Managing and controlling network traffic is undergoing a major change, which manifests itself in software defined networking (SDN). At the core of SDN is the separation between the network's data plane and its control plane. At the data plane, network packets are physically shipped from one network component to the next until they reach their destination. The control plane comprises a logically centralized software entity—the SDN controller—running on commodity hardware. Today's controllers like NOX (see, for reference, N. Gude et al.: “NOX: Towards an operating system for networks,” ACM SIGCOMM Computer Communication Review, 38(3):105-110, 2008) and Beacon (see, for reference, D. Erickson: “The Beacon OpenFlow controller,” in Workshop on Hot Topics in Software Defined Networking (HotSDN), 2013) provide an abstract view on the network and an interface based on the programming model defined by the OpenFlow standard (see, for reference, OpenFlow switch specification—version 1.0.0. Open Networking Foundation, 2009). OpenFlow provides the means to program the network resources, i.e. essentially switches, which the controller uses to interact with the data plane. Network applications, e.g., for managing and analyzing the network, run on top of the controller.
Sharing network resources with user groups, divisions, or even other companies in software defined networking (SDN) is recently gaining increasing attention, owing to its promises for better network utilization. Resource sharing is effectively realized in SDN by empowering the involved parties at the control plane with permissions for administrating network components or parts thereof. Different tenants can lease a network slice (and therefore share the network resources) by installing and running their own application atop the network owner's controller using a so-called north-bound API (Advanced Programming Interface). These different tenants usually share network resources and at the same time might also compete among each other.
In this case, restricting the access of the network users (i.e., the network owner and the leasing tenants) and the applications to the network components emerges as a necessity to ensure the correct operation of the SDN network. While some existing proposals (for instance R. Sherwood et al.: “Can the production network be the testbed?,” in Symposium on Operating Systems Design and Implementation (OSDI), 2010, or P. Porras et al.: “A security enforcement kernel for OpenFlow networks,” in Workshop on Hot Topics in Software Defined Networks (HotSDN), 2012) include best-effort mechanisms for restricting the access to the network resources, these mechanisms are limited in their scope, do not scale with the number of applications, and it is not clear what kind of access control policies can be realized by them.