180 likes | 401 Views
Traffic Management - OpenFlow Switch on the NetFPGA platform. Chun-Jen Chung(1203584897) Sriram Gopinath (1203800749). OpenFlow. OpenFlow is an open standard that enables researchers to run experimental protocols in the campus networks we use every day.
E N D
Traffic Management - OpenFlowSwitch on the NetFPGA platform Chun-Jen Chung(1203584897) SriramGopinath(1203800749)
OpenFlow • OpenFlowis an open standard that enables researchers to run experimental protocols in the campus networks we use every day. • OpenFlow is an open interface for remotely controlling the forwarding tables in network switches, routers, and access points. It provides an open protocol to program the flow-table in different switches and routers. • An OpenFlow Switch consists of at least three parts: (1) A Flow Table, with an action associated with each flow entry, to tell the switch how to process the flow (2) A Secure Channel that connects the switch to a remote control process (called the controller), allowing commands and packets to be sent between a controller and the switch (3) The OpenFlow Protocol, which provides an open and standard way for a controller to communicate with a switch.
How OpenFlow works? • In a classical router or switch, the fast packet forwarding (data path) and the high level routing decisions (control path) occur on the same device. • An OpenFlow Switch separates these two functions. The data path portion still resides on the switch, while high-level routing decisions are moved to a separate controller, typically a standard server. • The OpenFlow Switch and Controller communicate via the OpenFlow protocol, which defines messages, such as packet-received, send-packet-out, modify-forwarding-table, and get-stats. • The data path of an OpenFlow Switch presents a clean flow table abstraction – each flow table entry contains a set of packet fields to match, and an action (such as send-out-port, modify-field, or drop). • When an OpenFlow Switch receives a packet it has never seen before, for which it has no matching flow entries, it sends this packet to the controller. • The controller then makes a decision on how to handle this packet. It can drop the packet, or it can add a flow entry directing the switch on how to forward similar packets in the future.
Advantages of OPEN FLOW • OpenFlowallows you to easily deploy innovative routing and switching protocols in your network. • Amenable to high-performance and low-cost implementations. • Capable of supporting a broad range of research. • Assured to isolate experimental traffic from production traffic. • Consistent with vendors’ need for closed platforms.
OpenFlow Switch Implementation for NetFPGA platform • NetFPGA is a platform that enables students and researchers to experiment with Gigabit rate networking hardware • The NetFPGA is a PCI card that contains a large Xilinx FPGA, 4 Gigabit Ethernet ports, Static RAM (SRAM), Double-Date Rate (DDR2) Dynamic RAM (DRAM). • The card design is open-source and the hardware is available at very low cost . • A complete network hardware platform implemented with Field Programmable Gate Array (FPGA) logic • Put a NetFPGA into a PC to build your own hardware-accelerated, gigabit-speed: Any-protocol router Cycle-accurate measurement device Firewall / IDS / IDP Network appliance
NetFPGA • NetFPGA consist of three parts • Hardware (Components of PCI card) • Gateware ( Hardware description source code) • Software (Device drivers, utilities, router control packages)
Software and Hardware • Software • CentOS • NetFPGA Package • OpenflowPackage • VLAN Tag Handler • Traffic Monitor • Packet Generator • Hardware • NetFPGA – PCI card • PCs
Applications • Traffic Management • To block or monitor the malicious traffic • To avoid VLan Hopping Attack
Monitoring Malicious Traffic • In this application we will monitor the incoming traffic to take into account the traffic information (Protocol Assign Number, source IP address, and a packet counter of any packed dropped through). • This data would be verifiedwith the Black listed IP list • Based upon the internal policies we can drop the traffic or generate alerts
What is a VLAN hopping attack? • This is computer security exploit, a method of attacking networked resources on a VLAN • A double tagging attack, an attacking host prepends two VLAN tags to packets that it transmits. The first header (which corresponds to the VLAN that the attacker is really a member of) is stripped off by a first switch the packet encounters, and the packet is then forwarded. • The second, false, header is then visible to the second switch that the packet encounters. This false VLAN header indicates that the packet is destined for a host on a second, target VLAN. The packet is then sent to the target host as though it were layer 2 traffic. By this method, the attacking host can bypass layer 3 security measures that are used to logically isolate hosts from one another.
Avoid VLan Hopping Attack • We intend to configure a VLAN setup and analyze the packets that flow between two hosts in the same VLAN • Need to uniquely identify the host that are communicating based upon the packets transmitted • Based upon the identifier drop packets if we discover any VLAN hopping attack.
FLOW TABLE ENTRIES • The below schemes could be used to evade the VLAN hopping attack. • We would be using the fields captured in the flow table or identify fields that would uniquely identify the hosts • We could be using Squash Authentication scheme to authenticate the source before initiating the VLAN connection avoid hopping.
Result • Making a switch to act as a basic firewall • Prevent VLAN hopping attack
Ref-Flow Entry • 1. Forward this flow’s packets to a given port (or ports). This allows packets to be routed through the network. In most switches this is expected to take place at line rate. • 2. Encapsulate and forward this flow’s packets to a controller. Packet is delivered to Secure Channel, where it is encapsulated and sent to a controller. Typically used for the first packet in a new flow, so a controller can decide if the flow should be added to the Flow Table. Or in some experiments, it could be used to forward all packets to a controller for processing. • 3. Drop this flow’s packets. Can be used for security, to curb denial of service attacks, or to reduce spurious broadcast discovery traffic from end-hosts. • 4. Forward this flow’s packets through the switch’s normal processing pipeline.
OpenFlowSwitch-NetFPGA-TrafficMgmt http://openflowswitch-netfpga-trafficmgmt.wikispaces.asu.edu/