Unlike an ACL, which controls forwarding in the data plane, the management of network resources (e.g., network statistics, flow rules) in an SDN-based cloud has to be enforced from two aspects: configuration and access. Correct network configuration keeps each tenant operating within its own legitimate network space, and effective access control limits the privileges of tenants and protects controller resources.
To address this issue, SDNKeeper, a generic and fine-grained policy enforcement system for SDN-based clouds, is proposed; it prevents network resource misconfiguration and defends against unauthorized access. With SDNKeeper, administrators can create numerous flexible network management policies, which give them discretionary control over the network resources of any tenant. Specifically, SDNKeeper rejects any over-privileged network resource request sent from a tenant to the SDN controller. Moreover, SDNKeeper is application-transparent and supports runtime policy updates.
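The following is an added illustration of the enforcement point described above; it is not SDNKeeper's code and does not claim to reproduce its policy language. It assumes a hypothetical default-deny policy model in which each tenant policy names the allowed actions (read/write), resources (flow rules, statistics), switches, and optionally the VLANs and ports the tenant may touch. Requests that exceed a tenant's grant are rejected, a flow rule that is not scoped to a VLAN is rejected as a misconfiguration that would match other tenants' traffic, and the whole policy set can be swapped at runtime without restarting controller applications. Tenant names, switch identifiers and VLAN numbers in the sample policies are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """A tenant's request to the controller's northbound interface (hypothetical shape)."""
    tenant: str
    action: str                  # "read" or "write"
    resource: str                # "flow_rule" or "statistics"
    switch: str                  # datapath identifier, e.g. "s1"
    vlan: Optional[int] = None   # VLAN the request is scoped to, if any
    port: Optional[int] = None   # port the request is scoped to, if any


@dataclass(frozen=True)
class Policy:
    """One grant for one tenant. Anything not covered by a grant is denied (default deny)."""
    tenant: str
    actions: FrozenSet[str]
    resources: FrozenSet[str]
    switches: FrozenSet[str]
    vlans: FrozenSet[int] = frozenset()   # empty means no VLAN restriction
    ports: FrozenSet[int] = frozenset()   # empty means no port restriction


class PolicyEnforcer:
    """Sits between tenants and the controller and rejects over-privileged requests."""

    def __init__(self, policies: Optional[List[Policy]] = None):
        self._by_tenant: Dict[str, List[Policy]] = {}
        self.update(policies or [])

    def update(self, policies: List[Policy]) -> None:
        """Replace the whole policy set at runtime; applications using the controller are untouched."""
        fresh: Dict[str, List[Policy]] = {}
        for p in policies:
            fresh.setdefault(p.tenant, []).append(p)
        # single attribute swap: a concurrent check sees either the old or the new set, never a mix
        self._by_tenant = fresh

    def check(self, req: Request) -> Tuple[bool, str]:
        """Return (allowed, reason). Allowed only if some grant covers every attribute of the request."""
        if req.action not in ("read", "write") or req.resource not in ("flow_rule", "statistics"):
            return False, "malformed request"
        # A flow rule without a VLAN match would steer traffic of every tenant on the switch:
        # treat it as a misconfiguration rather than a privilege question.
        if req.action == "write" and req.resource == "flow_rule" and req.vlan is None:
            return False, "flow rule must be scoped to a VLAN"
        for p in self._by_tenant.get(req.tenant, []):
            if req.action not in p.actions or req.resource not in p.resources:
                continue
            if req.switch not in p.switches:
                continue
            # A VLAN- or port-restricted grant does not cover a request with no VLAN/port:
            # switch-wide statistics would leak other tenants' counters.
            if p.vlans and (req.vlan is None or req.vlan not in p.vlans):
                continue
            if p.ports and (req.port is None or req.port not in p.ports):
                continue
            return True, "allowed by policy"
        return False, "no policy grants this request (default deny)"


def build_demo_enforcer() -> PolicyEnforcer:
    """Constructed sample: tenant-a owns VLAN 10 on s1; tenant-b may only read counters of port 3 on s1."""
    return PolicyEnforcer([
        Policy("tenant-a", frozenset({"read", "write"}), frozenset({"flow_rule", "statistics"}),
               frozenset({"s1"}), vlans=frozenset({10})),
        Policy("tenant-b", frozenset({"read"}), frozenset({"statistics"}),
               frozenset({"s1"}), ports=frozenset({3})),
    ])


if __name__ == "__main__":
    enforcer = build_demo_enforcer()
    for req in (
        Request("tenant-a", "write", "flow_rule", "s1", vlan=10),   # within grant
        Request("tenant-a", "write", "flow_rule", "s1", vlan=20),   # another tenant's VLAN
        Request("tenant-a", "write", "flow_rule", "s1"),            # unscoped rule: misconfiguration
        Request("tenant-b", "write", "flow_rule", "s1", vlan=10),   # read-only tenant
        Request("tenant-c", "read", "statistics", "s1"),            # unknown tenant
    ):
        print(req, enforcer.check(req))
```

The reason string is returned alongside the verdict so the enforcement point can log why a request was refused; in a real deployment that log is what lets an administrator distinguish a misconfigured tenant application from a deliberate attempt to reach another tenant's resources.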