Published by Tracey Strickland. Modified over 8 years ago.
Slide 1: Traffic Management - OpenFlow Switch on the NetFPGA platform
Chun-Jen Chung (1203584897)
Sriram Gopinath (1203800749)
Slide 2: Outline
- Introduction
- Status Report
- Proposed Solution
- Expected Results
- Progression Plan
Slide 3: Status
Proposed status: implement an OpenFlow switch on the NetFPGA platform.
Current status: compilation, installation and configuration of the OpenFlow switch on the NetFPGA platform and its dependencies.
Tasks completed:
- NetFPGA 2.1.9 configuration
- OpenFlow switch 1.0.0 configuration
- Regression test on the OpenFlow switch
Slide 4: Introduction
Traffic management applications:
- Block or monitor malicious traffic
- Avoid VLAN hopping attacks
Slide 5: 1. Monitoring Malicious Traffic
Rules:
- An incoming packet's source IP is checked against the blacklisted IP list.
- An outgoing packet's destination IP is checked against the blacklisted IP list.
Sources of blacklisted IP addresses:
- Verisign
- ZeuS blacklisted IP addresses
- BotHunter blacklist
We drop the packet if there is a match. This is achieved by leaving the Action field of the flow-table entry empty after the packet has been processed against the rules above: in OpenFlow, a flow entry with no actions drops the packets it matches.
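As an added illustration, not the project's own code, the rules above expressed as OpenFlow 1.0-style flow entries in Python: the drop is the empty action list, and whether the source or the destination address is checked depends on the ingress port. The blacklist prefixes, the port numbers and the NORMAL default action are constructed for this example.

```python
import ipaddress

# Constructed sample blacklist (stand-in for the Verisign, ZeuS and BotHunter feeds
# the slide names; these are documentation prefixes, not real indicators).
BLACKLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]

def blacklist_flow_entries(blacklist, lan_port, wan_port):
    """OpenFlow 1.0-style entries: two per prefix (incoming traffic matches nw_src,
    outgoing traffic matches nw_dst) with an EMPTY action list, which drops the
    packet, plus a lowest-priority default that forwards everything else."""
    entries = []
    for net in blacklist:
        entries.append({"priority": 100, "in_port": wan_port, "dl_type": 0x0800,
                        "nw_src": net, "actions": []})
        entries.append({"priority": 100, "in_port": lan_port, "dl_type": 0x0800,
                        "nw_dst": net, "actions": []})
    entries.append({"priority": 0, "actions": ["NORMAL"]})   # NORMAL = legacy L2 forwarding
    return entries

def matches(entry, pkt):
    """Wildcard semantics: a field absent from the entry matches any value."""
    for field in ("in_port", "dl_type"):
        if field in entry and entry[field] != pkt[field]:
            return False
    for field in ("nw_src", "nw_dst"):
        if field in entry and ipaddress.ip_address(pkt[field]) not in entry[field]:
            return False
    return True

def lookup(entries, pkt):
    """Actions of the highest-priority matching entry; [] means drop."""
    for entry in sorted(entries, key=lambda e: -e["priority"]):
        if matches(entry, pkt):
            return entry["actions"]
    return None   # table miss: OpenFlow 1.0 would send the packet to the controller
```

Note that a blacklisted address appearing as the destination of incoming traffic is not covered by the two rules on the slide, which the last lookup in the test makes visible.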
Slide 6: 2. What is a VLAN hopping attack?
A VLAN hopping attack is a computer security exploit: a method of attacking networked resources on a VLAN.
In a double tagging attack, an attacking host prepends two VLAN tags to the packets it transmits. The first header (which corresponds to the VLAN the attacker is really a member of) is stripped off by the first switch the packet encounters, and the packet is then forwarded. The second, false header is then visible to the second switch the packet encounters. This false VLAN header indicates that the packet is destined for a host on a second, target VLAN. The packet is then delivered to the target host as though it were layer 2 traffic. By this method, the attacking host can bypass layer 3 security measures that are used to logically isolate hosts from one another.
Slide 7: Avoid VLAN Hopping Attack
Proposed plan: uniquely identify each frame based on an identifier and transmit it to the switch.
Identifier:
a. Fields to be used for hashing: timestamp, source MAC address, EtherType
b. Hash algorithm: Squash
Method to transfer the identifier: 802.1Q header
Slide 8: Generating Hash
The format below is used to generate the hash value.
To prove the integrity of the origin we can use Squash:
Hash [ Secret Key, { TimeStamp (Source MAC || EtherType) } ]
To prove the integrity of the entire frame between the host and the switch we can use MD5:
Hash [ Secret Key, { TimeStamp (Entire Frame) } ]
Slide 9: Frame Structure
Normal Ethernet header format:
Destination MAC address | Source MAC address | 802.1Q Header | EtherType
Modified Ethernet header format:
We will be modifying the Ethernet header into the format below. We will use the 802.1Q header to determine the length of the Ethernet frame. Two more fields are introduced: Time Stamp and Hash Value.
Slide 10: To Transmit Hash Value
We plan to use the 802.1Q header to include the hash value in the packet. This header defines the following fields.
802.1Q Header:
- VLAN Identifier (VID): a 12-bit field specifying the VLAN to which the frame belongs. If set to 0 the frame is untagged (no VLAN).
- Canonical Format Indicator (CFI): a 1-bit field. If its value is 1, the MAC address is in non-canonical format.
- Priority Code Point (PCP): prioritizes different classes of traffic (voice, video, data).
- TPID: defines the type (how many bits are used) of the 802.1Q header. For an IPv4 packet the EtherType field is set to 0x0800; for a VLAN-tagged packet the EtherType field is set to 0x8100.
Similarly, we will implement a procedure to incorporate a new EtherType value which will inform the switch about the various fields present in the Ethernet header.
Slide 11: OpenFlow Spec
[Figure: flowchart showing how header fields are parsed for matching]
Slide 12: Flow Table Entries
- Include a new field (the key) in the flow table.
- For each packet, a hash value is generated using the key in the flow table and compared with the value carried in the packet. If they are equal the packet is processed, otherwise it is dropped.
- If there is a replay attack, all the fields in the flow table will match, including the key, which indicates that this is a false packet; hence the packet will be dropped.
- If the VLAN ID in the Ethernet frame is modified by an attacker, the packet will be dropped because the hash value will not match the key.
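The frame format of slides 8 to 10 and the switch-side checks of slide 12, worked through as an added Python example rather than the project's NetFPGA code. Assumptions of this example: HMAC-SHA256 truncated to 16 bytes stands in for the Squash/MD5 hash, the hash also covers the 802.1Q TCI so that a modified VID is detected, 0x88B5 is only a placeholder for the new EtherType, and the key and MAC addresses are constructed.

```python
import hmac
import hashlib
import struct

# Constructed demo values (not from the deck); 0x88B5 is only a placeholder EtherType.
DEMO_KEY = b"demo-shared-key"
ETHERTYPE_HASHED = 0x88B5
TPID_8021Q = 0x8100

def tag_8021q(pcp, cfi, vid):
    """802.1Q tag: TPID 0x8100, then TCI = PCP (3 bits) | CFI (1 bit) | VID (12 bits)."""
    tci = ((pcp & 0x7) << 13) | ((cfi & 0x1) << 12) | (vid & 0xFFF)
    return struct.pack("!HH", TPID_8021Q, tci)

def frame_hash(key, timestamp, src_mac, tci, ethertype):
    """Keyed hash over TimeStamp || TCI || Source MAC || EtherType. HMAC-SHA256 (16-byte
    truncation) stands in for Squash/MD5; covering the TCI is this example's assumption."""
    msg = struct.pack("!QH", timestamp, tci) + src_mac + struct.pack("!H", ethertype)
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]

def build_frame(dst, src, vid, timestamp, key, payload):
    """Host side. Modified header: dst | src | 802.1Q tag | EtherType | TimeStamp | Hash."""
    tag = tag_8021q(0, 0, vid)
    tci = struct.unpack("!H", tag[2:])[0]
    return (dst + src + tag + struct.pack("!HQ", ETHERTYPE_HASHED, timestamp)
            + frame_hash(key, timestamp, src, tci, ETHERTYPE_HASHED) + payload)

class HashedFlowTable:
    """Switch side. Flow entries carry the deck's extra field: a per-source key."""
    def __init__(self):
        self.keys = {}      # source MAC -> key
        self.seen = set()   # (source MAC, timestamp) already accepted

    def add_entry(self, src_mac, key):
        self.keys[src_mac] = key

    def process(self, frame):
        """Return 'forward vid=N', or 'drop: <reason>' for the slide's drop cases."""
        src = frame[6:12]
        tpid, tci, ethertype, timestamp = struct.unpack("!HHHQ", frame[12:26])
        key = self.keys.get(src)
        if tpid != TPID_8021Q or ethertype != ETHERTYPE_HASHED or key is None:
            return "drop: no matching flow entry"
        expected = frame_hash(key, timestamp, src, tci, ethertype)
        if not hmac.compare_digest(frame[26:42], expected):
            return "drop: hash mismatch"    # modified VID, wrong key, or forged frame
        if (src, timestamp) in self.seen:
            return "drop: replay"           # same frame presented again
        self.seen.add((src, timestamp))
        return "forward vid=%d" % (tci & 0xFFF)
```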
Slide 13: Alternative Solution (Key Chain Based)
Initially the source will generate the hash value using the Squash algorithm and the switch will verify the same:
Hash [ Secret Key, { (Destination || EtherType) (Source MAC || EtherType) } ]
For the rest of the packets this hash value will be used as the key to generate the next hash value:
Hash_n [ Secret Key, { Hash_{n-1} (Source MAC || EtherType) } ]
A problem would occur when the packets are not transmitted in sequence. This can be addressed by using the sequence number field in the TCP header to identify the packet. Since from H_n we can derive H_{n+m}, we can derive the hash values of all the following packets. Markers can also be used to reduce the computational load.
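The key chain of this slide, as an added Python example (not the project's code), including the out-of-sequence case: the switch derives H_{n+m} forward from the nearest known H_n, and a sliding marker bounds the state it keeps. HMAC-SHA256 stands in for Squash, and the sequence number is passed in directly rather than read from the TCP header; key and addresses in the test are constructed.

```python
import hmac
import hashlib
import struct

def keyed_hash(key, data):
    """HMAC-SHA256 stands in here for the deck's Squash algorithm (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def chain_start(key, dst_mac, src_mac, ethertype):
    """H_0 = Hash[key, (Destination || EtherType) || (Source MAC || EtherType)]"""
    et = struct.pack("!H", ethertype)
    return keyed_hash(key, dst_mac + et + src_mac + et)

def chain_next(key, prev, src_mac, ethertype):
    """H_n = Hash[key, H_{n-1} || (Source MAC || EtherType)]"""
    return keyed_hash(key, prev + src_mac + struct.pack("!H", ethertype))

class ChainVerifier:
    """Switch side of the key chain. Packets carry (seq, H_seq); since H_{n+m}
    is derivable from H_n, out-of-order arrivals are checked by deriving forward
    from the nearest known link, and a sliding marker discards stale state."""
    WINDOW = 64                      # how far ahead of the marker a seq may be

    def __init__(self, key, dst_mac, src_mac, ethertype):
        self.key, self.src, self.et = key, src_mac, ethertype
        self.known = {0: chain_start(key, dst_mac, src_mac, ethertype)}  # seq -> H_seq
        self.accepted = set()        # verified seqs above the marker
        self.base = 0                # marker: every seq <= base is finished

    def derive(self, seq):
        n = max(k for k in self.known if k <= seq)
        h = self.known[n]
        for i in range(n + 1, seq + 1):
            h = chain_next(self.key, h, self.src, self.et)
            self.known[i] = h        # cache links so later out-of-order packets are cheap
        return h

    def verify(self, seq, carried):
        """True if the carried hash is H_seq for a not-yet-seen seq inside the window."""
        if seq <= self.base or seq > self.base + self.WINDOW or seq in self.accepted:
            return False             # stale, too far ahead, or replayed
        if not hmac.compare_digest(self.derive(seq), carried):
            return False             # forged, modified, or wrong key
        self.accepted.add(seq)
        while self.base + 1 in self.accepted:   # slide the marker over contiguous seqs
            self.base += 1
            self.accepted.discard(self.base)
            self.known.pop(self.base - 1, None)
        return True
```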
Slide 14: Plan and Expected Result
Progression plan:
- Implement an OpenFlow switch with basic firewall functionality by March 26th
- Provide remediation for the VLAN hopping attack by April 26th
Expected result:
- Make the switch act as a basic firewall
- Prevent VLAN hopping attacks
Slide 15: OpenFlowSwitch-NetFPGA-TrafficMgmt
http://openflowswitch-netfpga-trafficmgmt.wikispaces.asu.edu/