Software-defined networking is dangerously sniffable

Software-defined networking (SDN) controllers respond to network conditions by pushing new flow rules to switches. And that, say Italian researchers, creates an unexpected security problem. The researchers were able to persuade their SDN environment to leak information that sysadmins probably don't want out in public, …

  1. ecofeco Silver badge

    Oh joy

    So in order to secure against a breach you have to cripple performance?

    1. Charles 9

      Re: Oh joy

      Unfortunately, yes. Efficient code by its very nature leaves tells. The only way to remove the tells is to drop fake tells, which ruins your efficiency. It's one reason privacy-oriented networks perform so poorly; there's simply no way around it.

      I'll give an analogue. How do you avoid being tracked if there's only one way in or out of your neighborhood (meaning disguises won't work)? The only way left is to use dupes to confuse your pursuers (that's what Harry Potter was forced to use in Deathly Hallows if you'll recall).

  2. John Geek

    Why does this not surprise me in the least? All these reinventions of the wheel under the guise of software-defined-_____ seem to be designed by people without the first idea of security.

    1. Anonymous Coward

      Well, it's a tradeoff. People demand BOTH performance AND security not realizing the two often CLASH. You have to pick your poison. You can either have (a) INsecure but efficient networking, (b) secure but INefficient networking, or (c) the worst of both worlds, INsecure INefficient networking. Sorry, no unicorns here.

  3. Antitrust

    Leaving debug API open is nothing to do with SDN

    Seems like a bit of a beat up. If you leave your debug API open to the world you can expect everyone to come take a look. Nothing about SDN says you have to make debug APIs globally accessible just like nothing about BGP says you have to peer with everyone.

  4. DanPittPaloAlto

    A Walk-in is Not a Break-in

    As Executive Director of the Open Networking Foundation, I found the article and your posting drawing my considerable attention. (I am still learning to speak British.) We agree that the transmission of any data or control traffic across any open and unsecured communication path in any network is vulnerable; consequently, we recommend securing the control traffic in all SDN environments. Given that, we maintain that SDN brings notable benefits to network security. I have shared the article and your posting with our Security Working Group, and Vice Chair Dr. Sandra Scott-Hayward has published her response to it on our blog today. I encourage your readers to check it out: https://www.opennetworking.org/?p=2402&option=com_wordpress&Itemid=316.
