1 / 20

Traffic Management - OpenFlow Switch on the NetFPGA platform

Traffic Management - OpenFlow Switch on the NetFPGA platform. Chun-Jen Chung(1203584897) SriramGopinath (1203800749). Outline. OpenFlow Switch NetFPGA Require Software and Hardware Applications Expected Results. OpenFlow.

maisie
Download Presentation

Traffic Management - OpenFlow Switch on the NetFPGA platform

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) SriramGopinath(1203800749)

  2. Outline • OpenFlow Switch • NetFPGA • Require Software and Hardware • Applications • Expected Results

  3. OpenFlow • OpenFlowis an open standard to deploy new innovative protocols in the real networking environment. • OpenFlow is an open interface for remotely controlling the forwarding tables in network switches, routers, and access points. • OpenFlowprovides an open protocol to program the flow-table in different switches and routers. • An OpenFlow Switch consists of at least three parts: (1) A Flow Table, with an action associated with each flow entry, to tell the switch how to process the flow (2) A Secure Channel that connects the switch to a remote control process (called the controller), allowing commands and packets to be sent between a controller and the switch (3) The OpenFlow Protocol, which provides an open and standard way for a controller to communicate with a switch.

  4. IP Router vs. OpenFlow Switch • In a classical router or switch, the fast packet forwarding (data path) and the high level routing decisions (control path) occur on the same device. • An OpenFlow Switch separates these two functions. The data path portion still resides on the switch, while high-level routing decisions are moved to a separate controller, typically a standard server.

  5. Idealized OpenFlowSwitch • The OpenFlow Switch and Controller communicate via the OpenFlow protocol, which defines messages, such as packet-received, send-packet-out, modify-forwarding-table, and get-stats.

  6. How OpenFlow Switch works? • When an OpenFlow Switch receives a packet it has never seen before, for which it has no matching flow entries, it sends this packet to the controller. • The controller then makes a decision on how to handle this packet. It can drop the packet, or it can add a flow entry directing the switch on how to forward similar packets in the future.

  7. OpenFlow Protocol • The data path of an OpenFlow Switch presents a clean flow table abstraction – each flow table entry contains a set of packet fields to match, and an action. • Open Flow Type 0 switch • Three required actions: • Forward to a specific set of output ports • Encapsulate and send to the controller • Drop

  8. Advantages of OpenFlow • OpenFlowallows you to easily deploy innovative routing and switching protocols in your network. • Amenable to high-performance and low-cost implementations. • Capable of supporting a broad range of research. • Assured to isolate experimental traffic from production traffic. • Consistent with vendors’ need for closed platforms.

  9. NetFPGA • The NetFPGA is a low-cost platform, primarily designed as a tool for teaching networking hardware and router design. • NetFPGAconsist of three parts • Hardware (Components of PCI card) • Xilinx Virtex-II Pro 50 • 4x 1 Gigabit Ethernet ports • 2x 18MB Static RAM (SRAM) • 64 MB DDR DRAM • Gateware ( Hardware description source code) • IPv4 router or 4-port NIC • Software (Device drivers, utilities, router control packages)

  10. NetFPGA

  11. Software and Hardware • Software • CentOS • NetFPGA Package • Openflow Package • VLAN Tag Handler • Traffic Monitor • Packet Generator • Hardware • NetFPGA – PCI card • Multiple PCs

  12. Applications • Traffic Management • To block or monitor the malicious traffic • To preventVLan Hopping Attack

  13. Monitoring Malicious Traffic • In this application we will monitor the incoming traffic to take into account the traffic information (Protocol Assign Number, source IP address, and a packet counter of any packed dropped through). • This data would be verified with the Black listed IP list • Based upon the internal policies we can drop the traffic or generate alerts

  14. What is a VLAN hopping attack? • This is computer security exploit, a method of attacking networked resources on a VLAN • A double tagging attack, an attacking host prepends two VLAN tags to packets that it transmits. The first header (which corresponds to the VLAN that the attacker is really a member of) is stripped off by a first switch the packet encounters, and the packet is then forwarded. • The second, false, header is then visible to the second switch that the packet encounters. This false VLAN header indicates that the packet is destined for a host on a second, target VLAN. The packet is then sent to the target host as though it were layer 2 traffic. By this method, the attacking host can bypass layer 3 security measures that are used to logically isolate hosts from one another.

  15. VLAN HOPPING ATTACK

  16. Prevent VLan Hopping Attack • The below schemes could be used to evade the VLAN hopping attack. • We would be using the fields captured in the flow table or identify fields that would uniquely identify the hosts in the VLAN • We could be using Squash Authentication scheme to authenticate the source before initiating the VLAN connection

  17. PreventVLan Hopping Attack • We intend to configure a VLAN setup and analyze the packets that flow between two hosts in the same VLAN • Need to uniquely identify the host in a VLAN based upon the packets transmitted • Based upon the identifier drop packets if we discover any VLAN hopping attack. Flow Header Entry

  18. Squash Algorithm ADDVANTAGE • Lower Power consumption • Good Security • Speed

  19. Result • Making a switch to act as a basic firewall • Prevent VLAN hopping attack

  20. Wiki Link OpenFlowSwitch-NetFPGA-TrafficMgmt http://openflowswitch-netfpga-trafficmgmt.wikispaces.asu.edu/

More Related