This vulnerability lies in a flaw in the cluster rejoining implementation. A candidate controller should only be able to join a cluster if it has the complete and correct cluster configuration, including the addresses of all cluster members. However, I found that a controller cluster with OpenDaylight-v0.15.2 (may also include recent versions) accepts an incomplete configuration after the cluster has been formed and one peer has gone offline. Although the attacker has only an incomplete configuration containing two members' addresses, it successfully joined the cluster and impersonated the previously offline peer. I therefore name it a controller impersonation attack. The detailed steps are below:
Step 1, I created a 3-node ODL cluster.
Step 2, I shut down ODL-3 to mimic node failure.
Step 3, I created ODL-mal with the same IP address as ODL-3 and an incomplete cluster configuration file. The incomplete configuration has the offline controller's IP address and only one of the other controllers' IP addresses in the cluster.
Step 4, I rebooted ODL-mal to make the cluster configuration take effect. After that, ODL-mal joined the cluster successfully.
The above is documented in the Appendix of the Marionette work [1].
[1] Chen, Mingming, Thomas La Porta, Teryl Taylor, Frederico Araujo, and Trent Jaeger. "Manipulating OpenFlow Link Discovery Packet Forwarding for Topology Poisoning." arXiv preprint arXiv:2408.16940 (2024).
P.S. ONOS also has this issue and the artifact for ONOS can be found here.
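The following is an added example, not part of the report above and not code from OpenDaylight. It shows the membership check the report argues a joining controller should pass: the candidate's seed-nodes list must name exactly the known cluster members, and its own advertised address must be one of them. The two configuration snippets are constructed; they follow the shape of the seed-nodes and artery sections of ODL's configuration/initial/akka.conf, but the member addresses, actor-system name and the EXPECTED_MEMBERS set are assumptions for illustration. The second snippet mirrors Step 3 of the report: a node advertising ODL-3's address with a seed list that names only two of the three members.

```python
import re

# Assumed authoritative membership of the 3-node cluster (constructed).
EXPECTED_MEMBERS = {"10.0.0.1:2550", "10.0.0.2:2550", "10.0.0.3:2550"}
ACTOR_SYSTEM = "opendaylight-cluster-data"

# Constructed: what the legitimate ODL-3 would carry (complete seed list).
COMPLETE_CONF = """
odl-cluster-data {
  akka {
    remote { artery { canonical.hostname = "10.0.0.3"  canonical.port = 2550 } }
    cluster {
      seed-nodes = ["akka://opendaylight-cluster-data@10.0.0.1:2550",
                    "akka://opendaylight-cluster-data@10.0.0.2:2550",
                    "akka://opendaylight-cluster-data@10.0.0.3:2550"]
      roles = ["member-3"]
    }
  }
}
"""

# Constructed: the ODL-mal configuration from Step 3 -- same address as the
# offline ODL-3, but the seed list names only ODL-3 and one other member.
INCOMPLETE_CONF = """
odl-cluster-data {
  akka {
    remote { artery { canonical.hostname = "10.0.0.3"  canonical.port = 2550 } }
    cluster {
      seed-nodes = ["akka://opendaylight-cluster-data@10.0.0.3:2550",
                    "akka://opendaylight-cluster-data@10.0.0.1:2550"]
      roles = ["member-3"]
    }
  }
}
"""

# Minimal HOCON-ish extraction; enough for the fields this check needs (IPv4 only).
SEED_LIST_RE = re.compile(r"seed-nodes\s*=\s*\[(.*?)\]", re.S)
SEED_ADDR_RE = re.compile(r'"akka://([^@"]+)@([^:"]+):(\d+)"')
HOST_RE = re.compile(r'(?:canonical\.)?hostname\s*=\s*"([^"]+)"')
PORT_RE = re.compile(r"(?:canonical\.)?port\s*=\s*(\d+)")


def parse_seed_nodes(conf: str):
    """Return (actor-system names, host:port set) from the seed-nodes list, or (None, set()) if absent."""
    m = SEED_LIST_RE.search(conf)
    if not m:
        return None, set()
    systems, addrs = set(), set()
    for sysname, host, port in SEED_ADDR_RE.findall(m.group(1)):
        systems.add(sysname)
        addrs.add(f"{host}:{port}")
    return systems, addrs


def own_address(conf: str):
    """Return the address this node advertises to the cluster, or None."""
    h, p = HOST_RE.search(conf), PORT_RE.search(conf)
    return f"{h.group(1)}:{p.group(1)}" if h and p else None


def check_join_config(conf: str, expected=EXPECTED_MEMBERS, system=ACTOR_SYSTEM):
    """Return a list of reasons to reject the candidate; an empty list means accept."""
    problems = []
    systems, seeds = parse_seed_nodes(conf)
    if systems is None:
        return ["no seed-nodes list found"]
    if systems != {system}:
        problems.append(f"seed-nodes reference actor system(s) {sorted(systems)}, expected {system}")
    missing, extra = expected - seeds, seeds - expected
    if missing:
        problems.append(f"seed-nodes missing known members: {sorted(missing)}")
    if extra:
        problems.append(f"seed-nodes list unknown members: {sorted(extra)}")
    me = own_address(conf)
    if me is None:
        problems.append("no advertised hostname/port")
    elif me not in expected:
        problems.append(f"advertised address {me} is not a known member")
    return problems


if __name__ == "__main__":
    for name, conf in (("complete", COMPLETE_CONF), ("incomplete", INCOMPLETE_CONF)):
        print(name, check_join_config(conf) or "OK")
```

Running the block prints OK for the complete configuration and a single "missing known members: ['10.0.0.2:2550']" reason for the ODL-mal one; that is the rejection the report says the current rejoin path does not perform. The check is deliberately strict in both directions (missing and unknown members), since either discrepancy means the candidate's view of the cluster disagrees with the cluster's own.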