• Home

  • Software

  • The (In) Security of Topology Discovery in Software Defined Networks
1
The (In) Security of Topology Discovery in Software Defined Networks Talal Alharbi, Marius Portmann and Farzaneh Pakzad School of ITEE The University of Queensland, Australia Background Attack Scenario Solution: OFDP_HMAC Problem References The current version of OFDP is insecure and is vulnerable to topology spoofing attacks by hosts. [1] H. Krawczyk, M. Bellare, and R. Canetti, “HMAC: Keyed-hashing for message authentication,” IETF RFC 2104,1997 Attack steps 1) Host h1 injects an LLDP packet with the Switch ID set to S3, and the Port ID set to P1. 2) Switch S1 receives the LLDP packet, and adds its own Switch ID and the Port ID of the ingress port. 3) The controller receives the Packet-In message and identifies the source of the LLDP packet from the TLVs in the payload as (S3, P1). Adding a Hash-based cryptographic Message Authentication Code (MAC) to each LLDP packet. SDN A new approach to manage computer networks, where the control plane is separated from the data plane. Topology Discovery Essential service in SDN that underpins many higher layer services. Simple Packet Forwarding Hardware Simple Packet Forwarding Hardware Simple Packet Forwarding Hardware Simple Packet Forwarding Hardware Simple Packet Forwarding Hardware Network Operating System (Control layer) Control Programs (application layer ) Southbound interface SDN Controller OFDP OpenFlow Discovery Protocol de facto standard Implemented by most SDN controllers (uses LLDP packet format) Evaluation Data plane Port 1 Port2 LLDP Packet SDN Control ler Packet Packet Packet-out LLDP Packet Port 3 Switc h S1 Switc h S2 Port 3 Port 1 Port 2 LLDP Packet Link spoofing attack prevention verified in Mininet and OFELIA. Overhead: OFDP_HMAC adds extra 8% controller CPU load compared to OFDP. Topology Discovery Packet-In (S1, P3)- (S2, P2) SDN Control ler Switch S2 Switch S1 Port 1 Port 2 Port 3 Port 2 Port 3 Switch S3 Port 1 Port 1 Port 2 Port 3 h 1 h 3 h 2 Spoofed Link Spoofed Link: (S1,P1) – (S3, P1) SDN Controll er Switch S2 Switch S1 Port 1 Port 2 Port 3 Port 2 Port 3 Switch S3 Port 1 Port 1 Port 2 Port 3 h1 h3 h2 LLDP pkt Chassis ID = S3 Port ID = Port 1 Packet-In First Step Second Step Third Step Attack Implementation SDN Controller : POX Packet Manipulation Tool : Scapy Solution Implementation Implemented in POX and Ryu controllers HMAC is added as extra TLV field to each LLDP packet Spoofed link between S3 and S1 detected by controller [1 ] K is chosen randomly for each LLDP packet prevents replay attack

The (In) Security of Topology Discovery in Software Defined Networks

Embed Size (px)

Citation preview

Page 1: The (In) Security of Topology Discovery in Software Defined Networks

The (In) Security of Topology Discovery in Software Defined NetworksTalal Alharbi, Marius Portmann and Farzaneh Pakzad

School of ITEEThe University of Queensland, Australia

Background Attack Scenario Solution: OFDP_HMAC

Problem

References

The current version of OFDP is insecure and is vulnerable to topology spoofing attacks by hosts.

[1] H. Krawczyk, M. Bellare, and R. Canetti, “HMAC: Keyed-hashing for message authentication,” IETF RFC 2104,1997

Attack steps1) Host h1 injects an LLDP packet with the Switch ID set to S3, and the Port ID set to P1.

2) Switch S1 receives the LLDP packet, and adds its own Switch ID and the Port ID of the ingress port.

3) The controller receives the Packet-In message andidentifies the source of the LLDP packet from theTLVs in the payload as (S3, P1).

Adding a Hash-based cryptographic Message Authentication Code (MAC) to each LLDP packet.

SDNA new approach to manage computer networks, where the control plane is separated from the data plane.

Topology DiscoveryEssential service in SDN that underpins many higher layer services.

Simple Packet Forwarding Hardware

Simple Packet Forwarding Hardware

Simple Packet Forwarding Hardware

Simple Packet Forwarding Hardware

Simple Packet Forwarding Hardware

Network Operating System (Control layer)

Control Programs (application layer )

Southbound interface

SDN Controller

OFDPOpenFlow Discovery Protocol de facto standard

Implemented by most SDN controllers (uses LLDP packet format)

Evaluation

Data plane

Port 1

Port2

LLDP Packet

SDNControllerPacket

PacketPacket-out

LLDP Packet

Port 3

Switch S1

Switch S2 Port 3

Port 1

Port 2

LLDP Packet

Link spoofing attack prevention verified in Mininet and OFELIA. Overhead: OFDP_HMAC adds extra 8% controller CPU load compared to OFDP.

Topology Discovery

Packet-In

(S1, P3)- (S2, P2)

SDNController

Switch S2

Switch S1

Port 1

Port 2 Port 3 Port 2 Port 3

Switch S3

Port 1 Port 1

Port 2 Port 3

h1 h3h2Spoofed Link

Spoofed Link:(S1,P1) – (S3, P1)

SDNController

Switch S2

Switch S1

Port 1

Port 2 Port 3 Port 2 Port 3

Switch S3

Port 1 Port 1

Port 2 Port 3

h1 h3h2LLDP pkt

Chassis ID = S3Port ID = Port 1

Packet-In

First Step

Second Step

Third Step

Attack Implementation

SDN Controller: POXPacket Manipulation Tool: Scapy

Solution ImplementationImplemented in POX and Ryu controllersHMAC is added as extra TLV field to each LLDP packet

Spoofed link between S3 and S1 detected by controller

[1]

K is chosen randomly for each LLDP packet prevents replay attack

Information Services, Topology and Discovery Working Group IS-WG

Information Services, Topology and Discovery Working Group IS-WG

Documents
Efficient Topology Discovery in Software Defined Networks

Efficient Topology Discovery in Software Defined Networks

Technology
Efficient Topology Discovery in OpenFlow-based Software Defined …541407/UQ541407... · 2019. 10. 11. · increasing number of SDN enabled switches and other devices, as well as

Efficient Topology Discovery in OpenFlow-based Software Defined …541407/UQ541407... · 2019. 10. 11. · increasing number of SDN enabled switches and other devices, as well as

Documents
LOCATION AND TOPOLOGY DISCOVERY IN WIRELESS SENSOR NETWORKS

LOCATION AND TOPOLOGY DISCOVERY IN WIRELESS SENSOR NETWORKS

Documents
Efficient discovery of network topology and routing policy in the

Efficient discovery of network topology and routing policy in the

Documents
Efficient discovery of network topology and routing policy in

Efficient discovery of network topology and routing policy in

Documents
Network Discovery - IITKhome.iitk.ac.in/~amritami/index_files/ee673_term_paper.pdf · What is the main motivation for Network Discovery? Network topology constantly changes as new

Network Discovery - IITKhome.iitk.ac.in/~amritami/index_files/ee673_term_paper.pdf · What is the main motivation for Network Discovery? Network topology constantly changes as new

Documents
Molecular Topology – An Introductionpaupert/Moritzslides.pdf · Molecular topology reveals the topological symmetry -- defined in terms of connectivity Expresses the equivalence

Molecular Topology – An Introductionpaupert/Moritzslides.pdf · Molecular topology reveals the topological symmetry -- defined in terms of connectivity Expresses the equivalence

Documents
Embedded WiFi Kit Quick Guide · Link-Layer Topology Discovery Mapper I/O Driver Link-Layer Topology Discovery Responder Connect using: ... See Figure 5, 6. Example: AP_50217365 Figure

Embedded WiFi Kit Quick Guide · Link-Layer Topology Discovery Mapper I/O Driver Link-Layer Topology Discovery Responder Connect using: ... See Figure 5, 6. Example: AP_50217365 Figure

Documents
The OSiRIS Project: Collaborative Access to Data · Technical Goals - Topology Discovery GOAL: Network topology discovery - We have developed a discovery application integrated with

The OSiRIS Project: Collaborative Access to Data · Technical Goals - Topology Discovery GOAL: Network topology discovery - We have developed a discovery application integrated with

Documents
1 A survey of Internet Topology Discovery. 2 Outline Motivations Internet topology IP Interface Level Router Level AS Level PoP Level

1 A survey of Internet Topology Discovery. 2 Outline Motivations Internet topology IP Interface Level Router Level AS Level PoP Level

Documents
A Mesh-basedRobust Topology Discovery Algorithm for Hybrid W

A Mesh-basedRobust Topology Discovery Algorithm for Hybrid W

Documents
Topology Discovery at the Router Level: A New Hybrid Tool

Topology Discovery at the Router Level: A New Hybrid Tool

Documents
Topology optimization process for new designs of ......topology optimization problem. The topology optimization problem was defined to minimize the compliance of the structure with

Topology optimization process for new designs of ......topology optimization problem. The topology optimization problem was defined to minimize the compliance of the structure with

Documents
Internet measurements: fault detection, identification, and topology discovery

Internet measurements: fault detection, identification, and topology discovery

Documents
Information Services, Topology and Discovery Working Group IS- WG

Information Services, Topology and Discovery Working Group IS- WG

Documents
Link Layer Topology Discovery in an Uncooperative Ethernet Environment

Link Layer Topology Discovery in an Uncooperative Ethernet Environment

Documents
Efï¬cient Network Tomography for Internet Topology Discovery

Efï¬cient Network Tomography for Internet Topology Discovery

Documents
DNA Topology in Chromatin is Defined by Nucleosome Spacing · DNA topology in chromatin is defined by nucleosome spacing Tatiana Nikitina1, Davood Norouzi1, Sergei A. Grigoryev2*,

DNA Topology in Chromatin is Defined by Nucleosome Spacing · DNA topology in chromatin is defined by nucleosome spacing Tatiana Nikitina1, Davood Norouzi1, Sergei A. Grigoryev2*,

Documents
Hynetd v0.2.5 Manual Hybrid Network Topology Discovery ...traffic.comics.unina.it/software/TD/download/manual-0.2.5.pdf · Hynetd v0.2.5 Manual (Hybrid Network Topology Discovery)

Hynetd v0.2.5 Manual Hybrid Network Topology Discovery ...traffic.comics.unina.it/software/TD/download/manual-0.2.5.pdf · Hynetd v0.2.5 Manual (Hybrid Network Topology Discovery)

Documents
Link Layer Topology Discovery in an Uncooperative Ethernet

Link Layer Topology Discovery in an Uncooperative Ethernet

Documents
Topology Discovery, Loop Finding and Alternative Path Solution in

Topology Discovery, Loop Finding and Alternative Path Solution in

Documents
Internet Topology Discovery · Internet Topology Discovery Reza Motamedi University of Oregon motamedi@cs.uoregon.edu ABSTRACT Capturing an accurate view of the Internet topology

Internet Topology Discovery · Internet Topology Discovery Reza Motamedi University of Oregon [email protected] ABSTRACT Capturing an accurate view of the Internet topology

Documents
Camera Network Topology Discovery Literature Review · how to handle camera network topology discovery. Here we present a literature review on the problem of camera network topology

Camera Network Topology Discovery Literature Review · how to handle camera network topology discovery. Here we present a literature review on the problem of camera network topology

Documents
Automated Discovery and Maintenance of Enterprise Topology ... · Automated Discovery and Maintenance of Enterprise Topology Graphs Tobias Binz 1, Uwe Breitenbucher¨ , Oliver Kopp1,2,

Automated Discovery and Maintenance of Enterprise Topology ... · Automated Discovery and Maintenance of Enterprise Topology Graphs Tobias Binz 1, Uwe Breitenbucher¨ , Oliver Kopp1,2,

Documents
RPR Topology Discovery Proposal...802-17-01-00115 jf_topo_04.pdf 1 RPR Topology Discovery Proposal Italo Busi, Alcatel Jeanne De Jaegher, Alcatel Jason Fan, Luminous Chi-Ping Fu, NEC

RPR Topology Discovery Proposal...802-17-01-00115 jf_topo_04.pdf 1 RPR Topology Discovery Proposal Italo Busi, Alcatel Jeanne De Jaegher, Alcatel Jason Fan, Luminous Chi-Ping Fu, NEC

Documents
Internet measurements: topology discovery and dynamics

Internet measurements: topology discovery and dynamics

Documents
Algorithms and Techniques Used for Auto-discovery of ... · 3.1 Network Topology Discovery One common technique for discovering the topology of a network involves sending a series

Algorithms and Techniques Used for Auto-discovery of ... · 3.1 Network Topology Discovery One common technique for discovering the topology of a network involves sending a series

Documents
Internet Topology Mapping Hakan Kardes University of Nevada, Reno Modified version of Dr. Gunes’s Presentation on Internet Topology Discovery

Internet Topology Mapping Hakan Kardes University of Nevada, Reno Modified version of Dr. Gunes’s Presentation on Internet Topology Discovery

Documents
BMC Foundation Discovery and BMC Topology Discovery · PDF fileBMC Foundation Discovery and BMC Topology ... BMC Remedy Asset Management 7.0 ... BMC Analytics for Business Service

BMC Foundation Discovery and BMC Topology Discovery · PDF fileBMC Foundation Discovery and BMC Topology ... BMC Remedy Asset Management 7.0 ... BMC Analytics for Business Service

Documents