I think a naming convention may work but in the case of plaintext CN it
totaly forbids the operator of using self-signed certificates. Regarding
secret HMAC based naming i think it may work even with self-signed
certificates but then the security depends on more factors for example
whether one switch can gain access to HMACs transmitted by other switches
and how hard it is to correlate them with the switches IDs (e.g., by
bruteforce or some heuristic on ids allocation).
So I think the original solution is more easy regarding its requirements
from the operator.
On Fri, May 18, 2018, 01:26 William Fisher <william.w.fis...@gmail.com>
wrote:
> It sounds like a single compromised switch peer certificate can be used to
> impersonate other datapath_id's.
>
> From the advisory, it appears the controller-side fix is to verify the
> datapath_id received in the FeaturesReply against the peer cert before
> trusting it.
>
> Is it possible to use a naming convention that encodes the datapath_id in
> the switch certificate's subject CN? This could be plaintext (exposing the
> datapath_id in the clear during TLS handshake) or an HMAC of the
> datapath_id using a secret that only the controller knows.
>
> Or, does the controller have to maintain the complete datapath_id to peer
> cert blob mapping? (Assume that the controller already does whitelist by
> datapath_id.)
>
> On Thu, May 17, 2018 at 2:54 AM Kashyap Thimmaraju <
> kashyap.thimmar...@sect.tu-berlin.de> wrote:
>
> > Dear Ryu Developers,
>
> > I hope that you are aware of the OpenFlow CVE that was recently made
> > public [1]. Have there been any discussions on this? Do you plan to
> > provide a fix or announce a security advisory on this matter? We believe
> > it is important to spread the awareness to people using OpenFlow
> > controllers that such an attack is possible.
>
> > [1] http://www.openwall.com/lists/oss-security/2018/05/09/4
>
> > --
> > Thanks,
>
> > Kashyap Thimmaraju <kashyap.thimmar...@sect.tu-berlin.de>
> > Security in Telecommunications <sect.tu-berlin.de>
> > Technische Universität Berlin
> > Ernst-Reuter-Platz 7, Sekr TEL 17
> > 10587 Berlin, Germany
> > Phone: +49 30 8353 58351
>
>
>
>
> ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Ryu-devel mailing list
> > Ryu-devel@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/ryu-devel
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Ryu-devel mailing list
Ryu-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ryu-devel
