SDNRG R. Marin-Lopez Internet-Draft G. Lopez-Millan Intended status: Experimental University of Murcia Expires: May 14, 2016 November 11, 2015 Software-Defined Networking (SDN)-based AAA Infrastructures Management draft-marin-sdnrg-sdn-aaa-mng-00 Abstract This document describes the management of Authentication, Authorization and Accounting (AAA) infraesctrutures by means of a Software-Defined Network (SDN) controller and raises the requirements to support this service. It considers the management of AAA routing and the establishment of security associations between AAA entities. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on May 14, 2016. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Marin-Lopez & Lopez-MillaExpires May 14, 2016 [Page 1] Internet-Draft SDN AAA Management November 2015 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 5 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 4. Objectives . . . . . . . . . . . . . . . . . . . . . . . . . 6 5. AAA flow based routing . . . . . . . . . . . . . . . . . . . 6 6. Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . 10 6.1. AAA routing and security association establishment . . . 10 6.2. AAA agents under different SDN controllers . . . . . . . 12 7. Relationship with I2NSF . . . . . . . . . . . . . . . . . . . 13 8. Security Considerations . . . . . . . . . . . . . . . . . . . 14 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 10.1. Normative References . . . . . . . . . . . . . . . . . . 14 10.2. Informative References . . . . . . . . . . . . . . . . . 15 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 1. Introduction Software-Defined Networking (SDN) is an architecture that enables users to directly program, orchestrate, control and manage network resources through software. SDN paradigm relocates the control of network resources to a dedicated network element, namely SDN controller. The SDN controller manages and configures the distributed network resources and provides an abstracted view of the network resources to the SDN applications. The SDN application can customize and automate the operations (including management) of the abstracted network resources in a programmable manner via this interface [RFC7149][ITU-T.Y.3300] [ONF-SDN-Architecture][ONF-OpenFlow]. Authentication, Authorization and Accounting (AAA) [RFC2903][RFC2904] infrastructures manage three basic security services to control the access to network resources: Authentication, in order to determine who the end user is; Authorization, in order to determine under what conditions an end user is granted access to the network resource; and Accounting, in order to account the resource usage of the end user. Following the terminology in [RFC6733], an AAA infrastructure is formed by AAA nodes. An AAA protocol is used to exchange AAA information between them. RADIUS [RFC2865], [RFC2866] and Diameter [RFC6733]. These AAA nodes can be classified as follows: o AAA client. It is a AAA node that implement the client part of a AAA protocol. Marin-Lopez & Lopez-MillaExpires May 14, 2016 [Page 2] Internet-Draft SDN AAA Management November 2015 o AAA server. AAA node that handles authentication, authorization, and accounting requests for a particular realm. o AAA agent. AAA node that implements one of the following functionalities: o * Relay Agents. They are agents that accept requests and route messages (making use of a routing table) to other nodes based on information found in the DIAMETER messages. * Proxy Agents. Similarly to relays, proxy agents also route messages using a routing table. However, they differ since they modify messages to implement policy enforcement. * Redirect Agents. Redirect agents do not relay Diameter messages, they return an answer with the information required by the agents to communicate directly, so they do not modify messages. They are useful in scenarios where routing configuration needs to be centralized. * Translation Agents. A translation agent is a device that provides translation between two protocols (e.g., RADIUS<->Diameter, TACACS+<->Diameter). As depicted in Figure 1, the AAA framework [RFC2903] defines a model consisting of the User desiring gain access to a specific network service; the AAA server in the User Home Organization (UHO) which has registered the User's identity and credentials; and the AAA server located in the Service Provider (SP) operating and controlling the access to the network service through a Service Equipment. In non- federated environments, User Home Organization and Service Provider are the same organization. In federated environments, they are two separate organizations. Between the AAA client and the AAA server in the UHO, the AAA infrastructure can deploy other intermediate AAA agents to forward the information between both entities. RADIUS defines, apart from the RADIUS client and RADIUS server, the role of proxy RADIUS or forwarding RADIUS. Proxy RADIUS receives authentication requests from a RADIUS client, forwards the request to a remote RADIUS server, receives authentication responses from the remote server and forwards the response to the client. In Diameter, apart from the AAA client and the AAA server, it defines a set of these Diameter agents that corresponds with the agents described above. Marin-Lopez & Lopez-MillaExpires May 14, 2016 [Page 3] Internet-Draft SDN AAA Management November 2015 It is important to note that the AAA node can act as AAA server in a realm but also can act as, for example, Relay/Proxy agent for those types of AAA requests that cannot be processed and need to be forwarded to the next AAA node. It is also important to note that some kind of trust relationship is required to be established between these AAA nodes, in order to protect the AAA traffic Typically, Proxy RADIUS and Diameter agents (from now on AAA agents) hold and manage AAA routing information. Moreover AAA infrastructures are manually configured, specially the AAA routing information. For example, RADIUS implementations typically require the name or address of servers or clients be manually configured, besides passwords or cryptographic material to establish a security associations between AAA entities. It makes difficult their management and generates a lack of flexibility, specially if the number of entities is high and the AAA infrastructure is complex. With the grow of SDN-based scenarios where network resources are deployed in an autonomous manner, a mechanism to manage AAA infrastructures according to the SDN paradigm becomes more relevant. Thus, the SDN-based service described in this document deals with AAA infrastructures in such as an autonomous manner. Marin-Lopez & Lopez-MillaExpires May 14, 2016 [Page 4] Internet-Draft SDN AAA Management November 2015 +------+ +-------------------------+ | | | User Home Organization | | | | +-------------------+ | | | | | AAA Server | | | | | | | | | | | +-------------------+ | | | | | | | +-------------------------+ | | | | | | | User | +-------------------------+ | | | Service Provider | | | | +-------------------+ | | | | | AAA Server | | | | | | | | | | | +-------------------+ | | | | | | | | +-------------------+ | | | | | AAA Client | | | | | |-------------------| | | | | | Service | | | | | | Equipment | | | | | +-------------------+ | | | | | +------+ +-------------------------+ Figure 1: AAA framework 2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. When these words appear in lower case, they have their natural language meaning. 3. Terminology This document uses the terminology described in [RFC7149], [RFC6733], [ITU-T.Y.3300], [ONF-SDN-Architecture], [ONF-OpenFlow], [ITU-T.X.1252], and [ITU-T.X.800]. In addition, the following terms are defined below: o Software-Defined Networking: A set of techniques enabling to directly program, orchestrate, control, and manage network resources, which facilitates the design, delivery and operation of network services in a dynamic and scalable manner [ITU-T.Y.3300]. Marin-Lopez & Lopez-MillaExpires May 14, 2016 [Page 5] Internet-Draft SDN AAA Management November 2015 4. Objectives o Flow-based AAA traffic routing: SDN-based management allows to route AAA traffic (flow) between different AAA agents so that the authentication, authorization and accounting tasks can be preformed. Thus, it can adapt quickly the routing information when a AAA route is not available to redirect the AAA traffic to other nodes. o Bootstrapping security associations: SDN-based flow protection allows the centralized bootstrapping of credentials to protect the AAA traffic between two adjacent AAA nodes (hop-by-hop) or between two separate AAA nodes without intermediate AAA nodes in between (end-to-end). 5. AAA flow based routing As mentioned, the AAA infrastructure is formed by a set of AAA nodes. These nodes interconnect each other using the AAA protocol, such as RADIUS or Diameter. When the User desires to access a service which requires authentication and authorization, she typically sends her identity to the Service Equipment. The Service Equipment (e.g. an WiFi access point) deploys the AAA client to interact with the AAA infrastructure. The User's identity contains the realm where she belongs to. For example, an identity can be "alice@um.es". The identifier is "alice" and the realm is "um.es". Based on this realm (realm-based routing), the AAA agents, for example, AAA relay or proxy, route the AAA information to the specific AAA server in the User Home Organization that has a register of "alice@um.es". This AAA server will be in charge of authenticate and authorize the Users in the realm. In order to achieve a correct routing of AAA information each AAA agent maintains a AAA routing table and another table with the adjacent AAA servers, which are considered as next "AAA hop". As an example of AAA routing table, Diameter defines a format where each table entry contains the following fields: Realm Name This is the field that MUST be used as a primary key in the routing table lookups. Note that some implementations perform their lookups based on longest-match-from-the-right on the realm rather than requiring an exact match. Application Identifier Marin-Lopez & Lopez-MillaExpires May 14, 2016 [Page 6] Internet-Draft SDN AAA Management November 2015 A Diameter Application (i.e. NAS-REQ, EAP, etc.) is identified by an Application Id. The Diameter message can have a different destination (route entry) based on the Application Id in the message header. This field MUST be used as a secondary key field in routing table lookups. Local Action The Local Action field is used to identify how a message should be treated. The following actions are supported: 1. LOCAL - Diameter messages that can be satisfied locally, and do not need to be routed to another Diameter entity. 2. RELAY - All Diameter messages that fall within this category MUST be routed to a next hop Diameter entity that is indicated by the identifier described below. Routing is done without modifying any non-routing AVPs. 3. PROXY - All Diameter messages that fall within this category MUST be routed to a next Diameter entity that is indicated by the identifier described below. The local server MAY apply its local policies to the message by including new AVPs to the message prior to routing. 4. REDIRECT - Diameter messages that fall within this category MUST have the identity of the home Diameter server(s) appended, and returned to the sender of the message. Additionally, Diameter specification defines the Peer Table, which is used for message forwarding, and referenced by the Routing Table. A Peer Table entry contains the following fields: Host identity The name of the peer (i.e. Diameter URI of the peer). StatusT This is the state of the peer entry. Static or Dynamic Marin-Lopez & Lopez-MillaExpires May 14, 2016 [Page 7] Internet-Draft SDN AAA Management November 2015 Specifies whether a peer entry was statically configured or dynamically discovered. Expiration time Specifies the time at which dynamically discovered peer table entries are to be either refreshed, or expired. TLS/TCP and DTLS/SCTP Enabled Specifies whether TLS/TCP or DTLS/SCTP is to be used when communicating with the peer. Thus, the general idea presented in the document assumes that a SDN controller can manage and fill this routing information in the different AAA entities under its control. In particular, a set of tasks (not exhaustive) that the SDN controller can perform over the AAA infrastructure is the following: o The SDN controller can provide this AAA routing information to the AAA agents so having a dynamic AAA routing. In general, the SDN controller can fill the AAA routing and peer table of any AAA agents and servers, but also the AAA client to indicate the next AAA hop. This brings all the existing advantages right now for general IP routing with SDN paradigm to AAA routing. That is, it provides flexibility, scalability, availability, and security. o AAA entity and its adjacent ones typically keep a security association (hop-by-hop security). For example, RADIUS has a simple and weak model based on shared secrets. Extensions such as RADSec [RFC6614] has been proposed for running TLS between two RADIUS servers. Diameter mandates the usage of TLS and optionally IPsec. To avoid manual configuration of these security associations, the SDN controller can dynamically provide this cryptographic information to both interacting AAA servers. o When forming AAA federations, security is usually provided hop-by- hop, which means that, between each pair of neighboring AAA entities, the AAA protocol provides message protection. Sometimes, for example in RADIUS, this protection is based on message authentication, but not message encryption. So these intermediate AAA entities can see all the information in clear. To avoid this, end-to-end security MAY be required. With a SDN- approach we foresee achieving the following. When the SP's AAA server observes that the User belongs to a different realm that it Marin-Lopez & Lopez-MillaExpires May 14, 2016 [Page 8] Internet-Draft SDN AAA Management November 2015 does not know (managed by the UHO's AAA server), it can inform the SDN controller. The SDN controller can then enforce cryptographic material to both the UHO's AAA and SP's AAA server to establish a direct security association between them. Thus, in a simple architecture, the SDN controller would act as the manager of the federation. Nevertheless, more complex cases can be envisages such as each AAA server is managed by a different SDN-controller. o The SDN controller can modulate the behaviour between a relay, proxy and translation agent. For example, the SDN controller can enforce routing tables but not sending any particular policy to the agent, so that it behaves as a relay agent. However, if a proxy is required the particular behaviour is enforced by the controller based on internal policies. For certain routes the AAA agent can act as a Redirect Agent. In fact, in relationship with Network Function Virtualization (NVF) and Network Security Function (NSF), we envisage that the SDN controller can order the instantiation of a particular AAA agent (VNF) when it is required and "places it" in the path of the chain of AAA agents where the AAA requests and responses have to travel. For example, if the SDN controller realizes the request is a RADIUS message and it has to traverse a Diameter-based AAA infrastructure, it can instantiate a Translation Agent, so that the requests and responses are automatically translated from and to the different AAA protocols. Once it is instantiated, the SDN controller can install a routing entry in the RADIUS proxy so that the AAA request goes through the Translation Agent. o The SDN controller MAY also manage the User's credentials. In other words, the SDN controller can store all the User information provided by the administrator. When the AAA server is going to act as UHO's AAA server for a set of services and users, it will require this information to complete the authentication and authorization steps. The SDN can proactively push this information to the AAA server. Or, reactively, when the AAA server does not know how to authenticate and authorize a request it can ask for the advice of the SDN controller and the controller can enforce the behaviour and the user's 'information. o The SDN controller can also select the AAA server in charge of (exclusively) Accounting. This accounting information can be also route to the specific AAA server. NOTE: In general, the SDN controller MAY make use of NETCONF and YANG model for AAA entities to configure them. Marin-Lopez & Lopez-MillaExpires May 14, 2016 [Page 9] Internet-Draft SDN AAA Management November 2015 6. Scenarios This section explains two main use cases as examples for the SDN- based AAA management: first, when a single SDN controller is used; second, when multiple SDN controllers take place in the infrastructure. 6.1. AAA routing and security association establishment As depicted in Figure 2, the SDN controller represents the "AAA control plane" where the decisions of AAA routing are taken based on AAA policies provided by the administrator (1). Once, the SDN controller interprets these policies (2), it sends the AAA routing information ("AAA data plane") to the AAA entities (e.g. Relay, Proxies or Redirect) to carry out the forwarding of the AAA request. This information is used to fill the AAA routing table and peer table of AAA agent 1 and AAA agent 2 (3). Associated to this routing information any security credential is also provided (4) by the SDN controller to establish hop-by-hop security (5). In general, the SDN controller can fill all the required information to the different AAA agents that form the AAA routing path to the destination. +----------------------------------------+ | SDN Controller | | | (1)| +--------------+ (2)+--------------+ | AAA ------>| AAA Routing/ |--->| South. Prot. | | Policies | | Key Distr. | | | | | +--------------+ +--------------+ | | AAA Control Plane | | | | | | | +--------------------------|-----|-------+ | | | (3) | |--------------------------+ (4) +---| AAA V AAA Data Plane V AAA request +-------------+ +-----------+request ------->| AAA |===============>| AAA |------> | agent 1 | hop-by-hop | agent 2 | | | security | | +-------------+ (5) +-----------+ Figure 2: Example of AAA agent-to-agent routing. Figure 3 represents the case where end-to-end security (5) is established. In this case, the SDN controller enables credential and AAA routing information so that the AAA request goes directly between Marin-Lopez & Lopez-MillaExpires May 14, 2016 [Page 10] Internet-Draft SDN AAA Management November 2015 the SP's AAA server and the UHO's AAA server without passing through any intermediate AAA entity. +----------------------------------------+ | SDN Controller | | | (1)| +--------------+ (2)+--------------+ | AAA --------| AAA Routing/ |--->| South. Prot. | | Policies. | Key Distr. | | | | | +--------------+ +--------------+ | | AAA Control Plane | | | | | | | +--------------------------|----------|--+ | | (3) (4) | | (3)(4) |--------------------+ + -----| V AAA Data Plane V AAA request +----------------+ +-----------+ ------>| SP's AAA | | UHO's AAA | | server |=================>| Server | +----------------+ (5) +-----------+ end-to-end security Figure 3: Example of AAA server-to-server routing (end-to-end security). Finally, Figure 4 describes the case of pushing AAA routing information only when really required (reactive). Let us assume that the administrator has provided general AAA policies (1). When a initial AAA request arrives the first time to the AAA agent 1, it notifies about the request to the SDN Controller (2). The SDN Controller looks for AAA routing information associated with the AAA policies and the information in the AAA request. It decides that the AAA request has to be forwarded to AAA agent 2 (3). The SDN controller installs then AAA routing information in the routing table and peer table in AAA agent 1 (4). Moreover, it fills the routing and peer tables within AAA agent 2 (5). It also sends credentials to both agents to establish a security association (6) in order to provide hop-by-hop or end-to-end security (7). Marin-Lopez & Lopez-MillaExpires May 14, 2016 [Page 11] Internet-Draft SDN AAA Management November 2015 +----------------------------------------+ | (1) SDN Controller | AAA ----------------+ | Policies | V | | +----------+ (3) +-------------+ | ---------->| AAA |<--->|South. Prot. | | | | | Policies | | | | | | +----------+ +-------------+ | | | | | | | | | | | (2) | +------------------------| --- | --------+ | | | | (4)(6)| |(5)(6) | |------------------------+ +--| AAA | V V AAA request +-------------+ +-----------+request ------->| AAA |================= >| AAA |------> | agent 1 | hop-to-hop/ | agent 2 | | | security | | +-------------+ (7) +-----------+ Figure 4: Example of SDN controller pushing AAA routing information (reactive) NOTE: It is worth noting that for the same AAA request some information can be enforced proactively and other can be retrieved reactively during the travel of the AAA request. 6.2. AAA agents under different SDN controllers Another case (Figure 5) is when, for example, two organizations, ISP A and ISP B have their own SDN controller (A and B respectively), each one controlling a different set of AAA agents. During the travel of a AAA request, it may need to pass from the AAA agent 1 controlled by SDN Controller A to another AAA agent 2 which is under the control of a different SDN controller B. In this case, both SDN controllers may coordinate each other and determine whether the AAA request is allowed to traverse through both realms or not (1). If they agree the conditions (2), the AAA policies that represents this agreement are enforced by the SDN controllers as AAA routing information and credentials into the AAA agents (3). Then the AAA request can move forward (4). Marin-Lopez & Lopez-MillaExpires May 14, 2016 [Page 12] Internet-Draft SDN AAA Management November 2015 +-------------+ +-------------+ AAA | SDN |<=================>| SDN | Policy. -->| Controller A| (2) |Controller B | (1) | | | | +-------------+ +-------------+ | | | (3) (3) | AAA V V AAA request +-------------+ +-------------+ request ------>| AAA agent 1 |<=============>| AAA agent 2 |------> +-------------+ (4) +-------------+ Figure 5: Gateway-to-gateway multi controller flow in case 1 7. Relationship with I2NSF According to [I-D.merged-i2nsf-framework-04] I2NSF needs to provide identity information, along with additional data that Authentication, Authorization, and Accounting (AAA) frameworks can use. This enables those frameworks to perform AAA functions on the I2NSF traffic. In this sense, we assume that each AAA entity is, in the end, a NSF that may need to be configured with AAA-related information and where the administrator can obtain some valuable information such as, number authentications executed, number of active users accessing the service, accounting records, etc. We envisage that SDN controller MAY also instantiate a vNSF acting as one of the AAA agents (relay, proxy, redirect, translation, server, etc...) when necessary. Even more, an administrator MAY instantiate a AAA server that works as UHO's AAA server. For that, apart from create the vNSF, it needs to register the users that the AAA server needs. Marin-Lopez & Lopez-MillaExpires May 14, 2016 [Page 13] Internet-Draft SDN AAA Management November 2015 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Security Application | App. | (e.g.Identity and AAA Management) | Layer +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Application Support | SDN/ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Security |AAA Control Plane(routing,key distribution.| Controller +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ AAA server | AAA Data Plane |(NSF) +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ----> | Policy and Event Repository (PER) | ---> +-------------------------------------------+ | AAA routing table (AAA-RT) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 6: High-level Architecture for SDN-based AAA management Figure 6 describes the mapping with our use cases. In the right side of the figure each entity follows the same terminology than [I-D.merged-i2nsf-framework-04] 8. Security Considerations TBD. 9. Acknowledgements TBD. 10. References 10.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, DOI 10.17487/RFC2865, June 2000, . Marin-Lopez & Lopez-MillaExpires May 14, 2016 [Page 14] Internet-Draft SDN AAA Management November 2015 [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, DOI 10.17487/RFC2866, June 2000, . [RFC2903] de Laat, C., Gross, G., Gommans, L., Vollbrecht, J., and D. Spence, "Generic AAA Architecture", RFC 2903, DOI 10.17487/RFC2903, August 2000, . [RFC2904] Vollbrecht, J., Calhoun, P., Farrell, S., Gommans, L., Gross, G., de Bruijn, B., de Laat, C., Holdrege, M., and D. Spence, "AAA Authorization Framework", RFC 2904, DOI 10.17487/RFC2904, August 2000, . [RFC6614] Winter, S., McCauley, M., Venaas, S., and K. Wierenga, "Transport Layer Security (TLS) Encryption for RADIUS", RFC 6614, DOI 10.17487/RFC6614, May 2012, . [RFC6733] Fajardo, V., Ed., Arkko, J., Loughney, J., and G. Zorn, Ed., "Diameter Base Protocol", RFC 6733, DOI 10.17487/RFC6733, October 2012, . 10.2. Informative References [I-D.merged-i2nsf-framework-04] Lopez, E., Lopez, D., Zhuang, X., Dunbar, L., Parrott, J., Krishnan, R., and SR. Durbha, "Framework for Interface to Network Security Functions", draft-merged-i2nsf-framework- 04.txt (work in progress), October 2015. [ITU-T.X.1252] "Baseline Identity Management Terms and Definitions", April 2010. [ITU-T.X.800] "Security Architecture for Open Systems Interconnection for CCITT Applications", March 1991. [ITU-T.Y.3300] "Recommendation ITU-T Y.3300", June 2014. [ONF-OpenFlow] ONF, "OpenFlow Switch Specification (Version 1.4.0)", October 2013. Marin-Lopez & Lopez-MillaExpires May 14, 2016 [Page 15] Internet-Draft SDN AAA Management November 2015 [ONF-SDN-Architecture] "SDN Architecture", June 2014. [RFC7149] Boucadair, M. and C. Jacquenet, "Software-Defined Networking: A Perspective from within a Service Provider Environment", RFC 7149, DOI 10.17487/RFC7149, March 2014, . Authors' Addresses Rafa Marin-Lopez University of Murcia Campus de Espinardo S/N, Faculty of Computer Science Murcia 30100 Spain Phone: +34 868 88 85 01 Email: rafa@um.es Gabriel Lopez-Millan University of Murcia Campus de Espinardo S/N, Faculty of Computer Science Murcia 30100 Spain Phone: +34 868 88 85 04 Email: gabilm@um.es Marin-Lopez & Lopez-MillaExpires May 14, 2016 [Page 16]