Policy Delegation and Migration for Software-Defined Networks (Andrew Ferguson PhD Thesis)

In today’s networks, non-administrative users have little interaction with a network’s control-plane. Such users can send probe traffic to develop inferences about the network’s present state, yet they cannot directly contact the control-plane for answers because of security or privacy concerns. In addition to reading the control-plane’s state, modern applications have increasing need to write configuration state as well. These applications, running in home, campus, and datacenter networks, know what they need from the network, yet cannot convey such intentions to the control-plane. This dissertation introduces participatory networking, a novel platform for delegating read and write authority from a network’s administrators to end users, or applications and devices acting on their behalf. Users can then work with the network, rather than around it, to achieve better performance, security, or predictable behavior. Our platform’s design addresses the two key challenges: how to safely decompose control and visibility of the network, and how to resolve conflicts between untrusted users and across requests, while maintaining baseline levels of fairness and security. We present a prototype implementation of participatory networking, structured as an API and controller for OpenFlow-based software-defined networks (SDNs). We call our controller PANE, and demonstrate its usefulness by experiments with four real applications (Ekiga, SSHGuard, ZooKeeper, and Hadoop), and its practicality through microbenchmarks. Furthermore, we develop a mechanical proof for a key portion of PANE, the first for an SDN controller. Unfortunately, network administrators interested in using SDN controllers such as PANE to manage the network face the herculean challenge of migrating existing policy to the new platform.
To lessen this challenge, this dissertation introduces Exodus, the first tool for directly translating existing network configurations in languages such as Cisco IOS and Linux iptables to SDN controller software. These controllers are written in Flowlog, a novel, rule-based, tierless language for SDNs we significantly enhance for Exodus. Automatic migration of existing configurations into SDN controllers has exposed several limitations in both today’s languages for SDN programming, and OpenFlow itself. This dissertation explores these limits, and provides guidance on SDN migration and necessary switch features.


Andrew Ferguson

PhD Student (2009 - 2014)

Graduated 2014, now at Google

I am a fifth-year Ph.D. student in the Computer Science department of Brown University, advised by Rodrigo Fonseca. I’m broadly interested in operating systems and computer networks, which has led to my current focus on distributed systems, such as the Hadoop implementation of MapReduce, and the Internet. My research is currently exploring new designs for collaboratively sharing network resources, network filesystem issues in Hadoop, and the use of ISP backbone networks.