It sounds like a single compromised switch peer certificate can be used to
impersonate other datapath_id's.

From the advisory, it appears the controller-side fix is to verify the
datapath_id received in the FeaturesReply against the peer cert before
trusting it.

Is it possible to use a naming convention that encodes the datapath_id in
the switch certificate's subject CN? This could be plaintext (exposing the
datapath_id in the clear during TLS handshake) or an HMAC of the
datapath_id using a secret that only the controller knows.

Or, does the controller have to maintain the complete datapath_id to peer
cert blob mapping? (Assume that the controller already does whitelist by
datapath_id.)

On Thu, May 17, 2018 at 2:54 AM Kashyap Thimmaraju <
kashyap.thimmar...@sect.tu-berlin.de> wrote:

> Dear Ryu Developers,

> I hope that you are aware of the OpenFlow CVE that was recently made
> public [1]. Have there been any discussions on this? Do you plan to
> provide a fix or announce a security advisory on this matter? We believe
> it is important to spread the awareness to people using OpenFlow
> controllers that such an attack is possible.

> [1] http://www.openwall.com/lists/oss-security/2018/05/09/4

> --
> Thanks,

> Kashyap Thimmaraju <kashyap.thimmar...@sect.tu-berlin.de>
> Security in Telecommunications <sect.tu-berlin.de>
> Technische Universität Berlin
> Ernst-Reuter-Platz 7, Sekr TEL 17
> 10587 Berlin, Germany
> Phone: +49 30 8353 58351



> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Ryu-devel mailing list
> Ryu-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/ryu-devel


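As an added illustration of the two options raised above (not code from the thread, from Ryu, or from the advisory), here is a stand-alone Python sketch of the controller-side decision: when the FeaturesReply arrives over a TLS session, the claimed datapath_id must be on the allowlist and must be bound to the peer certificate, either by a CN naming convention (plain hex, or an HMAC computed with a controller-only secret so the handshake exposes only an opaque tag) or by an explicit certificate-fingerprint-to-datapath_id pin table. All function names, the secret, the allowlist and the certificate bytes are constructed for this example; no Ryu API is used.

```python
import hashlib
import hmac
from typing import Dict, Optional, Set

# Constructed secret for this example only; in practice the issuer of the switch
# certificates and the controller must share it, otherwise the HMAC-CN scheme
# cannot be used and the pin table is the fallback.
CONTROLLER_SECRET = b"controller-only-secret-for-demo"


def dpid_to_cn(datapath_id: int, secret: Optional[bytes] = CONTROLLER_SECRET) -> str:
    """Subject CN the certificate issuer would put in a switch certificate.

    secret=None: CN carries the 64-bit datapath_id in clear hex ("dpid-<16 hex>").
    secret set:  CN carries HMAC-SHA256(secret, datapath_id), so a passive
                 observer of the TLS handshake learns only an opaque tag.
    (Hypothetical naming scheme, not one Ryu defines.)
    """
    dpid_bytes = datapath_id.to_bytes(8, "big")  # OpenFlow datapath_id is 64 bits
    if secret is None:
        return "dpid-%016x" % datapath_id
    return hmac.new(secret, dpid_bytes, hashlib.sha256).hexdigest()


def cn_binds_dpid(peer_cn: str, datapath_id: int,
                  secret: Optional[bytes] = CONTROLLER_SECRET) -> bool:
    """True only if the presented certificate's CN was issued for this datapath_id."""
    expected = dpid_to_cn(datapath_id, secret)
    # Constant-time comparison so the check itself is not a timing oracle.
    return hmac.compare_digest(expected.encode(), peer_cn.encode())


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded peer certificate; the key of the pin table."""
    return hashlib.sha256(cert_der).hexdigest()


def verify_features_reply(
    claimed_dpid: int,
    allowlist: Set[int],
    peer_cn: Optional[str] = None,
    peer_cert_der: Optional[bytes] = None,
    pins: Optional[Dict[str, int]] = None,
    secret: Optional[bytes] = CONTROLLER_SECRET,
) -> bool:
    """Decision taken when a FeaturesReply arrives on an authenticated TLS session.

    The datapath_id must be allowlisted AND bound to the peer certificate through
    the CN convention and/or the fingerprint -> datapath_id pin table.  Every
    binding that is supplied must hold, and at least one must be supplied; a
    session with no binding at all is refused rather than trusted by default.
    """
    if claimed_dpid not in allowlist:
        return False
    checked = False
    if peer_cn is not None:
        if not cn_binds_dpid(peer_cn, claimed_dpid, secret):
            return False
        checked = True
    if peer_cert_der is not None and pins is not None:
        if pins.get(cert_fingerprint(peer_cert_der)) != claimed_dpid:
            return False
        checked = True
    return checked


if __name__ == "__main__":
    # Constructed scenario: switch 1 holds a certificate issued for datapath_id 1.
    allow = {1, 2}
    cert_of_switch1 = b"constructed-der-bytes-for-switch-1"  # stand-in for real DER
    cn_of_switch1 = dpid_to_cn(1)
    pins = {cert_fingerprint(cert_of_switch1): 1}
    print(verify_features_reply(1, allow, peer_cn=cn_of_switch1))  # True
    # Same certificate, but the FeaturesReply claims datapath_id 2: refused.
    print(verify_features_reply(2, allow, peer_cn=cn_of_switch1))  # False
    print(verify_features_reply(2, allow, peer_cert_der=cert_of_switch1, pins=pins))  # False
```

The HMAC-in-CN variant only removes the need for the controller to store a per-switch mapping; it still requires whoever issues switch certificates to compute the CN with the controller's secret, so the secret becomes shared issuance state. The pin table needs no secret but must be updated on every certificate rotation. In both variants the check is cheap and runs once per session, at the FeaturesReply, which is the point where the datapath_id is first asserted.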