The dark side of SDN and OpenFlow
4 likes2,639 views
The document discusses the security concerns and threat vectors associated with Software-Defined Networks (SDN) and OpenFlow, highlighting vulnerabilities such as forged traffic, controller exploitation, and lack of trust in communications. It outlines potential security solutions and emphasizes that SDN is distinct from OpenFlow, although they are interconnected. Additionally, it identifies critical areas for improvement in security protocols and emphasizes the importance of resilience and trust management within SDN architectures.
The dark side of SDN and OpenFlow
- 1. The dark side of SDN and OpenFlow Diego Kreutz Navigators, LaSIGE/FCUL, University of Lisbon NavTalks, November, 2013
- 2. Main threat vectors in SDNs Short intro to SDN Outline Sec&Dep issues in OpenFlow SDNs More OpenFlow security issues Just out of curiosity …
- 3. Main threat vectors in SDNs Short intro to SDN Outline Sec&Dep issues in OpenFlow SDNs More OpenFlow security issues Just out of curiosity …
- 4. SDN in short 1. Decoupling control and data plane 2. Logical centralizaCon of network control 3. Programming the network
- 5. SDN CONTROLLER APPLICATIONS NETWORK OPERATING SYSTEM ACCESS CONTROL SDN DEVICE SOFTWAREHARDWARE CONTROL COMMUNICATIONS FLOW TABLES FIREWALL SOFTWARE CONTROL COMMUNICATIONS SDN/OpenFlow Data plane “instrucKon set” (what to look for? what to do with…? …) Control plane communicaKon channels and commands
- 6. SDN CONTROLLER APPLICATIONS NETWORK OPERATING SYSTEM ACCESS CONTROL FIREWALL SOFTWARE CONTROL COMMUNICATIONS SDN/OpenFlow Top features of OpenFlow controllers: 1. Event-‐driven model (PACKET_IN, PORT_STATUS, FEATURE_REPLY, STATS_REPLY) 2. Packet parsing capabiliCes (standard procedures) 3. switch.send(msg) • PACKET_OUT (with buffer_id or fabricated packet) • FLOW_MOD (with match rules and acKons) • FEATURE_REQUEST, STATS_REQUEST, BARRIER_REQUEST
- 7. SDN/OpenFlow SDN CONTROLLER APPLICATIONS NETWORK OPERATING SYSTEM ACCESS CONTROL SDN DEVICE SOFTWAREHARDWARE CONTROL COMMUNICATIONS FLOW TABLES FIREWALL SOFTWARE CONTROL COMMUNICATIONS RULE STATSACTION Packet + counters 1. Forward packet to port(s) 2. Encapsulate and forward to controller 3. Drop packet 4. Send to normal processing pipeline Switch port MAC src MAC src VLAN ID IP src TCP sport TCP dport IP dst FLOW TABLE Eth type OpenFlow specifies/recommends: • TCP and TLS connecKons (C ó D) • MulK-‐controller connecKons • MulKple channels (auxiliary connecKons) • Flow table with <rule, acKon, stats> • MulKple flow tables • …
- 8. SDN/OpenFlow Packet in from network OpKonal 802.1d STP processing Table lookup Match table entry 0? Apply acCons Send to controller Match table entry n? No No Yes Yes Packet flow in an OpenFlow switch
- 9. But … SDN is not OpenFlow! SDN CONTROLLER APPLICATIONS NETWORK OPERATING SYSTEM ACCESS CONTROL SDN DEVICE SOFTWAREHARDWARE CONTROL COMMUNICATIONS FLOW TABLES FIREWALL SOFTWARE CONTROL COMMUNICATIONS RULE STATSACTION Packet + counters 1. Forward packet to port(s) 2. Encapsulate and forward to controller 3. Drop packet 4. Send to normal processing pipeline Switch port MAC src MAC src VLAN ID IP src TCP sport TCP dport IP dst FLOW TABLE Eth type Examples of southbound APIs: • OpenFlow • POF (Portable Oblivious Forwarding) • ForCES • …
- 10. SDN/OpenFlow SDN CONTROLLER APPLICATIONS NETWORK OPERATING SYSTEM ACCESS CONTROL SDN DEVICE SOFTWAREHARDWARE CONTROL COMMUNICATIONS FLOW TABLES FIREWALL SOFTWARE CONTROL COMMUNICATIONS RULE STATSACTION Packet + counters 1. Forward packet to port(s) 2. Encapsulate and forward to controller 3. Drop packet 4. Send to normal processing pipeline Switch port MAC src MAC src VLAN ID IP src TCP sport TCP dport IP dst FLOW TABLE Eth type Protocol specific header fields, increased complexity (specificaKon and backward compaKbility), …
- 11. SDN/POF: how it should be Service Controller Forwarding Element ApplicaKon OperaKng System CPU API Sys. Call Driver Interrupt InstrucKon Set SDN Computer
- 12. SDN/POF: how it is SDN CONTROLLER APPLICATIONS NETWORK OPERATING SYSTEM ACCESS CONTROL SDN DEVICE SOFTWAREHARDWARE CONTROL COMMUNICATIONS FLOW TABLES FIREWALL SOFTWARE CONTROL COMMUNICATIONS FIELDS INSTRUCTIONS 1. Goto-Table 2. Write-Metadata-From-Packet 3. Set/Modify the current protocol header 4. Add/Delete a protocol header 5. Copy the current protocol field to the metadata 6. Access control: forward/drop/send upward a packet 7. … type offset lenght FLOW TABLE • Protocol header agnosCc • Simple instrucCon set • Same control commands as OF 1.3 § add/delete flow entries § … • …
- 13. SDN/POF Principle and Implementa/on of Protocol Oblivious Forwarding h;p://goo.gl/BHXTzi
- 14. Main threat vectors in SDNs Short intro to SDN Outline Sec&Dep issues in OpenFlow SDNs More OpenFlow security issues Just out of curiosity …
- 15. Data Plane! Control & Management! SDN device SDN device SDN device Admin StaKon SDN Controller SDN device 1 Not specific to SDNs, but can be a door for augmented DoS afacks. Possible solu/ons: IDS + rate bounds for control plane requests Threat vectors map Threat vector 1 forged or faked traffic flows
- 16. Data Plane! Control & Management! SDN device SDN device SDN device Admin StaKon SDN Controller 2 SDN device Not specific to SDNs, but now the impact is potenKally augmented. Possible solu/ons: sojware afestaKon with autonomic trust management Threat vectors map Threat vector 2 exploiKng vulnerabiliKes in forwarding devices
- 17. Data Plane! Control & Management! SDN device SDN device SDN device Admin StaKon 3 SDN Controller SDN device Specific to SDNs: communicaKon with logically centralized controllers can be explored. Possible solu/ons: threshold crypto, trust management, ... Threat vectors map Threat vector 3 afacking control communicaKons
- 18. Data Plane! Control & Management! SDN device SDN device SDN device Admin StaKon 4 SDN Controller SDN device Specific to SDNs, controlling the controller may compromise the enKre network. Possible solu/ons: replicaKon + diversity + recovery, reliable updates, ... Threat vectors map Threat vector 4 exploiKng vulnerabiliKes in controllers
- 19. Data Plane! Control & Management! SDN device SDN device SDN device Admin StaKon 5 SDN Controller SDN device Specific to SDNs, malicious applicaKons can now be easily developed and deployed on controllers. Possible solu/ons: sojware afestaKon, security domains, ... Threat vectors map Threat vector 5 lack of trust between the controller and apps
- 20. Data Plane! Control & Management! SDN device SDN device SDN device Admin StaKon 6 SDN Controller SDN device Not specific to SDNs, but now the impact is potenKally augmented. Possible solu/ons: double credenKal verificaKon, reliable recovey, ... Threat vectors map Threat vector 6 exploiKng vulnerabiliKes in admin staKons
- 21. Data Plane! Control & Management! 7 SDN device SDN device SDN device Admin StaKon SDN Controller SDN device Threat vector 7 lack of trusted resources for forensics and remediaKon Not specific to SDNs, but it is sKll criKcal to assure fast recovery and diagnosis when faults happen. Possible solu/ons: immutable and secure logging, secure and reliable snapshots Threat vectors map
- 22. Data Plane! Control & Management! 7 SDN device SDN device SDN device Admin StaKon 6 5 4 3 SDN Controller SDN control protocol (e.g., OpenFlow ) Management connecKon (e.g., SSH ) 2 Data plane physical / logical connecKons SDN device 1 Seven main threat vectors Ø 1 and 3: communicaKons Ø 2, 4, 5, 6: elements Ø 7: communicaKons and elements Threat vectors map
- 23. Threat vectors map Threat Specific to SDN? Consequences in SDN Vector 1 no can be a door for DoS afacks Vector 2 no but now the impact is potenKally augmented Vector 3 yes communicaCon with logically centralized controllers can be explored Vector 4 yes controlling the controller may compromise the enCre network Vector 5 yes malicious applicaCons can now be easily developed and deployed on controllers Vector 6 no but now the impact is potenKally augmented Vector 7 no it is sKll criKcal to assure fast recovery and diagnosis when faults happen
- 24. Main threat vectors in SDNs Short intro to SDN Outline Sec&Dep issues in OpenFlow SDNs More OpenFlow security issues Just out of curiosity …
- 25. Data Plane! Control & Management! Admin StaKon SDN device SDN device SDN device SDN device SDN Controllers 3 Threat Vector 3 in OpenFlow Networks
- 26. Data Plane! Control Plane! SDN device SDN device SDN device SDN device IPs of controllers are manually configured SDN Controllers OpenFlow control plane: how it works
- 27. Data Plane! Control Plane! SDN device SDN device SDN device SDN Controllers SDN device Switches can connect to any controller OpenFlow control plane: how it works
- 28. Data Plane! Control Plane! SDN device SDN device SDN device SDN device SDN Controllers No cerKficate management soluKons OpenFlow control plane: how it works
- 29. Data Plane! Control Plane! SDN device SDN device SDN device SDN device No trust management between devices SDN Controllers No trust management between devices No trust management between devices OpenFlow control plane: how it works
- 30. Data Plane! Control & Management! Admin StaKon SDN device SDN device SDN device SDN device SDN Controllers 4 Threat Vector 4 in OpenFlow Networks
- 31. Controller A App A Controller B App A Controller C App A Master-‐slave controllers (what if B fails?)
- 32. Master-‐slave controllers (what if B fails?) On the feasibility of a consistent and fault-‐tolerant data store for SDNs h;p://goo.gl/mF9HNB Fault-‐ tolerant distributed datastore Active" Controller" Active" Controller" Master ConnecKon Slave ConnecKon Active" Controller" Datastore "
- 33. Controller App B App C A: 10.0.0.1 V: 10.0.0.3 block src=10.0.0.1 (to dst=10.0.0.3) rewrite src=10.0.0.1 (to src=10.0.0.2) Apps/services rewriKng rules (accidentally or maliciously) …
- 34. AggregaCon Flow Table (priority and isolaKon of signed rules) … A Security Enforcement Kernel for OpenFlow Networks h;p://goo.gl/4DJPbK
- 35. Data Plane! Control & Management! Admin StaKon SDN device SDN device SDN device SDN device SDN Controllers 5 Threat Vector 5 in OpenFlow Networks
- 36. Controller A App A Controller B App B Controller C App C Fault-‐tolerant Distributed Data Store Apps trying to access and/or change/corrupt shared memory/objects … block src=10.0.0.1 (to dst=10.0.0.3) allow src=10.0.0.1 (to dst=10.0.0.3) Unauthorized controller and/or app Datastore "
- 37. Moving network funcConality to the edge… Controller A Fw A Controller B Fw B Controller C Fw C
- 38. Controller A Fw A Controller B Fw B Controller C Fw C Fault-‐tolerant Distributed Data Store Apps trying to access and/or change/corrupt shared memory/objects … set border sec level=2 set border sec level=1 Malicious or buggy controller/app trying to enforce a lower security level Afack detected on network perimeter A Datastore "
- 39. Controller A Fw A Controller B Fw B Controller C Fw C Fault-‐tolerant Distributed Data Store Apps trying to access and/or change/corrupt shared memory/objects … set border sec level=2 set border sec level=1 1. set rate limit=1000 2. allow direct connecKons 1. set rate limit=500 2. force all suspected conns to pass through Sec Midbox L1 Datastore "
- 40. Which controller should take over the forwarding devices? Controller A DevM Controller B DevM Controller C DevM AssociaKon phase: devices receive the decision signed by “all” controllers Consensus-‐as-‐a-‐service to help in such decisions? AssociaKon phase: devices receive the decision signed by “all” DevMs
- 41. Main threat vectors in SDNs Short intro to SDN Outline Sec&Dep issues in OpenFlow SDNs More OpenFlow security issues Just out of curiosity …
- 42. OpenFlow security issues h;p://goo.gl/b5bzZC , h;p://goo.gl/2sf5CF , h;p://goo.gl/7opnZk 1. Lacks TLS and access control 2. Repeats the error of previous protocols: “the link should be physically secure” 3. Man in the middle: simple to do if TLS is not is use and/or when it is weakly implemented 4. Listener mode: some switches accept connecKons from any source (write rules and read informaKon) 5. Lack of switch authenCcaCon (e.g., request traffic redirecKon) 6. Flow table verificaCon: lack of TLS makes it impossible to verity if flow tables are configured with the expected rules 7. Denial of service risks: specially in the case of centralized controllers (single points of failure) 8. Controller vulnerabiliCes: diverse apps, complex protocols parsing, lack of priority-‐based controls and isolaKon, … 9. Resource depleCon acacks (e.g., learning switch of POX)
- 43. OpenFlow security issues OpenFlow: A Security Analysis h;p://goo.gl/59CIVm Threat (STRIDE) Security Property Possible Acacks Affected OF versions Spoofing AuthenKcaKon MAC and IP address spoofing, forged ARP and IPv6 router adverKsement 1.0, 1.2, 1.3, 1.3.1 Tampering Integrity Counters falsificaKon, install rules that modify packets, redirect/clone flows 1.0, 1.2, 1.3, 1.3.1 RepudiaKon Non-‐ repudiaKon Install rules to forge source address of packets 1.0, 1.2, 1.3, 1.3.1 InformaKon disclosure ConfidenKality Side channel afacks to figure out flow rules setup 1.0, 1.2, 1.3, 1.3.1 Denial of service Availability Augmented new flow requests to the controller 1.0, 1.2, 1.3, 1.3.1 ElevaKon of privilege AuthorizaKon Take over the controller by exploiKng implementaKon flaws 1.0, 1.2, 1.3, 1.3.1
- 44. “OpenFlow security is minimally specified, to the point where the differences between mul/ple OpenFlow implementa/ons could cause opera/onal complexity, interoperability issues or unexpected security vulnerabili/es.” (M. Wasserman and S. Hartman) h;p://goo.gl/Ep5CXH OpenFlow security issues
- 45. Main threat vectors in SDNs Short intro to SDN Outline Sec&Dep issues in OpenFlow SDNs Some OpenFlow security issues Just out of curiosity …
- 46. Time and bandwidth for DoS afacks DoS afacks on the control plane h;p://goo.gl/2sf5CF One controller, one switch, and two hosts. HP 5406zl like switch with 1.500 flow rules capacity.
- 47. SDN CONTROLLER APPLICATIONS NETWORK OPERATING SYSTEM ACCESS CONTROL FIREWALL SOFTWARE CONTROL COMMUNICATIONS 10 switches = a powerful weapon DoS afacks on controllers With 10 switches, one can easily do a DoS afack to significantly impact the controller’s performance. h;p://goo.gl/WEmR7n , h;p://goo.gl/b5bzZC , h;p://goo.gl/2sf5CF
- 48. The Network Access Layer Goes Virtual Sojware switching: the new trend?! The Sandwich… Network Virtualiza/on Main Stage at Interop h;p://goo.gl/yt9pi2
- 49. VulnerabiliKes in Cisco IOS 0 5 10 15 20 25 30 35 40 45 50 1992 1995 1998 2001 2004 2007 2010 2013 Numberofvulnerabilities Year of publication Current Network OperaKng Systems