Presentation is loading. Please wait.

Presentation is loading. Please wait.

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) Sriram Gopinath(1203800749)

Published byPaul Washington Modified over 9 years ago

Similar presentations

Presentation on theme: "Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) Sriram Gopinath(1203800749)"— Presentation transcript:

1 Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) Sriram Gopinath(1203800749)

2 Open Flow Switch Applications Open Flow Switch as a Basic Firewall Per Packet Authentication Possible attacks in a VLAN-based network Analysis on the possible attacks Result Outline

3 OpenFlow Open Flow is an open standard to deploy new innovative protocols in the real networking environment. Open Flow is an open interface for remotely controlling the forwarding tables in network switches, routers, and access points. Open Flow provides an open protocol to program the flow-table in different switches and routers. An Open Flow Switch consists of at least three parts: (1) A Flow Table, with an action associated with each flow entry, to tell the switch how to process the flow (2) A Secure Channel that connects the switch to a remote control process (called the controller), allowing commands and packets to be sent between a controller and the switch (3) The OpenFlow Protocol, which provides an open and standard way for a controller to communicate with a switch.

4 Idealized OpenFlowSwitch The OpenFlow Switch and Controller communicate via the OpenFlow protocol, which defines messages, such as packet- received, send-packet-out, modify-forwarding-table, and get-stats.

5 Applications Traffic Management – To block the malicious traffic – Per Packet Authentication – /*To prevent VLan Hopping Attack (Configuration Issue)*/

6 PROJECT STATUS Initial Status: (March 8 th ) Initial set up (Installing OpenFlow and NOX controller) Solution for Application 1 and Application 2 Current Status: (April 21 st ) Implementing Application 1 Completing Phase 1 and 2 of Application 2 Pending Activity Phase 3 of Application 2

7 To block the malicious traffic Implementation detail: We a packet in a new flow arrives at the open flow switch, it is sent to Controller to make appropriate decision. Controller decides whether to block this packet or to deliver it to the destination specified in the packet Script has been written to generate the list of Blacklisted IPs. Then this list is used by the Open flow switch – to block any traffic from/to these blacklisted sources. Code is implemented in the Controller to drop packets which are from the Blacklisted IPs IP in the packet --match--  IP in the Blacklist IP address--  Drop the packet

8 Sample Scenario

9 Per Packet Authentication This application is to uniquely identify packets from the source. This involves three steps Generate unique identification code at the source end Transmit this code along with every packet Evaluate the code at the destination end(Switch)

10 Network Set up Xen Configuration Simulated Network

11 Step 1: Generate unique identification code at the source end Unique identification code is generated by generating hash using the below parameters Current Timestamp (48 BITS) Source Mac address (48 BITS) Secrete Key (48 BITS) Hashing Technique: Hash [ Secrete Key, {TimeStamp  Source Mac} ] Task Completed: HMAC SHA2-Algorithm Implemented to generate the hash value (48 BITS).

12 Step 2: Transmit the identifier in every packet We have used the Packet generation algorithm to modify the transmitted packets to include the Hash code generated and the time stamp used in step 1. We have used the QinQ mechanism available in the 802.1Q packet header format to include these additional values into the packet

13

14 Step 3: Evaluate the identifier at the Switch The Hash code is again generated at the switch using the parameters in the packet. SHA-1 algorithm used in step 1 is used to generate the Hash value This value is compared with the hash code in the packet. If both the values are equal then the packets is processed else it is dropped. This code is implemented in the switch and not in the controller so as to reduce the over load from the controller. By this implementation packets those are not legitimate can be dropped before processing.

15

16 Possible attacks in a VLAN-based network There are several different types of attack in layer 2, and most of attacks exploit the inability of a device to track the attacker. Therefore, the attacker can perform undetected malicious actions on the forwarding path to alter it and then exploit the Change. MAC Flooding Attack This is not properly a network “attack” but more a limitation of some switches and bridges. Some of these types of devices possess a finite hardware learning table to store the source addresses of all received packets, when this table becomes full, the traffic that is directed to addresses that cannot be learned anymore will be permanently flooded. 802.1Q Tagging Attack Tagging attacks are malicious schemes that allow a user on a VLAN to get unauthorized access to another VLAN. – If a switch port was configured as DTP auto and was to receive a fake DTP packet, it might become a trunk port and it might start accepting traffic destined for any VLAN. – When simply receiving regular packets, a switch port may behave like a full-fledged trunk port.

17 Possible attacks in a VLAN-based network ARP Attacks An attacker can claim that his or her MAC address is associated to any IP address within a specific subnet. This is possible because ARP requests or replies carry the information about the L2 identity (MAC address) and the L3 identity (IP address) of a device and there is no verification mechanism of the correctness of these identities. Double-Encapsulated 802.1Q/Nested VLAN Attack When double-encapsulated 802.1Q packets are injected into the network from a device whose VLAN happens to be the native VLAN of a trunk, the VLAN identification of those packets cannot be preserved from end to end since the 802.1Q trunk would always modify the packets by stripping their outer tag. After the external tag is removed, the internal tag permanently becomes the packet’s only VLAN identifier. Therefore, by double- encapsulating packets with two different tags, traffic can be made to hop across VLANs.

18 Analysis of Attacks All these attacks were analyzed in our current network It was identified that proper configuration would prevent the environment from most of these attacks Using ARP Inspection the occurrence of few of these attack can be prevented. Why Per Packet Authentication?

19 Attack Scenario Normal Scenario When Compromised

20 Analysis In the Virtual environment Dom0, which acts as the base platform should be protected. Only by compromising this instance an attacker can possibly launch an attack. If Dom0 is protected, the possibility of an attack in virtual environment is minimal. Per Packet Authentication enhances the security of Vlan enabled network by extending the security even when Dom0 instance is compromised. Even if the ports are configured as Native trunk ports, this mechanism would prevent Vlan Hoping Attack This mechanism can be extended to Physical Switch to ensure illegal traffic doesn’t pass through even if Dom0 is compromised

21 Result Application 1 - basic firewall implementation has been implemented completely and Application 2 – Per packet Authentication which is yet to be completed would help in improving the security of a VLan enabled network.

22 DEMO

Download ppt "Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) Sriram Gopinath(1203800749)"

Similar presentations

Access Control List (ACL)

Access Control List (ACL)
Mitigating Layer 2 Attacks

Mitigating Layer 2 Attacks
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.
RIP V1 W.lilakiatsakun.

RIP V1 W.lilakiatsakun.
OpenFlow overview Joint Techs Baton Rouge. Classic Ethernet Originally a true broadcast medium Each end-system network interface card (NIC) received every.

OpenFlow overview Joint Techs Baton Rouge. Classic Ethernet Originally a true broadcast medium Each end-system network interface card (NIC) received every.
Switching Topic 4 Inter-VLAN routing. Agenda Routing process Routing VLANs – Traditional model – Router-on-a-stick – Multilayer switches EtherChannel.

Switching Topic 4 Inter-VLAN routing. Agenda Routing process Routing VLANs – Traditional model – Router-on-a-stick – Multilayer switches EtherChannel.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) SriramGopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) Sriram Gopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) Sriram Gopinath( )
William Stallings Data and Computer Communications 7 th Edition (Selected slides used for lectures at Bina Nusantara University) Internetworking.

William Stallings Data and Computer Communications 7 th Edition (Selected slides used for lectures at Bina Nusantara University) Internetworking.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,

(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,
Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.

Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.
We will be covering VLANs this week. In addition we will do a practical involving setting up a router and how to create a VLAN.

We will be covering VLANs this week. In addition we will do a practical involving setting up a router and how to create a VLAN.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
Network Redundancy Multiple paths may exist between systems. Redundancy is not a requirement of a packet switching network. Redundancy was part of the.

Network Redundancy Multiple paths may exist between systems. Redundancy is not a requirement of a packet switching network. Redundancy was part of the.
Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula.

Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula.
Information-Centric Networks10b-1 Week 13 / Paper 1 OpenFlow: enabling innovation in campus networks –Nick McKeown, Tom Anderson, Hari Balakrishnan, Guru.

Information-Centric Networks10b-1 Week 13 / Paper 1 OpenFlow: enabling innovation in campus networks –Nick McKeown, Tom Anderson, Hari Balakrishnan, Guru.
Chapter 4: Managing LAN Traffic

Chapter 4: Managing LAN Traffic
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: Implementing VLAN Security Routing And Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: Implementing VLAN Security Routing And Switching.

Similar presentations

Ads by Google