Distributed Access Control with Blockchain
This work addresses access control challenges for enterprises in multi-domain networks, but it is incremental as it builds on existing policy languages and blockchain technology.
The paper tackles the problem of enforcing network-wide access control policies across multiple administrative domains by extending Group-Based Policy with a permissioned blockchain (Hyperledger Fabric) and a LISP control plane, resulting in a prototype that addresses scalability and granularity issues with measurable performance in terms of network latency.
The specification and enforcement of network-wide policies in a single administrative domain is common in today's networks and considered as already resolved. However, this is not the case for multi-administrative domains, e.g. among different enterprises. In such situation, new problems arise that challenge classical solutions such as PKIs, which suffer from scalability and granularity concerns. In this paper, we present an extension to Group-Based Policy -- a widely used network policy language -- for the aforementioned scenario. To do so, we take advantage of a permissioned blockchain implementation (Hyperledger Fabric) to distribute access control policies in a secure and auditable manner, preserving at the same time the independence of each organization. Network administrators specify polices that are rendered into blockchain transactions. A LISP control plane (RFC 6830) allows routers performing the access control to query the blockchain for authorizations. We have implemented an end-to-end experimental prototype and evaluated it in terms of scalability and network latency.