Presentation is loading. Please wait.

Presentation is loading. Please wait.

June 2007NSF Find Forensics and Attribution in Ethane Martin Casado Stanford University With: Michael Freedman, Justin Pettit, Jianying Luo, Natasha Gude,

Published byMaria McIntyre Modified over 10 years ago

Similar presentations

Presentation on theme: "June 2007NSF Find Forensics and Attribution in Ethane Martin Casado Stanford University With: Michael Freedman, Justin Pettit, Jianying Luo, Natasha Gude,"— Presentation transcript:

1 June 2007NSF Find Forensics and Attribution in Ethane Martin Casado Stanford University With: Michael Freedman, Justin Pettit, Jianying Luo, Natasha Gude, David Goubad, Aditya Akella, Dan Boneh, Scott Shenker, Nick McKeown

2 June 2007NSF Find Ethane Overview Centralized, Flow-based architecture Connectivity dictated by global policy file For the Enterprise Single administration domain (someone everyone has to trust) Known principle roles (users, hosts) Bounded in size

3 June 2007NSF Find Ethane Operation Nancy Payroll Host:b IP:y MAC:n Host: a IP: x MAC: m controller Credentials Payroll XXXX Nancy YYYY Authenticate Bindings Payroll x m sw4 Nancy y n sw4 Bindings Payroll x m sw4 Nancy y n sw4 Assumptions Physical ingress port of all packets is known Controller knows network topology

4 June 2007NSF Find Ethane: First Packet = Path Setup Payroll POLICY FILE POLICY FILE Controller Nancy

5 June 2007NSF Find Forwarding in Ethane Check flow-table If entry exists, apply corresponding action Forward (or drop) Rate limit Outbound initiated only (NAT-like) Swap MAC header (Source obfuscation) Place in specific queue (isolation) If no entry, send to Controller

6 June 2007NSF Find Ethane Switch = Flow Tables Flow ID = Hash over relevant header fields Ethernet = H( inport,ethsrc|ethdst|ethprot) IP = H(eth,ipsrc|ipdst|ipproto) TCP/UDP = H(ip|srcport|dstport) Flow-Table & Lookup Flow ID Action 0xcf32 0xdf32 Header Values 0xef32 Fwd port1 Fwd port1, Swap MAC 01|ffee|… 01|ddee|… 02|ddef|…Fwd port2, Rate limit

7 June 2007NSF Find Preventing Address Forging Principles bound to addresses/physical port at authentication time Packet addresses checked against bindings at Controller (e.g. MAC/port pair matches known bindings) Flow definition includes ingress port Forged packets will never match a flow and will be dropped at first hop switch

8 June 2007NSF Find Forensic Support User host Host IP IP MAC MAC switch port Switch port switch port User Login Host Join Switch Join Link Change Replay Log All bindings logged Current bindings + packet + timestamp + log = bindings at time packet was sent Controller Bindings

9 June 2007NSF Find Forensics Given a packet can determine Which user/host sent and received it Physical port it was sent/received from What the topology looked like when it was sent Access control bind state and log (only admin access)

10 June 2007NSF Find Anonymity IP addresses allocated dynamically Source MAC can be swapped by switches (use IP during forensics) End-hosts perform encryption

11 June 2007NSF Find Source Address? Doesnt matter Addresses are virtual and multiplexed among physical ports Address allocations are enforced by network Address + bind log = source

12 June 2007NSF Find Mechanism Issues Requires bind state and log Function assumes global trust Minor compared to flow state Encryption off datapath = good Simple switches at Gig speeds

13 June 2007NSF Find Questions?

Download ppt "June 2007NSF Find Forensics and Attribution in Ethane Martin Casado Stanford University With: Michael Freedman, Justin Pettit, Jianying Luo, Natasha Gude,"

Similar presentations

Flow-based Management Language Tim Hinrichs Natasha Gude* Martín Casado John Mitchell Scott Shenker University of Chicago Stanford University ICSI/UC Berkeley.

Flow-based Management Language Tim Hinrichs Natasha Gude* Martín Casado John Mitchell Scott Shenker University of Chicago Stanford University ICSI/UC Berkeley.
CST 415 - Computer Networks NAT CST 415 4/10/2017 CST 415 - Computer Networks.

CST Computer Networks NAT CST 415 4/10/2017 CST Computer Networks.
NETWORK LAYER (1) T.Najah AlSubaie Kingdom of Saudi Arabia Prince Norah bint Abdul Rahman University College of Computer Since and Information System NET331.

NETWORK LAYER (1) T.Najah AlSubaie Kingdom of Saudi Arabia Prince Norah bint Abdul Rahman University College of Computer Since and Information System NET331.
An Overview of Software-Defined Network Presenter: Xitao Wen.

An Overview of Software-Defined Network Presenter: Xitao Wen.
OpenFlow : Enabling Innovation in Campus Networks SIGCOMM 2008 Nick McKeown, Tom Anderson, et el. Stanford University California, USA 2011. 04. 11 Presented.

OpenFlow : Enabling Innovation in Campus Networks SIGCOMM 2008 Nick McKeown, Tom Anderson, et el. Stanford University California, USA Presented.
Ethane: Taking Control of the Enterprise

Ethane: Taking Control of the Enterprise
May, 2006 EdgeNet 2006 The Protection Problem in Enterprise Networks Martin Casado PhD Student in Computer Science, Stanford University

May, 2006 EdgeNet 2006 The Protection Problem in Enterprise Networks Martin Casado PhD Student in Computer Science, Stanford University
SANE: A Protection Architecture for Enterprise Networks Authors: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown,

SANE: A Protection Architecture for Enterprise Networks Authors: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown,
June, 2006 Stanford 2006 Ethane: Addressing the Protection Problem in Enterprise Networks Martin Casado Michael Freedman Glen Gibb Lew Glendenning Dan.

June, 2006 Stanford 2006 Ethane: Addressing the Protection Problem in Enterprise Networks Martin Casado Michael Freedman Glen Gibb Lew Glendenning Dan.
Lab 4: Simple Router CS144 Lab 4 Screencast May 2, 2008 Ben Nham Based on slides by Clay Collier and Martin Casado.

Lab 4: Simple Router CS144 Lab 4 Screencast May 2, 2008 Ben Nham Based on slides by Clay Collier and Martin Casado.
1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)

1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)
4-1 Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving side, delivers.

4-1 Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving side, delivers.
10 - Network Layer. Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving.

10 - Network Layer. Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving.
August, 2006 Usenix Security 2006 SANE: Addressing the Protection Problem in Enterprise Networks Martin Casado Tal Garfinkel Michael Freedman Aditya Akaella.

August, 2006 Usenix Security 2006 SANE: Addressing the Protection Problem in Enterprise Networks Martin Casado Tal Garfinkel Michael Freedman Aditya Akaella.
1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.

1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.
Chapter 9 Classification And Forwarding. Outline.

Chapter 9 Classification And Forwarding. Outline.
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)

1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)
A Scalable, Commodity Data Center Network Architecture.

A Scalable, Commodity Data Center Network Architecture.
An Overview of Software-Defined Network Presenter: Xitao Wen.

An Overview of Software-Defined Network Presenter: Xitao Wen.
Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.

Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.

Similar presentations

Ads by Google