SDN AND NFV SECURITY DR. SANDRA SCOTT-HAYWARD, QUEEN S UNIVERSITY BELFAST COINS SUMMER SCHOOL, 23 JULY 2018

Similar documents
ECIT Institute (Est.2003)

SDN Workshop. Contact: WSDN01_v0.1

SDN Workshop. Contact: TSDN01_v0.1. [xx] Revision:

A use-case based analysis of network managment functions in the ONF SDN model

Hands on SDN and BRO

OpenFlow: What s it Good for?

APNIC elearning: SDN Fundamentals

SDN An opportunity for security by design?

Software Defined Networking

CSC 401 Data and Computer Communications Networks

Enabling the Next Generation of SDN

Lesson 9 OpenFlow. Objectives :

How SDN Works Introduction of OpenFlow Protocol

CS 4226: Internet Architecture

Configuring OpenFlow 1

Software Defined Networks (SDN)

Huawei SX700 Switches. SDN Technology White Paper. Issue 01. Date HUAWEI TECHNOLOGIES CO., LTD.

Stratum Project. Enabling era of next generation of SDN

Software Defined Networks

OpenFlow Ronald van der Pol

Software Defined Networking Data centre perspective: Open Flow

Production OpenFlow Switches Now Available -Building CORD Using OpenFlow Switches CORD Build

OPENFLOW & SOFTWARE DEFINED NETWORKING. Greg Ferro EtherealMind.com and PacketPushers.net

Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall

ONOS Support for P4. Carmelo Cascone MTS, ONF. December 6, 2018

Chapter 4 Network Layer: The Data Plane

Software Defined Networks and OpenFlow. Courtesy of: AT&T Tech Talks.

OpenFlow Performance Testing

Version 1.0. April 15, 2015 ONF TS-026

Programmable data planes, P4, and Trellis

COMP211 Chapter 4 Network Layer: The Data Plane

OpenFlow Switch Errata

CS 5114 Network Programming Languages Data Plane. Nate Foster Cornell University Spring 2013

Generic Network Functions. Daya Kamath (Ericsson) Prem Sankar G (Ericsson)

Lab 2: P4 Runtime. Copyright 2018 P4.org

H3C S10500 OpenFlow Configuration Examples

H3C S6800 Switch Series

SDN in TETRA Group Communication - Voice Switching

H3C S5130-EI Switch Series

Data Center Configuration. 1. Configuring VXLAN

P4 support in ONOS. Carmelo Cascone ONF

Overview of the Cisco OpenFlow Agent

Centec V350 Product Introduction. Centec Networks (Suzhou) Co. Ltd R

Cisco Virtual Networking Solution for OpenStack

OpenFlow 1.3: Protocol, Use Cases, And Building a Fault Tolerant Application

SD-Access Wireless: why would you care?

H3C S7500E Switch Series

These slides contain significant content contributions by

OpenFlow. Finding Feature Information. Prerequisites for OpenFlow

Software-Defined Networking (Continued)

OpenFlow. Finding Feature Information. Prerequisites for OpenFlow

Build a Promising Career in SDN Transition Criterion ONF Certified SDN Associate Weekend Program

Software-Defined Networking. Daphné Tuncer Department of Computing Imperial College London (UK)

Abstractions and Open APIs in Networking

CSC 4900 Computer Networks: Network Layer

Programming Netronome Agilio SmartNICs

New OVS instrumentation features aimed at real-time monitoring of virtual networks

H3C S9800 Switch Series

OpenFlow 1.3: Protocol, Use Cases, and Controller Writing. Ryan Izard

11/30/16. Game Plan. OpenFlow 1.3: Protocol, Use Cases, And Building a Fault Tolerant Application. Up Next. Before We Get Started

Software-Defined Networking (SDN) Now for Operational Technology (OT) Networks SEL 2017

OpenState demo. Hands-on activity. NetSoft 15 - April 13, 2015 A.Capone & C. Cascone: OpenState Live Demo 1

Slicing a Network. Software-Defined Network (SDN) FlowVisor. Advanced! Computer Networks. Centralized Network Control (NC)

A Crash Course in OpenFlow 1.1. Rob Sherwood August 2011

Cloud Native Security. OpenShift Commons Briefing

SDN Security BRKSEC Alok Mittal Security Business Group, Cisco

HP 5920 & 5900 Switch Series

Orchestration: Accelerate Deployments and Reduce Operational Risk. Nathan Pearce, Product Development SA Programmability & Orchestration Team

Software-Defined Networking:

DaoliNet A Simple and Smart Networking Technology for Docker Applications

Leveraging Stratum and Tofino Fast Refresh for Software Upgrades

Introduction to Software-Defined Networking UG3 Computer Communications & Networks (COMN)

Open vswitch DPDK Acceleration Using HW Classification

NWD IP8800/S3640. IP8800/S3640 Software Manual. OpenFlow Feature Guide (Version 11.1 Compatible) ISSUE DATE: MAY, 2010 (FIRST EDITION)

lecture 18: network virtualization platform (NVP) 5590: software defined networking anduo wang, Temple University TTLMAN 401B, R 17:30-20:00

Languages for SDN (Frenetic)

Configuring IPv6 First-Hop Security

Switching and Routing projects description

Network as an Enforcer (NaaE) Cisco Services. Network as an Enforcer Cisco and/or its affiliates. All rights reserved.

Network Security. Thierry Sans

Cisco Tetration Analytics

Huawei CloudEngine Series. VXLAN Technology White Paper. Issue 06 Date HUAWEI TECHNOLOGIES CO., LTD.

Typhoon: An SDN Enhanced Real-Time Big Data Streaming Framework

Taxonomy of SDN. Vara Varavithya 17 January 2018

Unlock the Benefits of Transport SDN OIF Transport SDN API Interop Demo

H3C S5130-EI Switch Series

What is ONOS? ONOS Framework (ONOSFW) is the OPNFV project focused on ONOS integration. It is targeted for inclusion in the Brahmaputra release.

OPENSDNCORE RELEASE 4. Use cases

Software Defined Networking 2015 BROCADE COMMUNICATIONS SYSTEMS, INC.

Chapter 5 Network Layer: The Control Plane

Cisco Nexus Data Broker

Xen*, SDN and Apache Cloudstack. Sebastien Goasguen, Apache CloudStack Citrix EMEA August 28 th 2012 Xen Summit

SmartNIC Programming Models

Accelerate Service Function Chaining Vertical Solution with DPDK

Colt Novitas: Bringing SDN & NFV in Production. Javier Benitez, Strategy & Architecture,

Web-Based User Interface for the Floodlight SDN Controller

James Won-Ki Hong. Distributed Processing & Network Management Lab. Dept. of Computer Science and Engineering POSTECH, Korea.

The following topics describe how to configure correlation policies and rules.

Host Dataplane Acceleration: SmartNIC Deployment Models

OPEN CONTRAIL ARCHITECTURE GEORGIA TECH SDN EVENT

Transcription:

SDN AND NFV SECURITY DR. SANDRA SCOTT-HAYWARD, QUEEN S UNIVERSITY BELFAST COINS SUMMER SCHOOL, 23 JULY 2018

Queen s University Belfast Lanyon Building Est. 1845

Centre for Secure Information Technologies (CSIT)

Centre for Secure Information Technologies (CSIT)

Research Area: Data Security

Research Area: Networked Systems Security

Research Area: Security Analytics and Event Mgmt.

SDNFV Security Research - Objectives Identifying, raising awareness, and recommending solutions to potential vulnerabilities in SDNFV network design and deployment. Exploring scalable, analyticsbased monitoring and forensics capabilities, and security solutions for these new network architectures

Agenda Morning Session: 9.30am 1pm 1. What is SDN? 2. What is OpenFlow/P4? Hands-On SDN Mininet/ONOS 3. Attacks and Vulnerabilities in SDN 4. Solutions to Security Issues in SDN Demo - AAA 5. SDN Controller Security evolution Demo- DELTA

Agenda Evening Session: 5pm 7pm 6. Network Security Enhancements using SDN 7. Stateful Security Mechanisms Demo OFMTL-SEC 7. Future Directions a.k.a. Buzzword Bingo

WHAT IS SDN?

Traditional Network Control and Data Planes combined in Network Elements: Control Packet Forwarding Hardware Control Packet Forwarding Hardware Control Packet Forwarding Hardware Control Packet Forwarding Hardware

SDN Evolution Driven by desire to provide usercontrolled management of forwarding in network nodes 1996 1998 2000 2004 2005 2006 2007 2008 Software-Defined Networking

SANE Architecture SANE = Secure Architecture for the Networked Enterprise 2006 M. Casado et al. Logically Centralized Server Trusted Domain Controller (DC) Providing routing and access control decisions Access Control Policies Authentication of Hosts and Policy Enforcement Principle of least privilege and least knowledge Casado, M. et al., SANE: A Protection Architecture for Enterprise Networks, Usenix Security, 2006.

SDN Separation of Control and Data Planes: Open API APP APP APP Controller Packet Forwarding Hardware Open API Packet Forwarding Hardware Packet Forwarding Hardware Packet Forwarding Hardware

SDN Architecture

SDN Characteristics

Network Functions Virtualization Network Functions Virtualisation Introductory White Paper, October 2012 - http://portal.etsi.org/nfv/nfv_white_paper.pdf

Hands-On

WHAT IS OPENFLOW/P4?

What is OpenFlow? OpenFlow = A protocol to control the forwarding behaviour of Ethernet switches in a Software Defined Network OpenFlow Controller OpenFlow Protocol OpenFlow Embedded OS implements OpenFlow Table-based (e.g. TCAM/CAM) highspeed forwarding engine

The origin of OpenFlow Clean Slate Program at Stanford Early work on SANE circa 2006 Inspired Ethane circa 2007, which lead to OpenFlow 2009 Stanford publishes OF 1.0.0 Specification 2009 Nicira Series A funding 2010 Big Switch seed funding 2011 Open Network Foundation is created 2012 Google announces migration to OpenFlow (migration started in 2009) Open Networking Foundation owns OpenFlow

Flow Table (OpenFlow v1.0) Header Fields Counters Actions Priority Ingress Port Ethernet Source Addr Ethernet Dest Addr Ethernet Type VLAN id VLAN priority IP Source Addr IP Dest Addr IP Protocol IP ToS ICMP type ICMP code Per Flow Counters Received Packets Received Bytes Duration seconds Duration nanoseconds Forward (All, Controller, Local, Table, IN_port, Port# Normal, Flood) Enqueue Drop Modify-Field if Eth Type == ARP forward Controller 32768

Flow Table Each Flow Table entry has two timers: idle_timeout hard_timeout seconds of no matching packets after which the flow is removed zero means never timeout seconds after which the flow is removed zero means never timeout If both idle_timeout and hard_timeout are set, then the flow is removed when the first of the two expires.

Proactive vs. Reactive Flows Populating the Flow Table Proactive Reactive Rules are relatively static, controller places rules in switch before they are required. Rules are dynamic. Packets which have no match are sent to the controller (packet in). Controller creates appropriate rule and sends packet back to switch (packet out) for processing.

Implementing OpenFlow Controller First Packet Flow Table 5-tuple SP DP Prot SA DA Hash # Execute Action Subsequent Packets Packet In Hdr Payload Hdr Payload Packet Out

Evolution of OpenFlow OpenFlow v1.0 Header Fields Counters Actions Priority Does packet match flow table entry? If so, perform action. OpenFlow v1.5 Match Fields Priority Counters Instructions Timeouts Cookie Flags Metadata Packet Action Set Group ID Type Counters Action Buckets Does packet match flow table entry? If so, look at instructions

Actions vs. Instructions OpenFlow v1.1 Flow entries contain instructions Instructions may be immediate action(s), or Instructions may set actions in the action set Instructions can also change pipeline processing: Goto table X Goto group table entry x

Statistics/Counters Counters maintained for each: Flow Table Required: Reference Count (active entries) Flow Entry Required: Duration (seconds) Port Required: Received Packets, Transmitted Packets, Duration (secs) Queue Required: Transmit Packets, Duration (seconds) Group Required: Duration (seconds) Group Bucket Optional Meter Required: Duration (seconds) Meter Band Optional

Evolution of OpenFlow Multiple Tables Controller Role Change Role Status, Error Codes D. Kreutz et al., Software-Defined Networking: A Comprehensive Survey, proceedings of the IEEE 103, no. 1 (2015): 14-76 v1.5 - Extensible Flow Entry 14 30 2 5 2 59 5 3 Egress Ports, Various Security Recommendations

Securing the OpenFlow Protocol ONF Security WG OpenFlow Switch Specification Analysis: Recommendations to Extensibility WG Updates to OF Switch Specification v1.3.5 Specify that a secure version of TLS is recommended (EXT-525) Clarify certificate configuration of the switch (EXT-304) Specify that malformed packet refer to those in the datapath (EXT-528) Specify how to deal with malformed OpenFlow messages (EXT-528) Specify that counters must use the full bit range (EXT-529)

Pipeline Processing Open Networking Foundation, OpenFlow Switch Specification Version 1.5.1, www.opennetworking.org L2-L3-ACL Pipeline

Packet flow through OF switch Test your packet pipeline using FlowSim: web-based OpenFlow data plane simulator designed to teach OF data plane abstractions https://flowsim.flowgrammable.org/ Open Networking Foundation, OpenFlow Switch Specification Version 1.5.1, www.opennetworking.org

OF-Config 1.2 OF-Config 1.2 OpenFlow Management and Configuration Protocol: OF-CONFIG defines an OpenFlow switch as an abstraction called an OpenFlow Logical Switch. The OF-CONFIG protocol enables configuration of essential artifacts of an OpenFlow Logical Switch so that an OpenFlow controller can communicate and control the OpenFlow Logical switch via the OpenFlow protocol. Open Networking Foundation, OF-CONFIG 1.2 OpenFlow Management and Configuration Protocol, www.opennetworking.org

OF-Config 1.2 OF-CONFIG uses NETCONF protocol as its transport (implies SSH/TLS)

OF-Config 1.2 OF-CONFIG 1.2 is focussed on the following functions to configure an OF1.3 logical switch: Assignment of one or more OF controllers to OF data planes Configuration of queues and ports Ability to remotely change some aspects of ports (e.g. up/down) Configuration of certificates for secure communication between the OF logical switches and OF controllers Discovery of capabilities of an OF logical switch Configuration of a set of specific tunnel types such as IP-in-GRE, NV-GRE, VxLAN

Improving on OpenFlow? Stratum Project Launch, Open Networking Foundation, March 2018 https://stratumproject.org/wp-content/uploads/2018/03/stratum-launch-announcement-final.pdf

Next-Generation SDN Interfaces Stratum Project Launch, Open Networking Foundation, March 2018 https://stratumproject.org/wp-content/uploads/2018/03/stratum-launch-announcement-final.pdf

P4 (P4.org) P4 language consortium becoming a project of the Open Networking Foundation and the Linux Foundation (March 2018) P4 target-independent, protocolindependent P4 runtime - extend P4 by adding the API to control/configure the device at the same time as deploying a P4 program to the device P4 Implementation issues identified by researchers limitations of the language and constraints imposed by interface between P4 program and s/w switch (P4 runtime ) Stratum Project Launch, Open Networking Foundation, March 2018 https://stratumproject.org/wp-content/uploads/2018/03/stratum-launch-announcement-final.pdf

P4 (P4.org) Google next-gen SDN switch to use P4 Runtime to programme it, OpenConfig to manage it, and to be based on the Open Network Linux (ONL) platform/stratum Stratum Project Launch, Open Networking Foundation, March 2018 https://stratumproject.org/wp-content/uploads/2018/03/stratum-launch-announcement-final.pdf

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback