FFRI, Inc., profile picture
Uploaded byFFRI, Inc.
PDF, PPTX1,647 views

Mr201304 open flow_security_eng

This document provides an overview of OpenFlow technology and analyzes potential security threats. It describes OpenFlow and SDN concepts, the OpenFlow specification version 1.0, and example network designs using OpenFlow. The document then analyzes threats to OpenFlow assets like flow entries and network capabilities. Specific threats addressed include information leakage, traffic tampering, denial of service attacks, and system hacking. Countermeasures suggested involve using TLS, hardening switches and controllers, adding redundancy, and restricting traffic.

Embed presentation

Download as PDF, PPTX
Fourteenforty Research Institute, Inc. Fourteenforty Research Institute, Inc. Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp OpenFlow Security ver2.00.02 Junichi Murakami Executive Officer, Director of Advanced Development Division
Fourteenforty Research Institute, Inc. 1. Introduction 2. OpenFlow Overview – Software Defined Network(SDN) and OpenFlow – Background and circumstances – Technical basics – Controllers and Switches – Example of network design and traffic 3. Threat of OpenFlow – Threat analysis – Flow entry / Network capability / Switch / Controller – Conclusions – Further research 4. References Agenda 2
Fourteenforty Research Institute, Inc. • This slide describes an overview of OpenFlow technology and its threat analysis under the current specification • This research focuses on the specification of OpenFlow 1.0 • Threats described in this slide does not always mean the feasibility of attacks on the threats is proven Introduction 3
Fourteenforty Research Institute, Inc. • SDN – Usual networks are fixed system, which are defined by each network device’s deployment, connections and configurations – Virtualizations for servers and storages are in progress in a data center in recent years. – A network is not so flexible yet, so it needs to be re-designed and re- configured every time (operation cost is highly increasing) – SDN is general concept to define network as software for making it more flexible in terms of its design, control and management • OpenFlow – A kind of technology specifications to realize the SDN Software Defined Network(SDN) and OpenFlow 4
Fourteenforty Research Institute, Inc. • Open Networking Foundation(ONF) draws up the specification – https://www.opennetworking.org/ • Board member of ONF is shown as below(4/15/2013) – Deutsche Telekom, Facebook, Goldman Sachs, Google, Microsoft, NTT Communications, Verizon, Yahoo! • Currently most implementations are based on version 1.0 Background and circumstances 5 Date Occurrence 12/31/2009 Version 1.0 published(mainly worked by Stanford University) 2/28/2011 Version 1.1 published 3/21/2011 Open Networking Foundation Founded 12/5/2011 Version 1.2 published 5/25/2012 Version 1.3 published 9/6/2012 Version 1.3.1 published
Fourteenforty Research Institute, Inc. • Basic concept – Separate control plane from network devices – Build up network with OpenFlow Controllers and OpenFlow Switches – The specification mainly defines switch spec. and communication interface between OpenFlow Controllers and OpenFlow Switches Technical basis (1/5) 6 Data plane (frame transfer) Control plane (routing, etc.) Application (QoS, redundant, etc.) Data plane Control plane Application usual network device OpenFlow Switch OpenFlow Controller OpenFlow spec. Interface Switch spec.
Fourteenforty Research Institute, Inc. • Flow – A unit of traffic handled by OpenFlow • Flow Entry: management structure of Flow consists of 3 elements below – Header Fields:conditions to determine a target flow – Instructions: a set of actions which describes how the matched flow being processed – Counter:statistics information of the matched flow Technical Basis (2/5) 7 Header Fields Ingress port IP src Ether src IP dst Ether dst IP proto Ether type IP ToS bits VLAN id TCP/UDP src port VLAN priority TCP/UDP dst port Actions (partial) Forward output the flow to specified port DROP discard the flow Modify-Field modify specified fields of the flow
Fourteenforty Research Institute, Inc. • Controller – Write a flow entry to a switch – Respond to a switch’s query (shown as below) • Switch – Keep flow entries on a flow table – Process each flow based on a flow table – Query to controller if appropriate entry does not exist Technical Basis (3/5) 8 Controller Switch - output flow to port3 if IP_DST == 192.168.1.4 - drop all UDP flow - modify IP_SRC to 192.168.1.5 and output the flow to port5 if IP_DST == 10.1.3.51 Flow Entry query Flow Table * Flow Entry (eg.)
Fourteenforty Research Institute, Inc. • Can control switch behavior based on flow entry – repeater, switch, router, load balancer and so on • Doesn’t need to change physical connections and each device configurations • Retrieve counters from each switch’s flow table – Can manipulate routing appropriately according to flow type and load • Each flow entry on a flow table has a timeout – hard timeout – idle timeout Technical Basis (4/5) 9
Fourteenforty Research Institute, Inc. • Secure-Channel:communication interface between switches and controllers – following messages are exchanged over TCP or TLS connections a. Controller to Switch • Features:to request the capability of a switch • Configuration:to set and query configuration parameter in a switch • Modify-State: to add or delete entry in a flow table and modify port configuration • Read-State:to collect statistics from a switch b. Switch to Controller (asynchronous) • Packet-in:to notify an incoming packet which is not matched to any flow entry • Flow-Removed:to notify a flow has expired and is deleted from a table • Port-Status:to notify switch’s port configuration states has changed (eg. link- down) c. bidirectional (asynchronous) • HELLO: messages exchanged when establishing a connection • ECHO(Request/Reply):ping/pong over the secure-channel Technical Basis (5/5) 10
Fourteenforty Research Institute, Inc. Controllers and Switches 11 Software Hardware Switch • Open vSwitch(OSS) • Indigo(OSS) • LINC(OSS) • UNIVERGE PF1000(NEC) • UNIVERGE PF5220/PF5240/ PF5248/PF5820(NEC) • RackSwitch G8264/G8264T(IBM) • Pronto 3290/3780(Pica8) • AS4600-54T/L3(Riava) • HP2920-24G(HP) Controller • NOX(OSS) • POX(OSS) • Trema(OSS) • Floodlight(OSS) • Virtual Network Controller Version 2.0 (NTT data) • Ryu(OSS) • UNIVERGE PF6800(NEC) • Both software and hardware implantations are available • Hardware based switch is a bit expensive yet
Fourteenforty Research Institute, Inc. • Install Open vSwitch and Trema on Linux box • Create a bridge device as br0 and activate it • Run Trema on localhost:6633/tcp, and specify the controller’s address in the switch parameter • Run the controller code below on Trema which makes the switch act like an repeater Example of network design and traffic(1/4) 12 eth2eth1 host-1 host-2 trema 0.0.0.00.0.0.0 192.168.1.2/24192.168.1.1/24 127.0.0.1:6633/tcp src: http://www.trema.info/2012/09/repeater-hub/ class RepeaterHub < Controller def packet_in datapath_id, message send_flow_mod_add( datapath_id, :match => ExactMatch.from( message ), :actions => ActionOutput.new( OFPP_FLOOD ) ) send_packet_out( datapath_id, :packet_in => message, :actions => ActionOutput.new( OFPP_FLOOD ) ) end end Open vSwitch br0 secure-channel
Fourteenforty Research Institute, Inc. • Both controller and switch run on same Linux box • TCP based Secure-Channel (not TLS) • Red background on screen is the switch’s traffic Example of network design and traffic(2/4) 13 struct ofp_header { uint8_t version; uint8_t type; uint16_t length; uint32_t xid; }; enum ofp_type { OFTP_HELLO, // 0x0 OFTP_ERROR, // 0x1 OFTP_ECHO_REQUEST, // 0x2 OFTP_ECHO_REPLY, // 0x3 OFTP_VENDOR, // 0x4 OFTP_FEATURES_REQUEST // 0x5 OFTP_FEATURES_REPLY, // 0x6 ... OFTP_SET_CONFIG, // 0x9 OFTP_PACKET_IN, // 0xa ... OFTP_FLOW_MOD, // 0xe ■Exchanging HELLO messages between the switch and the controller
Fourteenforty Research Institute, Inc. Example of network design and traffic (3/4) 14 OFTP_FEATURES_REQUESTOFTP_FEATURES_REPLY replying port configurations ■Features request and reply
Fourteenforty Research Institute, Inc. Example of network design and traffic (4/4) 15 OFTP_PACKET_IN OFTP_FLOW_MOD ■Initial configuration and writing flow entry from controller / PACKET_IN message from switch 12 bytes OFTP_SET_CONFIG
Fourteenforty Research Institute, Inc. Threat analysis 16 [premises] • Assets: a)Flow entry in switch, b)Network capability offered by OpenFlow • Information system: c)Switch, d)Controller • Analyze assets’ threat against CIA and the others are against CIAAAR – CIAAAR: ISO/IEC TR 13335(GMITS) Assets Information system Flow entry Network capability Switch Controller Confidentiality Integrity Availability Authenticity Accountability Reliability region for analysis
Fourteenforty Research Institute, Inc. Flow entry 17 Assumed threat Countermeasure and comment C Information leaking on the network Using TLS for Secure-Channel Information leaking from switches Hardening switches Information leaking from controllers Hardening controllers I Tampering on the network Using TLS for Secure-Channel Tampering in switches Hardening switches Tampering from controllers Hardening controllers A Flooding a table using spoofed packet Applying flow entry to prohibit address spoofing (References 2.c) Flushing a flow table in switches Hardening switches
Fourteenforty Research Institute, Inc. Network capability 18 Assumed threat Countermeasure and comment C Information leaking by corrupted flow entry Hardening switches and controllers I Traffic tampering by corrupted flow entry Hardening switches and controllers Integrity loss by secure channel disconnection making secure-channel redundant A Denial of service by corrupted flow entry Hardening switches and controllers Denial of service by switches and controllers failure Hardening switches and controllers Network failure by secure channel disconnection making secure-channel redundant
Fourteenforty Research Institute, Inc. Switch 19 Assumed threat Countermeasure and comment Co Hacking a system (eg. exploiting, password cracking) Hardening switches In Hacking a system (eg. exploiting, password cracking) Hardening switches Av Hacking a system (eg. exploiting, password cracking) Hardening switches DoS attack from controllers Hardening controllers (premise: controllers compromise) Dos attack from others Applying the flow entry considered such attack Hardware/Software failure Making a system redundant Au Hacking a system (eg. password cracking, identity theft) Hardening switches Redirection to fake controllers (eg. ARP Poisoning) Authenticating controllers using TLS based on certifications Ac Tampering logs by hacking Hardening switches Re Hacking a system (eg. exploiting, password cracking) Hardening switches
Fourteenforty Research Institute, Inc. Controller 20 Assumed threat Countermeasure and comment Co Hacking a system (eg. exploiting, password cracking) Hardening controllers In Hacking a system (eg. exploiting, password cracking) Hardening controllers Av Hacking a system (eg. exploiting, password cracking) Hardening controllers DoS attack from switches Hardening switches (premise: switches compromise) DoS attack from others Applying the flow entry considered such attack Hardware/Software failure Making a system redundant Au Hacking a system (eg. password cracking, identity theft) Hardening controllers Redirection to fake switches (eg. ARP Poisoning) Authenticating switches using TLS based on certifications Ac Tampering logs by system hacking Hardening controllers Re Hacking a system (eg. exploiting, password cracking) Hardening controllers
Fourteenforty Research Institute, Inc. Threat sources Conclusions 21 • Hardening switches and controllers and TLS for Secure-Channel are required (depends on where both devices be deployed) • Both switches and controllers have software component in the system – usual countermeasures are important technically and operationally • Especially, should be careful about controllers as it might be an SPOF Controller breach Switch breach Hijacking the Secure-Channel Flow entry corruption Taking over the network
Fourteenforty Research Institute, Inc. • Any way to make a DoS situation to a controller by sending special crafted packet like smurf(#1) attack and DNS Amp(#2) attack? – Packet-in flood – Flow-Removed flood – Port-Status flood • remote flow entry detection by various probing packets • Auditing each individual device’s design and implementation • Security problem from actual environment and operations – Logic error in flow entry Further research 22 #1 http://www.ipa.go.jp/security/ciadr/crword.html#S #2 http://www.ipa.go.jp/security/vuln/documents/2008/200812_DNS.html
Fourteenforty Research Institute, Inc. 1. Books (Japanese) a. クラウド時代のネットワーク技術 OpenFlow実践入門 (ISBN-10: 4774154652) 2. Online resources a. Openflow Networking Foundation https://www.opennetworking.org/ b. OpenFlow Switch Specifications version 1.0.0 http://www.openflow.org/documents/openflow-spec-v1.0.0.pdf c. SDNのセキュリティ / Inter-Domain Routing Security 23 (Japanese) http://irs.ietf.to/wiki.cgi?page=IRS23 References 23

More Related Content

PDF
Cisco Openflow
byVijayaguru Jayaram
 
PPTX
Tcp ip management &amp; security
byAsif Qureshi
 
PDF
How does the ue know when an eNB is talking to it
byaliirfan04
 
PDF
An3906 serial to eth freescale
byFernando
 
PPTX
Dealing with Exceptions Computer Architecture part 1
byGaditek
 
PDF
Rfc1058
bykiennguyen1991
 
PDF
Introduction to OpenFlow
byrjain51
 
PDF
etherlink plus developers guide
bypanamjayait
 
Cisco Openflow
byVijayaguru Jayaram
 
Tcp ip management &amp; security
byAsif Qureshi
 
How does the ue know when an eNB is talking to it
byaliirfan04
 
An3906 serial to eth freescale
byFernando
 
Dealing with Exceptions Computer Architecture part 1
byGaditek
 
Rfc1058
bykiennguyen1991
 
Introduction to OpenFlow
byrjain51
 
etherlink plus developers guide
bypanamjayait
 

What's hot

PDF
Rfc1723
bykiennguyen1991
 
PDF
Sevana VQM Administration Manual
bySevana Oü
 
PDF
Central processing unit i
byJyotiprakashMishra18
 
PDF
H344250
byIJERA Editor
 
PDF
Vulnerabilities analysis of fault and Trojan attacks in FSM
byKurra Gopi
 
PDF
FPGA IMPLEMENTATION OF DEBLOCKING FILTER CUSTOM INSTRUCTION HARDWARE ON NIOS-...
byVLSICS Design
 
PDF
Device drivers and interrupt service mechanism
byVijay Kumar
 
PPTX
Dealing with exceptions Computer Architecture part 2
byGaditek
 
PPT
Lte power management
byVu Nguyen
 
PDF
Profibus programming-guide
byWilliam Fernandes
 
PPTX
Pci
byIama Marsian
 
PPT
CCNA CHAPTER 6 BY jetarvind kumar madhukar
byALLCAD Services Pvt Limited
 
PPTX
VLAN
byISMT College
 
PDF
ASTROSAT SSR - 2015-05-15
byAritra Sarkar
 
PDF
Presentation_Final
byPriyanka Goswami
 
PPT
8251
byAisu
 
PDF
RFC 1058 - Routing Information Protocol
byHoàng Hải Nguyễn
 
PDF
Ccna2 ass
byFarhana Sharmin Tithi
 
PPTX
Pipelining of Processors
byGaditek
 
PPTX
Pheripheral interface
byJCT COLLEGE OF ENGINEERING AND TECHNOLOGY
 
Rfc1723
bykiennguyen1991
 
Sevana VQM Administration Manual
bySevana Oü
 
Central processing unit i
byJyotiprakashMishra18
 
H344250
byIJERA Editor
 
Vulnerabilities analysis of fault and Trojan attacks in FSM
byKurra Gopi
 
FPGA IMPLEMENTATION OF DEBLOCKING FILTER CUSTOM INSTRUCTION HARDWARE ON NIOS-...
byVLSICS Design
 
Device drivers and interrupt service mechanism
byVijay Kumar
 
Dealing with exceptions Computer Architecture part 2
byGaditek
 
Lte power management
byVu Nguyen
 
Profibus programming-guide
byWilliam Fernandes
 
Pci
byIama Marsian
 
CCNA CHAPTER 6 BY jetarvind kumar madhukar
byALLCAD Services Pvt Limited
 
VLAN
byISMT College
 
ASTROSAT SSR - 2015-05-15
byAritra Sarkar
 
Presentation_Final
byPriyanka Goswami
 
8251
byAisu
 
RFC 1058 - Routing Information Protocol
byHoàng Hải Nguyễn
 
Ccna2 ass
byFarhana Sharmin Tithi
 
Pipelining of Processors
byGaditek
 
Pheripheral interface
byJCT COLLEGE OF ENGINEERING AND TECHNOLOGY
 

Viewers also liked

PDF
Enhancing Security in OpenFlow
byNiketa Chellani
 
PDF
OpenFlow Security Threat Detection and Defense Services
byEswar Publications
 
PDF
Mr201307 investigation into_emet4.0_jpn
byFFRI, Inc.
 
PPTX
Openflow Protocol
byKaliyaperumal Krishnan
 
PPTX
Architecture of OpenFlow SDNs
byUS-Ignite
 
PPTX
Software Define Network
bySubith Babu
 
PPT
OpenFlow tutorial
byopenflow
 
PDF
OpenFlow 1.5.1
byjungbh
 
Enhancing Security in OpenFlow
byNiketa Chellani
 
OpenFlow Security Threat Detection and Defense Services
byEswar Publications
 
Mr201307 investigation into_emet4.0_jpn
byFFRI, Inc.
 
Openflow Protocol
byKaliyaperumal Krishnan
 
Architecture of OpenFlow SDNs
byUS-Ignite
 
Software Define Network
bySubith Babu
 
OpenFlow tutorial
byopenflow
 
OpenFlow 1.5.1
byjungbh
 

Similar to Mr201304 open flow_security_eng

PDF
M 14ofl
byronsito
 
PPT
Software defined network and Virtualization
byidrajeev
 
PDF
Introduction to OpenFlow
byJoel W. King
 
PPT
OpenFlow Tutorial
byJa-seop Kwak
 
PPTX
lect4_SDNbasic_openflow.pptx
byJesicaDcruz1
 
PDF
SDN - OpenFlow protocol
byUlf Marxen
 
PPT
Naveen nimmu sdn future of networking
byOpenSourceIndia
 
PPT
Naveen nimmu sdn future of networking
bysuniltomar04
 
PPTX
08-Software Defined Networking Southern Carolina
bycustcharanhp2309
 
PPTX
Lecture14 1
byEdwin Castillo
 
PPTX
Network programmability: an Overview
byAymen AlAwadi
 
PPTX
IT1634 – SDN Unit 2 Software Defined Nwtwork
byssuser000e54
 
PDF
Openlab.2014 02-13.major.vi sion
byCcie Light
 
PPTX
Software-Defined Networking (SDN) is a transformative networking paradigm
byeticket4403
 
PPTX
OpenFlow
byKingston Smiler
 
PDF
SDN/OpenFlow #lspe
byChris Westin
 
PDF
OpenFlow — the key standard of Software-Defined Networks
byMinsk Linux User Group
 
PPTX
Set review 1
byAnkita Mandekar
 
PPTX
Floodlight with Firewall and Network Virtualization
byAnkita Mandekar
 
PPTX
Open Flow Protocol
byVishal S M B
 
M 14ofl
byronsito
 
Software defined network and Virtualization
byidrajeev
 
Introduction to OpenFlow
byJoel W. King
 
OpenFlow Tutorial
byJa-seop Kwak
 
lect4_SDNbasic_openflow.pptx
byJesicaDcruz1
 
SDN - OpenFlow protocol
byUlf Marxen
 
Naveen nimmu sdn future of networking
byOpenSourceIndia
 
Naveen nimmu sdn future of networking
bysuniltomar04
 
08-Software Defined Networking Southern Carolina
bycustcharanhp2309
 
Lecture14 1
byEdwin Castillo
 
Network programmability: an Overview
byAymen AlAwadi
 
IT1634 – SDN Unit 2 Software Defined Nwtwork
byssuser000e54
 
Openlab.2014 02-13.major.vi sion
byCcie Light
 
Software-Defined Networking (SDN) is a transformative networking paradigm
byeticket4403
 
OpenFlow
byKingston Smiler
 
SDN/OpenFlow #lspe
byChris Westin
 
OpenFlow — the key standard of Software-Defined Networks
byMinsk Linux User Group
 
Set review 1
byAnkita Mandekar
 
Floodlight with Firewall and Network Virtualization
byAnkita Mandekar
 
Open Flow Protocol
byVishal S M B
 

More from FFRI, Inc.

PDF
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
byFFRI, Inc.
 
PDF
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
byFFRI, Inc.
 
PDF
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
byFFRI, Inc.
 
PDF
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
byFFRI, Inc.
 
PDF
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
byFFRI, Inc.
 
PDF
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
byFFRI, Inc.
 
PDF
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
byFFRI, Inc.
 
PDF
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
byFFRI, Inc.
 
PDF
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
byFFRI, Inc.
 
PDF
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
byFFRI, Inc.
 
PDF
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
byFFRI, Inc.
 
PDF
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
byFFRI, Inc.
 
PDF
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
byFFRI, Inc.
 
PDF
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
byFFRI, Inc.
 
PDF
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
byFFRI, Inc.
 
PDF
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
byFFRI, Inc.
 
PDF
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
byFFRI, Inc.
 
PDF
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
byFFRI, Inc.
 
PDF
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
byFFRI, Inc.
 
PDF
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
byFFRI, Inc.
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
byFFRI, Inc.
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
byFFRI, Inc.
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
byFFRI, Inc.
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
byFFRI, Inc.
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
byFFRI, Inc.
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
byFFRI, Inc.
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
byFFRI, Inc.
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
byFFRI, Inc.
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
byFFRI, Inc.
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
byFFRI, Inc.
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
byFFRI, Inc.
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
byFFRI, Inc.
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
byFFRI, Inc.
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
byFFRI, Inc.
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
byFFRI, Inc.
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
byFFRI, Inc.
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
byFFRI, Inc.
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
byFFRI, Inc.
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
byFFRI, Inc.
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
byFFRI, Inc.
 

Recently uploaded

PDF
apidays Australia 2025 | The Strategic Role of APIs in Digital Transformation
byapidays
 
PPTX
Advance Computer Architecture Lecture 4.pptx
byBottshikanBottshikan
 
PDF
Safer’s Picks: Recent FME Enhancements with Big Everyday Impact
bySafe Software
 
PPTX
AI in Marine Insurance Future of Smarter Risk, Faster Claims & Safer Shipping...
byAutomationEdge Technologies
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PPTX
Single Cell Protein from Methane or Methanol - Process development research c...
byJohn Downs
 
PPTX
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
PDF
Agentic AI Roadmap 2026: Mastering Autonomous AI Workflows and Systems
byAeafat Ahmed Mubin
 
DOCX
Best Web to Learn About Buying Verified Skrill Accounts (Los Angeles).docx
byhttps://topsellerit.com/product/buy-verified-binance-accounts/
 
PDF
Transcript: What ONIX can do: Leveraging metadata to support the discoverabil...
byBookNet Canada
 
PDF
Teaching Robots how to Read 1/2: AI Center & Classic Document Understanding (...
byanabulhac
 
PDF
Enterprise Data Services_ A Development Guide with Use Cases, Trends and Impl...
by2601harsh23
 
PDF
Getting the Best of TrueDEM – January News & Updates
bypanagenda
 
PDF
Router-DHCP-Printer-SharingRouter-DHCP-Printer-Sharing
byarbendi2160
 
PPT
Database Management Systems: Basics, History, Data Models, etc.
byParithi Thamizh
 
PDF
What ONIX can do: Leveraging metadata to support the discoverability of First...
byBookNet Canada
 
PPTX
Code Like Bro -A guide for better Coding
byMadan Panthi
 
PPTX
SOFTWARE DEVELOPMENT PROCESS - INTRODUCTION
byParithi Thamizh
 
PDF
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
PPTX
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
apidays Australia 2025 | The Strategic Role of APIs in Digital Transformation
byapidays
 
Advance Computer Architecture Lecture 4.pptx
byBottshikanBottshikan
 
Safer’s Picks: Recent FME Enhancements with Big Everyday Impact
bySafe Software
 
AI in Marine Insurance Future of Smarter Risk, Faster Claims & Safer Shipping...
byAutomationEdge Technologies
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Single Cell Protein from Methane or Methanol - Process development research c...
byJohn Downs
 
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
Agentic AI Roadmap 2026: Mastering Autonomous AI Workflows and Systems
byAeafat Ahmed Mubin
 
Best Web to Learn About Buying Verified Skrill Accounts (Los Angeles).docx
byhttps://topsellerit.com/product/buy-verified-binance-accounts/
 
Transcript: What ONIX can do: Leveraging metadata to support the discoverabil...
byBookNet Canada
 
Teaching Robots how to Read 1/2: AI Center & Classic Document Understanding (...
byanabulhac
 
Enterprise Data Services_ A Development Guide with Use Cases, Trends and Impl...
by2601harsh23
 
Getting the Best of TrueDEM – January News & Updates
bypanagenda
 
Router-DHCP-Printer-SharingRouter-DHCP-Printer-Sharing
byarbendi2160
 
Database Management Systems: Basics, History, Data Models, etc.
byParithi Thamizh
 
What ONIX can do: Leveraging metadata to support the discoverability of First...
byBookNet Canada
 
Code Like Bro -A guide for better Coding
byMadan Panthi
 
SOFTWARE DEVELOPMENT PROCESS - INTRODUCTION
byParithi Thamizh
 
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 

Mr201304 open flow_security_eng

  • 1.
    Fourteenforty Research Institute,Inc. Fourteenforty Research Institute, Inc. Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp OpenFlow Security ver2.00.02 Junichi Murakami Executive Officer, Director of Advanced Development Division
  • 2.
    Fourteenforty Research Institute,Inc. 1. Introduction 2. OpenFlow Overview – Software Defined Network(SDN) and OpenFlow – Background and circumstances – Technical basics – Controllers and Switches – Example of network design and traffic 3. Threat of OpenFlow – Threat analysis – Flow entry / Network capability / Switch / Controller – Conclusions – Further research 4. References Agenda 2
  • 3.
    Fourteenforty Research Institute,Inc. • This slide describes an overview of OpenFlow technology and its threat analysis under the current specification • This research focuses on the specification of OpenFlow 1.0 • Threats described in this slide does not always mean the feasibility of attacks on the threats is proven Introduction 3
  • 4.
    Fourteenforty Research Institute,Inc. • SDN – Usual networks are fixed system, which are defined by each network device’s deployment, connections and configurations – Virtualizations for servers and storages are in progress in a data center in recent years. – A network is not so flexible yet, so it needs to be re-designed and re- configured every time (operation cost is highly increasing) – SDN is general concept to define network as software for making it more flexible in terms of its design, control and management • OpenFlow – A kind of technology specifications to realize the SDN Software Defined Network(SDN) and OpenFlow 4
  • 5.
    Fourteenforty Research Institute,Inc. • Open Networking Foundation(ONF) draws up the specification – https://www.opennetworking.org/ • Board member of ONF is shown as below(4/15/2013) – Deutsche Telekom, Facebook, Goldman Sachs, Google, Microsoft, NTT Communications, Verizon, Yahoo! • Currently most implementations are based on version 1.0 Background and circumstances 5 Date Occurrence 12/31/2009 Version 1.0 published(mainly worked by Stanford University) 2/28/2011 Version 1.1 published 3/21/2011 Open Networking Foundation Founded 12/5/2011 Version 1.2 published 5/25/2012 Version 1.3 published 9/6/2012 Version 1.3.1 published
  • 6.
    Fourteenforty Research Institute,Inc. • Basic concept – Separate control plane from network devices – Build up network with OpenFlow Controllers and OpenFlow Switches – The specification mainly defines switch spec. and communication interface between OpenFlow Controllers and OpenFlow Switches Technical basis (1/5) 6 Data plane (frame transfer) Control plane (routing, etc.) Application (QoS, redundant, etc.) Data plane Control plane Application usual network device OpenFlow Switch OpenFlow Controller OpenFlow spec. Interface Switch spec.
  • 7.
    Fourteenforty Research Institute,Inc. • Flow – A unit of traffic handled by OpenFlow • Flow Entry: management structure of Flow consists of 3 elements below – Header Fields:conditions to determine a target flow – Instructions: a set of actions which describes how the matched flow being processed – Counter:statistics information of the matched flow Technical Basis (2/5) 7 Header Fields Ingress port IP src Ether src IP dst Ether dst IP proto Ether type IP ToS bits VLAN id TCP/UDP src port VLAN priority TCP/UDP dst port Actions (partial) Forward output the flow to specified port DROP discard the flow Modify-Field modify specified fields of the flow
  • 8.
    Fourteenforty Research Institute,Inc. • Controller – Write a flow entry to a switch – Respond to a switch’s query (shown as below) • Switch – Keep flow entries on a flow table – Process each flow based on a flow table – Query to controller if appropriate entry does not exist Technical Basis (3/5) 8 Controller Switch - output flow to port3 if IP_DST == 192.168.1.4 - drop all UDP flow - modify IP_SRC to 192.168.1.5 and output the flow to port5 if IP_DST == 10.1.3.51 Flow Entry query Flow Table * Flow Entry (eg.)
  • 9.
    Fourteenforty Research Institute,Inc. • Can control switch behavior based on flow entry – repeater, switch, router, load balancer and so on • Doesn’t need to change physical connections and each device configurations • Retrieve counters from each switch’s flow table – Can manipulate routing appropriately according to flow type and load • Each flow entry on a flow table has a timeout – hard timeout – idle timeout Technical Basis (4/5) 9
  • 10.
    Fourteenforty Research Institute,Inc. • Secure-Channel:communication interface between switches and controllers – following messages are exchanged over TCP or TLS connections a. Controller to Switch • Features:to request the capability of a switch • Configuration:to set and query configuration parameter in a switch • Modify-State: to add or delete entry in a flow table and modify port configuration • Read-State:to collect statistics from a switch b. Switch to Controller (asynchronous) • Packet-in:to notify an incoming packet which is not matched to any flow entry • Flow-Removed:to notify a flow has expired and is deleted from a table • Port-Status:to notify switch’s port configuration states has changed (eg. link- down) c. bidirectional (asynchronous) • HELLO: messages exchanged when establishing a connection • ECHO(Request/Reply):ping/pong over the secure-channel Technical Basis (5/5) 10
  • 11.
    Fourteenforty Research Institute,Inc. Controllers and Switches 11 Software Hardware Switch • Open vSwitch(OSS) • Indigo(OSS) • LINC(OSS) • UNIVERGE PF1000(NEC) • UNIVERGE PF5220/PF5240/ PF5248/PF5820(NEC) • RackSwitch G8264/G8264T(IBM) • Pronto 3290/3780(Pica8) • AS4600-54T/L3(Riava) • HP2920-24G(HP) Controller • NOX(OSS) • POX(OSS) • Trema(OSS) • Floodlight(OSS) • Virtual Network Controller Version 2.0 (NTT data) • Ryu(OSS) • UNIVERGE PF6800(NEC) • Both software and hardware implantations are available • Hardware based switch is a bit expensive yet
  • 12.
    Fourteenforty Research Institute,Inc. • Install Open vSwitch and Trema on Linux box • Create a bridge device as br0 and activate it • Run Trema on localhost:6633/tcp, and specify the controller’s address in the switch parameter • Run the controller code below on Trema which makes the switch act like an repeater Example of network design and traffic(1/4) 12 eth2eth1 host-1 host-2 trema 0.0.0.00.0.0.0 192.168.1.2/24192.168.1.1/24 127.0.0.1:6633/tcp src: http://www.trema.info/2012/09/repeater-hub/ class RepeaterHub < Controller def packet_in datapath_id, message send_flow_mod_add( datapath_id, :match => ExactMatch.from( message ), :actions => ActionOutput.new( OFPP_FLOOD ) ) send_packet_out( datapath_id, :packet_in => message, :actions => ActionOutput.new( OFPP_FLOOD ) ) end end Open vSwitch br0 secure-channel
  • 13.
    Fourteenforty Research Institute,Inc. • Both controller and switch run on same Linux box • TCP based Secure-Channel (not TLS) • Red background on screen is the switch’s traffic Example of network design and traffic(2/4) 13 struct ofp_header { uint8_t version; uint8_t type; uint16_t length; uint32_t xid; }; enum ofp_type { OFTP_HELLO, // 0x0 OFTP_ERROR, // 0x1 OFTP_ECHO_REQUEST, // 0x2 OFTP_ECHO_REPLY, // 0x3 OFTP_VENDOR, // 0x4 OFTP_FEATURES_REQUEST // 0x5 OFTP_FEATURES_REPLY, // 0x6 ... OFTP_SET_CONFIG, // 0x9 OFTP_PACKET_IN, // 0xa ... OFTP_FLOW_MOD, // 0xe ■Exchanging HELLO messages between the switch and the controller
  • 14.
    Fourteenforty Research Institute,Inc. Example of network design and traffic (3/4) 14 OFTP_FEATURES_REQUESTOFTP_FEATURES_REPLY replying port configurations ■Features request and reply
  • 15.
    Fourteenforty Research Institute,Inc. Example of network design and traffic (4/4) 15 OFTP_PACKET_IN OFTP_FLOW_MOD ■Initial configuration and writing flow entry from controller / PACKET_IN message from switch 12 bytes OFTP_SET_CONFIG
  • 16.
    Fourteenforty Research Institute,Inc. Threat analysis 16 [premises] • Assets: a)Flow entry in switch, b)Network capability offered by OpenFlow • Information system: c)Switch, d)Controller • Analyze assets’ threat against CIA and the others are against CIAAAR – CIAAAR: ISO/IEC TR 13335(GMITS) Assets Information system Flow entry Network capability Switch Controller Confidentiality Integrity Availability Authenticity Accountability Reliability region for analysis
  • 17.
    Fourteenforty Research Institute,Inc. Flow entry 17 Assumed threat Countermeasure and comment C Information leaking on the network Using TLS for Secure-Channel Information leaking from switches Hardening switches Information leaking from controllers Hardening controllers I Tampering on the network Using TLS for Secure-Channel Tampering in switches Hardening switches Tampering from controllers Hardening controllers A Flooding a table using spoofed packet Applying flow entry to prohibit address spoofing (References 2.c) Flushing a flow table in switches Hardening switches
  • 18.
    Fourteenforty Research Institute,Inc. Network capability 18 Assumed threat Countermeasure and comment C Information leaking by corrupted flow entry Hardening switches and controllers I Traffic tampering by corrupted flow entry Hardening switches and controllers Integrity loss by secure channel disconnection making secure-channel redundant A Denial of service by corrupted flow entry Hardening switches and controllers Denial of service by switches and controllers failure Hardening switches and controllers Network failure by secure channel disconnection making secure-channel redundant
  • 19.
    Fourteenforty Research Institute,Inc. Switch 19 Assumed threat Countermeasure and comment Co Hacking a system (eg. exploiting, password cracking) Hardening switches In Hacking a system (eg. exploiting, password cracking) Hardening switches Av Hacking a system (eg. exploiting, password cracking) Hardening switches DoS attack from controllers Hardening controllers (premise: controllers compromise) Dos attack from others Applying the flow entry considered such attack Hardware/Software failure Making a system redundant Au Hacking a system (eg. password cracking, identity theft) Hardening switches Redirection to fake controllers (eg. ARP Poisoning) Authenticating controllers using TLS based on certifications Ac Tampering logs by hacking Hardening switches Re Hacking a system (eg. exploiting, password cracking) Hardening switches
  • 20.
    Fourteenforty Research Institute,Inc. Controller 20 Assumed threat Countermeasure and comment Co Hacking a system (eg. exploiting, password cracking) Hardening controllers In Hacking a system (eg. exploiting, password cracking) Hardening controllers Av Hacking a system (eg. exploiting, password cracking) Hardening controllers DoS attack from switches Hardening switches (premise: switches compromise) DoS attack from others Applying the flow entry considered such attack Hardware/Software failure Making a system redundant Au Hacking a system (eg. password cracking, identity theft) Hardening controllers Redirection to fake switches (eg. ARP Poisoning) Authenticating switches using TLS based on certifications Ac Tampering logs by system hacking Hardening controllers Re Hacking a system (eg. exploiting, password cracking) Hardening controllers
  • 21.
    Fourteenforty Research Institute,Inc. Threat sources Conclusions 21 • Hardening switches and controllers and TLS for Secure-Channel are required (depends on where both devices be deployed) • Both switches and controllers have software component in the system – usual countermeasures are important technically and operationally • Especially, should be careful about controllers as it might be an SPOF Controller breach Switch breach Hijacking the Secure-Channel Flow entry corruption Taking over the network
  • 22.
    Fourteenforty Research Institute,Inc. • Any way to make a DoS situation to a controller by sending special crafted packet like smurf(#1) attack and DNS Amp(#2) attack? – Packet-in flood – Flow-Removed flood – Port-Status flood • remote flow entry detection by various probing packets • Auditing each individual device’s design and implementation • Security problem from actual environment and operations – Logic error in flow entry Further research 22 #1 http://www.ipa.go.jp/security/ciadr/crword.html#S #2 http://www.ipa.go.jp/security/vuln/documents/2008/200812_DNS.html
  • 23.
    Fourteenforty Research Institute,Inc. 1. Books (Japanese) a. クラウド時代のネットワーク技術 OpenFlow実践入門 (ISBN-10: 4774154652) 2. Online resources a. Openflow Networking Foundation https://www.opennetworking.org/ b. OpenFlow Switch Specifications version 1.0.0 http://www.openflow.org/documents/openflow-spec-v1.0.0.pdf c. SDNのセキュリティ / Inter-Domain Routing Security 23 (Japanese) http://irs.ietf.to/wiki.cgi?page=IRS23 References 23