Post on 13-Jul-2020


Page 1: Fleet: Defending SDNs from Misbehaving Administrators · conferences.sigcomm.org/sigcomm/2014/doc/slides/201.pdf · 2014-09-13

Fleet: Defending SDNs from Misbehaving Administrators

Stephanos Matsumoto, Samuel Hitz, Adrian Perrig


Motivation

§ The Misbehaving Administrator Problem
  • Administrator affects SDN routing by misconfiguring a correctly functioning controller
§ Human error is responsible for 50-80% of all network outages [1]
§ Misconfigurations that do not cause outages can be difficult to detect

[1] Juniper Networks. What's behind network downtime? 2008.


Fleet's Approach

§ The Fleet controller contributes:
  • Threshold signature functionality to switches
  • Resilience by voting on configurations
§ Orthogonal Approaches
  • Diversity of hardware/software [2]
  • Policy-based flow rules [3, 4]

[2] Diego Kreutz, Fernando Ramos, and Paulo Verissimo. Towards secure and dependable software-defined networks. HotSDN '13.
[3] Philip Porras et al. A security enforcement kernel for OpenFlow networks. HotSDN '12.
[4] Ahmed Khurshid et al. VeriFlow: Verifying network-wide invariants in real time. HotSDN '12.


Adversary Model

§ k misbehaving administrators (out of n total)
  • Network configured to desired level of resilience
  • In practice, k will be small (1 or 2)
§ May create policies selecting undesired paths
§ Cannot otherwise affect controller operation


Assumptions

§ Switches pre-configured with necessary keys
§ Administrators:
  • See the same network topology
  • Are loosely time-synchronized
  • Securely communicate out-of-band
  • Share the same routing policy if not malicious


Fleet Controller Architecture

[Figure labels: Admin 1, Admin 2, Admin 3; Administrator Layer; Switch Intelligence Layer; Fleet Controller; Shared Data Storage; Data Plane (Switches/Links). Legend: Intra-Controller Link, Controller-Switch Link.]


Routing with the Fleet Controller

§ Single-configuration
  • Voting protocol using threshold signatures
§ Multi-configuration (details in paper)
  • Sources or ingress switches can select per-flow routes
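
An added example, not code from the slides or the Fleet prototype: a switch-side quorum check that models the voting idea under the adversary model above. It substitutes per-administrator HMAC votes for a real threshold signature scheme, and the threshold, clock-skew window, key derivation and rule notation are all assumptions.

```python
import hashlib, hmac

# Constructed demo parameters (assumptions, not from the slides).
N_ADMINS, THRESHOLD, MAX_SKEW = 4, 3, 30  # n admins, votes required, seconds

# Stand-in for the keys the switch is pre-configured with: one per admin.
ADMIN_KEYS = {i: hashlib.sha256(b"demo-admin-key-%d" % i).digest()
              for i in range(1, N_ADMINS + 1)}

def config_digest(flow_rules):
    """Canonical digest of a proposed configuration (order-independent)."""
    return hashlib.sha256("\n".join(sorted(flow_rules)).encode()).digest()

def cast_vote(admin_id, flow_rules, timestamp):
    """Administrator side: authenticate (digest, timestamp) with own key."""
    msg = config_digest(flow_rules) + timestamp.to_bytes(8, "big")
    tag = hmac.new(ADMIN_KEYS[admin_id], msg, hashlib.sha256).digest()
    return {"admin": admin_id, "ts": timestamp, "tag": tag}

def switch_accepts(flow_rules, votes, now):
    """Switch side: install only if THRESHOLD distinct admins approved
    exactly this configuration within the allowed clock skew."""
    digest = config_digest(flow_rules)
    approvers = set()
    for v in votes:
        key = ADMIN_KEYS.get(v["admin"])
        if key is None or abs(now - v["ts"]) > MAX_SKEW:
            continue  # unknown admin or stale vote
        msg = digest + v["ts"].to_bytes(8, "big")
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if hmac.compare_digest(expected, v["tag"]):
            approvers.add(v["admin"])  # set: duplicate votes count once
    return len(approvers) >= THRESHOLD

# Constructed sample rules in a made-up "match -> action" notation.
GOOD = ["s1: dst=10.0.0.2 -> port 2", "s2: dst=10.0.0.2 -> port 1"]
BAD = ["s1: dst=10.0.0.2 -> port 3", "s2: dst=10.0.0.2 -> port 1"]

def demo(now=1_000_000):
    honest = [cast_vote(a, GOOD, now) for a in (1, 2, 3)]
    rogue = [cast_vote(4, BAD, now)] * 3         # one admin voting repeatedly
    stale = [cast_vote(a, GOOD, now - 3600) for a in (1, 2, 3)]
    return (switch_accepts(GOOD, honest, now),   # quorum reached
            switch_accepts(BAD, rogue, now),     # single admin cannot pass it
            switch_accepts(BAD, honest, now),    # votes do not transfer
            switch_accepts(GOOD, stale, now))    # old votes are not replayable

if __name__ == "__main__":
    print(demo())
```

Unlike a threshold signature, this stand-in makes the switch hold every administrator's key and verify each vote separately, so it illustrates the acceptance rule rather than the cryptography.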


Single-Configuration Approach

[Figure: the Fleet Controller architecture diagram (Admin 1, Admin 2, Admin 3; Administrator Layer; Switch Intelligence Layer; Shared Data Storage; Data Plane (Switches/Links); Intra-Controller Link; Controller-Switch Link), annotated with the labels Proposal; S2, S3, C; KS1, KS2, KS3.]


Evaluation

§ Prototype implementation in Python-based POX controller and Mininet SDN framework
§ Tested on random topologies of 20 switches and 50 hosts
§ Main question: what dominates recovery time?


Evaluation

§ Key size affects voting protocol length
§ Successful vote takes less than 1s

[Figure: Time [ms] versus Number of Administrators, for a 1024 bit key and a 2048 bit key.]


Evaluation

§ Link failure detection time dominates recovery

[Figure: Recovery Time [s] versus Link Failure Detection Time [s]. Series: 1 out of 4 admins malicious, 2 out of 6 admins malicious, 3 out of 8 admins malicious, 4 out of 10 admins malicious.]


Conclusions

§ Fleet protects against misconfigurations with little overhead
§ Switch intelligence enables useful switch functionality, such as threshold signatures
§ Companies can expand their networks to locations where admins may not be as trusted

Thank you! Questions?