Details
Assignee: Robert Varga
Reporter: Mingming Chen
Labels:
Priority: Medium
Created September 8, 2024 at 8:15 PM
Updated September 8, 2024 at 8:31 PM
The follower controller in a cluster can still set up flow entries
In the experiment, I found that a controller with a follower role can still configure flow entries in an OpenDaylight clustering deployment. The follower controller does not even need to have a direct OpenFlow connection with Mininet. After capturing the OpenFlow packets, I found the reason:
Because the leader controller accepts the follower controller's flow entry update over the clustering communication and saves it to its data store without any role checks, the leader controller then sends the flow entries to Mininet on the follower controller's behalf after this update.
This design is insecure and violates the OpenFlow specification [1], which states that a follower (slave) controller is not allowed to configure flow entries:
"A controller can request its role to be changed to OFPCR_ROLE_SLAVE. In this role, the controller has read-only access to the switch. By default, the controller does not receive switch asynchronous messages, apart from Port-status messages." [1]
This vulnerability facilitates the Marionette attack [2].
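The spec rule quoted above can be checked on the OpenFlow channel itself. The following is an added example, not code from this report or from OpenDaylight: it parses a constructed stream of OpenFlow 1.3 messages, records the role the switch confirmed in each connection's OFPT_ROLE_REPLY, and flags any OFPT_FLOW_MOD sent on a connection whose confirmed role is OFPCR_ROLE_SLAVE. The connection names and message contents are constructed for the example; the type and role values are the OpenFlow 1.3 wire constants.

```python
import struct

# OpenFlow 1.3 wire constants (ofp_type and ofp_controller_role values from the spec).
OFP_VERSION = 0x04
OFPT_FLOW_MOD, OFPT_ROLE_REQUEST, OFPT_ROLE_REPLY = 14, 24, 25
OFPCR_ROLE_NOCHANGE, OFPCR_ROLE_EQUAL, OFPCR_ROLE_MASTER, OFPCR_ROLE_SLAVE = 0, 1, 2, 3
HEADER = struct.Struct("!BBHI")    # version, type, length, xid
ROLE_BODY = struct.Struct("!I4xQ")  # role, 4 pad bytes, generation_id

def iter_messages(data: bytes):
    """Split a byte stream into (type, xid, body) triples, validating each header."""
    off = 0
    while off < len(data):
        version, mtype, length, xid = HEADER.unpack_from(data, off)
        if version != OFP_VERSION or length < HEADER.size or off + length > len(data):
            raise ValueError(f"malformed OpenFlow header at offset {off}")
        yield mtype, xid, data[off + HEADER.size: off + length]
        off += length

def audit_flow_mods(stream):
    """stream: chronological (connection_id, bytes) pairs covering both directions.
    Tracks the role the switch confirmed in OFPT_ROLE_REPLY per connection and
    returns (connection_id, xid) for every OFPT_FLOW_MOD sent while that role is SLAVE."""
    role = {}        # connection_id -> last confirmed role; spec default is EQUAL
    findings = []
    for conn, data in stream:
        for mtype, xid, body in iter_messages(data):
            if mtype == OFPT_ROLE_REPLY:
                role[conn], _generation_id = ROLE_BODY.unpack(body)
            elif mtype == OFPT_FLOW_MOD and role.get(conn, OFPCR_ROLE_EQUAL) == OFPCR_ROLE_SLAVE:
                findings.append((conn, xid))
    return findings

# Constructed sample traffic (not a real capture): builders for the messages in the stream.
def role_reply(xid, role_value, generation_id):
    body = ROLE_BODY.pack(role_value, generation_id)
    return HEADER.pack(OFP_VERSION, OFPT_ROLE_REPLY, HEADER.size + len(body), xid) + body

def flow_mod(xid, body=bytes(48)):  # body content is irrelevant to the check, so zero-filled
    return HEADER.pack(OFP_VERSION, OFPT_FLOW_MOD, HEADER.size + len(body), xid) + body

SAMPLE = [
    ("ctrl-A", role_reply(1, OFPCR_ROLE_MASTER, 1)),
    ("ctrl-B", role_reply(1, OFPCR_ROLE_SLAVE, 1)),
    ("ctrl-A", flow_mod(2)),   # master: permitted
    ("ctrl-B", flow_mod(2)),   # slave: read-only role, flagged
    ("ctrl-B", flow_mod(4)),   # still slave, flagged again
]

if __name__ == "__main__":
    for conn, xid in audit_flow_mods(SAMPLE):
        print(f"FLOW_MOD from {conn} (xid={xid}) while in OFPCR_ROLE_SLAVE")
```

Note that this check only sees the OpenFlow channel; in the scenario described in this report the flow mods reach the switch over the leader's own connection, so the clustered data store's commit path is where a role check would have to live.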
References:
[1] ONF TS-009. OpenFlow Switch Specification, version 1.3.3. https://opennetworking.org/wp-content/uploads/2014/10/openflow-switch-v1.3.5.pdf
[2] Chen, Mingming, Thomas La Porta, Teryl Taylor, Frederico Araujo, and Trent Jaeger. "Manipulating OpenFlow Link Discovery Packet Forwarding for Topology Poisoning." arXiv preprint arXiv:2408.16940 (2024).
P.S. ONOS also has this issue and the artifact for ONOS can be found here.