Professional Documents
Culture Documents
net/publication/281776990
CITATIONS READS
10 332
2 authors, including:
Christian Banse
Fraunhofer AISEC
18 PUBLICATIONS 106 CITATIONS
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Christian Banse on 03 February 2016.
Abstract—Software-Defined Networking (SDN) promises to build applications across a wide range of controller platforms.
introduce flexibility and programmability into networks by of- Thirdly, most designs focus on applications which reside
fering a northbound interface (NBI) for developers to create directly within the controller, for example as a controller
SDN applications. However, current designs and implementations
have several drawbacks, including the lack of extended security module, rather than external applications.
features. In this paper, we present a secure northbound interface, In this paper, we present a web-based northbound inter-
through which an SDN controller can offer network resources, face which is secure, controller-independent, and supports the
such as statistics, flow information or topology data, via a REST- deployment of external applications. Its architecture adheres
like API to registered SDN applications. A trust manager ensures to a Security-by-Design approach and incorporates security
that only authenticated and trusted applications can utilize the
interface. Furthermore, a permission system allows for fine- features such as encrypted communication, capability-based
grained authorization and access control to the aforementioned trust management and a resource-based access control model.
resources. We present a prototypical implementation of our This allows to restrict access to only authenticated and trusted
interface and developed example applications using our interface, applications. By encrypting the communication between SDN
including an SDN management dashboard. applications and the controller, we ensure the confidentiality
Keywords-Software-Defined Networking; SDN; network secu- and integrity of the transmitted messages. Additionally, while
rity; northbound interface; trust most web-based NBIs only offer unidirectional communica-
tion, for example by an SDN application accessing resources
I. I NTRODUCTION of the controller, our architecture enables bi-directional com-
Software-Defined Networking (SDN) is a new network munication. This allows us to push events, such as network
paradigm which enables dynamic programmability of the topology and application state changes, from the controller to
underlying network infrastructure. This is achieved by decou- the SDN applications.
pling the decision logic (the control plane) from the individual The rest of the paper is structured as follows. Section
network elements (the data plane) [1]. According to the II gives an overview of related work on the topic of SDN
SDN architecture [2], established by the Open Networking security. Section III postulates design requirements for a secure
Foundation (ONF)1 , SDN controllers act as entities which northbound interface. Section IV provides an overview of
manage the control plane and offer the possibility for SDN our proposed design and Section V describes its prototype
applications to further extend the functionality of a network. implementation. Finally, Section VI concludes this paper.
Possible use cases for SDN applications include virtualized
network functions and business applications that retrieve data II. R ELATED W ORK
from external sources, such as an enterprise resource planning
Previous work, including [3] and [4], has detailed security
(ERP) system, to enforce business policies on a network level.
challenges and threats that arise from SDN. They primarily
As seen in Figure 1, these applications communicate with the
highlight the importance of achieving several security goals
controller and have the ability to program the underlying in-
such as confidentiality, authenticity, integrity and availability
frastructure through interfaces, usually called SDN northbound
interfaces (NBIs).
However, current implementations of these interfaces have SDN Application SDN Application
SDN applications. Without these security features in place, Control Plane SDN Controller
by default, all SDN applications have full access to the under- Southbound Interface (e.g. OpenFlow)
of various entities within the SDN architecture. However, they 3) Authenticity: Additionally, the authenticity of all in-
do not propose any concrete security mechanisms required to volved communication parties, such as the controller and
achieve these goals. SDN applications, needs to be enforced. This is necessary in
To address some of these security goals, the authors of [5] order to prevent the deployment of malicious applications that
have proposed PermOF, a permission system for OpenFlow masquerade as legitimate ones.
implementations. However, the focus is on what the authors 4) Accountability: Lastly, it must be possible to trace the
refer to as OF apps, which represent applications that reside source of each request on the northbound interface. In case
directly within the control plane. This approach is only effec- of a misconfiguration or an attack on the network, the faulty
tive as long as the applications reside in the controller and fails request can then be traced back to its originating application.
to address the security challenges that arise while applications
are deployed external to the controller.
In a similar approach, [6] proposes the OperationCheckpoint B. Application Life Cycle
system which enables the restriction of applications using the
In order to achieve the design of a developer-friendly
API of the open source controller Floodlight. This approach,
interface, we propose, that a northbound interface needs to
however, is controller-dependent and also lacks a mechanism
at least partially support an SDN application’s life cycle.
to verify the authenticity of external applications.
Additionally, SE-floodlight2 , which is an extension of Fort- 1) Deployment: As a prerequisite, the actual source or
NOX [7], also provides a controller-dependent solution and is binary code of an application needs to be deployed. Common
more focused on addressing the security issues surrounding scenarios include deployment on physical machines, VMs or
application residing within the controller. cloud infrastructures, such as OpenStack3 or Amazon EC2,
Lastly, the authors of [8] examined the possibility of ma- as well as new container technologies, such as Docker4 .
licious network services, by analyzing the security of dif- Regardless of the type of deployment, the application requires
ferent controller implementations. As a countermeasure, they network connectivity to the SDN controller. Furthermore, this
introduce a sandbox which controls system-level operations of stage should also encompass the creation of certificates for all
modules running inside a controller. involved communication parties as well as the exchange of
Thus, no solution for a controller-independent secure inte- trust anchors, if a non-public Public Key Infrastructure (PKI)
gration of external SDN applications, as we introduce in this is used.
paper, exists. 2) Registration: In the next step, the controller should
be made aware of available SDN applications. For example,
III. D ESIGN R EQUIREMENTS the SDN controller can offer a registration service, which
In order to support the design of a secure and developer- applications can use to register themselves. To fulfill the
friendly northbound interface, this section formulates a set of security goals confidentiality and authenticity, this registration
requirements that are to be fulfilled. process needs to incorporate an identification of the application
as well as the negotiation of access control mechanisms, such
A. Security Challenges and Goals as permissions.
To adhere to a Security-by-Design approach, several secu- 3) Operations: During operations, an application accesses,
rity challenges and goals have to be addressed when designing modifies or creates network resources through the controller.
a web-based northbound interface. To achieve the aforementioned security goals, communication
1) Confidentiality: The confidentially of messages ex- between the SDN applications and the controller needs to
changed between the applications and the controller may be encrypted. Furthermore, each resource request needs to
contain sensitive information, such as the internal topology undergo an access control check, to ensure that the application
of networks or sometimes even user data, and therefore needs is authorized for the particular request.
to be ensured. Additionally, network resources managed by a
controller must not be accessible by applications that do not
possess the appropriate permission. C. Controller Independence
2) Integrity: The integrity of the transmitted messages
needs to be protected as well. This is required in order to As stated in Section II, most of the previous work related to
protect against a malicious entity which may modify com- securing northbound interfaces has been controller-dependent.
mands issued by a legitimate application, resulting in faulty or We, however, want to achieve the design of an interface that is
harmful messages. Furthermore, the integrity of the controller open, flexible, and independent from the underlying controller
and SDN applications themselves also needs to be protected. platform.
However, since this paper is focused on the communication A possible way to achieve this, is to rely on a web-based
aspect between the entities, this is not within our current scope. interface and a service-oriented approach. In this approach, the
It is, however, a potential challenge that we want to address controller offers the possibility to access and modify resources
in the future. Promising technologies that can be leveraged through a web-service. The web-service acts as an abstraction
include remote attestation techniques and integrity monitoring of the actual controller implementation.
of the container or host that the application is running on.
3 http://www.openstack.org
2 http://www.openflowsec.org/Technologies.html 4 https://www.docker.com
3
TABLE I
R ESOURCES OFFERED BY THE C ONTROLLER S ERVICE messages. For example, an application might be allowed to
create control messages containing new flow rules, but not
Resource Associated Permission Groups allowed to create messages related to configuration.
Hosts permission.hosts.view In our reference design, we utilize the popular SDN protocol
Switches permission.switches.view OpenFlow [10]. However, our approach is generic and the
Applications permission.applications.view control plane protocol could be exchanged or even a multitude
Application Events, permission.applications.events, of different protocols could be used. Furthermore, the mapping
Topology Events, permission.topology.view,
Message Events permission.messages.* of these permissions is configurable. We have chosen a specific
(depends on message, see Table II) set of permissions based on the functionality of the OpenFlow
Network Topology permission.topology.view message type (see Table II).
Network Statistics permission.messages.statistics
Messages permission.messages.* TABLE II
(depends on message, see Table II) M APPING P ERMISSIONS TO O PEN F LOW MESSAGES
B. Events
A. Controller Service
An application can register several listeners to receive the
The Controller Service is a web-service comparable to following event types:
existing controller REST APIs and offers a set of resources 1) Topology Events: An application can be informed about
representing the SDN network. Table I provides an overview of changes in the topology, e.g. when a new switch is added to
resources that a controller service should offer according to our the control plane or a switch is removed. It needs to possess
architecture. Depending on the actual implementation and the the permission permissions.topology.view to receive this kind
designated role of the underlying SDN controller, the service of information.
may offer additional resources, e.g. virtualized networks or 2) Message Events: An application can register to receive
routers. OpenFlow messages originating from the switches or from the
All resources are associated with a certain set of permis- controller itself. The application only receives those messages
sions. These permissions are enforced every time an applica- for which it has been granted permissions.
tion is trying to access, modify or create a specific resource. 3) Application Events: Lastly, by registering this listener,
The granularity of permissions can vary, as demonstrated in the an application can receive all activities originating from
resource Messages, which allows the creation of SDN control other SDN applications. This is useful for the implementa-
tion of monitoring applications. It requires the permission
permission.applications.events.
Certificate
CN=Vendor
CN=Application, O=Vendor
C. Trust Management
SDN Application All communication end-points in our proposed architecture
require valid certificates, e.g. based on X.509 [11], [12]. The
SDN controller needs to possess a valid server certificate,
called the Controller Service Certificate. This certificate must
Certificate
be issued to the domain name of the host running the controller
CN=controller.sdn.domain and it must be signed by an appropriate certificate authority
Controller Service (CA). As a first step in establishing the trust relationship
SDN Controller between the controller and SDN applications, the SDN ap-
plications need to either directly trust this particular CA or
Fig. 2. Service Architecture. trust one of the CAs in the certificate chain.
4
Furthermore, each application needs to possess an individual paradigm of Perfect Forward Secrecy. With perfect forward
Application Certificate, signed by a CA representing the ven- secrecy, the disclosure of the long-term key material does
dor of the application. We denote the certificate of this CA as not lead to the compromise of the exchanged keys used to
Vendor Certificate. Since a commercial application is usually encrypt a session [14]. Hence, when used with TLS within
deployed to multiple customers, it is recommended to generate our architecture, the disclosure of the private asymmetric key
individual application certificates for each deployment. of the controller does not lead to the leakage of the ephemeral
With each deployed application having its own set of key used to encrypt the actual communication between two
application and vendor certificates, it is easy to establish a parties.
trust management based on the aforementioned certificates. Furthermore, it must be ensured that weak ciphers such as
This trust management can then be used to restrict access RC4 [15] are excluded by the endpoint’s TLS configuration.
to the northbound interface to only authenticated and trusted Instead ciphers which are still considered secure, such as AES,
applications. are to be used.
If a trust entry is found, the set of allowed permissions an overview of all applications and network nodes, such
contained in the trust entry are compared against the requested as switches and hosts.. It registers several event listeners
permissions. If the requested permissions exceed the allowed to be immediately informed about changes in the topology.
ones, the application is Rejected. Otherwise, the state of the Additionally, the dashboard is able to provide insight into the
application is set to Registered. In any case, an identifier for configuration of the trust manager, to see the set of permissions
each application is generated by applying a SHA-1 hash to certain applications or vendors can request.
the application certificate’s distinguished name (DN) as well The dashboard makes use of the fact, that the northbound
as the vendor certificate’s DN. interface offers the possibility for an application to retrieve
After a successful registration, the application can now all events generated by other applications. By observing these
issue commands to the controller service and receive events events, it is possible to calculate a Security Status for each
by registering the appropriate event listeners. During the application. This status can have the following characteristics,
runtime phase, the certificates exchanged in the associated TLS which are assigned to the colors red, yellow and green,
sessions are used to identify the individual applications. This respectively.
is done by mapping the SHA-1 hash of the application and • Critical: An application has shown a critical policy vio-
vendor certificate’s DN to an application ID. lation, e.g. by requesting permissions during registration
To enforce the requirement for access control, each com- that exceed the assigned trust.
mand issued by an application is checked against the set • Warning: A warning is triggered, if an application shows
of allowed permissions. The permission system is imple- unusual behavior during runtime, e.g. by executing com-
mented using the Java annotation paradigm8 , which allows mands which exceed the allowed permissions.
the annotation of meta-data to individual Java classes. In our • Good: The default case, if no policy violations or other
implementation, a Java class representing a certain resource is warnings occur.
annotated with a set of required permissions. While accessing
This way, an administrator can use the dashboard to easily
this particular resource through its Java class, the controller re-
observe all SDN applications and check whether they are
trieves the associated permission annotations. If the associated
operating according to their assigned policy.
permissions exceed the allowed permissions for the issuing
application, the command is blocked.
To not be constrained by placing permissions directly into VI. C ONCLUSION
the source code, we employ the Java project annox9 . It enables Software-Defined Networking (SDN) promises to introduce
the storage of annotations in external XML files, allowing us to flexibility and programmability into the network by extracting
re-configure the mapping of permissions to resources without the control plane of a network into a dedicated controller
the need to change the source code. entity. By offering a northbound interface, the functionality
As mentioned before, the controller service is independent of a controller can greatly be extended. However, current
from actual the underlying SDN controller implementation. approaches have several drawbacks, including the lack of
We make heavy use of the Java interface paradigm to achieve extended security features and the dependence on a specific
this. It is necessary to develop a controller-specific stub, for- controller implementation.
warding the request to the actual internal controller code. For In this paper we present an open, flexible and secure north-
our reference implementation, we developed this controller- bound interface based on a REST-like architecture. The NBI
specific module for Floodlight10 , an open-source SDN con- utilizes an encrypted connection to maintain the confidentially,
troller, written in Java. It supports OpenFlow versions up until authenticity and integrity security goals. Furthermore, the
1.4 through a flexible OpenFlow library. integrated trust manager enables the restriction of the inter-
face to only authenticated and trusted applications. Finally, a
B. Applications configurable permission system allows the enforcement of an
We developed a Java framework for SDN applications, authorization concept.
which allows them to use the northbound interface offered by In future work, we want to further strengthen the security
the controller service. It utilizes the REST client implementa- level of our approach by introducing an integrity monitoring
tion of JAX-RS, to register the application with a controller of external SDN applications.
and to issue commands after a successful registration.
To test our framework, we created several example SDN
ACKNOWLEDGMENT
applications that access or modify the network through the
designed northbound interface. Specifically, we implemented This work has been partially funded in the project SASER-
a simplistic rule-based firewall application and an SDN dash- SIEGFRIED by the German Federal Ministry of Education
board which serves as a management console for the network. and Research under the reference 16BP12301.
This dashboard makes use of almost the full range of
functionality that the controller service is offering. It includes R EFERENCES
8 https://docs.oracle.com/javase/8/docs/technotes/guides/language/
[1] O. N. Foundation, “Software-Defined Networking: The New Norm
annotations.html for Networks,” Open Networking Foundation, Tech. Rep., 2012.
9 https://java.net/projects/annox
[Online]. Available: https://www.opennetworking.org/images/stories/
10 http://www.projectfloodlight.org/floodlight/ downloads/sdn-resources/white-papers/wp-sdn-newnorm.pdf
6