Ronny Lam


Abusing Software Defined Networks

In my last post I mentioned that I was going to do less of Software Defined Networking. But @RaymondKuiper got my interest in just one tweet.

With clear-text wire protocol implementations, little support for switch TLS, no authentication for nodes, poorly conceived rate-limiting features in the controllers, controller APIs that don’t require authentication, and back-door netconf access, the leading platforms Floodlight and OpenDaylight, are ripe for attack.

This was indeed bound to happen. Encryption is part of the OpenFlow standard, but not mandatory: the specification says that the switch and controller may talk over TLS, and may equally talk over plain TCP. And when it is not mandatory, people are not going to use it, especially in lab environments. This is partly understandable from an open source controller perspective. Developing software without encryption is always easier than with it. But I do not understand it from the hardware vendors. We fought and won the SSH battle a while ago, and now we are going back to plain-text protocols?

A good word for OpenDaylight: thankfully they implemented TLS in their software. It is, however, turned off by default. Is this a problem? Since we don't see a lot of production networks yet, it is not. But now is the time to call for awareness. Gregory Pickett did a great job. I can recommend his whitepaper and presentation.
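Whether a controller still accepts clear-text OpenFlow is easy to check yourself. The script below is an added example, not part of this post, of Pickett's material, or of OpenDaylight or Floodlight: it classifies the first bytes seen on a controller port as a TLS record or as a plain-text OpenFlow HELLO (the OpenFlow header is version, type, length, xid, big-endian, and HELLO is type 0), and probe_controller sends an unencrypted HELLO to a live controller to see whether it answers in the clear. Port 6653 is the IANA-assigned OpenFlow port and 6633 the older default; the host in the probe call is an assumption, and the sample byte strings are constructed for the example.

```python
import socket
import struct

# OpenFlow common header: version (1 byte), type (1 byte), length (2 bytes), xid (4 bytes), network byte order.
OFP_HEADER = struct.Struct("!BBHI")
OFPT_HELLO = 0
# Wire version numbers defined by the OpenFlow switch specifications 1.0 through 1.5.
OPENFLOW_WIRE_VERSIONS = {0x01: "1.0", 0x02: "1.1", 0x03: "1.2", 0x04: "1.3", 0x05: "1.4", 0x06: "1.5"}
# TLS record content types: change_cipher_spec, alert, handshake, application_data.
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}


def parse_header(data):
    """Return (version, type, length, xid) from an OpenFlow header, or None if the data is too short."""
    if len(data) < OFP_HEADER.size:
        return None
    return OFP_HEADER.unpack_from(data)


def classify_stream_start(data):
    """Classify the first bytes a peer sends on an OpenFlow controller port.

    "tls"                -> looks like a TLS record (SSLv3/TLS 1.x record version 0x03 0x0N)
    "openflow-plaintext" -> parses as an unencrypted OpenFlow HELLO
    "unknown"            -> neither
    """
    if len(data) >= 5 and data[0] in TLS_CONTENT_TYPES and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    header = parse_header(data)
    if header is not None:
        version, msg_type, length, _xid = header
        if version in OPENFLOW_WIRE_VERSIONS and msg_type == OFPT_HELLO and length >= OFP_HEADER.size:
            return "openflow-plaintext"
    return "unknown"


def build_hello(version=0x04, xid=1):
    """Build a minimal OFPT_HELLO (no hello elements); 0x04 is OpenFlow 1.3 on the wire."""
    return OFP_HEADER.pack(version, OFPT_HELLO, OFP_HEADER.size, xid)


def probe_controller(host, port=6653, timeout=3.0):
    """Send a plain-text HELLO to a controller and report what comes back.

    "openflow-plaintext" means the controller completed the OpenFlow handshake without TLS,
    i.e. any host that can reach the port can pose as a switch. "closed" means it dropped us.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_hello())
            reply = sock.recv(64)
    except (ConnectionError, socket.timeout):
        return "closed"
    if not reply:
        return "closed"
    return classify_stream_start(reply)


if __name__ == "__main__":
    # Constructed samples: an OpenFlow 1.3 HELLO, the start of a TLS ClientHello record, and HTTP noise.
    samples = {
        "switch hello": b"\x04\x00\x00\x08\x00\x00\x00\x01",
        "tls client hello": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
        "http": b"GET / HTTP/1.1\r\n",
    }
    for name, data in samples.items():
        print(f"{name:18s} -> {classify_stream_start(data)}")
    # Live check against a controller in your own lab; host and port are assumptions.
    # print(probe_controller("192.0.2.10", 6653))
```

If probe_controller comes back with "openflow-plaintext", the controller is accepting unauthenticated switch connections from anything that can reach the port, which is exactly the condition Pickett describes; with TLS enabled and plain TCP refused you should see "closed" or a TLS alert classified as "tls".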