Presentation is loading. Please wait.

Presentation is loading. Please wait.

FreeSurf: Application-centric Wireless Access with SDN

Published by정수 노 Modified over 6 years ago

Similar presentations

Presentation on theme: "FreeSurf: Application-centric Wireless Access with SDN"— Presentation transcript:

1 FreeSurf: Application-centric Wireless Access with SDN
IRTF SDNRG Prague, July 2015 Zhen Cao, Jürgen Fitschen, Panagiotis Papadimitriou Leibniz Universität Hannover

2 Public Wi-Fi with a Traditional setup
Network highly underutilized Only ONE connection per user per month* 10% active customers No way to provide ubiquitous connectivity for customers Operator Service Providers Poor user satisfaction Always reluctant to pay, and impatient 12 clicks are required for a captive portal authentication 25% of users abandon access after 4 seconds # 50% of users abandon access after 10 seconds

3 Application-centric Wireless Access
Authentication AuthFlow FreeSurf Controller Access control DataFlow Operator FreeSurf SPs Access Authentication Authentication: users authenticate to the network using their SP accounts, e.g., Amazon Access: users are allowed to access the SP domain after a successful authentication Billing: SP is accountable for their customers’ access, and users are left to FreeSurf

4 FreeSurf Authentication
FreeSurf Controller AuthFlow Amazon AAA 1.EAP Identity Request Authentication forwarding table 2. EAP Identity Response ID FreeSurf SP @amazon.com Amazon AAA IP @ebay.com ebay AAA * Operator AAA EAP-TTLS Start Radius EAP-TTLS Start Server authentication and TLS tunnel setup EAP-TTLS Phase 2 (e.g., MSCHAP ), user authenticates using the SP account

5 FreeSurf Access Control
FreeSurf Controller Amazon Authentication CDN, Multihoming, Cloud Openflow tablle Tablesize Lookup efficiency Flows towards SP domain Bloom Filter Flows towards outside of SP domain Tablesize Lookup efficiency BF assisted

6 Operation Modes Direct mode: Broker mode:
SPs take over the authentication procedure and provide Internet access to their clients Direct control of clients’ credentials Better suited to large SPs Broker mode: A broker takes over the client authentication on behalf of multiple SPs Better suited to small SPs

7 FreeSurf Prototype Flow 1: FreeSurf authflow In AWS
FreeSurf SP AAA Server FreeSurf Controller (POX) Authenticator (hostapd) Data Plane (ovs) AuthFlow DataFlow Operator 1 2 Linux Internet Client: an IOS device In AWS Within same LAN Flow 2: non-FreeSurf authflow FreeSurf AP: Linux Laptop + USB Wireless Dongle + Hostapd

8 FreeSurf Evaluation Minimal increase in authentication delay with FreeSurf 1.7% additional delay with EAP-TTLS 2.4% additional delay with EAP-PEAP BF promotes lookup efficiency The larger the flow table is , the more BF helps Lookup with the BF is constant irrespective of flow table size

9 Thank you For more information, checkout our paper and code at https://github.com/freesurf

10 BF-assisted Access Control in FreeSurf
Initialization Construction Lookup & Decision i B[i] i B[i] i B[i] mHash(pkt_m.hdr) 1 2 K-3 K-2 K-1 1 2 K-3 K-2 K-1 1 2 K-3 K-2 K-1 pkt_i drop iHash(pkt_i.hdr) iHash(pkt_i.hdr) collision forward False positive kHash(pkt_k.hdr) Complexity: Size K irrespective of the number of flows; Lookup O(number of hash functions) False positive can be tuned by use of larger bit vector and more hash computations

11 Existence of false positives:
BF False Positives No false negatives: Discarded packets are absolutely not permitted Existence of false positives: Impact: allowing some traffic from authenticated users to unallowed addresses Rescue: twisting the false positive rate as small as possible by a choice of larger bit vector and use of more hash functions

Download ppt "FreeSurf: Application-centric Wireless Access with SDN"

Similar presentations

Inter WISP WLAN roaming

Inter WISP WLAN roaming
LAN Devices 5.3 IT Essentials.

LAN Devices 5.3 IT Essentials.
Secure Lync mobile Authentication

Secure Lync mobile Authentication
Introduction to ISA 2004 Dana Epp Microsoft Security MVP.

Introduction to ISA 2004 Dana Epp Microsoft Security MVP.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.

Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Topics 1.Security options and settings 2.Layer 2 vs. Layer 3 connection types 3.Advanced network and routing options 4.Local connections 5.Offline mode.

Topics 1.Security options and settings 2.Layer 2 vs. Layer 3 connection types 3.Advanced network and routing options 4.Local connections 5.Offline mode.
Networking Components

Networking Components
Introduction to Networking. Key Terms packet  envelope of data sent between computers server  provides services to the network client  requests actions.

Introduction to Networking. Key Terms packet  envelope of data sent between computers server  provides services to the network client  requests actions.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Configuring Routing and Remote Access(RRAS) and Wireless Networking

Configuring Routing and Remote Access(RRAS) and Wireless Networking
Mobile and Wireless Communication Security By Jason Gratto.

Mobile and Wireless Communication Security By Jason Gratto.
Module 9: Planning Network Access. Overview Introducing Network Access Selecting Network Access Connection Methods Selecting a Remote Access Policy Strategy.

Module 9: Planning Network Access. Overview Introducing Network Access Selecting Network Access Connection Methods Selecting a Remote Access Policy Strategy.
Chapter 6: Packet Filtering

Chapter 6: Packet Filtering
End-to-end resource management in DiffServ Networks –DiffServ focuses on singal domain –Users want end-to-end services –No consensus at this time –Two.

End-to-end resource management in DiffServ Networks –DiffServ focuses on singal domain –Users want end-to-end services –No consensus at this time –Two.
Altai Certification Training Backend Network Planning

Altai Certification Training Backend Network Planning
1/28/2010 Network Plus Network Device Review. Physical Layer Devices Repeater –Repeats all signals or bits from one port to the other –Can be used extend.

1/28/2010 Network Plus Network Device Review. Physical Layer Devices Repeater –Repeats all signals or bits from one port to the other –Can be used extend.

Similar presentations

Ads by Google