The present disclosure relates generally to operation of a software defined networking (SDN) controller and, more particularly, to security features of an SDN controller.
In a computer network, network switching devices (switches) interconnect to form a path for transmitting information between an originator and a recipient. A routing mechanism, or protocol, defines switching logic that forwards the transmitted information in the form of packets between the switches as a series of “hops” along a path. At each switch, the switching logic identifies the next switch, or hop, in the path using an identifier such as a Media Access Control (MAC) address. Shortest Path Bridging (SPB) is a routing mechanism having switching logic such that each switch advertises the nodes it knows about to all the other switches, and eventually all the switches in the network have the same picture of the network and therefore can forward frames to the next hop along a shortest path.
In a conventional router or switch, the fast packet forwarding (data path) and the high level routing decisions (control path) occur on the same device. An OpenFlow Switch separates these two functions. The data path portion still resides on the switch, while high-level routing decisions are moved to a separate controller, typically a standard server. The OpenFlow Switch and Controller communicate via the OpenFlow protocol, which defines messages, such as packet-received, send-packet-out, modify-forwarding-table, and get-stats.
The data path of an OpenFlow Switch presents a clean flow table abstraction; each flow table entry contains a set of packet fields to match, and an action (such as send-out-port, modify-field, or drop). When an OpenFlow Switch receives a packet it has never seen before, for which it has no matching flow entries, it sends this packet to the controller. The controller then makes a decision on how to handle this packet. It can drop the packet, or it can add a flow entry directing the switch on how to forward similar packets in the future.
In simpler terms, OpenFlow allows the path of network packets through the network of switches to be determined by software running on multiple routers (minimum two of them—primary and secondary—has a role of observers). This separation of the control from the forwarding allows for more sophisticated traffic management than is feasible using access control lists (ACLs) and routing protocols.
The OpenFlow protocol can also be referred to as a software-defined networking (SDN) protocol. As alluded to above, an SDN protocol differs in at least one respect from a more traditional protocol in that the switching devices can be relatively low cost and so-called “dumb” switching devices that do not have much if any built-in routing logic. Instead, the switching devices are programmed and controlled by an external network fabric controller device over a programming path different than the data path and/or the control path of the network. The OpenFlow protocol is maintained by the Open Networking Foundation of Palo Alto, Calif., such that a corresponding network fabric controller device is referred to as an OpenFlow network controller. Switching and other network devices are likewise referred to as OpenFlow network devices.
A disadvantage of the OpenFlow protocol in particular is that any OpenFlow network device can join an OpenFlow network. This is problematic, because malicious such devices may easily join existing OpenFlow networks by communicating with the OpenFlow network controllers controlling these OpenFlow networks. The OpenFlow protocol provides little protection against untrusted OpenFlow network devices becoming part of an OpenFlow network.