1 / 19

Traffic Management - OpenFlow Switch on the NetFPGA platform

Traffic Management - OpenFlow Switch on the NetFPGA platform. Chun-Jen Chung(1203584897) Sriram Gopinath (1203800749). Outline. Open Flow Switch Applications Open Flow Switch as a Basic Firewall Per Packet Authentication Possible attacks in a VLAN-based network

kato-fernandez
Télécharger la présentation

Traffic Management - OpenFlow Switch on the NetFPGA platform

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) SriramGopinath(1203800749)

  2. Outline • Open Flow Switch • Applications • Open Flow Switch as a Basic Firewall • Per Packet Authentication • Possible attacks in a VLAN-based network • Analysis on the possible attacks

  3. OpenFlow • OpenFlow is an open standard to deploy new innovative protocols in the real networking environment. • OpenFlow is an open interface for remotely controlling the forwarding tables in network switches, routers, and access points. • OpenFlow provides an open protocol to program the flow-table in different switches and routers. • An OpenFlow Switch consists of at least three parts: (1) A Flow Table, with an action associated with each flow entry, to tell the switch how to process the flow (2) A Secure Channel that connects the switch to a remote control process (called the controller), allowing commands and packets to be sent between a controller and the switch (3) The OpenFlow Protocol, which provides an open and standard way for a controller to communicate with a switch.

  4. Idealized OpenFlowSwitch • The OpenFlow Switch and Controller communicate via the OpenFlow protocol, which defines messages, such as packet-received, send-packet-out, modify-forwarding-table, and get-stats.

  5. Applications • Traffic Management • To block the malicious traffic • Per Packet Authentication • /*To prevent VLan Hopping Attack (Configuration Issue)*/

  6. To block the malicious traffic Implementation detail: • We have made use of the Linux kernel module to block the suspicious traffic. • Script is implemented to capture the Blacklisted IP address. • Then this list is used by the program – to block any traffic from/to these blacklisted sources. • This code is implemented in the Controller • We have used the kernel module to drop the packets from Blacklisted IP address so as to reduce the over load on the controller. Its better to drop the packet beforehand than to process it and drop.

  7. Sample Scenario

  8. Per Packet Authentication This application is to uniquely identify packets from the source. This involves three steps • Generate unique identification code at the source end • Transmit this code along with every packet • Evaluate the code at the destination end(Switch)

  9. Network Set up Simulated Network Xen Configuration

  10. Attack Scenario • Even if the ports are configured as Native trunk ports, this mechanism would prevent Vlan Hoping Attack • This mechanism can be extended to Physical Switch to ensure illegal traffic doesn’t pass through even if Dom0 is compromised

  11. Step 1: Generate unique identification code at the source end Unique identification code is generated by generating hash using the below parameters • Current Timestamp • Source Mac address • Ether Type • Secrete Key Hashing Technique: Hash [ Secrete Key , {TimeStamp (Source Mac || Ether Type)} ] Task Completed: Algorithm Implemented to generate the hash value. Tasks to be completed: Implementing Squash Algorithm

  12. Step 2: Transmit the identifier in every packet • Need to use Packet generation algorithm to modify the packets transmitted to include the Hash code generated and the time stamp used in step 1.

  13. Step 3: Evaluate the identifier at the Switch • The Hash code is again generated at the switch using the parameters in the packet. • This value is compared with the hash code in the packet. • If both the values are equal then the packets is processed else it is dropped. • This code is implemented in the switch and not in the controller so as to reduce the over load from the controller. • By this implementation packets those are not legitimate can be dropped before processing.

  14. Possible attacks in a VLAN-based network There are several different types of attack in layer 2, and most of attacks exploit the inability of a device to track the attacker. Therefore, the attacker can perform undetected malicious actions on the forwarding path to alter it and then exploit the change. • MAC Flooding Attack This is not properly a network “attack” but more a limitation of some switches and bridges. Some of these types of devices possess a finite hardware learning table to store the source addresses of all received packets, when this table becomes full, the traffic that is directed to addresses that cannot be learned anymore will be permanently flooded. This behavior can be exploited by a malicious user. Prevention: This attack can be prevented by limiting the number of MAC addresses that can be used by a single port: the identification of the traffic of a device is thereby directly tied to its port of origin.

  15. Possible attacks in a VLAN-based network • 802.1Q Tagging Attack Tagging attacks are malicious schemes that allow a user on a VLAN to get unauthorized access to another VLAN. There are 2 scenarios • If a switch port was configured as DTP auto and was to receive a fake DTP packet, it might become a trunk port and it might start accepting traffic destined for any VLAN. • When simply receiving regular packets, a switch port may behave like a full-fledged trunk port. Prevention: • The first attack can be prevented very easily by setting DTP to off on all non-trusted ports. • The second attack can usually be addressed by following simple configuration guidelines.

  16. Possible attacks in a VLAN-based network • Double-Encapsulated 802.1Q/Nested VLAN Attack When double-encapsulated 802.1Q packets are injected into the network from a device whose VLAN happens to be the native VLAN of a trunk, the VLAN identification of those packets cannot be preserved from end to end since the 802.1Q trunk would always modify the packets by stripping their outer tag. After the external tag is removed, the internal tag permanently becomes the packet’s only VLAN identifier. Therefore, by double-encapsulating packets with two different tags, traffic can be made to hop across VLANs. Prevention: The use of the native VLAN should be avoided. In cases where the native VLAN cannot be cleared, then always pick an unused VLAN as native VLAN of all the trunks; don’t use this VLAN for any other purpose.

  17. Possible attacks in a VLAN-based network • ARP Attacks An attacker can claim that his or her MAC address is associated to any IP address within a specific subnet. This is possible because ARP requests or replies carry the information about the L2 identity (MAC address) and the L3 identity (IP address) of a device and there is no verification mechanism of the correctness of these identities. Prevention: Using ARP Inspection the occurrence of this attack can be prevented. Most of attacks mentions above can be prevented by properly configuration or constraint for some resources. However, if we can apply our packet level message authentication code, we definitely can filter out the malicious traffic from the attacker and therefore to improve the security of VLAN-based network.

  18. Analysis • All these attacks were analyzed in our current network • It was identified that proper configuration would prevent the environment from these attacks • In the Virtual environment Dom0, which acts as the base platform should be protected. Only by compromising this instance an attacker can possibly launch an attack. • If Dom0 is protected, the possibility of an attack in virtual environment is minimal. • Per Packet Authentication enhances the security of Vlan enabled network by extending the security even when Dom0 instance is compromised.

  19. Result • Application 1 - basic firewall implementation and Application 2 – Per packet Authentication would help in improving the security of a VLan enabled network.

More Related