AIM-SDN: Attacking Information Mismanagement in SDN-Datastores

Title: AIM-SDN: Attacking Information Mismanagement in SDN-Datastores
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Dixit, Vaibhav Hemant, Doupé, Adam, Shoshitaishvili, Yan, Zhao, Ziming, Ahn, Gail-Joon
Conference Name: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
Publisher: ACM
ISBN Number: 978-1-4503-5693-0
Keywords: cloud computing security, data center architecture, network management datastore architecture, NMDA design, protocol security, pubcrawl, resilience, Resiliency, Scalability, SDN, SDN controllers, SDN security, software defined networking
Abstract

Network Management is a critical process for an enterprise to configure and monitor its network devices using cost-effective methods. It is imperative for it to be robust and free from adversarial or accidental security flaws. With the advent of cloud computing and increasing demands for centralized network control, conventional management protocols like SNMP appear inadequate, and newer techniques like NMDA and NETCONF have been invented. However, unlike SNMP, which underwent improvements concentrating on security, the new data management and storage techniques have not been scrutinized for inherent security flaws. In this paper, we identify several vulnerabilities in widely used critical infrastructures which leverage the Network Management Datastore Architecture (NMDA) design. Software Defined Networking (SDN), a proponent of NMDA, heavily relies on its datastores to program and manage the network. We base our research on the security challenges put forth by the existing datastore design as implemented by the SDN controllers. The vulnerabilities identified in this work have a direct impact on controllers like OpenDaylight, Open Network Operating System and their proprietary implementations (by Cisco, Ericsson, Red Hat, Brocade, Juniper, etc.). Using our threat detection methodology, we demonstrate how the NMDA-based implementations are vulnerable to attacks which compromise the availability, integrity, and confidentiality of the network. We finally propose defense measures to address the security threats in the existing design and discuss the challenges faced while employing these countermeasures.

URL: https://dl.acm.org/citation.cfm?doid=3243734.3243799
DOI: 10.1145/3243734.3243799
Citation Key: dixit_aim-sdn:_2018