IST-153 Workshop on CYBER RESILIENCE

Resilience and Security in Software Defined Networking

Carmen Mas-Machuca, Senior Member, IEEE, Petra Vizarreta, Raphael Durner, and Jacek Rak, Member, IEEE

C. Mas Machuca, P. Vizarreta and R. Durner are with the Chair of Communication Networks, Technical University of Munich, TUM, Germany e-mail: (see http://lkn.ei.tum.de).
J. Rak is with the Telecommunications and Informatics Department of Computer Communications, Gdansk University of Technology, Poland

Abstract—This paper gives an overview of the most important issues on resilience and security in Software Defined Networking.

I. INTRODUCTION

Software Defined Networking (SDN) is a recent paradigm that aims at increasing network flexibility and efficiency by separating the control plane from the data plane. The SDN architecture is depicted in Figure 1. The data plane consists of interconnected forwarding devices, which forward packets based on their forwarding tables, which are built based on the input from the controller. The control plane is the intelligent layer that configures the path at the data plane based on the requirements from the application layer and also provides an abstract view of the data plane to the application layer. Data flows can be set based on requests from the application layer, or based on new flows from connected users. In the latter case, the forwarding device will contact the controller through the so-called secure channel to know how to proceed.

Fig. 1. Software Defined Networking architecture (figure adapted from [1]). [Figure labels: Network monitoring, Traffic engineering, Bandwidth on demand; SDN Controllers.]

Although the control plane is a logically centralized entity, it can be physically distributed at different locations. In that case, forwarding devices are assigned to one (or more) controllers. Coordination among the controllers is required (e.g., federation, hierarchical).

II. DATA PLANE RESILIENCE

Data plane resilience deals with the protection and restoration of data flows. Existing protection schemes for transport networks such as dedicated or shared path protection, which find link and/or node disjoint paths, can also be applied to SDN networks. These schemes aim at offering 100% reliability and have been further extended in order to consider QoS/security aspects and use fewer resources when possible [2], [3]. The compromise between protection and restoration in terms of flow restoration time and used resources is targeted by pre-computing several disjoint paths, from which the best one is selected in case of failure.

Another technique, proposed by Xie et al. [4], is a proactive local failure recovery module running at the forwarding components, able to restore flows in case of one local failure. The paper also proposes a reactive splicing module implemented at the controller, which allows flows to be restored in case of multiple failures. Flow restoration is triggered by the controller and hence, it is important that the controller is available when the failure occurs. Furthermore, each controller implementation offers different approaches to address failure scenarios, which can be further extended (e.g., the POX controller offers several algorithms extended by Vaghani et al. [5]).

III. CONTROL PLANE RESILIENCE

In SDN, the control plane of any network device is shifted to the SDN controller(s). Hence, any device has to be connected to at least one controller. The loss of connectivity between the forwarding devices and their designated controllers, as well as the failures of the controllers themselves, might seriously diminish the overall network performance. Heegaard et al. [6] presented five classes of threats to reliability in SDN, which can be summarized as follows:

• Threats affecting Control Flows
  – Connectivity loss between forwarding devices and controller(s)
  – State consistency between the controller replicas
• Threats affecting the controller
  – Controller outages
  – Controller software design
• Human error and misconfiguration of the network

Let us briefly present several representative papers addressing these threats. The "Human error and network misconfiguration" threat is not specific to SDN based networks, but can potentially have a much broader impact than in traditionally distributed legacy networks, since the controller would disseminate the configuration to the entire network.

A. Control Flows

The control plane in SDN is logically centralized, but may employ multiple physically distributed SDN controllers across the network in order to improve the resilience [7]. Ros et al. [8] showed that in order to achieve 99.999% availability of the control plane, the forwarding devices have to be connected to at least two controllers for most of today's wide area networks. These control flows are referred to as secure channels.

The resilience of the control plane highly depends on the number and the location of the controllers in the network. Several controller placement algorithms maximizing the control path diversity [9], and optimization of minimal cut sets have been proposed in the literature. Vizarreta et al. [10] compared two control path protection designs and also proposed an optimal strategy based on the solution of the corresponding Integer Linear Programming (ILP) problem. It has been shown that protecting control paths can improve the control path loss by up to three orders of magnitude, while adding a small extra delay. However, since the problem of resilient control paths planning is NP-hard, this approach does not scale for large networks. Recent efforts have been focused on finding efficient approximation algorithms for resilient control path design.

In order to improve the fault tolerance, controllers may deploy a distributed storage system to replicate the current state of the nodes and flows under their control. Maintaining the state consistency requires a compromise between accuracy and control traffic, as the other controllers have to be informed about any state update (e.g., new flow rule installed). Sakic et al. [11] proposed an adaptive consistency framework, where sharing the state updates can be deferred in time, depending on the application requirements, hence balancing the trade-off between control plane latency and message overhead. It is important to provide and maintain a reliable connection between the controllers to prevent the loss of state update messages, which could compromise the control plane reliability.

B. Controller

The SDN controller is essentially a software component running on commodity hardware, which makes it susceptible to different types of failures. In [1] different failure modes of the SDN controller were analyzed. The authors have shown that the failures of hardware and operating system, although less frequent than software failures, contribute more to the controller outages.

The SDN controller is required to perform a large set of tasks, ranging from network state monitoring, traffic steering and enforcement of network performance policies, which requires rather complex software. Today's production grade SDN controllers have grown to have more than 3 million lines of code [12], and software bugs are inevitable. Some software bugs, such as an error in the path computation element or concurrency issues, cannot be overcome with simple redundancy, and more sophisticated fault tolerance mechanisms are needed. The state-of-the-art literature is still missing a comprehensive study on the nature and frequency of software related failures.

IV. SECURITY IN SDN

As SDN emerges from research to productive deployments, the security of SDN gains more and more importance. The most prominent SDN protocol is OpenFlow, which descends from Ethane [13]. Ethane was developed to provide fine grained control in enterprise networks in order to improve the security. One main difference is the change in network behavior from "allow-first-restrict-later" to "restrict-first-allow-later". This approach inherently improves security in SDNs when compared to legacy networks. Additionally, with the introduction of a centralized control plane, a global network view becomes available. Using this global view largely facilitates network verification methods such as those introduced by Kazemian et al. [14]. This is critical to ensure the isolation of multiple network zones with different security demands.

On the other hand, SDN also introduces new attack vectors. In the following, the main attack vectors are structured according to the planes introduced in Figure 1.

A. Attacks from the Data Plane

If the attacker has access only to the data plane, like every host in the network, there are some possible attack vectors: an attacker can try to overload the controller [15], the secure channel between controller and forwarding devices [16] or even the switch table [17] by injecting certain packets at a high rate. Existing works that try to prevent these Denial of Service attacks use anomaly detection mechanisms and block the attacker's packets directly in the data plane [18], [19]. One main advantage of SDN is the automatic configuration of the network. One example is the automatic topology discovery, usually performed with the Link Layer Discovery Protocol (LLDP). Without any precautions, such as authenticated LLDP packets, an attacker can manipulate the topology view of the controller using forged packets. This can be further exploited for eavesdropping attacks [17].

B. Attacks from the Control Plane

If the attacker can get access to the control plane, for example by hijacking a forwarding device, even more serious threats are possible. An attacker could use conventional means to perform a Man-in-the-middle attack against the secure channel [20], giving him full control over the network. Additionally, attacks with malformed packets in the control plane can cause failures of the controllers [21] and in consequence cause network failures. To meet these risks, authentication and encryption of the secure channel is crucial. Unfortunately, authentication is not always supported in the current SDN ecosystem [22].

C. Attacks from the Application Plane

Additional risks can arise from the usage of malicious or malfunctioning SDN applications. This can be mitigated using formal verification methods in the controller [23]. These methods can be used to enforce security rules, such as the isolation of different network zones.

One issue for a secure operation of an SDN that remains open is the verification of the security of all components and a full bottom up trust relationship between all components and layers.

V. CONCLUSION

This paper has given an overview of the most important issues and some proposed solutions in order to increase the reliability and security in Software Defined Networking. As has been mentioned, the flexibility and efficiency offered by SDN come with some challenges (e.g., higher software failures).

ACKNOWLEDGMENT

This article is based upon work from COST Action CA 15127 (Resilient communication services protecting end-user applications from disaster-based failures RECODIS) supported by COST (European Cooperation in Science and Technology).

REFERENCES

[1] P. Vizarreta, P. Heegaard, B. Helvik, W. Kellerer, and M. M. Carmen, “Characterization of failure dynamics in sdn controllers,” in Resilient Networks Design and Modeling (RNDM), 2017 9th International Workshop on. IEEE, 2017.
[2] M. Furdek, N. Skorin-Kapov, and L. Wosinska, “Attack-aware dedicated path protection in optical networks,” Journal of Lightwave Technology, vol. 34, no. 4, pp. 1050–1061, Feb 2016.
[3] J. Yallouz and A. Orda, “Tunable qos-aware network survivability,” IEEE/ACM Transactions on Networking, vol. 25, no. 1, pp. 139–149, Feb 2017.
[4] A. Xie, X. Wang, W. Wang, and S. Lu, “Designing a disaster-resilient network with software defined networking,” in 2014 IEEE 22nd International Symposium of Quality of Service (IWQoS), May 2014, pp. 135–140.
[5] R. Vaghani and C.-H. Lung, “A comparison of data forwarding schemes for network resiliency in software defined networking,” Procedia Computer Science, vol. 34, pp. 680–685, 2014, the 9th International Conference on Future Networks and Communications (FNC’14)/The 11th International Conference on Mobile Systems and Pervasive Computing (MobiSPC’14)/Affiliated Workshops. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S1877050914009521
[6] P. E. Heegaard, B. E. Helvik, and V. B. Mendiratta, “Achieving dependability in software-defined networking - a perspective,” in Reliable Networks Design and Modeling (RNDM), 2015 7th International Workshop on. IEEE, 2015, pp. 63–70.
[7] D. Levin, A. Wundsam, B. Heller, N. Handigol, and A. Feldmann, “Logically centralized?: state distribution trade-offs in software defined networks,” in Proceedings of the first workshop on Hot topics in software defined networks. ACM, 2012, pp. 1–6.
[8] F. J. Ros and P. M. Ruiz, “Five nines of southbound reliability in software-defined networks,” in Proceedings of the third workshop on Hot topics in software defined networking. ACM, 2014, pp. 31–36.
[9] L. F. Müller, R. R. Oliveira, M. C. Luizelli, L. P. Gaspary, and M. P. Barcellos, “Survivor: an enhanced controller placement strategy for improving sdn survivability,” in 2014 IEEE Global Communications Conference. IEEE, 2014, pp. 1909–1915.
[10] P. Vizarreta, C. M. Machuca, and W. Kellerer, “Controller placement strategies for a resilient sdn control plane,” in Resilient Networks Design and Modeling (RNDM), 2016 8th International Workshop on. IEEE, 2016, pp. 253–259.
[11] E. Sakic, F. Sardis, J. W. Guck, and W. Kellerer, “Towards adaptive state consistency in distributed sdn control plane,” in Conference on Communications (ICC), 2017 IEEE International. IEEE, 2017.
[12] Linux Foundation, “Opendaylight.” [Online]. Available: https://www.opendaylight.org/
[13] M. Casado, M. J. Freedman, J. Pettit, J. Luo, N. McKeown, and S. Shenker, “Ethane: Taking control of the enterprise,” in Proceedings of the 2007 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, ser. SIGCOMM ’07. New York, NY, USA: ACM, 2007, pp. 1–12. [Online]. Available: http://doi.acm.org/10.1145/1282380.1282382
[14] P. Kazemian, M. Chan, H. Zeng, G. Varghese, N. McKeown, and S. Whyte, “Real time network policy checking using header space analysis.” in NSDI, 2013, pp. 99–111.
[15] S. Shin and G. Gu, “Attacking software-defined networks: A first feasibility study,” in Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking. ACM, 2013, pp. 165–166.
[16] L. Schehlmann, S. Abt, and H. Baier, “Blessing or curse? revisiting security aspects of software-defined networking,” in Network and Service Management (CNSM), 2014 10th International Conference on. IEEE, 2014, pp. 382–387.
[17] R. Klöti, V. Kotronis, and P. Smith, “OpenFlow: A security analysis,” Proceedings - International Conference on Network Protocols, ICNP, 2013.
[18] S. M. Mousavi and M. St-Hilaire, “Early detection of DDoS attacks against SDN controllers,” 2015 International Conference on Computing, Networking and Communications, ICNC 2015, pp. 77–81, 2015.
[19] R. Durner, C. Lorenz, M. Wiedemann, and W. Kellerer, “Detecting and mitigating denial of service attacks against the data plane in software defined networks,” in IEEE Conference on Network Softwarization - Workshop on Security in NFV-SDN, 2017.
[20] K. Benton, L. J. Camp, and C. Small, “OpenFlow Vulnerability Assessment Categories and Subject Descriptors,” Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking - HotSDN ’13, pp. 151–152, 2013.
[21] A. Shalimov, D. Zuikov, D. Zimarina, V. Pashkov, and R. Smeliansky, “Advanced study of SDN/OpenFlow controllers,” Proceedings of the 9th Central & Eastern European Software Engineering Conference in Russia on - CEE-SECR ’13, pp. 1–6, 2013. [Online]. Available: http://dl.acm.org/citation.cfm?doid=2556610.2556621
[22] R. Durner and W. Kellerer, “The cost of security in the sdn control plane,” CoNEXT Student Workshop, 2015.
[23] H. Hu, W. Han, G.-j. Ahn, and Z. Zhao, “FLOWGUARD,” in Proceedings of the third workshop on Hot topics in software defined networking - HotSDN ’14. New York, New York, USA: ACM Press, 2014, pp. 97–102. [Online]. Available: http://dl.acm.org/citation.cfm?doid=2620728.2620749
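
The authenticated LLDP precaution named in Section IV-A, as an added example that is not from the paper or from any controller's code base: the controller appends an HMAC in an organizationally specific TLV to each discovery probe and records a link only when the tag verifies. The key, the placeholder OUI, the subtype number and all function names are assumptions made for the illustration.

```python
import hashlib, hmac, struct
KEY = b"constructed-demo-key"   # assumption: secret known only to the controller
OUI = b"\x00\x00\x00"           # placeholder OUI, not a registered value
AUTH_SUBTYPE = 1                # hypothetical subtype for the HMAC TLV

def tlv(t, value):
    """Encode one LLDP TLV: 7-bit type, 9-bit length, then the value."""
    return struct.pack("!H", (t << 9) | len(value)) + value

def parse_tlvs(payload):
    """Return [(type, value), ...] up to the End TLV; raise on truncation."""
    out, i = [], 0
    while i + 2 <= len(payload):
        (hdr,) = struct.unpack_from("!H", payload, i)
        t, n, i = hdr >> 9, hdr & 0x1FF, i + 2
        if i + n > len(payload):
            raise ValueError("truncated TLV")
        if t == 0:
            break
        out.append((t, payload[i:i + n]))
        i += n
    return out

def build_probe(dpid, port, key=KEY):
    """LLDP payload sent out of (dpid, port), with an HMAC TLV appended."""
    body = (tlv(1, b"\x07" + dpid.encode())         # Chassis ID, locally assigned
            + tlv(2, b"\x07" + str(port).encode())  # Port ID, locally assigned
            + tlv(3, struct.pack("!H", 120)))       # TTL in seconds
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tlv(127, OUI + bytes([AUTH_SUBTYPE]) + tag) + tlv(0, b"")

def verify_probe(payload, key=KEY):
    """Return (dpid, port) if the HMAC TLV verifies, else None (no link added)."""
    try:
        tlvs = parse_tlvs(payload)
    except ValueError:
        return None
    fields = {t: v for t, v in tlvs if t in (1, 2, 3)}
    tags = [v[4:] for t, v in tlvs if t == 127 and v[:4] == OUI + bytes([AUTH_SUBTYPE])]
    if len(fields) != 3 or len(tags) != 1:
        return None
    body = tlv(1, fields[1]) + tlv(2, fields[2]) + tlv(3, fields[3])
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tags[0]):
        return None
    return fields[1][1:].decode(), int(fields[2][1:])

if __name__ == "__main__":
    probe = build_probe("of:0000000000000001", 3)     # constructed sample
    print(verify_probe(probe), verify_probe(probe.replace(b"\x073", b"\x074")))
```

The tag covers forged or altered probes only; a genuine probe relayed unchanged between two ports still verifies, so link validation needs further checks beyond the HMAC.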