SDN abstraction and security: a database perspective
|
|
- Denis Norris
- 6 years ago
- Views:
Transcription
1 June 17, 2016 SoSSDN SDN abstraction and security: a database perspective Anduo Wang * Jason Croft Xueyuan Mei Matthew Caesar Brighten Godfrey * Temple University University of Illinois Urbana-Champaign
2 software-defined network control applications of disparate nature forwarding service chain stateful middlebox controller OpenFlow network switch switch switch switch 1
3 software-defined network control applications of disparate nature forwarding service chain stateful middlebox controller controller (abstraction runtime) an insertion point for network abstractions OpenFlow network switch switch switch switch 1
4 abstractions what is the right abstraction? forwarding service chain stateful middlebox abstraction runtime OpenFlow rules 2
5 abstractions what is the right abstraction? functions routing service chain stateful middlebox abstraction Frenetic / Pyretic runtime [NSDI 13] [PLDI 13] OpenFlow rules 2
6 abstractions what is the right abstraction? functions routing graphs stateful middlebox abstraction PGAruntime [SIGCOMM 15] OpenFlow rules 2
7 abstractions what is the right abstraction? functions routing graphs automata abstraction Kinetic runtime [NSDI 15] OpenFlow rules 2
8 abstractions diverse abstractions functions graphs automata abstraction runtime OpenFlow rules 2
9 but network keeps evolving functions graphs automata new/changing requirements abstraction runtime OpenFlow rules 3
10 but network keeps evolving functions graphs automata new/changing new requirement structure add / re-engineer runtime OpenFlow rules 3
11 and applications (components) interact policies graphs automata PGA Kinetic functions Pyretic OpenFlow rules network 4
12 and applications (components) interact policies graphs automata language-level orchestration restricted to each abstraction PGA Kinetic composing (+) policy graph +PGA graph function +Pyretic function functions Pyretic OpenFlow rules network 4
13 and applications (components) interact policies graphs automata language-level orchestration restricted to each abstraction PGA Kinetic composing (+) policy graph +? automata functions how to integrate the runtime? hard-wire internals? Pyretic OpenFlow rules network 4
14 and applications (components) interact policies graphs automata language-level orchestration restricted to each abstraction PGA Kinetic functions Pyretic OpenFlow rules network abstraction-agonistic coordination often low-level Co-visor [NSDI 15] statesman [SIGCOMM 14] 4
15 current state of abstraction research structure structure runtime runtime structure runtime OpenFlow rules network 4
16 current state of abstraction research structure structure new structure enlarging body of abstractions runtime runtime new runtime structure runtime OpenFlow rules network 4
17 current state of abstraction research structure structure new structure enlarging body of abstractions runtime runtime new runtime structure fragmented orchestration runtime OpenFlow rules network 4
18 our perspective operator and/or application SDN control revolves around data representation high-level representation data new data -discard specialized, pre-compiled, fixed structures -adopt a plain data representation data low-level representation data data OpenFlow rules network 5
19 our perspective operator and/or application SDN control revolves around data representation high-level representation data new data -discard specialized, pre-compiled, fixed structures -adopt a plain data representation data -use a universal data language low-level representation data data OpenFlow rules network 5
20 a database-defined network high-level app s operator and/or application new -relation the plain data representation - stored relation - virtual relation low-level inventory s OpenFlow rules network 6
21 a database-defined network high-level app s operator and/or application new -relation the plain data representation - stored relation - virtual relation -SQL the universal data language - query, update, trigger, rule low-level inventory s OpenFlow rules network 6
22 Ravel: a realization with SQL database operator and/or application attractive features -ad-hoc programmable + new abstraction via s database runtime -orchestration across abstractions via mechanism -orchestration across applications via data mediation -network control via SQL OpenFlow rules network 6
23 Ravel: a realization with SQL database operator and/or application attractive features -ad-hoc programmable + new abstraction via s database runtime -orchestration across abstractions via mechanism -orchestration across applications via data mediation -network control via SQL OpenFlow rules network 6
24 Ravel: a realization with SQL database operator and/or application attractive features -ad-hoc programmable + new abstraction via s database runtime -orchestration across abstractions via mechanism -orchestration across applications via data mediation -network control via SQL OpenFlow rules network 6
25 Ravel: a realization with SQL database operator and/or application attractive features -ad-hoc programmable + new abstraction via s database runtime -orchestration across abstractions via mechanism -orchestration across applications via data mediation -network control via SQL OpenFlow rules network 6
26 Ravel: a realization with SQL database operator and/or application attractive features -ad-hoc programmable + new abstraction via s database runtime -orchestration across abstractions via mechanism -orchestration across applications via data mediation -network control via SQL OpenFlow rules network 6
27 Ravel: a realization with SQL database operator and/or application attractive features + new -abstraction -orchestration database runtime -SQL OpenFlow rules network 6
28 abstraction: network s reachability matrix fid src dst vol 1 h1 h4 5 2 h2 h3 9 topology sid nid S1 S1 S1 S2 S3 h1 configuration fid sid nid 1 S1 S4 1 S4 h4 flow 1 h1 S1 S4 h4 E flow 2 h2 S2 S3 h3 7
29 abstraction: application firewall : monitoring unsafe flows violating acl policy CREATE VIEW acl_violation AS ( SELECT fid FROM rm WHERE FW = 1 AND (src, dst) NOT IN (SELECT end1, end2 FROM acl WHERE allow = 1) ); firewall control: repairing violation CREATE RULE acl_repair AS ON DELETE TO acl_violation DO INSTEAD DELETE FROM rm WHERE fid = OLD.fid; CREATE TABLE acl ( end1 integer, end2 integer, allow integer ); 8
30 abstraction: application firewall : monitoring unsafe flows violating acl policy CREATE VIEW acl_violation AS ( SELECT fid FROM rm WHERE FW = 1 AND (src, dst) NOT IN (SELECT end1, end2 FROM acl WHERE allow = 1) ); firewall control: repairing violation CREATE RULE acl_repair AS ON DELETE TO acl_violation DO INSTEAD DELETE FROM rm WHERE fid = OLD.fid; CREATE TABLE acl ( end1 integer, end2 integer, allow integer ); many more - routing, stateful firewall, service chain policy between subdomains 8
31 orchestration across representations routing app: check broken path, re-route SQL rule: upon broken path, re-route network app topology shortest path configuration orchestrated Ravel runtime topology shortest path configuration Mininet 9
32 orchestration across representations app routing app: check broken path, re-route SQL rule: upon broken path, re-route network app topology shortest path configuration orchestrated Ravel runtime topology sid nid active shortest path configuration link down Mininet Mininet link (172,39) down 9
33 orchestration across representations app routing app: check broken path, re-route SQL rule: upon broken path, re-route network app topology shortest path configuration orchestrated Ravel runtime shortest path path - {,172,39,156, } topology configuration sid nid active link down Mininet Mininet link (172,39) down 9
34 orchestration across representations app routing app: check broken path, re-route SQL rule: upon broken path, re-route network app topology shortest path configuration orchestrated Ravel runtime topology sid nid active shortest path path - {,172,39,156, } + {,172,38,148, } configuration link down Mininet Mininet link (172,39) down 9
35 orchestration across representations app routing app: check broken path, re-route SQL rule: upon broken path, re-route network app topology link down shortest path configuration Mininet orchestrated Ravel runtime topology sid nid active shortest path path - {,172,39,156, } + {,172,38,148, } Mininet link (172,39) down 9 configuration fid sid nid
36 orchestration across representations apps routing app: check broken path, re-route SQL rule: upon broken path, re-route network app topology link down shortest path configuration Mininet add_flow del_flow orchestrated Ravel runtime topology sid nid active shortest path path - {,172,39,156, } + {,172,38,148, } Mininet link (172,39) down 9 configuration fid sid nid orchestrated updates: re-route via (172, 38)
37 orchestration across applications apps priority: low high firewall balance load maintain path load balancer access control shortest path network app load balancer reachability matrix access control tenant virtual net shortest path configuration orchestrated database runtime reachability matrix tenant virtual net configuration Mininet 10
38 orchestration across applications apps priority: low high firewall balance load maintain path load balancer access control shortest path network app tenant request load balancer reachability matrix access control tenant virtual net shortest path configuration orchestrated database runtime tenant request host 1238 to server 1003 reachability matrix tenant virtual policy net host server configuration Mininet 10
39 orchestration across applications app network app tenant request priority: low high firewall balance load load balancer reachability matrix access control tenant virtual net maintain path shortest path configuration orchestrated database runtime load balancer sid load tenant request host 1238 to server 1003 reachability matrix access control tenant virtual policy net host server configuration shortest path Mininet 10
40 orchestration across applications app network app tenant request priority: low high re-load firewall maintain path load balancer reachability matrix access control tenant virtual net shortest path configuration orchestrated database runtime load balancer sid load tenant request host 1238 to server 1003 reachability matrix access control tenant virtual policy net host server configuration shortest path Mininet 10
41 orchestration across applications app network app tenant request priority: low high re-load check maintain path load balancer reachability matrix access control tenant virtual net shortest path configuration orchestrated database runtime load balancer sid load tenant request host 1238 to server 1003 reachability matrix access control src dst allow tenant virtual policy net host server configuration shortest path Mininet 10
42 orchestration across applications app network app tenant request priority: low high re-load check maintain path load balancer reachability matrix access control tenant virtual net Mininet shortest path configuration orchestrated database runtime load balancer sid load tenant request host 1238 to server 1003 reachability traffic matrix matrix fid sid nid access control src dst allow tenant policy tenant virtual net host server configuration shortest path 10
43 orchestration across applications app network app tenant request priority: low high re-load check maintain path load balancer reachability matrix access control tenant virtual net Mininet shortest path configuration orchestrated database runtime load balancer sid load tenant request host 1238 to server 1003 reachability traffic matrix matrix fid sid nid access control src dst allow tenant virtual policy net host server configuration shortest path path + {1238,,1034} 10
44 orchestration across applications app network app tenant request priority: low high re-load check maintain path load balancer reachability matrix access control tenant virtual net Mininet shortest path configuration orchestrated database runtime load balancer sid load tenant request host 1238 to server 1003 reachability traffic matrix matrix fid sid nid access control src dst allow tenant virtual policy net host server shortest path path + {1238,,1034} configuration fid sid nid
45 orchestration across applications app network app tenant request priority: low high re-load check maintain path load balancer reachability matrix access control tenant virtual net Mininet shortest path configuration orchestrated database runtime load balancer sid load tenant request host 1238 to server 1003 reachability traffic matrix matrix fid sid nid access control src dst allow tenant virtual policy net host server configuration fid sid nid shortest path path + {1238,,1034} orchestrated updates: install alternative route that is load-balanced and safe
46 achieving Ravel advantages operator and/or application attractive features -ad-hoc programmable + new abstraction via s database runtime -orchestration across abstractions via mechanism -orchestration across applications via data mediation -network control via SQL OpenFlow rules network 11
47 runtime maintenance notification operation via SQL interface optimizer ad-hoc programmable abstraction via s - challenge: inefficient user - solution: optimizer - materialize user with fast maintenance algorithm - one order of magnitude faster access with small maintenance overhead 0.01~10ms network 11
48 runtime update maintenance notification orchestration operation via SQL interface optimizer orchestration across applications - challenge: database lacking inter- support - solution: mediation protocol - translate app priority into updates that dynamically merge into a coherent data plane network 11
49 runtime update maintenance notification orchestration operation via SQL interface optimizer PostgreSQL Ravel runtime SDN control via SQL - challenge: database lacks connection to network data plane - solution: SQL trigger + OF manager control events SQL trigger OpenFlow manager network 11
50 runtime update maintenance notification orchestration operation via SQL interface optimizer PostgreSQL Ravel runtime a high-performance runtime - PostgreSQL - orchestration - optimizer - SQL trigger and OF manager control events SQL trigger OpenFlow manager network 11
51 evaluation deletion (ms) insertion (ms) text text text text profile end to end delay (normalized per-rule, 30 rounds) for route insertion and deletion Rocketfuel ISP topology AS# nodes links compute path lookup ports write to trigger/rule text 12
52 evaluation deletion (ms) insertion (ms) text text text text profile end to end delay (normalized per-rule, 30 rounds) for route insertion and deletion Rocketfuel ISP topology AS# nodes links compute path lookup ports write to trigger/rule text 12
53 evaluation deletion (ms) insertion (ms) text text text text profile end to end delay (normalized per-rule, 30 rounds) for route insertion and deletion Rocketfuel ISP topology AS# nodes links compute path lookup ports write to trigger/rule text 12
54 evaluation deletion (ms) insertion (ms) 4 10 text text text text profile end to end delay (normalized per-rule, 30 rounds) for route insertion and deletion Rocketfuel ISP topology AS# nodes links compute path lookup ports write to trigger/rule text 12
55 evaluation deletion (ms) insertion (ms) text text text text profile end to end delay (normalized per-rule, 30 rounds) for route insertion and deletion Rocketfuel ISP topology AS# nodes links compute path lookup ports write to trigger/rule text 12
56 evaluation deletion (ms) insertion (ms) text text text text profile end to end delay (normalized per-rule, 30 rounds) for route insertion and deletion Rocketfuel ISP topology AS# nodes links compute path lookup ports write to trigger/rule text similar profile on fat-tree topology (fewer nodes, more links) - total delay < 30ms for fat-tree with 5120 switches and links 12
57 evaluation CDF orchestration delay (ms) normalized per-rule for 3 scenarios: access control and routing (acl+rt), load balancing and routing (lb+rt), access control, load balancing, and routing (acl+lb+rt) 13
58 evaluation CDF 10 orchestration delay (ms) normalized per-rule for 3 scenarios: access control and routing (acl+rt), load balancing and routing (lb+rt), access control, load balancing, and routing (acl+lb+rt) 13
59 evaluation CDF 10 orchestration delay (ms) normalized per-rule for 3 scenarios: access control and routing (acl+rt), load balancing and routing (lb+rt), access control, load balancing, and routing (acl+lb+rt) orchestration also scales gracefully on fat-tree - < 30ms for fat-tree with 5120 switches and links 13
60 demo 15
61 demo 15
62 towards a secure Ravel improper modification of data -unauthorized modification -one-directional information flow 14
63 towards a secure Ravel expectation of data quality improper medication of data -unauthorized modification access control (ACL) -one-directional information flow 14
64 ACL in Ravel notification operation via SQL interface update maintenance control events orchestration optimizer SQL trigger OpenFlow manager PostgreSQL Ravel runtime network 15
65 ACL in Ravel notification operation via SQL interface update maintenance control events orchestration optimizer SQL trigger OpenFlow manager PostgreSQL Ravel runtime network 15
66 ACL in Ravel alice bob carol??? Ravel runtime PostgreSQL orchestration optimizer SQL trigger OpenFlow manager network 15
67 example scenario a SDN network and multiple tenants -admin can see/modify all resources, see/modify the network -tenants can only see the resources they pay -tenants can only manage their portions of network under contract SLA (service level agreement) tenant switches rate limit connectivity alice {1,2,3,4} 20 {alice} bob {51,52,53, } 50 {bob, alice} carol {100,101, } 10 {carol, alice} 16
68 explicit access control list (ACL) <principal, subject, operation> ACL on topology users switches privilege alice 1 read alice 2 read alice read bob read carol read admin read,write users ACL on configuration flows (source, destination, rate) privilege alice (1,2,<20) read,write alice (2,3,<20) read,write alice bob -very low-level -update ACL as tenant contract evolves 17
69 ACL in Ravel alice bob carol authenticate at database login Ravel runtime PostgreSQL orchestration optimizer higher-level finer-grained authorization via SQL authorization s SQL trigger OpenFlow manager network 18
70 ACL in Ravel Ravel runtime secure PostgreSQL orchestration SQL trigger authori zation s optimizer OpenFlow manager network 18
71 authorization s: a strawman solution associate each with an ACL -<principal, allowed operation> create a separate -if only a portion of a is granted to a principal -benefit: dynamic, content-based 19
72 authorization s: a strawman solution -- admin policy GRANT SELECT, UPDATE, INSERT, DELETE ON topology TO admin; GRANT SELECT, UPDATE, INSERT, DELETE ON configuration TO admin; -- alice policy CREATE OR REPLACE VIEW topology_alice AS ( SELECT sid, nid FROM topology WHERE (topology.sid = 1 OR topology.sid = 2 OR ); CREATE OR REPLACE VIEW configuration_alice AS ( SELECT fid, sid, nid FROM configuration WHERE ((topology.sid = 1 AND topology.nid = 2) OR (topology.sid = 1 AND topology.nid = 2) OR ) AND rate < 20); GRANT SELECT ON topology_alice TO alice; GRANT SELECT, INSERT, DELETE, UPDATE ON configuration_alice TO alice; -- bob policy, carol policy... 20
73 limitations many tenants -for each tenant, create a separate? dynamic tenant membership -add/remove s? SLAs evolving -update tenant s? more examples: -tenants can only access the resources the pay -raise tenant rate limit to100 21
74 finer-grained, higher-level ACL capture the intent rather than extent dynamic, context-based a network of arity n p(_,_,,_) SQL query over data in p and other parts of the network database access control of n+1 arity p_acl (principal, _,_,,_) 22
75 finer-grained, higher-level ACL - a tenant can only access the leased network topology - admin can access the whole topology CREATE VIEW topology_acl AS ( -- admin policy (SELECT 'admin' as principal, sid, nid FROM topology) UNION CREATE VIEW topology_public AS ( SELECT sid, nid FROM topology_acl WHERE principal = current_user') GRANT SELECT ON topology_public TO public; -- tenant policy (SELECT tenant as principal, sid, nid FROM topology, SLA WHERE topology.sid IN SLA.switches AND topology.nid IN SLA.switches)); 23
76 looking forward data integration as a networking service app s authorization s integrator (orchestration, optimization) coherent network states processing traffic 24
77 looking forward data integration as a networking service app s authorization s power load balancer conflict (cyclic update dependency) by formal analysis coherent network states processing traffic 24
78 looking forward data integration as a networking service app s authorization s server back-up cross-layer independent failure by multiple- constraint coherent network states processing traffic 24
79 looking forward data integration as a networking service app s untrusted authorization s automatic security enforcement by query rewrite coherent network states processing traffic 24
80 conclusion Ravel runtime secure PostgreSQL orchestration authori zation s optimizer this talk: via SQL - orchestra abstraction - finer-grained access control looking forward - data integration as a networking service SQL trigger OpenFlow manager network 25
81 playtime download Ravel ravel-net.org/download start playing: tutorials, add your own app ravel-net.org explore more github.com/ravel-net 26
Software Defined Networking Security: Security for SDN and Security with SDN. Seungwon Shin Texas A&M University
Software Defined Networking Security: Security for SDN and Security with SDN Seungwon Shin Texas A&M University Contents SDN Basic Operation SDN Security Issues SDN Operation L2 Forwarding application
More informationA Hypothesis Testing Framework for Network Security
A Hypothesis Testing Framework for Network Security P. Brighten Godfrey University of Illinois at Urbana-Champaign TSS Seminar, September 15, 2015 Part of the SoS Lablet with David Nicol Kevin Jin Matthew
More informationCOCONUT: Seamless Scale-out of Network Elements
COCONUT: Seamless Scale-out of Network Elements Soudeh Ghorbani P. Brighten Godfrey University of Illinois at Urbana-Champaign Simple abstractions Firewall Loadbalancer Router Network operating system
More informationNetworked Systems. Boon Thau Loo. University of Pennsylvania. NSF ExCAPE Meeting 20 Aug 2013
Networked Systems Boon Thau Loo University of Pennsylvania NSF ExCAPE Meeting 20 Aug 2013 Outline Summary (activities over past year) Research highlights Conclusion Year 1 in Retrospect Original proposal
More informationEnforcing Customizable Consistency Properties in Software-Defined Networks. Wenxuan Zhou, Dong Jin, Jason Croft, Matthew Caesar, Brighten Godfrey
Enforcing Customizable Consistency Properties in Software-Defined Networks Wenxuan Zhou, Dong Jin, Jason Croft, Matthew Caesar, Brighten Godfrey 1 Network changes control applications, changes in traffic
More informationSoftware Defined Networking
Software Defined Networking Daniel Zappala CS 460 Computer Networking Brigham Young University Proliferation of Middleboxes 2/16 a router that manipulatees traffic rather than just forwarding it NAT rewrite
More informationLecture 10.1 A real SDN implementation: the Google B4 case. Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it
Lecture 10.1 A real SDN implementation: the Google B4 case Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it WAN WAN = Wide Area Network WAN features: Very expensive (specialized high-end
More informationLanguages for SDN (Frenetic)
Languages for SDN (Frenetic) Software Defined Networking: The Data Centre Perspective Seminar Informatikdienste A. Pantelopoulos 20.05.2016 1 SDN is useful Direct network control. Enables new applications,
More informationSlicing a Network. Software-Defined Network (SDN) FlowVisor. Advanced! Computer Networks. Centralized Network Control (NC)
Slicing a Network Advanced! Computer Networks Sherwood, R., et al., Can the Production Network Be the Testbed? Proc. of the 9 th USENIX Symposium on OSDI, 2010 Reference: [C+07] Cascado et al., Ethane:
More informationMaking Network Functions Software-Defined
Making Network Functions Software-Defined Yotam Harchol VMware Research / The Hebrew University of Jerusalem Joint work with Anat Bremler-Barr and David Hay Appeared in ACM SIGCOMM 2016 THE HEBREW UNIVERSITY
More informationSweet Little Lies: Fake Topologies for Flexible Routing
Sweet Little Lies: Fake Topologies for Flexible Routing Stefano Vissicchio University of Louvain HotNets 27th October 2014 Joint work with Laurent Vanbever (Princeton) and Jennifer Rexford (Princeton)
More informationCSC 4900 Computer Networks: Network Layer
CSC 4900 Computer Networks: Network Layer Professor Henry Carter Fall 2017 Chapter 4: Network Layer 4. 1 Introduction 4.2 What s inside a router 4.3 IP: Internet Protocol Datagram format 4.4 Generalized
More informationand controller independence with NetIDE
Supporting composed SDN applications and controller independence with NetIDE Alec Leckey Intel Labs SDN Application Development Java Python C/C++ Javascript Beacon Iris Pox Nox NodeFlow Jaxon Floodlight
More informationPresented by: Fabián E. Bustamante
Presented by: Fabián E. Bustamante A. Nikravesh, H. Yao, S. Xu, D. Choffnes*, Z. Morley Mao Mobisys 2015 *Based on the authors slides Mobile apps are increasingly popular Mobile platforms is the dominant
More informationProgramming Network Policies by Examples: Platform, Abstraction and User Studies
Programming Network Policies by Examples: Platform, Abstraction and User Studies Boon Thau Loo University of Pennsylvania NetPL workshop @ SIGCOMM 2017 Joint work with Yifei Yuan, Dong Lin, Siri Anil,
More informationDistributed Network Service Policy Enforcement
Distributed Network Service Policy Enforcement Jun Li Contributions from my students, Xiang Wang and Xiaohe Hu June 17, 2016 Outline Background Related Work Policy Space Analysis Policy Enforcement with
More informationVeriFlow: Verifying Network-Wide Invariants in Real Time
VeriFlow: Verifying Network-Wide Invariants in Real Time Ahmed Khurshid, Xuan Zou, Wenxuan Zhou, Matthew Caesar, P. Brighten Godfrey University of Illinois at Urbana-Champaign {khurshi1, xuanzou2, wzhou10,
More informationInterdomain Routing Design for MobilityFirst
Interdomain Routing Design for MobilityFirst October 6, 2011 Z. Morley Mao, University of Michigan In collaboration with Mike Reiter s group 1 Interdomain routing design requirements Mobility support Network
More informationSummary of Networked Systems Breakout Group
Summary of Networked Systems Breakout Group Boon Thau Loo NSF ExCAPE PI Meeting 10/11 June 2013 Outline Summary (activities over past year) Research highlights Plans for next year Year 1 in Retrospect
More informationEnforcing Customizable Consistency Properties in Software-Defined Networks
Enforcing Customizable Consistency Properties in Software-Defined Networks Wenxuan Zhou, University of Illinois at Urbana-Champaign; Dong Jin, Illinois Institute of Technology; Jason Croft, Matthew Caesar,
More informationFOUNDATIONS OF INTENT- BASED NETWORKING
FOUNDATIONS OF INTENT- BASED NETWORKING Loris D Antoni Aditya Akella Aaron Gember Jacobson Network Policies Enterprise Network Cloud Network Enterprise Network 2 3 Tenant Network Policies Enterprise Network
More informationData Plane Verification and Anteater
Data Plane Verification and Anteater Brighten Godfrey University of Illinois Work with Haohui Mai, Ahmed Khurshid, Rachit Agarwal, Matthew Caesar, and Sam King Summer School on Formal Methods and Networks
More informationSDN-based Network Obfuscation. Roland Meier PhD Student ETH Zürich
SDN-based Network Obfuscation Roland Meier PhD Student ETH Zürich This Talk This thesis vs. existing solutions Alice Bob source: Alice destination: Bob Hi Bob, Hi Bob, Payload encryption ǾǼōĦ
More informationSDX: A Software Defined Internet Exchange
SDX: A Software Defined Internet Exchange @SIGCOMM 2014 Laurent Vanbever Princeton University FGRE Workshop (Ghent, iminds) July, 8 2014 The Internet is a network of networks, referred to as Autonomous
More informationProfessor Yashar Ganjali Department of Computer Science University of Toronto
Professor Yashar Ganjali Department of Computer Science University of Toronto yganjali@cs.toronto.edu http://www.cs.toronto.edu/~yganjali Some slides courtesy of J. Rexford (Princeton), N. Foster (Cornell)
More informationNetwork Security: Network Flooding. Seungwon Shin GSIS, KAIST
Network Security: Network Flooding Seungwon Shin GSIS, KAIST Detecting Network Flooding Attacks SYN-cookies Proxy based CAPCHA Ingress/Egress filtering Some examples SYN-cookies Background In a TCP 3-way
More informationCA Automation Capabilities A Technical Look at Process and Runbook Automation. Tom Kouhsari and AJ Dennis
CA Automation Capabilities A Technical Look at Process and Runbook Automation Tom Kouhsari and AJ Dennis Terms of This Presentation This presentation was based on current information and resource allocations
More informationHY436: Modular Network Programming with Pyretic
HY436: Modular Network Programming with Pyretic Xenofontas Dimitropoulos 27/10/2014 Credits: Slides modified from Joshua Reich s (Princeton) NSDI 13 talk on Composing Software Defined Networks Running
More informationSecuring the Software-Defined Network Control Layer
Securing the Software-Defined Network Control Layer Speaker: Yuyan Lin 2017/5/9 P. Porras, S. Cheung, M. Fong, K. Skinner, and V. Yegneswaran, Securing the Software Defined Network Control Layer, In NDSS,
More informationChapter 4: network layer. Network service model. Two key network-layer functions. Network layer. Input port functions. Router architecture overview
Chapter 4: chapter goals: understand principles behind services service models forwarding versus routing how a router works generalized forwarding instantiation, implementation in the Internet 4- Network
More informationSoftware-Defined Networking (Continued)
Software-Defined Networking (Continued) CS640, 2015-04-23 Announcements Assign #5 released due Thursday, May 7 at 11pm Outline Recap SDN Stack Layer 2 Learning Switch Control Application Design Considerations
More informationSDN SEMINAR 2017 ARCHITECTING A CONTROL PLANE
SDN SEMINAR 2017 ARCHITECTING A CONTROL PLANE NETWORKS ` 2 COMPUTER NETWORKS 3 COMPUTER NETWORKS EVOLUTION Applications evolve become heterogeneous increase in traffic volume change dynamically traffic
More information15-744: Computer Networking. Middleboxes and NFV
15-744: Computer Networking Middleboxes and NFV Middleboxes and NFV Overview of NFV Challenge of middleboxes Middlebox consolidation Outsourcing middlebox functionality Readings: Network Functions Virtualization
More informationChapter 5 Network Layer: The Control Plane
Chapter 5 Network Layer: The Control Plane A note on the use of these Powerpoint slides: We re making these slides freely available to all (faculty, students, readers). They re in PowerPoint form so you
More informationA Routing Infrastructure for XIA
A Routing Infrastructure for XIA Aditya Akella and Peter Steenkiste Dave Andersen, John Byers, David Eckhardt, Sara Kiesler, Jon Peha, Adrian Perrig, Srini Seshan, Marvin Sirbu, Hui Zhang FIA PI Meeting,
More informationDebugging the Data Plane with Anteater
Debugging the Data Plane with Anteater Haohui Mai, Ahmed Khurshid Rachit Agarwal, Matthew Caesar P. Brighten Godfrey, Samuel T. King University of Illinois at Urbana-Champaign Network debugging is challenging
More informationDissemination of Paths in Path-Aware Networks
Dissemination of Paths in Path-Aware Networks Christos Pappas Network Security Group, ETH Zurich IETF, November 16, 2017 PANRG Motivation How does path-awareness extend to the edge? 2 PANRG Motivation
More informationMOC 6232A: Implementing a Microsoft SQL Server 2008 Database
MOC 6232A: Implementing a Microsoft SQL Server 2008 Database Course Number: 6232A Course Length: 5 Days Course Overview This course provides students with the knowledge and skills to implement a Microsoft
More informationVeriFlow: Verifying Network-Wide Invariants in Real Time
VeriFlow: Verifying Network-Wide Invariants in Real Time Ahmed Khurshid, Wenxuan Zhou, Matthew Caesar, P. Brighten Godfrey Department of Computer Science University of Illinois at Urbana-Champaign 201
More informationWeb-Based User Interface for the Floodlight SDN Controller
3175 Web-Based User Interface for the Floodlight SDN Controller Hakan Akcay Department of Computer Engineering, Istanbul University, Istanbul Email: hknakcay@gmail.com Derya Yiltas-Kaplan Department of
More informationApplying Operating System Principles to SDN Controller Design
Applying Operating System Principles to SDN Controller Design Oliver Michel, Matthew Monaco, Eric Keller Invited Talk University of Illinois at Urbana-Champaign April 11th, 2014. 2 What we clearly need
More informationDevoFlow: Scaling Flow Management for High-Performance Networks
DevoFlow: Scaling Flow Management for High-Performance Networks Andy Curtis Jeff Mogul Jean Tourrilhes Praveen Yalagandula Puneet Sharma Sujata Banerjee Software-defined networking Software-defined networking
More informationOn the Complexity of Verifying Stateful Networks. A. Panda S. Shenker Y. Velner K. Alpernas A. Rabinovich M. Sagiv
On the Complexity of Verifying Stateful Networks A. Panda S. Shenker Y. Velner K. Alpernas A. Rabinovich M. Sagiv Alice Classical Networking Ted Stevens was right Bob Mallory Trent Networks provide end-to-end
More informationCentralization of Network using Openflow Protocol
Indian Journal of Science and Technology, Vol 8(S2), 165 170, January 2015 ISSN (Print) : 0974-6846 ISSN (Online) : 0974-5645 DOI : 10.17485/ijst/2015/v8iS2/61217 Centralization of Network using Openflow
More informationTowards a Universal Stream Processing System Robert Soulé Cornell University
1 Towards a Universal Stream Processing System Robert Soulé Cornell University 2 Data Crisis 2.5 quintillion bytes every day 90% of the world s data was created in the last 2 years 3 How Big is Your Data?
More informationA framework to evaluate 5G networks for smart and fail-safe communications
A framework to evaluate 5G networks for smart and fail-safe communications in ERTMS/ETCS Roberto Canonico (*), Stefano Marrone (**), Roberto Nardone (*), and Valeria Vittorini (*) (*) Università degli
More informationNETWORK LAYER DATA PLANE
NETWORK LAYER DATA PLANE 1 GOALS Understand principles behind network layer services, focusing on the data plane: Network layer service models Forwarding versus routing How a router works Generalized forwarding
More informationLab 3: Simple Firewall using OpenFlow
Lab 3: Simple Firewall using OpenFlow This lab builds on the knowledge acquired through Lab 1 where you were first introduced to the Mininet environment. It will also help you prepare for the class project.
More informationSTRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview
STRATEGIC WHITE PAPER Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview Abstract Cloud architectures rely on Software-Defined Networking
More informationBringing SDN to the Internet, one exchange point at the time
Bringing SDN to the Internet, one exchange point at the time Joint work with: Arpit Gupta, Muhammad Shahbaz, Sean P. Donovan, Russ Clark, Brandon Schlinker, E. Katz-Bassett, Nick Feamster, Jennifer Rexford
More informationNetwork Wide Policy Enforcement. Michael K. Reiter (joint work with V. Sekar, R. Krishnaswamy, A. Gupta)
Network Wide Policy Enforcement Michael K. Reiter (joint work with V. Sekar, R. Krishnaswamy, A. Gupta) 1 Enforcing Policy in Future Networks MF vision includes enforcement of rich policies in the network
More informationProvenance-aware Secure Networks
Provenance-aware Secure Networks Wenchao Zhou Eric Cronin Boon Thau Loo University of Pennsylvania Motivation Network accountability Real-time monitoring and anomaly detection Identifying and tracing malicious
More informationlecture 18: network virtualization platform (NVP) 5590: software defined networking anduo wang, Temple University TTLMAN 401B, R 17:30-20:00
lecture 18: network virtualization platform (NVP) 5590: software defined networking anduo wang, Temple University TTLMAN 401B, R 17:30-20:00 Network Virtualization in multi-tenant Datacenters Teemu Koponen.,
More informationIntrusion Recovery for Database-backed Web Applications
Intrusion Recovery for Database-backed Web Applications Ramesh Chandra, Taesoo Kim, Meelap Shah, Neha Narula, Nickolai Zeldovich MIT CSAIL Web applications routinely compromised Web applications routinely
More informationConfiguring the Catena Solution
This chapter describes how to configure Catena on a Cisco NX-OS device. This chapter includes the following sections: About the Catena Solution, page 1 Licensing Requirements for Catena, page 2 Guidelines
More informationExploiting ICN for Flexible Management of Software-Defined Networks
Exploiting ICN for Flexible Management of Software-Defined Networks Mayutan Arumaithurai, Jiachen Chen, Edo Monticelli, Xiaoming Fu and K. K. Ramakrishnan * University of Goettingen, Germany * University
More informationLanguages for Software-Defined Networks
Languages for Software-Defined Networks Nate Foster, Michael J. Freedman, Arjun Guha, Rob Harrison, Naga Praveen Katta, Christopher Monsanto, Joshua Reich, Mark Reitblatt, Jennifer Rexford, Cole Schlesinger,
More informationChapter 4 Network Layer: The Data Plane
Chapter 4 Network Layer: The Data Plane Chapter 4: outline 4.1 Overview of Network layer data plane control plane 4.2 What s inside a router 4.3 IP: Internet Protocol datagram format fragmentation IPv4
More informationMicrosoft Architecting Microsoft Azure Solutions.
Microsoft 70-535 Architecting Microsoft Azure Solutions https://killexams.com/pass4sure/exam-detail/70-535 QUESTION: 106 Your organization has developed and deployed several Azure App Service Web and API
More informationA Framework for Fine-Grained Inter-Domain Routing Diversity Via SDN
A Framework for Fine-Grained Inter-Domain Routing Diversity Via SDN Yangyang Wang, Jun Bi, Keyao Zhang Institute for Network Sciences and Cyberspace, Tsinghua University Department of Computer Science,
More informationSoftware Defined Networking
Software Defined Networking Jennifer Rexford COS 461: Computer Networks Lectures: MW 10-10:50am in Architecture N101 http://www.cs.princeton.edu/courses/archive/spr12/cos461/ The Internet: A Remarkable
More informationExtending Dijkstra s Shortest Path Algorithm for Software Defined Networking
Extending Dijkstra s Shortest Path Algorithm for Software Defined Networking Jehn-Ruey Jiang, Hsin-Wen Huang, Ji-Hau Liao, and Szu-Yuan Chen Department of Computer Science and Information Engineering National
More informationBit Index Explicit Replication (BIER) Multicasting in Transport Networks
Bit Index Explicit Replication (BIER) Multicasting in Transport Networks A. Giorgetti(1), A. Sgambelluri(1), F. Paolucci(1), N. Sambo(1), P. Castoldi(1), F. Cugini(2) (1) Scuola Superiore Sant Anna, Pisa,
More informationIncremental Update for a Compositional SDN Hypervisor
Incremental Update for a Compositional SDN Hypervisor Xin Jin Princeton University xinjin@cs.princeton.edu Jennifer Rexford Princeton University jrex@cs.princeton.edu David Walker Princeton University
More informationEnhanced Malware Monitor in SDN using Kinetic Controller
IOSR Journal of Computer Engineering (IOSR-JCE) e-issn: 2278-0661,p-ISSN: 2278-8727 PP 46-52 www.iosrjournals.org Enhanced Malware Monitor in SDN using Kinetic Controller Jiphi T S, Simi Krishna K R Department
More informationComposing Software-Defined Networks
Composing Software-Defined Networks Chris Monsanto*, Joshua Reich* Nate Foster^, Jen Rexford*, David Walker* www.frenetic- lang.org/pyretic Princeton* Cornell^ Software Defined Networks (SDN) Enable network
More informationA Hybrid Hierarchical Control Plane for Software-Defined Network
A Hybrid Hierarchical Control Plane for Software-Defined Network Arpitha T 1, Usha K Patil 2 1* MTech Student, Computer Science & Engineering, GSSSIETW, Mysuru, India 2* Assistant Professor, Dept of CSE,
More informationCompiling Path Queries
Compiling Path Queries Princeton University Srinivas Narayana Mina Tahmasbi Jen Rexford David Walker Management = Measure + Control Network Controller Measure Control Software-Defined Networking (SDN)
More informationPacket-Optical SDN Field Trial for Multi-Layer Network Optimization. Jim Theodoras May 2016
Packet-Optical SDN Field Trial for Multi-Layer Network Optimization Jim Theodoras May 2016 OSI Stack Top of Stack 7 6 5 Application Presentation Session Data 4 Transport Layer TCP, UDP Segments SDN 3 Network
More informationSecure Science DMZ using Event-Driven SDN. Technical Solutions Cisco
Secure Science DMZ using Event-Driven SDN Tae Hwang Technical Solutions Architect @ Cisco Typical Science DMZ Architecture 1.0 What is the biggest challenge with this architecture? Internet Firewall I2
More informationArchitectural Principles
Architectural Principles Brighten Godfrey CS 538 January 29 2018 slides 2010-2017 by Brighten Godfrey unless otherwise noted Cerf and Kahn: TCP/IP Clark: TCP / IP design philosophy Goals of the architecture
More informationRobust validation of network designs under uncertain demands and failures
Robust validation of network designs under uncertain demands and failures Yiyang Chang, Sanjay Rao, and Mohit Tawarmalani Purdue University USENIX NSDI 2017 Validating network design Network design today
More informationCOMP211 Chapter 5 Network Layer: The Control Plane
COMP211 Chapter 5 Network Layer: The Control Plane All material copyright 1996-2016 J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking: A Top Down Approach 7 th edition Jim Kurose, Keith
More informationLecture 16: Network Layer Overview, Internet Protocol
Lecture 16: Network Layer Overview, Internet Protocol COMP 332, Spring 2018 Victoria Manfredi Acknowledgements: materials adapted from Computer Networking: A Top Down Approach 7 th edition: 1996-2016,
More informationConfiguring IP SLAs LSP Health Monitor Operations
Configuring IP SLAs LSP Health Monitor Operations This module describes how to configure an IP Service Level Agreements (SLAs) label switched path (LSP) Health Monitor. LSP health monitors enable you to
More informationOpenADN: A Case for Open Application Delivery Networking
OpenADN: A Case for Open Application Delivery Networking Subharthi Paul, Raj Jain, Jianli Pan Washington University in Saint Louis {Pauls, jain, jp10}@cse.wustl.edu International Conference on Computer
More informationParticipatory Networking: An API for Application Control of SDNS SIGCOMM 13
Participatory Networking: An API for Application Control of SDNS SIGCOMM 13 Ferguson, Guha, Liang, Fonseca, Krishnamurthi MAURICIO DE OLIVEIRA 1 The idea behind participatory networking There is a lot
More informationCOMP211 Chapter 4 Network Layer: The Data Plane
COMP211 Chapter 4 Network Layer: The Data Plane All material copyright 1996-2016 J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking: A Top Down Approach 7 th edition Jim Kurose, Keith Ross
More informationExploring Cloud Security, Operational Visibility & Elastic Datacenters. Kiran Mohandas Consulting Engineer
Exploring Cloud Security, Operational Visibility & Elastic Datacenters Kiran Mohandas Consulting Engineer The Ideal Goal of Network Access Policies People (Developers, Net Ops, CISO, ) V I S I O N Provide
More informationResolving the Predicament of Android Custom Permissions
Resolving the Predicament of Android Custom Permissions Güliz Seray Tuncay, Soteris Demetriou, Karan Ganju, Carl A. Gunter University of Illinois at Urbana - Champaign #NDSS18 Install-time Permissions
More informationBlock Chain Real-Time Analytics & Alerts using TriggerWare. Deborah Taylor, CEO Dr. Swamy Narayanaswamy, CTO Contact:
Block Chain Real-Time Analytics & Alerts using TriggerWare Deborah Taylor, CEO Dr. Swamy Narayanaswamy, CTO Contact: swamy@calqlogic.com Origins in Federal R&D projects, SBIR and BAA competitions; Logic-based
More informationEnd to End SLA for Enterprise Multi-Tenant Applications
End to End SLA for Enterprise Multi-Tenant Applications Girish Moodalbail, Principal Engineer, Oracle Inc. Venugopal Iyer, Principal Engineer, Oracle Inc. The following is intended to outline our general
More informationUNIVERSITY OF CAGLIARI
UNIVERSITY OF CAGLIARI DIEE - Department of Electrical and Electronic Engineering Infrastrutture ed Applicazioni Avanzate nell Internet SDN: Control Plane ACK: content taken from Foundations of Modern
More informationUsing SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Institute of Computer Science Chair of Communication Networks Prof. Dr.-Ing. P. Tran-Gia Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall comnet.informatik.uni-wuerzburg.de SarDiNe
More informationLecture 14 SDN and NFV. Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it
Lecture 14 SDN and NFV Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it Traditional network vs SDN TRADITIONAL Closed equipment Software + hardware Cost Vendor-specific management.
More informationArchitectural Approaches to Multi-Homing for IPv6
Architectural Approaches to Multi-Homing for IPv6 A Walk-Through of draft-huston-multi6-architectures-00 Geoff Huston June 2004 Recap Multi-Homing in IPv4 Either: Or: Obtain a local AS Obtain PI space
More informationPGA: Using Graphs to Express and Automatically Reconcile Network Policies
PGA: Using Graphs to Express and Automatically Reconcile Network Policies Chaithan Prakash Jeongkeun Lee Yoshio Turner Joon-Myung Kang Aditya Akella Sujata Banerjee Charles Clark Yadi Ma Puneet Sharma
More informationCoVisor: A Compositional Hypervisor for Software-Defined Networks
CoVisor: A Compositional Hypervisor for Software-Defined Networks Xin Jin, Jennifer Gossels, Jennifer Rexford, and David Walker, Princeton University https://www.usenix.org/conference/nsdi5/technical-sessions/presentation/jin
More informationNetwork Security: Firewalls. Tuomas Aura T Network security Aalto University, Nov-Dec 2013
Network Security: Firewalls Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2013 2 Firewalls: Stateless packet filter Firewall Perimeter defence: Divide the world into the good/safe inside
More informationNetworking: Network layer
control Networking: Network layer Comp Sci 3600 Security Outline control 1 2 control 3 4 5 Network layer control Outline control 1 2 control 3 4 5 Network layer purpose: control Role of the network layer
More informationOperationCheckpoint: SDN Application Control
OperationCheckpoint: SDN Application Control Scott-Hayward, S., Kane, C., & Sezer, S. (2014). OperationCheckpoint: SDN Application Control. In The 22nd IEEE International Conference on Network Protocols
More informationVulcan: Hardware Support for Detecting Sequential Consistency Violations Dynamically
Vulcan: Hardware Support for Detecting Sequential Consistency Violations Dynamically Abdullah Muzahid, Shanxiang Qi, and University of Illinois at Urbana-Champaign http://iacoma.cs.uiuc.edu MICRO December
More informationSUPC: SDN enabled Universal Policy Checking in Cloud Network
SUPC: SDN enabled Universal Policy Checking in Cloud Network Ankur Chowdhary, Adel Alshamrani, and Dijiang Huang Arizona State University {achaud16, aalsham4, dijiang}@asu.edu arxiv:1811.00657v1 [cs.cr]
More informationCPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME:
CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME: There are 6 questions on this quiz. Each question is individually weighted. If you do not understand the question, please ask for clarification. 1 I. (24
More informationAssignment 5. 2 Assignment: Emulate a Data Center and Manage it via a Cloud Network Controller
University of Crete Computer Science Department Lecturer: Prof. Dr. X. Dimitropoulos TAs: Dimitrios Gkounis, George Nomikos Manos Lakiotakis, George Vardakis HY436 - Software Defined Networks Tasks of
More informationBoon Thau Loo University of Pennsylvania
Summary of Networked Systems Breakout Boon Thau Loo University of Pennsylvania Networked Systems Breakout Series of 15-20 minute talks: Challenges in safe routing (Alex Gurney) Compositional network services
More informationA Characterization of IPv6 Network Security Policy
Don t Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy Jakub (Jake) Czyz, University of Michigan & QuadMetrics, Inc. Matthew Luckie, University of Waikato Mark Allman, International
More informationUnderstanding Perimeter Security
Understanding Perimeter Security In Amazon Web Services Aaron C. Newman Founder, CloudCheckr Aaron.Newman@CloudCheckr.com Changing Your Perspective How do I securing my business applications in AWS? Moving
More informationRaj Jain (Washington University in Saint Louis) Mohammed Samaka (Qatar University)
APPLICATION DEPLOYMENT IN FUTURE GLOBAL MULTI-CLOUD ENVIRONMENT Raj Jain (Washington University in Saint Louis) Mohammed Samaka (Qatar University) GITMA 2015 Conference, St. Louis, June 23, 2015 These
More informationIntroduction to Segment Routing
Segment Routing (SR) is a flexible, scalable way of doing source routing. Overview of Segment Routing, page 1 How Segment Routing Works, page 2 Examples for Segment Routing, page 3 Benefits of Segment
More information