
Fingerprinting SDN controllers - hadiazz
https://arxiv.org/abs/1611.02370
======
hueving
This isn't fingerprinting specific SDN controllers, it's really just detecting
if the network is setup in a 'reactive' SDN configuration.

This means that certain network packets will be sent to a controller for a
decision before a rule is installed in the switch describing what to do with
future packets related to the same flow.

ODL, ONOS, or any other openflow controller can setup packet pipelines in both
reactive and proactive modes. The latter would be completely unidentifiable
from the data plane. Correlating the former to a specific SDN platform isn't
really possible because the behavior is entirely dependent on the application
running on top of the controller.

~~~
hadiazz
Most openflow controllers in their default setup are in reactive mode. The
thesis of the paper is that the probability of an admin keeping the default
setup is quite high (as it is for operating systems for example) and hence
proposes a few techniques to reveal the controller. The logic is similar to
that of nmap, no technique is individually sufficient, but combining all the
techniques gives a good intuition about the controller

