HEX Switch: Hardware-assisted security extensions of OpenFlow
1 HEX Switch: Hardware-assisted security extensions of OpenFlow
- Taejune Park / KAIST / taejune.park@kaist.ac.kr
- Zhaoyan Xu / StackRox Inc. / z@stackrox.com
- Seungwon Shin / KAIST / claude@kaist.ac.kr
2 Software-Defined Networking
- Centralized management
- Dynamic traffic engineering
- Programmable network operation
- High compatibility with virtualized environments
3 Software-Defined Networking
- Centralized management
- Dynamic traffic engineering
- Programmable network operation
- High compatibility with virtualized environments
- Security is still required
4 Security in Software-Defined Networking
[Figure: Control-Plane Layer (Network Control Apps., Security Apps., Security Application) and Data-Plane Layer (Middle-box), connected by a Standard Protocol (e.g., OpenFlow)]
5 Security in Software-Defined Networking
Security applications on a control plane
- Applying security features network-wide
- Cheap price
- Easy to manage
6 Security in Software-Defined Networking
Security applications on a control plane
- Applying security features network-wide
- Cheap price
- Easy to manage
Limitation
- Simple security only available
- Slow-path for inspection
- Controller overhead
7 Security in Software-Defined Networking
Middle-boxes on a data plane
- Better performance
- Rich features such as payload inspection
- No controller overhead
8 Security in Software-Defined Networking
Middle-boxes on a data plane
- Better performance
- Rich features such as payload inspection
- No controller overhead
Limitation
- Network overhead by traffic detouring (taking extra hops)
- Require flow steering for NFs
- Additional control channels for NFs
9 Summary
[Table: columns Category, SDN Applications, Middle-boxes; rows Flexibility, Management, Deployability, Performance, Functionality]
10 Related works: Extending SDN architecture to support security
- Mekky, Hesham, et al. "Network function virtualization enablement within SDN data plane." IEEE INFOCOM 2017 (Also, HotSDN 2014)
- Sonchack, John, et al. "Enabling Practical Software-defined Networking Security Applications with OFX." NDSS
11 Related works: Extending SDN architecture to support security
- Mekky, Hesham, et al. "Network function virtualization enablement within SDN data plane." IEEE INFOCOM 2017 (Also, HotSDN 2014)
- Sonchack, John, et al. "Enabling Practical Software-defined Networking Security Applications with OFX." NDSS
Their security functions are not fully consolidated into a data plane
- Application module, Tap-based interface
12 Related works: Extending SDN architecture to support security
- Mekky, Hesham, et al. "Network function virtualization enablement within SDN data plane." IEEE INFOCOM 2017 (Also, HotSDN 2014)
- Sonchack, John, et al. "Enabling Practical Software-defined Networking Security Applications with OFX." NDSS
In essence, they are NOT different from the middle-box structure! It's just a scale down!
13 Related works: UNISAFE
- "UNISAFE: A union of security actions for software switches." Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization. ACM, 2016
- Fully integrated security functions into a data plane, not a modular one
- Security functions as a set of OpenFlow actions
[Figure: UNISAFE (based on Open vSwitch): look up the flow table, then execute actions, including security actions]
Flow table
MATCH    Actions
Flow_A   sec_dos(mbps=100), output:2
Flow_B   sec_dos(mbps=500),sec_scan( ),output:3
14 Security actions of UNISAFE
High compatibility with common OpenFlow actions
- actions=sec_dos(mbps=1000),set_nw_src( ),output:2
Fine-grained security enforcement per flow
- in_port=1,nw_src= ,tp_dst=80,actions=sec_dos( ),
- in_port=2,nw_dst= ,actions=sec_dpi( ),
Easy configuration for security service chaining
- actions=sec_dos( ),sec_scan( ),sec_dpi( ),
15 Performance in UNISAFE
- Achieve line-rate latency for all security
- But, lack of throughput in some actions
- Payload Inspection (DPI) throughput: throughput less than 100Mbps on 1Gbps
[Figure: Throughput (%) against Bandwidth (Mbps) for forwarding, dos, scan1, scan5, dpi100, dpi500, dpi1000]
16 Performance in UNISAFE
- Achieve line-rate latency for all security
- But, lack of throughput in some actions
- Payload Inspection (DPI) throughput: throughput less than 100Mbps on 1Gbps
Challenge 1: Performance limitation
[Figure: Throughput (%) against Bandwidth (Mbps) for forwarding, dos, scan1, scan5, dpi100, dpi500, dpi1000]
17 Security operation in UNISAFE
- Manual operation for security violations by an administrator?
[Figure: Controller, Manual Operation]
18 Security operation in UNISAFE
- Manual operation for security violations by an administrator
Challenge 2: Security operation
[Figure: Controller, Manual Operation?]
19 HEX Switch: Hardware-assisted security extensions of OpenFlow
- Hardware-based approach for UNISAFE
- Using NetFPGA
- Providing line-rate performance with configurability
- Security Actions
- Security Policy
- Controller communication
20 Design
- Security Processor placed within the packet processing sequence
- Six-stage pipeline: mainly consists of data storage and inspection logic
- Flow table controller forwards flow keys, stats and action key after matching
[Figure: pipeline from Input to output through Stage 1, Stage 2, Stage 3, Stage 4-5 and Stage 6; labels: Flow key, Packet, Flow key, stats & Action key, Packet buffer, Alert Msg]
24 Security Action Processing
- All security actions are performed in parallel
- Forward the data-storage data to the inspection logic through the wide data bus
Challenge
- The pattern list for payload inspection requires wide bandwidth
  => Transfer the address first and read directly from memory
[Figure: Data storage, Wide Data Bus, HEX Action Input Selector; labels: Flow Key, Stats & Action Key, Pattern list, Address of large data]
25 After Processing: Applying Policy
Actions can handle violated packets according to a policy
- e.g., actions=sec_dos(mbps=1000,policy=redirect:2)
  => If the current bps exceeds 1000 Mbps, redirect the flow to port 2.
Four policies
- Neglect: Ignores the violation
- Alert: Send an alert msg to a controller
- Discard: Terminates the packet processing and drops the packet
- Redirect: Forward packets to an alternative port
[Figure: Inspection Logic feeding the Policy handler, with outputs Alert, Redirect and Discard]
26 Communication with a controller
- By the host device with its software
- The host device and the HEX switch are bound by the device driver
[Figure: To Controller, Msg Handler, Host device and software, Device driver]
27 Communication with a controller: Transferring an alert message
- The device driver reads the registers and the HEX handler transfers it to a controller through an OpenFlow channel
- A controller provides a handler API to process the alert message
[Figure: To Controller, Msg Handler]
28 Communication with a controller: Deploying security actions
- The security actions are deployed by flow_mod messages
- Security actions are compatible with common OpenFlow actions
[Figure: To Controller, Msg Handler]
29 Challenge in flow-level security deployment
- The flow-level security cannot represent a security policy across multiple flows
- Simple example: Flow A 800Mbps, Flow B 700Mbps
- The total incoming bandwidth from Flow A/B evidently exceeds 1000 Mbps, but the DoS detectors never trigger an alert!
30 Action Clustering
- Security actions have a cluster ID in their parameters
- The actions that use the same cluster ID are considered to belong to the same cluster
- The clustered action works as a single integrated action across different flow rules
- Implemented by sharing the data storage through the cluster map
Flow rules
Match   Actions
A       sec_xyz (id = 10, )
B       sec_xyz (id = 10, )
C       sec_xyz (id = 10, )
[Figure: Action key & Cluster IDs, Update Data, Data storage Distributor, Hash, Data Storage, Build Bus Data; DoS Action Cluster Map with Address/Data entries 0xAA: 1111,2222; 0xBB: 3333,4444; 0xCC: 5555,6666; DPI Action Cluster Map with Address/Data entries; DPI_10 data holding Num Patterns and the vulnerable patterns list]
31 Applying Action Clustering
- Applying the action clustering to the previous example: Flow A 800Mbps, Flow B 700Mbps
- DoS inspection logic: (Mbps > 1000)? true : false => Detected
- The DoS detector can successfully detect the bandwidth excess and alert on it.
[Figure: Flow A and Flow B sharing one DoS Data section (ID, Data) that feeds the DoS Inspection logic]
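The per-flow blind spot of slide 29 and its fix by action clustering on slides 30-31, together with the four policies of slide 25, as an added Python model (not code from the slides or from the HEX/UNISAFE implementation). The combined parameter form sec_dos(id=...,mbps=...,policy=...), the default policy, and the one-interval rate table are assumptions made for this example.

```python
"""Added model (not HEX/UNISAFE code) of sec_dos counters, per flow vs. clustered."""
import re
from collections import defaultdict

POLICIES = {"neglect", "alert", "discard", "redirect"}  # the four policies of slide 25


def split_actions(spec):
    """Split an action list on commas that are outside parentheses."""
    parts, depth, cur = [], 0, ""
    for ch in spec:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return [p for p in parts + [cur.strip()] if p]


def parse_rule(spec):
    """Return (sec_dos parameters or None, normal output port or None)."""
    dos, out_port = None, None
    for action in split_actions(spec):
        m = re.fullmatch(r"sec_dos\s*\((.*)\)", action)
        if m:
            params = {}
            for item in filter(None, (p.strip() for p in m.group(1).split(","))):
                key, _, value = item.partition("=")
                params[key.strip()] = value.strip()
            # Assumption: a sec_dos without an explicit policy only alerts.
            policy, _, target = params.get("policy", "alert").partition(":")
            if policy not in POLICIES or (policy == "redirect" and not target):
                raise ValueError(f"bad policy in {action!r}")
            dos = {"mbps": int(params["mbps"]), "policy": policy,
                   "target": target or None, "cluster": params.get("id")}
        elif action.startswith("output:"):
            out_port = action.split(":", 1)[1]
    return dos, out_port


def evaluate(rules, rates_mbps):
    """rules: {flow: action list}; rates_mbps: {flow: Mbps seen in one interval}."""
    parsed = {flow: parse_rule(spec) for flow, spec in rules.items()}
    storage = defaultdict(int)  # data-storage slot -> aggregated Mbps
    slot_of = {}
    for flow, (dos, _) in parsed.items():
        if dos is None:
            continue
        # Actions with the same cluster ID share one slot; otherwise one slot per flow.
        if dos["cluster"] is not None:
            slot = ("cluster", dos["cluster"])
        else:
            slot = ("flow", flow)
        slot_of[flow] = slot
        storage[slot] += rates_mbps.get(flow, 0)

    verdicts = {}
    for flow, (dos, out_port) in parsed.items():
        violated = dos is not None and storage[slot_of[flow]] > dos["mbps"]
        verdict = {"violated": violated, "alert": False, "port": out_port}
        if violated:
            if dos["policy"] == "alert":
                verdict["alert"] = True           # message to the controller
            elif dos["policy"] == "discard":
                verdict["port"] = None            # processing stops, packet dropped
            elif dos["policy"] == "redirect":
                verdict["port"] = dos["target"]   # alternative port
            # "neglect": the violation is ignored and forwarding is unchanged
        verdicts[flow] = verdict
    return verdicts


# Constructed sample input: the 800 + 700 Mbps case from slides 29 and 31.
RATES = {"A": 800, "B": 700}
PER_FLOW = {f: "sec_dos(mbps=1000,policy=alert),output:3" for f in RATES}
CLUSTERED = {f: "sec_dos(id=10,mbps=1000,policy=alert),output:3" for f in RATES}
CLUSTERED_REDIRECT = {f: "sec_dos(id=10,mbps=1000,policy=redirect:2),output:3"
                      for f in RATES}

if __name__ == "__main__":
    for name, rules in (("per-flow", PER_FLOW), ("clustered", CLUSTERED),
                        ("clustered+redirect", CLUSTERED_REDIRECT)):
        print(name, evaluate(rules, RATES))
```

With per-flow counters neither rule is violated; with a shared cluster ID both rules see the 1500 Mbps aggregate and the configured policy applies to both flows.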
32 Implementation
- NetFPGA-1G-CML
- Based on Reference NIC and OpenFlow switch from the NetFPGA project
- Support DoS Detector and Deep Packet Inspector (Payload inspector)
[Figure: board photo; labels: JTAG via 5-pin USB, Power switch, Power cable, Intf 0, Intf 1, Intf 2, Intf 3, PCIe Gen2 x4]
33 Evaluation
Measure throughput and latency
1) Performance of the HEX switch
2) Performance of simple forwarding by the normal OpenFlow switch
3) Performance of OVS based implementation (i.e., UNISAFE)
[Figure: three test beds, each with hosts h1 and h2 on 1 GbE links; labels: HEX Switch, OpenFlow Switch, OVS (UNISAFE), Reference NIC]
34 Evaluation Result
[Figure: Throughput (%) against Bandwidth (Mbps), and latency CDF against Latency (ms), for HEX (DoS+DPI), Native O.F., OVS simple, OVS DoS and OVS DPI; annotations: HEX & Simple Fwd., UNISAFE]
35 Conclusion
- The HEX switch that embeds security functions
- Using NetFPGA
- As a set of actions
- Support security policy and controller APIs
- Achieves line-rate performance without overhead.
36 Thank you! Questions?
Programmable NICs Lecture 14, Computer Networks (198:552) Network Interface Cards (NICs) The physical interface between a machine and the wire Life of a transmitted packet Userspace application NIC Transport
More informationComputer Networks. Sándor Laki ELTE-Ericsson Communication Networks Laboratory
Computer Networks Sándor Laki ELTE-Ericsson Communication Networks Laboratory ELTE FI Department Of Information Systems lakis@elte.hu http://lakis.web.elte.hu Based on the slides of Laurent Vanbever. Further
More informationTowards High-performance Flow-level level Packet Processing on Multi-core Network Processors
Towards High-performance Flow-level level Packet Processing on Multi-core Network Processors Yaxuan Qi (presenter), Bo Xu, Fei He, Baohua Yang, Jianming Yu and Jun Li ANCS 2007, Orlando, USA Outline Introduction
More informationSnort: The World s Most Widely Deployed IPS Technology
Technology Brief Snort: The World s Most Widely Deployed IPS Technology Overview Martin Roesch, the founder of Sourcefire and chief security architect at Cisco, created Snort in 1998. Snort is an open-source,
More informationAccelerating Telco NFV Deployments with DPDK and SmartNICs
x Accelerating Telco NFV Deployments with and SmartNICs Kalimani Venkatesan G, Aricent Kalimani.Venkatesan@aricent.com Barak Perlman, Ethernity Networks Barak@Ethernitynet.com Summit North America 2018
More informationRouteBricks: Exploi2ng Parallelism to Scale So9ware Routers
RouteBricks: Exploi2ng Parallelism to Scale So9ware Routers Mihai Dobrescu and etc. SOSP 2009 Presented by Shuyi Chen Mo2va2on Router design Performance Extensibility They are compe2ng goals Hardware approach
More informationMicroboxes: High Performance NFV with Customizable, Asynchronous TCP Stacks and Dynamic Subscriptions
Microboxes: High Performance NFV with Customizable, Asynchronous TCP Stacks and Dynamic Subscriptions Guyue Liu, Yuxin Ren, Mykola Yurchenko, K.K. Ramakrishnan, Timothy Wood George Washington University,
More informationVirtual switching technologies and Linux bridge
Virtual switching technologies and Linux bridge Toshiaki Makita NTT Open Source Software Center Today's topics Virtual switching technologies in Linux Software switches (bridges) in Linux Switching technologies
More informationCS 4226: Internet Architecture
Software Defined Networking Richard T. B. Ma School of Computing National University of Singapore Material from: Scott Shenker (UC Berkeley), Nick McKeown (Stanford), Jennifer Rexford (Princeton) CS 4226:
More informationSwitchX Virtual Protocol Interconnect (VPI) Switch Architecture
SwitchX Virtual Protocol Interconnect (VPI) Switch Architecture 2012 MELLANOX TECHNOLOGIES 1 SwitchX - Virtual Protocol Interconnect Solutions Server / Compute Switch / Gateway Virtual Protocol Interconnect
More informationHybrid OpenFlow Switch
Hybrid OpenFlow Switch In This Chapter Alcatel-Lucent supports Hybrid OpenFlow Switch (H-OFS) functionality. The hybrid model allows operators to deploy Software Defined Network (SDN) traffic steering
More informationA Security Orchestration System for CDN Edge Servers
A Security Orchestration System for CDN Edge Servers ELAHEH JALALPOUR STERE PREDA MILAD GHAZNAVI MAKAN POURZANDI DANIEL MIGAULT RAOUF BOUTABA 1 Outline Introduction Edge Server Security Orchestration Implementation
More informationLS Example 5 3 C 5 A 1 D
Lecture 10 LS Example 5 2 B 3 C 5 1 A 1 D 2 3 1 1 E 2 F G Itrn M B Path C Path D Path E Path F Path G Path 1 {A} 2 A-B 5 A-C 1 A-D Inf. Inf. 1 A-G 2 {A,D} 2 A-B 4 A-D-C 1 A-D 2 A-D-E Inf. 1 A-G 3 {A,D,G}
More informationNext Gen Virtual Switch. CloudNetEngine Founder & CTO Jun Xiao
Next Gen Virtual Switch CloudNetEngine Founder & CTO Jun Xiao Agenda Thoughts on next generation virtual switch Technical deep dive on CloudNetEngine virtual switch Q & A 2 Major vswitches categorized
More informationCommercial Network Processors
Commercial Network Processors ECE 697J December 5 th, 2002 ECE 697J 1 AMCC np7250 Network Processor Presenter: Jinghua Hu ECE 697J 2 AMCC np7250 Released in April 2001 Packet and cell processing Full-duplex
More informationSweet Little Lies: Fake Topologies for Flexible Routing
Sweet Little Lies: Fake Topologies for Flexible Routing Stefano Vissicchio University of Louvain HotNets 27th October 2014 Joint work with Laurent Vanbever (Princeton) and Jennifer Rexford (Princeton)
More informationMultimedia Streaming. Mike Zink
Multimedia Streaming Mike Zink Technical Challenges Servers (and proxy caches) storage continuous media streams, e.g.: 4000 movies * 90 minutes * 10 Mbps (DVD) = 27.0 TB 15 Mbps = 40.5 TB 36 Mbps (BluRay)=
More informationWhat is SDN, Current SDN projects and future of SDN VAHID NAZAKTABAR
What is SDN, Current SDN projects and future of SDN VAHID NAZAKTABAR Index What is SDN? How does it work? Advantages and Disadvantages SDN s Application Example 1, Internet Service Providers SDN s Application
More informationPresented by: Fabián E. Bustamante
Presented by: Fabián E. Bustamante A. Nikravesh, H. Yao, S. Xu, D. Choffnes*, Z. Morley Mao Mobisys 2015 *Based on the authors slides Mobile apps are increasingly popular Mobile platforms is the dominant
More information