On Tue, Sep 6, 2011 at 00:45, Victor T. <[email protected]> wrote:
> -But I was wondering about the switch, and that if the attacker keeps
> creating flows at a high packet rate, even if I could stop packet-in events
> from going to the controller, it would still consume switching resources
> that could affect normal users (like searching the tables for the discard
> rule). Do you believe this is a real threat to other users? Is there some
> way to avoid it?
>

If your attacker is in a position to overwhelm the switch ASIC, they could do so whether that switch was OpenFlow-enabled or not - OpenFlow doesn't change the hardware datapath forwarding mechanism. Most modern switch ASICs are capable of forwarding faster than the line rate of their interfaces, so an attack merely devolves into a "generating a lot of traffic" denial-of-service (unless your attacker knows how to exploit a flaw in a given ASIC, but that also doesn't make OpenFlow different, as the ASICs are the same).

--
Nick
_______________________________________________
openflow-discuss mailing list
[email protected]
https://mailman.stanford.edu/mailman/listinfo/openflow-discuss
