Garrett Drown Tianyi Xing Group #4 CSE548 – Advanced Computer Network Security.


What are Virtual Trusted Domains? A virtual trusted domain (VTD) is a collection of machines, regardless of physical boundaries, that trust one another.

 Low-cost platform, primarily designed as a tool for teaching networking hardware and router design

 Create and manage virtual trusted domains for virtual machines through the use of a NetFPGA.
 Provide the virtual machines with reliable, secure, and fast connections to others in their virtual trusted domain.

[Architecture diagram: a PC sends PING traffic; the OpenFlow protocol runs between the controller and the NetFPGA. Userspace: controller, ofprotocol. Kernel / hardware: ofdatapath.ko, ofdatapath_netfpga.ko, openflow_switch.bit]

Roadmap of project:
 By midterm:
   Research how to program NetFPGAs.
   Research and design an implementation of Virtual Trusted Domains on a NetFPGA.
   Research Path Splicing, which implements features similar to those we would like to use in our project.
   Set up the environment and begin coding our program, which creates and manages Virtual Trusted Domains on a NetFPGA.
   Find and (time permitting) set up an existing similar solution for VTDs, if there is one, as a basis for our work.
 By final:
   Modify the existing solution which can, or potentially can, implement the VTD.
   Deploy the program and set up a test-bed on a NetFPGA.
   Test and debug.
   Complete the final documents.

NetFPGAs:
 Programming will be done in Verilog.
 We will be using the Xilinx ISE Design Suite.
 The NetFPGA Project primarily consists of open source hardware. As a result, there is a lot of open source hardware available that we may use in our project.
Still to do:
 In-depth exploration of the packet handling code.

Virtual Trust Domains (VTDs):
 The concept of VTDs is still being developed and is not yet a concrete idea.
 Some developers are designing VTDs in such a way that all members must use the same security policies.
 Other developers (such as IBM) believe that each computer should run a service which rates the computer's security level. Based on this rating, other computers in the VTD can choose whether or not to trust it.

Virtual Trust Domains (VTDs):
 The core idea is still the same: a collection of machines, regardless of physical boundaries, that trust one another based on the security policies each of them uses.

Idea so far:
 Have the controller maintain and use a database which contains the list of approved "members" and other settings (required security policy strength, etc.).
 The OpenFlow packet header will be modified to include the user's security policy and the VTD he wishes to communicate with.
 The flow table will maintain good performance by "caching" the controller's database as needed.
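The controller-side idea above (a database of approved members with a required policy strength per VTD, and a flow table that caches the controller's decisions), as an added illustration in Python that is not the project's own code. The database contents and ids are constructed, and the modified header fields are modelled as plain (source, VTD, policy) tuples; the `revoke` method shows why a cached decision has to be flushed when membership changes.

```python
from collections import OrderedDict

# Constructed sample database (hypothetical ids): VTD id -> required policy
# strength and the set of approved member machine ids.
VTD_DB = {1: {"min_policy": 2, "members": {10, 11}},
          2: {"min_policy": 3, "members": {20}}}

class Controller:
    """Owns the membership database and answers admission queries."""
    def __init__(self, db):
        self.db = db

    def decide(self, src, vtd, policy):
        """'allow' only if src is an approved member of vtd and meets its policy floor."""
        settings = self.db.get(vtd)
        if settings is None or src not in settings["members"]:
            return "deny"
        # 'policy' is whatever the sender wrote into the header: the floor is a
        # minimum the controller enforces, not proof of the sender's real posture.
        return "allow" if policy >= settings["min_policy"] else "deny"

    def revoke(self, vtd, src, table):
        """Remove a member and flush every cached decision made for it."""
        self.db[vtd]["members"].discard(src)
        table.flush(lambda key: key[0] == src and key[1] == vtd)

class FlowTable:
    """Switch-side cache of controller decisions; evicts the oldest entry when full."""
    def __init__(self, capacity=4):
        self.capacity = capacity
        self.entries = OrderedDict()  # (src, vtd, policy) -> action

    def install(self, key, action):
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)
        self.entries[key] = action

    def flush(self, predicate):
        for key in [k for k in self.entries if predicate(k)]:
            del self.entries[key]

def handle_packet(table, ctrl, src, vtd, policy):
    """Switch path: hit the flow table first, ask the controller only on a miss."""
    key = (src, vtd, policy)
    if key in table.entries:
        return table.entries[key], "cache"
    action = ctrl.decide(src, vtd, policy)
    table.install(key, action)
    return action, "controller"
```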

VTD ID & Security Policy

 Label 1 identifies the domain.
 Label 2 identifies a machine within that domain.
 With these two-level identifiers, we can distinguish the VMs in different virtual domains.

 The core functionality of path splicing is in each router, which keeps several routing tables, each holding a different possible path.
 The packet header carries an added field of "forwarding bits." These bits tell the router which routing table to use.
 This is similar to our project, since we will add bits to our packet headers to represent the user's VTD and security policy.

 We have our computer and programming environment ready to go.
 We have installed the MPLS OpenFlow switch.

 Research MPLS (Multiprotocol Label Switching). It is used for creating virtual connections between physically distant nodes, and will be used to connect distant VTDs together.
 Implement and test MPLS with the OpenFlow MPLS switch on a NetFPGA.

 Delivers high-speed L2 (really "label") switching at low cost compared with traditional L3 routing.
 Provides traffic engineering: allows the user to direct traffic based on network utilization and demand.
 Ease of provisioning QoS.
 Support for VPNs.

[Protocol stack diagram: layer 1 Physical (optical/electrical); layer 2 PPP, Frame Relay, ATM (*); layer 3 IP; layer 4 TCP/UDP; layers 5 to 7 Applications. With MPLS, the MPLS layer sits between PPP/FR/ATM (*) and IP.]

 Label Edge Router (LER)
 Label Switching Router (LSR)
 Forwarding Equivalence Class (FEC)
 Label-Switched Paths (LSPs)
 Setting up an LSP

 Hardware: pre-built NetFPGA server
 Software: CentOS 5, NetFPGA base package (2.X)

 Compile the driver and tools
 Load the driver and tools
 Reboot and verify that the driver is loaded:
   Module
   NetFPGA interface
 Reprogram the CPCI
 Run selftest

 The regression test suite is a set of tests that exercise the functionality of the released gateware and software.
 Connect at least 2 interfaces.
 Load the bit file onto the NetFPGA board.
 Run the regression test (10 minutes).

 Defined actions:
   PUSH: packet entering the MPLS cloud; merging MPLS FECs into one FEC.
   POP: packet leaving the MPLS cloud; FEC demultiplexing.
   SWAP: changing labels inside the MPLS cloud.
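The two-level identifier described earlier (label 1 for the domain, label 2 for the machine) and the PUSH, POP and SWAP actions above, as an added example in Python that is not part of the project's code: it packs the two labels as a standard MPLS label stack (20-bit label, 3-bit EXP, bottom-of-stack bit, 8-bit TTL) and applies each action to a constructed packet. The label values, TTL and payload are made up for the example.

```python
import struct

def encode_entry(label, exp, bos, ttl):
    """Pack one 32-bit label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    if not (0 <= label < (1 << 20) and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("label stack field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)

def decode_stack(packet):
    """Read entries until the bottom-of-stack bit is set; return (entries, payload)."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(packet):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", packet, offset)
        offset += 4
        entries.append({"label": word >> 12, "exp": (word >> 9) & 0x7,
                        "bos": (word >> 8) & 0x1, "ttl": word & 0xFF})
        if entries[-1]["bos"]:
            return entries, packet[offset:]

def encode_stack(entries, payload):
    """Serialise entries; the S bit is set only on the last (innermost) entry."""
    last = len(entries) - 1
    return b"".join(encode_entry(e["label"], e["exp"], i == last, e["ttl"])
                    for i, e in enumerate(entries)) + payload

def push_vtd_labels(payload, domain_label, machine_label, ttl=64):
    """PUSH at the ingress LER: outer label = VTD (domain), inner label = machine."""
    stack = [{"label": domain_label, "exp": 0, "ttl": ttl},
             {"label": machine_label, "exp": 0, "ttl": ttl}]
    return encode_stack(stack, payload)

def swap_top(packet, new_label):
    """SWAP at an LSR inside the cloud: rewrite the outer label, decrement its TTL."""
    entries, payload = decode_stack(packet)
    entries[0]["label"] = new_label
    entries[0]["ttl"] -= 1
    if entries[0]["ttl"] <= 0:
        raise ValueError("TTL expired; packet would be dropped")
    return encode_stack(entries, payload)

def pop_top(packet):
    """POP at the egress LER: remove the outer label, exposing the machine label."""
    entries, payload = decode_stack(packet)
    if len(entries) == 1:
        return payload  # popping the bottom label leaves the unlabelled payload
    return encode_stack(entries[1:], payload)
```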

 PUSH and POP are not native OpenFlow actions.
 TTL/TOS operations are very specific to MPLS.
 Only the SWAP operation can be done using native OpenFlow actions (the rewrite action).

 Ericsson has modified OpenFlow:
   Match on up to 2 top-of-stack MPLS tags.
   Rewrite Tag and Exp (in the spirit of OF 0.89).
   Forward to a virtual port to take care of complex MPLS actions.

 Make sure the NetFPGA is working fine with the right version.
 Build the OpenFlow-MPLS kernel module:
   Compile the source code (there will probably be compatibility issues with the Linux kernel).
   make, make install
 insmod the OpenFlow kernel module and hardware table from datapath/linux-2.6*/

 Set up the OpenFlow switch with 4 ports (nf2cX ports) (shell script).
 Verify the installation:
   Load the environment variables.
   Run the testing script.
     ○ Check the traffic between the OF switch and the controller.
 Run the OpenFlow MPLS switch:
   Download the bit file into the NetFPGA.

 Run the controller (either local or remote is fine) (ask for the xml file).
 Run secchan from the secchan directory.
 Do a real test or run the simulated packet generator.
 Run Wireshark to capture the packets.

 Compatibility issues:
   With NetFPGA: different reference packages were developed on different NetFPGA base package versions, so please refer carefully to the ojectTable.
   With the Linux kernel: consult the developers or go carefully through their wiki.
 The official guide (wiki) has errors/typos. I contacted the developers and corrected some errors and typos on the wiki (version, command).

[Architecture diagram of the test setup: a PC sends PING traffic through the OpenFlow MPLS switch on the NetFPGA. Userspace: controller, ofprotocol. Kernel / hardware: ofdatapath.ko, ofdatapath_netfpga.ko, openflow_switch.bit. Interfaces: localhost eth0, localhost eth1]

 It is not recommended to deploy the tunnel on the NetFPGA, which makes the system slow.
 Find a feasible tunneling implementation that can be deployed in our system to bring the different domains together.
 Deploy the OpenFlow switch on top of that to build up the MPLS core network.
 Implement the security policy on the controller so that the domain is built with security in mind.