Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) Sriram Gopinath(1203800749)

Outline
Introduction
Status Report
Proposed Solution
Expected Results
Progression Plan

Status
Proposed status: implement an OpenFlow switch on the NetFPGA platform.
Current status: compilation, installation and configuration of the OpenFlow switch on the NetFPGA platform and its dependencies.
Tasks completed:
– NetFPGA configuration
– OpenFlow switch configuration
– Regression tests on the OpenFlow switch

Introduction
Traffic management applications:
– Block or monitor malicious traffic
– Prevent the VLAN hopping attack

1. Monitoring Malicious Traffic
Rules:
– An incoming packet's source IP is checked against the blacklisted IP list.
– An outgoing packet's destination IP is checked against the blacklisted IP list.
Sources of blacklisted IP addresses:
– Verisign
– ZeuS blacklisted IP addresses
– BotHunter blacklist
A packet is dropped if there is a match. This is achieved by installing a flow entry whose Action field is empty after the packet has been matched against the rules above: in OpenFlow 1.0 a flow entry with no actions drops every packet it matches. The drop entries must carry a higher priority than the entries that forward ordinary traffic, otherwise a wildcard forwarding entry would win the match.
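The rule set above, as an added example that is not part of the presentation: a blacklist is turned into one ingress (source IP) and one egress (destination IP) drop entry per address, and a packet's header fields are checked against the same list. It assumes that blacklist entries are IPv4 addresses or CIDR prefixes, that the flow entries are rendered in ovs-ofctl key=value syntax (the reference switch's dpctl takes a similar form), and that the addresses are constructed placeholders, not data from the feeds the slides name.

```python
"""Added example, not the presentation's code: blacklist -> OpenFlow 1.0
drop entries, plus a per-packet check against the same list.

Assumptions (not on the slides): entries are IPv4 addresses or CIDR
prefixes; entries are rendered in ovs-ofctl syntax; sample data is
constructed."""
import ipaddress

# Constructed sample blacklist (placeholders, not feed data).
BLOCKLIST = ["203.0.113.7", "198.51.100.0/24", "192.0.2.99"]


def load_blocklist(entries):
    """Parse addresses/prefixes; a bare address becomes a /32 network."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_blocked(addr, nets):
    """True if addr falls inside any blacklisted network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def decide(pkt, nets):
    """Return 'drop' if the source or destination IP is blacklisted,
    else 'forward'. pkt is a dict with 'nw_src' and 'nw_dst'."""
    if is_blocked(pkt["nw_src"], nets) or is_blocked(pkt["nw_dst"], nets):
        return "drop"
    return "forward"


def flow_entries(nets, priority=1000):
    """Render one ingress (nw_src) and one egress (nw_dst) drop rule per
    entry. An empty action list is a drop in OpenFlow 1.0; ovs-ofctl
    spells it 'actions=drop'. The priority must exceed that of the
    forwarding entries so the drop rule wins the match."""
    rules = []
    for n in nets:
        cidr = f"{n.network_address}/{n.prefixlen}"
        rules.append(f"priority={priority},ip,nw_src={cidr},actions=drop")
        rules.append(f"priority={priority},ip,nw_dst={cidr},actions=drop")
    return rules


if __name__ == "__main__":
    nets = load_blocklist(BLOCKLIST)
    for rule in flow_entries(nets):
        print(rule)
    print(decide({"nw_src": "10.0.0.5", "nw_dst": "198.51.100.42"}, nets))
```

Prefix entries are wildcard matches; on a hardware switch they occupy the small wildcard (TCAM) table rather than the large exact-match table, so the size of the blacklist is bounded by the wildcard table of the target platform.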

2. What is a VLAN hopping attack?
A VLAN hopping attack is a computer security exploit, a method of attacking networked resources on a VLAN. In a double tagging attack, the attacking host prepends two VLAN tags to the frames it transmits. The first (outer) tag, which corresponds to the VLAN the attacker is really a member of, is stripped off by the first switch the frame encounters, and the frame is then forwarded across the trunk. The second, false, tag is then visible to the second switch the frame encounters. This false VLAN tag indicates that the frame belongs to a second, target VLAN, and the frame is delivered to the target host as though it were ordinary layer 2 traffic. By this method the attacking host reaches a host in another VLAN without ever crossing the router, so the layer 3 access controls (inter-VLAN ACLs) that are meant to isolate the VLANs from one another are never applied. Two properties of the attack matter for the defence: double tagging only works when the attacker's access port is in the native VLAN of the trunk, because the outer tag is stripped precisely because it matches the native VLAN, and it is one-way, since the victim's replies carry only the victim's own VLAN tag.

Avoiding the VLAN Hopping Attack
Proposed plan: uniquely identify each frame with an identifier and transmit it to the switch.
Identifier:
a. Fields used for hashing: Time Stamp, Source MAC address, EtherType
b. Hash algorithm: Squash
Method of transferring the identifier: the 802.1Q header

Generating the Hash
The format below is used to generate the hash value.
To prove the origin of the frame (origin authenticity) we can use Squash:
Hash [ Secret Key, {TimeStamp  (Source MAC || EtherType)} ]
To prove the integrity of the entire frame between the host and the switch we can use MD5:
Hash [ Secret Key, {TimeStamp  (Entire Frame)} ]
Whichever hash is chosen, the key must enter through a proper keyed construction (an HMAC): hashing Key || data with a Merkle-Damgård hash such as MD5 is open to length extension, so an attacker could append to a frame and produce a valid tag without knowing the key.

Frame Structure
Normal Ethernet header format: Destination MAC address | Source MAC address | 802.1Q header | EtherType
Modified Ethernet header format: Destination MAC address | Source MAC address | 802.1Q header | EtherType | Time Stamp | Hash Value
We will modify the Ethernet header into the format above, using the 802.1Q header (its TPID/EtherType value) to tell the switch how long the header is and which fields it contains. Two new fields are introduced: Time Stamp and Hash Value.

Transmitting the Hash Value
We plan to use the 802.1Q header to carry the hash value in the frame. The 802.1Q header defines the following fields:
– VLAN Identifier (VID): a 12-bit field specifying the VLAN to which the frame belongs. A value of 0 means the frame carries no VLAN membership (it is priority-tagged only).
– Canonical Format Indicator (CFI): a 1-bit field. If set to 1 the MAC addresses are in non-canonical format (802.1Q-2011 renames this bit the Drop Eligible Indicator, DEI).
– Priority Code Point (PCP): a 3-bit field used to prioritise different classes of traffic (voice, video, data).
– TPID: the 16-bit Tag Protocol Identifier, which sits where the EtherType would be and tells the receiver that a 4-byte 802.1Q tag follows. For an untagged IPv4 packet the EtherType field is 0x0800; for a VLAN-tagged frame it is 0x8100.
Similarly we will implement a procedure that introduces a new EtherType value, which informs the switch of the additional fields present in the Ethernet header.

OpenFlow Spec: flowchart showing how header fields are parsed for matching.

Flow Table Entries
Include a new field (the shared key) in the flow table.
For each packet a hash value is generated using the key stored in the flow table and compared with the value carried in the packet. If they are equal the packet is processed; otherwise it is dropped.
Replay attack: a replayed frame is a verbatim copy of a genuine one, so its hash still matches the key. The switch detects the replay through the Time Stamp field, rejecting a timestamp outside a freshness window or not later than the last timestamp it accepted from that source MAC.
If the VLAN ID in the Ethernet frame is modified by an attacker, the packet is dropped because the hash value no longer matches the value computed with the key.
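The frame layout and the switch-side checks of the preceding slides (identifier, hash generation, frame structure, 802.1Q transport, flow table verification), as one added example that is not the presentation's code. It assumes a private EtherType of 0x88B5 (an IEEE local-experimental value; the slides do not pick one), a 4-byte Unix-seconds timestamp, and HMAC-SHA256 truncated to 16 bytes over every header field and the payload in place of the slides' Squash/MD5 constructions; the combining operator that did not survive the slide formula is taken as concatenation. The MACs, key and payload are constructed. Beyond the slides, the verifier also rejects a frame whose payload begins with a second 802.1Q tag, because a host holding the key could otherwise sign a double-tagged frame.

```python
"""Added example, not the presentation's code: build and verify the
proposed frame layout
  dst(6) | src(6) | TPID 0x8100 | TCI | private EtherType | TimeStamp | Hash | payload

Assumptions: private EtherType 0x88B5 (IEEE local experimental; the
slides pick none); 4-byte Unix-seconds timestamp; HMAC-SHA256/16 as the
keyed hash instead of Squash/MD5; concatenation where the slides'
operator was lost; all sample values constructed."""
import hashlib
import hmac
import struct
import time

TPID = 0x8100
PRIV_ETHERTYPE = 0x88B5   # assumed private EtherType announcing the extra fields
TAG_LEN = 16
FRESH_WINDOW = 30         # seconds; assumed replay window
HDR_FMT = "!HHHI"         # TPID, TCI, private EtherType, TimeStamp
HDR_END = 12 + struct.calcsize(HDR_FMT)


def _tag(key, dst, src, tci, ts, payload):
    # Cover every field except the tag itself, so a changed VID (inside
    # the TCI), timestamp or payload invalidates the tag.
    msg = dst + src + struct.pack(HDR_FMT, TPID, tci, PRIV_ETHERTYPE, ts) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(key, dst, src, vid, payload, ts=None, pcp=0):
    """Host side: emit a frame in the modified layout."""
    ts = int(time.time()) if ts is None else ts
    tci = (pcp << 13) | (vid & 0x0FFF)
    hdr = dst + src + struct.pack(HDR_FMT, TPID, tci, PRIV_ETHERTYPE, ts)
    return hdr + _tag(key, dst, src, tci, ts, payload) + payload


class Verifier:
    """Switch side: tag check, nested-tag check, VID ownership, freshness, replay."""

    def __init__(self, key, port_vid, now=None):
        self.key = key
        self.port_vid = port_vid                    # VID the ingress port belongs to
        self.last_ts = {}                           # src MAC -> last accepted timestamp
        self.now = now or (lambda: int(time.time()))

    def check(self, frame):
        if len(frame) < HDR_END + TAG_LEN:
            return "drop: short frame"
        dst, src = frame[:6], frame[6:12]
        tpid, tci, eth, ts = struct.unpack(HDR_FMT, frame[12:HDR_END])
        if tpid != TPID or eth != PRIV_ETHERTYPE:
            return "drop: not a tagged frame"
        tag, payload = frame[HDR_END:HDR_END + TAG_LEN], frame[HDR_END + TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(self.key, dst, src, tci, ts, payload)):
            return "drop: bad tag"
        # Double tagging: a second 802.1Q tag at the start of the payload.
        if len(payload) >= 2 and payload[:2] == b"\x81\x00":
            return "drop: nested 802.1Q tag"
        if (tci & 0x0FFF) != self.port_vid:
            return "drop: VID not owned by ingress port"
        if abs(self.now() - ts) > FRESH_WINDOW:
            return "drop: stale timestamp"
        if ts <= self.last_ts.get(src, -1):
            return "drop: replay"
        self.last_ts[src] = ts
        return "forward"


if __name__ == "__main__":
    key = b"\x01" * 16
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    v = Verifier(key, port_vid=10)
    frame = build_frame(key, dst, src, 10, b"\x08\x00hello")
    print(v.check(frame))        # forward
    print(v.check(frame))        # drop: replay
```

With a one-second timestamp the replay rule also rejects a second genuine frame sent within the same second; a deployable version needs a finer clock or a per-source counter in the Time Stamp field, and the switch and hosts need synchronised clocks for the freshness window to hold.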

Alternative Solution: Key Chain Based
Initially the source generates the hash value using the Squash algorithm and the switch verifies it:
Hash [ Secret Key, {(Destination || EtherType)  (Source MAC || EtherType)} ]
For the rest of the packets the previous hash value is used as the key material for generating the next hash value:
Hash_n [ Secret Key, {Hash_(n-1)  (Source MAC || EtherType)} ]
A problem arises when packets are not transmitted in sequence. This can be addressed by using the sequence number field in the TCP header to identify the packet's position in the chain, which limits the scheme to TCP traffic. Since from Hash_n we can derive Hash_(n+m), the switch can derive the hash values of all the following packets. Markers (cached intermediate hash values) can also be used to reduce the computational load.
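The key-chain alternative above, as an added example that is not the presentation's code: the host produces H_0 from (Destination || EtherType) and (Source MAC || EtherType) and each later H_n from H_(n-1), while the switch keeps the highest index it has derived, walks forward to verify a packet that arrives ahead of its predecessors, serves out-of-order packets from the cached intermediate values (the slides' markers), and refuses an index it has already consumed. It assumes HMAC-SHA256 in place of Squash, that the packet's chain index arrives with the packet (the slides propose the TCP sequence number), and concatenation where the slide formula's operator was lost; all sample values are constructed.

```python
"""Added example, not the presentation's code: hash-chain tags with
out-of-order verification and replay rejection.

Assumptions: HMAC-SHA256 stands in for Squash; the chain index is
carried with the packet; concatenation where the slide operator was
lost; sample values constructed."""
import hashlib
import hmac


def chain_start(key, dst, src, eth):
    """H_0 = Hash[Key, (Destination || EtherType) || (Source MAC || EtherType)]."""
    return hmac.new(key, dst + eth + src + eth, hashlib.sha256).digest()


def chain_step(key, prev, src, eth):
    """H_n = Hash[Key, H_(n-1) || (Source MAC || EtherType)]."""
    return hmac.new(key, prev + src + eth, hashlib.sha256).digest()


def sender_tags(key, dst, src, eth, count):
    """Host side: the tags for packets 0 .. count-1, in order."""
    tags = [chain_start(key, dst, src, eth)]
    while len(tags) < count:
        tags.append(chain_step(key, tags[-1], src, eth))
    return tags


class ChainVerifier:
    """Switch side. hashes caches H_i for indices not yet consumed (the
    slides' markers); hi is the highest index derived so far; max_skip
    bounds the forward derivation an unverified packet can trigger."""

    def __init__(self, key, dst, src, eth, max_skip=64):
        self.key, self.src, self.eth, self.max_skip = key, src, eth, max_skip
        self.hashes = {0: chain_start(key, dst, src, eth)}
        self.hi = 0
        self.consumed = set()

    def _derive(self, idx):
        """Walk from H_hi to H_idx; return the new entries without committing."""
        new, h, i = {}, self.hashes[self.hi], self.hi
        while i < idx:
            h = chain_step(self.key, h, self.src, self.eth)
            i += 1
            new[i] = h
        return new

    def check(self, idx, tag):
        if idx < 0 or idx in self.consumed:
            return "drop: replay"
        if idx > self.hi + self.max_skip:
            return "drop: index too far ahead"
        new = self._derive(idx) if idx > self.hi else {}
        expected = new[idx] if idx > self.hi else self.hashes[idx]
        if not hmac.compare_digest(tag, expected):
            return "drop: bad tag"          # nothing committed; hi unchanged
        self.hashes.update(new)
        self.hi = max(self.hi, idx)
        self.consumed.add(idx)
        if idx < self.hi:
            del self.hashes[idx]            # never needed again; consumed blocks replays
        return "forward"


if __name__ == "__main__":
    key, dst, src, eth = b"k" * 16, b"\x00" * 6, b"\x11" * 6, b"\x08\x00"
    tags = sender_tags(key, dst, src, eth, 5)
    v = ChainVerifier(key, dst, src, eth)
    print(v.check(3, tags[3]), v.check(1, tags[1]), v.check(3, tags[3]))
```

The derivation is only committed after the tag verifies, so a stream of bad tags cannot push the verifier's position forward or grow its cache, and max_skip keeps a forged far-ahead index from becoming a CPU sink. The chain authenticates order within one source, not freshness: a packet captured before the switch has seen its index is still accepted, so this scheme and the timestamp scheme address different replays.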

Plan and Expected Result
Progression plan:
– Implement the OpenFlow switch with basic firewall functionality by March 26th
– Provide remediation for the VLAN hopping attack by April 26th
Expected result:
– Make the switch act as a basic firewall
– Prevent the VLAN hopping attack