
Traffic Management - OpenFlow Switch on the NetFPGA platform


Presentation Transcript


  1. Traffic Management - OpenFlow Switch on the NetFPGA platform
  Chun-Jen Chung (1203584897), Sriram Gopinath (1203800749)

  2. OpenFlow
  • OpenFlow is an open standard that enables researchers to run experimental protocols in the campus networks we use every day.
  • OpenFlow is an open interface for remotely controlling the forwarding tables in network switches, routers, and access points. It provides an open protocol to program the flow table in different switches and routers.
  • An OpenFlow Switch consists of at least three parts:
    (1) A Flow Table, with an action associated with each flow entry, to tell the switch how to process the flow.
    (2) A Secure Channel that connects the switch to a remote control process (called the controller), allowing commands and packets to be sent between a controller and the switch.
    (3) The OpenFlow Protocol, which provides an open and standard way for a controller to communicate with a switch.

  3. How does OpenFlow work?
  • In a classical router or switch, the fast packet forwarding (data path) and the high-level routing decisions (control path) occur on the same device.
  • An OpenFlow Switch separates these two functions. The data path portion still resides on the switch, while high-level routing decisions are moved to a separate controller, typically a standard server.
  • The OpenFlow Switch and Controller communicate via the OpenFlow protocol, which defines messages such as packet-received, send-packet-out, modify-forwarding-table, and get-stats.
  • The data path of an OpenFlow Switch presents a clean flow table abstraction: each flow table entry contains a set of packet fields to match, and an action (such as send-out-port, modify-field, or drop).
  • When an OpenFlow Switch receives a packet it has never seen before, for which it has no matching flow entries, it sends this packet to the controller.
  • The controller then makes a decision on how to handle this packet. It can drop the packet, or it can add a flow entry directing the switch on how to forward similar packets in the future.

  4. Idealized OpenFlow Switch diagram

  5. Advantages of OpenFlow
  • OpenFlow allows you to easily deploy innovative routing and switching protocols in your network.
  • Amenable to high-performance and low-cost implementations.
  • Capable of supporting a broad range of research.
  • Assured to isolate experimental traffic from production traffic.
  • Consistent with vendors' need for closed platforms.

  6. OpenFlow Switch Implementation for the NetFPGA platform
  • NetFPGA is a platform that enables students and researchers to experiment with Gigabit-rate networking hardware.
  • The NetFPGA is a PCI card that contains a large Xilinx FPGA, 4 Gigabit Ethernet ports, Static RAM (SRAM), and Double-Data Rate (DDR2) Dynamic RAM (DRAM).
  • The card design is open-source and the hardware is available at very low cost.
  • A complete network hardware platform implemented with Field Programmable Gate Array (FPGA) logic.
  • Put a NetFPGA into a PC to build your own hardware-accelerated, gigabit-speed:
    • Any-protocol router
    • Cycle-accurate measurement device
    • Firewall / IDS / IDP
    • Network appliance

  7. NetFPGA
  • NetFPGA consists of three parts:
    • Hardware (components of the PCI card)
    • Gateware (hardware description source code)
    • Software (device drivers, utilities, router control packages)

  8. NetFPGA

  9. Software and Hardware
  • Software
    • CentOS
    • NetFPGA Package
    • OpenFlow Package
    • VLAN Tag Handler
    • Traffic Monitor
    • Packet Generator
  • Hardware
    • NetFPGA PCI card
    • PCs

  10. Applications
  • Traffic Management
    • To block or monitor malicious traffic
    • To avoid VLAN hopping attacks

  11. Monitoring Malicious Traffic
  • In this application we will monitor the incoming traffic and record the traffic information (protocol assigned number, source IP address, and a counter of any packets dropped).
  • This data is verified against the blacklisted IP list.
  • Based upon the internal policies we can drop the traffic or generate alerts.

  12. What is a VLAN hopping attack?
  • This is a computer security exploit, a method of attacking networked resources on a VLAN.
  • In a double tagging attack, an attacking host prepends two VLAN tags to the packets that it transmits. The first header (which corresponds to the VLAN that the attacker is really a member of) is stripped off by the first switch the packet encounters, and the packet is then forwarded.
  • The second, false, header is then visible to the second switch that the packet encounters. This false VLAN header indicates that the packet is destined for a host on a second, target VLAN. The packet is then sent to the target host as though it were layer 2 traffic. By this method, the attacking host can bypass layer 3 security measures that are used to logically isolate hosts from one another.

  13. VLAN HOPPING ATTACK

  14. Avoid VLAN Hopping Attacks
  • We intend to configure a VLAN setup and analyze the packets that flow between two hosts in the same VLAN.
  • We need to uniquely identify the hosts that are communicating based upon the packets transmitted.
  • Based upon that identifier, drop packets if we discover a VLAN hopping attack.

  15. FLOW TABLE ENTRIES
  • The schemes below could be used to prevent the VLAN hopping attack.
  • We would use the fields captured in the flow table, or identify fields that uniquely identify the hosts.
  • We could use the Squash Authentication scheme to authenticate the source before initiating the VLAN connection, to avoid hopping.
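As an added example, not part of the slides or the project's code, the following Python sketch shows the controller-side decision for slides 11 and 14: it parses a packet-in frame, walks stacked 802.1Q tags to catch the double tagging described on slide 12, checks the IPv4 source against a blocklist, and keeps the dropped-packet counter that slide 11 calls for. The blocklist entry, the MAC addresses and the `build_frame` helper are constructed for the example and use documentation address ranges.

```python
import struct
from collections import Counter
from ipaddress import ip_address

ETH_HDR = 14
ETHERTYPE_VLAN = 0x8100  # 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
BLOCKLIST = {ip_address("203.0.113.7")}  # constructed: documentation address, not a real indicator
DROPPED = Counter()  # (source, protocol) -> packets dropped, as slide 11 describes

def parse_frame(frame):
    """Return (vlan_ids, ethertype, src_ip, ip_proto); IP fields are None if not IPv4."""
    if len(frame) < ETH_HDR:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, vlan_ids = ETH_HDR, []
    while ethertype == ETHERTYPE_VLAN:  # walk every stacked tag, not just the first
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VID
        offset += 4
    src_ip = ip_proto = None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        ip_proto = frame[offset + 9]
        src_ip = ip_address(frame[offset + 12:offset + 16])
    return vlan_ids, ethertype, src_ip, ip_proto

def decide(frame, blocklist=BLOCKLIST):
    """Controller policy for a packet-in: ('drop' or 'forward', reason)."""
    vlan_ids, _, src_ip, ip_proto = parse_frame(frame)
    if len(vlan_ids) > 1:
        reason = f"stacked 802.1Q tags {vlan_ids}: possible VLAN hopping"
    elif src_ip in blocklist:
        reason = f"source {src_ip} is blocklisted"
    else:
        return "forward", "no policy match"
    DROPPED[(str(src_ip), ip_proto)] += 1
    return "drop", reason

def build_frame(vlan_ids, src_ip, ip_proto=6):
    """Constructed frame: Ethernet header, optional 802.1Q tags, minimal IPv4 header."""
    frame = bytes.fromhex("00005e005301" "00005e005302")  # documentation MACs
    for vid in vlan_ids:
        frame += struct.pack("!HH", ETHERTYPE_VLAN, vid)
    frame += struct.pack("!H", ETHERTYPE_IPV4)
    frame += struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, ip_proto, 0,
                         ip_address(src_ip).packed, ip_address("192.0.2.1").packed)
    return frame
```

In a real controller the "drop" result would be installed as a drop flow entry for that source so later packets never reach the controller; here the decision is returned so it can be checked directly.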

  16. Result
  • Making the switch act as a basic firewall
  • Preventing VLAN hopping attacks

  17. Ref-Flow Entry
  • 1. Forward this flow's packets to a given port (or ports). This allows packets to be routed through the network. In most switches this is expected to take place at line rate.
  • 2. Encapsulate and forward this flow's packets to a controller. The packet is delivered to the Secure Channel, where it is encapsulated and sent to a controller. Typically used for the first packet in a new flow, so a controller can decide if the flow should be added to the Flow Table. In some experiments, it could be used to forward all packets to a controller for processing.
  • 3. Drop this flow's packets. Can be used for security, to curb denial of service attacks, or to reduce spurious broadcast discovery traffic from end-hosts.
  • 4. Forward this flow's packets through the switch's normal processing pipeline.

  18. OpenFlowSwitch-NetFPGA-TrafficMgmt http://openflowswitch-netfpga-trafficmgmt.wikispaces.asu.edu/
