![Page 1: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/1.jpg)
The dark side of SDN and OpenFlow
Diego Kreutz
Navigators, LaSIGE/FCUL, University of Lisbon
NavTalks, November, 2013
![Page 2: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/2.jpg)
Outline
• Short intro to SDN
• Main threat vectors in SDNs
• Sec&Dep issues in OpenFlow SDNs
• More OpenFlow security issues
• Just out of curiosity …
![Page 4: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/4.jpg)
SDN in short
1. Decoupling control and data plane
2. Logical centralization of network control
3. Programming the network
![Page 5: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/5.jpg)
SDN/OpenFlow
[Figure: SDN architecture diagram with an SDN controller (applications such as access control and firewall, network operating system, control communications) and an SDN device (control communications, flow tables); software and hardware layers labelled]
• Data plane “instruction set” (what to look for? what to do with…? …)
• Control plane communication channels and commands
![Page 6: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/6.jpg)
SDN/OpenFlow
[Figure: SDN controller (software) with applications such as access control and firewall, network operating system, control communications]
Top features of OpenFlow controllers:
1. Event-driven model (PACKET_IN, PORT_STATUS, FEATURE_REPLY, STATS_REPLY)
2. Packet parsing capabilities (standard procedures)
3. switch.send(msg)
   • PACKET_OUT (with buffer_id or fabricated packet)
   • FLOW_MOD (with match rules and actions)
   • FEATURE_REQUEST, STATS_REQUEST, BARRIER_REQUEST
![Page 7: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/7.jpg)
SDN/OpenFlow
[Figure: SDN controller and SDN device diagram; the device's flow tables are expanded into the flow table entry described below]
FLOW TABLE entry: RULE, ACTION, STATS
• Rule (match fields): Switch port, MAC src, MAC src, Eth type, VLAN ID, IP src, IP dst, TCP sport, TCP dport
• Action: 1. Forward packet to port(s) 2. Encapsulate and forward to controller 3. Drop packet 4. Send to normal processing pipeline
• Stats: Packet + counters
OpenFlow specifies/recommends:
• TCP and TLS connections (C ↔ D)
• Multi-controller connections
• Multiple channels (auxiliary connections)
• Flow table with <rule, action, stats>
• Multiple flow tables
• …
![Page 8: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/8.jpg)
SDN/OpenFlow
Packet flow in an OpenFlow switch
1. Packet in from network
2. Optional 802.1d STP processing
3. Table lookup: match table entry 0? … match table entry n?
   • Yes: apply actions
   • No (no entry matches): send to controller
![Page 9: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/9.jpg)
But … SDN is not OpenFlow!
[Figure: SDN controller and SDN device diagram with the flow table entry (rule, action, stats)]
Examples of southbound APIs:
• OpenFlow
• POF (Portable Oblivious Forwarding)
• ForCES
• …
![Page 10: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/10.jpg)
SDN/OpenFlow
[Figure: SDN controller and SDN device diagram with the flow table entry (rule, action, stats)]
Protocol specific header fields, increased complexity (specification and backward compatibility), …
![Page 11: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/11.jpg)
SDN/POF: how it should be
[Figure: analogy between an SDN stack (Service, Controller, Forwarding Element) and a computer (Application, Operating System, CPU); interface labels: API, Sys. Call, Driver, Interrupt, Instruction Set]
![Page 12: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/12.jpg)
SDN/POF: how it is
[Figure: SDN controller and SDN device diagram; the device's flow tables are expanded into the flow table entry described below]
FLOW TABLE entry: FIELDS, INSTRUCTIONS
• Fields: type, offset, length
• Instructions:
  1. Goto-Table
  2. Write-Metadata-From-Packet
  3. Set/Modify the current protocol header
  4. Add/Delete a protocol header
  5. Copy the current protocol field to the metadata
  6. Access control: forward/drop/send upward a packet
  7. …
Properties:
• Protocol header agnostic
• Simple instruction set
• Same control commands as OF 1.3
  - add/delete flow entries
  - …
• …
![Page 13: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/13.jpg)
SDN/POF
Principle and Implementation of Protocol Oblivious Forwarding http://goo.gl/BHXTzi
![Page 15: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/15.jpg)
Threat vectors map
Threat vector 1: forged or faked traffic flows
[Figure: threat vectors map with admin station, SDN controller and SDN devices across the data plane and the control & management plane; threat vector 1 marked]
Not specific to SDNs, but can be a door for augmented DoS attacks.
Possible solutions: IDS + rate bounds for control plane requests
![Page 16: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/16.jpg)
Threat vectors map
Threat vector 2: exploiting vulnerabilities in forwarding devices
[Figure: threat vectors map with admin station, SDN controller and SDN devices across the data plane and the control & management plane; threat vector 2 marked]
Not specific to SDNs, but now the impact is potentially augmented.
Possible solutions: software attestation with autonomic trust management
![Page 17: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/17.jpg)
Threat vectors map
Threat vector 3: attacking control communications
[Figure: threat vectors map with admin station, SDN controller and SDN devices across the data plane and the control & management plane; threat vector 3 marked]
Specific to SDNs: communication with logically centralized controllers can be exploited.
Possible solutions: threshold crypto, trust management, ...
![Page 18: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/18.jpg)
Threat vectors map
Threat vector 4: exploiting vulnerabilities in controllers
[Figure: threat vectors map with admin station, SDN controller and SDN devices across the data plane and the control & management plane; threat vector 4 marked]
Specific to SDNs, controlling the controller may compromise the entire network.
Possible solutions: replication + diversity + recovery, reliable updates, ...
![Page 19: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/19.jpg)
Threat vectors map
Threat vector 5: lack of trust between the controller and apps
[Figure: threat vectors map with admin station, SDN controller and SDN devices across the data plane and the control & management plane; threat vector 5 marked]
Specific to SDNs, malicious applications can now be easily developed and deployed on controllers.
Possible solutions: software attestation, security domains, ...
![Page 20: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/20.jpg)
Threat vectors map
Threat vector 6: exploiting vulnerabilities in admin stations
[Figure: threat vectors map with admin station, SDN controller and SDN devices across the data plane and the control & management plane; threat vector 6 marked]
Not specific to SDNs, but now the impact is potentially augmented.
Possible solutions: double credential verification, reliable recovery, ...
![Page 21: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/21.jpg)
Threat vectors map
Threat vector 7: lack of trusted resources for forensics and remediation
[Figure: threat vectors map with admin station, SDN controller and SDN devices across the data plane and the control & management plane; threat vector 7 marked]
Not specific to SDNs, but it is still critical to assure fast recovery and diagnosis when faults happen.
Possible solutions: immutable and secure logging, secure and reliable snapshots
![Page 22: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/22.jpg)
Threat vectors map
[Figure: threat vectors map with admin station, SDN controller and SDN devices across the data plane and the control & management plane; threat vectors 1 to 7 marked. Legend: SDN control protocol (e.g., OpenFlow); management connection (e.g., SSH); data plane physical / logical connections]
Seven main threat vectors
• 1 and 3: communications
• 2, 4, 5, 6: elements
• 7: communications and elements
![Page 23: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/23.jpg)
Threat vectors map

| Threat | Specific to SDN? | Consequences in SDN |
|---|---|---|
| Vector 1 | no | can be a door for DoS attacks |
| Vector 2 | no | but now the impact is potentially augmented |
| Vector 3 | yes | communication with logically centralized controllers can be exploited |
| Vector 4 | yes | controlling the controller may compromise the entire network |
| Vector 5 | yes | malicious applications can now be easily developed and deployed on controllers |
| Vector 6 | no | but now the impact is potentially augmented |
| Vector 7 | no | it is still critical to assure fast recovery and diagnosis when faults happen |
![Page 25: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/25.jpg)
Threat Vector 3 in OpenFlow Networks
[Figure: admin station, SDN controllers and SDN devices across the data plane and the control & management plane; threat vector 3 marked]
![Page 26: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/26.jpg)
OpenFlow control plane: how it works
[Figure: SDN controllers (control plane) and SDN devices (data plane)]
IPs of controllers are manually configured
![Page 27: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/27.jpg)
OpenFlow control plane: how it works
[Figure: SDN controllers (control plane) and SDN devices (data plane)]
Switches can connect to any controller
![Page 28: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/28.jpg)
OpenFlow control plane: how it works
[Figure: SDN controllers (control plane) and SDN devices (data plane)]
No certificate management solutions
![Page 29: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/29.jpg)
OpenFlow control plane: how it works
[Figure: SDN controllers (control plane) and SDN devices (data plane)]
No trust management between devices
![Page 30: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/30.jpg)
Threat Vector 4 in OpenFlow Networks
[Figure: admin station, SDN controllers and SDN devices across the data plane and the control & management plane; threat vector 4 marked]
![Page 31: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/31.jpg)
Master-slave controllers (what if B fails?)
[Figure: Controller A, Controller B and Controller C, each running App A]
![Page 32: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/32.jpg)
Master-slave controllers (what if B fails?)
[Figure: active controllers with master and slave connections, backed by a fault-tolerant distributed datastore]
On the feasibility of a consistent and fault-tolerant data store for SDNs http://goo.gl/mF9HNB
![Page 33: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/33.jpg)
Apps/services rewriting rules (accidentally or maliciously) …
[Figure: a controller running App B and App C; A: 10.0.0.1, V: 10.0.0.3]
• block src=10.0.0.1 (to dst=10.0.0.3)
• rewrite src=10.0.0.1 (to src=10.0.0.2)
![Page 34: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/34.jpg)
Aggregation Flow Table (priority and isolation of signed rules) …
A Security Enforcement Kernel for OpenFlow Networks http://goo.gl/4DJPbK
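
The rule conflict shown on the previous slide (a rewrite that undoes a block) can be caught before installation by comparing rules on every address a flow carries before and after rewriting, and by letting the authority of the rule's author decide which rule survives. This is an added example, not code from the talk or from the cited paper; the `Rule` fields, the app names and the `authority` ranks are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Pair = Tuple[Optional[str], Optional[str]]   # (src, dst); None means "any address"


@dataclass(frozen=True)
class Rule:
    app: str                        # authoring app (names here are hypothetical)
    authority: int                  # assumed rank of the author; higher wins
    src: Optional[str]              # match on IP source, None = wildcard
    dst: Optional[str]              # match on IP destination, None = wildcard
    action: str                     # "drop" or "forward"
    set_src: Optional[str] = None   # source rewrite applied before forwarding
    set_dst: Optional[str] = None   # destination rewrite applied before forwarding


def overlap(a: Optional[str], b: Optional[str]) -> bool:
    return a is None or b is None or a == b


def alias_pairs(rule: Rule) -> Set[Pair]:
    """Every (src, dst) a flow carries under this rule, before or after rewriting."""
    srcs = {rule.src} | ({rule.set_src} if rule.set_src else set())
    dsts = {rule.dst} | ({rule.set_dst} if rule.set_dst else set())
    return {(s, d) for s in srcs for d in dsts}


def conflicts(candidate: Rule, installed: Rule) -> bool:
    """True when one rule drops traffic that the other would carry."""
    if candidate.action == installed.action:
        return False
    return any(overlap(c_src, i_src) and overlap(c_dst, i_dst)
               for c_src, c_dst in alias_pairs(candidate)
               for i_src, i_dst in alias_pairs(installed))


def admit(candidate: Rule, table: List[Rule]) -> Tuple[bool, str]:
    """Install the candidate unless a rule of equal or higher authority conflicts."""
    clashing = [r for r in table if conflicts(candidate, r)]
    blockers = [r for r in clashing if r.authority >= candidate.authority]
    if blockers:
        return False, f"rejected: conflicts with {blockers[0].app}"
    for r in clashing:              # lower-authority rules give way
        table.remove(r)
    table.append(candidate)
    return True, "installed"


def demo() -> list:
    # Constructed input: the two rules from the slide plus one unrelated rule.
    table = [Rule("security-app", 2, "10.0.0.1", "10.0.0.3", "drop")]
    rewrite = Rule("other-app", 1, "10.0.0.1", None, "forward", set_src="10.0.0.2")
    unrelated = Rule("other-app", 1, "10.0.0.5", "10.0.0.6", "forward")
    return [admit(rewrite, table), admit(unrelated, table), len(table)]


if __name__ == "__main__":
    print(demo())
```

A check that compared only the header the rewrite rule emits (src=10.0.0.2) against the block on src=10.0.0.1 would find no overlap; including the pre-rewrite values is what exposes the clash.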
![Page 35: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/35.jpg)
Threat Vector 5 in OpenFlow Networks
[Figure: admin station, SDN controllers and SDN devices across the data plane and the control & management plane; threat vector 5 marked]
![Page 36: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/36.jpg)
Apps trying to access and/or change/corrupt shared memory/objects …
[Figure: Controller A (App A), Controller B (App B) and Controller C (App C) sharing a fault-tolerant distributed data store]
• block src=10.0.0.1 (to dst=10.0.0.3)
• allow src=10.0.0.1 (to dst=10.0.0.3)
Unauthorized controller and/or app
![Page 37: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/37.jpg)
Moving network functionality to the edge…
[Figure: Controller A (Fw A), Controller B (Fw B) and Controller C (Fw C)]
![Page 38: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/38.jpg)
Apps trying to access and/or change/corrupt shared memory/objects …
[Figure: Controller A (Fw A), Controller B (Fw B) and Controller C (Fw C) sharing a fault-tolerant distributed data store]
• set border sec level=2
• set border sec level=1
Malicious or buggy controller/app trying to enforce a lower security level
Attack detected on network perimeter A
![Page 39: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/39.jpg)
Apps trying to access and/or change/corrupt shared memory/objects …
[Figure: Controller A (Fw A), Controller B (Fw B) and Controller C (Fw C) sharing a fault-tolerant distributed data store]
• set border sec level=2
• set border sec level=1
• 1. set rate limit=1000; 2. allow direct connections
• 1. set rate limit=500; 2. force all suspected conns to pass through Sec Midbox L1
![Page 40: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/40.jpg)
Which controller should take over the forwarding devices?
[Figure: Controller A, Controller B and Controller C, each with a DevM]
Association phase: devices receive the decision signed by “all” controllers
Consensus-as-a-service to help in such decisions?
Association phase: devices receive the decision signed by “all” DevMs
![Page 42: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/42.jpg)
OpenFlow security issues
http://goo.gl/b5bzZC , http://goo.gl/2sf5CF , http://goo.gl/7opnZk
1. Lacks TLS and access control
2. Repeats the error of previous protocols: “the link should be physically secure”
3. Man in the middle: simple to do if TLS is not in use and/or when it is weakly implemented
4. Listener mode: some switches accept connections from any source (write rules and read information)
5. Lack of switch authentication (e.g., request traffic redirection)
6. Flow table verification: lack of TLS makes it impossible to verify if flow tables are configured with the expected rules
7. Denial of service risks: especially in the case of centralized controllers (single points of failure)
8. Controller vulnerabilities: diverse apps, complex protocols parsing, lack of priority-based controls and isolation, …
9. Resource depletion attacks (e.g., learning switch of POX)
![Page 43: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/43.jpg)
OpenFlow security issues
OpenFlow: A Security Analysis http://goo.gl/59CIVm

| Threat (STRIDE) | Security Property | Possible Attacks | Affected OF versions |
|---|---|---|---|
| Spoofing | Authentication | MAC and IP address spoofing, forged ARP and IPv6 router advertisement | 1.0, 1.2, 1.3, 1.3.1 |
| Tampering | Integrity | Counters falsification, install rules that modify packets, redirect/clone flows | 1.0, 1.2, 1.3, 1.3.1 |
| Repudiation | Non-repudiation | Install rules to forge source address of packets | 1.0, 1.2, 1.3, 1.3.1 |
| Information disclosure | Confidentiality | Side channel attacks to figure out flow rules setup | 1.0, 1.2, 1.3, 1.3.1 |
| Denial of service | Availability | Augmented new flow requests to the controller | 1.0, 1.2, 1.3, 1.3.1 |
| Elevation of privilege | Authorization | Take over the controller by exploiting implementation flaws | 1.0, 1.2, 1.3, 1.3.1 |
![Page 44: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/44.jpg)
OpenFlow security issues
“OpenFlow security is minimally specified, to the point where the differences between multiple OpenFlow implementations could cause operational complexity, interoperability issues or unexpected security vulnerabilities.”
(M. Wasserman and S. Hartman) http://goo.gl/Ep5CXH
![Page 46: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/46.jpg)
DoS attacks on the control plane
Time and bandwidth for DoS attacks
http://goo.gl/2sf5CF
One controller, one switch, and two hosts. HP 5406zl-like switch with 1.500 flow rules capacity.
![Page 47: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/47.jpg)
DoS attacks on controllers
10 switches = a powerful weapon
[Figure: SDN controller (software) with applications such as access control and firewall, network operating system, control communications]
With 10 switches, one can easily do a DoS attack to significantly impact the controller’s performance.
http://goo.gl/WEmR7n , http://goo.gl/b5bzZC , http://goo.gl/2sf5CF
![Page 48: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/48.jpg)
The Network Access Layer Goes Virtual
Software switching: the new trend?!
The Sandwich… Network Virtualization Main Stage at Interop http://goo.gl/yt9pi2
![Page 49: The dark side of SDN and OpenFlow](https://reader034.vdocuments.site/reader034/viewer/2022042701/55a7815f1a28ab1f3e8b466c/html5/thumbnails/49.jpg)
Current Network Operating Systems
[Figure: Vulnerabilities in Cisco IOS. Number of vulnerabilities (y-axis, 0 to 50) by year of publication (x-axis, 1992 to 2013)]