Vulnerabilities and solutions for isolation in FlowVisor-based virtual network environments

In a virtualized environment, different virtual networks can operate over the same physical infrastructure. Each virtual network runs its own protocols and shares the available resources, which creates the need for resource isolation mechanisms. While investigating the isolation mechanisms provided by FlowVisor, the authors discovered previously unknown vulnerabilities in address space isolation. They show that, in the presence of a malicious controller, FlowVisor’s isolation can be broken, enabling different attacks. This paper addresses these vulnerabilities by proposing an Action Slicing mechanism that allows FlowVisor to limit which actions each virtual network controller can use, thus extending the virtual network definition.
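One way a per-slice action check of the kind described above could look, as an added example that is not FlowVisor's or the authors' code. It assumes the OpenFlow 1.0 action encoding (2-byte type, 2-byte length, body padded to 8 bytes); the slice names, the policy, the function names and the sample bytes are constructed for illustration.

```python
import struct

# OpenFlow 1.0 action type codes (ofp_action_type in the OpenFlow 1.0 specification).
OFPAT = {0: "OUTPUT", 1: "SET_VLAN_VID", 2: "SET_VLAN_PCP", 3: "STRIP_VLAN",
         4: "SET_DL_SRC", 5: "SET_DL_DST", 6: "SET_NW_SRC", 7: "SET_NW_DST",
         8: "SET_NW_TOS", 9: "SET_TP_SRC", 10: "SET_TP_DST", 11: "ENQUEUE"}

# Hypothetical per-slice policy (constructed): actions each slice's controller may use.
SLICE_ACTIONS = {
    "slice-a": {"OUTPUT"},
    "slice-b": {"OUTPUT", "SET_VLAN_VID", "STRIP_VLAN"},
}

def parse_actions(buf):
    """Split an OpenFlow 1.0 action list into (name, body) pairs; raise on malformed input."""
    actions, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated action header")
        atype, alen = struct.unpack_from("!HH", buf, off)
        # Every action is at least 8 bytes, a multiple of 8, and must fit in the buffer.
        if alen < 8 or alen % 8 or off + alen > len(buf):
            raise ValueError("bad action length")
        name = OFPAT.get(atype, "UNKNOWN_%d" % atype)
        actions.append((name, buf[off + 4:off + alen]))
        off += alen
    return actions

def check_slice(slice_name, action_bytes):
    """Return (allowed, reason); fails closed on unknown slices, unknown actions, parse errors."""
    allowed = SLICE_ACTIONS.get(slice_name)
    if allowed is None:
        return False, "unknown slice"
    try:
        actions = parse_actions(action_bytes)
    except ValueError as exc:
        return False, "malformed: %s" % exc
    for name, _body in actions:
        if name not in allowed:
            return False, "action %s not permitted" % name
    return True, "ok"

# Constructed sample action lists.
OUTPUT_PORT_2 = struct.pack("!HHHH", 0, 8, 2, 0xFFFF)          # output to port 2
SET_NW_DST = struct.pack("!HH4s", 7, 8, bytes([10, 0, 0, 9]))  # rewrite IPv4 destination

if __name__ == "__main__":
    print(check_slice("slice-a", OUTPUT_PORT_2))
    print(check_slice("slice-a", OUTPUT_PORT_2 + SET_NW_DST))
```

A message whose action list fails the check would be rejected before it reaches the switch; how FlowVisor reports that rejection to the controller is outside what this example covers.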

