Fast NetServ Data Path: OpenFlow integration
Emanuele Maccherani, Visiting PhD Student
DIEI - University of Perugia, Italy
IRT - Columbia University, USA


What is NetServ?
In-network service container
Active networking concept
Java-programmable, signal-driven router
Processing modules deployed on path

NetServ node architecture
(Diagram: NetServ packet transport; building block layer and virtual execution environment, shown three times, hosting the service modules; NetServ controller. Labelled flows: signaling message to install module, module download, module install, signaling message forwarded to next hop, data packets processed by service modules.)

NetServ current prototype
(Diagram: Linux kernel with transport layer, Netfilter NFQUEUE #1 and NFQUEUE #2 configured by iptables commands, raw socket and UNIX socket; GIST daemon and NSLP daemon; NetServ Controller using the NetServ Control Protocol (TCP) and OSGi control sockets; three OSGi service containers holding packet processing modules and server modules. Labelled traffic: client-server data packets, forwarded data packets, signaling packets.)

NetServ Data Path
Currently: Linux kernel
– Passes packets to user-level service container processes
– Uses Netfilter queues
Problem: slow performance compared to hardware routers

NetServ Data Path
Future: OpenFlow switch
– Packet forwarding in hardware
– Wire-speed data path

What is OpenFlow?
OpenFlow is an API
– Controls how packets are forwarded
– Implemented on hardware switches
(Diagram: OpenFlow switch with a hardware layer (ports 1 to 4) and a software layer running the OpenFlow firmware; flow table with columns MAC src, MAC dst, IP src, IP dst, TCP sport, TCP dport, Action, holding an entry that wildcards (*) every field except IP dst and outputs to a port; a controller PC connected over the OF protocol. The 1st packet of a flow is routed via the controller, following packets are routed by the flow table.)

OpenFlow integration
OpenFlow controller as a NetServ service module
– Runs inside the OSGi Service Container
– Modified version of the Beacon OF Controller (Java)
– Listens for signaling commands through JSON-RPC (sent by the NetServ Controller or external services)
– Sends commands to OF-enabled hardware (OpenFlow protocol)

1st step: NetServ/OpenFlow prototype
UDPEcho used as a test service module
– Intercepts UDP packets on a specific port
– Sends them back to the sender, swapping the src/dst IP and port
Topology: single OF switch
– Attached: NetServ host, 2 normal hosts
– OF switch emulation: Open vSwitch
– Topology emulation: Mininet

NetServ/OpenFlow prototype
(Diagram: OpenFlow switch with ports 1, 2 and 3; flow table with columns MAC src, MAC dst, IP src, IP dst, UDP sport, UDP dport, Action, holding an entry that matches UDP dport 2222 with every other field wildcarded (*) and entries carrying the MAC addresses aa:bb:cc and dd:ee:ff with output actions to port 1 and port 2; NetServ host with Linux kernel, NetServ Controller and an OSGi container running the OpenFlow Controller and the UDPEcho service; two hosts. Labelled messages: signaling packet "Install UDPEcho service. Filter UDP port 2222" to the NetServ Controller; JSON-RPC from the NetServ Controller to the OpenFlow Controller; "Filter Added" over the OF protocol to the switch; PKT from a host; "Forwarded to next hop".)

2nd step: expand NetServ/OpenFlow capabilities
(Diagram: a NetServ node running the NetServ Controller and an OSGi container with the OpenFlow Controller; an OpenFlow switch; three PUs (NetServ nodes), each with a NetServ Controller and an OSGi service container. Labelled flows: signaling packets, first packet of a flow, subsequent packets.)

Signaling flow inside a NetServ/OpenFlow node
(Sequence diagram between the NetServ Controller, the PU, the OF switch and other networks; message types shown: data, OF protocol, JSON-RPC)
1. NetServ starts the OF Controller
2. NetServ SETUP packet arrives; processing module installed
3. Add_filter (JSON-RPC)
4. Hello
5. 1st packet arrives: Packet_IN to the controller, Flow Mod back to the switch (the Packet_IN / Flow Mod exchange is shown twice)
6. Packet processing time; the 1st packet gets routed
7. Following packets take the installed path (packet processing time only)
FlowMod actions:
– MAC address rewrite: PU NIC MAC address
– Output packet to the port connected to the PU
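As an added illustration of the data path on the OpenFlow, prototype and signaling-flow slides (this is not NetServ or Beacon code), the Python model below shows the wildcard flow table, the Packet_IN on a table miss, and the Flow Mod the controller answers with: a MAC rewrite to each PU's NIC address followed by an output to that PU's port, replicated to every PU as the flow-split workaround does. The UDP port filter mirrors the UDPEcho prototype; MAC addresses, port numbers and the controller class name are constructed assumptions.

```python
UDP = 17  # nw_proto value for UDP

class FlowEntry:
    """match: field -> value; a field absent from match is a wildcard (*)."""
    def __init__(self, match, actions):
        self.match, self.actions = match, actions

    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.match.items())

def apply_actions(actions, pkt):
    """OF 1.0 action list: a header rewrite affects only the outputs after it."""
    hdr, outputs = dict(pkt), []
    for name, arg in actions:
        if name == "set_dl_dst":
            hdr["dl_dst"] = arg
        elif name == "output":
            outputs.append((arg, hdr["dl_dst"]))  # (port, dst MAC of this copy)
    return outputs

class NetServOFController:
    """Stands in for the modified Beacon controller inside the OSGi container."""
    def __init__(self, pus, uplink_port):
        self.pus = pus                # constructed (port, PU NIC MAC) pairs
        self.uplink_port = uplink_port
        self.filters = []             # what add_filter (JSON-RPC) installs

    def add_filter(self, tp_dst):     # e.g. "Filter UDP port 2222" from a SETUP
        self.filters.append({"nw_proto": UDP, "tp_dst": tp_dst})

    def packet_in(self, pkt):         # answer a Packet_IN with a Flow Mod
        for f in self.filters:
            if all(pkt.get(k) == v for k, v in f.items()):
                actions = []          # replicate to every PU (OF 1.1 cannot split)
                for port, mac in self.pus:
                    actions += [("set_dl_dst", mac), ("output", port)]
                return FlowEntry(f, actions)
        return FlowEntry({"nw_dst": pkt["nw_dst"]}, [("output", self.uplink_port)])

class OFSwitch:
    def __init__(self, controller):
        self.table, self.controller, self.packet_ins = [], controller, 0

    def process(self, pkt):           # returns (port, dst MAC) copies emitted
        entry = next((e for e in self.table if e.matches(pkt)), None)
        if entry is None:             # table miss: Packet_IN, then Flow Mod
            self.packet_ins += 1
            entry = self.controller.packet_in(pkt)
            self.table.append(entry)
        return apply_actions(entry.actions, pkt)
```

Only the first packet of each flow reaches the controller; the counter on the switch shows the Packet_IN cost described on the signaling slide.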

OF Controller for the NetServ/OpenFlow Node
Handle multiple switches
– Controlled by the same OF controller (OFC)
– Separate configuration parameters
Routing module
– OF switch acts as a router
– Forwarding to different subnets
– ARP table, ARP requests and replies
– Routing table
– Assign IPs to the OF switch ports

OF Controller for the NetServ/OpenFlow Node
Handle multiple Processing Units (WIP)
– Control NetServ nodes attached to an OF switch as PUs (no OFC runs inside them)
– Parallel packet processing
– Splitting a packet flow across several PUs
(Diagram: NetServ OpenFlow Controller, OpenFlow switch, other networks, and OpenFlow-enabled NetServ nodes PU1, PU2, PU3)
Flow split method:
– Not possible with the current OFPv1.1 (will be with v1.2)
– Current implementation replicates the flow to all PUs; every PU drops unwanted packets (using the netfilter u32 matching module)

OF Controller for the NetServ/OpenFlow Node
OF controller deployed as a NetServ service (WIP)
– Deployable not only inside a PU, but in every reachable NetServ node
– Can be dynamically installed/removed/moved across NetServ nodes
Current implementation:
– Beacon is statically deployed inside a NetServ node
– NetServ-related modules can be installed with NSIS
– Switch and PU configuration specified inside the NSIS SETUP "properties" field

DoS experiment on GENI
Autonomic network management
– Self-protecting from a SIP DoS attack (similar to the NetServ Overload demo)
– Use of an IP flow-based IDS (netmonitor service)
– Use of a rate limiter (throttle service)

DoS experiment on GENI
(Diagram: attack sources and a victim server; NetServ node NS1 with Linux kernel and a Throttle module; NetServ node NAME + OFC running the OpenFlow Controller (NAME) and an OpenFlow switch; OpenFlow-enabled NetServ nodes PU1, PU2, PU3, each running a Net monitor module; NetServ nodes NS2 and NS3; every NetServ node has a NetServ Controller and OSGi. Labelled traffic: DoS attack, SIP messages, replicated packets.)
1) SIP messages: NS1 node -> OF switch
2) OF switch -> SIP server, and -> PU1 (replicating)

DoS experiment on GENI (continued; same diagram as the previous slide)
3) Attack arrives
4) Net monitor -> NAME (attack detected) -> NS1

DoS experiment on GENI (continued; same diagram, with the Throttle now active at NS1)
5) Attack increases
6) NAME (to prevent PU1 overload) Net
7) NAME
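As an added example (not the netmonitor or throttle modules from the GENI experiment), this Python sketch models the reaction loop of the preceding slides: an IP flow-based monitor counts packets per source in a sliding window, and on an alert a manager standing in for NAME installs a token-bucket throttle for the flagged source at the ingress node while other sources are untouched. Window, threshold, rate, addresses and class names are constructed assumptions.

```python
from collections import defaultdict, deque

class NetMonitor:
    """IP flow-based IDS: packets per source IP in a sliding time window."""
    def __init__(self, window_s, threshold):
        self.window_s, self.threshold = window_s, threshold
        self.times = defaultdict(deque)

    def observe(self, src, t):        # returns src when its rate is excessive
        q = self.times[src]
        q.append(t)
        while q and q[0] <= t - self.window_s:
            q.popleft()
        return src if len(q) > self.threshold else None

class Throttle:
    """Token-bucket rate limiter for one source (rate in packets/s)."""
    def __init__(self, rate_pps, burst):
        self.rate, self.burst, self.tokens, self.last = rate_pps, burst, burst, 0.0

    def allow(self, t):
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class Name:
    """Autonomic manager: on a monitor alert, installs a throttle for that source."""
    def __init__(self, monitor, rate_pps, burst):
        self.monitor, self.rate, self.burst = monitor, rate_pps, burst
        self.throttles = {}           # src -> Throttle installed at the ingress node

    def handle(self, src, t):         # True when the packet is forwarded on
        flagged = self.monitor.observe(src, t)
        if flagged and flagged not in self.throttles:
            self.throttles[flagged] = Throttle(self.rate, self.burst)
        th = self.throttles.get(src)
        return th.allow(t) if th else True

def simulate(name, packets):
    """packets: (src, time) tuples, any order; returns forwarded count per src."""
    forwarded = defaultdict(int)
    for src, t in sorted(packets, key=lambda p: p[1]):
        if name.handle(src, t):
            forwarded[src] += 1
    return dict(forwarded)
```

The reaction time of this loop depends only on the window and threshold, not on how much traffic the flagged source adds, which is the property the results slides report.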

DoS experiment on GENI - Results
The autonomic system takes a few seconds to recognize the attack and defeat it

DoS experiment on GENI - Results
Reaction time is insensitive to increasing values of traffic intensity
Ir = additional traffic upon an attack beyond the background traffic
– 1st attack = Ir
– 2nd attack = 2 * Ir

Future improvements
Processing-optimized architecture
(Diagram: attack sources and a victim server; NetServ node NS1 with Linux kernel and a DPI module, attached to a second OpenFlow switch; NetServ node NAME + OFC with the OpenFlow Controller (NAME) and an OpenFlow switch; OpenFlow-enabled NetServ nodes PU1, PU2, PU3, each running a flow-based IDS module; NetServ nodes NS2 and NS3. Labels: packets inspected by the DPI module deployed in NS1; packets inspected by PU3; packets forwarded only by NS1 and VLAN tagged; DoS attack.)

TODO / Future Work
Create standard APIs for service modules that want to interact with the data path (either the Linux kernel or an OF switch)
Extend the NetServ signaling syntax to expose OF switch features
Utilize a NetFPGA card as hardware Processing Unit (so both routing and packet processing could be done at wire speed)