The follower controller in a cluster can still set up flow entries.

In the experiment, I found that a controller with a follower role can still configure flow entries in an OpenDaylight clustering deployment. The follower controller can configure the network regardless of having a direct OpenFlow connection with mininet or not. After capturing OpenFlow packets, I found the reason. Because the leader controller accepts the follower controller’s flow entry update in the clustering communication without any checks, the leader controller helps the follower controller send out flow entries. This design is insecure and violates the OpenFlow specification such that the follower controller should only not be able to configure flow entries:

“A controller can request its role to be changed to OFPCR_ROLE_SLAVE. In this role, the controller has read-only access to the switch. By default, the controller does not receive switch asynchronous messages, apart from Port-status messages. The controller is denied the ability to execute all controller-to-switch commands that send packets or modify the state of the switch.”[1]

[1] OpenFlowSwitchSpecification Version1.3.5 (Protocol version0x04), https://opennetworking.org/wp-content/uploads/2014/10/openflow-switch-v1.3.5.pdf

P.S. ONOS also has this issue and the artifact for ONOS can be found here.