A Framework and Comparative Analysis of Control Plane Security of SDN and Conventional Networks

AbdelRahman Abdou and Paul C. van Oorschot (Carleton University, Canada), Tao Wan (Huawei Canada)

arXiv:1703.06992v3 [cs.NI] 6 Dec 2017. Version: December 7, 2017.

Abstract—Software defined networking implements the network control plane in an external entity, rather than in each individual device as in conventional networks. This architectural difference implies a different design for control functions necessary for essential network properties, e.g., loop prevention and link redundancy. We explore how such differences redefine the security weaknesses in the SDN control plane and provide a framework for comparative analysis which focuses on essential network properties required by typical production networks. This enables analysis of how these properties are delivered by the control planes of SDN and conventional networks, and to compare security risks and mitigations. Despite the architectural difference, we find similar, but not identical, exposures in control plane security if both network paradigms provide the same network properties and are analyzed under the same threat model. However, defenses vary; SDN cannot depend on edge based filtering to protect its control plane, while this is arguably the primary defense in conventional networks. Our concrete security analysis suggests that a distributed SDN architecture that supports fault tolerance and consistency checks is important for SDN control plane security. Our analysis methodology may be of independent interest for future security analysis of SDN and conventional networks.

Index Terms—Network security, SDN security, Control plane security, OpenFlow security

I. INTRODUCTION

Software-Defined Networking is a relatively new network architecture in which the control plane is separated from each individual network device and instead implemented in an external software entity. The external entity has complete knowledge of the topology of a network under its control, and programs the forwarding tables of each individual device in the network. In contrast, in conventional networks (CNs) the control plane, including the implementation of, e.g., a routing protocol such as Open Shortest Path First (OSPF) [1], runs inside each network device to learn forwarding tables in a distributed fashion. SDN architectures have two distinguishing properties of direct interest herein [2]:

1) Control and data plane separation. Removing the control plane from network devices and implementing it in an external SDN controller significantly reduces the complexity of network devices, making them simpler and cheaper than CN devices whose distributed control plane functionality is implemented across millions of lines of code, defined across hundreds of RFCs.

2) Network programmability. An SDN controller, with complete knowledge of a network's topology, controls a multitude of network devices within its administrative domain. By providing application programming interfaces (APIs), SDN makes it possible to develop networking applications, e.g., traffic engineering [3], thus enabling network innovation. In contrast, CN devices are proprietary and closed, making it hard or impossible to develop innovative network applications.

The concept of SDN has evolved since the term was originally coined in 2009 [4]. Here we try to clarify the critical properties of SDN from the perspective of network devices. A network device can be pure SDN, non-SDN, or hybrid. A pure SDN device implements no control function and is fully controlled by an external SDN controller. A non-SDN device implements all of its own control functions and is not controlled by any SDN controller. A hybrid SDN device both implements control functions and is controlled by an SDN controller. Based on this classification of network devices, a network can also be one of three types. A pure SDN network consists of at least one SDN controller and network devices all of which are fully controlled by the controller. A non-SDN network (i.e., CN) consists of network devices all of which implement and run their own control functions with no controlling external entity. A hybrid network consists of hybrid devices and at least one SDN controller.

In academic work, "SDN" often implies a pure SDN network, such as an OpenFlow network, and many academic SDN security research papers (e.g., [5]) focus primarily on the security of OpenFlow networks. SDN controllers originating in academic work, such as FloodLight and NOX, also primarily support OpenFlow and control OpenFlow switches which implement no control functionality (i.e., are pure SDN, rather than hybrid).

In contrast, in industry SDN commonly refers to hybrid networks consisting primarily of CN devices, augmented with open interfaces also allowing external control by an SDN controller. For example Broadcom, a leading provider of switch chips, published OpenFlow Data Plane Abstraction (OF-DPA) software [6] to allow switches based on Broadcom chips to be controlled by OpenFlow. Note that those CN devices, although often claimed to support OpenFlow and although they can be controlled using the OpenFlow protocol, do not actually implement OpenFlow tables and are not true OpenFlow switches. Rather, they use conventional tables such as L3 tables and Access Control Lists (ACLs) to emulate the behavior of OpenFlow tables, which allows packets to be processed beyond destination addresses. As another example, OpenDayLight [7] and ONOS [8], two leading open source SDN controllers, can control not only OpenFlow switches but also conventional devices, e.g., using NETCONF [9]. It is clear that industrial network practitioners focus more on network programmability than on the separation of control and data planes. We refrain from speculating on which type of SDN is better, or is the future.

We study and compare the control plane security of a pure SDN (hereafter referred to as SDN) and a CN. While hybrid networks are more popular in the field, there is no clear consensus on how to best divide control functions locally inside a device and externally into a controller. Further, by studying the security of both SDN and CNs, we hope that security threats identified in each can be selectively applied to a given hybrid network when its local and external controls are well defined.

Research on the security of SDN and CNs is in two distinct states. On one hand, the security of CNs has received less academic attention but is well understood by network security practitioners; aside from the area of routing (e.g., BGP security [10]) there are relatively few academic papers on the control plane security of a CN, yet security threats are well understood by equipment vendors and many security mitigations are built into CN products (e.g., switches, routers). In contrast, SDN security has received considerable academic attention (e.g., [11], [12], [13]), but its progress is considered slow (at best) by industrial measures. For example, neither of the two leading open source SDN controllers, OpenDaylight and ONOS, has implemented significant security mitigation. These different states of SDN and CN security research have attracted little attention. We offer the following explanation. We observe that many papers on SDN security assume a simple network, ignoring practical properties such as redundancy and scalability essential to realistic networks—thus excluding security risks faced by important network control functionality. Further, security threats identified for SDN are not properly compared with those in CN. We suggest that the lack of academic scrutiny, particularly systematization literature, on CN security may be a significant contributing factor in the considerable academic research on SDN security having failed to have major impact in industry.

We aim to address the gap by a comparative security assessment of conventional and SDN networks. Rather than a security analysis of all aspects, we focus on control plane security, since it is in their control plane architecture that CNs and SDN differ primarily.

... modularized SDN software architecture to facilitate implementation there. Our finding is supported by detailed security analysis. We argue that our methodology for comparative analysis will be of independent interest, to guide future SDN security analysis in both academia and by practitioners.

The sequel is organized as follows. Section II provides background information on CN and SDN architecture. Section III outlines fundamental network properties required by typical production networks, as well as the threat model used for our analysis. Sections IV and V analyze the security risks of the control plane of conventional Layer-2 (L2) and Layer-3 (L3) networks respectively. Section VI analyzes security risks in SDN networks. We compare the security risks and mitigations of SDN with CN in Section VII. Section VIII reviews related work. Section IX concludes.

II. BACKGROUND

Here we provide background on conventional and SDN networks for consistent terminology and later reference. Networking experts may advance to Section III.

A. Conventional Networks

A CN can be L2 or L3. A network consisting of only L2 switches as its intermediate systems is called an L2 network. Two (or more) L2 networks can be connected, e.g., using an L3 router. A network of L3 routers is called an L3 network. Other than using different types of destination addresses for forwarding, L2 and L3 networks differ mainly in two aspects:

1) They use different mechanisms in constructing their forwarding tables. L2 devices learn their forwarding tables (i.e., MAC tables) from the data plane. L3 routers build routing tables from the control plane using routing protocols. Note: MAC tables map MAC addresses to switch ports, not to be confused with ARP tables which map IP addresses to MAC addresses.

2) They handle unknown packets differently. An unknown packet is a packet without any corresponding forwarding rules. An L2 device floods an unknown packet to all ports except the receiving one to learn the forwarding rule, while an L3 router drops an unknown packet (and may also notify the packet source, e.g., using ICMP).

Due to these differences, L2 and L3 networks face different
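The two differences listed above (data-plane learning versus control-plane-installed tables, and flood versus drop for unknown packets) can be made concrete with a small model. The following Python is an added example, not code from the paper: it implements a learning L2 switch whose MAC table is populated purely from the source addresses of frames arriving on the data plane, and an L3 router whose routing table is only ever changed by an explicit control-plane operation (standing in for a routing protocol such as OSPF) and which performs longest-prefix matching. The class and method names (`L2Switch`, `L3Router`, `receive`, `install_route`, `forward`, `demo`) and all MAC and IP addresses are constructed for this illustration. Note that because the switch records whatever source address appears on a port, its forwarding state is built from unauthenticated data-plane input, which is why the paper treats MAC learning as part of the L2 control plane's exposure.

```python
"""Toy models of the two forwarding behaviours contrasted in Section II.A.

Constructed example; not code from the paper. An L2 switch learns its MAC
table from the data plane and floods unknown frames; an L3 router has its
table installed by the control plane and drops unknown packets.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

FLOOD = "flood"
FORWARD = "forward"
FILTER = "filter"
DROP = "drop"


class L2Switch:
    """Learning switch. The MAC table maps MAC address -> port.

    (This is not an ARP table, which maps IP address -> MAC address.)
    """

    def __init__(self, ports: List[int]) -> None:
        self.ports = list(ports)
        # Learned purely from data-plane traffic; no control protocol involved.
        self.mac_table: Dict[str, int] = {}

    def receive(self, in_port: int, src_mac: str, dst_mac: str) -> Tuple[str, List[int]]:
        """Process one frame and return (action, egress_ports)."""
        # Data-plane learning: whatever source address arrives on a port is
        # recorded, without any authentication of that address.
        self.mac_table[src_mac] = in_port
        out = self.mac_table.get(dst_mac)
        if out is None:
            # Unknown destination: flood to every port except the ingress port,
            # so that the eventual reply can be learned.
            return FLOOD, [p for p in self.ports if p != in_port]
        if out == in_port:
            # Destination is known to be on the ingress port: nothing to do.
            return FILTER, []
        return FORWARD, [out]


class L3Router:
    """Router whose routing table is installed by the control plane."""

    def __init__(self) -> None:
        self.routing_table: List[Tuple[ipaddress.IPv4Network, str]] = []

    def install_route(self, prefix: str, next_hop: str) -> None:
        """Control-plane operation (what a routing protocol would do); the
        table never changes as a side effect of forwarded traffic."""
        self.routing_table.append((ipaddress.ip_network(prefix), next_hop))
        # Most specific prefix first, so the first match below is the longest.
        self.routing_table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)

    def forward(self, dst_ip: str) -> Tuple[str, Optional[str]]:
        """Return (action, next_hop); unknown destinations are dropped."""
        addr = ipaddress.ip_address(dst_ip)
        for prefix, next_hop in self.routing_table:
            if addr in prefix:
                return FORWARD, next_hop
        # Unknown packet: drop it. A real router may additionally send an
        # ICMP destination-unreachable message back to the packet source.
        return DROP, None


def demo() -> dict:
    """Run both models on constructed traffic and return the observed actions."""
    sw = L2Switch(ports=[1, 2, 3, 4])
    host_a, host_b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"  # constructed MACs
    first = sw.receive(1, host_a, host_b)    # B unknown -> flood to 2, 3, 4
    reply = sw.receive(2, host_b, host_a)    # A already learned on port 1
    second = sw.receive(1, host_a, host_b)   # B now learned on port 2

    rt = L3Router()
    rt.install_route("10.0.0.0/8", "R1")     # constructed routes and next hops
    rt.install_route("10.1.0.0/16", "R2")
    known = rt.forward("10.1.2.3")           # longest prefix wins -> R2
    coarse = rt.forward("10.9.9.9")          # only the /8 matches -> R1
    unknown = rt.forward("192.0.2.1")        # no route -> drop

    return {
        "l2_first": first, "l2_reply": reply, "l2_second": second,
        "l2_mac_table": dict(sw.mac_table),
        "l3_known": known, "l3_coarse": coarse, "l3_unknown": unknown,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the asymmetry the paper describes: the switch's table fills itself from the first two frames and the third frame is no longer flooded, while the router's table contains exactly the routes installed through `install_route` and a destination outside them is dropped rather than flooded.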
