In order to retain confidentiality

In order to retain confidentiality and data integrity, the internal components of the SDN
devices need to be safeguarded individually. The research team suggests the use of a Trusted
Computing Base, a separated and secured hardware and software section of system. The
concept of Rosemary (see 4.3.7) fulfils this requirement as it separates the control software
from applications and requires access credentials. Moreover, the ONF extensively covers the
demand for data protection in their fifth principle, ”Protect Operational Reference Data”[99].
However, only sensitive data such as policies, credentials, and service descriptions are listed.
The ONF does not explicitly require a security mechanism for the NIB of the controller or
the forwarding tables of the switch. A disclosure attack on these databases could reveal an
ample amount of information about the network. As it can be assumed that TLS and SSH
have to be used to acquire this data due to the ONF security requirements, a two-factor
authentication measure might be superfluous. A second detriment is the negative impact of
an encrypted lookup table on flow latency and performance.
Consequently, this security principle might be redundant in the overall scheme. The individual benefits are covered by similar suggestions or the effective and secure implementation
of the OpenFlow protocol and the protocol itself can thus be considered a secure compo
nent of the system, if the requirements are fulfilled. Extending the principle, the control
topology of the controller and the flow tables of switches may be considered parts of the
network which have to be secured or securely assembled. Several tools to verify the network
policy, topology and overall correctness of the network system are already available. The
algorithms check and examine network configuration based on invariants and models and
alert the administrator if violations occur while providing concrete examples. [12], [59]
As evidenced by the Denial of Service threat, TCAM table sizes are a significant and exploitable issue in the current SDN design.
The application module SPHINX [123] is a comprehensive project to protect the controller
and the table size of switches. The framework operates as a intrusion detection system and
is able to detect a multitude of attack types, including TCAM exhaustion attacks, topology
spoofing, blackhole routing, and general DoS traffic targeting the controller. The application
is inserted as a proxy layer between the control and data plane and monitors incoming switch
packets. Based on the metadata of the packets, a network graph and traffic database are
constructed (see Figure 4.3). Any deviations in the trusted topology, attempts to exhaust
the limit of table entries in switches, or excessive traffic patterns are instantly reported to the
administrator. As it does not solve the raised alerts, SPHINX can not be considered a Self
Healing Mechanism. Nonetheless, its inherent and controller-agnostic intrusion detection
functionality aptly illustrates a general concept to protect the integrity of data stores in
SDN.