Security analysis of OpenDaylight, ONOS, Rosemary and Ryu SDN controllers

Arbettu, Ramachandra Kamath; Khondoker, Rahamatullah; Bayarou, Kpatcha M.; Weber, Frank

doi:10.1109/netwks.2016.7751150

Cited by 41 publications

(15 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For this reason, there are entities dedicated to vulnerability and security analysis and that try to guide industry and academia towards the search for new and better security alternatives (e.g., Red Hat, OWASP 3 , academia). In this regard, in [76], the authors perform a security analysis of the following drivers: ODL, ONOS, Rosemary, and Ryu, looking at the security measures that each driver has. After this analysis, the authors determine that although there is no completely secure controller, the controllers with the best countermeasures against attacks are ODL followed by ONOS.…”

Section: B East/westbound Interface and Control Planementioning

confidence: 99%

A Survey of the Main Security Issues and Solutions for the SDN Architecture

et al. 2021

View full text Add to dashboard Cite

The software-defined networking (SDN) paradigm proposes the decoupling of control and data planes and a centralized software-oriented management approach based on a central controller, easing the development of new applications and services. These design principles pave the way for a more flexible, fast, and dynamic software-controlled network. However, in terms of security, the elements that comprise the SDN architecture present several vulnerabilities, which could be exploited by attackers to carry out malicious actions and thus affect the network and its services. Although for several years, some studies have already focused on identifying the weaknesses of the SDN layer structure, the nature of the attacks, and possible solutions for this paradigm, the literature contains few contributions that review and discuss this topic in an integral fashion. This paper provides a comprehensive, updated, and detailed review of the main security issues and mitigating measures for all layers and interfaces of the SDN architecture, classifying the contributions according to the STRIDE threat modeling methodology categories. Finally, this manuscript identifies, discusses, and synthesizes open challenges and future research directions in this area.

show abstract

Section: B East/westbound Interface and Control Planementioning

confidence: 99%

A Survey of the Main Security Issues and Solutions for the SDN Architecture

et al. 2021

View full text Add to dashboard Cite

show abstract

“…We chose the Ryu SDN open-source controller as it supports TLS communication with OpenFlow switches 8 . It is written in Python and is widely used in research [3] and in commercial products 9 . To exercise the communication between the SDN controller and the virtual switch and to capture latency measurements, we designed the SDN controller as a learning L2 switch, with a MAC address to port number mapping table.…”

Section: Testbedmentioning

confidence: 99%

Trust Anchors in Software Defined Networks

2018

View full text Add to dashboard Cite

Advances in software virtualization and network processing lead to increasing network softwarization. Software network elements running on commodity platforms replace or complement hardware components in cloud and mobile network infrastructure. However, such commodity platforms have a large attack surface and often lack granular control and tight integration of the underlying hardware and software stack. Often, software network elements are either themselves vulnerable to software attacks or can be compromised through the bloated trusted computing base. To address this, we protect the core security assets of network elements -authentication credentials and cryptographic context -by provisioning them to and maintaining them exclusively in isolated execution environments. We complement this with a secure and scalable mechanism to enroll network elements into software defined networks. Our evaluation results show a negligible impact on run-time performance and only a moderate performance impact at the deployment stage. arXiv:1806.07302v1 [cs.NI] 19 Jun 2018 directly (by intercepting or modifying traffic), or indirectly through horizontal attacks aimed to leak authentication credentials and encryption keys [54].Earlier research addressed SDN security through additional services [48,53,21], formal verification [6] and isolated execution using Intel Software Guard Extensions (SGX) [52,43,28,44], and most popular network element implementation support communication over transport layer security (TLS) [15]. Despite these efforts, the confidentiality and integrity of authentication credentials of network elements in SDN remain unaddressed. In particular, the existing approaches to provision authentication credentials to network elements in SDN are either plain insecure or both insecure and unscalable, requiring manual steps 4 [38]. Moreover, credentials provisioned to network elements in virtualized environments are often stored in plaintext on the file system. Adversaries exploiting vulnerabilities in process and virtualization isolation can access authentication credentials to perform network attacks or impersonate network elements. In this paper, we address two complementary questions: (1) How can authentication credentials be securely provisioned to software network elements in SDN deployments? and (2) How can the TLS context of virtual switches be protected on compromised hosts? ContributionsIn this work, we present the following contributions:-A secure, practical, and scalable mechanism to provision authentication credentials and bootstrap communication between software network elements. -TLSonSGX 5 , a library allowing to maintain authentication credentials and the TLS context exclusively in isolated execution environments. -A novel approach to restricting the availability of authentication credentials for SDN components to hosts with an attested trusted computing base. -A first thorough analysis of the performance trade-offs of deploying components of network elements in SGX enclaves. StructureThe remainder of thi...

show abstract

“…The log file in the switch captures and saves diverse file formats. Other research studies have also been conducted using Ryu controller in SDN [14][15][16][17][18][19][20][21][22][23].…”

Section: Introductionmentioning

confidence: 99%

Generation and collection of data for normal and conflicting flows in software defined network flow table

Khairi

Ariffin

Latiff

et al. 2021

IJEECS

View full text Add to dashboard Cite

<a name="_Hlk31039004"></a><span lang="EN-US">In terms of network simplification and regulation, Software Defined Networking (SDN) is a new form of infrastructure that offers greater adaptability and flexibility. SDN, however, is an invention that is logically centralized. </span><span>In addition, the optimization of the control plane and data plane in SDN has become an area deserving of more attention. The flow in OpenFlow has been one of the essential parameters in the SDN standards, in which every individual flow includes packet matching fields, flow priority, separate counters, instructions for packet forwarding, flow timeouts and a cookie. This research work is conducted in order to produce and collect flows from the OpenFlow switch in two scenarios; in normal flows and when conflict policy rules are enforced in the network. In this article, the throughput is required to review and evaluate the conflict impact on two protocols as a performance metric; the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) that flows via a forwarded plane. During the simulation of the SDN OpenFlow network, the metrics are tested using MININET. The results demonstrate that the existence of SDN conflict rules allows TCP and UDP to have a significant average change in bandwidth that eventually affects the network and operations performance.</span>

show abstract

Security analysis of OpenDaylight, ONOS, Rosemary and Ryu SDN controllers

Cited by 41 publications

References 25 publications

A Survey of the Main Security Issues and Solutions for the SDN Architecture

A Survey of the Main Security Issues and Solutions for the SDN Architecture

Trust Anchors in Software Defined Networks

Generation and collection of data for normal and conflicting flows in software defined network flow table

Contact Info

Product

Resources

About