The dark side of SDN and OpenFlow
Security & Dependability issues, challenges, and research opportunities.
Attack vectors and threats.
Practical security assessment of OpenFlow-enabled networks.
Vulnerabilities of current Network Operating Systems (e.g., Cisco IOS).
Slide 1: The dark side of SDN and OpenFlow
Diego Kreutz, Navigators, LaSIGE/FCUL, University of Lisbon
NavTalks, November 2013
Slide 2: Outline
• Short intro to SDN
• Main threat vectors in SDNs
• Sec&Dep issues in OpenFlow SDNs
• More OpenFlow security issues
• Just out of curiosity …
Slide 3: Outline (section divider; same items as slide 2: Short intro to SDN; Main threat vectors in SDNs; Sec&Dep issues in OpenFlow SDNs; More OpenFlow security issues; Just out of curiosity …)
Slide 4: SDN in short
1. Decoupling control and data plane
2. Logical centralization of network control
3. Programming the network
Slide 5: SDN/OpenFlow
[Figure: SDN architecture. Applications (access control, firewall) run on a network operating system (the SDN controller); control communications connect the controller to SDN devices (software and hardware) holding flow tables.]
• Data plane “instruction set” (what to look for? what to do with …? …)
• Control plane communication channels and commands
Slide 6: SDN/OpenFlow
[Figure: SDN architecture as on slide 5.]
Top features of OpenFlow controllers:
1. Event-driven model (PACKET_IN, PORT_STATUS, FEATURE_REPLY, STATS_REPLY)
2. Packet parsing capabilities (standard procedures)
3. switch.send(msg)
   • PACKET_OUT (with buffer_id or fabricated packet)
   • FLOW_MOD (with match rules and actions)
   • FEATURE_REQUEST, STATS_REQUEST, BARRIER_REQUEST
Slide 7: SDN/OpenFlow
[Figure: SDN architecture as on slide 5, plus a flow table entry <rule, action, stats>.]
Flow table entry:
• Rule: header fields (switch port, MAC src, MAC dst, Eth type, VLAN ID, IP src, IP dst, TCP sport, TCP dport)
• Action: 1. Forward packet to port(s); 2. Encapsulate and forward to controller; 3. Drop packet; 4. Send to normal processing pipeline
• Stats: packet + counters
OpenFlow specifies/recommends:
• TCP and TLS connections (C ⇔ D)
• Multi-controller connections
• Multiple channels (auxiliary connections)
• Flow table with <rule, action, stats>
• Multiple flow tables
• …
Slide 8: SDN/OpenFlow: packet flow in an OpenFlow switch
[Figure: packet in from network → optional 802.1d STP processing → table lookup → “match table entry 0?” (yes: apply actions; no: …) → “match table entry n?” (yes: apply actions; no: send to controller).]
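Added example, not part of the presentation: a small Python model of the lookup-and-apply pipeline from slides 7 and 8. Entries carry a match over the slide's header fields (absent field = wildcard), a priority, an action list and the packet/byte counters; a table miss is encapsulated as a PACKET_IN for the controller. The class and function names (FlowEntry, FlowTable, demo) and the sample rules and packets are constructed for this example.

```python
"""Model of the lookup-and-apply pipeline of a single OpenFlow flow table."""
from dataclasses import dataclass

# Header fields of the slide's flow-table rule (OpenFlow 1.0 style); a field
# absent from a rule's match is a wildcard.
FIELDS = ("in_port", "mac_src", "mac_dst", "eth_type", "vlan_id",
          "ip_src", "ip_dst", "tcp_sport", "tcp_dport")


@dataclass
class FlowEntry:
    match: dict        # subset of FIELDS -> required value
    actions: list      # ("output", port) | ("controller",) | ("drop",) | ("normal",)
    priority: int = 0
    packets: int = 0   # stats: packet counter
    bytes: int = 0     # stats: byte counter

    def matches(self, pkt):
        return all(pkt.get(f) == v for f, v in self.match.items())


class FlowTable:
    def __init__(self):
        self.entries = []
        self.packet_in = []    # packets encapsulated and sent to the controller

    def add(self, entry):
        assert set(entry.match) <= set(FIELDS), "unknown header field"
        self.entries.append(entry)
        # Higher-priority entries are consulted first
        self.entries.sort(key=lambda e: e.priority, reverse=True)

    def process(self, pkt, length=64):
        """Look the packet up, update the hit entry's counters and return the
        list of applied actions. A table miss is a PACKET_IN to the controller."""
        for entry in self.entries:
            if entry.matches(pkt):
                entry.packets += 1
                entry.bytes += length
                return self._apply(entry.actions, pkt)
        self.packet_in.append(pkt)
        return [("controller",)]

    def _apply(self, actions, pkt):
        applied = []
        for act in actions:
            if act[0] == "drop":
                return [("drop",)]          # drop ends processing of the packet
            if act[0] == "controller":
                self.packet_in.append(pkt)  # explicit "encapsulate and forward"
            applied.append(act)
        return applied


def demo():
    """Three rules and four constructed packets; returns the table and the
    per-packet action lists."""
    t = FlowTable()
    t.add(FlowEntry({"ip_src": "10.0.0.1", "ip_dst": "10.0.0.3"}, [("drop",)], priority=100))
    t.add(FlowEntry({"eth_type": 0x0806}, [("controller",)], priority=50))  # ARP to controller
    t.add(FlowEntry({"ip_dst": "10.0.0.3"}, [("output", 3)], priority=10))
    pkts = [  # constructed sample packets
        {"in_port": 1, "eth_type": 0x0800, "ip_src": "10.0.0.1", "ip_dst": "10.0.0.3"},
        {"in_port": 1, "eth_type": 0x0800, "ip_src": "10.0.0.2", "ip_dst": "10.0.0.3"},
        {"in_port": 2, "eth_type": 0x0806},
        {"in_port": 2, "eth_type": 0x0800, "ip_src": "10.0.0.2", "ip_dst": "10.0.0.9"},
    ]
    return t, [t.process(p) for p in pkts]


if __name__ == "__main__":
    table, results = demo()
    for r in results:
        print(r)
    print("PACKET_INs queued for the controller:", len(table.packet_in))
```

The first packet hits the higher-priority block rule even though the lower-priority output rule also matches it, which is exactly the ordering property the rule-conflict discussion later in the deck relies on; the last packet matches nothing and becomes a PACKET_IN.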
Slide 9: But … SDN is not OpenFlow!
[Figure: SDN architecture and flow table as on slide 7.]
Examples of southbound APIs:
• OpenFlow
• POF (Portable Oblivious Forwarding)
• ForCES
• …
Slide 10: SDN/OpenFlow
[Figure: SDN architecture and flow table as on slide 7.]
Protocol-specific header fields, increased complexity (specification and backward compatibility), …
Slide 11: SDN/POF: how it should be
[Figure: analogy between a computer and an SDN. Computer: Application → API / Sys. Call → Operating System → Driver / Interrupt → CPU (Instruction Set). SDN: Service → Controller → Forwarding Element.]
Slide 12: SDN/POF: how it is
[Figure: SDN architecture as on slide 5; the POF flow table holds FIELDS described as <type, offset, length> and INSTRUCTIONS.]
Instructions:
1. Goto-Table
2. Write-Metadata-From-Packet
3. Set/Modify the current protocol header
4. Add/Delete a protocol header
5. Copy the current protocol field to the metadata
6. Access control: forward/drop/send upward a packet
7. …
• Protocol header agnostic
• Simple instruction set
• Same control commands as OF 1.3
   § add/delete flow entries
   § …
• …
Slide 13: SDN/POF
Principle and Implementation of Protocol Oblivious Forwarding, http://goo.gl/BHXTzi
Slide 14: Outline (section divider; same items as slide 2)
Slide 15: Threat vectors map: threat vector 1, forged or faked traffic flows
[Figure: data plane (SDN devices) and control & management plane (SDN controller, admin station); vector 1 is located on the data plane.]
Not specific to SDNs, but can be a door for augmented DoS attacks.
Possible solutions: IDS + rate bounds for control plane requests
Slide 16: Threat vectors map: threat vector 2, exploiting vulnerabilities in forwarding devices
[Figure: as on slide 15; vector 2 is located on an SDN device.]
Not specific to SDNs, but now the impact is potentially augmented.
Possible solutions: software attestation with autonomic trust management
Slide 17: Threat vectors map: threat vector 3, attacking control communications
[Figure: as on slide 15; vector 3 is located on the control channel between devices and controller.]
Specific to SDNs: communication with logically centralized controllers can be explored.
Possible solutions: threshold crypto, trust management, ...
Slide 18: Threat vectors map: threat vector 4, exploiting vulnerabilities in controllers
[Figure: as on slide 15; vector 4 is located on the SDN controller.]
Specific to SDNs: controlling the controller may compromise the entire network.
Possible solutions: replication + diversity + recovery, reliable updates, ...
Slide 19: Threat vectors map: threat vector 5, lack of trust between the controller and apps
[Figure: as on slide 15; vector 5 is located between the controller and its applications.]
Specific to SDNs: malicious applications can now be easily developed and deployed on controllers.
Possible solutions: software attestation, security domains, ...
Slide 20: Threat vectors map: threat vector 6, exploiting vulnerabilities in admin stations
[Figure: as on slide 15; vector 6 is located on the admin station.]
Not specific to SDNs, but now the impact is potentially augmented.
Possible solutions: double credential verification, reliable recovery, ...
Slide 21: Threat vectors map: threat vector 7, lack of trusted resources for forensics and remediation
[Figure: as on slide 15; vector 7 spans the whole map.]
Not specific to SDNs, but it is still critical to assure fast recovery and diagnosis when faults happen.
Possible solutions: immutable and secure logging, secure and reliable snapshots
Slide 22: Threat vectors map: seven main threat vectors
[Figure: data plane with SDN devices and their physical/logical connections (vectors 1 and 2); SDN control protocol, e.g. OpenFlow (vector 3); SDN controller (vectors 4 and 5); management connection, e.g. SSH, to the admin station (vector 6); vector 7 spans the whole map.]
Ø 1 and 3: communications
Ø 2, 4, 5, 6: elements
Ø 7: communications and elements
Slide 23: Threat vectors map
Threat   | Specific to SDN? | Consequences in SDN
Vector 1 | no               | can be a door for DoS attacks
Vector 2 | no               | but now the impact is potentially augmented
Vector 3 | yes              | communication with logically centralized controllers can be explored
Vector 4 | yes              | controlling the controller may compromise the entire network
Vector 5 | yes              | malicious applications can now be easily developed and deployed on controllers
Vector 6 | no               | but now the impact is potentially augmented
Vector 7 | no               | it is still critical to assure fast recovery and diagnosis when faults happen
Slide 24: Outline (section divider; same items as slide 2)
Slide 25: Threat Vector 3 in OpenFlow Networks
[Figure: data plane (SDN devices) and control & management plane (SDN controllers, admin station); vector 3 marked on the control channel.]
Slide 26: OpenFlow control plane: how it works
[Figure: data plane (SDN devices) and control plane (SDN controllers).]
IPs of controllers are manually configured.
Slide 27: OpenFlow control plane: how it works
Switches can connect to any controller.
Slide 28: OpenFlow control plane: how it works
No certificate management solutions.
Slide 29: OpenFlow control plane: how it works
No trust management between devices (repeated on each device in the figure).
Slide 30: Threat Vector 4 in OpenFlow Networks
[Figure: as on slide 25; vector 4 marked on the SDN controllers.]
Slide 32: Master-slave controllers (what if B fails?)
[Figure: three active controllers sharing a fault-tolerant distributed datastore; each device has a master connection to one controller and slave connections to the others.]
On the feasibility of a consistent and fault-tolerant data store for SDNs, http://goo.gl/mF9HNB
Slide 33: Apps/services rewriting rules (accidentally or maliciously) …
[Figure: one controller running App B and App C; hosts A: 10.0.0.1 and V: 10.0.0.3. App B installs “block src=10.0.0.1 (to dst=10.0.0.3)”; App C installs “rewrite src=10.0.0.1 (to src=10.0.0.2)”.]
Slide 34: Aggregation Flow Table (priority and isolation of signed rules) …
A Security Enforcement Kernel for OpenFlow Networks, http://goo.gl/4DJPbK
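Added example, not from the presentation or from the security enforcement kernel paper it cites: a toy rule-admission check in Python for the situation on slide 33. Each app's rules are signed (an HMAC with a per-app key stands in here for a real signature; the keys are constructed) and each app has an authority level. A lower-authority rule is rejected if its match overlaps a higher-authority rule and either contradicts its disposition or uses a set-field action that would carry packets out of that rule's match (App C's rewrite of src=10.0.0.1 versus App B's block). A higher-authority rule installed later evicts conflicting lower-authority rules. Names (EnforcementKernel, AUTHORITY, APP_KEYS) and the rule format are assumptions of this example.

```python
"""Toy security enforcement kernel: signed rules and authority-based conflict checks."""
import hashlib
import hmac
import json

# Constructed per-app keys; a real kernel would verify a digital signature instead.
APP_KEYS = {"AppB": b"constructed-key-for-AppB", "AppC": b"constructed-key-for-AppC"}
AUTHORITY = {"AppB": 2, "AppC": 1}   # the security app outranks the traffic app


def sign_rule(app, rule):
    body = json.dumps(rule, sort_keys=True).encode()
    return hmac.new(APP_KEYS[app], body, hashlib.sha256).hexdigest()


def verify_rule(app, rule, sig):
    return app in APP_KEYS and hmac.compare_digest(sign_rule(app, rule), sig)


def overlaps(m1, m2):
    """Two matches overlap unless some field both constrain has different values."""
    return all(m1[f] == m2[f] for f in m1.keys() & m2.keys())


def disposition(rule):
    return "drop" if rule["actions"] == [{"type": "drop"}] else "forward"


def rewrite_leaves_scope(lower, higher):
    """Does a set-field action of `lower` move packets out of `higher`'s match?"""
    for act in lower["actions"]:
        if act["type"] == "set_field":
            f = act["field"]
            if f in higher["match"] and higher["match"][f] != act["value"]:
                return True
    return False


def pair_conflict(lower, higher):
    """Does the lower-authority rule contradict or evade the higher-authority one?"""
    if not overlaps(lower["match"], higher["match"]):
        return False
    return disposition(lower) != disposition(higher) or rewrite_leaves_scope(lower, higher)


class EnforcementKernel:
    def __init__(self):
        self.table = []   # list of {"app": name, "rule": rule}

    def install(self, app, rule, sig):
        if not verify_rule(app, rule, sig):
            return "rejected: bad signature"
        for inst in self.table:
            if AUTHORITY[inst["app"]] > AUTHORITY[app] and pair_conflict(rule, inst["rule"]):
                return "rejected: conflicts with %s rule" % inst["app"]
        # A higher-authority rule evicts lower-authority rules it conflicts with
        self.table = [r for r in self.table
                      if not (AUTHORITY[r["app"]] < AUTHORITY[app]
                              and pair_conflict(r["rule"], rule))]
        self.table.append({"app": app, "rule": rule})
        return "installed"


# The rules from slide 33, in this example's rule format
BLOCK = {"match": {"ip_src": "10.0.0.1", "ip_dst": "10.0.0.3"},
         "actions": [{"type": "drop"}]}
REWRITE = {"match": {"ip_src": "10.0.0.1"},
           "actions": [{"type": "set_field", "field": "ip_src", "value": "10.0.0.2"},
                       {"type": "output", "port": 2}]}
HARMLESS = {"match": {"ip_src": "10.0.0.5"}, "actions": [{"type": "output", "port": 2}]}


def scenario_block_first():
    """App B blocks first; App C's evasive rewrite must be refused."""
    k = EnforcementKernel()
    out = [k.install("AppB", BLOCK, sign_rule("AppB", BLOCK)),
           k.install("AppC", REWRITE, sign_rule("AppC", REWRITE)),
           k.install("AppC", REWRITE, "00" * 32),            # tampered signature
           k.install("AppC", HARMLESS, sign_rule("AppC", HARMLESS))]
    return k, out


def scenario_rewrite_first():
    """App C's rewrite is already in place; App B's block evicts it."""
    k = EnforcementKernel()
    out = [k.install("AppC", REWRITE, sign_rule("AppC", REWRITE)),
           k.install("AppB", BLOCK, sign_rule("AppB", BLOCK))]
    return k, out


if __name__ == "__main__":
    print(scenario_block_first()[1])
    print(scenario_rewrite_first()[1])
```

The overlap test is deliberately conservative (a wildcarded destination overlaps 10.0.0.3), so a traffic app that wants to forward some of 10.0.0.1's flows must express a match disjoint from the block rule; that is the trade-off a priority-and-isolation design makes to keep a security rule from being silently bypassed.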
Slide 35: Threat Vector 5 in OpenFlow Networks
[Figure: as on slide 25; vector 5 marked between the controllers and their applications.]
Slide 36: Apps trying to access and/or change/corrupt shared memory/objects …
[Figure: Controller A / App A, Controller B / App B, Controller C / App C over a fault-tolerant distributed data store. One app writes “block src=10.0.0.1 (to dst=10.0.0.3)”; an unauthorized controller and/or app writes “allow src=10.0.0.1 (to dst=10.0.0.3)” to the datastore.]
Slide 38: Apps trying to access and/or change/corrupt shared memory/objects …
[Figure: Controller A / Fw A, Controller B / Fw B, Controller C / Fw C over a fault-tolerant distributed data store. After an attack is detected on network perimeter A, one firewall writes “set border sec level=2”; a malicious or buggy controller/app tries to enforce a lower security level with “set border sec level=1”.]
Slide 39: Apps trying to access and/or change/corrupt shared memory/objects …
[Figure: as on slide 38, with the two competing writes expanded. “set border sec level=2” / “set border sec level=1” and two action sets: (a) 1. set rate limit=1000; 2. allow direct connections; (b) 1. set rate limit=500; 2. force all suspected conns to pass through Sec Midbox L1.]
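Added example, not part of the presentation: a Python model of a guarded shared object in the controllers' distributed data store, for the scenario on slides 36, 38 and 39. Writes to the border security level are checked for the writer's role, for a stale version (compare-and-set, so two controllers cannot silently overwrite each other) and for the invariant that the level cannot be lowered while any perimeter has an active attack report. The app roles, the store API and the mapping of levels to the rate limit / Sec Midbox actions shown on slide 39 are assumptions of this example.

```python
"""Guarded shared security object in a replicated controller data store."""

ROLES = {"FwA": "firewall", "FwB": "firewall", "AppX": "traffic"}   # constructed app roles

# Assumed mapping of the border security level to the actions shown on slide 39
POLICY = {
    1: {"rate_limit": 1000, "suspected_conns": "direct"},
    2: {"rate_limit": 500, "suspected_conns": "via Sec Midbox L1"},
}


class BorderSecurityStore:
    def __init__(self):
        self.level = 1
        self.version = 0            # bumped on every accepted write (compare-and-set)
        self.under_attack = set()   # perimeters with an active attack report
        self.audit = []             # append-only record of every decision

    def _deny(self, app, reason):
        self.audit.append(("denied", app, reason))
        return "denied: " + reason

    def report_attack(self, app, perimeter, active):
        """Only firewall apps may raise or clear an attack report for a perimeter."""
        if ROLES.get(app) != "firewall":
            return self._deny(app, "only firewall apps may report attacks")
        if active:
            self.under_attack.add(perimeter)
        else:
            self.under_attack.discard(perimeter)
        self.audit.append(("attack", app, perimeter, active))
        return "ok"

    def set_level(self, app, new_level, expected_version):
        """Change the border security level; fails closed on any policy violation."""
        if ROLES.get(app) != "firewall":
            return self._deny(app, "not authorized to change the border security level")
        if new_level not in POLICY:
            return self._deny(app, "unknown level")
        if expected_version != self.version:
            return self._deny(app, "stale version; re-read and retry")
        if new_level < self.level and self.under_attack:
            return self._deny(app, "cannot lower the level while perimeter(s) %s are under attack"
                              % sorted(self.under_attack))
        self.level, self.version = new_level, self.version + 1
        self.audit.append(("level", app, new_level, self.version))
        return "ok"

    def current_policy(self):
        return POLICY[self.level]


if __name__ == "__main__":
    s = BorderSecurityStore()
    print(s.report_attack("FwA", "A", True))      # attack detected on perimeter A
    print(s.set_level("FwA", 2, 0), s.current_policy())
    print(s.set_level("FwB", 1, 1))               # buggy/malicious attempt to lower the level
    print(s.set_level("AppX", 1, 1))              # unauthorized app
    for entry in s.audit:
        print(entry)
```

The audit list is the hook for threat vector 7: every denied write is recorded with the requesting app and the reason, which is what an operator needs to tell a buggy firewall instance from a compromised one.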
Slide 40: Which controller should take over the forwarding devices?
[Figure: Controller A / DevM, Controller B / DevM, Controller C / DevM (device managers).]
Association phase: devices receive the decision signed by “all” controllers.
Association phase: devices receive the decision signed by “all” DevMs.
Consensus-as-a-service to help in such decisions?
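Added example, not part of the presentation: the device side of the association phase on slide 40, in Python. A forwarding device accepts a “who is my master” decision only if a quorum of controllers signed exactly that decision and its epoch is newer than the last accepted one, so neither a single controller nor a replayed old decision can take the device over. Per-controller HMAC keys stand in for real signatures (the threshold-crypto direction on slide 17 would replace them with a single threshold signature); the keys, the decision format and the quorum size are constructed for this example.

```python
"""Quorum-signed controller-to-device association decisions."""
import hashlib
import hmac
import json

# Constructed per-controller keys; stand-ins for each controller's signing key.
CONTROLLER_KEYS = {"A": b"constructed-key-A", "B": b"constructed-key-B", "C": b"constructed-key-C"}
QUORUM = 2   # majority of three controllers


def encode(decision):
    return json.dumps(decision, sort_keys=True).encode()


def sign(controller, decision):
    """One controller's signature over a decision (HMAC stand-in)."""
    return hmac.new(CONTROLLER_KEYS[controller], encode(decision), hashlib.sha256).hexdigest()


class ForwardingDevice:
    def __init__(self, dev_id):
        self.dev_id = dev_id
        self.master = None
        self.epoch = 0     # epoch of the last accepted decision

    def associate(self, decision, signatures):
        """decision: {"device", "master", "epoch"}; signatures: controller -> signature."""
        if decision.get("device") != self.dev_id:
            return "rejected: decision is for another device"
        if decision.get("epoch", 0) <= self.epoch:
            return "rejected: stale epoch"
        valid = {c for c, s in signatures.items()
                 if c in CONTROLLER_KEYS and hmac.compare_digest(sign(c, decision), s)}
        if len(valid) < QUORUM:
            return "rejected: %d valid signatures, need %d" % (len(valid), QUORUM)
        self.master = decision["master"]
        self.epoch = decision["epoch"]
        return "accepted"


def scenario():
    """Returns the device and the outcome of four association attempts."""
    dev = ForwardingDevice("sw1")
    dec1 = {"device": "sw1", "master": "A", "epoch": 1}
    quorum_sigs = {c: sign(c, dec1) for c in ("A", "B")}
    dec2 = {"device": "sw1", "master": "C", "epoch": 2}
    outcomes = [
        dev.associate(dec1, quorum_sigs),                        # A and B agree: accepted
        dev.associate(dec2, {"C": sign("C", dec2)}),              # C alone: refused
        dev.associate(dec2, {"C": sign("C", dec2),
                             "B": sign("A", dec2)}),              # B's slot forged with A's key
        dev.associate(dec1, quorum_sigs),                        # replay of the old decision
    ]
    return dev, outcomes


if __name__ == "__main__":
    dev, outcomes = scenario()
    for o in outcomes:
        print(o)
    print("master:", dev.master, "epoch:", dev.epoch)
```

The epoch check matters as much as the quorum: without it, a captured copy of an old, legitimately signed decision could be replayed to move the device back to a controller that has since been demoted or compromised.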
Slide 41: Outline (section divider; same items as slide 2)
Slide 42: OpenFlow security issues
References: http://goo.gl/b5bzZC, http://goo.gl/2sf5CF, http://goo.gl/7opnZk
1. Lacks TLS and access control
2. Repeats the error of previous protocols: “the link should be physically secure”
3. Man in the middle: simple to do if TLS is not in use and/or when it is weakly implemented
4. Listener mode: some switches accept connections from any source (write rules and read information)
5. Lack of switch authentication (e.g., request traffic redirection)
6. Flow table verification: lack of TLS makes it impossible to verify if flow tables are configured with the expected rules
7. Denial of service risks: especially in the case of centralized controllers (single points of failure)
8. Controller vulnerabilities: diverse apps, complex protocol parsing, lack of priority-based controls and isolation, …
9. Resource depletion attacks (e.g., learning switch of POX)
Slide 43: OpenFlow security issues
OpenFlow: A Security Analysis, http://goo.gl/59CIVm
Threat (STRIDE)        | Security property | Possible attacks                                                                  | Affected OF versions
Spoofing               | Authentication    | MAC and IP address spoofing, forged ARP and IPv6 router advertisement             | 1.0, 1.2, 1.3, 1.3.1
Tampering              | Integrity         | Counters falsification, install rules that modify packets, redirect/clone flows   | 1.0, 1.2, 1.3, 1.3.1
Repudiation            | Non-repudiation   | Install rules to forge source address of packets                                  | 1.0, 1.2, 1.3, 1.3.1
Information disclosure | Confidentiality   | Side channel attacks to figure out flow rules setup                               | 1.0, 1.2, 1.3, 1.3.1
Denial of service      | Availability      | Augmented new flow requests to the controller                                     | 1.0, 1.2, 1.3, 1.3.1
Elevation of privilege | Authorization     | Take over the controller by exploiting implementation flaws                       | 1.0, 1.2, 1.3, 1.3.1
Slide 44: OpenFlow security issues
“OpenFlow security is minimally specified, to the point where the differences between multiple OpenFlow implementations could cause operational complexity, interoperability issues or unexpected security vulnerabilities.” (M. Wasserman and S. Hartman), http://goo.gl/Ep5CXH
Slide 45: Outline (section divider; same items as slide 2, with “Some OpenFlow security issues” in place of “More OpenFlow security issues”)
Slide 46: Time and bandwidth for DoS attacks
DoS attacks on the control plane, http://goo.gl/2sf5CF
Setup: one controller, one switch, and two hosts. HP 5406zl-like switch with 1,500 flow rules capacity.
Slide 47: 10 switches = a powerful weapon
[Figure: SDN architecture as on slide 5.]
DoS attacks on controllers: with 10 switches, one can easily do a DoS attack to significantly impact the controller’s performance.
References: http://goo.gl/WEmR7n, http://goo.gl/b5bzZC, http://goo.gl/2sf5CF
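Added example, not part of the presentation: a Python simulation that ties together the control-plane DoS point of slides 46 and 47, the resource-depletion item 9 on slide 42 (a learning switch installing one rule per new address pair) and the “rate bounds for control plane requests” mitigation from threat vector 1 on slide 15. A naive learning-switch handler is compared with one that applies a per-port token bucket to PACKET_IN events and a per-port budget of learned source MACs, against a constructed trace in which one port presents thousands of distinct source MACs. The switch model, the trace, the 1,500-rule capacity taken from slide 46 and the rate and budget values are assumptions of this example; the controller's logic is not POX's code.

```python
"""Learning-switch controller logic with and without control-plane rate bounds."""
import random
from collections import defaultdict

TABLE_CAPACITY = 1500     # flow rule capacity quoted on slide 46


class TokenBucket:
    """Per-port bound on control-plane requests (PACKET_IN per second)."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class LearningSwitch:
    def __init__(self, hardened, per_port_rate=50.0, per_port_macs=64):
        self.hardened = hardened
        self.mac_to_port = {}
        self.flows = set()                         # installed (src, dst) rules
        self.buckets = defaultdict(lambda: TokenBucket(per_port_rate, per_port_rate))
        self.macs_on_port = defaultdict(set)
        self.per_port_macs = per_port_macs
        self.stats = defaultdict(int)

    def packet_in(self, now, in_port, src, dst):
        self.stats["packet_in"] += 1
        if self.hardened:
            if not self.buckets[in_port].allow(now):
                self.stats["rate_limited"] += 1
                return "dropped: rate bound"
            known = self.macs_on_port[in_port]
            if src not in known and len(known) >= self.per_port_macs:
                self.stats["mac_cap"] += 1
                return "dropped: mac budget"
        self.macs_on_port[in_port].add(src)
        self.mac_to_port[src] = in_port          # learn
        if dst not in self.mac_to_port:
            return "flooded"
        if (src, dst) in self.flows:
            return "already installed"
        if len(self.flows) >= TABLE_CAPACITY:
            self.stats["table_full"] += 1
            return "flooded: table full"
        self.flows.add((src, dst))               # FLOW_MOD for this address pair
        self.stats["installed"] += 1
        return "installed"


def simulate(hardened, seed=1):
    """Constructed trace: three legitimate hosts, then address churn on port 4,
    then one new legitimate flow. Returns the switch and the last outcome."""
    rng = random.Random(seed)
    sw = LearningSwitch(hardened)
    legit = ["00:00:00:00:00:%02x" % i for i in (1, 2, 3)]   # hosts on ports 1..3
    for port, mac in enumerate(legit, start=1):
        sw.packet_in(0.0, port, mac, "ff:ff:ff:ff:ff:ff")    # broadcasts: learn only
    for k in range(3000):                                     # 3000 PACKET_INs in one second
        src = "02:" + ":".join("%02x" % rng.randrange(256) for _ in range(5))
        sw.packet_in(k / 3000.0, 4, src, legit[0])
    outcome = sw.packet_in(1.0, 2, legit[1], legit[0])        # legitimate new flow
    return sw, outcome


if __name__ == "__main__":
    for hardened in (False, True):
        sw, outcome = simulate(hardened)
        print("hardened" if hardened else "naive", dict(sw.stats), "->", outcome)
```

In the naive run the table reaches its 1,500-rule capacity from a single port and the later legitimate flow cannot be installed; in the hardened run most of the churn never reaches the controller, port 4 owns at most 64 rules, and the legitimate flow goes through. Idle timeouts on the installed rules would be the complementary control for reclaiming table space.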
Slide 48: The Network Access Layer Goes Virtual
Software switching: the new trend?! The Sandwich…
Network Virtualization Main Stage at Interop, http://goo.gl/yt9pi2
Slide 49: Vulnerabilities in Cisco IOS
[Chart: number of vulnerabilities (0 to 50) by year of publication, 1992 to 2013.]
Current Network Operating Systems