Enabling Practical SDN Security Applications with OFX (The OpenFlow eXtension Framework)
Transcript of the slide deck.

Page 1
Enabling Practical SDN Security Applications with OFX (The OpenFlow eXtension Framework)
John Sonchack, Adam J. Aviv, Eric Keller, and Jonathan M. Smith
Page 2
Outline
Introduction
Overview of OFX
Using OFX
Benchmarks
Page 3
Basic Networking: Forwarding and Routing
(figure: two boxes, Packet Forwarding and Route Computation, with a question mark between them)
Page 4
SDNs: Networking in Two Planes
Data Plane: packet forwarding
Control Plane: route computation
Pages 5-6
OpenFlow: A Protocol to Manage Switches
Data Plane: packet forwarding
Control Plane: route computation
The control plane pushes flow rules down to the data plane to implement the routes it computes.
Assumption: Interactions between the control plane and data plane are infrequent.
Page 7
SDNs for Network Security
Data Plane: packet forwarding
Control Plane: access control
The controller translates an access control policy into flow rules that implement it, and the data plane enforces them.
Casado, Martin, et al. "Ethane: Taking Control of the Enterprise." ACM SIGCOMM Computer Communication Review 37(4), ACM, 2007.
Page 8
SDNs for Dynamic Network Security
Data Plane
Control Plane: Access Control, Bot Detection, DDoS Defense, Traffic Declassification
A packet from a new flow goes up to the control plane for advanced processing; a route for the flow comes back down.
Page 9
SDNs for Dynamic Network Security: Flow Monitoring
Control Plane: Bot Detection
Data Plane: on a packet from a new TCP flow, the controller installs a byte-counting rule for that flow.
Collect flow records without routing traffic through a middlebox.
Gu, Guofei, et al. "BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection." USENIX Security Symposium, 2008.
Page 10
SDNs for Dynamic Network Security: Traffic Declassification
Control Plane: Traffic Declassification
Data Plane asks: can this flow leave the network?
The controller checks the flow's tags and the user's permissions and returns a declassification decision (Allow | Block).
Enforce access control on tagged data leaving the network.
Mundada, Yogesh, Anirudh Ramachandran, and Nick Feamster. "SilverLine: Preventing Data Leaks from Compromised Web Applications." Proceedings of the 29th Annual Computer Security Applications Conference (ACSAC), ACM, 2013.
Pages 11-12
SDNs for Dynamic Network Security
Data Plane
Control Plane: Access Control, Bot Detection, DDoS Defense, Traffic Declassification
A packet from a new flow goes up to the control plane for advanced processing; a route for the flow comes back down. With these applications every new flow needs a control plane interaction.
Assumption (revisited): Interactions between the control plane and data plane are infrequent.
Page 13
Obstacle: Low Throughput Control Path
The data plane forwards on the order of 130 million packets per second, but the switch can only forward about 500 packets per second to the controller.*
*Measured on OpenFlow hardware; see:
Appelman, Michiel, and Maikel de Boer. "Performance Analysis of OpenFlow Hardware." University of Amsterdam, Tech. Rep., 2012.
Curtis, Andrew R., et al. "DevoFlow: Scaling Flow Management for High-Performance Networks." ACM SIGCOMM Computer Communication Review 41(4), ACM, 2011.
Page 14
Obstacle: Centralized Control Plane
(figure: many switches each sending "New Flow" events to a single controller)
Page 15
Our question: How Can We Make SDNs More Practical?
(figure: Access Control, DDoS Defense, Bot Detection and Traffic Declassification all sit in the control plane, above the data plane)
Page 16
The General Approach: Switch Level Security
(figure: the same four applications, Access Control, DDoS Defense, Bot Detection and Traffic Declassification, moved down to the switches at the data plane)
Page 17
Previous Work: Security Functionality in the Forwarding Engine
Build new switch chips that support security applications.
Shin, Seungwon, et al. "AVANT-GUARD: Scalable and Vigilant Switch Flow Management in Software-Defined Networks." Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS), ACM, 2013.
Page 18
Our insight: Leverage Switch CPUs
Run security logic on the switch CPUs that existing OpenFlow switches already have, rather than on new forwarding chips.
Page 19
OFX: A Framework for Application-Specific Switch Extensions
Each application can load custom functionality into switches, at runtime.
(figure: a Declassification module loaded into each switch)
Page 20
Outline (next: Overview of OFX)
Page 21
OFX at a High Level
(figure: the existing OpenFlow stack, controller above switches)
Page 22
OFX at a High Level
OFX adds two pieces to the stack: an OFX Controller Library on the controller and an OFX Switch Agent on each switch.
Page 23
OFX at a High Level
An OFX Extension Module has two halves: a controller interface, which plugs into the OFX Controller Library, and switch-level logic, which the OFX Switch Agents run.
Page 24
OFX at a High Level: the Declassifier Module
The Declassifier Module keeps its permissions database at the controller and runs the per-flow declassification logic in the OFX Switch Agents.
Page 25
OFX at the Switch Level
(figure: an OpenFlow switch. Hardware: controller-managed forwarding tables followed by OFX filtering tables, between ingress and egress packets. Software: the OFX Agent hosting an OFX Module with its packet handler.)
OFX modules use filters to select the packets that they need to process.
OFX installs the corresponding rules onto the OFX tables.
OFX modules process the selected packets with a custom handler.
Page 26
Outline (next: Using OFX)
Pages 27-28
Refactoring OpenFlow Applications to use OFX
(figure: the declassifier's controller code refactored into an OFX Declassifier Module)
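The switch-level pipeline on page 25 and the refactoring on pages 27-28 are only shown as diagrams here. What follows is an added example, not code from the paper or the real OFX API: a toy Python model of a declassifier built both ways. The Switch class models a hardware flow table, an OFX-style filter table that diverts only matching packets to a handler on the switch CPU, and a controller that receives a packet-in for every table miss. The class names, the host/user/tag permission model and the traffic are all constructed for the illustration.

```python
"""Toy model of a declassifier built two ways: OpenFlow-only (every new flow
decided on the controller) and OFX-style (decided by a module on the switch CPU).

Added example, not code from the OFX paper or its authors. The OFX API is not
shown on these slides; the Switch/Controller classes, the tag and permission
model and the traffic below are all constructed for the illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, int, int]  # (src_ip, dst_ip, src_port, dst_port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    syn: bool = False           # first packet of a new TCP flow
    tag: Optional[str] = None   # SilverLine-style data label carried with the flow

    @property
    def key(self) -> FlowKey:
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port)


# Constructed permission data: which user owns which host, and which data
# labels each user may send out of the network.
USER_OF_HOST = {"10.0.0.5": "alice", "10.0.0.9": "bob"}
PERMISSIONS = {"alice": {"public", "internal"}, "bob": {"public"}}


def declassify(pkt: Packet) -> str:
    """The policy both designs share: may this flow leave the network?"""
    user = USER_OF_HOST.get(pkt.src_ip)
    return "allow" if pkt.tag in PERMISSIONS.get(user, set()) else "block"


class Switch:
    """Hardware pipeline: exact-match flow table, then OFX filter table, then
    the controller as the fallback for a table miss (page 25, simplified)."""

    def __init__(self) -> None:
        self.flow_table: Dict[FlowKey, str] = {}
        self.filters: List[Tuple[Callable[[Packet], bool], Callable[[Packet], None]]] = []
        self.controller: Optional["Controller"] = None
        self.stats = {"hw_allow": 0, "hw_block": 0, "to_cpu": 0, "to_controller": 0}

    def install_rule(self, key: FlowKey, action: str) -> None:
        self.flow_table[key] = action          # later packets of the flow never leave hardware

    def add_filter(self, match: Callable[[Packet], bool], handler: Callable[[Packet], None]) -> None:
        self.filters.append((match, handler))  # the module's filter, installed as an OFX table rule

    def receive(self, pkt: Packet) -> None:
        action = self.flow_table.get(pkt.key)
        if action is not None:
            self.stats["hw_" + action] += 1
            return
        for match, handler in self.filters:
            if match(pkt):
                self.stats["to_cpu"] += 1      # diverted to the module on the switch CPU
                handler(pkt)
                return
        self.stats["to_controller"] += 1       # OpenFlow packet-in over the control channel
        self.controller.packet_in(self, pkt)


class Controller:
    """OpenFlow-only design: the declassification decision runs here."""

    def __init__(self) -> None:
        self.packet_ins = 0

    def packet_in(self, sw: Switch, pkt: Packet) -> None:
        self.packet_ins += 1
        sw.install_rule(pkt.key, declassify(pkt))


def load_ofx_declassifier(sw: Switch) -> None:
    """OFX design: the module's switch-level logic filters TCP SYNs, decides on
    the switch CPU and installs the hardware rule itself, so the controller
    never sees individual flows (it would only need to push permission changes)."""
    sw.add_filter(lambda p: p.syn, lambda p: sw.install_rule(p.key, declassify(p)))


def workload(n_flows: int, pkts_per_flow: int) -> List[Packet]:
    """Constructed traffic: n_flows outbound TCP flows, each a SYN followed by data."""
    pkts = []
    for i in range(n_flows):
        src = "10.0.0.5" if i % 2 == 0 else "10.0.0.9"
        tag = "internal" if i % 3 == 0 else "public"
        for j in range(pkts_per_flow):
            pkts.append(Packet(src, "198.51.100.7", 40000 + i, 443, syn=(j == 0), tag=tag))
    return pkts


def run(use_ofx: bool, n_flows: int = 100, pkts_per_flow: int = 10) -> Dict[str, int]:
    """Replay the workload through one switch and report where packets were handled."""
    sw, ctl = Switch(), Controller()
    sw.controller = ctl
    if use_ofx:
        load_ofx_declassifier(sw)
    for pkt in workload(n_flows, pkts_per_flow):
        sw.receive(pkt)
    return dict(sw.stats, controller_packet_ins=ctl.packet_ins)


if __name__ == "__main__":
    print("OpenFlow only:", run(use_ofx=False))
    print("OFX module:   ", run(use_ofx=True))
```

Both designs end up with the same per-flow hardware rule after a flow's first packet, and the remaining packets are forwarded or dropped in hardware either way; the only difference is where the first-packet decision runs. With 100 new flows the OpenFlow-only design sends 100 packet-ins over the control channel and the OFX design sends none, which is the effect behind the 500 pps control-path ceiling on page 13 and the drop rates on page 33.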
Page 29
Outline (next: Benchmarks)
Page 30
Benchmarking OFX
How much raw overhead is there for processing packets with OFX?
How do OFX-based security applications perform, compared with middlebox and OpenFlow implementations?
Page 31
OFX Benchmark: Packets Per Second
(figure: packets per second on a log10 scale from 1 to 100,000, against packet size from 64 to 1500 bytes, for a packet handler in the controller versus a packet handler in an OFX module)
Packet handler in controller: about 100 PPS at MTU.
Packet handler in OFX module: about 45,000 PPS at MTU.
Page 32
Benchmarking OFX (second question): how do OFX-based security applications perform, compared with middlebox and OpenFlow implementations?
Page 33
Benchmark: Declassifier Packet Drop Rate

| Implementation  | Frequently arriving flows | Median flows | High bandwidth flows |
|-----------------|---------------------------|--------------|----------------------|
| Middlebox Proxy | 0.1%                      | 0.1%         | 20.4%                |
| OpenFlow        | 97.5%                     | 88.2%        | 0.1%                 |
| OFX             | 5.1%                      | 3.2%         | 0.1%                 |

Proxy implementation limited by bit rate.
OpenFlow implementation limited by flow arrival rate.
OFX implementation performed well in all workloads.

Workload parameters (sources cited on the slide):

| Workload                       | Frequently arriving flows | Median flows | High bandwidth flows |
|--------------------------------|---------------------------|--------------|----------------------|
| Flow inter-arrival period      | 0.0015 s                  | 0.015 s      | 0.15 s               |
| Average transmission bandwidth | 19.75 Mbps                | 43.57 Mbps   | 970.99 Mbps          |

Kandula, S., S. Sengupta, A. Greenberg, P. Patel, and R. Chaiken. "The Nature of Data Center Traffic: Measurements & Analysis." Proceedings of the 9th ACM SIGCOMM Conference on Internet Measurement (IMC), ACM, 2009, pp. 202-208.
Qian, L., and B. E. Carpenter. "A Flow-Based Performance Analysis of TCP and TCP Applications." 18th IEEE International Conference on Networks (ICON), IEEE, 2012, pp. 41-45.
Page 34
In the Paper
Application-specific modules: Bot Detection, DDoS Defense.
Enhanced switch API modules: TCP Handshake Validation (raises a "New TCP Flow" event only once its condition is reached), Push-Based Alerts.
More benchmarks.
OFX API and implementation details.
Running on unmodified OpenFlow hardware!
(figure: OpenFlow packet path versus OFX packet path. Switch side: forwarding engine firmware, Linux kernel, OpenFlow agent, and the OFX agent in the Linux network stack. Controller side: Linux kernel, control platform, OpenFlow controller, and the OFX library.)
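TCP handshake validation and push-based alerts are named on this slide but not shown. As an added example, not the paper's module or its API, here is one way a switch-CPU module could implement both in Python: it tracks SYN, SYN-ACK and ACK per flow, notifies the controller only for flows that complete the three-way handshake, bounds the half-open table so a SYN flood cannot exhaust switch memory, and pushes a single alert when half-open connections cross a threshold. The Seg fields, the state machine, the timeout and threshold values, and the notify/alert callbacks are assumptions made for the example.

```python
"""Switch-CPU module that validates TCP handshakes before the controller hears
about a flow, and pushes an alert when half-open connections pile up.

Added example, not the paper's module: this slide only names "TCP Handshake
Validation" and "Push Based Alerts". The Seg fields, the state machine, the
timeout/threshold values and the notify/alert callbacks are all assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]  # (client_ip, client_port, server_ip, server_port)


@dataclass(frozen=True)
class Seg:
    """The TCP header fields the module looks at, plus an arrival time."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False
    t: float = 0.0  # arrival time in seconds


class HandshakeValidator:
    SYN_SENT, SYNACK_SEEN = 1, 2

    def __init__(self, notify: Callable[[FlowKey], None], alert: Callable[[str], None],
                 half_open_timeout: float = 3.0, max_pending: int = 1024,
                 alert_threshold: int = 256) -> None:
        self.notify = notify        # "New TCP Flow" event to the controller, once per completed handshake
        self.alert = alert          # push-based alert to the controller
        self.pending: Dict[FlowKey, Tuple[int, float]] = {}   # half-open flows: key -> (state, t_syn)
        self.timeout = half_open_timeout
        self.max_pending = max_pending
        self.threshold = alert_threshold
        self.alerted = False
        self.dropped_syns = 0

    def _expire(self, now: float) -> None:
        """Forget half-open entries older than the timeout; re-arm the alert once the backlog drains."""
        for k in [k for k, (_, t0) in self.pending.items() if now - t0 > self.timeout]:
            del self.pending[k]
        if self.alerted and len(self.pending) < self.threshold // 2:
            self.alerted = False

    def handle(self, seg: Seg) -> None:
        self._expire(seg.t)
        if seg.syn and not seg.ack:                 # client SYN: start tracking, within a fixed budget
            key = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
            if key in self.pending:
                return                              # retransmitted SYN, nothing new
            if len(self.pending) >= self.max_pending:
                self.dropped_syns += 1              # bounded state: a flood cannot exhaust switch memory
                return
            self.pending[key] = (self.SYN_SENT, seg.t)
            if len(self.pending) >= self.threshold and not self.alerted:
                self.alerted = True
                self.alert(f"{len(self.pending)} half-open connections toward {seg.dst_ip}")
        elif seg.syn and seg.ack:                   # server SYN-ACK: the flow key is reversed
            key = (seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port)
            if self.pending.get(key, (None, 0.0))[0] == self.SYN_SENT:
                self.pending[key] = (self.SYNACK_SEEN, seg.t)
        elif seg.ack:                               # client ACK completes the handshake
            key = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
            if self.pending.get(key, (None, 0.0))[0] == self.SYNACK_SEEN:
                del self.pending[key]
                self.notify(key)                    # only now does the controller learn of the flow


def simulate(n_legit: int = 3, n_flood: int = 2000) -> Dict[str, int]:
    """Constructed traffic: n_legit complete handshakes, then n_flood spoofed SYNs
    that are never answered. Returns what the controller would have seen."""
    new_flows: List[FlowKey] = []
    alerts: List[str] = []
    v = HandshakeValidator(new_flows.append, alerts.append)
    server = ("192.0.2.10", 443)
    for i in range(n_legit):
        client = (f"10.0.0.{i + 1}", 50000 + i)
        v.handle(Seg(*client, *server, syn=True, t=0.1 * i))
        v.handle(Seg(*server, *client, syn=True, ack=True, t=0.1 * i + 0.01))
        v.handle(Seg(*client, *server, ack=True, t=0.1 * i + 0.02))
    for i in range(n_flood):
        v.handle(Seg(f"203.0.113.{i % 250 + 1}", 1024 + i, *server, syn=True, t=1.0 + i * 1e-4))
    return {"new_flows": len(new_flows), "alerts": len(alerts),
            "half_open": len(v.pending), "dropped_syns": v.dropped_syns}


if __name__ == "__main__":
    print(simulate())
```

With the defaults, the three legitimate handshakes produce three "New TCP Flow" notifications, while 2000 unanswered SYNs produce none: the table fills to its 1024-entry budget, the remaining 976 SYNs are not tracked, and exactly one alert is pushed when the half-open count crosses 256. The point is the one the control-path slides make: the controller's 500 pps budget is spent on completed flows, not on a flood.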
Page 35
Thank You
OFX: The OpenFlow Extension Framework
OFX lets OpenFlow security applications push parts of their control plane logic down to switch CPUs, which can greatly improve performance and scalability on existing hardware and software.
(figure: an OFX Extension Module)