The (In)Security of Topology Discovery in Software Defined Networks
Talal Alharbi, Marius Portmann and Farzaneh Pakzad
School of ITEE, The University of Queensland, Australia
Background

SDN: a new approach to managing computer networks in which the control plane is separated from the data plane.
[Figure: SDN architecture. Control programs (application layer) run on top of the network operating system (control layer, the SDN controller), which talks over the southbound interface to simple packet forwarding hardware in the data plane.]

Topology Discovery: an essential service in SDN that underpins many higher-layer services.

OFDP (OpenFlow Discovery Protocol): the de facto standard for topology discovery, implemented by most SDN controllers. It uses the LLDP packet format.
[Figure: OFDP topology discovery. The SDN controller sends an LLDP packet to Switch S1 in a Packet-Out message; S1 emits it on Port 3. Switch S2 receives it on Port 2 and returns it to the controller in a Packet-In message, from which the controller infers the link (S1, P3) - (S2, P2).]

Problem

The current version of OFDP is insecure: it is vulnerable to topology spoofing attacks launched by hosts.

Attack Scenario

[Figure: switches S1, S2 and S3, each with Ports 1-3, connected to hosts h1, h2 and h3 and to the SDN controller. h1 injects an LLDP packet with Chassis ID = S3 and Port ID = Port 1 into S1; the controller records the spoofed link (S1, P1) - (S3, P1).]

Attack steps
1) Host h1 injects an LLDP packet with the Chassis ID (switch ID) set to S3 and the Port ID set to Port 1 (P1).
2) Switch S1 receives the LLDP packet on Port 1 and sends it to the controller in a Packet-In message, which carries S1's own Switch ID and the Port ID of the ingress port.
3) The controller receives the Packet-In message and identifies the source of the LLDP packet from the TLVs in the payload as (S3, P1). It therefore adds a link (S1, P1) - (S3, P1) to its topology that does not exist.

Attack Implementation
SDN controller: POX. Packet manipulation tool: Scapy.

Solution: OFDP_HMAC

A hash-based message authentication code (HMAC) [1] is added to each LLDP packet as an extra TLV field. Because the controller both generates the LLDP packets (Packet-Out) and receives them back (Packet-In), it can compute the HMAC on sending and verify it on receipt; an LLDP packet injected by a host, which does not hold the key, fails verification. The key K is chosen randomly for each LLDP packet, which also prevents replay attacks.
Solution implementation: in the POX and Ryu controllers.

Evaluation

Link spoofing attack prevention verified in Mininet and OFELIA: the spoofed link between S3 and S1 is detected by the controller. Overhead: OFDP_HMAC adds about 8% controller CPU load compared to OFDP.

References
[1] H. Krawczyk, M. Bellare, and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication," IETF RFC 2104, 1997.
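As an added, runnable model of both the attack steps and the OFDP_HMAC check (this is example code written for this page, not the authors' POX/Ryu implementation, which is not shown here): it encodes LLDP TLVs by hand with the Python standard library instead of Scapy, a plain-OFDP controller that trusts the Chassis ID / Port ID TLVs in any Packet-In, and an OFDP_HMAC controller that draws a fresh random key for every LLDP packet it emits, keeps that key indexed by the (switch, port) the packet was sent on, and verifies an HMAC carried in an organizationally specific TLV. The OUI and subtype of that TLV, the use of HMAC-SHA256, the key lookup by the packet's claimed source and the single-use key are assumptions of this example, not details taken from the poster.

```python
"""OFDP vs. OFDP_HMAC topology discovery, modelled with the Python stdlib only."""
import hashlib
import hmac
import os
import struct

# LLDP TLV types (IEEE 802.1AB). The HMAC is carried in an organizationally
# specific TLV (type 127); its OUI and subtype below are assumed for this example.
TLV_END, TLV_CHASSIS, TLV_PORT, TLV_TTL, TLV_ORG = 0, 1, 2, 3, 127
HMAC_OUI, HMAC_SUBTYPE = b"\x00\x00\x00", 1   # assumption, not from the paper
LOCAL_SUBTYPE = 7                             # "locally assigned" ID subtype


def tlv(tlv_type, value):
    """Encode one LLDP TLV: 7-bit type, 9-bit length, then the value bytes."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldp(chassis_id, port_id, extra=b""):
    """Build an LLDP payload whose TLVs claim it came from (chassis_id, port_id)."""
    return (tlv(TLV_CHASSIS, bytes([LOCAL_SUBTYPE]) + chassis_id.encode())
            + tlv(TLV_PORT, bytes([LOCAL_SUBTYPE]) + port_id.encode())
            + tlv(TLV_TTL, struct.pack("!H", 120))
            + extra
            + tlv(TLV_END, b""))


def parse_lldp(payload):
    """Return {tlv_type: value} for an LLDP payload, stopping at the End TLV."""
    tlvs, off = {}, 0
    while off + 2 <= len(payload):
        hdr, = struct.unpack_from("!H", payload, off)
        t, length = hdr >> 9, hdr & 0x1FF
        tlvs[t] = payload[off + 2: off + 2 + length]
        off += 2 + length
        if t == TLV_END:
            break
    return tlvs


def claimed_source(tlvs):
    """(chassis, port) exactly as announced in the packet's own TLVs."""
    return tlvs[TLV_CHASSIS][1:].decode(), tlvs[TLV_PORT][1:].decode()


class OfdpController:
    """Plain OFDP: the link source is whatever the Chassis/Port ID TLVs claim."""

    def __init__(self):
        self.links = set()

    def packet_out(self, switch, port):
        return build_lldp(switch, port)

    def packet_in(self, ingress_switch, ingress_port, payload):
        src = claimed_source(parse_lldp(payload))      # trusted without any check
        link = (src, (ingress_switch, ingress_port))
        self.links.add(link)
        return link


class OfdpHmacController(OfdpController):
    """OFDP_HMAC: one random key per emitted LLDP packet, HMAC in an extra TLV."""

    def __init__(self):
        super().__init__()
        self.keys = {}   # (switch, port) the packet was emitted on -> key (assumed design)

    @staticmethod
    def _tag(key, switch, port):
        # The MAC covers the claimed source; covering the whole payload is also possible.
        return hmac.new(key, f"{switch}|{port}".encode(), hashlib.sha256).digest()

    def packet_out(self, switch, port):
        key = os.urandom(32)                 # fresh key for this packet ...
        self.keys[(switch, port)] = key      # ... replacing last round's key for the port
        mac_tlv = tlv(TLV_ORG, HMAC_OUI + bytes([HMAC_SUBTYPE]) + self._tag(key, switch, port))
        return build_lldp(switch, port, mac_tlv)

    def packet_in(self, ingress_switch, ingress_port, payload):
        tlvs = parse_lldp(payload)
        src = claimed_source(tlvs)
        org = tlvs.get(TLV_ORG, b"")
        key = self.keys.get(src)
        if key is None or org[:4] != HMAC_OUI + bytes([HMAC_SUBTYPE]):
            return None                      # nothing outstanding for that source, or no HMAC TLV
        if not hmac.compare_digest(org[4:], self._tag(key, *src)):
            return None                      # forged (wrong key) or stale (old key) packet
        del self.keys[src]                   # single use: a replay of this packet fails
        link = (src, (ingress_switch, ingress_port))
        self.links.add(link)
        return link


def demo():
    """Plain OFDP records h1's forged (S3, P1) link; OFDP_HMAC rejects it and a replay."""
    plain = OfdpController()
    forged = build_lldp("S3", "P1")                       # injected by h1 on (S1, P1)
    spoofed = plain.packet_in("S1", "P1", forged)         # (S3,P1)-(S1,P1) accepted

    secure = OfdpHmacController()
    genuine = secure.packet_out("S1", "P3")
    real = secure.packet_in("S2", "P2", genuine)          # (S1,P3)-(S2,P2) accepted
    secure.packet_out("S3", "P1")                         # a key for (S3,P1) now exists
    bogus_mac = tlv(TLV_ORG, HMAC_OUI + bytes([HMAC_SUBTYPE]) + bytes(32))
    rejected = secure.packet_in("S1", "P1", build_lldp("S3", "P1", bogus_mac))
    replayed = secure.packet_in("S2", "P2", genuine)      # same packet a second time
    return spoofed, real, rejected, replayed


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the spoofed link for plain OFDP, the genuine link for OFDP_HMAC, and `None` for both the forged packet and the replay. Note what the check does and does not establish: a valid tag proves that the controller generated this packet for the claimed port and that it has not been seen before; it says nothing about the path the frame travelled between leaving that port and reaching the Packet-In.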