SlideShare a Scribd company logo
1 of 23
Download to read offline
Fourteenforty Research Institute, Inc.
Fourteenforty Research Institute, Inc.
Fourteenforty Research Institute, Inc.
http://www.fourteenforty.jp
OpenFlow Security
ver2.00.02
Junichi Murakami
Executive Officer, Director of Advanced Development Division
Fourteenforty Research Institute, Inc.
1. Introduction
2. OpenFlow Overview
– Software Defined Network(SDN) and OpenFlow
– Background and circumstances
– Technical basics
– Controllers and Switches
– Example of network design and traffic
3. Threat of OpenFlow
– Threat analysis
– Flow entry / Network capability / Switch / Controller
– Conclusions
– Further research
4. References
Agenda
2
Fourteenforty Research Institute, Inc.
• This slide describes an overview of OpenFlow technology and its threat analysis
under the current specification
• This research focuses on the specification of OpenFlow 1.0
• Threats described in this slide does not always mean the feasibility of attacks
on the threats is proven
Introduction
3
Fourteenforty Research Institute, Inc.
• SDN
– Usual networks are fixed system, which are defined by each network
device’s deployment, connections and configurations
– Virtualizations for servers and storages are in progress in a data center in
recent years.
– A network is not so flexible yet, so it needs to be re-designed and re-
configured every time (operation cost is highly increasing)
– SDN is general concept to define network as software for making it more
flexible in terms of its design, control and management
• OpenFlow
– A kind of technology specifications to realize the SDN
Software Defined Network(SDN) and OpenFlow
4
Fourteenforty Research Institute, Inc.
• Open Networking Foundation(ONF) draws up the specification
– https://www.opennetworking.org/
• Board member of ONF is shown as below(4/15/2013)
– Deutsche Telekom, Facebook, Goldman Sachs, Google, Microsoft,
NTT Communications, Verizon, Yahoo!
• Currently most implementations are based on version 1.0
Background and circumstances
5
Date Occurrence
12/31/2009 Version 1.0 published(mainly worked by Stanford University)
2/28/2011 Version 1.1 published
3/21/2011 Open Networking Foundation Founded
12/5/2011 Version 1.2 published
5/25/2012 Version 1.3 published
9/6/2012 Version 1.3.1 published
Fourteenforty Research Institute, Inc.
• Basic concept
– Separate control plane from network devices
– Build up network with OpenFlow Controllers and OpenFlow Switches
– The specification mainly defines switch spec. and communication interface
between OpenFlow Controllers and OpenFlow Switches
Technical basis (1/5)
6
Data plane
(frame transfer)
Control plane
(routing, etc.)
Application
(QoS, redundant, etc.)
Data plane
Control plane
Application
usual network device OpenFlow Switch
OpenFlow Controller
OpenFlow spec.
Interface
Switch spec.
Fourteenforty Research Institute, Inc.
• Flow
– A unit of traffic handled by OpenFlow
• Flow Entry: management structure of Flow consists of 3 elements below
– Header Fields:conditions to determine a target flow
– Instructions: a set of actions which describes how the matched flow being
processed
– Counter:statistics information of the matched flow
Technical Basis (2/5)
7
Header Fields
Ingress port IP src
Ether src IP dst
Ether dst IP proto
Ether type IP ToS bits
VLAN id TCP/UDP src port
VLAN priority TCP/UDP dst port
Actions (partial)
Forward output the flow to specified port
DROP discard the flow
Modify-Field modify specified fields of the
flow
Fourteenforty Research Institute, Inc.
• Controller
– Write a flow entry to a switch
– Respond to a switch’s query (shown as below)
• Switch
– Keep flow entries on a flow table
– Process each flow based on a flow table
– Query to controller if appropriate entry does not exist
Technical Basis (3/5)
8
Controller
Switch
- output flow to port3 if IP_DST == 192.168.1.4
- drop all UDP flow
- modify IP_SRC to 192.168.1.5 and output the
flow to port5 if IP_DST == 10.1.3.51
Flow
Entry
query
Flow Table
* Flow Entry (eg.)
Fourteenforty Research Institute, Inc.
• Can control switch behavior based on flow entry
– repeater, switch, router, load balancer and so on
• Doesn’t need to change physical connections and each device configurations
• Retrieve counters from each switch’s flow table
– Can manipulate routing appropriately according to flow type and load
• Each flow entry on a flow table has a timeout
– hard timeout
– idle timeout
Technical Basis (4/5)
9
Fourteenforty Research Institute, Inc.
• Secure-Channel:communication interface between switches and controllers
– following messages are exchanged over TCP or TLS connections
a. Controller to Switch
• Features:to request the capability of a switch
• Configuration:to set and query configuration parameter in a switch
• Modify-State: to add or delete entry in a flow table and modify port configuration
• Read-State:to collect statistics from a switch
b. Switch to Controller (asynchronous)
• Packet-in:to notify an incoming packet which is not matched to any flow entry
• Flow-Removed:to notify a flow has expired and is deleted from a table
• Port-Status:to notify switch’s port configuration states has changed (eg. link-
down)
c. bidirectional (asynchronous)
• HELLO: messages exchanged when establishing a connection
• ECHO(Request/Reply):ping/pong over the secure-channel
Technical Basis (5/5)
10
Fourteenforty Research Institute, Inc.
Controllers and Switches
11
Software Hardware
Switch • Open vSwitch(OSS)
• Indigo(OSS)
• LINC(OSS)
• UNIVERGE PF1000(NEC)
• UNIVERGE PF5220/PF5240/
PF5248/PF5820(NEC)
• RackSwitch G8264/G8264T(IBM)
• Pronto 3290/3780(Pica8)
• AS4600-54T/L3(Riava)
• HP2920-24G(HP)
Controller • NOX(OSS)
• POX(OSS)
• Trema(OSS)
• Floodlight(OSS)
• Virtual Network Controller
Version 2.0 (NTT data)
• Ryu(OSS)
• UNIVERGE PF6800(NEC)
• Both software and hardware implantations are available
• Hardware based switch is a bit expensive yet
Fourteenforty Research Institute, Inc.
• Install Open vSwitch and Trema on Linux box
• Create a bridge device as br0 and activate it
• Run Trema on localhost:6633/tcp, and specify the controller’s address in the switch
parameter
• Run the controller code below on Trema which makes the switch act like an repeater
Example of network design and traffic(1/4)
12
eth2eth1
host-1 host-2
trema
0.0.0.00.0.0.0
192.168.1.2/24192.168.1.1/24
127.0.0.1:6633/tcp
src: http://www.trema.info/2012/09/repeater-hub/
class RepeaterHub < Controller
def packet_in datapath_id, message
send_flow_mod_add(
datapath_id,
:match => ExactMatch.from( message ),
:actions => ActionOutput.new( OFPP_FLOOD )
)
send_packet_out(
datapath_id,
:packet_in => message,
:actions => ActionOutput.new( OFPP_FLOOD )
)
end
end
Open vSwitch
br0
secure-channel
Fourteenforty Research Institute, Inc.
• Both controller and switch run on same Linux box
• TCP based Secure-Channel (not TLS)
• Red background on screen is the switch’s traffic
Example of network design and traffic(2/4)
13
struct ofp_header {
uint8_t version;
uint8_t type;
uint16_t length;
uint32_t xid;
};
enum ofp_type {
OFTP_HELLO, // 0x0
OFTP_ERROR, // 0x1
OFTP_ECHO_REQUEST, // 0x2
OFTP_ECHO_REPLY, // 0x3
OFTP_VENDOR, // 0x4
OFTP_FEATURES_REQUEST // 0x5
OFTP_FEATURES_REPLY, // 0x6
...
OFTP_SET_CONFIG, // 0x9
OFTP_PACKET_IN, // 0xa
...
OFTP_FLOW_MOD, // 0xe
■Exchanging HELLO messages between the switch and the controller
Fourteenforty Research Institute, Inc.
Example of network design and traffic (3/4)
14
OFTP_FEATURES_REQUESTOFTP_FEATURES_REPLY
replying port configurations
■Features request and reply
Fourteenforty Research Institute, Inc.
Example of network design and traffic (4/4)
15
OFTP_PACKET_IN
OFTP_FLOW_MOD
■Initial configuration and writing flow entry from controller /
PACKET_IN message from switch
12 bytes
OFTP_SET_CONFIG
Fourteenforty Research Institute, Inc.
Threat analysis
16
[premises]
• Assets: a)Flow entry in switch, b)Network capability offered by OpenFlow
• Information system: c)Switch, d)Controller
• Analyze assets’ threat against CIA and the others are against CIAAAR
– CIAAAR: ISO/IEC TR 13335(GMITS)
Assets Information system
Flow entry Network capability Switch Controller
Confidentiality
Integrity
Availability
Authenticity
Accountability
Reliability
region for analysis
Fourteenforty Research Institute, Inc.
Flow entry
17
Assumed threat Countermeasure and comment
C Information leaking on the network Using TLS for Secure-Channel
Information leaking from switches Hardening switches
Information leaking from controllers Hardening controllers
I Tampering on the network Using TLS for Secure-Channel
Tampering in switches Hardening switches
Tampering from controllers Hardening controllers
A Flooding a table using spoofed packet Applying flow entry to prohibit address spoofing
(References 2.c)
Flushing a flow table in switches Hardening switches
Fourteenforty Research Institute, Inc.
Network capability
18
Assumed threat Countermeasure and comment
C Information leaking by corrupted flow entry Hardening switches and controllers
I Traffic tampering by corrupted flow entry Hardening switches and controllers
Integrity loss by secure channel disconnection making secure-channel redundant
A Denial of service by corrupted flow entry Hardening switches and controllers
Denial of service by switches and controllers failure Hardening switches and controllers
Network failure by secure channel disconnection making secure-channel redundant
Fourteenforty Research Institute, Inc.
Switch
19
Assumed threat Countermeasure and comment
Co Hacking a system
(eg. exploiting, password cracking)
Hardening switches
In Hacking a system
(eg. exploiting, password cracking)
Hardening switches
Av Hacking a system
(eg. exploiting, password cracking)
Hardening switches
DoS attack from controllers Hardening controllers
(premise: controllers compromise)
Dos attack from others Applying the flow entry considered such attack
Hardware/Software failure Making a system redundant
Au Hacking a system
(eg. password cracking, identity theft)
Hardening switches
Redirection to fake controllers
(eg. ARP Poisoning)
Authenticating controllers using TLS based on certifications
Ac Tampering logs by hacking Hardening switches
Re Hacking a system
(eg. exploiting, password cracking)
Hardening switches
Fourteenforty Research Institute, Inc.
Controller
20
Assumed threat Countermeasure and comment
Co Hacking a system
(eg. exploiting, password cracking)
Hardening controllers
In Hacking a system
(eg. exploiting, password cracking)
Hardening controllers
Av Hacking a system
(eg. exploiting, password cracking)
Hardening controllers
DoS attack from switches Hardening switches
(premise: switches compromise)
DoS attack from others Applying the flow entry considered such attack
Hardware/Software failure Making a system redundant
Au Hacking a system
(eg. password cracking, identity theft)
Hardening controllers
Redirection to fake switches
(eg. ARP Poisoning)
Authenticating switches using TLS based on certifications
Ac Tampering logs by system hacking Hardening controllers
Re Hacking a system
(eg. exploiting, password cracking)
Hardening controllers
Fourteenforty Research Institute, Inc.
Threat sources
Conclusions
21
• Hardening switches and controllers and TLS for Secure-Channel are required
(depends on where both devices be deployed)
• Both switches and controllers have software component in the system
– usual countermeasures are important technically and operationally
• Especially, should be careful about controllers as it might be an SPOF
Controller breach
Switch breach
Hijacking the
Secure-Channel
Flow entry corruption Taking over the network
Fourteenforty Research Institute, Inc.
• Any way to make a DoS situation to a controller by sending special crafted
packet like smurf(#1) attack and DNS Amp(#2) attack?
– Packet-in flood
– Flow-Removed flood
– Port-Status flood
• remote flow entry detection by various probing packets
• Auditing each individual device’s design and implementation
• Security problem from actual environment and operations
– Logic error in flow entry
Further research
22
#1 http://www.ipa.go.jp/security/ciadr/crword.html#S
#2 http://www.ipa.go.jp/security/vuln/documents/2008/200812_DNS.html
Fourteenforty Research Institute, Inc.
1. Books (Japanese)
a. クラウド時代のネットワーク技術 OpenFlow実践入門
(ISBN-10: 4774154652)
2. Online resources
a. Openflow Networking Foundation
https://www.opennetworking.org/
b. OpenFlow Switch Specifications version 1.0.0
http://www.openflow.org/documents/openflow-spec-v1.0.0.pdf
c. SDNのセキュリティ / Inter-Domain Routing Security 23 (Japanese)
http://irs.ietf.to/wiki.cgi?page=IRS23
References
23

More Related Content

What's hot

Sevana VQM Administration Manual
Sevana VQM Administration ManualSevana VQM Administration Manual
Sevana VQM Administration ManualSevana Oü
 
Vulnerabilities analysis of fault and Trojan attacks in FSM
Vulnerabilities analysis of fault and Trojan attacks in FSMVulnerabilities analysis of fault and Trojan attacks in FSM
Vulnerabilities analysis of fault and Trojan attacks in FSMKurra Gopi
 
FPGA IMPLEMENTATION OF DEBLOCKING FILTER CUSTOM INSTRUCTION HARDWARE ON NIOS-...
FPGA IMPLEMENTATION OF DEBLOCKING FILTER CUSTOM INSTRUCTION HARDWARE ON NIOS-...FPGA IMPLEMENTATION OF DEBLOCKING FILTER CUSTOM INSTRUCTION HARDWARE ON NIOS-...
FPGA IMPLEMENTATION OF DEBLOCKING FILTER CUSTOM INSTRUCTION HARDWARE ON NIOS-...VLSICS Design
 
Device drivers and interrupt service mechanism
Device drivers and interrupt service mechanismDevice drivers and interrupt service mechanism
Device drivers and interrupt service mechanismVijay Kumar
 
Dealing with exceptions Computer Architecture part 2
Dealing with exceptions Computer Architecture part 2Dealing with exceptions Computer Architecture part 2
Dealing with exceptions Computer Architecture part 2Gaditek
 
Lte power management
Lte power managementLte power management
Lte power managementVu Nguyen
 
ASTROSAT SSR - 2015-05-15
ASTROSAT SSR - 2015-05-15ASTROSAT SSR - 2015-05-15
ASTROSAT SSR - 2015-05-15Aritra Sarkar
 
8251
82518251
8251Aisu
 
RFC 1058 - Routing Information Protocol
RFC 1058 - Routing Information ProtocolRFC 1058 - Routing Information Protocol
RFC 1058 - Routing Information ProtocolHoàng Hải Nguyễn
 
Pipelining of Processors
Pipelining of ProcessorsPipelining of Processors
Pipelining of ProcessorsGaditek
 

What's hot (20)

Rfc1723
Rfc1723Rfc1723
Rfc1723
 
Sevana VQM Administration Manual
Sevana VQM Administration ManualSevana VQM Administration Manual
Sevana VQM Administration Manual
 
Central processing unit i
Central processing unit iCentral processing unit i
Central processing unit i
 
H344250
H344250H344250
H344250
 
Vulnerabilities analysis of fault and Trojan attacks in FSM
Vulnerabilities analysis of fault and Trojan attacks in FSMVulnerabilities analysis of fault and Trojan attacks in FSM
Vulnerabilities analysis of fault and Trojan attacks in FSM
 
FPGA IMPLEMENTATION OF DEBLOCKING FILTER CUSTOM INSTRUCTION HARDWARE ON NIOS-...
FPGA IMPLEMENTATION OF DEBLOCKING FILTER CUSTOM INSTRUCTION HARDWARE ON NIOS-...FPGA IMPLEMENTATION OF DEBLOCKING FILTER CUSTOM INSTRUCTION HARDWARE ON NIOS-...
FPGA IMPLEMENTATION OF DEBLOCKING FILTER CUSTOM INSTRUCTION HARDWARE ON NIOS-...
 
Device drivers and interrupt service mechanism
Device drivers and interrupt service mechanismDevice drivers and interrupt service mechanism
Device drivers and interrupt service mechanism
 
Dealing with exceptions Computer Architecture part 2
Dealing with exceptions Computer Architecture part 2Dealing with exceptions Computer Architecture part 2
Dealing with exceptions Computer Architecture part 2
 
Lte power management
Lte power managementLte power management
Lte power management
 
Profibus programming-guide
Profibus programming-guideProfibus programming-guide
Profibus programming-guide
 
Pci
PciPci
Pci
 
CCNA CHAPTER 6 BY jetarvind kumar madhukar
CCNA CHAPTER 6 BY jetarvind kumar madhukarCCNA CHAPTER 6 BY jetarvind kumar madhukar
CCNA CHAPTER 6 BY jetarvind kumar madhukar
 
VLAN
VLANVLAN
VLAN
 
ASTROSAT SSR - 2015-05-15
ASTROSAT SSR - 2015-05-15ASTROSAT SSR - 2015-05-15
ASTROSAT SSR - 2015-05-15
 
Presentation_Final
Presentation_FinalPresentation_Final
Presentation_Final
 
8251
82518251
8251
 
RFC 1058 - Routing Information Protocol
RFC 1058 - Routing Information ProtocolRFC 1058 - Routing Information Protocol
RFC 1058 - Routing Information Protocol
 
Ccna2 ass
Ccna2 assCcna2 ass
Ccna2 ass
 
Pipelining of Processors
Pipelining of ProcessorsPipelining of Processors
Pipelining of Processors
 
Pheripheral interface
Pheripheral interfacePheripheral interface
Pheripheral interface
 

Viewers also liked

Enhancing Security in OpenFlow
Enhancing Security in OpenFlowEnhancing Security in OpenFlow
Enhancing Security in OpenFlowNiketa Chellani
 
OpenFlow Security Threat Detection and Defense Services
OpenFlow Security Threat Detection and Defense ServicesOpenFlow Security Threat Detection and Defense Services
OpenFlow Security Threat Detection and Defense ServicesEswar Publications
 
Mr201307 investigation into_emet4.0_jpn
Mr201307 investigation into_emet4.0_jpnMr201307 investigation into_emet4.0_jpn
Mr201307 investigation into_emet4.0_jpnFFRI, Inc.
 
Architecture of OpenFlow SDNs
Architecture of OpenFlow SDNsArchitecture of OpenFlow SDNs
Architecture of OpenFlow SDNsUS-Ignite
 
Software Define Network
Software Define NetworkSoftware Define Network
Software Define NetworkSubith Babu
 
OpenFlow tutorial
OpenFlow tutorialOpenFlow tutorial
OpenFlow tutorialopenflow
 
OpenFlow 1.5.1
OpenFlow 1.5.1OpenFlow 1.5.1
OpenFlow 1.5.1jungbh
 

Viewers also liked (8)

Enhancing Security in OpenFlow
Enhancing Security in OpenFlowEnhancing Security in OpenFlow
Enhancing Security in OpenFlow
 
OpenFlow Security Threat Detection and Defense Services
OpenFlow Security Threat Detection and Defense ServicesOpenFlow Security Threat Detection and Defense Services
OpenFlow Security Threat Detection and Defense Services
 
Mr201307 investigation into_emet4.0_jpn
Mr201307 investigation into_emet4.0_jpnMr201307 investigation into_emet4.0_jpn
Mr201307 investigation into_emet4.0_jpn
 
Openflow Protocol
Openflow ProtocolOpenflow Protocol
Openflow Protocol
 
Architecture of OpenFlow SDNs
Architecture of OpenFlow SDNsArchitecture of OpenFlow SDNs
Architecture of OpenFlow SDNs
 
Software Define Network
Software Define NetworkSoftware Define Network
Software Define Network
 
OpenFlow tutorial
OpenFlow tutorialOpenFlow tutorial
OpenFlow tutorial
 
OpenFlow 1.5.1
OpenFlow 1.5.1OpenFlow 1.5.1
OpenFlow 1.5.1
 

Similar to Mr201304 open flow_security_eng

btNOG 5: Network Automation
btNOG 5: Network AutomationbtNOG 5: Network Automation
btNOG 5: Network AutomationAPNIC
 
Introduction to OpenFlow
Introduction to OpenFlowIntroduction to OpenFlow
Introduction to OpenFlowJoel W. King
 
Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1Joel W. King
 
Pros And Disadvantages Of Routing
Pros And Disadvantages Of RoutingPros And Disadvantages Of Routing
Pros And Disadvantages Of RoutingSheri Toriz
 
Analytical Modeling of End-to-End Delay in OpenFlow Based Networks
Analytical Modeling of End-to-End Delay in OpenFlow Based NetworksAnalytical Modeling of End-to-End Delay in OpenFlow Based Networks
Analytical Modeling of End-to-End Delay in OpenFlow Based NetworksAzeem Iqbal
 
SDN Fundamentals - short presentation
SDN Fundamentals -  short presentationSDN Fundamentals -  short presentation
SDN Fundamentals - short presentationAzhar Khuwaja
 
Introduction to Software Defined Networking (SDN) presentation by Warren Finc...
Introduction to Software Defined Networking (SDN) presentation by Warren Finc...Introduction to Software Defined Networking (SDN) presentation by Warren Finc...
Introduction to Software Defined Networking (SDN) presentation by Warren Finc...APNIC
 
EC8551 COMMUNICATION NETWORKS
EC8551 COMMUNICATION NETWORKSEC8551 COMMUNICATION NETWORKS
EC8551 COMMUNICATION NETWORKSGOWTHAMMS6
 
sdnppt-140325015756-phpapp01.pptx
sdnppt-140325015756-phpapp01.pptxsdnppt-140325015756-phpapp01.pptx
sdnppt-140325015756-phpapp01.pptxAamirMaqsood8
 
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...Brandon DeVault
 
SDN - OpenFlow protocol
SDN - OpenFlow protocolSDN - OpenFlow protocol
SDN - OpenFlow protocolUlf Marxen
 

Similar to Mr201304 open flow_security_eng (20)

btNOG 5: Network Automation
btNOG 5: Network AutomationbtNOG 5: Network Automation
btNOG 5: Network Automation
 
Introduction to OpenFlow
Introduction to OpenFlowIntroduction to OpenFlow
Introduction to OpenFlow
 
Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1
 
Pros And Disadvantages Of Routing
Pros And Disadvantages Of RoutingPros And Disadvantages Of Routing
Pros And Disadvantages Of Routing
 
PROFIBUS frame analysis - Peter Thomas of Control Specialists
PROFIBUS frame analysis - Peter Thomas of Control SpecialistsPROFIBUS frame analysis - Peter Thomas of Control Specialists
PROFIBUS frame analysis - Peter Thomas of Control Specialists
 
Analytical Modeling of End-to-End Delay in OpenFlow Based Networks
Analytical Modeling of End-to-End Delay in OpenFlow Based NetworksAnalytical Modeling of End-to-End Delay in OpenFlow Based Networks
Analytical Modeling of End-to-End Delay in OpenFlow Based Networks
 
SDN Fundamentals - short presentation
SDN Fundamentals -  short presentationSDN Fundamentals -  short presentation
SDN Fundamentals - short presentation
 
Ports and protocols
Ports and protocolsPorts and protocols
Ports and protocols
 
Introduction to Software Defined Networking (SDN) presentation by Warren Finc...
Introduction to Software Defined Networking (SDN) presentation by Warren Finc...Introduction to Software Defined Networking (SDN) presentation by Warren Finc...
Introduction to Software Defined Networking (SDN) presentation by Warren Finc...
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
 
W4 profinet frame analysis, peter thomas
W4 profinet frame analysis, peter thomasW4 profinet frame analysis, peter thomas
W4 profinet frame analysis, peter thomas
 
SDN approach.pptx
SDN approach.pptxSDN approach.pptx
SDN approach.pptx
 
Lecture14 1
Lecture14 1Lecture14 1
Lecture14 1
 
EC8551 COMMUNICATION NETWORKS
EC8551 COMMUNICATION NETWORKSEC8551 COMMUNICATION NETWORKS
EC8551 COMMUNICATION NETWORKS
 
Sdn ppt
Sdn pptSdn ppt
Sdn ppt
 
sdnppt-140325015756-phpapp01.pptx
sdnppt-140325015756-phpapp01.pptxsdnppt-140325015756-phpapp01.pptx
sdnppt-140325015756-phpapp01.pptx
 
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
 
SDN - OpenFlow protocol
SDN - OpenFlow protocolSDN - OpenFlow protocol
SDN - OpenFlow protocol
 
SDN Introduction
SDN IntroductionSDN Introduction
SDN Introduction
 
OpenFlow Tutorial
OpenFlow TutorialOpenFlow Tutorial
OpenFlow Tutorial
 

More from FFRI, Inc.

Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) FFRI, Inc.
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...FFRI, Inc.
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) FFRI, Inc.
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) FFRI, Inc.
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)FFRI, Inc.
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...FFRI, Inc.
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)FFRI, Inc.
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016  Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016  Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)FFRI, Inc.
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) FFRI, Inc.
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)FFRI, Inc.
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)FFRI, Inc.
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...FFRI, Inc.
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)FFRI, Inc.
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...FFRI, Inc.
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)FFRI, Inc.
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)FFRI, Inc.
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)FFRI, Inc.
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...FFRI, Inc.
 

More from FFRI, Inc. (20)

Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016  Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016  Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
 

Recently uploaded

UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 

Recently uploaded (20)

UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 

Mr201304 open flow_security_eng

  • 1. Fourteenforty Research Institute, Inc. Fourteenforty Research Institute, Inc. Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp OpenFlow Security ver2.00.02 Junichi Murakami Executive Officer, Director of Advanced Development Division
  • 2. Fourteenforty Research Institute, Inc. 1. Introduction 2. OpenFlow Overview – Software Defined Network(SDN) and OpenFlow – Background and circumstances – Technical basics – Controllers and Switches – Example of network design and traffic 3. Threat of OpenFlow – Threat analysis – Flow entry / Network capability / Switch / Controller – Conclusions – Further research 4. References Agenda 2
  • 3. Fourteenforty Research Institute, Inc. • This slide describes an overview of OpenFlow technology and its threat analysis under the current specification • This research focuses on the specification of OpenFlow 1.0 • Threats described in this slide does not always mean the feasibility of attacks on the threats is proven Introduction 3
  • 4. Fourteenforty Research Institute, Inc. • SDN – Usual networks are fixed system, which are defined by each network device’s deployment, connections and configurations – Virtualizations for servers and storages are in progress in a data center in recent years. – A network is not so flexible yet, so it needs to be re-designed and re- configured every time (operation cost is highly increasing) – SDN is general concept to define network as software for making it more flexible in terms of its design, control and management • OpenFlow – A kind of technology specifications to realize the SDN Software Defined Network(SDN) and OpenFlow 4
  • 5. Fourteenforty Research Institute, Inc. • Open Networking Foundation(ONF) draws up the specification – https://www.opennetworking.org/ • Board member of ONF is shown as below(4/15/2013) – Deutsche Telekom, Facebook, Goldman Sachs, Google, Microsoft, NTT Communications, Verizon, Yahoo! • Currently most implementations are based on version 1.0 Background and circumstances 5 Date Occurrence 12/31/2009 Version 1.0 published(mainly worked by Stanford University) 2/28/2011 Version 1.1 published 3/21/2011 Open Networking Foundation Founded 12/5/2011 Version 1.2 published 5/25/2012 Version 1.3 published 9/6/2012 Version 1.3.1 published
  • 6. Fourteenforty Research Institute, Inc. • Basic concept – Separate control plane from network devices – Build up network with OpenFlow Controllers and OpenFlow Switches – The specification mainly defines switch spec. and communication interface between OpenFlow Controllers and OpenFlow Switches Technical basis (1/5) 6 Data plane (frame transfer) Control plane (routing, etc.) Application (QoS, redundant, etc.) Data plane Control plane Application usual network device OpenFlow Switch OpenFlow Controller OpenFlow spec. Interface Switch spec.
  • 7. Fourteenforty Research Institute, Inc. • Flow – A unit of traffic handled by OpenFlow • Flow Entry: management structure of Flow consists of 3 elements below – Header Fields:conditions to determine a target flow – Instructions: a set of actions which describes how the matched flow being processed – Counter:statistics information of the matched flow Technical Basis (2/5) 7 Header Fields Ingress port IP src Ether src IP dst Ether dst IP proto Ether type IP ToS bits VLAN id TCP/UDP src port VLAN priority TCP/UDP dst port Actions (partial) Forward output the flow to specified port DROP discard the flow Modify-Field modify specified fields of the flow
  • 8. Fourteenforty Research Institute, Inc. • Controller – Write a flow entry to a switch – Respond to a switch’s query (shown as below) • Switch – Keep flow entries on a flow table – Process each flow based on a flow table – Query to controller if appropriate entry does not exist Technical Basis (3/5) 8 Controller Switch - output flow to port3 if IP_DST == 192.168.1.4 - drop all UDP flow - modify IP_SRC to 192.168.1.5 and output the flow to port5 if IP_DST == 10.1.3.51 Flow Entry query Flow Table * Flow Entry (eg.)
  • 9. Fourteenforty Research Institute, Inc. • Can control switch behavior based on flow entry – repeater, switch, router, load balancer and so on • Doesn’t need to change physical connections and each device configurations • Retrieve counters from each switch’s flow table – Can manipulate routing appropriately according to flow type and load • Each flow entry on a flow table has a timeout – hard timeout – idle timeout Technical Basis (4/5) 9
  • 10. Fourteenforty Research Institute, Inc. • Secure-Channel:communication interface between switches and controllers – following messages are exchanged over TCP or TLS connections a. Controller to Switch • Features:to request the capability of a switch • Configuration:to set and query configuration parameter in a switch • Modify-State: to add or delete entry in a flow table and modify port configuration • Read-State:to collect statistics from a switch b. Switch to Controller (asynchronous) • Packet-in:to notify an incoming packet which is not matched to any flow entry • Flow-Removed:to notify a flow has expired and is deleted from a table • Port-Status:to notify switch’s port configuration states has changed (eg. link- down) c. bidirectional (asynchronous) • HELLO: messages exchanged when establishing a connection • ECHO(Request/Reply):ping/pong over the secure-channel Technical Basis (5/5) 10
  • 11. Fourteenforty Research Institute, Inc. Controllers and Switches 11 Software Hardware Switch • Open vSwitch(OSS) • Indigo(OSS) • LINC(OSS) • UNIVERGE PF1000(NEC) • UNIVERGE PF5220/PF5240/ PF5248/PF5820(NEC) • RackSwitch G8264/G8264T(IBM) • Pronto 3290/3780(Pica8) • AS4600-54T/L3(Riava) • HP2920-24G(HP) Controller • NOX(OSS) • POX(OSS) • Trema(OSS) • Floodlight(OSS) • Virtual Network Controller Version 2.0 (NTT data) • Ryu(OSS) • UNIVERGE PF6800(NEC) • Both software and hardware implantations are available • Hardware based switch is a bit expensive yet
  • 12. Fourteenforty Research Institute, Inc. • Install Open vSwitch and Trema on Linux box • Create a bridge device as br0 and activate it • Run Trema on localhost:6633/tcp, and specify the controller’s address in the switch parameter • Run the controller code below on Trema which makes the switch act like an repeater Example of network design and traffic(1/4) 12 eth2eth1 host-1 host-2 trema 0.0.0.00.0.0.0 192.168.1.2/24192.168.1.1/24 127.0.0.1:6633/tcp src: http://www.trema.info/2012/09/repeater-hub/ class RepeaterHub < Controller def packet_in datapath_id, message send_flow_mod_add( datapath_id, :match => ExactMatch.from( message ), :actions => ActionOutput.new( OFPP_FLOOD ) ) send_packet_out( datapath_id, :packet_in => message, :actions => ActionOutput.new( OFPP_FLOOD ) ) end end Open vSwitch br0 secure-channel
  • 13. Fourteenforty Research Institute, Inc. • Both controller and switch run on same Linux box • TCP based Secure-Channel (not TLS) • Red background on screen is the switch’s traffic Example of network design and traffic(2/4) 13 struct ofp_header { uint8_t version; uint8_t type; uint16_t length; uint32_t xid; }; enum ofp_type { OFTP_HELLO, // 0x0 OFTP_ERROR, // 0x1 OFTP_ECHO_REQUEST, // 0x2 OFTP_ECHO_REPLY, // 0x3 OFTP_VENDOR, // 0x4 OFTP_FEATURES_REQUEST // 0x5 OFTP_FEATURES_REPLY, // 0x6 ... OFTP_SET_CONFIG, // 0x9 OFTP_PACKET_IN, // 0xa ... OFTP_FLOW_MOD, // 0xe ■Exchanging HELLO messages between the switch and the controller
  • 14. Fourteenforty Research Institute, Inc. Example of network design and traffic (3/4) 14 OFTP_FEATURES_REQUESTOFTP_FEATURES_REPLY replying port configurations ■Features request and reply
  • 15. Fourteenforty Research Institute, Inc. Example of network design and traffic (4/4) 15 OFTP_PACKET_IN OFTP_FLOW_MOD ■Initial configuration and writing flow entry from controller / PACKET_IN message from switch 12 bytes OFTP_SET_CONFIG
  • 16. Fourteenforty Research Institute, Inc. Threat analysis 16 [premises] • Assets: a)Flow entry in switch, b)Network capability offered by OpenFlow • Information system: c)Switch, d)Controller • Analyze assets’ threat against CIA and the others are against CIAAAR – CIAAAR: ISO/IEC TR 13335(GMITS) Assets Information system Flow entry Network capability Switch Controller Confidentiality Integrity Availability Authenticity Accountability Reliability region for analysis
  • 17. Fourteenforty Research Institute, Inc. Flow entry 17 Assumed threat Countermeasure and comment C Information leaking on the network Using TLS for Secure-Channel Information leaking from switches Hardening switches Information leaking from controllers Hardening controllers I Tampering on the network Using TLS for Secure-Channel Tampering in switches Hardening switches Tampering from controllers Hardening controllers A Flooding a table using spoofed packet Applying flow entry to prohibit address spoofing (References 2.c) Flushing a flow table in switches Hardening switches
  • 18. Fourteenforty Research Institute, Inc. Network capability 18 Assumed threat Countermeasure and comment C Information leaking by corrupted flow entry Hardening switches and controllers I Traffic tampering by corrupted flow entry Hardening switches and controllers Integrity loss by secure channel disconnection making secure-channel redundant A Denial of service by corrupted flow entry Hardening switches and controllers Denial of service by switches and controllers failure Hardening switches and controllers Network failure by secure channel disconnection making secure-channel redundant
  • 19. Fourteenforty Research Institute, Inc. Switch 19 Assumed threat Countermeasure and comment Co Hacking a system (eg. exploiting, password cracking) Hardening switches In Hacking a system (eg. exploiting, password cracking) Hardening switches Av Hacking a system (eg. exploiting, password cracking) Hardening switches DoS attack from controllers Hardening controllers (premise: controllers compromise) Dos attack from others Applying the flow entry considered such attack Hardware/Software failure Making a system redundant Au Hacking a system (eg. password cracking, identity theft) Hardening switches Redirection to fake controllers (eg. ARP Poisoning) Authenticating controllers using TLS based on certifications Ac Tampering logs by hacking Hardening switches Re Hacking a system (eg. exploiting, password cracking) Hardening switches
  • 20. Fourteenforty Research Institute, Inc. Controller 20 Assumed threat Countermeasure and comment Co Hacking a system (eg. exploiting, password cracking) Hardening controllers In Hacking a system (eg. exploiting, password cracking) Hardening controllers Av Hacking a system (eg. exploiting, password cracking) Hardening controllers DoS attack from switches Hardening switches (premise: switches compromise) DoS attack from others Applying the flow entry considered such attack Hardware/Software failure Making a system redundant Au Hacking a system (eg. password cracking, identity theft) Hardening controllers Redirection to fake switches (eg. ARP Poisoning) Authenticating switches using TLS based on certifications Ac Tampering logs by system hacking Hardening controllers Re Hacking a system (eg. exploiting, password cracking) Hardening controllers
  • 21. Fourteenforty Research Institute, Inc. Threat sources Conclusions 21 • Hardening switches and controllers and TLS for Secure-Channel are required (depends on where both devices be deployed) • Both switches and controllers have software component in the system – usual countermeasures are important technically and operationally • Especially, should be careful about controllers as it might be an SPOF Controller breach Switch breach Hijacking the Secure-Channel Flow entry corruption Taking over the network
  • 22. Fourteenforty Research Institute, Inc. • Any way to make a DoS situation to a controller by sending special crafted packet like smurf(#1) attack and DNS Amp(#2) attack? – Packet-in flood – Flow-Removed flood – Port-Status flood • remote flow entry detection by various probing packets • Auditing each individual device’s design and implementation • Security problem from actual environment and operations – Logic error in flow entry Further research 22 #1 http://www.ipa.go.jp/security/ciadr/crword.html#S #2 http://www.ipa.go.jp/security/vuln/documents/2008/200812_DNS.html
  • 23. Fourteenforty Research Institute, Inc. 1. Books (Japanese) a. クラウド時代のネットワーク技術 OpenFlow実践入門 (ISBN-10: 4774154652) 2. Online resources a. Openflow Networking Foundation https://www.opennetworking.org/ b. OpenFlow Switch Specifications version 1.0.0 http://www.openflow.org/documents/openflow-spec-v1.0.0.pdf c. SDNのセキュリティ / Inter-Domain Routing Security 23 (Japanese) http://irs.ietf.to/wiki.cgi?page=IRS23 References 23