The dark side of SDN and OpenFlow

Diego Kreutz
Navigators, LaSIGE/FCUL, University of Lisbon

NavTalks, November 2013
Outline

1. Short intro to SDN
2. Main threat vectors in SDNs
3. Security and dependability (Sec&Dep) issues in OpenFlow SDNs
4. More OpenFlow security issues
5. Just out of curiosity …
Short intro to SDN
SDN in short

1. Decoupling control and data plane
2. Logical centralization of network control
3. Programming the network
[Figure: SDN architecture. Applications (e.g., access control, firewall) run on top of the network operating system, i.e., the SDN controller; control communications go down to the SDN devices, whose software and hardware hold the flow tables.]
SDN/OpenFlow

Data plane "instruction set" (what to look for? what to do with … ? …)

Control plane communication channels and commands
SDN/OpenFlow

Top features of OpenFlow controllers:

1. Event-driven model (PACKET_IN, PORT_STATUS, FEATURE_REPLY, STATS_REPLY)
2. Packet parsing capabilities (standard procedures)
3. switch.send(msg)
   • PACKET_OUT (with buffer_id or fabricated packet)
   • FLOW_MOD (with match rules and actions)
   • FEATURE_REQUEST, STATS_REQUEST, BARRIER_REQUEST
SDN/OpenFlow

[Figure: SDN architecture, zooming into the flow table of an SDN device.]

FLOW TABLE entry: <RULE, ACTION, STATS>

Rule (match fields): switch port, MAC src, MAC dst, Eth type, VLAN ID, IP src, IP dst, TCP sport, TCP dport
Stats: packet and byte counters
Action:
1. Forward packet to port(s)
2. Encapsulate and forward to controller
3. Drop packet
4. Send to normal processing pipeline
OpenFlow specifies/recommends:

• TCP and TLS connections (controller ⇔ device)
• Multi-controller connections
• Multiple channels (auxiliary connections)
• Flow table with <rule, action, stats>
• Multiple flow tables
• …
SDN/OpenFlow

Packet flow in an OpenFlow switch:

Packet in from network → optional 802.1d STP processing → table lookup → match table entry 0? … match table entry n?
  Yes (some entry matches): apply actions
  No (no entry matches): send to controller
But … SDN is not OpenFlow!

Examples of southbound APIs:

• OpenFlow
• POF (Protocol Oblivious Forwarding)
• ForCES
• …
SDN/OpenFlow

Protocol-specific header fields, increased complexity (specification and backward compatibility), …
SDN/POF: how it should be

The analogy with a computer:
SDN: Service ↔ API ↔ Controller ↔ Driver ↔ Forwarding Element
Computer: Application ↔ Sys. call ↔ Operating System ↔ Interrupt / Instruction Set ↔ CPU
SDN/POF: how it is

[Figure: SDN architecture, zooming into the POF flow table of an SDN device.]

POF FLOW TABLE
Fields: <type, offset, length>
Instructions:
1. Goto-Table
2. Write-Metadata-From-Packet
3. Set/Modify the current protocol header
4. Add/Delete a protocol header
5. Copy the current protocol field to the metadata
6. Access control: forward/drop/send upward a packet
7. …

• Protocol header agnostic
• Simple instruction set
• Same control commands as OF 1.3
  § add/delete flow entries
  § …
• …

SDN/POF

Principle and Implementation of Protocol Oblivious Forwarding
http://goo.gl/BHXTzi
Main threat vectors in SDNs
Threat vectors map

Threat vector 1: forged or faked traffic flows

Not specific to SDNs, but can be a door for augmented DoS attacks.
Possible solutions: IDS + rate bounds for control plane requests
Threat vector 2: exploiting vulnerabilities in forwarding devices

Not specific to SDNs, but now the impact is potentially augmented.
Possible solutions: software attestation with autonomic trust management
Threat vector 3: attacking control communications

Specific to SDNs: communication with logically centralized controllers can be exploited.
Possible solutions: threshold crypto, trust management, ...
Threat vector 4: exploiting vulnerabilities in controllers

Specific to SDNs: controlling the controller may compromise the entire network.
Possible solutions: replication + diversity + recovery, reliable updates, ...
Threat vector 5: lack of trust between the controller and apps

Specific to SDNs: malicious applications can now be easily developed and deployed on controllers.
Possible solutions: software attestation, security domains, ...
Threat vector 6: exploiting vulnerabilities in admin stations

Not specific to SDNs, but now the impact is potentially augmented.
Possible solutions: double credential verification, reliable recovery, ...
Threat vector 7: lack of trusted resources for forensics and remediation

Not specific to SDNs, but it is still critical to assure fast recovery and diagnosis when faults happen.
Possible solutions: immutable and secure logging, secure and reliable snapshots
Threat vectors map

[Figure: the seven threat vectors placed on the network. Data plane physical/logical connections between SDN devices (1); the SDN devices themselves (2); the SDN control protocol, e.g., OpenFlow (3); the SDN controller (4) and its applications (5); the admin station and its management connection, e.g., SSH (6); and the infrastructure as a whole (7).]

Seven main threat vectors:
Ø 1 and 3: communications
Ø 2, 4, 5, 6: elements
Ø 7: communications and elements
Threat vectors map

| Threat   | Specific to SDN? | Consequences in SDN |
| Vector 1 | no  | can be a door for DoS attacks |
| Vector 2 | no  | but now the impact is potentially augmented |
| Vector 3 | yes | communication with logically centralized controllers can be exploited |
| Vector 4 | yes | controlling the controller may compromise the entire network |
| Vector 5 | yes | malicious applications can now be easily developed and deployed on controllers |
| Vector 6 | no  | but now the impact is potentially augmented |
| Vector 7 | no  | it is still critical to assure fast recovery and diagnosis when faults happen |
Security and dependability (Sec&Dep) issues in OpenFlow SDNs
Threat vector 3 in OpenFlow networks
OpenFlow control plane: how it works

[Figure: SDN devices in the data plane connected to the SDN controllers in the control plane.]

• IPs of controllers are manually configured on the devices
• Switches can connect to any controller
• No certificate management solutions
• No trust management between devices
Threat vector 4 in OpenFlow networks
Master-slave controllers (what if B fails?)

[Figure: controllers A, B and C, each running App A; master and slave connections to the devices.]

Fault-tolerant distributed datastore: the active controllers share a replicated data store (master and slave connections to the devices).
On the feasibility of a consistent and fault-tolerant data store for SDNs
http://goo.gl/mF9HNB

Apps/services rewriting rules (accidentally or maliciously) …

[Figure: one controller running App B and App C; hosts A: 10.0.0.1, V: 10.0.0.3.]

App B: block src=10.0.0.1 (to dst=10.0.0.3)
App C: rewrite src=10.0.0.1 (to src=10.0.0.2)

Aggregation flow table (priority and isolation of signed rules) …
A Security Enforcement Kernel for OpenFlow Networks
http://goo.gl/4DJPbK
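The App B / App C conflict above, worked through as an added Python example of the kind of check a security enforcement kernel performs before a FLOW_MOD reaches the switch. This is illustration code for this page, not FortNOX code: rules are reduced to IP src/dst with an optional set-field rewrite, conflicts are found by comparing the "alias sets" of addresses each rule may touch, and the role ranking (admin > security > app) and rule names are assumptions of the example.

```python
"""Rule-conflict detection in the spirit of a security enforcement kernel
(FortNOX-style alias-set reduction, simplified to IP src/dst).

Illustration for this page; not FortNOX code. Role ranking is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ROLE_RANK = {"admin": 3, "security": 2, "app": 1}   # assumed authority ordering


@dataclass
class Rule:
    name: str
    src: str                        # IP address or "*" (wildcard)
    dst: str
    action: str                     # "forward" or "drop"
    set_src: Optional[str] = None   # OpenFlow set-field rewrite applied before forwarding
    set_dst: Optional[str] = None
    role: str = "app"               # authority that signed/installed the rule

    def alias_sets(self) -> Tuple[Set[str], Set[str]]:
        """Every source/destination this rule may touch: the match values plus
        any value produced by its set-field actions."""
        src, dst = {self.src}, {self.dst}
        if self.set_src:
            src.add(self.set_src)
        if self.set_dst:
            dst.add(self.set_dst)
        return src, dst


def overlaps(a: Set[str], b: Set[str]) -> bool:
    return "*" in a or "*" in b or bool(a & b)


def conflicts(candidate: Rule, existing: Rule) -> bool:
    """True when the candidate could give traffic covered by `existing` a
    different fate: alias sets overlap in src and dst, and actions differ."""
    if candidate.action == existing.action:
        return False
    cs, cd = candidate.alias_sets()
    es, ed = existing.alias_sets()
    return overlaps(cs, es) and overlaps(cd, ed)


class EnforcementKernel:
    """Mediates rule insertions: a candidate that conflicts with a rule of equal
    or higher authority is rejected instead of silently winning in the switch."""
    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def insert(self, rule: Rule) -> str:
        for r in self.rules:
            if conflicts(rule, r) and ROLE_RANK[rule.role] <= ROLE_RANK[r.role]:
                return f"rejected: conflicts with {r.name} ({r.role})"
        self.rules.append(rule)
        return "accepted"


if __name__ == "__main__":
    kernel = EnforcementKernel()
    print(kernel.insert(Rule("B-block", "10.0.0.1", "10.0.0.3", "drop", role="security")))
    # App C's rewrite: matches src=10.0.0.1 and forwards it as 10.0.0.2, bypassing B's block
    print(kernel.insert(Rule("C-rewrite", "10.0.0.1", "*", "forward", set_src="10.0.0.2")))
```

The alias set is what makes the check stronger than comparing match fields: a rule that matches src=10.0.0.9, rewrites it to 10.0.0.1 and forwards to 10.0.0.3 never mentions 10.0.0.1 in its match, yet it produces exactly the traffic App B's rule was meant to block, and the expanded source set catches it.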
  	
  	
  
Threat vector 5 in OpenFlow networks
[Figure: controllers A, B and C, running App A, App B and App C, over a fault-tolerant distributed data store.]

Apps trying to access and/or change/corrupt shared memory/objects …
• Installed rule: block src=10.0.0.1 (to dst=10.0.0.3)
• Conflicting rule from an unauthorized controller and/or app: allow src=10.0.0.1 (to dst=10.0.0.3)

Moving network functionality to the edge…

[Figure: controllers A, B and C, each running an edge firewall (Fw A, Fw B, Fw C), over the fault-tolerant distributed data store.]

Attack detected on network perimeter A: Fw A sets border sec level=2, while a malicious or buggy controller/app tries to enforce a lower security level (set border sec level=1).

Security level 2: 1. set rate limit=500; 2. force all suspected connections to pass through Sec Midbox L1
Security level 1: 1. set rate limit=1000; 2. allow direct connections

Which controller should take over the forwarding devices?

[Figure: controllers A, B and C, each with a device manager (DevM).]

Association phase: devices receive the decision signed by "all" controllers (DevMs).
Consensus-as-a-service to help in such decisions?
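The association-phase check above (a device accepting a new master only when the decision is endorsed by the controllers' DevMs), as an added Python example written for this page; it is not code from the talk or from any controller. In practice the endorsements would be threshold or per-controller public-key signatures; here each DevM authenticates the decision with HMAC-SHA256 under a key pre-shared with the device, so the example runs on the standard library alone. Controller names, keys, the quorum size and the epoch rule are assumptions of the example.

```python
"""Device-side acceptance of a controller-association decision endorsed by a
quorum of controllers' device managers (DevMs).

Illustration for this page; not code from the talk or any controller.
HMAC-SHA256 with pre-shared keys stands in for threshold/public-key signatures.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional


def canonical(decision: dict) -> bytes:
    # Canonical encoding: every party authenticates exactly the same bytes
    return json.dumps(decision, sort_keys=True, separators=(",", ":")).encode()


def endorse(controller_id: str, key: bytes, decision: dict) -> dict:
    """What a controller's DevM emits once it agreed (e.g. via consensus) on
    which controller should be master for a device."""
    tag = hmac.new(key, canonical(decision), hashlib.sha256).hexdigest()
    return {"by": controller_id, "tag": tag}


class Device:
    """A forwarding device: knows the controllers' keys and the quorum size,
    and remembers the epoch of the last decision it applied to reject replays."""
    def __init__(self, device_id: str, controller_keys: Dict[str, bytes], threshold: int) -> None:
        self.device_id = device_id
        self.keys = dict(controller_keys)
        self.threshold = threshold
        self.epoch = 0
        self.master: Optional[str] = None

    def accept(self, decision: dict, endorsements: List[dict]) -> bool:
        if decision.get("device") != self.device_id:
            return False                       # decision is about another device
        epoch = decision.get("epoch")
        if not isinstance(epoch, int) or epoch <= self.epoch:
            return False                       # stale or replayed decision
        msg = canonical(decision)
        valid = set()
        for e in endorsements:
            key = self.keys.get(e.get("by"))
            if key is None:
                continue                       # unknown (rogue) controller does not count
            expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, str(e.get("tag", ""))):
                valid.add(e["by"])             # a set: one controller counts once, however often it signs
        if len(valid) < self.threshold:
            return False
        self.epoch, self.master = epoch, decision.get("master")
        return True


if __name__ == "__main__":
    keys = {"A": b"key-A", "B": b"key-B", "C": b"key-C"}     # constructed pre-shared keys
    sw = Device("sw1", keys, threshold=2)                     # majority of three
    d = {"device": "sw1", "master": "B", "epoch": 1}
    print(sw.accept(d, [endorse("A", keys["A"], d)]))                           # one voice: rejected
    print(sw.accept(d, [endorse("A", keys["A"], d), endorse("B", keys["B"], d)]))  # quorum: accepted
```

The epoch check matters as much as the quorum: without it, an attacker on the control channel (threat vector 3) could replay a genuinely endorsed but old decision to hand the device back to a controller that has since been demoted or compromised.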
  
More OpenFlow security issues
OpenFlow security issues

http://goo.gl/b5bzZC , http://goo.gl/2sf5CF , http://goo.gl/7opnZk

1. Lacks TLS and access control
2. Repeats the error of previous protocols: "the link should be physically secure"
3. Man in the middle: simple to do if TLS is not in use and/or when it is weakly implemented
4. Listener mode: some switches accept connections from any source (write rules and read information)
5. Lack of switch authentication (e.g., request traffic redirection)
6. Flow table verification: lack of TLS makes it impossible to verify if flow tables are configured with the expected rules
7. Denial of service risks: especially in the case of centralized controllers (single points of failure)
8. Controller vulnerabilities: diverse apps, complex protocol parsing, lack of priority-based controls and isolation, …
9. Resource depletion attacks (e.g., learning switch of POX)

OpenFlow security issues
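Issue 9 (resource depletion against a learning switch) and the mitigation suggested for threat vector 1 (rate bounds for control plane requests, whose overflow is also an IDS signal), as an added Python simulation written for this page. It is not POX's l2_learning code: the attacker (one host flooding frames with never-repeating source MACs), the 1,500-entry flow table capacity (the HP 5406zl-class figure quoted later in the talk) and the 50-requests-per-second bound are constructed for the example.

```python
"""Resource depletion of a learning-switch controller app, and a per-port
bound on control-plane requests. Illustration for this page; not POX code.
Time is kept in integer milliseconds so the simulation is exact."""
from collections import defaultdict, deque
from typing import Dict, Deque


class LearningSwitchApp:
    """Classic learning switch: every unseen source MAC causes a PACKET_IN and a
    new MAC-table entry, which the app turns into a flow entry on the switch."""
    def __init__(self, flow_table_capacity: int = 1500) -> None:
        self.mac_to_port: Dict[str, int] = {}
        self.capacity = flow_table_capacity      # assumed switch capacity (constructed)
        self.packet_ins = self.flow_mods = self.rejected = 0

    def on_packet_in(self, in_port: int, src_mac: str, dst_mac: str, now_ms: int = 0) -> str:
        self.packet_ins += 1
        if src_mac not in self.mac_to_port:
            if len(self.mac_to_port) >= self.capacity:
                self.rejected += 1               # table full: no room for this (or any legitimate) flow
                return "table_full"
            self.mac_to_port[src_mac] = in_port
        if dst_mac in self.mac_to_port:
            self.flow_mods += 1                  # FLOW_MOD: dst -> learned port
            return "flow_mod"
        return "flood"                           # unknown destination: PACKET_OUT to all ports


class RateBoundedApp(LearningSwitchApp):
    """Same app with a bound on control-plane requests per ingress port: at most
    `limit` PACKET_INs per `window_ms` (sliding window). Excess requests are
    dropped and counted, which doubles as an IDS signal for the port."""
    def __init__(self, limit: int = 50, window_ms: int = 1000, **kw) -> None:
        super().__init__(**kw)
        self.limit, self.window_ms = limit, window_ms
        self.accepted_times: Dict[int, Deque[int]] = defaultdict(deque)
        self.throttled = 0

    def on_packet_in(self, in_port: int, src_mac: str, dst_mac: str, now_ms: int = 0) -> str:
        q = self.accepted_times[in_port]
        while q and now_ms - q[0] >= self.window_ms:
            q.popleft()                          # forget requests that left the window
        if len(q) >= self.limit:
            self.throttled += 1
            return "throttled"
        q.append(now_ms)
        return super().on_packet_in(in_port, src_mac, dst_mac, now_ms)


def fake_mac(i: int) -> str:
    # Locally administered MAC, one per frame: the attacker never repeats a source
    return "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 255, (i >> 8) & 255, i & 255)


def simulate(app: LearningSwitchApp, n_attack: int = 5000, duration_ms: int = 10000) -> str:
    """Attacker on port 1 sends n_attack frames with fresh source MACs spread over
    duration_ms; then a legitimate host on port 2 sends its first frame.
    Returns what the app did with the legitimate host's frame."""
    for i in range(n_attack):
        app.on_packet_in(1, fake_mac(i), "ff:ff:ff:ff:ff:ff", now_ms=duration_ms * i // n_attack)
    return app.on_packet_in(2, "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", now_ms=duration_ms + 1000)


if __name__ == "__main__":
    plain, bounded = LearningSwitchApp(), RateBoundedApp()
    print("plain:  ", simulate(plain), len(plain.mac_to_port), "entries,", plain.rejected, "rejected")
    print("bounded:", simulate(bounded), len(bounded.mac_to_port), "entries,", bounded.throttled, "throttled")
```

With the plain app the attacker fills the table with 1,500 junk entries and every later host, including the legitimate one, is refused; with the per-port bound the attacker gets at most 50 entries per second (500 over the run), the table stays far from full, and the thousands of throttled requests on port 1 are exactly the signal an IDS would raise.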
  
OpenFlow: A Security Analysis
http://goo.gl/59CIVm

| Threat (STRIDE)        | Security property | Possible attacks                                                                | Affected OF versions |
| Spoofing               | Authentication    | MAC and IP address spoofing, forged ARP and IPv6 router advertisement           | 1.0, 1.2, 1.3, 1.3.1 |
| Tampering              | Integrity         | Counters falsification, install rules that modify packets, redirect/clone flows | 1.0, 1.2, 1.3, 1.3.1 |
| Repudiation            | Non-repudiation   | Install rules to forge source address of packets                                | 1.0, 1.2, 1.3, 1.3.1 |
| Information disclosure | Confidentiality   | Side channel attacks to figure out flow rules setup                             | 1.0, 1.2, 1.3, 1.3.1 |
| Denial of service      | Availability      | Augmented new flow requests to the controller                                   | 1.0, 1.2, 1.3, 1.3.1 |
| Elevation of privilege | Authorization     | Take over the controller by exploiting implementation flaws                     | 1.0, 1.2, 1.3, 1.3.1 |
"OpenFlow security is minimally specified, to the point where the differences between multiple OpenFlow implementations could cause operational complexity, interoperability issues or unexpected security vulnerabilities."

(M. Wasserman and S. Hartman)
http://goo.gl/Ep5CXH

OpenFlow security issues
Just out of curiosity …
Time and bandwidth for DoS attacks

DoS attacks on the control plane
http://goo.gl/2sf5CF

Setup: one controller, one switch, and two hosts. HP 5406zl-like switch with a capacity of 1,500 flow rules.
DoS attacks on controllers

10 switches = a powerful weapon

With 10 switches, one can easily do a DoS attack to significantly impact the controller's performance.

http://goo.gl/WEmR7n , http://goo.gl/b5bzZC , http://goo.gl/2sf5CF
The Network Access Layer Goes Virtual

Software switching: the new trend?!

The Sandwich… Network Virtualization Main Stage at Interop
http://goo.gl/yt9pi2
Current Network Operating Systems

[Chart: vulnerabilities in Cisco IOS, number of vulnerabilities (0 to 50) by year of publication, 1992 to 2013.]

How to Troubleshoot Apps for the Modern Connected Worker
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 

The dark side of SDN and OpenFlow

  • 1. The dark side of SDN and OpenFlow. Diego Kreutz, Navigators, LaSIGE/FCUL, University of Lisbon. NavTalks, November, 2013
  • 2. Outline: Short intro to SDN; Main threat vectors in SDNs; Sec&Dep issues in OpenFlow SDNs; More OpenFlow security issues; Just out of curiosity …
  • 3. Outline: Short intro to SDN; Main threat vectors in SDNs; Sec&Dep issues in OpenFlow SDNs; More OpenFlow security issues; Just out of curiosity …
  • 4. SDN in short: 1. Decoupling control and data plane; 2. Logical centralization of network control; 3. Programming the network
  • 5. SDN/OpenFlow. [Figure: SDN controller (network operating system) running applications such as access control and firewall; SDN device with software control communications and hardware flow tables.] Data plane "instruction set" (what to look for? what to do with…? …). Control plane communication channels and commands.
  • 6. SDN/OpenFlow. Top features of OpenFlow controllers: 1. Event-driven model (PACKET_IN, PORT_STATUS, FEATURE_REPLY, STATS_REPLY); 2. Packet parsing capabilities (standard procedures); 3. switch.send(msg): PACKET_OUT (with buffer_id or fabricated packet), FLOW_MOD (with match rules and actions), FEATURE_REQUEST, STATS_REQUEST, BARRIER_REQUEST
  • 7. SDN/OpenFlow. [Figure: a flow table entry is <rule, action, stats>. Rule fields: switch port, MAC src, MAC dst, Eth type, VLAN ID, IP src, IP dst, TCP sport, TCP dport. Actions: 1. forward packet to port(s); 2. encapsulate and forward to controller; 3. drop packet; 4. send to normal processing pipeline. Stats: packet and byte counters.] OpenFlow specifies/recommends: TCP and TLS connections (controller ↔ device); multi-controller connections; multiple channels (auxiliary connections); flow table with <rule, action, stats>; multiple flow tables; …
  • 8. SDN/OpenFlow. Packet flow in an OpenFlow switch: packet in from network → optional 802.1d STP processing → table lookup → match table entry 0? … match table entry n? On a match, apply the entry's actions; on no match, send the packet to the controller.
  • 9. But … SDN is not OpenFlow! Examples of southbound APIs: OpenFlow; POF (Portable Oblivious Forwarding); ForCES; …
  • 10. SDN/OpenFlow. [Figure: the OpenFlow flow table of slide 7.] Protocol-specific header fields, increased complexity (specification and backward compatibility), …
  • 11. SDN/POF: how it should be. [Figure: analogy between an SDN and a computer: Service ~ Application, Controller ~ Operating System, Forwarding Element ~ CPU, with the interfaces API, system call, driver, interrupt and instruction set in between.]
  • 12. SDN/POF: how it is. [Figure: POF flow table whose fields are described by <type, offset, length>, with instructions: 1. Goto-Table; 2. Write-Metadata-From-Packet; 3. Set/Modify the current protocol header; 4. Add/Delete a protocol header; 5. Copy the current protocol field to the metadata; 6. Access control: forward/drop/send upward a packet; 7. …] Protocol header agnostic; simple instruction set; same control commands as OF 1.3 (add/delete flow entries, …); …
  • 13. SDN/POF. Principle and Implementation of Protocol Oblivious Forwarding, http://goo.gl/BHXTzi
  • 14. Outline: Short intro to SDN; Main threat vectors in SDNs; Sec&Dep issues in OpenFlow SDNs; More OpenFlow security issues; Just out of curiosity …
  • 15. Threat vectors map. Threat vector 1: forged or faked traffic flows. [Figure: data plane with SDN devices; control & management plane with SDN controller and admin station; vector 1 marked on the data plane.] Not specific to SDNs, but can be a door for augmented DoS attacks. Possible solutions: IDS + rate bounds for control plane requests
  • 16. Threat vectors map. Threat vector 2: exploiting vulnerabilities in forwarding devices. [Figure: as above, vector 2 marked on an SDN device.] Not specific to SDNs, but now the impact is potentially augmented. Possible solutions: software attestation with autonomic trust management
  • 17. Threat vectors map. Threat vector 3: attacking control communications. [Figure: as above, vector 3 marked on the control channel.] Specific to SDNs: communication with logically centralized controllers can be explored. Possible solutions: threshold crypto, trust management, ...
  • 18. Threat vectors map. Threat vector 4: exploiting vulnerabilities in controllers. [Figure: as above, vector 4 marked on the SDN controller.] Specific to SDNs: controlling the controller may compromise the entire network. Possible solutions: replication + diversity + recovery, reliable updates, ...
  • 19. Threat vectors map. Threat vector 5: lack of trust between the controller and apps. [Figure: as above, vector 5 marked on the SDN controller.] Specific to SDNs: malicious applications can now be easily developed and deployed on controllers. Possible solutions: software attestation, security domains, ...
  • 20. Threat vectors map. Threat vector 6: exploiting vulnerabilities in admin stations. [Figure: as above, vector 6 marked on the admin station.] Not specific to SDNs, but now the impact is potentially augmented. Possible solutions: double credential verification, reliable recovery, ...
  • 21. Threat vectors map. Threat vector 7: lack of trusted resources for forensics and remediation. [Figure: as above, vector 7 marked across the whole network.] Not specific to SDNs, but it is still critical to assure fast recovery and diagnosis when faults happen. Possible solutions: immutable and secure logging, secure and reliable snapshots
  • 22. Threat vectors map. [Figure: the seven vectors placed on the data plane (SDN devices and their physical/logical connections) and on the control & management plane (SDN controller, admin station, SDN control protocol such as OpenFlow, management connection such as SSH).] Seven main threat vectors: 1 and 3: communications; 2, 4, 5, 6: elements; 7: communications and elements
  • 23. Threat vectors map (threat / specific to SDN? / consequences in SDN): Vector 1 / no / can be a door for DoS attacks; Vector 2 / no / but now the impact is potentially augmented; Vector 3 / yes / communication with logically centralized controllers can be explored; Vector 4 / yes / controlling the controller may compromise the entire network; Vector 5 / yes / malicious applications can now be easily developed and deployed on controllers; Vector 6 / no / but now the impact is potentially augmented; Vector 7 / no / it is still critical to assure fast recovery and diagnosis when faults happen
  • 24. Outline: Short intro to SDN; Main threat vectors in SDNs; Sec&Dep issues in OpenFlow SDNs; More OpenFlow security issues; Just out of curiosity …
  • 25. Threat Vector 3 in OpenFlow Networks. [Figure: data plane with SDN devices; control & management plane with SDN controllers and admin station; vector 3 marked.]
  • 26. OpenFlow control plane: how it works. [Figure: data plane devices and control plane SDN controllers.] IPs of controllers are manually configured
  • 27. OpenFlow control plane: how it works. Switches can connect to any controller
  • 28. OpenFlow control plane: how it works. No certificate management solutions
  • 29. OpenFlow control plane: how it works. No trust management between devices (neither between switches, nor between switches and controllers, nor between controllers)
  • 30. Threat Vector 4 in OpenFlow Networks. [Figure: as on slide 25, vector 4 marked.]
  • 31. Master-slave controllers (what if B fails?). [Figure: Controller A, Controller B and Controller C, each running App A.]
  • 32. Master-slave controllers (what if B fails?). [Figure: three active controllers with master and slave connections to the devices, backed by a fault-tolerant distributed datastore.] On the feasibility of a consistent and fault-tolerant data store for SDNs, http://goo.gl/mF9HNB
  • 33. Apps/services rewriting rules (accidentally or maliciously) … [Figure: one controller running App B and App C; hosts A: 10.0.0.1 and V: 10.0.0.3; App B installs "block src=10.0.0.1 (to dst=10.0.0.3)"; App C installs "rewrite src=10.0.0.1 (to src=10.0.0.2)".]
  • 34. Aggregation Flow Table (priority and isolation of signed rules) … A Security Enforcement Kernel for OpenFlow Networks, http://goo.gl/4DJPbK
  • 35. Threat Vector 5 in OpenFlow Networks. [Figure: as on slide 25, vector 5 marked.]
  • 36. Apps trying to access and/or change/corrupt shared memory/objects … [Figure: Controller A, B and C running App A, B and C over a fault-tolerant distributed data store; the rule "block src=10.0.0.1 (to dst=10.0.0.3)" is replaced by "allow src=10.0.0.1 (to dst=10.0.0.3)" by an unauthorized controller and/or app.]
  • 37. Moving network functionality to the edge… [Figure: Controller A, B and C, each with a firewall Fw A, Fw B, Fw C.]
  • 38. Apps trying to access and/or change/corrupt shared memory/objects … [Figure: Controllers A, B and C with firewalls Fw A, Fw B, Fw C over a fault-tolerant distributed data store. An attack is detected on network perimeter A and "set border sec level=2" is issued; a malicious or buggy controller/app tries to enforce a lower security level with "set border sec level=1".]
  • 39. Apps trying to access and/or change/corrupt shared memory/objects … [Figure: same setup; the commands "set border sec level=2" and "set border sec level=1" translate into the policies "1. set rate limit=1000, 2. allow direct connections" and "1. set rate limit=500, 2. force all suspected conns to pass through Sec Midbox L1".]
  • 40. Which controller should take over the forwarding devices? [Figure: Controller A, B and C, each with a DevM.] Association phase: devices receive the decision signed by "all" controllers. Consensus-as-a-service to help in such decisions? Association phase: devices receive the decision signed by "all" DevMs
  • 41. Outline: Short intro to SDN; Main threat vectors in SDNs; Sec&Dep issues in OpenFlow SDNs; More OpenFlow security issues; Just out of curiosity …
  • 42. OpenFlow security issues (http://goo.gl/b5bzZC, http://goo.gl/2sf5CF, http://goo.gl/7opnZk): 1. Lacks TLS and access control; 2. Repeats the error of previous protocols: "the link should be physically secure"; 3. Man in the middle: simple to do if TLS is not in use and/or when it is weakly implemented; 4. Listener mode: some switches accept connections from any source (write rules and read information); 5. Lack of switch authentication (e.g., request traffic redirection); 6. Flow table verification: lack of TLS makes it impossible to verify if flow tables are configured with the expected rules; 7. Denial of service risks: especially in the case of centralized controllers (single points of failure); 8. Controller vulnerabilities: diverse apps, complex protocol parsing, lack of priority-based controls and isolation, …; 9. Resource depletion attacks (e.g., learning switch of POX)
  • 43. OpenFlow security issues. OpenFlow: A Security Analysis, http://goo.gl/59CIVm. Table (threat (STRIDE) / security property / possible attacks / affected OF versions): Spoofing / Authentication / MAC and IP address spoofing, forged ARP and IPv6 router advertisement / 1.0, 1.2, 1.3, 1.3.1; Tampering / Integrity / counters falsification, install rules that modify packets, redirect/clone flows / 1.0, 1.2, 1.3, 1.3.1; Repudiation / Non-repudiation / install rules to forge source address of packets / 1.0, 1.2, 1.3, 1.3.1; Information disclosure / Confidentiality / side channel attacks to figure out flow rules setup / 1.0, 1.2, 1.3, 1.3.1; Denial of service / Availability / augmented new flow requests to the controller / 1.0, 1.2, 1.3, 1.3.1; Elevation of privilege / Authorization / take over the controller by exploiting implementation flaws / 1.0, 1.2, 1.3, 1.3.1
  • 44. OpenFlow security issues. "OpenFlow security is minimally specified, to the point where the differences between multiple OpenFlow implementations could cause operational complexity, interoperability issues or unexpected security vulnerabilities." (M. Wasserman and S. Hartman), http://goo.gl/Ep5CXH
  • 45. Outline: Short intro to SDN; Main threat vectors in SDNs; Sec&Dep issues in OpenFlow SDNs; Some OpenFlow security issues; Just out of curiosity …
  • 46. DoS attacks on the control plane: time and bandwidth for DoS attacks, http://goo.gl/2sf5CF. Setup: one controller, one switch, and two hosts; an HP 5406zl-like switch with 1,500 flow rules capacity.
  • 47. DoS attacks on controllers: 10 switches = a powerful weapon. [Figure: SDN controller (network operating system) running access control and firewall applications.] With 10 switches, one can easily do a DoS attack to significantly impact the controller's performance. http://goo.gl/WEmR7n, http://goo.gl/b5bzZC, http://goo.gl/2sf5CF
  • 48. Software switching: the new trend?! The Network Access Layer Goes Virtual; The Sandwich… Network Virtualization Main Stage at Interop, http://goo.gl/yt9pi2
  • 49. Vulnerabilities in Cisco IOS. [Chart: number of vulnerabilities per year of publication, 1992 to 2013.] Current Network Operating Systems
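The switch pipeline of slide 8 (priority lookup, apply actions, table miss to the controller) and the rule-rewriting problem of slides 33 and 34 (an app's rule that rewrites src=10.0.0.1 to 10.0.0.2 and forwards, so that traffic reaches 10.0.0.3 despite another app's block rule) can both be worked through on a small model. The Python below is an added example, not code from the talk, from FortNOX or from any controller. It implements a priority-ordered flow table and a conservative conflict check in the spirit of the "signed rules" of slide 34: a candidate forwarding rule is rejected when its match, or any header produced by its rewrite actions (its alias set), overlaps a trusted drop rule. The `trusted` flag, the OpenFlow 1.0 style field names, and all rules and packets are constructed for the example.

```python
"""OpenFlow-style flow table plus a rewrite-aware rule conflict check (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Header = Dict[str, str]   # match fields (OpenFlow 1.0 style names); an absent field is a wildcard
Action = Tuple[str, str]  # ("output", "2"), ("drop", ""), ("controller", ""), ("set_nw_src", "10.0.0.2")


@dataclass
class FlowEntry:
    match: Header
    actions: List[Action]
    priority: int = 0
    trusted: bool = False  # hypothetical flag: rule signed by a security app (the "signed rules" of slide 34)
    packets: int = 0       # stats counters, as in the <rule, action, stats> entry of slide 7
    bytes: int = 0

    def forwards(self) -> bool:
        return any(kind == "output" for kind, _ in self.actions)

    def rewrites(self) -> List[Tuple[str, str]]:
        # ("set_nw_src", "10.0.0.2") rewrites the field "nw_src"
        return [(kind[len("set_"):], value) for kind, value in self.actions if kind.startswith("set_")]


def matches(rule: Header, hdr: Header) -> bool:
    """Exact match on every field the rule specifies; wildcarded fields match anything."""
    return all(hdr.get(field) == value for field, value in rule.items())


def intersects(a: Header, b: Header) -> bool:
    """True when at least one packet could match both rule matches."""
    return all(a[field] == b[field] for field in a.keys() & b.keys())


class FlowTable:
    def __init__(self) -> None:
        self.entries: List[FlowEntry] = []

    def install(self, entry: FlowEntry) -> None:
        self.entries.append(entry)
        self.entries.sort(key=lambda e: -e.priority)  # highest priority consulted first

    def process(self, hdr: Header, size: int) -> Tuple[str, Header]:
        """Slide 8 pipeline: look the packet up, apply the first matching entry, or send it to the controller."""
        for entry in self.entries:
            if not matches(entry.match, hdr):
                continue
            entry.packets += 1
            entry.bytes += size
            out = dict(hdr)
            disposition = "drop"  # an action list without output/controller drops the packet
            for kind, value in entry.actions:
                if kind.startswith("set_"):
                    out[kind[len("set_"):]] = value
                elif kind == "output":
                    disposition = "output:" + value
                elif kind == "controller":
                    disposition = "controller"
            return disposition, out
        return "controller", dict(hdr)  # table miss: encapsulate and send as PACKET_IN


def alias_set(entry: FlowEntry) -> List[Header]:
    """All headers a packet handled by this rule can carry: its match, then each rewrite applied in turn."""
    headers = [dict(entry.match)]
    for field, value in entry.rewrites():
        nxt = dict(headers[-1])
        nxt[field] = value
        headers.append(nxt)
    return headers


def conflicts(candidate: FlowEntry, table: FlowTable) -> Optional[str]:
    """Reject a forwarding rule whose packets, before or after rewriting, overlap a trusted drop rule.

    The check is conservative and ignores priority, since a rule's priority could be raised later.
    """
    if not candidate.forwards():
        return None
    for entry in table.entries:
        if not (entry.trusted and entry.actions == [("drop", "")]):
            continue
        for hdr in alias_set(candidate):
            if intersects(hdr, entry.match):
                return "rule %s %s overlaps trusted drop rule %s via header %s" % (
                    candidate.match, candidate.actions, entry.match, hdr)
    return None


def demo() -> Tuple[str, Optional[str], str]:
    """Constructed scenario of slide 33: App B blocks 10.0.0.1 -> 10.0.0.3, App C tries to rewrite the source."""
    table = FlowTable()
    table.install(FlowEntry({"nw_src": "10.0.0.1", "nw_dst": "10.0.0.3"}, [("drop", "")], priority=100, trusted=True))
    table.install(FlowEntry({"nw_dst": "10.0.0.3"}, [("output", "3")], priority=10))
    rewrite = FlowEntry({"nw_src": "10.0.0.1"}, [("set_nw_src", "10.0.0.2"), ("output", "3")], priority=200)
    verdict = conflicts(rewrite, table)  # detected: the pre-rewrite header overlaps the block rule
    if verdict is None:
        table.install(rewrite)           # only reached by rules that pass the check
    blocked, _ = table.process({"nw_src": "10.0.0.1", "nw_dst": "10.0.0.3", "tp_dst": "80"}, 64)
    miss, _ = table.process({"nw_src": "10.0.0.9", "nw_dst": "10.0.0.7"}, 64)
    return blocked, verdict, miss


if __name__ == "__main__":
    print(demo())
```

Checking the alias set rather than only the candidate's own match is what catches the second form of the bypass: a rule that matches 10.0.0.1 → 10.0.0.5 but rewrites the destination to 10.0.0.3 overlaps the block rule only after the rewrite. A real enforcement kernel would also have to compare priorities, handle wildcard masks rather than exact fields, and decide who is allowed to sign trusted rules; the model deliberately leaves those out.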