OpenFlow protocol has a switch authentication vulnerability
It's old, it's everywhere and it's not likely to be fixed in a hurry
The early software-defined networking protocol, OpenFlow, has a vulnerability – but will anyone fix it?
That's the question on the mind of The Register's networking desk, as we await confirmation of the bug by the Open Networking Foundation.
In this post at the oss-sec list, Kashyap Thimmaraju from the Technical University of Berlin wrote that the OpenFlow handshake has always had a missing authentication step: it “does not require the controller to authenticate switches”, and “the controller is not required to authorise switches access to the controller.”
Because it's a protocol vulnerability, there's a chance that any OpenFlow implementation could inherit it.
OpenFlow controller design killing SDN, say network boffinsREAD MORE
The protocol designers may not have even considered this a vulnerability in February 2011 when OpenFlow Version 1.0 was published, because exploitation does require an attacker to attach a maliciously-configured switch to the target network (and establish a TLS connection to the controller).
In a post-Snowden world, though, it's no longer safe to assume that a physical access requirement protects a network.
The attack possibilities outlined in the advisory include:
- Denial of service – the malicious switch can spoof the data path identifiers that identify switches in OpenFlow;
- Covert communications – the advisory says “the OpenFlow 'Features Reply' message sent by the switch is inherently trusted by the controller”.
The researchers say in the absence of an update to the protocol (and a lot of third-party software updates), OpenFlow connections can be secured by giving switches unique TLS certificates, whitelisting switch DPIDs with controllers, and getting the controller to verify DPIDs and their certificates.
The Register contacted the Open Network Foundation for comment – and since the most recent OpenFlow switch specification was published in April 2015, we'll be interested to see whether there's much interest in rewriting the handshake.
As well as Thimmaraj, the university's Robert Krösche, Liron Schiff of GuardiCore Labs, and Stefan Schmid from University of Vienna contributed to the research. ®