SDN Intent-based conformance checking: application to security policies

With the popularity of software defined networking architectures, the growing complexity of its use cases dictates the need for better auditability especially for security. In this paper, we aim at facilitating high-level management-plane policy configuration conformance auditing and their reflection in the data plane, to detect missing or spurious flow rules with respect to security policies. To this end, we propose an efficient conformance checking approach based on an intentional northbound interface as well as traces of management, control and data plane. Leveraging a proof-of-concept implementation of our approach, we compare its conformance-checking runtime and precision against a direct method on virtual topologies and find that it significantly improves scalability. We conclude by proposing directions for further enhancements extending the techniques presented herein.