Traffic Management - OpenFlow
Switch on the NetFPGA platform
Chun-Jen Chung (1203584897)
Sriram Gopinath (1203800749)
Outline
• OpenFlow Switch
• NetFPGA
• Required Software and Hardware
• Applications
• Expected Results
OpenFlow
• OpenFlow is an open standard to deploy new innovative protocols in
the real networking environment.
• OpenFlow is an open interface for remotely controlling the
forwarding tables in network switches, routers, and access points.
• OpenFlow provides an open protocol to program the flow table in
different switches and routers.
• An OpenFlow Switch consists of at least three parts:
(1) A Flow Table, with an action associated with each flow
entry, to tell the switch how to process the flow
(2) A Secure Channel that connects the switch to a remote
control process (called the controller), allowing commands and
packets to be sent between a controller and the switch
(3) The OpenFlow Protocol, which provides an open and
standard way for a controller to communicate with a switch.
IP Router vs. OpenFlow Switch
• In a classical router or switch, the fast packet forwarding (data
path) and the high level routing decisions (control path) occur on
the same device.
• An OpenFlow Switch separates these two functions. The data path
portion still resides on the switch, while high-level routing
decisions are moved to a separate controller, typically a standard
server.
Idealized OpenFlow Switch
• The OpenFlow Switch and Controller communicate via the OpenFlow
protocol, which defines messages such as packet-received, send-packet-out, modify-forwarding-table, and get-stats.
How does an OpenFlow Switch work?
• When an OpenFlow Switch receives a packet it has never seen
before, for which it has no matching flow entries, it sends this
packet to the controller.
• The controller then makes a decision on how to handle this packet.
It can drop the packet, or it can add a flow entry directing the
switch on how to forward similar packets in the future.
OpenFlow Protocol
• The data path of an OpenFlow Switch presents a clean flow
table abstraction – each flow table entry contains a set of
packet fields to match, and an action.
• OpenFlow Type 0 switch
– Three required actions:
• Forward to a specific set of output ports
• Encapsulate and send to the controller
• Drop
Advantages of OpenFlow
• OpenFlow allows you to easily deploy innovative routing and
switching protocols in your network.
• Amenable to high-performance and low-cost implementations.
• Capable of supporting a broad range of research.
• Assured to isolate experimental traffic from production traffic.
• Consistent with vendors’ need for closed platforms.
NetFPGA
• The NetFPGA is a low-cost platform, primarily designed as a
tool for teaching networking hardware and router design.
• NetFPGA consists of three parts
– Hardware (components of the PCI card)
• Xilinx Virtex-II Pro 50
• 4x 1 Gigabit Ethernet ports
• 2x 18MB Static RAM (SRAM)
• 64 MB DDR DRAM
– Gateware (hardware description source code)
• IPv4 router or 4-port NIC
– Software (device drivers, utilities, router control
packages)
NetFPGA Software and Hardware
• Software
– CentOS
– NetFPGA Package
– OpenFlow Package
• VLAN Tag Handler
• Traffic Monitor
– Packet Generator
• Hardware
– NetFPGA – PCI card
– Multiple PCs
Applications
• Traffic Management
– To block or monitor malicious traffic
– To prevent VLAN hopping attacks
Monitoring Malicious Traffic
• In this application we will monitor the incoming traffic and record the
traffic information (protocol assigned number, source IP
address, and a packet counter of any packets dropped).
• This data would be checked against the blacklisted IP list.
• Based upon the internal policies we can drop the traffic or generate
alerts.
What is a VLAN hopping attack?
• This is a computer security exploit, a method of attacking networked
resources on a VLAN.
• In a double tagging attack, an attacking host prepends two VLAN tags
to the packets that it transmits. The first header (which corresponds to
the VLAN that the attacker is really a member of) is stripped off by the
first switch the packet encounters, and the packet is then
forwarded.
• The second, false, header is then visible to the second switch that
the packet encounters. This false VLAN header indicates that the
packet is destined for a host on a second, target VLAN. The packet is
then sent to the target host as though it were layer 2 traffic. By this
method, the attacking host can bypass layer 3 security measures
that are used to logically isolate hosts from one another.
VLAN HOPPING ATTACK
Prevent VLAN Hopping Attack
The following schemes could be used to defend against the VLAN hopping
attack.
• Use the fields captured in the flow table, or identify fields that
uniquely identify the hosts in the VLAN.
• Use the Squash authentication scheme to authenticate the source
before initiating the VLAN connection.
Prevent VLAN Hopping Attack
Flow Header Entry
• We intend to configure a VLAN setup and analyze the packets that
flow between two hosts in the same VLAN.
• We need to uniquely identify the host in a VLAN based upon the
packets transmitted.
• Based upon the identifier, drop packets if we discover any VLAN
hopping attack.
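As an added example, not code from the slides or the project: a small Python model of the data path described above (a flow table whose entries carry match fields and an action, with a packet-in to the controller on a table miss), a controller policy that installs drop entries for double-tagged frames and for blacklisted source IPs, and a per-entry packet counter as the monitoring slide proposes. Frames, VLAN IDs and the blacklist are constructed, and the match-field names are this example's own, not OpenFlow wire-format names.

```python
import struct
ETH_P_8021Q, ETH_P_IP = 0x8100, 0x0800

def build_frame(src_ip, vids, proto=6):
    """Constructed test frame: zero MACs, one 802.1Q tag per VID, minimal IPv4 header."""
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, vid) for vid in vids)
    ip = bytearray(20)
    ip[0], ip[9], ip[12:16] = 0x45, proto, bytes(int(o) for o in src_ip.split("."))
    return bytes(12) + tags + struct.pack("!H", ETH_P_IP) + bytes(ip)

def extract_fields(frame):
    """Header fields the flow table matches on: VLAN tag count, IP protocol, source IP."""
    offset, vids, ethertype = 12, [], struct.unpack("!H", frame[12:14])[0]
    while ethertype == ETH_P_8021Q:             # walk every stacked 802.1Q tag
        vids.append(struct.unpack("!H", frame[offset + 2:offset + 4])[0] & 0x0FFF)
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    fields = {"vlan_count": len(vids), "proto": None, "src_ip": None}
    if ethertype == ETH_P_IP:
        ip = frame[offset + 2:]
        fields["proto"], fields["src_ip"] = ip[9], ".".join(str(b) for b in ip[12:16])
    return fields

def lookup(table, fields):
    """Flow-table lookup: first entry whose match fields all equal the packet's wins."""
    for entry in table:                         # entry = {"match": {...}, "action": str, "packets": int}
        if all(fields.get(k) == v for k, v in entry["match"].items()):
            entry["packets"] += 1               # per-entry counter (dropped packets included)
            return entry["action"]
    return "controller"                         # table miss: encapsulate and send to the controller

def controller_policy(fields, blacklist):
    """Controller decision on a packet-in: returns the flow entry to install."""
    if fields["vlan_count"] > 1:                # stacked tags = double-tagging (VLAN hopping) attempt
        match, action = {"vlan_count": fields["vlan_count"]}, "drop"
    elif fields["src_ip"] in blacklist:         # source is on the blacklisted IP list
        match, action = {"src_ip": fields["src_ip"]}, "drop"
    else:
        match, action = {"src_ip": fields["src_ip"], "vlan_count": 1}, "forward"
    return {"match": match, "action": action, "packets": 0}

def process(table, frame, blacklist):
    """Switch data path: lookup, packet-in to the controller on miss, install, re-lookup."""
    fields = extract_fields(frame)
    action = lookup(table, fields)
    if action == "controller":
        table.append(controller_policy(fields, blacklist))
        action = lookup(table, fields)
    return action
```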
Squash Algorithm
ADVANTAGES
• Lower power consumption
• Good security
• Speed
Result
• Making a switch act as a basic firewall
• Prevent VLAN hopping attack
Wiki Link
OpenFlowSwitch-NetFPGA-TrafficMgmt
http://openflowswitch-netfpga-trafficmgmt.wikispaces.asu.edu/