HEX Switch: Hardware-assisted security extensions of OpenFlow

Transcription

1 HEX Switch: Hardware-assisted security extensions of OpenFlow Taejune Park / KAIST / taejune.park@kaist.ac.kr Zhaoyan Xu / StackRox Inc. / z@stackrox.com Seungwon Shin / KAIST / claude@kaist.ac.kr

2 Software-Defined Networking Centralized management Dynamic traffic engineering Programable network operation High-compatibility with virtualized environments 2 /36

3 Software-Defined Networking Centralized management Dynamic traffic engineering Security is still required Programable network operation High-compatibility with virtualized environments 3 /36

4 Security in Software-Defined Networking Control-Plane Layer Data-Plane Layer Network Control Apps. Security Apps. Security Application Standard Protocol (e.g., OpenFlow) Middle-box 4 /36

5 Security in Software-Defined Networking Control-Plane Layer Network Control Apps. Security Apps. Security Application Security applications on a control plane Applying security features network-widely Cheap price Standard Protocol (e.g., OpenFlow) Easy to manage Data-Plane Layer Middle-box 5 /36

6 Security in Software-Defined Networking Control-Plane Layer Network Control Apps. Security Apps. Security Application Security applications on a control plane Applying security features network-widely Cheap price Data-Plane Layer Standard Protocol (e.g., OpenFlow) Limitation Easy to manage Simple security only available Middle-box Slow-path for inspection Controller overhead 6 /36

7 Security in Software-Defined Networking Control-Plane Layer Network Control Apps. Security Apps. Security Application Data-Plane Layer Standard Protocol (e.g., OpenFlow) Middle-box Middle-boxes on a data plane Better performance Rich features such as payload inspection No controller overhead 7 /36

8 Security in Software-Defined Networking Control-Plane Layer Data-Plane Layer Network Control Apps. Security Apps. Security Application Standard Protocol (e.g., OpenFlow) Limitation Middle-box Middle-boxes on a data plane Better performance Network overhead by traffic detouring (Taking extra hops) Require flow steering for NFs Rich features such as payload inspection No controller overhead Additional control channels for NFs 8 /36

9 Summary Category SDN Applications Middle-boxes Flexibility Management Deployability Performance Functionality 9 /36

10 Related works: Extending SDN architecture to support security Mekky, Hesham, et al. "Network function virtualization enablement within SDN data plane. IEEE INFOCOM 2017 (Also, HotSDN 2014) Sonchack, John, et al. "Enabling Practical Software-defined Networking Security Applications with OFX." NDSS /36

11 Related works: Their security functions are not fully consolidated Extending SDN architecture to support security into a data plane Mekky, Hesham, et al. "Network function Application module, Tap-based interface virtualization enablement within SDN data plane. IEEE INFOCOM 2017 (Also, HotSDN 2014) Sonchack, John, et al. "Enabling Practical Software-defined Networking Security Applications with OFX." NDSS /36

12 Related works: Extending SDN architecture to support security In essence, they are NOT different from the middle-box structure! Mekky, Hesham, et al. "Network function It's just a scale down! virtualization enablement within SDN data plane. IEEE INFOCOM 2017 (Also, HotSDN 2014) Sonchack, John, et al. "Enabling Practical Software-defined Networking Security Applications with OFX." NDSS /36

13 Related works: UNISAFE: A union of security actions for software switches Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization. ACM, 2016 Fully integrated security functions into a data plane, not modular one Security functions as a set of OpenFlow actions UNISAFE (based on Open vswitch) Flow table Execute actions MATCH Actions Lookup Flow table Security actions Flow_A Flow_B sec_dos(mbps=100), output:2 sec_dos(mbps=500),sec_scan( ),output:3 13/36

14 Security actions of UNISAFE High-compatibility with common OpenFlow actions - actions=sec_dos(mbps=1000),set_nw_src( ),output:2 Fine-grained security enforcement per a flow - in_port=1,nw_src= ,tp_dst=80,actions=sec_dos( ), - in_port=2,nw_dst= ,actions=sec_dpi( ), Easy configuration for a security service chaining - actions=sec_dos( ),sec_scan( ),sec_dpi( ), 14/36

15 Performance in UNISAFE Achieve line-rate latency for all security Throughput forwarding dos scan1 scan5 dpi100 dpi500 dpi1000 But, lack of throughput in some actions 80 Payload Inspection (DPI) throughput Throughput less than 100Mbps on 1Gbps Throughput(%) Bandwidth(Mbps) 15/36

16 Performance in UNISAFE Achieve line-rate latency for all security Throughput forwarding dos scan1 scan5 dpi100 dpi500 dpi1000 But, lack of throughput in some actions 80 Challenge 1: Payload Inspection (DPI) throughput Performance limitation Throughput less than 100Mbps on 1Gbps Throughput(%) Bandwidth(Mbps) 16/36

17 Security operation in UNISAFE Manual operation for security violations by an administrator? Manual Operation Controller 17/36

18 Security operation in UNISAFE Manual operation for security violations by an administrator Security operation Controller Manual Operation? Challenge 2: 18/36

19 HEX Switch: Hardware-assisted security extensions of OpenFlow Hardware-based approach for UNISAFE Using NetFPGA Providing line-rate performance with configurability Security Actions Security Policy Controller communication 19/36

20 Design Security Processor between the packet processing sequence. Six-stages pipeline: Mainly consist of data storage and inspection logic Flow table controller forwards flow keys, stats and action key after matching Input Alert Msg output Flow key Packet Flow key, stats & Action key Stage 1 Stage 2 Stage 3 Stage 4-5 Stage 6 Packet buffer 20/36

21 Design Security Processor between the packet processing sequence. Six-stages pipeline: Mainly consist of data storage and inspection logic Flow table controller forwards flow keys, stats and action key after matching Input Alert Msg output Flow key Packet Flow key, stats & Action key Stage 1 Stage 2 Stage 3 Stage 4-5 Stage 6 Packet buffer 21/36

22 Design Security Processor between the packet processing sequence. Six-stages pipeline: Mainly consist of data storage and inspection logic Flow table controller forwards flow keys, stats and action key after matching Input Flow key Packet Flow key, stats & Action key Stage 1 Stage 2 Stage 3 Stage 4-5 Packet buffer Stage 6 Alert Msg output 22/36

23 Design Security Processor between the packet processing sequence. Six-stages pipeline: Mainly consist of data storage and inspection logic Flow table controller forwards flow keys, stats and action key after matching Input Alert Msg output Flow key Packet Flow key, stats & Action key Stage 1 Stage 2 Stage 3 Stage 4-5 Stage 6 Packet buffer 23/36

24 Security Action Processing All security actions are performed in parallel Forward the data storage data to inspection logic through the wide data bus. Data storage Wide Data Bus Challenge Pattern list for payload inspection requires width bandwidth => Transfer the address first and read directly memory Flow Key, Stats & Action Key Pattern list HEX Action Input Selector Address of large data 24/36

25 After Processing: Applying Policy Actions can handle violated packets according to a policy - e.g., actions=sec_dos(mbps=1000,policy=redirect:2) => If the current bps exceeds 1000 Mbps, redirect the flow to port 2. Four polices Alert - Neglect: Ignores the violation - Alert: Send an alert msg to a controller - Discard: Terminates the packet processing and drop the packet Inspection Logic Policy handler Redirect - Redirect: Forward packets to an alternative port Discard 25/36

26 Communication with a controller By the host device with its software The host device and the HEX switch are bound by the device driver To Controller Msg Handler Host device and software Device driver 26/36

27 Communication with a controller: Transferring an alert message The device driver reads the registers and the HEX handler transfers it to a controller through a OpenFlow channel A controller provides a handler API to process the alert message To Controller Msg Handler 27/36

28 Communication with a controller: Deploying security actions: The security actions are deployed by flow_mod messages Security actions are compatible with common OpenFlow actions To Controller Msg Handler 28/36

29 Challenge in flow-level security deployment The flow-level security cannot represent a security policy across multiple flows Simple example: Flow A 800Mbps Flow B 700Mbps Flow A Flow B The total incoming bandwidth from Flow A/B evidently exceeds 1000 Mbps, but the DoS detectors never trigger an alert! 29/36

30 Action Clustering Security actions have a cluster ID in their parameter The actions that use the same cluster ID are considered to belong to the same cluster The clustered action works as the integrated single action across different flow rules Implementing by sharing the data storage by the cluster map Match A B C Actions sec_xyz (id = 10, ) sec_xyz (id = 10, ) sec_xyz (id = 10, ) sec_xyz Action key & Cluster IDs Update Data Data storage Distributor Hash Hash DoS Action Cluster Map Address Data 0xAA 1111,2222 0xBB 3333,4444 0xCC 5555,6666 DPI Action Cluster Map Address Data Data Storage Build Bus Data DPI_10 Num Patterns Num Patterns 1Num vulnerable Patterns 1 vulnerable 2 1 patterns vulnerable 2 patterns 2 list patterns bbbb aaaa 30/36

31 Applying Action Clustering Applying the action clustering to the previous example Flow A 800Mbps Flow B 700Mbps Flow A Flow B Flow A 800Mbps Flow B 700Mbps DoS Data section ID Data DoS Inspection logic (Mbps > 1000)? true : false Detected DoS detector can successfully detect the bandwidth excess and alert this. 31/36

32 Implementation NetFPGA-1G-CML Based on Reference NIC and OpenFlow switch from the NetFPGA project ( JTAG via 5-pin USB Power switch Intf 3 Intf 2 Power cable Intf 1 Intf 0 Support DoS Detector and Deep Packet Inspector (Payload inspector) PCIe Gen2 x4 32/36

33 Evaluation Measure throughput and latency 1) Performance of the HEX switch 2) Performance of simple forwarding by the normal OpenFlow switch 3) Performance of OVS based implementation (i.e., UNISAFE) 1 GbE HEX Switch 1 GbE OpenFlow Switch ( 1 GbE 1 GbE OVS (UNISAFE) Reference NIC ( 1 GbE 1 GbE 1 GbE 1 GbE 1 GbE 1 GbE 1 GbE 1 GbE h1 h2 h1 h2 h1 h2 33/36

34 Evaluation Result Throughput 100 HEX & Simple Fwd. Latency 1 UNISAFE Throughput (%) HEX (DoS+DPI) Native O.F. OVS simple OVS DoS OVS DPI UNISAFE Bandwidth (Mbps) CDF HEX (DoS+DPI) Native O.F. OVS simple OVS DoS OVS DPI HEX Latency (ms) & Simple Fwd. 34/36

35 Conclusion The HEX switch that embeds security functions Using NetFPGA As as a set of actions Support security policy and controller APIs Achieves line-rate performance without overhead. 35/36

36 Thank you! Questions?