Security analysis of OpenDaylight, ONOS, Rosemary and Ryu SDN controllers

There are high expectations for Software-Defined Networking (SDN) in industry as a novel approach that could potentially replace conventional network management and control. However, SDN is not immune to security vulnerabilities, whether those that already exist in legacy systems or new ones that arise from the change in network design. Since the beginning of SDN development, the primary focus of research has been the separation of the control plane from the data plane while keeping performance and operational flexibility unchanged. In the course of achieving this, the security aspects of SDN have taken a back seat. Even though separating the control plane from the data plane is a great step towards simplifying network management, it exposes the network as a potential two-way target for intruders seeking to gain control. Due to the centralized design of SDN, compromising the security of a controller is as good as compromising the security of the whole network. Enterprises moving towards adopting SDN are concerned about these security issues and the problems that result from them. In this paper, we analyze the security issues of a few of the widely used controllers. We found that the OpenDaylight controller is the most secure one compared to the other controllers. In addition, this paper provides a snapshot of current development in the security aspects of SDN controllers, so that it may help SDN controller developers identify the issues and rectify them in future releases.
