Flow-based Management Language. Tim Hinrichs, Natasha Gude*, Martín Casado, John Mitchell, Scott Shenker. University of Chicago, Stanford University, ICSI/UC Berkeley.


Network Configuration Today
Distributed state: VLANs, subnets, ACLs, NAT, routing policies…
Problems:
- Low-level, indirect mechanisms [Maltz04]
- Topology-dependent [Bellovin99]
- Connectivity is difficult to reason about [Xie04]

Our Goal
Design a policy language to simplify network configuration without loss of today's expressiveness.

Language Goals
- Maintain today's expressiveness
- Support high-level naming, e.g. "Guests must send all HTTP traffic via a proxy"
- Single point of declaration: clear how traffic will be treated
- Support composition and exception policy models
- Performance: amenable to efficient implementation
- Extensibility
- Multiple authorship

FML Overview
- Form of nonrecursive Datalog
- Flow-based: an FML policy is a set of rules declared over a flow and its high-level attributes
- Attributes include src/dst access points, hosts, and users
- Rules that match a flow dictate its policy

Rule Definition
action :- condition
h :- [ ] b1 … [ ] bn
"Guest users must send all HTTP traffic via a proxy":
allow(Flow) :- guest(U_src), http = Prot, proxy(H_dst)

NAC
Actions: allow, waypoint, rate-limit, deny
Variables: access points, hosts, users, protocol, flow header tuple
allow(Flow) :- guest(U_src), http = Prot, proxy(H_dst)
An FML policy is an unordered set of rules.

Example Rules
# Require authentication
http_redirect(Flow) :- unauthenticated = U_src, http = Prot
# Define group behavior
allow(Flow) :- (registered(H_src) | registered(H_dst)), http = Prot
waypoint(Flow, proxy) :- guest(U_src), http = Prot
rate-limit(Flow, 1Mbps) :- students(U_src) | students(U_dst)
# Quarantine hosts
deny(Flow) :- blacklist(H_src) | blacklist(H_dst)
# Isolate hosts
deny(Flow) :- classified(H_src), unclassified(H_dst)

Policy Model Goals
Exception model:
  waypoint(Flow, proxy) :- guest(U_src), http = Prot
  deny(Flow) :- guest(U_src)
Composition model:
  waypoint(Flow, proxy) :- guest(U_src), http = Prot
  rate-limit(Flow, 1Mbps) :- http = Prot

Conflict Resolution
Action reconciliation: deny > [waypoint, rate-limit] > allow
Ordering of rule sets: Policy 1 > Policy 2
  waypoint(Flow, proxy) :- guest(U_src), http = Prot
  cascade()
  deny(Flow) :- guest(U_src)
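As an added example (not code from the slides or from the NOX/FML implementation), a small Python evaluator for the rule form, the action reconciliation order and the rule-set cascade shown on the Rule Definition, Policy Model and Conflict Resolution slides. It assumes a flow is a dict binding the slide's variables (U_src, U_dst, H_src, H_dst, Prot), that group predicates such as guest() are backed by constructed membership sets, and that cascade() consults a lower-priority rule set only when the higher one makes no decision for the flow.

```python
import re

# Precedence from the slides: deny > [waypoint, rate-limit] > allow.
RANK = {"deny": 0, "waypoint": 1, "rate-limit": 1, "allow": 2}

# Constructed group membership backing the predicates used below.
GROUPS = {"guest": {"gus"}, "students": {"stu"},
          "proxy": {"proxy1"}, "blacklist": {"h-bad"}}

def parse_rule(text):
    """Split 'head :- body' into (action, action argument, [body atoms])."""
    head, _, body = text.partition(" :- ")
    m = re.fullmatch(r"([\w-]+)\(Flow(?:,\s*([^)]+))?\)", head.strip())
    atoms = [a.strip() for a in body.split(",")] if body.strip() else []
    return m.group(1), m.group(2), atoms

def eval_atom(atom, flow):
    """flow maps variable names (U_src, H_dst, Prot, ...) to bound values."""
    atom = atom.strip()
    if atom.startswith("(") and atom.endswith(")"):
        atom = atom[1:-1]
    if " | " in atom:   # disjunction, written with '|' as on the slides
        return any(eval_atom(a, flow) for a in atom.split(" | "))
    if " = " in atom:   # 'http = Prot': constant compared with a flow variable
        const, var = (s.strip() for s in atom.split(" = "))
        return flow.get(var) == const
    m = re.fullmatch(r"(\w+)\((\w+)\)", atom)   # 'guest(U_src)': group test
    return flow.get(m.group(2)) in GROUPS.get(m.group(1), set())

def decide(policy, flow):
    """Evaluate one unordered rule set; keep only the highest-ranked actions."""
    fired = [(a, arg) for a, arg, atoms in map(parse_rule, policy)
             if all(eval_atom(x, flow) for x in atoms)]
    if not fired:
        return None   # this rule set makes no decision for the flow
    best = min(RANK[a] for a, _ in fired)
    return sorted({t for t in fired if RANK[t[0]] == best},
                  key=lambda t: (t[0], t[1] or ""))

def cascade(policies, flow):
    """Policy 1 > Policy 2 > ...: a lower rule set is consulted only when the
    higher ones are silent (assumed cascade() semantics)."""
    return next((d for d in (decide(p, flow) for p in policies) if d), None)

POLICY_1 = ["waypoint(Flow, proxy) :- guest(U_src), http = Prot",
            "rate-limit(Flow, 1Mbps) :- students(U_src) | students(U_dst)",
            "deny(Flow) :- blacklist(H_src) | blacklist(H_dst)",
            "allow(Flow) :- proxy(H_dst)"]
POLICY_2 = ["deny(Flow) :- guest(U_src)"]   # exception-model fallback
```

A guest HTTP flow to the proxy gets waypoint from POLICY_1, while a guest SSH flow matches nothing there and falls through to POLICY_2's deny; a student flow to a blacklisted host fires both rate-limit and deny, and deny wins by rank.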

Implementation Requirements
- At least per-flow interposition
- Name-to-address bindings
Any system providing these capabilities can support FML.

NOX OpenFlow Controller
- Maintains global view of topology
- Dictates switch behavior
- Provides authentication framework

Policy Engine (diagram): Flow -> Rule Lookup -> Flow Actions; components: Policy Compiler, Namespace, Auth Bindings.

Performance (plot): flows/second against number of FML rules.

Deployment Experience
Medical university network in Japan
- 200 hosts
- In use for 10 months
- 40-line policy, NAC-focused
http_redirect(Flow) :- unauthenticated = U_src, (workstation(H_src) | laptop(H_src)), http = Prot

Ongoing Work
- Distribute policy enforcement
- Virtualized datacenter support (in progress)
- Expand FML to define actions
- Conflict resolution scheme
- Administrator debugging tools

Questions?