Method of authentication of a Hypervisor with an SDN controller

Disclosure Number: IPCOM000238116D
Publication Date: 2014-Aug-01
Document File: 5 page(s) / 137K
Publishing Venue: The Prior Art Database


Disclosed is a method to introduce authentication steps before the end host (hypervisor) can register in the Software-Defined Networking (SDN) controller. This increases security, as authentication is obtained before the host is listed as a host in the SDN controller.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 38% of the total text.


Current data centers are no longer static networks; logical networks are increasingly coming into deployment. The logical networks are essentially network overlays, which can be created from virtual machine (VM) to VM with full abstraction of the underlay (e.g., the type of switches or routers). These logical networks can be built within a single data center, or can span multiple data centers, as shown in Figure 1.

Figure 1: Logical network spanning over multiple data centers

This technology encapsulates the VM-to-VM packets with tunnel-driven parameters (e.g., Generic Routing Encapsulation (GRE), Virtual Extensible Local Area Network (VXLAN), etc.). Thus, the packet can be sent to the other logical end while the underlying network is not aware of the VM-specific network. Essentially, overlays build tunnels that abstract the underlay network.

The current solution starts with a host (a hypervisor) connecting to the Software-Defined Networking (SDN) controller. Then, the controller makes a map of all the available hosts. Based on that map, it can then make a logical network by provisioning tunnels.


All the technologies used to build these tunnels are open standards. The real issue is that, because there is no authentication mechanism in place, an attacker can easily overload the SDN controller by connecting too many false hosts to it. The host sends some form of connect packet, and the SDN controller accepts the connection. If the host's intentions are not legitimate, it can create an incorrect topology map in the controller, thereby breaking the solution.

A method is needed to obtain the host authentication before it is listed as a host in the SDN controller.

The novel solution is a method that introduces authentication steps before the end host (hypervisor) can register in the SDN controller. The authentication uses the MD5 hash algorithm with the Internet Protocol (IP) address of the controller as the data. If the hash matches, the host is authenticated. Using the IP address as the data ensures that the correct SDN controller is targeted in the event that the network contains multiple SDN controllers. The key for the MD5 authentication can be either a pre-shared key or one issued by a certification authority.

The steps for implementing the solution in a preferred embodiment follow.

On the SDN Controller:

1. Power on SDN controller

2. Assign IP address to SDN controller

3. Configure Pre-shared key and supported authentication algorithms

4. Create a digest from the combination of the pre-shared key and the associated IP (i.e., the SDN controller IP)

5. Configure whether or not the SDN controller accepts non-authenticated hosts/hypervisors

On Hypervisor:

1. Power on Hypervisor

2. Assign management IP address to Hypervisor

3. Configure Pre-Shared key and supported authentication algorithms

4. Configure support (allow/deny...
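The following is an added example, not code from the disclosure, that walks through the controller-side steps 2 to 5 above and the hypervisor-side steps that survive on this page (the hypervisor list is truncated in the extracted text). The disclosure names MD5 keyed with the pre-shared key over the controller IP but does not say how key and IP are combined; this example assumes HMAC-MD5. The controller addresses, host addresses, the key value and the `SdnController`, `Hypervisor`, `controller_digest` and `run_scenarios` names are all constructed for the example.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample values for this example; none come from the disclosure.
CONTROLLER_A_IP = "10.0.0.1"
CONTROLLER_B_IP = "10.0.0.2"          # a second controller in the same network
PSK = b"constructed-pre-shared-key"   # provisioned out of band (pre-shared or CA-issued per the page)


def controller_digest(psk: bytes, controller_ip: str, algorithm: str = "md5") -> bytes:
    """Digest over the controller's IP address, keyed with the pre-shared key.

    The disclosure specifies MD5 with the controller IP as data and the PSK as
    key but not how the two are combined; HMAC is this example's assumption.
    The address is parsed first so the digest covers its canonical binary form
    rather than whatever text the peer supplied.
    """
    packed_ip = ipaddress.ip_address(controller_ip).packed
    return hmac.new(psk, packed_ip, algorithm).digest()


@dataclass
class SdnController:
    """Controller-side steps 2 to 5: address, PSK/algorithms, digest, policy."""
    ip: str
    psk: bytes
    algorithms: tuple = ("md5",)
    accept_unauthenticated: bool = False
    hosts: list = field(default_factory=list)                  # the controller's host map
    _expected: dict = field(init=False, default_factory=dict)

    def __post_init__(self) -> None:
        # Step 4: one digest per supported algorithm, computed once at start-up.
        for alg in self.algorithms:
            self._expected[alg] = controller_digest(self.psk, self.ip, alg)

    def register(self, host_ip: str, algorithm: Optional[str] = None,
                 digest: Optional[bytes] = None) -> bool:
        """Handle a connect request; return True only if the host joins the map."""
        if digest is None:
            # Step 5: a connect with no digest is honoured only if policy allows it.
            if not self.accept_unauthenticated:
                return False
        else:
            expected = self._expected.get(algorithm)
            # An unsupported algorithm, a wrong key, or a digest computed for
            # another controller's IP all fail here; compare_digest is constant-time.
            if expected is None or not hmac.compare_digest(expected, digest):
                return False
        self.hosts.append(host_ip)
        return True


@dataclass
class Hypervisor:
    """Hypervisor-side steps 2 and 3: management IP, PSK and algorithm."""
    mgmt_ip: str
    psk: bytes
    algorithm: str = "md5"

    def connect(self, controller: SdnController, target_controller_ip: str) -> bool:
        # The hypervisor hashes the IP of the controller it intends to reach,
        # so a digest made for controller B is not accepted by controller A.
        digest = controller_digest(self.psk, target_controller_ip, self.algorithm)
        return controller.register(self.mgmt_ip, self.algorithm, digest)


def run_scenarios() -> dict:
    """Exercise the registration outcomes the disclosure is concerned with."""
    ctrl_a = SdnController(ip=CONTROLLER_A_IP, psk=PSK)
    ctrl_open = SdnController(ip=CONTROLLER_A_IP, psk=PSK, accept_unauthenticated=True)
    genuine = Hypervisor("192.168.1.10", PSK)
    impostor = Hypervisor("192.168.1.11", b"wrong-key")
    sha_only = Hypervisor("192.168.1.12", PSK, algorithm="sha256")

    return {
        "genuine_to_a": genuine.connect(ctrl_a, CONTROLLER_A_IP),
        "genuine_digest_for_b_sent_to_a": genuine.connect(ctrl_a, CONTROLLER_B_IP),
        "wrong_key": impostor.connect(ctrl_a, CONTROLLER_A_IP),
        "unsupported_algorithm": sha_only.connect(ctrl_a, CONTROLLER_A_IP),
        "no_digest_default_policy": ctrl_a.register("192.168.1.13"),
        "no_digest_open_policy": ctrl_open.register("192.168.1.13"),
        "hosts_on_ctrl_a": list(ctrl_a.hosts),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Only the genuine hypervisor that targets controller A ends up in A's host map; the wrong-key host, the host offering an algorithm the controller was not configured with, and the digest computed for controller B's address are all refused, and a digest-less connect succeeds only on the controller whose step 5 policy permits non-authenticated hosts. Because the digest is a function of the key and the controller address alone, it is the same value on every connection attempt; the page describes no per-connection input, and this example adds none.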