SDN-enabled routers and switches must provide link state information to the SDN controller to create new forwarding decisions for the network elements.

From SDN Using NV Security Technical Implementation Guide

Part of NET-SDN-011

Associated with: CCI-000366

SV-87745r1_rule SDN-enabled routers and switches must provide link state information to the SDN controller to create new forwarding decisions for the network elements.

Vulnerability discussion

Southbound APIs such as OpenFlow provide the forwarding tables to network devices such as switches and routers. SDN controllers have an abstraction of the network topology based on discovery and provisioning information provided by management and orchestration systems. The SDN controllers use the concept of flows to identify network traffic based on predefined rules that can be statically or dynamically programmed by the SDN control software. With the network topology abstraction, they are able to determine how traffic should flow through network devices based on application data, business policy, bandwidth, and path availability. If the SDN-enabled network elements do not provide updated link state information, the SDN controller is not able to reconverge the network to verify there is reachability to all destinations.

Check content

Review the configurations for all SDN-enabled routers and switches and verify that link state information is provided to the SDN controllers. If the SDN-enabled routers and switches do not provide link state information to the SDN controllers, this is a finding. Note: This requirement is not applicable if the SDN deployment model does not rely on the controller for network forwarding or convergence.

Fix text

Configure all SDN-enabled routers and switches to send link state information to the SDN controllers.

Pro Tips

Powered by sagemincer