Affects Version/s: Nitrogen, Carbon
Fix Version/s: None
As part of the node reconciliation process in OpenDaylight (openflowplugin), all flows stored in the config datastore for a node are installed back on the switch when it reconnects. This includes flows that are still active and flows whose idle/hard timeout has already expired on the switch.
This happens because flows are persistent in the config datastore regardless of whether they are active or dead: a timeout removes the flow from the switch's table, but deletion from config is left to the application, which in general does not do it.
Two attacks follow from this:
- An advanced persistent threat (APT) from a northbound application leading to a table overflow attack on the switch.
- A malicious switch circumventing the controller's control, allowing communication for an indefinite period.
Northbound attack (advanced persistent threat, APT):
Attacker: an application with covert intent
- An application with covert intent keeps installing legitimate-looking timed flows (with idle/hard timeout) for a switch, with varying match parameters and priorities.
- At any point in the switch's active life, the switch may disconnect from and reconnect to the controller.
- On every such status change, all flows stored in the config datastore for that switch are installed on it as part of the plugin's reconciliation process.
- The installed flows include the active (new) flows and the expired (old) flows. Essentially, every single flow that was ever configured for this switch is installed back again.
- The less severe problem is that unexpected and unwanted communication is allowed in the network while the resurrected flows are live.
- The security-critical issue is that the number of resurrected flows grows with every flow the application ever installed, so this persistent threat eventually succeeds in a switch table overflow attack: the switch runs out of flow table entries.
A table overflow has its own consequences; denial of service to authorized hosts is one of them.
Moreover, a security application on the controller can fail to detect this, because it reasons about active flows and not about expired ones: the number of active flows at any instant stays small, while the config datastore grows without bound.
Southbound attack (uncontrolled communication):
Attacker: a malicious switch together with host A
- The first packet of a traffic flow from host A to any host B goes to the controller.
- The controller installs a flow rule allowing traffic between the hosts for only X minutes.
- However, the malicious switch reconnects to the controller every X-Y minutes, i.e. shortly before the rule would expire.
- On every reconnection, the controller installs the same old flow again, allowing communication for another X minutes.
- The process repeats indefinitely, and the first packet of what should be a new flow never reaches the controller.
- Ideally the controller should not reinstall an expired (or about-to-expire) flow with a fresh timeout. The flaw in the reconciliation workflow turns this into a vulnerability.
This means the malicious host A can communicate with another host B for an indefinite amount of time, circumventing any present and future security mechanisms in the controller (such as new ACLs) that would otherwise be applied when the next first packet reached it.
The controller believes the communication lasts only X minutes, whereas it in fact continues for the entire life cycle of the switch.
- Change/fix the node reconciliation workflow so that it does not re-install expired flows and does not extend the lifetime of timed flows that are still active.
- Do not leave the task of deleting old and expired flows from the config datastore to the application. Instead, openflowplugin or MDSAL should do this (for example on FLOW_REMOVED, or by checking installation time against the timeout during reconciliation).
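The two attack scenarios above and the proposed fix, as an added example that is not openflowplugin or MDSAL code: a small Python model of a switch flow table and a controller config datastore, with a vulnerable reconcile() that pushes every flow ever configured back with its full timeout, and a hardened one that drops expired flows from config on FLOW_REMOVED and reinstalls still-active flows with only their remaining timeout. The flow names, the timings (X = 600 s, reconnects every 480 s, a 50-entry table, constructed here) and the remaining-timeout approach are assumptions of this model, not something the report specifies; it also assumes OpenFlow 1.3 flow-add semantics, where re-adding an identical flow replaces the entry and restarts its timer.

```python
"""Toy model of node reconciliation resurrecting expired flows (added example,
not openflowplugin or MDSAL code). Time is in seconds, hard timeouts only, and
re-adding an identical flow replaces the entry and restarts its timeout, as
OpenFlow 1.3 flow-add semantics specify. All numbers below are constructed."""
from dataclasses import dataclass


@dataclass
class Flow:
    flow_id: str
    priority: int
    hard_timeout: int   # seconds
    installed_at: int   # when this copy of the flow was pushed


class Switch:
    """Flow table of bounded size that expires entries on its own."""

    def __init__(self, capacity):
        self.capacity, self.table, self.overflowed = capacity, {}, False

    def install(self, flow, now, hard_timeout=None):
        if flow.flow_id not in self.table and len(self.table) >= self.capacity:
            self.overflowed = True          # table full: the flow mod is rejected
            return False
        timeout = flow.hard_timeout if hard_timeout is None else hard_timeout
        self.table[flow.flow_id] = Flow(flow.flow_id, flow.priority, timeout, now)
        return True

    def expire(self, now):
        gone = [f for f in self.table.values() if now - f.installed_at >= f.hard_timeout]
        for f in gone:
            del self.table[f.flow_id]
        return gone                          # delivered to the controller as FLOW_REMOVED


class Controller:
    def __init__(self, switch, hardened):
        self.switch, self.hardened = switch, hardened
        self.config = {}                     # config datastore: the reconciliation source
        self.packet_ins = 0

    def add_flow(self, flow_id, priority, hard_timeout, now):
        flow = Flow(flow_id, priority, hard_timeout, now)
        self.config[flow_id] = flow
        self.switch.install(flow, now)

    def packet_in(self, flow_id, priority, hard_timeout, now):
        self.packet_ins += 1                 # the first packet of a flow reached the controller
        self.add_flow(flow_id, priority, hard_timeout, now)

    def on_flow_removed(self, flow):
        if self.hardened:                    # the plugin, not the app, cleans up expired flows
            self.config.pop(flow.flow_id, None)
        # vulnerable: the dead flow stays in config and will be reconciled back

    def reconcile(self, now):
        """Runs on every (re)connect of the switch."""
        for flow in list(self.config.values()):
            if not self.hardened:
                self.switch.install(flow, now)          # everything ever configured, full timeout
                continue
            remaining = flow.installed_at + flow.hard_timeout - now
            if remaining <= 0:
                self.config.pop(flow.flow_id)           # expired while disconnected: do not resurrect
            else:
                self.switch.install(flow, now, hard_timeout=remaining)   # original expiry kept


def _tick(ctrl, sw, now):
    for flow in sw.expire(now):
        ctrl.on_flow_removed(flow)


def southbound_attack(hardened, timeout=600, reconnect_every=480, duration=3600, step=60):
    """Host A sends to B every `step` s behind a switch that reconnects every `reconnect_every` s.
    Returns how many A->B packets reached the controller (ideal: one per `timeout` window)."""
    sw = Switch(capacity=100)
    ctrl = Controller(sw, hardened)
    for now in range(0, duration, step):
        _tick(ctrl, sw, now)
        if now and now % reconnect_every == 0:
            ctrl.reconcile(now)
        if "A->B" not in sw.table:
            ctrl.packet_in("A->B", priority=10, hard_timeout=timeout, now=now)
    return ctrl.packet_ins


def northbound_attack(hardened, capacity=50, timeout=120, duration=3600, step=60):
    """A covert app installs one short-lived flow per `step` s; the switch reconnects at `duration`."""
    sw = Switch(capacity)
    ctrl = Controller(sw, hardened)
    peak = 0
    for now in range(0, duration, step):
        _tick(ctrl, sw, now)
        ctrl.add_flow(f"app-{now}", priority=(now // step) % 8 + 1, hard_timeout=timeout, now=now)
        peak = max(peak, len(sw.table))      # what a security app watching active flows sees
    _tick(ctrl, sw, duration)
    ctrl.reconcile(duration)
    return {"active_before_reconnect": peak, "config_flows": len(ctrl.config),
            "switch_flows_after_reconnect": len(sw.table), "overflowed": sw.overflowed}


if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "vulnerable",
              "southbound packet-ins:", southbound_attack(hardened),
              "northbound:", northbound_attack(hardened))
```

In the vulnerable southbound run a single packet-in covers the whole hour, because each reconnect re-adds A->B with a fresh 600 s timer before the previous one runs out; the hardened run sees one packet-in per 600 s window, since reinstalling with the remaining timeout keeps the original expiry. In the vulnerable northbound run the switch never holds more than two of the app's flows at once (which is all a security application watching active flows would see), yet the reconnect pushes all sixty entries from config and fills the fifty-entry table; the hardened controller has only the one still-live flow left in config to reinstall.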