SlideShare a Scribd company logo

Unified Security Plugin for Opendaylight Controller

Download as DOC, PDF
Saikat Chaudhuri, profile picture
Saikat Chaudhuri

This document discusses the implementation of a unified security plugin for the Opendaylight SDN controller. It begins by describing how SDN architectures introduce new security challenges by making the controller a single point of failure. It then outlines some existing security measures in Opendaylight but notes remaining vulnerabilities, such as from packet-in flooding attacks. The document proposes a unified security plugin that would monitor the controller's interfaces and APIs to identify attacks and share security-related information for mitigation. It provides an example of how the plugin could help detect and block a packet-in flooding attack aimed at overwhelming the controller.

1 of 7
Download to read offline
1
2
3
4
5
6
7
Unified Security Plugin for Opendaylight Controller ABSTRACT For the last two years, there is a definite buzz around SDN which is complemented by NFV. The strong focus on SDN is vindicated by the fact that by 2016, there is a prediction that more than 10,000 enterprises will deploy SDN in their networks, which is almost a ten-fold increase from the data in 2014 [1]. Also, according to a survey done by Juniper in 2014, out of 400 U.S. Businesses, around 52.5 percent of the companies plan to adopt SDN in the future. 27 percent out of these companies have stated that they are ready or almost ready to adopt SDN [2]. SDN architecture is proposed to be widely deployed for branch networks. Opendaylight (ODL) as an open source SDN controller has gained prominence from contributions across the industry and promises to become the most widely used open source controller. This White Paper discusses the implementation of a security plugin that provides a single pane of glass for providing information about controller security. The controller is well accepted as the single most vulnerable element in the network from a security point of view. It may be threatened in multiple ways like denial of service attacks or maliciously crafted data to force the controller to misbehave. The threat to the controller arises from the north-bound, south-bound and east-west interfaces in a myriad of ways. If messages from north-bound applications are allowed to communicate with the controller unchecked, then there is possibility of message exchange with unauthenticated sources. There is also a risk of the north-bound messages being modified in transit by intermediate nodes and yet going undetected at the controller unless message integrity verification is done. The same concern exists for the other interfaces like the east-west communication with peer controller and south-bound interface as well. Possibility of a data flood from north-bound or south-bound entities trying to bring down the controller is also probable. If any of the above mentioned methods to over-whelm the controller is successful, the ramifications of such attacks are huge and has the potential to affect the entire network. Hence, it is highly recommended that the security for the controller should be granular and robust to be successfully able to be thwart attacks from the network and hold back the attacker till the mitigation system can detect the attack and block the source. The paper starts off discussing the problems associated with security in SDN in general and then covers the Opendaylight specific issues in particular. 1. INTRODUCTION 1.1 Why SDN? SDN is a term coined to exhibit the concept in networking where the control plane is decoupled from the physical infrastructure and is instead moved out into a separate entity called the controller. The controller provides networking services that help to manage the network and also determine how the data plane flows are configured. Since the controller runs as a separate software to manage the entire network, hence its termed as ‘Software Defined Networking’ aka SDN. The switches (physical infrastructure), that handle the traffic flow, may be made available from multiple vendors as long as they are compatible with the protocol of communication between the controller and the switch. This reduces dependency on any particular equipment manufacturer and the service provider has the flexibility to use switches of their choice that gives them the cost and operational advantage. According to a survey by Spirent in 2014 covering service providers that control 51% of global telecom capex, the main driver for SDN adoption is revenue generation through cloud services aided by SDN [3]. 1.2 What is the Challenge with SDN Security? A recollection of the native network topology exhibits a network that is a mix of routers and switches (combinedly referred to as the network elements in future course of this paper) interconnecting the LANs and the WANs to the end-points. The network elements have the control plane and the data plane that reside inside individual boxes and is responsible for session establishment as well as data forwarding. In a private network, security is deployed at the network gateway and the De-Militarized Zones inside the network. A mix of network (FW / Proxy Servers / IPS / IDS etc) and host based (end-point FW / IDS etc.) security devices are used to protect such networks. With the advent of SDN, the network security has a whole new network node to secure. That new network node is the SDN Controller. While the controller provides a bird’s eye view of the network and therefore acts as an enabler to program the underlying network and also enhance its security, but, at the same time it opens up a host of security issues due to its own existence. The controller is susceptible to attacks from the users and applications, the peer controller with which it talks to and also from the underlying network elements that it controls. Therefore, the SDN architecture has a new challenge on its hands to protect the controller that forms the backbone of the network. Copyright 2015 Page 1 of 7
While the network and transport protocol level vulnerabilities needs to be addressed by the Operating System on which the controller runs, there are other application layer security issues that have to be handled at the controller. We will discuss some of the application layer security issues in the subsequent sections from the Opendaylight (ODL) controller perspective. The following figure is a diagrammatic representation of the ODL controller vulnerabilities from the different interfaces. Fig1. ODL Controller vulnerability from different interfaces Apart than the controller, there are vulnerabilities exposed in the SDN network under the purview of the ODL controller as well. Discussions on the network vulnerabilities is outside the scope of this paper. 2. THE GAPS IN ODL CONTROLLER SECURITY: This section delves briefly on the security solutions that have already been implemented to protect the ODL controller and the areas of vulnerability that still exist till date. 2.1 Controller defense already in place: 2.1.1 AAA project: For a controller platform that supervises and manages the network, it is important to have restrictive and role based access for the users that log into it. This is essential to maintain the identity of the users and provide security from controller access falling into the wrong hands. The AAA project is key to the authentication and authorization of the users and applications that log on to the controller. This ensures that the north-bound entities do not gain access to the controller without their identities being verified and therefore, protects the controller from rouge applications/users. It also defines the services that users/applications can access based on their role based access. 2.1.2 SSL/TLS based protection to the interfaces: The HTTPS support for the Restconf interface brings in the added security provided by the Secure Socket Layer. This adds to the integrity check verification and encryption of the message contents that are sent to the controller by the application. Similarly, TLS based protection to the Openflow messages from the network provides the necessary authentication, confidentiality and integrity verification that is necessary to protect the network nodes from a rouge controller and also for the controller itself to verify identity of the network elements before exchanging data. 2.1.3 Service Function Chaining: Service Function Chain which provides an ordered list of network services provides a platform to program message flows through chain of devices to aid in the network and controller security. The chaining of the DPI / FW / IPS / IDS / Load Balancers help secure the message flows and provides depth to the perimeter security as per requirements of the network tenant. 2.1.4 Openflow Plugin Overload Protection: The Openflow Plugin protection adds to the plugin protection from a flurry of Packet-In messages from the network. It maintains queues for each network switch with which it interacts and ensures that the number of packets punted to the controller at any point of time is limited by the size of the queue. The number of packets in the queue is dependent on the rate of packets punted from the network as well as the rate at which the packets are de-queued for processing. If the queue gets full, then there are resulting tail drops due to queue congestion. 2.2 The existing Controller Vulnerabilities: Despite the closure of security gaps discussed in Sec-2.1 to secure the ODL Controller, there are certain vulnerabilities that still remain to be addressed. The following sections highlights the vulnerabilities (which are not claimed to be an exhaustive list) and sets the scope of this paper to discuss some of them in detail along with their mitigation strategies and introduce the concept of the Unified Security Plugin. 2.2.1 Controller security from packet-in attacks: We have already discussed in the previous section that the Openflow Plugin is protected from Packet-In messages via a defense mechanism of Overload-Protection. However, this mechanism of defense only helps to thwart off an immediate attack on the plugin. It does not address the root of the issue since it makes no attempt of identify the source of the attack. Also, congestion of the queue does not necessarily identify an attack. It is possible that the issue might be linked to a delay in the de-queuing and processing of the packets thereby leading to a build of congestion in queue. However, on the contrary, if the queue is getting congested due to heavy inflow of packets from the network, then measures need to be adopted to identify the source of the packet influx and block them. In order to do so, it is imperative that there needs to be some application that can program the controller accordingly. We will discuss more about the mitigation mechanism in a subsequent section. Copyright 2015 Page 2 of 7
2.2.2 BGP Link-State connectivity and secured exchange of SDNi messages: The BGP plugin provides BGP Link-state Distribution as a source of L3 topology information. The BGP Plugin sets up a TCP connection with the peer before it starts exchanging the link-state messages. However, the TCP connection is not a secure one and is susceptible to MITM attack and DoS attacks. Also, there is no authentication of the peer before a BGP session is established. This is risky in particular if the SDNi application is run in conjunction with BGP. SDNi is an application that runs on top of the ODL controller to establish east-west communication between peer controllers and exchange various network information elements like topology, policy, QoS details etc. with peer controller. This is particularly useful to help identify the best path for packet delivery to the destination node(s) in a CDN via multiple networks controlled by separate ODL controllers. The reason for the alarm with SDNi is because of the fact that it leverages the BGP plugin to share important information with peer controller(s). This exposes it to various risks like interaction with rogue controllers or modification of data by intermediate network elements which may go undetected. The impacts of such attacks can be very disruptive. If any network element gets access to the network sensitive data in the transit, it feeds the attacker with extensive information to launch specific attacks on the controller or its network and overwhelm them. Also, the rogue controller may make it appear as if data path via its network offers best bandwidth availability, thereby, forcing the network data to be steered to its network for easy interception. Therefore, there needs to be a mechanism in place to perform authentication of the peer followed by adding confidentiality and integrity checks in the message exchange procedure to make the system more secure. The details of the mitigation solution towards this end will be discussed in detail in a subsequent section. 2.2.3 Protection of other South Bound plugins: Other than the Openflow and BGP plugin, there are other southbound plugins in Opendaylight controller like NETCONF, SNMP, OVSDB etc. that can also open up vulnerabilities for the controller. While some of the protocol based plugins operate over a secured interface to protect against eavesdropping, they however may not be protected from DoS attacks from the underlying network elements. Mitigation of the security issues that are opened up by these South Bound plugins other than Openflow Plugin and BGP is not discussed in this paper. 2.2.4 Secured exchange of data between clustered controllers: Controller clustering is important from the High-Availability point of view especially since the controller is the programmer of the underlying network. This not only adds redundancy to the architecture but also increases the scalability of the model Current ODL controller clustering is built on top of Infinispan distributed-caching/data-grid platform. Infinispan uses Jgroups as a reliable messaging layer for the cluster. Jgroups authorization and encryption features need to be enabled to ensure the security of the message exchange between the clusters. Clustered controller security is outside the purview of this paper. 3. THE UNIFIED SECURITY PLUGIN: While security has been operating mostly in silos in the native networks, the SDN architecture provides a cost effective and unique scope to unify the collation of information that can aid in enhancing the security of the controller in particular and the network in general. The plugin is being developed as part of the ODL Beryllium Release [4].This is because the SDN controller has a complete view of the network and can therefore tap into the packet contents flowing in the network for better visibility. The Unified Security Plugin (USecPlugin) is developed for ODL controller as an infrastructure that provides a single pane of visibility related to controller security. The plugin collates the security related information from various interfaces and is made available to the ODL northbound APIs for external parties to retrieve the information. The security information could be handy in identifying attacks on ports exposed by the SB plugins, suspected controller intrusions or information about trusted controllers in the network. Information collected at the plugin may also be used to configure Firewalls and create IP Blacklists for the network. The USecPlugin is designed to provide ‘security service function’ for the Opendaylight controller. The utility of the USecPlugin is better understood from the perspective of the use cases described in the following sections 4 and 5. However, the USecPlugin may be further enhanced to cover use cases related to controller security beyond what we have described here. 4. CASE1 - THE PACKET-IN ATTACK AND ITS MITIGATION: 4.1 Explaining Packet-In Attack and Simulation In an SDN architecture supporting Openflow switches, the switches are flow programmed by the controller to determine the path for the packet to its destination. When a packet arrives at an Openflow switch, the packet header and metadata is matched against the flow tables in the switch and instructions are executed as per the flow table. If a matching flow table entry is not found, then the packet might either be dropped or sent to the controller based on the configuration of the table-miss flow entry. Moreover, packets are sent to the controller if an explicit action is present in the switch to handle incoming packets with an action=CONTROLLER or a data packet arrives with an invalid TTL. If the packet is sent to the controller over the control channel, it is sent as a Packet-In message. The structure of the Openflow message with Packet-In is represented in the figure below: Fig2. Openflow Message Structure with Packet-In The Packet-In field of the Openflow message has the payload containing information of the IPv4/ IPv6 address source and destination for which the Packet-In message is crafted. Once a connection has been established between the controller and the switch, multiple packet-in messages from the switch can force large scale consumption of CPU and memory utilization at the controller. This can be exploited as a vulnerability by an attacker that can force the Openflow plugin to be overwhelmed. Copyright 2015 Page 3 of 7
In order to empirically prove the point, we carried out a Packet-In attack on the controller running Opendaylight Helium SR3 release. The network simulation of the attack was done using Mininet. Sustained Packet-In messages from Network were created by configuring switch with default flow to ODL controller in case of a table-miss entry. Packets were sent to the controller at the rate of 20K PPS. A diagrammatic representation of the problem is shown in the figure below: Fig3. Packet-In Attack As a consequence of the attack, Controller CPU utilization shoots up to ~150% (On dual-core x86 processor). Approximately 35% Memory utilization is observed with system having 4GB RAM. Additionally we could also observe the following statistics with packet tail drops happening: • Total Packets sent from the switch: 9600645 Packets. • Total Packets count processed by Openflow Plugin in Controller: 9001148 • ~ 6% packet drops on controller. In order to plug this vulnerability, queue based handling of Packet-In messages is already designed and implemented in ODL, thereby providing the first level of defense to the controller against such attacks. A snapshot of the resource utilization on the system running the controller is displayed in the figure below: Fig4. Resource utilization of system during Packet-In Attack From the snapshot, it is visible that the CPU utilization is significantly higher due to the packet-in attack. Also, the figures shared earlier shows an approximate 6% packet drop due to the attack. This implies that if there is an attack happening with fast punting of packets to the controller from any port in the switch, then packets coming through other ports in the same switch and sent as packet-in message to the controller will start getting impacted as well due to the packet drops. So, while the queue based packet handling at the controller is able to fend off the packet-in attack, it is having collateral impact on the resource utilization and packet handling. 4.2 Attack Mitigation from Packet-In Messages: Considering the collateral impacts of a Packet-In attack as discussed in Sec-3.1, it is imperative that we look at means to mitigate such attacks rather than just thwarting them. Also, a deep-dive into the details of the source of packet-in attack is necessary to be able to build an information base to protect the system from such future attacks. In order to build a solution to mitigate the problem, details of the rate of packet influx for Packet-In messages from Openflow plugin is required. This information is used to design a system for detecting an impending attack. The details of the design is discussed below. 4.2.1 Designing the Mitigation System: In order to have a mitigation system in place, four key factors need to be kept in mind: a) There needs to be a fair estimate of the rate of packet influx to be able to figure out an impending and/or actual attack on the system. b) The source of the packet-in messages needs to be identified. c) Design a notification mechanism to send notifications to interested parties when an attack is impending or detected. d) Have a persistent database to record the source of high Packet- In messages for current or any future reference. The design factors are discussed in detail below: The estimation of the packet influx in the system can be calculated by registering the USecPlugin for notification of Packet-In messages from the Openflow plugin. Once registered, plugin starts receiving continuous notification from the Openflow plugin whenever a Packet-In message is received from the network. The Packet-In message notification is received with the ‘Data-Path Id’ of the switch and the node-connector information to identify the port (in the switch). This information is collated over a period of time continuously (when there is no attack from the network) to calculate the average rate of packet influx (Sav) on per switch basis. Collecting of the above mentioned information for extended period of time provides us with the historical levels of average packet-influx for a switch at peace-time levels. USecPlugin screens samples of Packet-In message payload contents at regular intervals of time to get the source address of legal packets at peace-time and stores the same in a persistent database. These source addresses will be maintained in a White-List of addresses for future reference. With the peace-time level packet influx rate already calculated, next the USecPlugin compares the packet influx rate on a continuous basis and raise the first alarm (Alarm1) for a switch if the present influx rate on the switch (Sp) is a certain percentage value (which is configurable) – referred to as the Low Water mark (Nlw), over and above the historical average for a configured period of time (t1). Copyright 2015 Page 4 of 7
Calculation - Alarm1: if ‘Sp > ((100 + Nlw ) * Sav ) / 100’ for time ‘t1’ Nlw is the ‘Low Water’ mark percentage value. ‘t1’ is the time for which the Low Water mark breach should happen to raise Alarm1. [Both Nlw and ‘t1’ are configurable values] Once Alarm1 is raised, USecPlugin screens the payload of Packet-In messages on the affected switch to get the source address for the messages. This information is crucial to identify particular source address or group of source addresses for the high influx Packet-In messages. All source addresses recorded for the Packet-In messages for switch are stored in a temporary data-store along with the influx packet rate, dp-id and node- connector value. If the high influx of packet-in messages is a result of a sudden spike and Sp eventually goes below the Low Water mark (and stays below the mark) for t2 seconds, then Alarm1 is cleared off. [t2 is a configurable value and may be of value greater than or equal to t1 ]. Along with clearing off the alarm, the source addresses, influx packet rate, dp-id and node-connector values written to the temporary data-sore since Alarm1 are also cleared off. This event is classified as a ‘Temporary Spike’. On the contrary, if Sp persistently stays above the Low Water mark and eventually hits the High Water mark (which is determined by a certain percentage value Nhw over and above the historical average), then the second alarm (Alarm2) is raised for the switch. Alarm2: if ‘Sp > ((100 + Nhw ) * Sav ) / 100’ [Nhw is a configurable value] Alarm2 is classified as a ‘Permanent Spike’. Along with the raising of the Alarm2, the temporary data in the data-store is removed and written to a persistent database. This is intended to help mitigate the Packet-In attack and correlating the source address for similar attacks in future. The source of attack is populated in a Black List of IP addresses with a count of the number of times it has triggered an attack. If the same source figures in the list of White Listed IP Address, then it is removed from that list. The same source addresses can be used for deriving correlation if any other forms of attack are detected and reported to the USecPlugin in future. While we previously talked about the logic for generation of alarms based on calculation of the historical peace time packet influx rates of a switch, the implementation also provides an alternative option to the controller user to configure specific values of packet rates for low and high water marks on the basis of which alarms need be raised instead of relying on peace time readings. This option offers additional flexibility to the user for tweaking the alarm generation system as per choice and requirement of the network. The alarms that are generated are meant for consumption by third-party external applications that may want to utilize the information for mitigation of the Packet-In attack. Depending on the different alarms that are registered for by the applications, the USecPlugin will notify the same back to the applications. Also, the USecPlugin provides Restconf interfaces to the applications to fetch the details of the source address(es), influx packet rate(s), dp-id(‘s) and node-connector information that may be involved in the Packet-In attack. This is a polling mechanism in addition to the notification mechanism mentioned earlier. The methodology adopted by the application to correlate the information from the USecPlugin and formulate strategy for attack mitigation is left to the third-party application logic and outside the purview of this paper. 5. CASE2 - SECURED EXCHANGE OF SDNI MESSAGES: 5.1 Preview to BGP and SDNi concepts: As discussed earlier in Sec-2.2.2, the BGP link state protocol serves to exchange the network topology with peer networks for optimized routing. The SDNi project in Opendaylight is designed to establish communication between multiple SDN controllers. The data shared is control plane parameters like Topology, Quality of Service (QoS), policy etc. Since SDNi uses BGP session to exchange information with peer controller(s), therefore, the steps to initiate exchange messages is as follows: 1. First establish a TCP connection between two controllers to exchange BGP information. 2. Establish a BGP connection between the BGP speakers in the controller. 3. Start sending and receiving the NLRI updates between the controllers, containing the QoS and other updates depending on the use cases designed with SDNi. 5.2 Security Concerns with SDNi: Since SDNi depends on the Topology, QoS. Policy and other info shared by peer controllers for conceptualizing Bandwidth-On- Demand or servicing CDN, it is important to ensure the following: 1. Authenticity of the peer controller(s). 2. Data Integrity verification check for the information shared by inter-subnet controllers. 3. Encryption of data exchanged to protect the network details from being exposed to the external entities in the network. If the peer controller remains unauthenticated, it raises the spectre of a MITM attack resulting in bogus session establishment with rogue peer controller. A diagrammatic representation of the problem is shown in the figure below: Fig5. MITM Attack (Bogus Session) Authenticity of the controller is essential to ensure that the peers that interact with each other verify that none of the controllers are masquerading. Copyright 2015 Page 5 of 7
5.3 MITM Attack Mitigation: The implementation in its present form in the ODL Controller Lithium Release verifies the authenticity of the peer using TCP MD5 authentication mechanism as detailed in RFC 2385 (Protection of BGP Sessions via the TCP MD5 Signature Option). The implementation of the TCP MD5 authentication is optional configuration in ODL controller considering that it needs support for the same on the peer controller before it can be deployed. If the peer controller does not support the authentication mechanism, then there is presently no other way in which the peer controller may be authenticated before a BGP Session establishment. However, keeping in mind that authentication is an important aspect before SDNi sessions are established, therefore, there needs to be a mechanism for determining whether the peer is authenticated. Only if the peer controller is authenticated should an SDNi session be ideally established to prevent MITM attacks. Considering that the TCP MD5 authentication is based on the shared password used for creation of the MD5 digest, the authentication mechanism is not a full proof one. Also, maintaining the same password forever is not suggested from security perspective lest it may get leaked to the attacker at some point of time. However, changing the password and sharing the same with the peer is also a challenge and leaves the possibility of a security breach. In order to make communication more secure, the TCP connection for BGP Link-State protocol should be secured with a SSL/TLS security to encrypt the data and ensure data integrity verification. Again, the SSL/TLS security is dependent on whether the peer controller also supports the same for added security. The SDNi session establishment may optionally want to establish session with peer controllers that have the SSL/TLS security layer on top of the TCP connection. Keeping the above security mechanisms in mind, the information about the authentication or encryption on the interface connection to the peer controller is updated in the USecPlugin. Whenever SDNi wants to establish a new session with peer controller, it should check the USecPlugin for the security related information before it decides on the session establishment. However, for providing Authentication, Integrity Check and Encryption, it is advisable to add SSL/TLS security on a TCP connection before establishing a BGP session. 6. USecPlugin Architecture: Having detailed out the use cases for the USecPlugin in sections 4 and 5, this section gives an overview of the architecture for the plugin. Fig6: Unified Security Plugin architecture The above figure shows the architecture of the USecPlugin which provides Security Service function for the ODL Controller. The USecPlugin registers for the Packet-Notifications in MD-SAL. These notifications are received from the Openflow Plugin for detecting Packet-In Attack. The Openflow plugin also writes the contents of the Packet-In messages to the OF Data Store. The USecPlugin needs to access the OF Data Store to access the Packet-In message metadata. The USecPlugin has its own data store in MD Sal to temporarily store the Packet-In message metadata as detailed in Sec 4.2.1 above. The temporarily stored metadata is written to the persistent database when the attack is confirmed. Similarly, for protection of the SDNi application, the authentication of peer controller and interface security details of the inter-SDN connection is updated to the USecPlugin and stored in a persistent database. USecPlugin exposes a NB API for the SDNi application to fetch information related to east-west interface security before exchanging the network updates. The USecPlugin is developed in a modular manner leaving scope to extend for other security related events in the controller that may require to be store in a central repository. 7. ONCLUSION The USecPlugin is a novel design to provide a centralized database of all security related information for the ODL controller. Though the plugin has been conceptualized for the ODL controller, the same can be implemented for other SDN controllers as well to add visibility to security related information for controllers. As discussed above, the utility of the plugin is not restricted to the use cases discussed above and can be extended to cover other types of controller vulnerabilities exposed by the application protocols that are running in the controller. The collation of security related information by the USecPlugin allows for running analytics based engine to detect anomalous Copyright 2015 Page 6 of 7
behavior which could point to an impending attack. This makes handling of security in controller much more intelligent and adaptable for user to configure threshold parameters as per network fluctuations. The USecPlugin is not designed to add layers of security within the controller since that is not the objective of the controller. There are separate security appliances that can run separately outside the controller to protect the network nodes including the controller. The USecPlugin just acts as an enabler to add visibility to any security risks arising out of the events handled within the controller. This helps to make security more granular and program the network to mitigate risks by integrating with third party external application. 8. ABBREVIATIONS AAA – Authentication Authorization Accounting API – Application Programming Interface BGP – Border Gateway Protocol CDN – Content Delivery Network DoS – Denial of Service DPI – Deep Packet Inspection FW - Firewall HTTPS – Hyper Text Transport Protocol Secure IDS – Intrusion Detection System IPS – Intrusion Prevention System MD5 – Message Digest 5 MITM – Man In The Middle NETCONF – Network Configuration Protocol NFV - Network Function Virtualization NLRI - Network Layer Reachability Information OF – Open Flow ODL - Opendaylight OVSDB – Open vSwitch Database Management Protocol PPS – Packets Per Second RFC – Request For Comments QoS – Quality of Service SDN - Software Defined Network SDNi – Inter-Software Defined Network SNMP – Simple Network Management Protocol SSL – Security Socket Layer TCP – Transport Control Protocol TLS – Transport Layer Security TTL – Time To Live 9. REFERENCES [1] http://blogs.gartner.com/andrew- lerner/2014/12/08/predicting-sdn-adoption/ [2] http://newsroom.juniper.net/press-releases/new-juniper- networks-study-finds-u-s-companies-sp-nyse-jnpr-1134411 [3] Infonetics Research: SDN and NFV Strategies: Global Service Provider Survey, March 2014 (51% of world telecom capex) [4] https://wiki.opendaylight.org/view/Project_Proposals:Contro ller_Shield Copyright 2015 Page 7 of 7

More Related Content

PDF
Evaluation of Authentication Mechanisms in Control Plane Applications for Sof...
Siyabonga Masuku
 
PDF
Attacking SDN infrastructure: Are we ready for the next gen networking
Priyanka Aash
 
PPTX
Software defined networking players
Ameer Sameer
 
PPTX
BsidesSP: Pentesting in SDN - Owning the Controllers
Roberto Soares
 
PDF
Security Analysis and Improvement for IEEE 802.11i
inventionjournals
 
PDF
Indexing Building Evaluation Criteria
IJERA Editor
 
PDF
A Novel SDN Architecture for IoT Security
ijtsrd
 
PDF
Performance Analysis of Wireless Trusted Software Defined Networks
IRJET Journal
 
Evaluation of Authentication Mechanisms in Control Plane Applications for Sof...
Siyabonga Masuku
 
Attacking SDN infrastructure: Are we ready for the next gen networking
Priyanka Aash
 
Software defined networking players
Ameer Sameer
 
BsidesSP: Pentesting in SDN - Owning the Controllers
Roberto Soares
 
Security Analysis and Improvement for IEEE 802.11i
inventionjournals
 
Indexing Building Evaluation Criteria
IJERA Editor
 
A Novel SDN Architecture for IoT Security
ijtsrd
 
Performance Analysis of Wireless Trusted Software Defined Networks
IRJET Journal
 

What's hot (19)

PDF
IRJET- SDN Simulation in Mininet to Provide Security Via Firewall
IRJET Journal
 
PDF
IRJET- Software Defined Network: DDOS Attack Detection
IRJET Journal
 
PDF
A review on software defined network security risks and challenges
TELKOMNIKA JOURNAL
 
PDF
Cloud computing challenges and solutions
IJCNCJournal
 
DOC
A secure intrusion detection system against ddos attack in wireless mobile ad...
vishnuRajan20
 
PDF
Megaplex nerc-cip-compliance
Nir Cohen
 
PDF
IRJET- A Survey on DDOS Attack in Manet
IRJET Journal
 
PDF
By25450453
IJERA Editor
 
PPTX
Mobile slide
Aman singh
 
PDF
Enhancing Security in OpenFlow
Niketa Chellani
 
PDF
Enhancing the impregnability of linux servers
IJNSA Journal
 
PDF
A Defense-in-depth Cybersecurity for Smart Substations
IJECEIAES
 
PDF
Preventing Distributed Denial of Service Attacks in Cloud Environments
IJITCA Journal
 
PDF
A NEW GENERATION OF DRIVER ASSISTANCE AND SECURITY
IJCI JOURNAL
 
PDF
Data Transfer Security solution for Wireless Sensor Network
Editor IJCATR
 
PDF
ClubHack Magazine issue 26 March 2012
ClubHack
 
PDF
Next Generation Network: Security and Architecture
ijsrd.com
 
PDF
IRJET- Detection of Distributed Denial-of-Service (DDos) Attack on Software D...
IRJET Journal
 
PDF
Defending Industrial Control Systems From Cyberattack
Mountain States Engineering and Controls
 
IRJET- SDN Simulation in Mininet to Provide Security Via Firewall
IRJET Journal
 
IRJET- Software Defined Network: DDOS Attack Detection
IRJET Journal
 
A review on software defined network security risks and challenges
TELKOMNIKA JOURNAL
 
Cloud computing challenges and solutions
IJCNCJournal
 
A secure intrusion detection system against ddos attack in wireless mobile ad...
vishnuRajan20
 
Megaplex nerc-cip-compliance
Nir Cohen
 
IRJET- A Survey on DDOS Attack in Manet
IRJET Journal
 
By25450453
IJERA Editor
 
Mobile slide
Aman singh
 
Enhancing Security in OpenFlow
Niketa Chellani
 
Enhancing the impregnability of linux servers
IJNSA Journal
 
A Defense-in-depth Cybersecurity for Smart Substations
IJECEIAES
 
Preventing Distributed Denial of Service Attacks in Cloud Environments
IJITCA Journal
 
A NEW GENERATION OF DRIVER ASSISTANCE AND SECURITY
IJCI JOURNAL
 
Data Transfer Security solution for Wireless Sensor Network
Editor IJCATR
 
ClubHack Magazine issue 26 March 2012
ClubHack
 
Next Generation Network: Security and Architecture
ijsrd.com
 
IRJET- Detection of Distributed Denial-of-Service (DDos) Attack on Software D...
IRJET Journal
 
Defending Industrial Control Systems From Cyberattack
Mountain States Engineering and Controls
 
Ad

Viewers also liked (20)

PPT
The munoz migration - geography family tree1
pmunoz01
 
PDF
GetBetter
Greg Minerva
 
PPTX
Hyper-V Disaster Recovery Optimizing
Ahmad Firdaus
 
PDF
Coal mines bill, 2015, India
atul baride
 
PDF
IT Next January 2010 Issue
Shashwat DC
 
PDF
IBM X Force threat intelligence quarterly 1Q 2014
IBM Software India
 
PDF
ICMA Quarterly Report - FIRST QUARTER 2014
International Capital Market Association (ICMA)
 
PDF
GBNews_DEC09
Sabrina Davis
 
PDF
The Creditsafe Commercial Credit Managment Suite
CreditsafeUK
 
PDF
SeGW Whitepaper from Radisys
Shah Sheikh
 
PDF
NREF Annual Report
Eugene Vaios, MD MBA
 
PDF
Radisys Optimizing VAS for Greater Revenue Generation
Radisys Corporation
 
PDF
Rrgreenhandslof
Rajesh Sivaji
 
PDF
Spain 7 Getting Started
SUDIPTO BOSE
 
PPT
Wb engineering
Jason899
 
DOCX
Gaurav Kumar Resume
Gaurav kumar
 
PDF
Kofax Virtual Hospital
Mainstay
 
PPT
EdgeBuilder : Overview
EllisDonConstruction
 
PDF
Training & Development at Jindal SAW Ltd
Prateek Gahlot
 
PDF
Kofax Oil and Gas Solution
Mainstay
 
The munoz migration - geography family tree1
pmunoz01
 
GetBetter
Greg Minerva
 
Hyper-V Disaster Recovery Optimizing
Ahmad Firdaus
 
Coal mines bill, 2015, India
atul baride
 
IT Next January 2010 Issue
Shashwat DC
 
IBM X Force threat intelligence quarterly 1Q 2014
IBM Software India
 
ICMA Quarterly Report - FIRST QUARTER 2014
International Capital Market Association (ICMA)
 
GBNews_DEC09
Sabrina Davis
 
The Creditsafe Commercial Credit Managment Suite
CreditsafeUK
 
SeGW Whitepaper from Radisys
Shah Sheikh
 
NREF Annual Report
Eugene Vaios, MD MBA
 
Radisys Optimizing VAS for Greater Revenue Generation
Radisys Corporation
 
Rrgreenhandslof
Rajesh Sivaji
 
Spain 7 Getting Started
SUDIPTO BOSE
 
Wb engineering
Jason899
 
Gaurav Kumar Resume
Gaurav kumar
 
Kofax Virtual Hospital
Mainstay
 
EdgeBuilder : Overview
EllisDonConstruction
 
Training & Development at Jindal SAW Ltd
Prateek Gahlot
 
Kofax Oil and Gas Solution
Mainstay
 
Ad

Similar to Unified Security Plugin for Opendaylight Controller (20)

DOCX
Software Defined Networking Attacks and Countermeasures .docx
rosemariebrayshaw
 
PDF
Security sdn
Priya Singh
 
PPT
Security of software defined networking (sdn) and cognitive radio network (crn)
Ameer Sameer
 
PDF
Security of software defined networks: evolution and challenges
International Journal of Reconfigurable and Embedded Systems
 
PPTX
Sdn pres v2-Software-defined networks
ahmad abdelhafeez
 
PDF
TACTiCS_WP Security_Addressing Security in SDN Environment
Saikat Chaudhuri
 
PDF
Security and risk analysis in the cloud with software defined networking arch...
IJECEIAES
 
PDF
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...
IJNSA Journal
 
PDF
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...
IJNSA Journal
 
PDF
Controller Placement Problem Resiliency Evaluation in SDN-based Architectures
IJCNCJournal
 
PDF
Controller Placement Problem resiliency evaluation in SDN-based architectures
IJCNCJournal
 
PDF
Controller Placement Problem Resiliency Evaluation in SDN-based Architectures
IJCNCJournal
 
PDF
SDN: A New Approach to Networking Technology
IRJET Journal
 
PDF
Web-Based User Interface for the Floodlight SDN Controller
Eswar Publications
 
PDF
A LIGHT WEIGHT SOLUTION FOR DETECTING DE-AUTHENTICATION ATTACK
IJNSA Journal
 
PDF
A LIGHT WEIGHT SOLUTION FOR DETECTING DE-AUTHENTICATION ATTACK
IJNSA Journal
 
DOC
A PROJECT REPORT ON SECURED FUZZY BASED ROUTING FRAMEWORK FOR DYNAMIC WIRELES...
DMV SAI
 
PDF
Efficient Data Aggregation in Wireless Sensor Networks
IJAEMSJORNAL
 
PDF
Denial of Service Attacks in Software Defined Networking - A Survey
IRJET Journal
 
PDF
IRJET- A Study of DDoS Attacks in Software Defined Networks
IRJET Journal
 
Software Defined Networking Attacks and Countermeasures .docx
rosemariebrayshaw
 
Security sdn
Priya Singh
 
Security of software defined networking (sdn) and cognitive radio network (crn)
Ameer Sameer
 
Security of software defined networks: evolution and challenges
International Journal of Reconfigurable and Embedded Systems
 
Sdn pres v2-Software-defined networks
ahmad abdelhafeez
 
TACTiCS_WP Security_Addressing Security in SDN Environment
Saikat Chaudhuri
 
Security and risk analysis in the cloud with software defined networking arch...
IJECEIAES
 
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...
IJNSA Journal
 
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...
IJNSA Journal
 
Controller Placement Problem Resiliency Evaluation in SDN-based Architectures
IJCNCJournal
 
Controller Placement Problem resiliency evaluation in SDN-based architectures
IJCNCJournal
 
Controller Placement Problem Resiliency Evaluation in SDN-based Architectures
IJCNCJournal
 
SDN: A New Approach to Networking Technology
IRJET Journal
 
Web-Based User Interface for the Floodlight SDN Controller
Eswar Publications
 
A LIGHT WEIGHT SOLUTION FOR DETECTING DE-AUTHENTICATION ATTACK
IJNSA Journal
 
A LIGHT WEIGHT SOLUTION FOR DETECTING DE-AUTHENTICATION ATTACK
IJNSA Journal
 
A PROJECT REPORT ON SECURED FUZZY BASED ROUTING FRAMEWORK FOR DYNAMIC WIRELES...
DMV SAI
 
Efficient Data Aggregation in Wireless Sensor Networks
IJAEMSJORNAL
 
Denial of Service Attacks in Software Defined Networking - A Survey
IRJET Journal
 
IRJET- A Study of DDoS Attacks in Software Defined Networks
IRJET Journal
 

Unified Security Plugin for Opendaylight Controller

  • 1. Unified Security Plugin for Opendaylight Controller ABSTRACT For the last two years, there is a definite buzz around SDN which is complemented by NFV. The strong focus on SDN is vindicated by the fact that by 2016, there is a prediction that more than 10,000 enterprises will deploy SDN in their networks, which is almost a ten-fold increase from the data in 2014 [1]. Also, according to a survey done by Juniper in 2014, out of 400 U.S. Businesses, around 52.5 percent of the companies plan to adopt SDN in the future. 27 percent out of these companies have stated that they are ready or almost ready to adopt SDN [2]. SDN architecture is proposed to be widely deployed for branch networks. Opendaylight (ODL) as an open source SDN controller has gained prominence from contributions across the industry and promises to become the most widely used open source controller. This White Paper discusses the implementation of a security plugin that provides a single pane of glass for providing information about controller security. The controller is well accepted as the single most vulnerable element in the network from a security point of view. It may be threatened in multiple ways like denial of service attacks or maliciously crafted data to force the controller to misbehave. The threat to the controller arises from the north-bound, south-bound and east-west interfaces in a myriad of ways. If messages from north-bound applications are allowed to communicate with the controller unchecked, then there is possibility of message exchange with unauthenticated sources. There is also a risk of the north-bound messages being modified in transit by intermediate nodes and yet going undetected at the controller unless message integrity verification is done. The same concern exists for the other interfaces like the east-west communication with peer controller and south-bound interface as well. Possibility of a data flood from north-bound or south-bound entities trying to bring down the controller is also probable. If any of the above mentioned methods to over-whelm the controller is successful, the ramifications of such attacks are huge and has the potential to affect the entire network. Hence, it is highly recommended that the security for the controller should be granular and robust to be successfully able to be thwart attacks from the network and hold back the attacker till the mitigation system can detect the attack and block the source. The paper starts off discussing the problems associated with security in SDN in general and then covers the Opendaylight specific issues in particular. 1. INTRODUCTION 1.1 Why SDN? SDN is a term coined to exhibit the concept in networking where the control plane is decoupled from the physical infrastructure and is instead moved out into a separate entity called the controller. The controller provides networking services that help to manage the network and also determine how the data plane flows are configured. Since the controller runs as a separate software to manage the entire network, hence its termed as ‘Software Defined Networking’ aka SDN. The switches (physical infrastructure), that handle the traffic flow, may be made available from multiple vendors as long as they are compatible with the protocol of communication between the controller and the switch. This reduces dependency on any particular equipment manufacturer and the service provider has the flexibility to use switches of their choice that gives them the cost and operational advantage. According to a survey by Spirent in 2014 covering service providers that control 51% of global telecom capex, the main driver for SDN adoption is revenue generation through cloud services aided by SDN [3]. 1.2 What is the Challenge with SDN Security? A recollection of the native network topology exhibits a network that is a mix of routers and switches (combinedly referred to as the network elements in future course of this paper) interconnecting the LANs and the WANs to the end-points. The network elements have the control plane and the data plane that reside inside individual boxes and is responsible for session establishment as well as data forwarding. In a private network, security is deployed at the network gateway and the De-Militarized Zones inside the network. A mix of network (FW / Proxy Servers / IPS / IDS etc) and host based (end-point FW / IDS etc.) security devices are used to protect such networks. With the advent of SDN, the network security has a whole new network node to secure. That new network node is the SDN Controller. While the controller provides a bird’s eye view of the network and therefore acts as an enabler to program the underlying network and also enhance its security, but, at the same time it opens up a host of security issues due to its own existence. The controller is susceptible to attacks from the users and applications, the peer controller with which it talks to and also from the underlying network elements that it controls. Therefore, the SDN architecture has a new challenge on its hands to protect the controller that forms the backbone of the network. Copyright 2015 Page 1 of 7
  • 2. While the network and transport protocol level vulnerabilities needs to be addressed by the Operating System on which the controller runs, there are other application layer security issues that have to be handled at the controller. We will discuss some of the application layer security issues in the subsequent sections from the Opendaylight (ODL) controller perspective. The following figure is a diagrammatic representation of the ODL controller vulnerabilities from the different interfaces. Fig1. ODL Controller vulnerability from different interfaces Apart than the controller, there are vulnerabilities exposed in the SDN network under the purview of the ODL controller as well. Discussions on the network vulnerabilities is outside the scope of this paper. 2. THE GAPS IN ODL CONTROLLER SECURITY: This section delves briefly on the security solutions that have already been implemented to protect the ODL controller and the areas of vulnerability that still exist till date. 2.1 Controller defense already in place: 2.1.1 AAA project: For a controller platform that supervises and manages the network, it is important to have restrictive and role based access for the users that log into it. This is essential to maintain the identity of the users and provide security from controller access falling into the wrong hands. The AAA project is key to the authentication and authorization of the users and applications that log on to the controller. This ensures that the north-bound entities do not gain access to the controller without their identities being verified and therefore, protects the controller from rouge applications/users. It also defines the services that users/applications can access based on their role based access. 2.1.2 SSL/TLS based protection to the interfaces: The HTTPS support for the Restconf interface brings in the added security provided by the Secure Socket Layer. This adds to the integrity check verification and encryption of the message contents that are sent to the controller by the application. Similarly, TLS based protection to the Openflow messages from the network provides the necessary authentication, confidentiality and integrity verification that is necessary to protect the network nodes from a rouge controller and also for the controller itself to verify identity of the network elements before exchanging data. 2.1.3 Service Function Chaining: Service Function Chain which provides an ordered list of network services provides a platform to program message flows through chain of devices to aid in the network and controller security. The chaining of the DPI / FW / IPS / IDS / Load Balancers help secure the message flows and provides depth to the perimeter security as per requirements of the network tenant. 2.1.4 Openflow Plugin Overload Protection: The Openflow Plugin protection adds to the plugin protection from a flurry of Packet-In messages from the network. It maintains queues for each network switch with which it interacts and ensures that the number of packets punted to the controller at any point of time is limited by the size of the queue. The number of packets in the queue is dependent on the rate of packets punted from the network as well as the rate at which the packets are de-queued for processing. If the queue gets full, then there are resulting tail drops due to queue congestion. 2.2 The existing Controller Vulnerabilities: Despite the closure of security gaps discussed in Sec-2.1 to secure the ODL Controller, there are certain vulnerabilities that still remain to be addressed. The following sections highlights the vulnerabilities (which are not claimed to be an exhaustive list) and sets the scope of this paper to discuss some of them in detail along with their mitigation strategies and introduce the concept of the Unified Security Plugin. 2.2.1 Controller security from packet-in attacks: We have already discussed in the previous section that the Openflow Plugin is protected from Packet-In messages via a defense mechanism of Overload-Protection. However, this mechanism of defense only helps to thwart off an immediate attack on the plugin. It does not address the root of the issue since it makes no attempt of identify the source of the attack. Also, congestion of the queue does not necessarily identify an attack. It is possible that the issue might be linked to a delay in the de-queuing and processing of the packets thereby leading to a build of congestion in queue. However, on the contrary, if the queue is getting congested due to heavy inflow of packets from the network, then measures need to be adopted to identify the source of the packet influx and block them. In order to do so, it is imperative that there needs to be some application that can program the controller accordingly. We will discuss more about the mitigation mechanism in a subsequent section. Copyright 2015 Page 2 of 7
  • 3. 2.2.2 BGP Link-State connectivity and secured exchange of SDNi messages: The BGP plugin provides BGP Link-state Distribution as a source of L3 topology information. The BGP Plugin sets up a TCP connection with the peer before it starts exchanging the link-state messages. However, the TCP connection is not a secure one and is susceptible to MITM attack and DoS attacks. Also, there is no authentication of the peer before a BGP session is established. This is risky in particular if the SDNi application is run in conjunction with BGP. SDNi is an application that runs on top of the ODL controller to establish east-west communication between peer controllers and exchange various network information elements like topology, policy, QoS details etc. with peer controller. This is particularly useful to help identify the best path for packet delivery to the destination node(s) in a CDN via multiple networks controlled by separate ODL controllers. The reason for the alarm with SDNi is because of the fact that it leverages the BGP plugin to share important information with peer controller(s). This exposes it to various risks like interaction with rogue controllers or modification of data by intermediate network elements which may go undetected. The impacts of such attacks can be very disruptive. If any network element gets access to the network sensitive data in the transit, it feeds the attacker with extensive information to launch specific attacks on the controller or its network and overwhelm them. Also, the rogue controller may make it appear as if data path via its network offers best bandwidth availability, thereby, forcing the network data to be steered to its network for easy interception. Therefore, there needs to be a mechanism in place to perform authentication of the peer followed by adding confidentiality and integrity checks in the message exchange procedure to make the system more secure. The details of the mitigation solution towards this end will be discussed in detail in a subsequent section. 2.2.3 Protection of other South Bound plugins: Other than the Openflow and BGP plugin, there are other southbound plugins in Opendaylight controller like NETCONF, SNMP, OVSDB etc. that can also open up vulnerabilities for the controller. While some of the protocol based plugins operate over a secured interface to protect against eavesdropping, they however may not be protected from DoS attacks from the underlying network elements. Mitigation of the security issues that are opened up by these South Bound plugins other than Openflow Plugin and BGP is not discussed in this paper. 2.2.4 Secured exchange of data between clustered controllers: Controller clustering is important from the High-Availability point of view especially since the controller is the programmer of the underlying network. This not only adds redundancy to the architecture but also increases the scalability of the model Current ODL controller clustering is built on top of Infinispan distributed-caching/data-grid platform. Infinispan uses Jgroups as a reliable messaging layer for the cluster. Jgroups authorization and encryption features need to be enabled to ensure the security of the message exchange between the clusters. Clustered controller security is outside the purview of this paper. 3. THE UNIFIED SECURITY PLUGIN: While security has been operating mostly in silos in the native networks, the SDN architecture provides a cost effective and unique scope to unify the collation of information that can aid in enhancing the security of the controller in particular and the network in general. The plugin is being developed as part of the ODL Beryllium Release [4].This is because the SDN controller has a complete view of the network and can therefore tap into the packet contents flowing in the network for better visibility. The Unified Security Plugin (USecPlugin) is developed for ODL controller as an infrastructure that provides a single pane of visibility related to controller security. The plugin collates the security related information from various interfaces and is made available to the ODL northbound APIs for external parties to retrieve the information. The security information could be handy in identifying attacks on ports exposed by the SB plugins, suspected controller intrusions or information about trusted controllers in the network. Information collected at the plugin may also be used to configure Firewalls and create IP Blacklists for the network. The USecPlugin is designed to provide ‘security service function’ for the Opendaylight controller. The utility of the USecPlugin is better understood from the perspective of the use cases described in the following sections 4 and 5. However, the USecPlugin may be further enhanced to cover use cases related to controller security beyond what we have described here. 4. CASE1 - THE PACKET-IN ATTACK AND ITS MITIGATION: 4.1 Explaining Packet-In Attack and Simulation In an SDN architecture supporting Openflow switches, the switches are flow programmed by the controller to determine the path for the packet to its destination. When a packet arrives at an Openflow switch, the packet header and metadata is matched against the flow tables in the switch and instructions are executed as per the flow table. If a matching flow table entry is not found, then the packet might either be dropped or sent to the controller based on the configuration of the table-miss flow entry. Moreover, packets are sent to the controller if an explicit action is present in the switch to handle incoming packets with an action=CONTROLLER or a data packet arrives with an invalid TTL. If the packet is sent to the controller over the control channel, it is sent as a Packet-In message. The structure of the Openflow message with Packet-In is represented in the figure below: Fig2. Openflow Message Structure with Packet-In The Packet-In field of the Openflow message has the payload containing information of the IPv4/ IPv6 address source and destination for which the Packet-In message is crafted. Once a connection has been established between the controller and the switch, multiple packet-in messages from the switch can force large scale consumption of CPU and memory utilization at the controller. This can be exploited as a vulnerability by an attacker that can force the Openflow plugin to be overwhelmed. Copyright 2015 Page 3 of 7
  • 4. In order to empirically prove the point, we carried out a Packet-In attack on the controller running Opendaylight Helium SR3 release. The network simulation of the attack was done using Mininet. Sustained Packet-In messages from Network were created by configuring switch with default flow to ODL controller in case of a table-miss entry. Packets were sent to the controller at the rate of 20K PPS. A diagrammatic representation of the problem is shown in the figure below: Fig3. Packet-In Attack As a consequence of the attack, Controller CPU utilization shoots up to ~150% (On dual-core x86 processor). Approximately 35% Memory utilization is observed with system having 4GB RAM. Additionally we could also observe the following statistics with packet tail drops happening: • Total Packets sent from the switch: 9600645 Packets. • Total Packets count processed by Openflow Plugin in Controller: 9001148 • ~ 6% packet drops on controller. In order to plug this vulnerability, queue based handling of Packet-In messages is already designed and implemented in ODL, thereby providing the first level of defense to the controller against such attacks. A snapshot of the resource utilization on the system running the controller is displayed in the figure below: Fig4. Resource utilization of system during Packet-In Attack From the snapshot, it is visible that the CPU utilization is significantly higher due to the packet-in attack. Also, the figures shared earlier shows an approximate 6% packet drop due to the attack. This implies that if there is an attack happening with fast punting of packets to the controller from any port in the switch, then packets coming through other ports in the same switch and sent as packet-in message to the controller will start getting impacted as well due to the packet drops. So, while the queue based packet handling at the controller is able to fend off the packet-in attack, it is having collateral impact on the resource utilization and packet handling. 4.2 Attack Mitigation from Packet-In Messages: Considering the collateral impacts of a Packet-In attack as discussed in Sec-3.1, it is imperative that we look at means to mitigate such attacks rather than just thwarting them. Also, a deep-dive into the details of the source of packet-in attack is necessary to be able to build an information base to protect the system from such future attacks. In order to build a solution to mitigate the problem, details of the rate of packet influx for Packet-In messages from Openflow plugin is required. This information is used to design a system for detecting an impending attack. The details of the design is discussed below. 4.2.1 Designing the Mitigation System: In order to have a mitigation system in place, four key factors need to be kept in mind: a) There needs to be a fair estimate of the rate of packet influx to be able to figure out an impending and/or actual attack on the system. b) The source of the packet-in messages needs to be identified. c) Design a notification mechanism to send notifications to interested parties when an attack is impending or detected. d) Have a persistent database to record the source of high Packet- In messages for current or any future reference. The design factors are discussed in detail below: The estimation of the packet influx in the system can be calculated by registering the USecPlugin for notification of Packet-In messages from the Openflow plugin. Once registered, plugin starts receiving continuous notification from the Openflow plugin whenever a Packet-In message is received from the network. The Packet-In message notification is received with the ‘Data-Path Id’ of the switch and the node-connector information to identify the port (in the switch). This information is collated over a period of time continuously (when there is no attack from the network) to calculate the average rate of packet influx (Sav) on per switch basis. Collecting of the above mentioned information for extended period of time provides us with the historical levels of average packet-influx for a switch at peace-time levels. USecPlugin screens samples of Packet-In message payload contents at regular intervals of time to get the source address of legal packets at peace-time and stores the same in a persistent database. These source addresses will be maintained in a White-List of addresses for future reference. With the peace-time level packet influx rate already calculated, next the USecPlugin compares the packet influx rate on a continuous basis and raise the first alarm (Alarm1) for a switch if the present influx rate on the switch (Sp) is a certain percentage value (which is configurable) – referred to as the Low Water mark (Nlw), over and above the historical average for a configured period of time (t1). Copyright 2015 Page 4 of 7
  • 5. Calculation - Alarm1: if ‘Sp > ((100 + Nlw ) * Sav ) / 100’ for time ‘t1’ Nlw is the ‘Low Water’ mark percentage value. ‘t1’ is the time for which the Low Water mark breach should happen to raise Alarm1. [Both Nlw and ‘t1’ are configurable values] Once Alarm1 is raised, USecPlugin screens the payload of Packet-In messages on the affected switch to get the source address for the messages. This information is crucial to identify particular source address or group of source addresses for the high influx Packet-In messages. All source addresses recorded for the Packet-In messages for switch are stored in a temporary data-store along with the influx packet rate, dp-id and node- connector value. If the high influx of packet-in messages is a result of a sudden spike and Sp eventually goes below the Low Water mark (and stays below the mark) for t2 seconds, then Alarm1 is cleared off. [t2 is a configurable value and may be of value greater than or equal to t1 ]. Along with clearing off the alarm, the source addresses, influx packet rate, dp-id and node-connector values written to the temporary data-sore since Alarm1 are also cleared off. This event is classified as a ‘Temporary Spike’. On the contrary, if Sp persistently stays above the Low Water mark and eventually hits the High Water mark (which is determined by a certain percentage value Nhw over and above the historical average), then the second alarm (Alarm2) is raised for the switch. Alarm2: if ‘Sp > ((100 + Nhw ) * Sav ) / 100’ [Nhw is a configurable value] Alarm2 is classified as a ‘Permanent Spike’. Along with the raising of the Alarm2, the temporary data in the data-store is removed and written to a persistent database. This is intended to help mitigate the Packet-In attack and correlating the source address for similar attacks in future. The source of attack is populated in a Black List of IP addresses with a count of the number of times it has triggered an attack. If the same source figures in the list of White Listed IP Address, then it is removed from that list. The same source addresses can be used for deriving correlation if any other forms of attack are detected and reported to the USecPlugin in future. While we previously talked about the logic for generation of alarms based on calculation of the historical peace time packet influx rates of a switch, the implementation also provides an alternative option to the controller user to configure specific values of packet rates for low and high water marks on the basis of which alarms need be raised instead of relying on peace time readings. This option offers additional flexibility to the user for tweaking the alarm generation system as per choice and requirement of the network. The alarms that are generated are meant for consumption by third-party external applications that may want to utilize the information for mitigation of the Packet-In attack. Depending on the different alarms that are registered for by the applications, the USecPlugin will notify the same back to the applications. Also, the USecPlugin provides Restconf interfaces to the applications to fetch the details of the source address(es), influx packet rate(s), dp-id(‘s) and node-connector information that may be involved in the Packet-In attack. This is a polling mechanism in addition to the notification mechanism mentioned earlier. The methodology adopted by the application to correlate the information from the USecPlugin and formulate strategy for attack mitigation is left to the third-party application logic and outside the purview of this paper. 5. CASE2 - SECURED EXCHANGE OF SDNI MESSAGES: 5.1 Preview to BGP and SDNi concepts: As discussed earlier in Sec-2.2.2, the BGP link state protocol serves to exchange the network topology with peer networks for optimized routing. The SDNi project in Opendaylight is designed to establish communication between multiple SDN controllers. The data shared is control plane parameters like Topology, Quality of Service (QoS), policy etc. Since SDNi uses BGP session to exchange information with peer controller(s), therefore, the steps to initiate exchange messages is as follows: 1. First establish a TCP connection between two controllers to exchange BGP information. 2. Establish a BGP connection between the BGP speakers in the controller. 3. Start sending and receiving the NLRI updates between the controllers, containing the QoS and other updates depending on the use cases designed with SDNi. 5.2 Security Concerns with SDNi: Since SDNi depends on the Topology, QoS. Policy and other info shared by peer controllers for conceptualizing Bandwidth-On- Demand or servicing CDN, it is important to ensure the following: 1. Authenticity of the peer controller(s). 2. Data Integrity verification check for the information shared by inter-subnet controllers. 3. Encryption of data exchanged to protect the network details from being exposed to the external entities in the network. If the peer controller remains unauthenticated, it raises the spectre of a MITM attack resulting in bogus session establishment with rogue peer controller. A diagrammatic representation of the problem is shown in the figure below: Fig5. MITM Attack (Bogus Session) Authenticity of the controller is essential to ensure that the peers that interact with each other verify that none of the controllers are masquerading. Copyright 2015 Page 5 of 7
  • 6. 5.3 MITM Attack Mitigation: The implementation in its present form in the ODL Controller Lithium Release verifies the authenticity of the peer using TCP MD5 authentication mechanism as detailed in RFC 2385 (Protection of BGP Sessions via the TCP MD5 Signature Option). The implementation of the TCP MD5 authentication is optional configuration in ODL controller considering that it needs support for the same on the peer controller before it can be deployed. If the peer controller does not support the authentication mechanism, then there is presently no other way in which the peer controller may be authenticated before a BGP Session establishment. However, keeping in mind that authentication is an important aspect before SDNi sessions are established, therefore, there needs to be a mechanism for determining whether the peer is authenticated. Only if the peer controller is authenticated should an SDNi session be ideally established to prevent MITM attacks. Considering that the TCP MD5 authentication is based on the shared password used for creation of the MD5 digest, the authentication mechanism is not a full proof one. Also, maintaining the same password forever is not suggested from security perspective lest it may get leaked to the attacker at some point of time. However, changing the password and sharing the same with the peer is also a challenge and leaves the possibility of a security breach. In order to make communication more secure, the TCP connection for BGP Link-State protocol should be secured with a SSL/TLS security to encrypt the data and ensure data integrity verification. Again, the SSL/TLS security is dependent on whether the peer controller also supports the same for added security. The SDNi session establishment may optionally want to establish session with peer controllers that have the SSL/TLS security layer on top of the TCP connection. Keeping the above security mechanisms in mind, the information about the authentication or encryption on the interface connection to the peer controller is updated in the USecPlugin. Whenever SDNi wants to establish a new session with peer controller, it should check the USecPlugin for the security related information before it decides on the session establishment. However, for providing Authentication, Integrity Check and Encryption, it is advisable to add SSL/TLS security on a TCP connection before establishing a BGP session. 6. USecPlugin Architecture: Having detailed out the use cases for the USecPlugin in sections 4 and 5, this section gives an overview of the architecture for the plugin. Fig6: Unified Security Plugin architecture The above figure shows the architecture of the USecPlugin which provides Security Service function for the ODL Controller. The USecPlugin registers for the Packet-Notifications in MD-SAL. These notifications are received from the Openflow Plugin for detecting Packet-In Attack. The Openflow plugin also writes the contents of the Packet-In messages to the OF Data Store. The USecPlugin needs to access the OF Data Store to access the Packet-In message metadata. The USecPlugin has its own data store in MD Sal to temporarily store the Packet-In message metadata as detailed in Sec 4.2.1 above. The temporarily stored metadata is written to the persistent database when the attack is confirmed. Similarly, for protection of the SDNi application, the authentication of peer controller and interface security details of the inter-SDN connection is updated to the USecPlugin and stored in a persistent database. USecPlugin exposes a NB API for the SDNi application to fetch information related to east-west interface security before exchanging the network updates. The USecPlugin is developed in a modular manner leaving scope to extend for other security related events in the controller that may require to be store in a central repository. 7. ONCLUSION The USecPlugin is a novel design to provide a centralized database of all security related information for the ODL controller. Though the plugin has been conceptualized for the ODL controller, the same can be implemented for other SDN controllers as well to add visibility to security related information for controllers. As discussed above, the utility of the plugin is not restricted to the use cases discussed above and can be extended to cover other types of controller vulnerabilities exposed by the application protocols that are running in the controller. The collation of security related information by the USecPlugin allows for running analytics based engine to detect anomalous Copyright 2015 Page 6 of 7
  • 7. behavior which could point to an impending attack. This makes handling of security in controller much more intelligent and adaptable for user to configure threshold parameters as per network fluctuations. The USecPlugin is not designed to add layers of security within the controller since that is not the objective of the controller. There are separate security appliances that can run separately outside the controller to protect the network nodes including the controller. The USecPlugin just acts as an enabler to add visibility to any security risks arising out of the events handled within the controller. This helps to make security more granular and program the network to mitigate risks by integrating with third party external application. 8. ABBREVIATIONS AAA – Authentication Authorization Accounting API – Application Programming Interface BGP – Border Gateway Protocol CDN – Content Delivery Network DoS – Denial of Service DPI – Deep Packet Inspection FW - Firewall HTTPS – Hyper Text Transport Protocol Secure IDS – Intrusion Detection System IPS – Intrusion Prevention System MD5 – Message Digest 5 MITM – Man In The Middle NETCONF – Network Configuration Protocol NFV - Network Function Virtualization NLRI - Network Layer Reachability Information OF – Open Flow ODL - Opendaylight OVSDB – Open vSwitch Database Management Protocol PPS – Packets Per Second RFC – Request For Comments QoS – Quality of Service SDN - Software Defined Network SDNi – Inter-Software Defined Network SNMP – Simple Network Management Protocol SSL – Security Socket Layer TCP – Transport Control Protocol TLS – Transport Layer Security TTL – Time To Live 9. REFERENCES [1] http://blogs.gartner.com/andrew- lerner/2014/12/08/predicting-sdn-adoption/ [2] http://newsroom.juniper.net/press-releases/new-juniper- networks-study-finds-u-s-companies-sp-nyse-jnpr-1134411 [3] Infonetics Research: SDN and NFV Strategies: Global Service Provider Survey, March 2014 (51% of world telecom capex) [4] https://wiki.opendaylight.org/view/Project_Proposals:Contro ller_Shield Copyright 2015 Page 7 of 7