Reference Guide

an untested or corrupted module. (This is currently expected to be a future
REQUIREMENT.)
External applications performing signature validation (e.g., on updates) SHOULD run with
low privilege but require high user privilege (e.g., root) to initiate installation or
modification.
Keys and credentials
There SHALL NOT be any default credentials. There SHALL NOT be any permanent credentials.
Keys used for management and authentication must not be transferable. Keys are to be generated
on the device and cannot be injected (configured) from another source. The private key must not
be transferable off the device, including through a configuration backup (reinstallation requires
new credentials).
File/Encryption requirements
Transfer of files to or from the system (once operational) SHOULD (future must) be over a
secure transport using FIPS 140 approved algorithms.
Access to all keys must be password protected. Password-based keys must be generated
using NIST-approved methods.
All backup and restore operations must be logged, including the identity of the user
performing the action.
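The sketch below is an added example, not code from this guide or the product it describes. It shows one way a backup export can satisfy two requirements above: private keys never leave the device in a configuration backup, and every backup is logged with the identity of the user. The configuration schema, field names and logger name are assumptions made for illustration, and only the backup half of "backup and restore" is shown.

```python
import json
import logging
import re

audit = logging.getLogger("backup.audit")  # hypothetical audit logger name
# PEM private-key headers (PKCS#1, PKCS#8, EC, encrypted PKCS#8, OpenSSH).
PEM_PRIVATE = re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")
# Assumed field names that hold private keys in this constructed schema.
SECRET_FIELDS = {"private_key", "host_private_key"}

# Constructed sample configuration; the schema is hypothetical.
SAMPLE_CONFIG = {
    "hostname": "app-01",
    "tls": {"certificate": "-----BEGIN CERTIFICATE-----\n(constructed)",
            "key": "-----BEGIN PRIVATE KEY-----\n(constructed)"},
    "ssh": [{"type": "ed25519", "host_private_key": "(constructed blob)"}],
}


def strip_secrets(node, path=""):
    """Return (copy of node without secret dict entries, removed paths)."""
    removed = []
    if isinstance(node, dict):
        clean = {}
        for key, value in node.items():
            here = f"{path}/{key}"
            is_pem = isinstance(value, str) and PEM_PRIVATE.search(value)
            if key in SECRET_FIELDS or is_pem:
                removed.append(here)  # dropped, never written to the backup
                continue
            clean[key], sub = strip_secrets(value, here)
            removed += sub
        return clean, removed
    if isinstance(node, list):
        pairs = [strip_secrets(v, f"{path}/{i}") for i, v in enumerate(node)]
        return [c for c, _ in pairs], [p for _, sub in pairs for p in sub]
    return node, removed


def export_backup(config, user):
    """Serialize config for backup; log the operation with the user identity."""
    if not user:
        raise PermissionError("backup requires an authenticated user identity")
    clean, removed = strip_secrets(config)
    audit.info("op=backup user=%s excluded=%s", user, ",".join(removed) or "-")
    return json.dumps(clean, sort_keys=True), removed
```

Because the exported blob carries no private key, a restore onto a reinstalled device has to generate new credentials on that device, which matches the reinstallation rule above.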
Management Interfaces
OF interface
An SDN application must not expose or present an OF interface.
SSH security
An SDN application can present a CLI via SSH for configuration and management of the
application.
WebUI
An SDN application can present its own web UI to configure application policy and provide
status via a web browser. When a web UI is present, the following requirements exist:
HTTPS must be available.
The device must be capable of configuring HTTPS certificates over the HTTPS interface.
To prevent a chicken-and-egg problem, initial configuration of Trust Anchor credentials
must be performed through CLI or HTTP.
Basic Auth must not be used (i.e., no user or system data in URLs).
All Open Web Application Security Project (OWASP) security recommendations must be
followed.
Southbound interface
An SDN application must not interact directly with a managed device. All device communication
must be through the controller.