1

IST-153 Workshop on CYBER RESILIENCE

Resilience and Security in Software Defined
Networking
Camen Mas-Machuca, Senior Member, IEEE, Petra Vizarreta, Raphael Durner, and Jacek Rak, Member, IEEE

Abstract—This paper gives an overview of the most important

issues on resilience and security in Software Defined Networking.

Network Traffic Bandwidth

monitoring engineering on demand
I. I NTRODUCTION
OFTWARE Defined Networking (SDN) is a recent
S paradigm that aims increasing network flexibility and
efficiency by separating the control from the data plane. The
SDN Controllers

SDN architecture is depicted in Figure 1. The data plane

consists of interconnected forwarding devices, which forward
packets based on their forwarding tables, which are built
based on the input from the controller. The control plane
is the intelligent layer that configures that path at the data
plane based on the requirements from the application layer
and also provides an abstract view of the data plane to the
application layer. Data flows can be set based on request from
the application layer, or based on new flows from connected Fig. 1. Software Defined Networking architecture (figure adapted from [1]).
users. In the last case, the forwarding device will contact the
controller through the so-called secured channel to know how
to proceed. forwarding components able to restore flows in case of one
Although the control plane is a logically centralized entity, local failure. The paper also proposes a reactive splicing
it can be physically distributed at different locations. In that module implemented at the controller, which allows to
case, forwarding devices are assigned to one (or more) con- restore flows in case of multiple failures. Flow restoration is
trollers. Coordination among the controllers is required (e.g., triggered by the controller and hence, it is important that the
federation, hierarchical). controller is available when the failure occurs. Furthermore,
each controller implementation offers different approaches
to address failures scenarios, which can be further extended
II. DATA P LANE R ESILIENCE (e.g., the POX controller offers several algorithms extended
Data plane resilience deals with the protection and by Vaghani et al. [5]).
restoration of data flows. Existing protection schemes for
transport networks such as dedicated or share path protection,
which finds link and/or node disjoint paths can be also III. C ONTROL P LANE R ESILIENCE
applied to SDN networks. These schemes aim at offering In SDN, the control plane of any network device is shifted to
100% reliability and have been further extended in order the SDN controller(s). Hence, any device has to be connected
to consider QoS/security aspects and use less resources at least to one controller. The loss of connectivity between the
when possible [2], [3]. The compromise between protection forwarding devices and their designated controllers, as well
and restoration in terms of flow restoration time and used as the failures of the controllers themselves, might seriously
resources is targeted by pre-computing several disjoint paths, diminish the overall network performance. Heegaard et al. [6]
from which the best one is selected in case of failure. presented five classes of threats to reliability in SDN, which
Another proposed technique by Xie et al. [4] proposes can be summarized as follows:
a proactive local failure recovery module running at the • Threats affecting Control Flows

C. Mas Machuca, P. Vizarreta and R. Durner are with the Chair of – Connectivity loss between forwarding devices and
Communication Networks, Technical University of Munich, TUM, Germany controller(s)
e-mail: (see http://lkn.ei.tum.de).
J. Rak is with the Telecommunications and Informatics Department of
– State consistency between the controller replicas
Computer Communications, Gdansk University of Technology, Poland • Threats affecting the controller
 2

– Controller outages enforcement of network performance policies, which requires

– Controller software design a rather complex software. Today’s production grade SDN
• Human error and misconfiguration of the network controllers have grown to have more than 3 million lines of
Let us briefly present several representative papers address- code [12], and software bugs are inevitable. Some software
ing these threats. The ”Human error and network misconfigu- bugs, such as an error in path computation element or concur-
ration” threat is not specific to SDN based networks, but has rency issues, cannot be overcome with the simple redundancy,
potentially have a much broader impact than in traditionally and more sophisticated fault tolerance mechanisms are needed.
distributed legacy networks, since controller would dissemi- The state-of-the-art literature is still missing a comprehensive
nate the configuration to the entire network. study on nature and frequency of software related failures.

IV. S ECURITY IN SDN

A. Control Flows
As SDN emerges from research to productive deployments,
The control plane in SDN is logically centralized, but may the security of SDN gains more and more importance. The
employ multiple physically distributed SDN controllers across most prominent SDN protocol is OpenFlow, which is de-
the network in order to improve the resilience [7]. Ross et al. scending from Ethane [13]. Ethane was developed to pro-
[8] showed that in order to achieve 99.999% availability of the vide fine grained control in enterprise networks in order to
control plane, the forwarding devices have to be connected to improve the security. One main difference is the change in
at least two controllers for most of today’s wide area networks. network behavior from ”allow-first-restrict-later” to ”restrict-
These control flows are referred as secure channels. first-allow-later”. This approach improves security in SDNs
The resilience of the control plane highly depends on the inherently, when compared to legacy networks . Additionally
number and the location of the controllers in the network. Sev- with the introduction of a centralized control plane, a global
eral controller placement algorithms maximizing the control network view is getting available. Using this global view,
path diversity [9], and optimization of minimal cut sets have largely facilitates network verification methods like introduced
been proposed literature. Vizarreta et al. [10] compared two for example by Kazemian et al. [14]. This is critical to ensure
control path protection designs and also proposed an optimal the isolation of multiple network zones with different security
strategy based on solution of the corresponding Integer Linear demands.
Programming (ILP) problem. It has been shown that protecting On the other hand, SDN also introduces new attack vec-
control paths can improve the control path loss up three orders tors. In the following, the main attack vectors are structured
of magnitude, while adding a small extra delay. However, since according to the planes introduced in Figure 1.
the problem of resilient control paths planning is NP-hard, this
approach does not scale for large networks. Recent efforts have
been focused on finding the efficient approximation algorithms A. Attacks from the Data Plane
for resilient control path design. If the attacker has only access to the data plane, like every
In order to improve the fault tolerance, controllers may host in the network, there are some possible attack vectors:
deploy distributed storage system to replicate the current state an attacker can try to overload the controller [15], the secure
of the nodes and flows under their control. Maintaining the channel between controller and forwarding devices [16] or
state consistency has to find the compromise between accuracy even the switch table [17] by injecting certain packets with
and control traffic, as the other controllers have to be informed high rate. Existing works that try to prevent these Denial of
about any state update (e.g., new flow rule installed). Sakic et Service attacks use anomaly detection mechanisms and block
al. [11] proposed an adaptive consistency framework, where the attacker’s packets directly in the data plane [18], [19]. One
sharing the state updates can be deferred in time, depending on main advantage of SDN is the automatic configuration of the
the application requirements, and hence balancing the trade- network. One example is the automatic topology discovery,
off between control plane latency and message overhead. It usually performed with the Link Layer Discovery Protocol
is important to provide and maintain the reliable connection (LLDP). Without any precautions, like for example authenti-
between the controllers to prevent the loss of the state update cated LLDP Packets, an attacker can manipulate the topology
messages, that could compromise the control plane reliability. view of the controller using forged packets. This can be further
exploited for eavesdropping attacks [17].
B. Controller
The SDN controller is essentially a software component B. Attacks from the Control Plane
running on commodity hardware which makes it susceptible If the attacker can get access to the control plane, by for
to different types of failures. In [1] different failure modes example hijacking a forwarding device, even more serious
of SDN controller were analyzed. The authors have shown threats are possible. An attacker could use conventional means
that the failures of hardware and operating system, although to perform a Man-in-the-middle attack against the secure
less frequent than software failures, contribute more to the channel [20], giving him full control over the network. Addi-
controller outages. tionally attacks with malformed packets in the control plane
The SDN controller is required to perform large set of tasks, can cause failures of the controllers [21] and in consequence
ranging from network state monitoring, traffic steering and cause network failures. To meet these risks, authentication
 3

and encryption of the secure channel is crucial. Unfortunately [9] L. F. Müller, R. R. Oliveira, M. C. Luizelli, L. P. Gaspary, and M. P.
authentication is not always supported in the current SDN Barcellos, “Survivor: an enhanced controller placement strategy for
improving sdn survivability,” in 2014 IEEE Global Communications
ecosystem [22]. Conference. IEEE, 2014, pp. 1909–1915.
[10] P. Vizarreta, C. M. Machuca, and W. Kellerer, “Controller placement
strategies for a resilient sdn control plane,” in Resilient Networks Design
C. Attacks from the Application Plane and Modeling (RNDM), 2016 8th International Workshop on. IEEE,
2016, pp. 253–259.
Additional risks can turn up from the usage of malicious [11] E. Sakic, F. Sardis, J. W. Guck, and W. Kellerer, “Towards adaptive
or malfunctioning SDN applications. This can be relieved state consistency in distributed sdn control plane,” in Conference on
using formal verification methods in the controller [23]. These Communications (ICC), 2017 IEEE International. IEEE, 2017.
[12] Linux Foundation, “Opendaylight.” [Online]. Available:
methods can be used to enforce security rules, like for example https://www.opendaylight.org/
the isolation of different network zones. [13] M. Casado, M. J. Freedman, J. Pettit, J. Luo, N. McKeown, and
One issue for a secure operation of an SDN that remains S. Shenker, “Ethane: Taking control of the enterprise,” in Proceedings
of the 2007 Conference on Applications, Technologies, Architectures,
open is the verification of the security of all components and a and Protocols for Computer Communications, ser. SIGCOMM ’07.
full bottom up trust relationship between all components and New York, NY, USA: ACM, 2007, pp. 1–12. [Online]. Available:
layers. http://doi.acm.org/10.1145/1282380.1282382
[14] P. Kazemian, M. Chan, H. Zeng, G. Varghese, N. McKeown, and
S. Whyte, “Real time network policy checking using header space
V. C ONCLUSION analysis.” in NSDI, 2013, pp. 99–111.
[15] S. Shin and G. Gu, “Attacking software-defined networks: A first feasi-
This paper has given an overview of the most important bility study,” in Proceedings of the second ACM SIGCOMM workshop
on Hot topics in software defined networking. ACM, 2013, pp. 165–
issues and some proposed solutions in order to increase the 166.
reliability and security in Software Defined Networking. As [16] L. Schehlmann, S. Abt, and H. Baier, “Blessing or curse? revisiting se-
it has been mentioned, the flexibility and efficiency offered curity aspects of software-defined networking,” in Network and Service
Management (CNSM), 2014 10th International Conference on. IEEE,
by SDN comes with some challenges (e.g., higher software 2014, pp. 382–387.
failures). [17] R. Klöti, V. Kotronis, and P. Smith, “OpenFlow: A security analysis,”
Proceedings - International Conference on Network Protocols, ICNP,
2013.
ACKNOWLEDGMENT [18] S. M. Mousavi and M. St-Hilaire, “Early detection of DDoS attacks
against SDN controllers,” 2015 International Conference on Computing,
This article is based upon work from COST Action CA Networking and Communications, ICNC 2015, pp. 77–81, 2015.
15127 (Resilient communication services protecting end-user [19] R. Durner, C. Lorenz, M. Wiedemann, and W. Kellerer, “Detecting and
applications from disaster-based failures RECODIS) sup- mitigating denial of service attacks against the data plane in software
defined networks,” in IEEE Conference on Network Softwarization -
ported by COST (European Cooperation in Science and Tech- Workshop on Security in NFV-SDN, 2017.
nology. [20] K. Benton, L. J. Camp, and C. Small, “OpenFlow Vulnerability Assess-
ment Categories and Subject Descriptors,” Proceedings of the second
ACM SIGCOMM workshop on Hot topics in software defined networking
R EFERENCES - HotSDN ’13, pp. 151–152, 2013.
[21] A. Shalimov, D. Zuikov, D. Zimarina, V. Pashkov, and R. Smeliansky,
[1] P. Vizarreta, P. Heegaard, B. Helvik, W. Kellerer, and M. M. Carmen, “Advanced study of SDN/OpenFlow controllers,” Proceedings of the
“Characterization of failure dynamics in sdn controllers,” in Resilient 9th Central & Eastern European Software Engineering Conference
Networks Design and Modeling (RNDM), 2017 9th International Work- in Russia on - CEE-SECR ’13, pp. 1–6, 2013. [Online]. Available:
shop on. IEEE, 2017. http://dl.acm.org/citation.cfm?doid=2556610.2556621
[2] M. Furdek, N. Skorin-Kapov, and L. Wosinska, “Attack-aware dedicated [22] R. Durner and W. Kellerer, “The cost of security in the sdn control
path protection in optical networks,” Journal of Lightwave Technology, plane,” CoNEXT Student Workhop, 2015.
vol. 34, no. 4, pp. 1050–1061, Feb 2016. [23] H. Hu, W. Han, G.-j. Ahn, and Z. Zhao, “FLOWGUARD,”
[3] J. Yallouz and A. Orda, “Tunable qos-aware network survivability,” in Proceedings of the third workshop on Hot topics in
IEEE/ACM Transactions on Networking, vol. 25, no. 1, pp. 139–149, software defined networking - HotSDN ’14. New York, New
Feb 2017. York, USA: ACM Press, 2014, pp. 97–102. [Online]. Available:
[4] A. Xie, X. Wang, W. Wang, and S. Lu, “Designing a disaster-resilient http://dl.acm.org/citation.cfm?doid=2620728.2620749
network with software defined networking,” in 2014 IEEE 22nd Inter-
national Symposium of Quality of Service (IWQoS), May 2014, pp. 135–
140.
[5] R. Vaghani and C.-H. Lung, “A comparison of data forwarding schemes
for network resiliency in software defined networking,” Procedia
Computer Science, vol. 34, pp. 680 – 685, 2014, the 9th International
Conference on Future Networks and Communications (FNC’14)/The
11th International Conference on Mobile Systems and Pervasive
Computing (MobiSPC’14)/Affiliated Workshops. [Online]. Available:
http://www.sciencedirect.com/science/article/pii/S1877050914009521
[6] P. E. Heegaard, B. E. Helvik, and V. B. Mendiratta, “Achieving depend-
ability in software-defined networkinga perspective,” in Reliable Net-
works Design and Modeling (RNDM), 2015 7th International Workshop
on. IEEE, 2015, pp. 63–70.
[7] D. Levin, A. Wundsam, B. Heller, N. Handigol, and A. Feldmann,
“Logically centralized?: state distribution trade-offs in software defined
networks,” in Proceedings of the first workshop on Hot topics in software
defined networks. ACM, 2012, pp. 1–6.
[8] F. J. Ros and P. M. Ruiz, “Five nines of southbound reliability in
software-defined networks,” in Proceedings of the third workshop on
Hot topics in software defined networking. ACM, 2014, pp. 31–36.