The good news is that OpenFlow itself appears to be a fairly secure protocol. The bad news is that inconsistencies in how it is deployed could leave some switches vulnerable.
Nicholas Gray, a PhD student at the University of Würzburg in Germany, presented detailed results from automated software testing of the OpenFlow implementation in several Open vSwitch (OVS) releases.
OpenFlow is the protocol an SDN controller uses to connect to and program network devices such as routers and switches, installing the flow rules that decide which path application traffic takes. It is not the only southbound option: a controller can also use OpFlex or NETCONF (the latter typically carrying YANG-modelled configuration).
OVS is an open source virtual switch that has become the de facto standard virtual switch in Xen Project hypervisor environments. It also plays a large role in other open source projects, such as OpenStack.
Gray and his partners developed their Flow Fuzz tool to fuzz-test OpenFlow-based SDN switches. Fuzz testing here meant automatically inundating OVS (in this case running on four SDN-enabled hardware switches) with invalid or random OpenFlow messages, watching for crashes or other misbehaviour in the switch implementation.
Gray explained that there are several attack vectors against software-controlled networks. His work focused on the southbound application programming interfaces (APIs), that is, the OpenFlow control channel into the SDN devices that directly carry user traffic. The aim was to test how robust the connection between switch and controller, on which correct forwarding depends, is against malformed input.
The testing turned up a large number of "anomalies" across all OVS versions, which Gray said would affect switch capacity, but the latest release, OVS 2.7, showed no crashes at all. OVS 2.7 enables OpenFlow 1.0 through 1.3 by default; OpenFlow 1.4, 1.5 and 1.6 must be enabled explicitly by the user.
That is a marked improvement over the 14 crashes found in OVS 2.5, 10 in OVS 2.0 and 13 in OVS 1.5.
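To make concrete what a fuzzer like this throws at a switch's OpenFlow channel, and why the OpenFlow versions an operator enables matter, here is a small added example. It is not Gray's Flow Fuzz code and not Open vSwitch code. It builds an OpenFlow 1.3 HELLO message carrying a version bitmap, parses it the way a careful switch should (every length field checked before it is trusted), negotiates a common version against the set the switch has enabled, and then mutates the message a couple of thousand times to confirm the parser rejects malformed input cleanly instead of crashing. The wire format follows the OpenFlow 1.3 specification; the mutation strategy and all function names (`build_hello`, `parse_hello`, `negotiate`, `mutate`, `fuzz_hello`) are the example's own.

```python
"""OpenFlow 1.3 HELLO: build it, parse it strictly, negotiate a version, fuzz it.
Added example for this article, not Flow Fuzz or Open vSwitch code. Wire format per
the OpenFlow 1.3 spec; mutation strategy and function names are our own choices."""
import random
import struct

OFP_HEADER = struct.Struct("!BBHI")    # version, type, length, xid (big-endian)
HELLO_ELEM_HDR = struct.Struct("!HH")  # element type, element length
OFPT_HELLO = 0
OFPHET_VERSIONBITMAP = 1
OFP_VERSIONS = {0x01: "1.0", 0x02: "1.1", 0x03: "1.2", 0x04: "1.3", 0x05: "1.4", 0x06: "1.5"}


class MalformedMessage(ValueError):
    """Anything a switch should reject outright instead of processing."""


def build_hello(versions, xid=1):
    """Controller-side HELLO advertising `versions` in an OFPHET_VERSIONBITMAP element."""
    bitmap = 0
    for v in versions:
        bitmap |= 1 << v
    elem = HELLO_ELEM_HDR.pack(OFPHET_VERSIONBITMAP, 8) + struct.pack("!I", bitmap)
    header = OFP_HEADER.pack(max(versions), OFPT_HELLO, OFP_HEADER.size + len(elem), xid)
    return header + elem


def parse_hello(data):
    """Switch-side parse that checks every length before trusting it.
    Returns the set of advertised version numbers, or raises MalformedMessage; it
    must never leak an IndexError or struct.error, which is what a fuzzer hunts for."""
    if len(data) < OFP_HEADER.size:
        raise MalformedMessage("truncated header")
    version, msg_type, length, _xid = OFP_HEADER.unpack_from(data)
    if version not in OFP_VERSIONS:
        raise MalformedMessage(f"unknown version {version:#x}")
    if msg_type != OFPT_HELLO:
        raise MalformedMessage(f"expected HELLO, got type {msg_type}")
    if length != len(data):
        raise MalformedMessage(f"length field {length} vs {len(data)} bytes on the wire")
    advertised = None
    offset = OFP_HEADER.size
    while offset < length:
        if length - offset < HELLO_ELEM_HDR.size:
            raise MalformedMessage("truncated hello element header")
        etype, elen = HELLO_ELEM_HDR.unpack_from(data, offset)
        # Element length includes its own 4-byte header; a shorter value, or one
        # that runs past the message, is the classic over-read trigger.
        if elen < HELLO_ELEM_HDR.size or offset + elen > length:
            raise MalformedMessage(f"hello element length {elen} out of bounds")
        if etype == OFPHET_VERSIONBITMAP:
            payload = data[offset + HELLO_ELEM_HDR.size:offset + elen]
            if len(payload) % 4:
                raise MalformedMessage("version bitmap is not whole 32-bit words")
            advertised = set()
            for word_idx in range(len(payload) // 4):
                (word,) = struct.unpack_from("!I", payload, word_idx * 4)
                advertised |= {word_idx * 32 + bit for bit in range(32) if word >> bit & 1}
        offset += (elen + 7) & ~7  # unknown types are skipped; elements are 8-byte aligned
    if advertised is None:
        advertised = {version}  # no bitmap element: negotiate on the header version alone
    return advertised


def negotiate(switch_versions, hello_bytes):
    """Highest version both sides support, as the switch would pick it."""
    common = set(switch_versions) & parse_hello(hello_bytes)
    if not common:
        raise MalformedMessage("no common OpenFlow version")
    return max(common)


def mutate(msg, rng):
    """One header-fuzzer style mutation: bogus version, lying length, truncation or bit flips."""
    b = bytearray(msg)
    choice = rng.randrange(5)
    if choice == 0:
        b[0] = rng.randrange(256)                                              # version byte
    elif choice == 1:
        struct.pack_into("!H", b, 2, rng.randrange(65536))                     # header length
    elif choice == 2:
        struct.pack_into("!H", b, OFP_HEADER.size + 2, rng.randrange(65536))   # element length
    elif choice == 3:
        del b[rng.randrange(len(b)):]                                          # truncate
    else:
        for _ in range(rng.randrange(1, 4)):
            b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)                  # bit flips
    return bytes(b)


def fuzz_hello(iterations=2000, seed=1):
    """Feed mutated HELLOs to the parser; returns (accepted, rejected).
    Any exception other than MalformedMessage is a parser bug and propagates."""
    rng = random.Random(seed)
    seed_msg = build_hello({0x01, 0x04})  # constructed: what an OF 1.0/1.3 controller sends
    accepted = rejected = 0
    for _ in range(iterations):
        try:
            parse_hello(mutate(seed_msg, rng))
            accepted += 1
        except MalformedMessage:
            rejected += 1
    return accepted, rejected
```

Calling `fuzz_hello()` returns how many mutated messages the parser accepted and how many it rejected; a parser that lets a mutation escape as an IndexError or struct.error instead of a MalformedMessage is the kind of anomaly this style of testing exists to find. `negotiate({1, 2, 3, 4}, build_hello({5}))` raises, which models what a controller offering only OpenFlow 1.4 runs into against a switch that, like OVS 2.7 at its defaults, has enabled only 1.0 through 1.3.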
Gray indicated that no new security flaws had been detected in the latest OVS and OpenFlow combination, though he added the word "yet" to the end of his sentence, followed by "but we're still looking."
That further looking will follow updates to Flow Fuzz designed to reduce false positives, lengthen test runs and add more robust extensions.
In the end, Gray said his results showed that SDN controllers can enhance network security, but that the operator's choices and control during deployment are key to achieving it.