Implementation of C-BAS: Certificate-Based AAA for SDN Experimental Facilities

Recent work in software-defined networking experimental facilities has been shifting towards large scale deployments through federation of resources that span across continents and make it possible to perform experiments at a global scale. The success of such deployments very much depends on the design and implementation of essential, secure mechanisms for authentication, authorization, and accounting (AAA) that not only ensure the robustness of such facilities against intrusions and unauthorized use but also ease experimentation and system administration in such complex environments. C-BAS is an initiative in this direction that uses a secure and flexible certificate-based AAA architecture for SDN experimental facilities. Advanced certificate-based authentication and authorization makes C-BAS inherently resilient against attacks specific to traditional AAA mechanisms, increases flexibility and autonomy in experimental facility system administration, and facilitates federation. This article introduces the implementation details of C-BAS, explains its features through use cases, and evaluates its computational performance.