Assessment of vulnerabilities in rule-based decision sets as used in SDN controllers

Open Access
Cao, Jingxuan
Area of Honors:
Computer Science
Bachelor of Science
Document Type:
Thesis Supervisors:
  • Mark P Mahon, Thesis Supervisor
  • Rebecca Jane Passonneau, Honors Advisor
Keywords:
  • Software defined networking
  • OpenFlow
A reasonable argument can be made that the Internet has been a critical component in the creation of our digital society. The convenience of the Internet, in conjunction with the development of many applications, is the reason the Internet is now extremely prosperous. However, traditional network architectures are ill-suited to meet the requirements of today’s enterprises, carriers, and end users [1]. Software-defined networking (SDN) is an emerging paradigm that promises to change this state of affairs by breaking the horizontal integration of traditional networks (separating the network's control logic from the underlying routers and switches), promoting (logical) centralization of network control, and introducing the ability to program the network [2]. Given its potential, SDN has been seen as the future of the next-generation network. But its network programmability and centralized control logic also increase security risks [3]. In this thesis, I start by introducing the structure of traditional networks and SDN and discuss their strengths and weaknesses. Because of the widespread adoption of traditional networks, the initial build-out of SDN will be a combination of traditional network and SDN architectures. The main contribution of this thesis is the identification of rule-based decision set vulnerabilities in the SDN architecture. To provide sufficient depth of understanding of the main thrust of this thesis, a discussion of flow table overflows in an SDN and the MAC address table overflow in traditional networks is used to highlight security issues in an SDN. An in-depth analysis of the outcomes of these two vulnerabilities in SDN and traditional networks is presented, followed by proposed future work that would improve SDN security.