Limitations of openflow topology discovery protocol

Azzouni, Abdelhadi; Trang, Nguyễn Thị Mai; Boutaba, Raouf; Pujolle, Guy

doi:10.1109/medhocnet.2017.8001642

Cited by 41 publications

(19 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…1) Security of OFDP: The authors of [21], [22], [23], and [24] show that OFDP is vulnerable to spoofing attacks. Injected LLDP control messages may create fake links that redirect traffic to the host of an attacker.…”

Section: Optimized Variants Of Ofdpmentioning

confidence: 99%

“…Injected LLDP control messages may create fake links that redirect traffic to the host of an attacker. The authors of [23] show that OFDP is additionally vulnerable to controller fingerprinting, switch fingerprinting, and LLDP flooding attacks. The authors of [24] show that OFDP is vulnerable to replay attacks of LLDP packets that result in incorrect link information of the topology.…”

Section: Optimized Variants Of Ofdpmentioning

confidence: 99%

See 1 more Smart Citation

P4-MACsec: Dynamic Topology Monitoring and Data Layer Protection With MACsec in P4-Based SDN

et al. 2020

View full text Add to dashboard Cite

We propose P4-MACsec to protect network links between P4 switches through automated deployment of MACsec, a widespread IEEE standard for securing Layer 2 infrastructures. It is supported by switches and routers from major manufacturers and has only little performance limitations compared to VPN technologies such as IPsec. P4-MACsec introduces a data plane implementation of MACsec including AES-GCM encryption and decryption directly on P4 switches. P4-MACsec features a twotier control plane structure where local controllers running on the P4 switches interact with a central controller. We propose a novel secure link discovery mechanism that leverages protected LLDP frames and the two-tier control plane structure for secure and efficient management of a global link map. Automated deployment of MACsec creates secure channel, generates keying material, and configures the P4 switches for each detected link between two P4 switches. It detects link changes and performs rekeying to provide a secure, configuration-free operation of MACsec. In this paper, we review the technological background of P4-MACsec and explain its architecture. To demonstrate the feasibility of P4-MACsec, we implement it on the BMv2 P4 software switch and validate the prototype through experiments. We evaluate its performance through experiments that focus on TCP throughput and round-trip time. We publish the prototype and experiment setups on Github.

show abstract

Section: Optimized Variants Of Ofdpmentioning

confidence: 99%

Section: Optimized Variants Of Ofdpmentioning

confidence: 99%

P4-MACsec: Dynamic Topology Monitoring and Data Layer Protection With MACsec in P4-Based SDN

et al. 2020

View full text Add to dashboard Cite

show abstract

“…Such protocol is based on the exchange of Link Layer Discovery Protocol (LLDP) packets containing chassis‐ID and port‐ID identifiers in their payload, so that the controller can use this information, along with other metadata, to map the underlying links at the control level. In this regard, various analyses (see, eg, other related works) have remarked the vulnerabilities of using OFDP, proposing both enhancements to the current protocol and other methods for accomplishing link discovery in these types of networks. Specifically, the work of Pakzad et al presents an enhanced version of the protocol with less LLDP message exchanges (OFDPv2).…”

Section: Link Discovery In Sdn‐based Optical Networkmentioning

confidence: 99%

“…Specifically, the work of Pakzad et al 13 presents an enhanced version of the protocol with less LLDP message exchanges (OFDPv2). Then, the work of Azzouni et al 14 presents the secure OF topology discovery that adds security to the protocol by introducing minimal changes to the OF switch design. Finally, the one work reported by Alharbi et al 15 proposes to enhance the authentication of LLDP packets by using hash-based message authentication code.…”

Section: Link Discovery In Sdn-based Optical Networkmentioning

confidence: 99%

SDN‐based parallel link discovery in optical transport networks

Montero

Agraz

Pages

et al. 2018

Trans Emerging Tel Tech

View full text Add to dashboard Cite

The use of optical technologies in modern network scenarios has increased in the last decade, mostly due to their support in crucial networking topics (ie, bandwidth and scalability). In parallel, these scenarios have also experienced the emergence of a new paradigm recognized as software‐defined networking (SDN), which bases on the decoupling of forwarding and control functions, with aims to provide a more efficient way to manage network resources compared to legacy networking architectures. As both SDN and optical technologies are constantly being introduced in different networking scenarios (eg, data centers, metro, and access networks), their coexistence becomes a must. In this matter, it is important to notice that SDN was initially designed for electronic‐based networks; hence, its support for optical technologies is still at an early stage. Consequently, integration of both solutions still requires research efforts by the community. In this paper, we present a mechanism to address topology discovery in wavelength‐switching optical transport networks (OTNs). In particular, we discuss the importance of the topology discovery function and analyse the proposed mechanism, which bases itself on the use of wavelength‐specific signaling tones as link‐binding data to provide preservice parallel link discovery in OTNs. Furthermore, we validate the method experimentally against an emulated OTN testbed with two different setups and compare the results to our previous work on this subject, achieving substantial reductions in the total topology discovery time.

show abstract

“…One of the controller's duties is to perform an accurate, secure and near real time topology discovery to provide management applications with an up-to-date view of the network topology. However, all current SDN controllers perform topology discovery using OpenFlow Discovery Protocol (OFDP), which is far from being secure and efficient [3]. Figure 1 shows how OFDP works; To discover the unidirectional link s1 → s2, the controller encapsulates a LLDP packet in a packet-out message and sends it to s1.…”

Section: Introductionmentioning

confidence: 99%

sOFTDP: Secure and efficient OpenFlow topology discovery protocol

Azzouni¹,

Boutaba²,

Trang³

et al. 2018

NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium

Self Cite

View full text Add to dashboard Cite

Topology discovery is one of the most critical tasks of Software-Defined Network (SDN) controllers. Current SDN controllers use the OpenFlow Discovery Protocol (OFDP) as the de-facto protocol for discovering the underlying network topology. In a previous work, we have shown the functional, performance and security limitations of OFDP. In this paper, we introduce and detail a novel protocol called secure and efficient OpenFlow Discovery Protocol sOTDP. sOFTDP requires minimal changes to OpenFlow switch design, eliminates major vulnerabilities in the topology discovery process and improves its performance. We have implemented sOFTDP as a topology discovery module in Floodlight for evaluation. The results show that our implementation is more secure than OFDP and previous security workarounds. Also, sOFTDP reduces the topology discovery time several orders of magnitude compared to the original OFDP and existing OFDP improvements.

show abstract

Limitations of openflow topology discovery protocol

Cited by 41 publications

References 5 publications

P4-MACsec: Dynamic Topology Monitoring and Data Layer Protection With MACsec in P4-Based SDN

P4-MACsec: Dynamic Topology Monitoring and Data Layer Protection With MACsec in P4-Based SDN

SDN‐based parallel link discovery in optical transport networks

sOFTDP: Secure and efficient OpenFlow topology discovery protocol

Contact Info

Product

Resources

About