Andreas Schmidt, [email protected], Telecommunications Lab

State-of-the-Art (in 2008)
Mostly proprietary hardware and software solutions (Cisco, Juniper, HP, ...).
Network innovation impeded by standardization process (IETF, ITU, et al.).
First iPhone just released!
Challenges
Increasing traffic volume and diversity (multimedia).
Increasing mobile usage of the web and online services.
How to serve all these cat videos to smartphones?
Software-Defined Networking
First paper on OpenFlow released [McKeown2008].
Liberalized the networking hardware market.
Shortcuts standardization processes (accelerates innovation).
Saves real money.
Required for networks to not break down when a new Game of Thrones episode airs.
Control Plane: Decide Packet Routing
Dictates who can connect to whom.
Implements policies and access control.
Stores state and information about the network's composition.

Data Plane: Execute Packet Forwarding
Move packets from port to port.
Duplicate packets (multicast).
Manipulate packet header information (NAT, QoS tagging).
Drop packets (firewall, IPS, ...).
Separation makes hardware simpler and general-purpose.
Similar graphic to [Kreutz2013].
Flow: Sequence of packets with shared traits, e.g. one connection, one sender, ...
Match: Specific values, ranges or wildcards for packet header parameters.
Node: Network device (virtual or physical) with ports and a flow table (e.g. Open vSwitch or Cisco Catalyst 4500).
Flow Table: Realization of the switching unit's semantics.
Flow Entry: Match + Actions. Entered into the node's flow table.
Match Criteria:
Information from all layers.
  Ethernet: Addresses, Types
  IP: Addresses, Protocol
  TCP/UDP: Ports
Actions:
  Output packet on switch port.
  Modify packet headers.
  Drop packet.
  Ask controller what to do.
Controller: Central (potentially replicated) instance that manages the network.
Event: Can be handled by the controller when something happens.
Message: Instruction sent by the controller to the node to advise it.
Events:
  Packet In
  Flow Removed
  Port Status
  Error
Messages:
  Packet Out
  Flow Modification
  Table Modification
  Meter Modification
Scenario: A switch S receives a packet P, not knowing where to send it.

Packet In (Event)
Switch identity (S) and physical port the packet arrived at.
Reason why it was sent to the controller (no match).
Packet Header Information: Src: IP, MAC, Port; Dst: IP, MAC, Port; IP Protocol, ToS field, ...
Packet Payload

Flow Modification (Message)
Command (e.g. Add)
Idle/Hard Timeouts (default: 10 sec).
Out-Port: Send the buffered packet to a certain port (determined by routing).
List of actions (e.g. for all packets from Src IP (P) to Dst IP (P), output packets on a certain port).
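To make the flow-table vocabulary above concrete, here is a small model of a node's flow table written for this page (it is not Ryu or OpenFlow library code; the field names, the action strings such as "output:2" and the sample packets are constructed). It shows how wildcarded matches, entry priorities and the table-miss path (the packet goes to the controller as a Packet In) work together, including a higher-priority drop entry that overrides a broader forwarding entry.

```python
from dataclasses import dataclass, fields
from typing import Dict, List, Optional

# Constructed illustration of an OpenFlow-style flow table; not library code.
ANY = None  # wildcard: this header field does not constrain the match


@dataclass(frozen=True)
class Match:
    in_port: Optional[int] = ANY
    eth_src: Optional[str] = ANY
    eth_dst: Optional[str] = ANY
    ip_src: Optional[str] = ANY
    ip_dst: Optional[str] = ANY
    ip_proto: Optional[int] = ANY   # 6 = TCP, 17 = UDP
    tp_dst: Optional[int] = ANY     # TCP/UDP destination port

    def matches(self, pkt: Dict[str, object]) -> bool:
        # A wildcarded field never disqualifies a packet; every other field must be equal.
        for f in fields(self):
            want = getattr(self, f.name)
            if want is not ANY and pkt.get(f.name) != want:
                return False
        return True


@dataclass
class FlowEntry:
    match: Match
    actions: List[str]       # constructed action strings, e.g. "output:2", "drop"
    priority: int = 0
    packet_count: int = 0    # per-flow statistic a controller can poll later


class FlowTable:
    def __init__(self) -> None:
        self.entries: List[FlowEntry] = []

    def add(self, entry: FlowEntry) -> None:
        # Keep highest priority first so lookup stops at the most specific winner.
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.priority, reverse=True)

    def lookup(self, pkt: Dict[str, object]) -> List[str]:
        for entry in self.entries:
            if entry.match.matches(pkt):
                entry.packet_count += 1
                return entry.actions
        # Table miss: no entry matches, so the node asks the controller (Packet In).
        return ["controller"]


def build_demo_table() -> FlowTable:
    """Constructed table: forward traffic to a known host, but drop telnet to it."""
    table = FlowTable()
    table.add(FlowEntry(Match(ip_dst="10.0.0.2"), ["output:2"], priority=10))
    # Without the higher priority, the broad forwarding entry above would win.
    table.add(FlowEntry(Match(ip_dst="10.0.0.2", ip_proto=6, tp_dst=23), ["drop"], priority=100))
    return table


def first_action(table: FlowTable, pkt: Dict[str, object]) -> str:
    return table.lookup(pkt)[0]


# Constructed packets: HTTP and telnet to the known host, and a packet to an unknown host.
HTTP_PKT = {"in_port": 1, "ip_src": "10.0.0.1", "ip_dst": "10.0.0.2", "ip_proto": 6, "tp_dst": 80}
TELNET_PKT = {"in_port": 1, "ip_src": "10.0.0.1", "ip_dst": "10.0.0.2", "ip_proto": 6, "tp_dst": 23}
UNKNOWN_PKT = {"in_port": 1, "ip_src": "10.0.0.1", "ip_dst": "10.0.0.9", "ip_proto": 17, "tp_dst": 53}

if __name__ == "__main__":
    table = build_demo_table()
    for name, pkt in (("http", HTTP_PKT), ("telnet", TELNET_PKT), ("unknown", UNKNOWN_PKT)):
        print(name, "->", first_action(table, pkt))
```

The table-miss branch is the point of contact with the controller: every packet that reaches it is a Packet In event, which is also why the anomaly-detection slides later say that uncommon packets are seen by the controller first.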
Networks are more flexible:
Datacenters purely work with VMs, which can be more easily integrated and migrated when using SDN (e.g. spin up more instances of a video-distribution service for streaming).
Networks are more resilient and cheaper to create and operate:
In datacenters, some hardware is always broken/offline.
Use cheaper hardware instead of expensive limited-purpose equipment.
SDN is vendor-agnostic, allowing configuration to work everywhere.
Networks can be made more secure:
Not out-of-the-box and not conceptually better.
Centralization mitigates practical problems with security implementation.
Opportunities to improve and optimize existing approaches.
Floodlight
One of the older, still maintained solutions.
Used by our lab for research and development.
Language: Java

ONOS
Focus on Internet Service Providers (ISP) to manage access networks, autonomous systems etc.
Language: Java

OpenDaylight
Focus on datacenter applications to manage clouds.
Language: Java

Ryu
Agile, component-based SDN framework.
Used in the following.
Language: Python
```python
# Learning-switch application shown on the slide (Ryu's simple_switch.py for
# OpenFlow 1.0), restored to runnable form: the imports, the RyuApp class
# wrapper and __init__ were not on the slide and are added here.
from ryu.base import app_manager
from ryu.controller import ofp_event
from ryu.controller.handler import MAIN_DISPATCHER, set_ev_cls
from ryu.lib.mac import haddr_to_bin
from ryu.lib.packet import ethernet, packet
from ryu.ofproto import ofproto_v1_0


class SimpleSwitch(app_manager.RyuApp):
    OFP_VERSIONS = [ofproto_v1_0.OFP_VERSION]

    def __init__(self, *args, **kwargs):
        super(SimpleSwitch, self).__init__(*args, **kwargs)
        self.mac_to_port = {}  # dpid -> {mac -> port}

    @set_ev_cls(ofp_event.EventOFPPacketIn, MAIN_DISPATCHER)
    def _packet_in_handler(self, ev):
        msg = ev.msg
        datapath = msg.datapath
        ofproto = datapath.ofproto

        pkt = packet.Packet(msg.data)
        eth = pkt.get_protocol(ethernet.ethernet)
        dst = eth.dst
        src = eth.src

        dpid = datapath.id
        self.mac_to_port.setdefault(dpid, {})

        # learn a mac address to avoid FLOOD next time.
        self.mac_to_port[dpid][src] = msg.in_port

        if dst in self.mac_to_port[dpid]:
            out_port = self.mac_to_port[dpid][dst]
        else:
            out_port = ofproto.OFPP_FLOOD

        actions = [datapath.ofproto_parser.OFPActionOutput(out_port)]

        # install a flow to avoid packet_in next time
        if out_port != ofproto.OFPP_FLOOD:
            self.add_flow(datapath, msg.in_port, dst, actions)

        # only attach the payload if the switch did not buffer the packet
        data = None
        if msg.buffer_id == ofproto.OFP_NO_BUFFER:
            data = msg.data

        out = datapath.ofproto_parser.OFPPacketOut(
            datapath=datapath, buffer_id=msg.buffer_id, in_port=msg.in_port,
            actions=actions, data=data)
        datapath.send_msg(out)

    def add_flow(self, datapath, in_port, dst, actions):
        ofproto = datapath.ofproto

        match = datapath.ofproto_parser.OFPMatch(
            in_port=in_port, dl_dst=haddr_to_bin(dst))

        mod = datapath.ofproto_parser.OFPFlowMod(
            datapath=datapath, match=match, cookie=0,
            command=ofproto.OFPFC_ADD, idle_timeout=0, hard_timeout=0,
            priority=ofproto.OFP_DEFAULT_PRIORITY,
            flags=ofproto.OFPFF_SEND_FLOW_REM, actions=actions)
        datapath.send_msg(mod)
```
Source: [Kreutz2013]
Specific to SDN
1. Forged or faked traffic flows.
2. Attacks on vulnerabilities in switches.
3. Attacks on control plane communication.
4. Attacks on and vulnerabilities in controllers.
5. Lack of mechanisms to ensure trust between controller and management applications.
6. Attacks on and vulnerabilities in administrative stations.
7. Lack of trusted resources for forensics and remediation.
Control traffic is secured (TLS).
  Encryption to ensure confidentiality.
    Meta-data can leak information.
  Signatures to ensure authenticity.
    Controllers only talk to legitimate switches.
    And vice-versa.
Control data is replicated.
Naive Approach: Hot-standby controller to avoid network downtime.
Intelligent Approach: Share state and load between controller instances.
More details in [Kreutz2013].
Replication:
  Multiple controllers.
  Redundant controller applications and state.
Dynamic device association:
  Managed switch should have a backup controller.
  Multiple controllers make decisions (majority vote).
Fast and reliable software update and patching:
  No software is free of flaws.
  Regular updates are mandatory.
Diversity:
  Use different vendors, controllers, switches.
  Avoid one bug making the complete network vulnerable.
Trust:
  Controller apps should not be malicious.
  Switch and controller should have mutual trust.
  Use e.g. a trusted computing base (TCB).
and more...
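The "majority vote" item above leaves open what a switch should do when its replicated controllers disagree or one of them stays silent. The function below is an added example written for this page (not from the slides, Ryu or any controller project) of one defensible rule: accept a forwarding decision only if strictly more than half of all configured controllers agree, otherwise fail closed and report every replica for investigation. The controller ids and action strings are constructed.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed illustration of quorum-based reconciliation of controller decisions.
FAIL_CLOSED = "drop"  # assumed safe default when no trustworthy majority exists


def majority_decision(votes: Dict[str, Optional[str]]) -> Tuple[str, List[str]]:
    """Return (action, suspects).

    votes maps a controller id to the action it proposed for a flow, or None
    if it did not answer in time. The majority is computed over ALL configured
    controllers, not only the responders, so that a partition or a crashed
    replica cannot shrink the quorum. With a majority, suspects lists the
    replicas that disagreed or stayed silent; without one, every replica is
    listed because none of them can be trusted more than the others.
    """
    total = len(votes)
    counts = Counter(v for v in votes.values() if v is not None)
    if not counts:
        return FAIL_CLOSED, sorted(votes)

    action, support = counts.most_common(1)[0]
    if support * 2 <= total:
        # No strict majority: fail closed rather than follow a possibly faulty replica.
        return FAIL_CLOSED, sorted(votes)

    suspects = sorted(cid for cid, v in votes.items() if v != action)
    return action, suspects


if __name__ == "__main__":
    # Constructed rounds: full agreement, one outlier, one silent plus a split vote.
    print(majority_decision({"c1": "output:3", "c2": "output:3", "c3": "output:3"}))
    print(majority_decision({"c1": "output:3", "c2": "drop", "c3": "output:3"}))
    print(majority_decision({"c1": "output:3", "c2": "output:1", "c3": None}))
```

A replica that repeatedly shows up in the suspects list is a signal for the operator: it may be running stale state, a different software version (see the diversity item), or it may be the compromised controller that threat vector 4 describes.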
Benefits
Easier deployment (no hardware involved, fewer software updates).
Finer tuning of traffic captured (aggregate statistics, no need to dig through packets).
No need for vendor support.
Additional perspectives (e.g. place functions close to end-hosts).
Examples
Firewall
Monitoring
Wiretap / Packet Sniffer
Intrusion-Detection System (IDS)
Intrusion-Prevention System (IPS)
HoneyPot / Net
Approach: Recreate security applications as virtual network functions (NFV).
Malicious users attack networks, for instance by...
...reconnaissance (port scan, network enumeration).
...accessing backdoors (port knocking, accessing uncommon ports).
...denial-of-service (malformed packets, high number of requests).
By knowing patterns of legitimate traffic, anomaly detection can be applied:
Port scans: High number of (SrcHost, DstHost, DstPort) tuples in short time.
Backdoors: Access to uncommon (DstHost, DstPort).
DoS: High number of incomplete requests to a location.
Requirements:
Efficiency: Legitimate traffic should not suffer (no significant delays).
Effectiveness: Flows are properly classified (false positive/negative rate low).
Detection:
Uncommon packets are sent to the controller first.
Installed flows are automatically monitored:
  Statistics (bytes sent/received).
  Number of connections per client.
  Traffic volume caused by client.
  Service consumed (HTTP, SMTP) and protocols used (TCP, UDP).
Prevention:
Only use routes that are proactively defined and legitimate.
Establish routes reactively, but inspect first packets.
Rate-limit users opening too many connections or sending too much data.
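The three anomaly patterns and the prevention options above can be run over the per-flow statistics a controller collects. The code below is an added example for this page (not from the slides or Ryu): the flow record layout, the thresholds, the known-service inventory and the sample flows are all constructed, and the mitigation labels stand in for whatever flow modifications a real controller application would install.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed illustration of flow-statistics anomaly detection; not library code.


@dataclass(frozen=True)
class FlowRecord:
    t: float           # time the flow was first seen (seconds, constructed)
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    dst_port: int
    bytes_sent: int    # bytes from src to dst
    bytes_recv: int    # bytes from dst back to src (0 = never answered)


# Assumed thresholds; a deployment would derive them from its own baseline traffic.
WINDOW_SEC = 10.0
SCAN_TUPLE_THRESHOLD = 20        # distinct (dst, dst_port) per source within one window
DOS_INCOMPLETE_THRESHOLD = 50    # unanswered connections to one (dst, dst_port)
EXPECTED_SERVICES = {("10.0.0.5", 80), ("10.0.0.5", 443), ("10.0.0.6", 25)}  # constructed inventory


def detect_port_scans(flows: List[FlowRecord]) -> Set[str]:
    """Sources that touch many distinct (DstHost, DstPort) pairs in a short time."""
    targets: Dict[Tuple[str, int], Set[Tuple[str, int]]] = defaultdict(set)
    for f in flows:
        window = int(f.t // WINDOW_SEC)
        targets[(f.src, window)].add((f.dst, f.dst_port))
    return {src for (src, _), seen in targets.items() if len(seen) >= SCAN_TUPLE_THRESHOLD}


def detect_backdoor_access(flows: List[FlowRecord]) -> Set[Tuple[str, str, int]]:
    """Flows to (DstHost, DstPort) pairs that are not part of the known service inventory."""
    return {(f.src, f.dst, f.dst_port) for f in flows if (f.dst, f.dst_port) not in EXPECTED_SERVICES}


def detect_dos(flows: List[FlowRecord]) -> Set[Tuple[str, int]]:
    """Locations receiving many requests that were never answered."""
    incomplete = Counter((f.dst, f.dst_port) for f in flows if f.bytes_recv == 0)
    return {loc for loc, n in incomplete.items() if n >= DOS_INCOMPLETE_THRESHOLD}


def prevention_actions(flows: List[FlowRecord]) -> Dict[str, str]:
    """Per-source mitigation: sources reaching unexpected services get their first
    packets inspected by the controller; scanners and DoS contributors are rate-limited
    (the stronger action wins when a source triggers more than one detector)."""
    actions: Dict[str, str] = {}
    for src, _dst, _port in detect_backdoor_access(flows):
        actions[src] = "inspect-first-packets"
    dos_targets = detect_dos(flows)
    for f in flows:
        if f.bytes_recv == 0 and (f.dst, f.dst_port) in dos_targets:
            actions[f.src] = "rate-limit"
    for src in detect_port_scans(flows):
        actions[src] = "rate-limit"
    return actions


def build_sample_flows() -> List[FlowRecord]:
    """Constructed flows: one normal client, one scanner, one backdoor access, one DoS."""
    flows: List[FlowRecord] = []
    for i in range(5):  # legitimate web client whose requests are answered
        flows.append(FlowRecord(1.0 + i, "10.0.0.10", "10.0.0.5", "tcp", 80, 600, 4000))
    for p in range(1, 26):  # 25 distinct ports on one host within 5 seconds, nothing answered
        flows.append(FlowRecord(0.2 * p, "10.0.0.99", "10.0.0.5", "tcp", p, 60, 0))
    flows.append(FlowRecord(12.0, "10.0.0.7", "10.0.0.6", "tcp", 2222, 900, 1200))  # uncommon port
    for k, src in enumerate(("10.0.1.1", "10.0.1.2", "10.0.1.3")):  # 60 half-open requests
        for j in range(20):
            flows.append(FlowRecord(20.0 + k + 0.01 * j, src, "10.0.0.5", "tcp", 80, 60, 0))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print("scanners:", detect_port_scans(sample))
    print("dos targets:", detect_dos(sample))
    print("actions:", prevention_actions(sample))
```

Note the efficiency requirement from the slide: none of these checks touches packet payloads, only the counters the switch already keeps per installed flow, so legitimate traffic is never delayed by the detector itself.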
Open Networking at Saarland University
Networking/telecommunications research using SDN technologies.
Development of new approaches to optimize multimedia transmissions.

Lectures
Telecommunications I: Signal Processing and Digital Transmission (WS 2016/17)
Telecommunications II: Audio-Visual Communications and Networks (SS 2017)
Future Media Internet: Video & Audio Transport - A New Paradigm (WS 2016/17)

Technical Documentation
OpenFlow 1.5 Specification
Ryu Documentation

Publications
[McKeown2008] N. McKeown, et al. - "OpenFlow: enabling innovation in campus networks", SIGCOMM Review '08
[Kreutz2013] D. Kreutz, F. Ramos, P. Verissimo - "Towards Secure and Dependable Software-Defined Networks", HotSDN '13
[He2016] L. He, C. Xu and Y. Luo - "vTC: Machine Learning Based Traffic Classification as a Virtual Network Function", SDN-NFV Sec '16