As an early software-defined networking (SDN) protocol, OpenFlow carries a security flaw that is long-standing, ubiquitous, and hard to fix quickly.
In a post to the oss-sec mailing list, Kashyap Thimmaraju of the Technical University of Berlin reported that the OpenFlow handshake has never included an authentication step: the protocol "does not require the controller to authenticate switches", and "the controller is not required to authorize switches access to the controller." Because the flaw is in the protocol itself rather than in one product, any OpenFlow implementation may be affected.
The design implicitly relies on switches and controllers sharing a physically protected network. After the Snowden disclosures, however, researchers could no longer trust network designs that rely solely on physical access protection.
The post lists the following potential attack paths:
“CVE-2018-1000155: Denial of Service, Improper Authentication and Authorization, and Covert Channel in the OpenFlow handshake
The OpenFlow handshake does not require the controller to authenticate switches during the OpenFlow handshake. Furthermore, the controller is not required to authorize switches access to the controller. The absence of authentication and authorization in the OpenFlow handshake allows one or more malicious switches connected to an OpenFlow controller to cause Denial of Service attacks in certain OpenFlow controllers by spoofing OpenFlow switch identifiers known as DataPath Identifiers (DPIDs). Additionally, the lack of authentication and authorization in the OpenFlow handshake can be exploited by malicious switches for covert communications, bypassing data plane (and potentially control plane) security mechanisms. In particular, the OpenFlow “Features Reply” message sent by the switch is inherently trusted by the controller. Note that for the attacker to launch an attack, the OpenFlow switch must first establish a (secure) transport connection with the OpenFlow controller (e.g., TLS and TCP), and the switch must be controlled by the attacker.”
The researchers note that, without changing the protocol itself (or the large body of third-party software built on it), operators can mitigate the flaw at the transport layer: issue each switch a unique TLS certificate, have the controller keep an allowlist that binds each switch DPID to that certificate, and accept a switch's Features Reply only when the DPID it claims matches the certificate presented during the TLS handshake. This presupposes that the control channel actually runs over TLS rather than the plain TCP that OpenFlow also permits; over plain TCP there is no peer identity to bind the DPID to.
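The controller-side check described above, written out as an added example (this is not code from the oss-sec post or from any OpenFlow controller): it parses an OpenFlow 1.3 OFPT_FEATURES_REPLY to extract the DPID, fingerprints the DER certificate the peer presented during the TLS handshake, and admits the switch only if the allowlist binds that DPID to that fingerprint. The allowlist, the DPIDs and the byte strings standing in for DER certificates are all constructed for the example; in a real controller the certificate would come from `ssl.SSLSocket.getpeercert(binary_form=True)` and the allowlist from configuration.

```python
"""Bind OpenFlow DPIDs to per-switch TLS certificate fingerprints (added example)."""
import hashlib
import struct
from typing import Dict, Tuple

OFP_VERSION_1_3 = 0x04
OFPT_FEATURES_REPLY = 6

# ofp_header: version, type, length, xid (network byte order)
OFP_HEADER = struct.Struct("!BBHI")
# OpenFlow 1.3 ofp_switch_features body: datapath_id, n_buffers, n_tables,
# auxiliary_id, pad[2], capabilities, reserved
OFP_SWITCH_FEATURES = struct.Struct("!QIBBxxII")


def build_features_reply(dpid: int, xid: int = 1) -> bytes:
    """Construct an OpenFlow 1.3 OFPT_FEATURES_REPLY carrying the given DPID.

    Used here only to fabricate test traffic; a real switch sends this message
    in response to the controller's OFPT_FEATURES_REQUEST.
    """
    body = OFP_SWITCH_FEATURES.pack(dpid, 256, 254, 0, 0, 0)
    header = OFP_HEADER.pack(OFP_VERSION_1_3, OFPT_FEATURES_REPLY,
                             OFP_HEADER.size + len(body), xid)
    return header + body


def parse_features_reply(msg: bytes) -> int:
    """Return the DPID claimed in an OFPT_FEATURES_REPLY, rejecting malformed input."""
    if len(msg) < OFP_HEADER.size:
        raise ValueError("truncated OpenFlow header")
    version, msg_type, length, _xid = OFP_HEADER.unpack_from(msg)
    if version != OFP_VERSION_1_3:
        raise ValueError(f"unsupported OpenFlow version 0x{version:02x}")
    if msg_type != OFPT_FEATURES_REPLY:
        raise ValueError(f"expected OFPT_FEATURES_REPLY, got type {msg_type}")
    expected = OFP_HEADER.size + OFP_SWITCH_FEATURES.size
    if length != expected or len(msg) != expected:
        raise ValueError("bad OFPT_FEATURES_REPLY length")
    return OFP_SWITCH_FEATURES.unpack_from(msg, OFP_HEADER.size)[0]


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as a controller would
    compute it from ssl.SSLSocket.getpeercert(binary_form=True)."""
    return hashlib.sha256(cert_der).hexdigest()


def admit_switch(allowlist: Dict[int, str], cert_der: bytes,
                 features_reply: bytes) -> Tuple[bool, str]:
    """Decide whether to accept a switch after TLS handshake and Features Reply.

    The DPID in the Features Reply is trusted only if the allowlist binds it to
    the fingerprint of the certificate this peer actually presented.
    """
    try:
        dpid = parse_features_reply(features_reply)
    except ValueError as exc:
        return False, f"malformed Features Reply: {exc}"
    presented = cert_fingerprint(cert_der)
    bound = allowlist.get(dpid)
    if bound is None:
        return False, f"DPID {dpid:#018x} is not in the allowlist"
    if bound != presented:
        return False, f"DPID {dpid:#018x} is not bound to the presented certificate"
    return True, f"DPID {dpid:#018x} admitted"


# Constructed stand-ins for DER-encoded switch certificates (not real certs).
CERT_SWITCH_A = b"constructed-DER-certificate-for-switch-A"
CERT_SWITCH_B = b"constructed-DER-certificate-for-switch-B"
CERT_UNKNOWN = b"constructed-DER-certificate-of-an-unknown-device"

DPID_A = 0x0000000000000001  # constructed DPIDs
DPID_B = 0x0000000000000002

# Controller-side allowlist: each DPID may be claimed by exactly one certificate.
ALLOWLIST = {
    DPID_A: cert_fingerprint(CERT_SWITCH_A),
    DPID_B: cert_fingerprint(CERT_SWITCH_B),
}


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk through the legitimate case and the spoofing cases from the advisory."""
    return {
        "legit": admit_switch(ALLOWLIST, CERT_SWITCH_A, build_features_reply(DPID_A)),
        # A valid but different switch (B) spoofs switch A's DPID.
        "spoof": admit_switch(ALLOWLIST, CERT_SWITCH_B, build_features_reply(DPID_A)),
        # A device with no certificate binding claims a known DPID.
        "unknown": admit_switch(ALLOWLIST, CERT_UNKNOWN, build_features_reply(DPID_B)),
        # A truncated message is rejected before any identity decision is made.
        "truncated": admit_switch(ALLOWLIST, CERT_SWITCH_A,
                                  build_features_reply(DPID_A)[:12]),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:>9}: {'ACCEPT' if ok else 'REJECT'} - {why}")
```

Without the binding step, the `spoof` case is exactly the DoS path the advisory describes: a switch with a valid certificate (or, over plain TCP, no certificate at all) claims another switch's DPID and the controller believes the Features Reply. Binding the DPID to the certificate fingerprint turns "who says they are" into "who proved they are" without touching the OpenFlow wire format.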
Given that the most recent OpenFlow switch specification dates from April 2015, the researchers contacted the Open Networking Foundation to ask whether it intended to revise the handshake protocol.