RTT by 25% when compared with ACLFLOW without prioritization.