The promises of agility, simplified control, and real-time programmability offered by software-defined networking (SDN) are attractive incentives for operators to keep network evolution apace with advances in virtualization technologies. But do these capabilities undermine security? To answer this question, we have investigated the potential vulnerabilities of SDN. Centralization equips networks for programmability, which in turn increases autonomy. One possibility enabled by programmability is the automatic detection and mitigation of DDoS attacks, which results in rapid resolution of any problems that may arise. Programmability also allows network resources to be shared automatically, which – together with the capability to create virtual networks created on top of existing network infrastructure – enables automatic sharing by multiple tenants. At the heart of SDN architecture lies the SDN controller (SDNc). Logically positioned between network elements (NEs) and SDN applications (SDN apps), the SDNc provides an interface between the two. Its centralized position enables it to provide other SDN components with a global overview of what is happening in the network. The SDNc and the shift to centralized control set SDN architecture apart from traditional networks – in which control is distributed. Unfortunately, the centralized position of the SDNc makes it a primary attack surface.

1. WHAT DOES SDN EXPOSE? ✱
AUGUST 31, 2015 ✱ ERICSSON TECHNOLOGY REVIEW 1
C H A R T I N G T H E F U T U R E O F I N N O V A T I O N V O L U M E 9 2 | # 7 . 2 0 1 5
Review
IDENTIFYINGAND
ADDRESSINGTHE
VULNERABILITIES
ANDSECURITYISSUES
OFSDN
ERICSSON
TECHNOLOGY
Tenants
Network elements
C
Applic
Managementmodules
Management
plane
SDN applications
SDN controllers
D-CPI
A-CPI
MM
MM
MM SDN
app
SDNc
NE NE

2. ✱ WHAT DOES SDN EXPOSE?
2 ERICSSON TECHNOLOGY REVIEW ✱ AUGUST 31, 2015
vulnerabilities
IDENTIFYING AND ADDRESSING THE
KRISTIAN SLAVOV
DANIEL MIGAULT
MAKAN POURZANDI
The promises of agility, simplified control, and real-time programmability
offered by software-defined networking (sdn) are attractive incentives for
operators to keep network evolution apace with advances in virtualization
technologies. But do these capabilities undermine security? To answer
this question, we have investigated the potential vulnerabilities of sdn.
The aim is for this architecture to serve as a secure complement to cloud
computing, and to ensure that networks are protected from attack by
malicious intruders.
Tr a d i t i o n a l n e t w o r k architecture
has reached the point where its ability to
adapt to dynamic environments, like those
enabled by virtualization technologies, has
become a hindrance. By separating the
control plane from the data plane, sdn raises
the level of system abstraction, which in turn
opens the door for network programmability,
increased speed of operations, and
simplification: in short, the key to delivering
on its promises, and enabling telecom
networks and it to develop in parallel.
Attheheartofsdn architectureliesthesdn
controller(sdnc).Logicallypositionedbetween
networkelements(nes)andsdn applications(sdn
apps),thesdnc providesaninterfacebetweenthe
two.Itscentralizedpositionenablesittoprovide
othersdn componentswithaglobaloverviewof
whatishappeninginthenetwork;itcanconfigure
nesontheflyanddeterminethebestpathfortraffic.
Thesdnc andtheshifttocentralizedcontrolset
sdn architectureapartfromtraditionalnetworks
–inwhichcontrolisdistributed.Unfortunately,the
centralizedpositionofthesdnc makesitaprimary
surfaceforattack.
SECURITY ISSUES OF SDN
&

3. WHAT DOES SDN EXPOSE? ✱
AUGUST 31, 2015 ✱ ERICSSON TECHNOLOGY REVIEW 3
Forthepurposesofthisarticle,welimited
thescopeofourstudyintothevulnerabilitiesof
sdn tothesinglecontrollerusecase(withone
controllergoverningthedataplane),eventhough
sdn architectureallowsforseveral.Ourdiscussion
coversthesdn elementsandtheirinteractionsin
thesinglecontrollercase,aswellastheinteractions
betweenthesdnc andthemanagementplane.
Whycentralize?
Asdefinedbyonf1
,alogicallycentralizedcontrol
planemakesitpossibletomaintainanetwork-
wideviewofresources,whichcanthenbe
exposedtotheapplicationlayer.Toprovidesuch
acentralizedarchitecture,sdn usesoneormore
nesthatinterfacewiththesdnc.Thebenefitof
buildingnetworksinthiswayissimplifiednetwork
management,andimprovedagility.
Centralizationequipsnetworksfor
programmability,whichinturnincreasesautonomy.
Onepossibilityenabledbyprogrammabilityis
theautomaticdetectionandmitigationofddos
attacks,whichresultsinrapidresolutionofany
problemsthatmayarise.Programmabilityalso
allowsnetworkresourcestobesharedautomatically,
which–togetherwiththecapabilitytocreate
virtualnetworkscreatedontopofexistingnetwork
infrastructure–enablesautomaticsharingby
multipletenants.
Benefitsandvulnerabilities
sdn facilitatestheintegrationofsecurityappliances
intonetworks,whichcanbeimplementeddirectlyon
topofthecontrolplane,ratherthanbeingaddedas
separateappliancesorinstantiatedwithinmultiple
nes.sdn’scentralizedmanagementapproach
enableseventswithintheentirenetworktobe
collectedandaggregated,Theresultingbroader,
morecoherentandmoreaccurateimageofthe
network’sstatus,makessecuritystrategiesboth
easiertoenforceandtomonitor.
Theabilitytoimplementsecuritymechanisms
directlyontopofthecontrolleroronsteeringtraffic
atruntime(usinglegacyapplianceswhennecessary)
makesitpossibletodynamicallyaddtapsand
sensorsatvariousplacesinthenetwork–which
makesformoreeffectivenetworkmonitoring.With
anaccuratepictureofitsstatus,thenetworkcan
morereadilydetectattacks,andthenumberoffalse
positivesreportedcanbereduced.Inpractice,ifa
tapindicatestothesdnc thatadeviceisshowing
signsofbeinghijackedbyabotnet,thesdnc can
steerthepotentiallyoffendingtraffictoanids for
analysisandmonitoring.Ifthetrafficisdeemed
maliciousbytheids,thesdnc canfilteritand
instructthefirst-hopne accordingly.
Itsabilitytofacilitatethecollectionofnetwork-
statusinformationaswellasenablingautomatic
detectionandresolutionofanybreachinsecurity,
makessdn idealforintegrationintonetworkthreat
intelligencecentersandServiceOperationCenters
(socs).Unfortunately,therichfeaturesetofsdn
alsoprovidesalargerattacksurfacecomparedwith
traditionalnetworks–anissuedocumentedina
numberofrecentlypublishedresearchpapers2
.
Referencemodel
Theoverallsdn architecturecomprisesthe
followingelements:
〉〉 nes–whichareresponsibleforforwardingpacketsto
thenextappropriatene orendhost;
〉〉 sdnc –whichsendsforwardingrulesontothenes
accordingtoinstructionsitreceivesfromsdn apps;
Termsand abbreviations
ddos–Distributed DoS | dos–Denial of Service | gre–Generic Routing Encapsulation | ids–intrusion detection system |
ipsec–Internet Protocol Security | mm– management module | mpls–multi-protocol label switching |
ne–network element | onf–Open Networking Foundation | rbac role-based access control | sdnsoftware-defined
networking | sdnc–sdn controller | sla–Service Level Agreement | tls–Transport Layer Security domain-specific
modeling language

4. ✱ WHAT DOES SDN EXPOSE?
4 ERICSSON TECHNOLOGY REVIEW ✱ AUGUST 31, 2015
Tenants
Network elements
Data plane
Control plane
Application plane
Managementmodules
Management
plane
SDN applications
SDN controllers
D-CPI
A-CPI
MM
MM
MM SDN
app
SDNc
NE NE
Figure 1
sdn architecture

5. AUGUST 31, 2015 ✱ ERICSSON TECHNOLOGY REVIEW 5
〉〉 sdn apps–whichissuecommandstodynamically
configurethenetwork;
〉〉 tenants–thelogicalownersofthevirtualnetwork,who
provideconfigurationandpolicyinformationthrough
networkapps;and
〉〉 managementmodules(mms)–whichareresponsible
fordeviceadministration.
AsillustratedinFigure1,thesdn architecture
comprisesfourplanes:thedataplane,thecontrol
plane,theapplicationandthemanagementplane.
Thedataplanecarriesusertrafficthroughthe
differentnes,whicharedynamicallyprogrammed
torespondtothepoliciesofthedifferenttenants.
Forwardingpoliciesareelaborated,andsenton
bythecontrolplanetoeachne.Themanagement
planeisdedicatedtoinfrastructuremanagement,
physicaldevicemanagementaswellasplatform
managementissuessuchasfirmwareandsoftware
upgrades3,4
.Theapplicationplaneisconstitutedby
allapplicationsthatprogramthenetworkthrough
interactionswiththesdnc.Theseapplicationsmay
beindependentandownedbydifferenttenants.
Networksthatarebuiltaccordingtosdn
architectureprinciplesneedtoprotectanumberof
keysecurityassets:
〉〉 availability–thenetworkshouldremainoperational
evenunderattack;
〉〉 performance–thenetworkshouldbeabletoguarantee
abaselinebandwidthandlatencyintheeventofan
attack;
〉〉 integrityandconfidentiality–controlplaneanddata
planeintegrityandisolationshouldbeupheldbetween
tenants.
Toassureprotectionoftheseassets,anumberof
processesneedtobeinplace:
Authenticationandauthorization
Onlyauthenticatedandauthorizedactorsshould
beabletoaccesssdn components.Thegranularity
ofauthenticationandauthorizationmustbe
detailedenoughtolimittheconsequencesofstolen
credentialsoridentityhijacking.
Resiliency
Networksmustbeabletorecoverasautonomously
aspossiblefromanattack,orasoftwareorhardware
failure.Alternatively,networksmustbeableto
dynamicallyworkaroundanyaffectedfunctionality.
Contractualcompliance
Tofulfillslas,mitigationtechniquesmustbe
implemented,andproofthatsuchtechniqueshave
beenactivatedeffectivelymustbeprovided.
Multi-domainisolation
Systemsmustbeabletoisolatetenantsinmultiple
domains,suchastheresourceandtrafficdomains.
Thefollowingformsofisolationapply:
〉〉 resourceisolation–preventstenantsfromstealing
resources,likebandwidth,fromeachother,andis
requiredforsla fulfillment;and
〉〉 trafficisolation–requiredbymulti-tenant
deployments,soatenantcanseeitsowntrafficonly
(thisrequirementappliestobothdataplaneandcontrol
planetraffic).
Repudiation
Allactionscarriedoutbyallsystemactors–both
internalandexternal–mustbelogged,andtheall
logsneedtobesecured.
Transparency
Systemsshouldprovidevisibilityintooperations
andnetworkstatussotheycandeterminethemost
appropriateactionwhenissuesarise.Anactive
approachtosecurityrequirescorrectidentification
andclassificationofanissuesothemostappropriate
actiontomitigateitmaybechosen.Anyaction
shouldbeverifiedtoensurethatithasbeenenforced
effectively.
Thepotentialvulnerabilitiesofsdn architecture
areillustratedinFigure2,whichforthesakeof
simplicityshowsonlyasubsetofthepossiblemajor
attacks.
What’sdifferentaboutsdn security?
Manyofthesecurityissuesrelatedtosdn networks
aresimilartothosethatappearintraditional

6. ✱ WHAT DOES SDN EXPOSE?
6 ERICSSON TECHNOLOGY REVIEW ✱ AUGUST 31, 2015
Configuration Log
Control logic
Hardware Software
LogConfiguration
Net topologyControl logic
Hardware Software
Configuration Flow rules
Hardware Software
Tenant impersonation
Communication hijacking
API abuse
App manipulation
Communication
hijacking
Network
manipulation
Information leakage
Compromised
network
Compromised
system
Communication
hijacking
DoSattack
Admin
impersonation
Tenants
Network elements
Data plane
Control plane
Application plane
Management
module
Management
plane
SDN applications
SDN controllers
D-CPI
A-CPI
MM
MM
MM SDN
app
SDNc
NE NE
DoS attack
Network manipulation
Figure 2
Potential vulnerabilities of
sdn architecture

7. AUGUST 31, 2015 ✱ ERICSSON TECHNOLOGY REVIEW 7
networks.What’sinteresting,however,iswhatsets
sdn apartfromtraditionalnetworks.
Comparedwithtraditionalnetworks,the
separationofthecontrolanddataplanesenables
multi-tenancyandprogrammability,andintroduces
centralizedmanagementintothenetwork
architecture.Inthisnewmodel,tenantsrunsdn
appsthatinterfacewiththesdnc,whichsends
instructionstones.Fromasecurityperspective,
theabilitytoshareanddynamicallyoperatethe
samephysicalnetworkisoneofthekeysecurity-
relateddifferencesbetweensdn andtraditional
architectures.Assuch,sdn securityissuesrelateto
thenewcontrolplanemodel,andmorespecifically
tosecuringinter-componentcommunication,and
controllingthescopeofapplicationsandtenants
throughspecificapisandaccesspolicies.
Whileitmaysoundlikethereareanumberof
obstaclestoovercome,theprogrammabilityand
centralizedmanagementbroughtaboutbysdn
enablesamuchgreateralevelofautonomyto
mitigateanysecuritybreaches–outweighingthe
needforadditionaltechnology.
Centralizednetworkmanagement
Intraditionalnetworks,nestendtobemonitored
andmanagedindividually.However,without
theexistenceofstandardprotocolscapableof
interactingwithallnesirrespectiveoftheir
vendororgeneration,networkmanagement
hasbecomecumbersome.Thesdn approach
enablescoordinatedmonitoringandmanagement
offorwardingpoliciesamongdistributednes,
resultinginamoreflexiblemanagementprocess.
Whilethereisariskofthesdn controlplane
becomingabottleneck,thefactthatithasan
overviewoftheentirenetwork,makesitcapableof
mitigatinganyreportedincidentdynamically.For
example,addos attackcanbedetectedandquickly
mitigatedbyisolatingthesuspecttraffic,networksor
hosts.Unliketraditionalddos appliances–which
generallycarryonlyalocalviewofthenetwork–
centralizedelementspossessamuchbroaderviewof
networktopologyandperformance,makingthesdn
anidealcandidateforthedynamicenforcementofa
coherentsecurityposture.
However,whileitisclearthatcentralization
providessignificantbenefits,italsopresentsa
numberofchallenges,likethefactthatthesdnc
isahighlyattractiveattacksurface.Thankfully,
resiliency,authentication,andauthorizationaddress
thisrisk,reducingtheimpactofattack.
Resilientcontrolplane
Thethreemainelementsofsdn are:sdn apps,the
sdnc,andnes.Giventhatcontrolofthenetworkis
centralized,allcommunicationwithinthecontrol
planeneedstobetreatedascritical,asanoutage
resultingfromasuccessfulattackmayleadtoan
undesiredimpactonbusinesscontinuity.If,for
example,thesdnc ispreventedfromtakingcritical
actiontomitigateados attack,theentirenetwork
andallofitstenantsmaybeaffected.Toavoidthis,
thecontrolplaneneedsagreaterlevelofresiliency
builtintoit.
Tocommunicatewithtenantapplicationsand
nes,thesdnc exposesasetofinterfaces.Allthese
interfacesmayexperienceheavytrafficloads,
dependingonthetypeandnumberofrunning
applications.Trafficontheinterfacescanbefurther
impactedbynes,forexample,forwardingpackets
forwhichtheyhavenoforwardingrules.So,interms
ofdependenceonthesdnc,traditionalnetworks
appeartobemorerobust.
Aneffectivewaytoimprovetheresilienceofthe
centralizedcontrolplaneandpreventthespread
ofddos control-planeattackstotherestofthe
networkistorate-limitnesintermsofbandwidth
andresourceconsumption–suchascpu load,
memoryusage,andapi calls.
Resiliencecanbefurtherenhancedthrough
properresourcededication–wherethesdnc
authenticateseachresourcerequest,and
subsequentlychecksrequestsagainststrong
authorizationcontrolpolicies.
Strongauthenticationandauthorization
Authenticationandauthorizationaretheprocesses
usedtoidentifyanunknownsourceandthen
determineitsaccessprivileges.Implemented
correctly,theseprocessescanprotectnetworksfrom
certaintypesofattack,suchas:

8. ✱ WHAT DOES SDN EXPOSE?
8 ERICSSON TECHNOLOGY REVIEW ✱ AUGUST 31, 2015
〉〉 provisionoffalse(statistical)feedbacktothesystem
–forexample,foolingthesystemintobelievingitis
underattack,resultinginunnecessarydeployment
ofcountermeasures,whichconsumesresourcesand
inevitablyleadstosuboptimalusage;
〉〉 modificationofavalidon-pathrequest–whichresults
inadirectattackthataltersnetworkbehavior;
〉〉 forwardingtrafficthatisnotmeanttobeforwarded,
ornotforwardingtrafficthatshouldbe–subverting
networkisolation;and
〉〉 gainingcontrolaccesstoanycomponent–rendering
theentirenetworkuntrustworthy.
Thecriticalnatureofthesdnc dictatesthat
additionalsecuritymeasuresneedtobetakento
protectit.Attheveryleast,trafficmustbeintegrity
protectedtopreventtamperingofon-pathtraffic,
buteventhislevelofprotectiondoesnotsecure
controldata.
Encryptionisonewayofpreventingcontrol
datafrombeingleaked.But,eventogetherwith
integrityprotection,encryptionisnotsufficientto
protectagainstman-in-the-middle-typeattacks.
Andso,allcommunicationwithinthecontrolplane
mustbemutuallyauthenticated.Securityprotocols
liketls andipsec provideameansformutual
authenticationaswellasforreplayattackprotection,
confidentiality,andintegrityprotection.
Mutualauthenticationdoes,however,present
somedifficulties,suchashowtobootstrapsecurity
intothesystem.Onewaytosolvethisisbyusing
securitycertificates.Howthenthesecertificatesare
issued,installed,stored,andrevokedthenbecomes
thesignificantsecuritydifficulty.Encryptionand
integrityprotectionwithoutmutualauthentication
arelessusefulfromasecuritypointofview.
Theproblemwithmutualauthenticationis
thatitrequirespreviousknowledgeoftheremote
communicatingendpoint–unlessacommonly
trustedthirdpartyexists.
Onasmallscale,mutualauthenticationcanbe
implementedmanually–requiringadministrators
toinstallpropercertificatesorsharedsecretson
allendpoints.However,forcomplexandphysically
separatedsystems–andespeciallyinnetworks
wheremanysdn componentscanbecreated
dynamicallyandadministeredbymultipleparties–
manualimplementationmaynotbefeasible.
Thesdnc providesnetworkconfiguration
informationthroughAPI callstoitsservices,which
enablestenantstousesdn applicationstocontrol
networkbehavior.Thissituationissomewhat
alarming,giventhatphysicalhardwareresources
maybesharedamongrivaltenants.Whileordinary
securitymeasures–suchasargumentsanitization
andvalidation–mustbeinplace,thesdnc also
needsasolidauthentication,authorizationand
accountabilityinfrastructuretoprotectthenetwork
fromunauthorizedchanges.Strongauthentication
andauthorizationprovidesadditionalprotection,as
itpreventsanattackerfromimpersonatingansdn
component,especiallythesdnc.
Byenforcingstrictauthorizationand
accountabilityprocesses,damagescanbelimited,
andreliabletracesforforensicsprovided.Role-
basedaccesscontrol(rbac)isacommonlyused
approachforrestrictingtheactionspermittedby
anapplicationbyassigningaroletoit.Rolescanbe
definedonahost,userorapplicationbasis.
Ineffect,rbac isasecuritypolicyenforcing
system.Thefewerthenumberofpermittedactions,
themorelimitedtheexploitablefunctionality.When
implementedcorrectly,rbac canbeinvaluable.
Unfortunately,thisapproachisrathercumbersome
insystemswithverynarrowlydefinedroles
wherefrequentchangestakeplace.Attheother
endofthescale,rbac losesitsedgeifrolesaretoo
looselydefined.
Forthepurposesofsystemintegrityassurance,
everyeventthatoccursinthesystemshouldbe
recordedinalog.Howtheselogsarestoredand
securedagainstimproperaccessalsoneedstobe
considered,andanexternalhostisrecommended.
Multi-tenancy
Wherenetworksarebuiltusingsdn techniques,itis
possibleforthesamephysicalnetworktobeshared
amongseveraltenants,whichcaninturnmanage
theirownvirtualnetworks.Multi-tenancyallowsfor
betterutilizationofnetworkresources,loweringthe
totalcostofownership.Fortenants,sdn shortens
thetimetakentoreacttochangingsituations

9. WHAT DOES SDN EXPOSE? ✱
AUGUST 31, 2015 ✱ ERICSSON TECHNOLOGY REVIEW 9
through,forexample,automaticscalingofresources.
Tomaintainanacceptablelevelofsecurity,tenants
shouldnotbeabletointerferewitheachother’s
networks,andneednotevenbeawarethattheyare
sharingnetworkresourceswithothers.
Tenantisolation(theseparationofonetenant’s
resourcesandactionsfromanother)isanimportant
featureofsdn frameworksecurity.
Controlplaneisolation
Isolationisonewaytopreventtheactionsofone
tenantfromimpactingothers.Thisisacritical
businessaspectthatmustbestronglyenforced.
Tenantisolationisorchestratedbythesdnc,
andimplementedinsdn nesthroughspecific
forwardingrules.Whiletheburdenofproviding
secureisolationlieswiththesdnc,tenantsalsoplay
animportantroleinsharingthatburden.
Thenetworkprovidesisolationprimarilyonthe
linklayer.Ifatenanthasweaknetworksecurity
procedures,informationdisclosuremayoccur,
resultinginabreachofisolationathigherlayers.
Forexample,aroguesdn appwithprivilegesthat
spanbeyondisolationbordersmayimpactoverall
networksecuritybysteeringtraffictoathirdparty
(informationdisclosure)byover-orunder-billing
(theftofservice)orbydroppingtraffic(dos).
Thecentralizednatureofthesdn controlplane
furtheraccentuatestheimpactofsuchattacks.
Consequently,thetaskofprovidingisolationcannot
beentirelyoffloadedontothesdn network.
Dataplaneisolation
Tenantsrunningabusinessonvirtualnetworks
builtusingsdn maybesubjecttothesame
kindofnetwork-basedattacksasintraditional
networks.However,duetothesharednetworking
infrastructure,theimpactofsuchanattackmaybe
dividedamongsomeorevenallofthesetenants.
Thisisanewrisk,whichmayhaveacommercial
impact;nobodywantstoopenabusinessnexttoa
known(orperceived)troublemakeroronethatis
pronetoattack.
So,forthedataplane,flowsassociatedwith
eachparticulartenantmustremainisolatedatall
times.Isolationmaybeperformedlogicallythrough
overlaynetworks
andenforced
withinthenes.For
example,bytagging
theownershipof
trafficgenerated
byeachtenant,
thetrafficcanbe
carriedoverasharedinfrastructure–onceithas
beenencapsulated(tagged).Tunnelstaggedfor
agiventenantarethenforwardedtothevirtual
networkforthattenant.Manyalternative(and
complementary)techniquesareavailableforthis
typeofencapsulation,includinggre,mpls and
ipsec.
Taggingisonewaytoperformlogicalisolation,
butIP addressescanalsobeused,removingthe
needforspecifictaggingtechniques.Bearingin
mindthatseparatenetworkfunctioninstances
arenotrequiredtoservicedifferenttenants,some
networkfunctionalitycanbesharedbytenantsas
longasisolationispreservedandenforced.
Inadditiontologicalisolation,trafficmaybe
encryptedwithspecifictenantkeys.Thisguarantees
thatinthecaseoflogicalencapsulationviolation,the
datatrafficremainsisolatedandinformationcannot
beleaked.
Isolationissuesneedtoberesolvedwhilebearing
resourceconsumptioninmind.Whiletraffic
isolationcanhelpwithdataleakage,sharedresource
usagealsorequiresresourceisolation.Forexample,
theexistenceofaforwardingloopwithinonetenant
maypotentiallyimpactalltenants,astheproblem
overloadstheunderlyingnetworkequipment.To
counteractthisproblem,thesdnc mustenforce
resourceisolation,andusemeasureslikerate
limitingtominimizetheimpactthatatenantcan
haveonthenetwork.
Programmability
Oneofthesignificantbenefitsbroughtabout
throughsdn isprogrammability:theabilityto
configureanetworkefficiently,securely,andin
atimelymanner.sdn programmabilityexistsin
varyingdegreesofcomplexityandabstraction.At
oneendofthescale,programmabilityenablesnes
AS THE SDNC IS SO
CRITICAL,ADDITIONAL
SECURITY MEASURES ARE
NEEDED TO PROTECT IT

10. ✱ WHAT DOES SDN EXPOSE?
10 ERICSSON TECHNOLOGY REVIEW ✱ AUGUST 31, 2015
tobedynamicallyreprogrammedtoforwarddata
flowsaccordingtotheircapabilitiesandhigher-
levelpoliciesinthenetwork.Attheotherend,sdn
appsenabletenantstoprogrammaticallyissuerun-
timerequirementstothenetwork.Allrequestsare
consolidatedbythesdnc,whichfulfillshigher-level
requestsfromthecapabilitiesavailableatthelower
levels.Tomakethistasktrickier,sdn appsmay
issueorthogonal(mutuallyexclusive/contradicting)
requests.Theautomatedsolutionmaythenneedto
dynamicallyreconfigureachunkofthesdn network
–andallofthismusthappenwithinsecondsorless.
Theprimarybenefitthatprogrammabilitybrings
fornetworksbuiltusingthesdn architecture
approachisflexiblecontrol.Theabilitytocontrol
anetworkandapplychangesinatimelymanner
increasesthenetwork’slevelofagility.Suchflexibility
canmakethenetworkmoresecure,asitisconstantly
monitoredanddesignedtomitigatemalicious
behaviorinmoreorlessrealtime.Thedownsideof
theflexibilityprovidedbyprogrammabilityisthe
significantimpactithasonsecurity.
Configurationcoherency
Allowingtenantstoissueprogrammaticchangesto
thenetworkenablesnetworkstoadapttochanging
conditions–increasingnetworkagility.Inpractical
terms,programmabilitycan,forexample,reduce
thetimeittakestosetupacustomercollaboration
networkfromdaysormonthstominutesorhours.
Programmabilitymayalsoremovetheneedfor
manualconfiguration,whichispronetoerror.The
result:theautomaticreconfigurationofnetworksis
feasible,providingthesdnc withaglobalviewof
thenetwork,enablingittoperformsanitychecking
andregressiontestingsothatnewnetworkscanbe
rapidlydeployed.
Unfortunately,theflexibilityprovidedby
programmabilityallowstenantstomakechanges
tothesharedenvironment,whichcancripplethe
operationoftheentirenetwork–eitherintentionally
orunintentionallyasaresultofmisinformation.
Ensuringcoherencyamongtheactionsofthe
varioussdn appsonthenetworkalsoneedsto
beconsideredfromasecuritypointofview(as
describedin5
).Considerthecasewheresecurity
andload-balancingapplicationsareinstantiated
foragiventenant.Acoherencyconflictarises,for
example,whenthesecurityapplicationdecides
toquarantineaserver,whiletheload-balancing
applicationsimultaneouslydecidestoroutetraffic
tothequarantinedserver–becauseitappearsto
havelowload.Toavoidcoherencyissues,thesdnc
mustbeabletoassessandeliminatethepossibleside
effectsoftheacceptablenetworkchangesby
eachtenant,andtofeatureeffectiveconflict
resolutionheuristics.
Anothertypeofconflictarisesduetothe
complexityofvirtualnetworktopologies,andthe
difficultyofmaintainingacoherentsecuritypolicy
acrossanetwork.Specialcareisrequiredfortraffic
thatneedstobeforwardedtosecurityappliances
formonitoringpurposes.Asthetrafficorpartsofit
canberoutedoverdifferentpaths,methodsneed
tobeputinplacetoensurethatallthetrafficis
covered.Consequently,monitoringisnecessaryon
allpaths.Similarissuesariseintraditionalnetworks,
buttheincreasedservicevelocityofferedbysdn
architecturemayfuelthistypeofconflict.
Dynamicity
Thedynamicandreactivenatureofnetworksbuilt
usingthesdn approachopensupnewpossibilities
forfightingnetworkattacks.Automatednetwork
reconfigurations,forwardingtohoneypots,and
blackholeroutingarejustsomeofthetechniques
thatcanbeemployed.Servicechainingisyet
anothertechniquethatutilizessdn propertiesand
canbeusedtoscreenformaliciouspayloadand
triggermitigatingactions.
Anetworkbuiltusingsdn techniquescando
lower-layeranalysisbasedonparameterssuchas
datarate,source,andpacketsize,whilethetenant
canprovidehigher-layeranalysisbasedonprotocols,
transportports,andpayloadfingerprints.Once
suspiciousbehaviorhasbeendetected,thenetwork
canuseitsprogrammabilityfeaturestoanalyzethe
situationinmoredetailortriggermitigatingactions.
However,whilethefeedbacksystemprovides
someadvantagesintermsofsecurity,italsopresents
someissues.Theinteractionbetweenthedata
planeandthecontrolplanebreaksthefundamental

11. WHAT DOES SDN EXPOSE? ✱
AUGUST 31, 2015 ✱ ERICSSON TECHNOLOGY REVIEW 11
sdn concept:theseparationofthesetwoplanes.
Thisinturnmakesthedataplaneasteppingstone
forattackingthecontrolplane.Aswithother
feedbackloops,thisinteraction,unlessmanaged
appropriately,mayleadtoanoscillatingsituation
thatwilleventuallymakethenetworkunstable.
Conclusion
Thebeautyofsdn liesinitsabilityasatechnology
tomakenetworksflexible,ensureefficientuse
ofresources,andfacilitateamuchhigherlevelof
systemautonomy.Likeanynascenttechnology,sdn
shouldbehandledcautiouslytoavoiditbecoming
anattackvector.However,sdn opensupnew
possibilitiesfortheimplementationofimproved
securitymechanismsinthenetwork,offering
broadervisibility,programmability,aswellasa
centralizedapproachtonetworkmanagement.
Kristian Slavov
◆ Works at Ericsson
Security Research in
Jorvas, Finland. He
has a background in
programming and a keen
interest in security, with
more than 10 years of
experience in this field.
He holds an M.Sc. in
telecommunications
software from Helsinki
University of Technology.
He is also an avid canoe
polo player.
Daniel Migault
◆ Works at Ericsson
Security Research in
Montreal, Canada. He
works on standardization
at IETF and serves as a
liaison between IAB and
ICANN/RSSAC. He used
to work in the Security
Department at Orange
Labs for France Telecom
RD and holds a Ph.D.
in Telecom and Security
from Pierre and Marie
Curie University (UPMC)
and Institut National des
Telecommunications (INT),
France.
Makan Pourzandi
◆ Works at Ericsson
Security Research in
Montreal, Canada. He
has more than 15 years’
experience in security
for telecom systems,
cloud, and distributed
security and software
security. He holds a Ph.D.
in parallel computing and
distributed systems from
the Université Claude
Bernard Lyon 1, France,
and an M.Sc. in parallel
processing from École
Normale Supérieure (ENS)
de Lyon, France.
THEAUTHORS
References
1. Open Networking Foundation, 2014, sdn
Architecture Overview, available at:
http://www.opennetworking.org/images/stories/
downloads/sdn-resources/technical-reports/TR_
SDN-ARCH-Overview-1.1-11112014.02.pdf
2. ACM, 2013, Proceedings,Towards secure
and dependable software-defined networks,
abstract available at:
http://dl.acm.org/citation.cfm?id=2491199
3. Ericsson, 2013, Ericsson Review, Software-
defined networking: the service provider
perspective, available at:
http://www.ericsson.com/news/130221-software-
defined-networking-the-service-provider-
perspective_244129229_c
4. OpenDaylight project, available at:
http://www.opendaylight.org/
5. CSL, SRI International, 2015, Proceedings,
Securing the Software-Defined Network,
available at:
http://www.csl.sri.com/users/porras/SE-
Floodlight.pdf

12. ✱ WHAT DOES SDN EXPOSE?
12 ERICSSON TECHNOLOGY REVIEW ✱ AUGUST 31, 2015
ISSN 0014-0171
284 23-3259 | Uen
© Ericsson AB 2015
Ericsson
SE-164 83 Stockholm, Sweden
Phone: + 46 10 719 0000