OpenFlowPlugin Project

Major Features

odl-openflowplugin-app-config-pusher

odl-openflowplugin-app-forwardingrules-manager

odl-openflowplugin-app-forwardingrules-sync

Documentation

Security Considerations

  • Do you have any external interfaces other than RESTCONF? Yes, OpenFlow devices
  • Other security issues?
    • Insecure OpenFlowPlugin <–> OpenFlow device connections
    • Topology spoofing: link discovery between switches relies on unauthenticated LLDP packets, which makes it vulnerable to a number of attacks, one of which is topology spoofing. The problem is that all controllers we have tested set the chassisSubtype value to the MAC address of the local port of the switch, which makes it easy for an adversary to spoof that switch, since controllers use that MAC address as the unique identifier of the switch. By intercepting cleartext LLDP packets containing MAC addresses, a malicious switch can spoof other switches to falsify the controller’s topology graph.
    • DoS: an adversary switch could generate an LLDP flood that brings down the OpenFlow network
    • DoS attack when the switch refuses to receive packets from the controller
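
As an illustration of the topology spoofing item above, the following added example (not OpenFlowPlugin code) shows one mitigation: the controller appends an HMAC over the chassis ID and port ID TLVs to each LLDP frame it emits and checks it on packet-in. The organizationally specific TLV prefix, the key and the MAC addresses are assumptions constructed for the example.

```python
import hashlib
import hmac
import struct

CHASSIS_ID, PORT_ID, TTL, END, ORG_SPECIFIC = 1, 2, 3, 0, 127
SUBTYPE_MAC = 4                       # chassis ID subtype "MAC address"
AUTH_PREFIX = b"\x00\x00\x00\x01"     # assumed placeholder OUI + subtype for the tag TLV
KEY = b"constructed-demo-key"         # constructed sample secret, held by the controller only
SWITCH_A, SWITCH_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed

def tlv(tlv_type, value):
    """Encode one LLDP TLV: 7-bit type, 9-bit length, then the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

def parse_tlvs(payload):
    """Return [(type, value), ...] up to End-of-LLDPDU; ValueError if truncated."""
    out, i = [], 0
    while i + 2 <= len(payload):
        (header,) = struct.unpack_from("!H", payload, i)
        tlv_type, length = header >> 9, header & 0x1FF
        i += 2
        if i + length > len(payload):
            raise ValueError("truncated TLV")
        if tlv_type == END:
            break
        out.append((tlv_type, payload[i:i + length]))
        i += length
    return out

def tag(key, chassis, port):
    """HMAC-SHA256 binding the chassis ID to the port ID."""
    return hmac.new(key, tlv(CHASSIS_ID, chassis) + tlv(PORT_ID, port), hashlib.sha256).digest()

def build_lldp(key, mac, port_no):
    """Controller side: LLDPDU with a MAC chassis ID plus the authentication TLV."""
    chassis = bytes([SUBTYPE_MAC]) + mac
    port = b"\x07" + str(port_no).encode()    # subtype 7: locally assigned
    return b"".join([tlv(CHASSIS_ID, chassis), tlv(PORT_ID, port), tlv(TTL, b"\x00\x78"),
                     tlv(ORG_SPECIFIC, AUTH_PREFIX + tag(key, chassis, port)), tlv(END, b"")])

def verify_lldp(key, payload):
    """Packet-in side: accept only frames whose tag matches their chassis and port IDs."""
    try:
        tlvs = parse_tlvs(payload)
    except ValueError:
        return False
    ids = {t: v for t, v in tlvs if t in (CHASSIS_ID, PORT_ID)}
    tags = [v[4:] for t, v in tlvs if t == ORG_SPECIFIC and v[:4] == AUTH_PREFIX]
    return len(ids) == 2 and len(tags) == 1 and hmac.compare_digest(
        tag(key, ids[CHASSIS_ID], ids[PORT_ID]), tags[0])
```

A frame whose chassis ID was rewritten, or that was built without the controller's key, fails `verify_lldp`. A captured valid frame replayed unchanged still verifies, so this check needs a freshness value (timestamp or nonce) in the tagged data to cover replay.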

Quality Assurance

Migration

Compatibility

  • Is this release compatible with the previous release? Yes
  • Any API changes? No changes in the yang models from previous release
  • Any configuration changes? Other than the addition of the single-layer-serialization configuration parameter, there were no changes.

Known Issues

End-of-life

  • List of features/APIs which are EOLed, deprecated, and/or removed in this release:

    Beryllium design (a.k.a. Helium design) was deprecated in Boron and projects were moved to the Boron (a.k.a. Lithium) design. All new Boron development in Carbon was on the Boron design only, and future development will only be on the Boron design going forward. Helium design is planned to be removed in the Nitrogen release.

Standards

OpenFlow versions:

Release Mechanics