Post on 16-Jul-2015
The dark side of SDN and OpenFlow
Diego Kreutz, Navigators, LaSIGE/FCUL, University of Lisbon
NavTalks, November, 2013
Outline
• Short intro to SDN
• Main threat vectors in SDNs
• Sec&Dep issues in OpenFlow SDNs
• More OpenFlow security issues
• Just out of curiosity …
SDN in short
1. Decoupling control and data plane
2. Logical centralization of network control
3. Programming the network
[Figure: SDN architecture diagram. Labels: SDN controller (software: applications such as access control and firewall, network operating system), control communications, SDN device (software and hardware, flow tables)]
SDN/OpenFlow
• Data plane “instruction set” (what to look for? what to do with…? …)
• Control plane communication channels and commands
SDN/OpenFlow
[Figure: SDN controller (software: applications such as access control and firewall, network operating system) and its control communications]
Top features of OpenFlow controllers:
1. Event-driven model (PACKET_IN, PORT_STATUS, FEATURE_REPLY, STATS_REPLY)
2. Packet parsing capabilities (standard procedures)
3. switch.send(msg)
• PACKET_OUT (with buffer_id or fabricated packet)
• FLOW_MOD (with match rules and actions)
• FEATURE_REQUEST, STATS_REQUEST, BARRIER_REQUEST
SDN/OpenFlow
[Figure: SDN controller and SDN device diagram; the device holds the flow tables]
FLOW TABLE entry:
• RULE (match fields): Switch port, MAC src, MAC src, Eth type, VLAN ID, IP src, IP dst, TCP sport, TCP dport
• ACTION:
  1. Forward packet to port(s)
  2. Encapsulate and forward to controller
  3. Drop packet
  4. Send to normal processing pipeline
• STATS: Packet + counters
OpenFlow specifies/recommends:
• TCP and TLS connections (C ⇔ D)
• Multi-controller connections
• Multiple channels (auxiliary connections)
• Flow table with <rule, action, stats>
• Multiple flow tables
• …
SDN/OpenFlow
Packet flow in an OpenFlow switch
1. Packet in from network
2. Optional 802.1d STP processing
3. Table lookup: match table entry 0? … match table entry n?
   • Yes (an entry matches): apply actions
   • No (no entry matches): send to controller
But … SDN is not OpenFlow!
[Figure: SDN controller and SDN device diagram with the OpenFlow flow table (RULE, ACTION, STATS)]
Examples of southbound APIs:
• OpenFlow
• POF (Portable Oblivious Forwarding)
• ForCES
• …
SDN/OpenFlow
[Figure: SDN controller and SDN device diagram with the OpenFlow flow table (RULE, ACTION, STATS)]
Protocol specific header fields, increased complexity (specification and backward compatibility), …
SDN/POF: how it should be
[Figure: analogy between an SDN and a computer. SDN: Service, Controller, Forwarding Element. Computer: Application, Operating System, CPU. Interfaces shown: API, Sys. Call, Driver, Interrupt, Instruction Set]
SDN/POF: how it is
[Figure: SDN controller and SDN device diagram; the flow table holds FIELDS (type, offset, length) and INSTRUCTIONS]
INSTRUCTIONS:
1. Goto-Table
2. Write-Metadata-From-Packet
3. Set/Modify the current protocol header
4. Add/Delete a protocol header
5. Copy the current protocol field to the metadata
6. Access control: forward/drop/send upward a packet
7. …
SDN/POF
• Protocol header agnostic
• Simple instruction set
• Same control commands as OF 1.3
  § add/delete flow entries
  § …
• …
Principle and Implementation of Protocol Oblivious Forwarding http://goo.gl/BHXTzi
Threat vectors map
[Figure: threat vectors map. SDN devices (data plane), SDN controller and admin station (control & management); marker 1]
Threat vector 1: forged or faked traffic flows
Not specific to SDNs, but can be a door for augmented DoS attacks.
Possible solutions: IDS + rate bounds for control plane requests
Threat vectors map
[Figure: threat vectors map, marker 2]
Threat vector 2: exploiting vulnerabilities in forwarding devices
Not specific to SDNs, but now the impact is potentially augmented.
Possible solutions: software attestation with autonomic trust management
Threat vectors map
[Figure: threat vectors map, marker 3]
Threat vector 3: attacking control communications
Specific to SDNs: communication with logically centralized controllers can be exploited.
Possible solutions: threshold crypto, trust management, ...
Threat vectors map
[Figure: threat vectors map, marker 4]
Threat vector 4: exploiting vulnerabilities in controllers
Specific to SDNs, controlling the controller may compromise the entire network.
Possible solutions: replication + diversity + recovery, reliable updates, ...
Threat vectors map
[Figure: threat vectors map, marker 5]
Threat vector 5: lack of trust between the controller and apps
Specific to SDNs, malicious applications can now be easily developed and deployed on controllers.
Possible solutions: software attestation, security domains, ...
Threat vectors map
[Figure: threat vectors map, marker 6]
Threat vector 6: exploiting vulnerabilities in admin stations
Not specific to SDNs, but now the impact is potentially augmented.
Possible solutions: double credential verification, reliable recovery, ...
Threat vectors map
[Figure: threat vectors map, marker 7]
Threat vector 7: lack of trusted resources for forensics and remediation
Not specific to SDNs, but it is still critical to assure fast recovery and diagnosis when faults happen.
Possible solutions: immutable and secure logging, secure and reliable snapshots
Threat vectors map
[Figure: threat vectors map with all seven markers. Legend: SDN control protocol (e.g., OpenFlow); management connection (e.g., SSH); data plane physical / logical connections]
Seven main threat vectors
• 1 and 3: communications
• 2, 4, 5, 6: elements
• 7: communications and elements
Threat vectors map
Threat | Specific to SDN? | Consequences in SDN
Vector 1 | no | can be a door for DoS attacks
Vector 2 | no | but now the impact is potentially augmented
Vector 3 | yes | communication with logically centralized controllers can be exploited
Vector 4 | yes | controlling the controller may compromise the entire network
Vector 5 | yes | malicious applications can now be easily developed and deployed on controllers
Vector 6 | no | but now the impact is potentially augmented
Vector 7 | no | it is still critical to assure fast recovery and diagnosis when faults happen
Threat Vector 3 in OpenFlow Networks
[Figure: threat vectors map (data plane, control & management, admin station, SDN devices, SDN controllers), marker 3]
OpenFlow control plane: how it works
[Figure: SDN devices (data plane) and SDN controllers (control plane)]
• IPs of controllers are manually configured
• Switches can connect to any controller
• No certificate management solutions
• No trust management between devices
Threat Vector 4 in OpenFlow Networks
[Figure: threat vectors map (data plane, control & management, admin station, SDN devices, SDN controllers), marker 4]
Master-slave controllers (what if B fails?)
[Figure: Controllers A, B and C, each running App A. Labels: master connection, slave connection, active controllers, datastore]
Fault-tolerant distributed datastore
On the feasibility of a consistent and fault-tolerant data store for SDNs http://goo.gl/mF9HNB
[Figure: one controller running App B and App C; hosts A: 10.0.0.1 and V: 10.0.0.3]
Apps/services rewriting rules (accidentally or maliciously) …
• block src=10.0.0.1 (to dst=10.0.0.3)
• rewrite src=10.0.0.1 (to src=10.0.0.2)
Aggregation Flow Table (priority and isolation of signed rules) …
A Security Enforcement Kernel for OpenFlow Networks http://goo.gl/4DJPbK
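A simplified version of the check this slide points to, as an added example that is neither the speaker's code nor the cited project's: a candidate rule is compared with the rules already held through alias sets (the addresses a flow carries before and after the rule's rewrite actions), and an authenticated role priority decides a conflict. The role names, the HMAC keys standing in for signatures, and the destination assumed for the rewrite rule are constructed.

```python
# Added example: a simplified rule-conflict check, not FortNOX's own code.
import hashlib
import hmac

# Constructed keys and priorities (assumptions): a higher priority wins a conflict.
ROLE_KEYS = {"security_app": b"constructed-key-1", "admin": b"constructed-key-2"}
ROLE_PRIORITY = {"unsigned": 0, "security_app": 1, "admin": 2}

def sign(role, rule):
    """HMAC stands in for the digital signature a role would put on its rule."""
    msg = repr(sorted(rule.items())).encode()
    return hmac.new(ROLE_KEYS[role], msg, hashlib.sha256).hexdigest()

def role_of(rule, claimed_role, tag):
    """A rule gets a role's priority only if its tag verifies; else it is unsigned."""
    if claimed_role in ROLE_KEYS and isinstance(tag, str):
        if hmac.compare_digest(tag.encode(), sign(claimed_role, rule).encode()):
            return claimed_role
    return "unsigned"

def alias_sets(rule):
    """Addresses a flow may carry before or after the rule's rewrite actions."""
    src = {rule["src"], rule.get("set_src", rule["src"])}
    dst = {rule["dst"], rule.get("set_dst", rule["dst"])}
    return src, dst

def conflicts(held, new):
    """Opposite verdicts (drop vs. forward) on overlapping alias sets."""
    (h_src, h_dst), (n_src, n_dst) = alias_sets(held), alias_sets(new)
    opposite = (held["action"] == "drop") != (new["action"] == "drop")
    return opposite and bool(h_src & n_src) and bool(h_dst & n_dst)

class AggregateFlowTable:
    def __init__(self):
        self.rules = []                 # (role, rule) pairs currently in force

    def insert(self, rule, claimed_role=None, tag=None):
        role = role_of(rule, claimed_role, tag)
        clashing = [(r, h) for r, h in self.rules if conflicts(h, rule)]
        if any(ROLE_PRIORITY[r] >= ROLE_PRIORITY[role] for r, _ in clashing):
            return "rejected"
        self.rules = [p for p in self.rules if p not in clashing]
        self.rules.append((role, rule))
        return "accepted as " + role

# The two rules shown on the slide (exact-match addresses only, no wildcards);
# the rewrite rule's destination is an assumption, the slide does not give it.
BLOCK = {"src": "10.0.0.1", "dst": "10.0.0.3", "action": "drop"}
REWRITE = {"src": "10.0.0.1", "dst": "10.0.0.3", "set_src": "10.0.0.2", "action": "forward"}
```

With `BLOCK` inserted under a valid `security_app` tag, an unsigned `REWRITE` (or one carrying a tag that does not verify) is rejected, while a validly signed `admin` rule for the same flow replaces the block.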
Threat Vector 5 in OpenFlow Networks
[Figure: threat vectors map (data plane, control & management, admin station, SDN devices, SDN controllers), marker 5]
[Figure: Controllers A, B and C running Apps A, B and C on top of a fault-tolerant distributed data store]
Apps trying to access and/or change/corrupt shared memory/objects …
• block src=10.0.0.1 (to dst=10.0.0.3)
• allow src=10.0.0.1 (to dst=10.0.0.3)
Unauthorized controller and/or app
Moving network functionality to the edge…
[Figure: Controllers A, B and C running firewalls Fw A, Fw B and Fw C on top of a fault-tolerant distributed data store]
Apps trying to access and/or change/corrupt shared memory/objects …
• set border sec level=2
• set border sec level=1
Attack detected on network perimeter A
Malicious or buggy controller/app trying to enforce a lower security level
[Figure: Controllers A, B and C running firewalls Fw A, Fw B and Fw C on top of a fault-tolerant distributed data store]
Apps trying to access and/or change/corrupt shared memory/objects …
• set border sec level=2
• set border sec level=1
• 1. set rate limit=1000, 2. allow direct connections
• 1. set rate limit=500, 2. force all suspected conns to pass through Sec Midbox L1
Which controller should take over the forwarding devices?
[Figure: Controllers A, B and C, each with a DevM]
• Association phase: devices receive the decision signed by “all” controllers
• Consensus-as-a-service to help in such decisions?
• Association phase: devices receive the decision signed by “all” DevMs
OpenFlow security issues
http://goo.gl/b5bzZC , http://goo.gl/2sf5CF , http://goo.gl/7opnZk
1. Lacks TLS and access control
2. Repeats the error of previous protocols: “the link should be physically secure”
3. Man in the middle: simple to do if TLS is not in use and/or when it is weakly implemented
4. Listener mode: some switches accept connections from any source (write rules and read information)
5. Lack of switch authentication (e.g., request traffic redirection)
6. Flow table verification: lack of TLS makes it impossible to verify if flow tables are configured with the expected rules
7. Denial of service risks: especially in the case of centralized controllers (single points of failure)
8. Controller vulnerabilities: diverse apps, complex protocols parsing, lack of priority-based controls and isolation, …
9. Resource depletion attacks (e.g., learning switch of POX)
OpenFlow security issues
OpenFlow: A Security Analysis http://goo.gl/59CIVm
Threat (STRIDE) | Security Property | Possible Attacks | Affected OF versions
Spoofing | Authentication | MAC and IP address spoofing, forged ARP and IPv6 router advertisement | 1.0, 1.2, 1.3, 1.3.1
Tampering | Integrity | Counters falsification, install rules that modify packets, redirect/clone flows | 1.0, 1.2, 1.3, 1.3.1
Repudiation | Non-repudiation | Install rules to forge source address of packets | 1.0, 1.2, 1.3, 1.3.1
Information disclosure | Confidentiality | Side channel attacks to figure out flow rules setup | 1.0, 1.2, 1.3, 1.3.1
Denial of service | Availability | Augmented new flow requests to the controller | 1.0, 1.2, 1.3, 1.3.1
Elevation of privilege | Authorization | Take over the controller by exploiting implementation flaws | 1.0, 1.2, 1.3, 1.3.1
OpenFlow security issues
“OpenFlow security is minimally specified, to the point where the differences between multiple OpenFlow implementations could cause operational complexity, interoperability issues or unexpected security vulnerabilities.”
(M. Wasserman and S. Hartman) http://goo.gl/Ep5CXH
Time and bandwidth for DoS attacks
DoS attacks on the control plane
http://goo.gl/2sf5CF
One controller, one switch, and two hosts. HP 5406zl like switch with 1.500 flow rules capacity.
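The setup named on this slide (one controller, one switch, two hosts, a bounded flow table), with the "rate bounds for control plane requests" proposed for threat vector 1 applied at the controller, as an added example that is not from the talk. The class names, the token-bucket parameters and the traffic are constructed, and the model is much simpler than a real switch or controller.

```python
# Added example (constructed model; not code from the talk or from any controller).
from dataclasses import dataclass, field

FLOW_TABLE_CAPACITY = 1500  # the slide's "1.500 flow rules", read as 1500 (assumption)

class Controller:
    """Reactive app with an optional per-ingress-port token bucket on PACKET_IN."""
    def __init__(self, rate=None, burst=0):
        self.rate = rate                # tokens per second (= milli-tokens per ms)
        self.burst_m = burst * 1000     # bucket size in milli-tokens
        self.buckets = {}               # in_port -> (milli-tokens, last seen ms)
        self.handled = 0                # PACKET_INs that reached the application

    def packet_in(self, in_port, now_ms):
        if self.rate is not None:
            tokens, last = self.buckets.get(in_port, (self.burst_m, now_ms))
            tokens = min(self.burst_m, tokens + (now_ms - last) * self.rate)
            allowed = tokens >= 1000
            self.buckets[in_port] = (tokens - 1000 if allowed else tokens, now_ms)
            if not allowed:
                return None             # over the bound: ignore, install nothing
        self.handled += 1
        return 2 if in_port == 1 else 1  # two hosts: forward to the other port

@dataclass
class Switch:
    flows: dict = field(default_factory=dict)  # (in_port, src, dst) -> [out_port, packets]

    def receive(self, in_port, src, dst, controller, now_ms):
        entry = self.flows.get((in_port, src, dst))
        if entry:                       # table hit: apply action, update counters
            entry[1] += 1
            return "forwarded"
        out_port = controller.packet_in(in_port, now_ms)  # table miss
        if out_port is None:
            return "dropped"
        if len(self.flows) >= FLOW_TABLE_CAPACITY:
            return "table_full"         # the FLOW_MOD cannot be stored
        self.flows[(in_port, src, dst)] = [out_port, 1]
        return "installed"

def simulate(controller, forged=5000, per_ms=10):
    """Port 1 sends `forged` frames with distinct made-up sources; port 2 then sends one."""
    sw = Switch()
    seen = [sw.receive(1, f"src-{i}", "h2", controller, i // per_ms) for i in range(forged)]
    legit = sw.receive(2, "h2", "h1", controller, forged // per_ms)
    return len(sw.flows), controller.handled, seen.count("table_full"), legit
```

`simulate(Controller())` returns `(1500, 5001, 3500, 'table_full')`: the table fills and the second host's new flow cannot be installed. `simulate(Controller(rate=100, burst=20))` returns `(70, 70, 0, 'installed')`, because the per-port bound confines the flood to the port it arrives on.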
DoS attacks on controllers
[Figure: SDN controller (software: applications such as access control and firewall, network operating system) and its control communications]
10 switches = a powerful weapon
With 10 switches, one can easily do a DoS attack to significantly impact the controller’s performance.
http://goo.gl/WEmR7n , http://goo.gl/b5bzZC , http://goo.gl/2sf5CF
The Network Access Layer Goes Virtual
Software switching: the new trend?!
The Sandwich… Network Virtualization Main Stage at Interop http://goo.gl/yt9pi2
Current Network Operating Systems
Vulnerabilities in Cisco IOS
[Figure: number of vulnerabilities per year of publication, 1992 to 2013 (y-axis 0 to 50)]