Traffic Management - OpenFlow Switch on the NetFPGA platform
Chun-Jen Chung (1203584897), Sriram Gopinath (1203800749)
Outline
• OpenFlow Switch
• NetFPGA
• Required Software and Hardware
• Applications
• Expected Results
OpenFlow
• OpenFlow is an open standard for deploying new, innovative protocols in a real networking environment.
• OpenFlow is an open interface for remotely controlling the forwarding tables in network switches, routers, and access points.
• OpenFlow provides an open protocol to program the flow table in different switches and routers.
• An OpenFlow Switch consists of at least three parts:
(1) A Flow Table, with an action associated with each flow entry, to tell the switch how to process the flow
(2) A Secure Channel that connects the switch to a remote control process (called the controller), allowing commands and packets to be sent between a controller and the switch
(3) The OpenFlow Protocol, which provides an open and standard way for a controller to communicate with a switch
IP Router vs. OpenFlow Switch
• In a classical router or switch, fast packet forwarding (the data path) and high-level routing decisions (the control path) occur on the same device.
• An OpenFlow Switch separates these two functions. The data path portion still resides on the switch, while high-level routing decisions are moved to a separate controller, typically a standard server.
Idealized OpenFlow Switch
• The OpenFlow Switch and Controller communicate via the OpenFlow protocol, which defines messages such as packet-received, send-packet-out, modify-forwarding-table, and get-stats.
How does an OpenFlow Switch work?
• When an OpenFlow Switch receives a packet it has never seen before, for which it has no matching flow entries, it sends this packet to the controller.
• The controller then decides how to handle this packet. It can drop the packet, or it can add a flow entry directing the switch on how to forward similar packets in the future.
OpenFlow Protocol
• The data path of an OpenFlow Switch presents a clean flow table abstraction: each flow table entry contains a set of packet fields to match, and an action.
• OpenFlow Type 0 switch
• Three required actions:
  • Forward to a specific set of output ports
  • Encapsulate and send to the controller
  • Drop
Advantages of OpenFlow
• OpenFlow allows you to easily deploy innovative routing and switching protocols in your network.
• Amenable to high-performance and low-cost implementations.
• Capable of supporting a broad range of research.
• Assured to isolate experimental traffic from production traffic.
• Consistent with vendors’ need for closed platforms.
NetFPGA
• The NetFPGA is a low-cost platform, primarily designed as a tool for teaching networking hardware and router design.
• NetFPGA consists of three parts:
  • Hardware (components of the PCI card)
    • Xilinx Virtex-II Pro 50
    • 4x 1 Gigabit Ethernet ports
    • 2x 18 MB Static RAM (SRAM)
    • 64 MB DDR DRAM
  • Gateware (hardware description source code)
    • IPv4 router or 4-port NIC
  • Software (device drivers, utilities, router control packages)
Software and Hardware
• Software
  • CentOS
  • NetFPGA Package
  • OpenFlow Package
  • VLAN Tag Handler
  • Traffic Monitor
  • Packet Generator
• Hardware
  • NetFPGA PCI card
  • Multiple PCs
Applications
• Traffic Management
  • To block or monitor malicious traffic
  • To prevent VLAN hopping attacks
Monitoring Malicious Traffic
• In this application we will monitor the incoming traffic and record its traffic information (the assigned protocol number, the source IP address, and a counter of packets dropped).
• This data would be checked against the blacklisted IP list.
• Based on the internal policies we can drop the traffic or generate alerts.
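The flow-table abstraction from the OpenFlow Protocol slide (match fields plus an action, table misses sent to the controller, per-entry counters read back by get-stats) and the blacklist policy on this slide, worked through together in an added Python simulation. This is example code written for this page, not code from the slides, the NetFPGA package or the OpenFlow reference switch; the Match fields, the static host-to-port map, the blacklisted address and the sample packets are all constructed assumptions.

```python
"""Simulation of an OpenFlow Type 0 data path (flow table + packet-in to a
controller) with a controller policy that drops blacklisted source IPs and
raises an alert. Added example with constructed data, not the slides' code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The three required actions of an OpenFlow Type 0 switch
FORWARD, TO_CONTROLLER, DROP = "forward", "controller", "drop"
ALL_PORTS = (0, 1, 2, 3)  # the four 1 GbE ports of the NetFPGA card


@dataclass(frozen=True)
class Match:
    """Header fields a flow entry matches on (a subset of the OpenFlow Type 0
    fields, assumed for this example); None means wildcard."""
    in_port: Optional[int] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None  # IP protocol number: 1 ICMP, 6 TCP, 17 UDP

    def hits(self, pkt: Dict) -> bool:
        return all(value is None or pkt.get(name) == value
                   for name, value in vars(self).items())


@dataclass
class FlowEntry:
    match: Match
    action: str
    out_ports: Tuple[int, ...] = ()
    packets: int = 0  # per-entry counter, what a get-stats request reads back


class Controller:
    """Remote control process: decides table misses and installs entries."""

    def __init__(self, blacklist, host_ports: Dict[str, int]):
        self.blacklist = set(blacklist)       # constructed blacklisted IP list
        self.host_ports = dict(host_ports)    # constructed static host -> port map
        self.packet_ins = 0
        self.alerts: List[str] = []

    def packet_in(self, switch: "Switch", pkt: Dict) -> FlowEntry:
        self.packet_ins += 1
        if pkt["src_ip"] in self.blacklist:
            # policy: drop everything from a blacklisted source and alert
            self.alerts.append(
                f"blacklisted source {pkt['src_ip']} seen on port {pkt['in_port']}")
            entry = FlowEntry(Match(src_ip=pkt["src_ip"]), DROP)
        else:
            port = self.host_ports.get(pkt["dst_ip"])
            out = ((port,) if port is not None
                   else tuple(p for p in ALL_PORTS if p != pkt["in_port"]))
            entry = FlowEntry(
                Match(src_ip=pkt["src_ip"], dst_ip=pkt["dst_ip"], proto=pkt["proto"]),
                FORWARD, out)
        switch.table.append(entry)  # modify-forwarding-table message
        return entry


class Switch:
    """Data path: first matching entry wins; a miss goes to the controller."""

    def __init__(self, controller: Controller):
        self.controller = controller
        self.table: List[FlowEntry] = []
        self.forwarded: List[Tuple[Dict, Tuple[int, ...]]] = []

    def receive(self, pkt: Dict) -> str:
        entry = next((e for e in self.table if e.match.hits(pkt)), None)
        action = entry.action if entry else TO_CONTROLLER
        if action == TO_CONTROLLER:
            # table miss: encapsulate and send to the controller (packet-in)
            entry = self.controller.packet_in(self, pkt)
            action = entry.action
        entry.packets += 1
        if action == FORWARD:
            self.forwarded.append((pkt, entry.out_ports))  # send-packet-out
        return action


def run_demo():
    ctl = Controller(blacklist={"203.0.113.9"},
                     host_ports={"10.0.0.1": 0, "10.0.0.2": 1})
    sw = Switch(ctl)
    # constructed sample traffic: two TCP packets of one flow, then two
    # packets from the blacklisted address
    pkts = [
        {"in_port": 0, "src_ip": "10.0.0.1", "dst_ip": "10.0.0.2", "proto": 6},
        {"in_port": 0, "src_ip": "10.0.0.1", "dst_ip": "10.0.0.2", "proto": 6},
        {"in_port": 2, "src_ip": "203.0.113.9", "dst_ip": "10.0.0.2", "proto": 17},
        {"in_port": 2, "src_ip": "203.0.113.9", "dst_ip": "10.0.0.1", "proto": 1},
    ]
    actions = [sw.receive(p) for p in pkts]
    return actions, ctl.packet_ins, ctl.alerts, sw.table


if __name__ == "__main__":
    actions, misses, alerts, table = run_demo()
    print("actions:", actions)
    print("packet-in messages:", misses, "alerts:", alerts)
    for e in table:
        print(f"{e.action:8s} {e.match} packets={e.packets}")
```

Only the first packet of each flow reaches the controller; the second TCP packet and the second blacklisted packet are handled entirely on the data path by the installed entries, and the drop entry's counter is what the monitoring slide's "packets dropped" figure would read from.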
What is a VLAN hopping attack?
• It is a computer security exploit: a method of attacking networked resources on a VLAN.
• In a double tagging attack, an attacking host prepends two VLAN tags to the packets it transmits. The first header (which corresponds to the VLAN the attacker is really a member of) is stripped off by the first switch the packet encounters, and the packet is then forwarded.
• The second, false, header is then visible to the second switch the packet encounters. This false VLAN header indicates that the packet is destined for a host on a second, target VLAN. The packet is then sent to the target host as though it were layer 2 traffic. By this method, the attacking host can bypass layer 3 security measures that are used to logically isolate hosts from one another.
Preventing VLAN Hopping Attacks
• The schemes below could be used to defend against the VLAN hopping attack.
• We would use the fields captured in the flow table, or identify fields that uniquely identify the hosts in the VLAN.
• We could use the Squash authentication scheme to authenticate the source before initiating the VLAN connection.
Preventing VLAN Hopping Attacks
• We intend to configure a VLAN setup and analyze the packets that flow between two hosts in the same VLAN.
• We need to uniquely identify each host in a VLAN based on the packets it transmits.
• Based on that identifier, drop packets if we discover a VLAN hopping attack.
Figure: Flow Header Entry
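The check these two slides describe, as an added Python example that is not the project's code: a parser for stacked 802.1Q tags on an Ethernet frame, and a guard on the switch's host-facing ports that drops a frame carrying more than one tag, a frame tagged for a VLAN the port does not belong to, or a frame from a source MAC already pinned to a different port/VLAN. The 802.1Q header layout (EtherType 0x8100 or 0x88A8 followed by a 16-bit TCI whose low 12 bits are the VID) is standard; the access-VLAN map, the host MACs and the sample frames are constructed for the demo.

```python
"""Parse stacked 802.1Q tags and apply a VLAN-hopping guard on host-facing
ports. Added example with constructed frames, not the slides' code."""
import struct
from typing import Dict, List, Tuple

# EtherTypes that announce a VLAN tag: 802.1Q customer tag, 802.1ad service tag
TAG_ETHERTYPES = {0x8100, 0x88A8}


def parse_vlan_tags(frame: bytes) -> Tuple[bytes, bytes, List[int], int]:
    """Return (dst_mac, src_mac, [vid, ...] outer-first, inner ethertype)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    vids: List[int] = []
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    while ethertype in TAG_ETHERTYPES:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)          # low 12 bits of the TCI are the VID
        offset += 4
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    return dst, src, vids, ethertype


def build_frame(dst: bytes, src: bytes, vids: List[int], ethertype: int = 0x0800,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed test frame with zero or more 802.1Q tags (PCP/DEI = 0)."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


class VlanGuard:
    """Drops frames that could hop VLANs and pins each host to one port/VLAN."""

    def __init__(self, access_vlan: Dict[int, int]):
        self.access_vlan = dict(access_vlan)            # host-facing port -> VLAN
        self.hosts: Dict[bytes, Tuple[int, int]] = {}   # src MAC -> (port, VLAN)
        self.log: List[str] = []

    def check(self, port: int, frame: bytes) -> str:
        dst, src, vids, _ = parse_vlan_tags(frame)
        vlan = self.access_vlan[port]
        mac = src.hex(":")
        if len(vids) > 1:
            reason = f"double-tagged frame {vids} from {mac} on port {port}"
        elif vids and vids[0] != vlan:
            reason = f"tag {vids[0]} from {mac} on port {port} is not access VLAN {vlan}"
        else:
            # the (port, VLAN) pair is the host's identifier; first sighting pins it
            identity = self.hosts.setdefault(src, (port, vlan))
            if identity != (port, vlan):
                reason = f"host {mac} already identified as port/VLAN {identity}"
            else:
                return "forward"
        self.log.append("drop: " + reason)
        return "drop"


def run_demo() -> Tuple[List[str], List[str]]:
    guard = VlanGuard(access_vlan={0: 10, 1: 10, 2: 20})   # constructed port map
    h1, h2, h3 = (bytes.fromhex(m) for m in
                  ("020000000001", "020000000002", "020000000003"))
    cases = [
        (0, build_frame(h2, h1, [])),         # untagged, host on VLAN 10
        (0, build_frame(h2, h1, [10])),       # tagged with its own VLAN
        (2, build_frame(h2, h3, [20, 10])),   # two stacked tags
        (2, build_frame(h2, h3, [10])),       # tag for a VLAN the port is not in
        (1, build_frame(h2, h1, [])),         # h1's MAC appearing on another port
    ]
    return [guard.check(p, f) for p, f in cases], guard.log


if __name__ == "__main__":
    decisions, log = run_demo()
    print(decisions)
    print("\n".join(log))
```

The host table here never ages out, so a legitimately moved host is dropped until the entry is cleared; a deployment would expire entries or tie them to the flow-table statistics rather than keep them forever.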
Squash Algorithm Advantages
• Lower power consumption
• Good security
• Speed
Result
• Making a switch act as a basic firewall
• Preventing VLAN hopping attacks
Wiki Link
OpenFlowSwitch-NetFPGA-TrafficMgmt: http://openflowswitch-netfpga-trafficmgmt.wikispaces.asu.edu/