A “Man-In-The-Middle” (MIM) attack on a Software Defined Network (SDN) can occur when a malicious impersonator inserts itself in the middle of a communication, acting as a relay or a proxy between the two hosts, thereby exploiting data in the communication without the communicating parties being aware that their communication has been intercepted. MIM attacks are often carried out by manipulating the ARP (Address Resolution Protocol) and/or Grat ARP (Gratuitous ARP) protocols: the attacker sends its own MAC (Media Access Control) address paired with the victim's source IP address, either in a Grat ARP packet or in a response to an ARP request, thereby poisoning the ARP caches on switches and hosts.
While data center networks have security around their network perimeter to protect their networks from out-of-network attacks, there is a growing concern about attacks launched from within a network by a disgruntled employee, where employees perform ARP spoofing, poison the ARP caches of end hosts, or construct data plane packets which emulate other hosts. Traditional prevention of such “inside” MIM attacks utilizes solutions such as DAI (Dynamic ARP Inspection) and DHCP (Dynamic Host Configuration Protocol) snooping. Such solutions utilize a Trusted Ports model which depends on DHCP servers residing behind trusted ports. Such solutions, however, cannot operate for overlay networks because all overlay communications happen over an NVE (Network Virtualization Endpoint), and therefore a traditional “Trust” model is not applicable for such deployments regardless of where a DHCP server is residing.
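The DAI mechanism described above, as an added example that is not part of the original document: ARP packets arriving on an untrusted port are checked against a DHCP-snooping binding table (sender IP to MAC), while packets on a trusted port bypass the check, which is exactly the assumption the text says breaks down behind an NVE. The binding table, port names and packets are constructed sample data.

```python
"""Added example: DAI-style validation of ARP packets against a DHCP-snooping
binding table, with a trusted-port bypass. Constructed sample data; not code
from the original document."""
import struct
from dataclasses import dataclass

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
ARP_LEN = struct.calcsize(ARP_FMT)   # 28 bytes for Ethernet/IPv4 ARP

@dataclass(frozen=True)
class ArpInfo:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

def parse_arp(payload: bytes) -> ArpInfo:
    """Parse the fixed 28-byte ARP header (Ethernet/IPv4 only)."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return ArpInfo(op, mac(sha), ip(spa), mac(tha), ip(tpa))

def inspect_arp(payload, ingress_port, bindings, trusted_ports):
    """Return (verdict, reason). Mirrors the DAI rule in the text: packets on
    trusted ports pass unchecked; on untrusted ports the sender IP/MAC pair
    must match the DHCP-snooping binding table. A gratuitous ARP is one whose
    target IP equals its sender IP (the case used for cache poisoning)."""
    arp = parse_arp(payload)
    if ingress_port in trusted_ports:
        return "allow", "trusted port"
    expected = bindings.get(arp.sender_ip)
    gratuitous = arp.sender_ip == arp.target_ip
    if expected is None:
        return "drop", f"no binding for {arp.sender_ip}"
    if expected != arp.sender_mac:
        kind = "gratuitous ARP" if gratuitous else ("ARP reply" if arp.opcode == 2 else "ARP request")
        return "drop", f"{kind} claims {arp.sender_ip} is at {arp.sender_mac}, binding says {expected}"
    return "allow", "binding matches"

def build_arp(opcode, sha, spa, tha, tpa) -> bytes:
    """Constructed packet builder, used only to create sample input for the checks."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode, mac(sha), ip(spa), mac(tha), ip(tpa))
```

Feeding the same mismatched gratuitous ARP through `inspect_arp` on an untrusted and then a trusted port shows both the detection and the Trusted Ports blind spot the text refers to.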