SDN Applications and Use Cases
Copyright 20 ITRI
Outline
- SDN Basics
- SDN Use Cases & Applications: Google B4 WAN, NEC VTN, OpenDefenseFlow, Firewall Migration, ITRI VLAN Migration
- Concluding Remarks
What is SDN?
SDN = OpenFlow? Not exactly.
An OpenFlow-enabled switch (OpenFlow client + flow table) talks the OpenFlow protocol to the SDN controller (software).
OpenFlow 1.0 flow entry: matching fields | actions | stats
- Matching fields: ingress port, MAC DA, MAC SA, EtherType, VLAN ID, P-bits, IP src, IP dst, IP protocol, IP DSCP, TCP/UDP src port, TCP/UDP dst port
- Actions: forward packet to a port list; add/remove/modify VLAN tag; drop packet; send packet to the controller
- Stats: packet counters, byte counters, etc.
SDN = Still Don't know?
SDN is All about Network Programmability
- API interaction with network elements
- Separated control plane and forwarding plane
- Forwarding plane can be software or hardware
- Control plane agnostic to the underlying hardware
- Network topology derived from the application (this is how SDN differs from switched networks)
- Vendor independence: open and standardized interface
How does SDN work?
Network Command & Control: Traditional Interaction Model
Configuration, command & control uses a communication channel between the network administrator and the Intelligence Entity on board the network device. Every network device can be understood to have an INDEPENDENT Intelligence Entity and a Functional Engine.
[Figure: a Brocade ICX switch with its on-board intelligence entity]
Source: Brocade, "SDN creating intelligent LAN infrastructures"
Network Command & Control: What's the Problem with the Traditional Model?
The larger the network, the more INDEPENDENT devices you need to manage:
- they make their switching & routing decisions independently
- they make their forwarding & filtering decisions independently
- they treat security policies, VLANs, QoS policies, port policies, etc. INDEPENDENTLY
How can we make this easier? Is there a way to make them all operate as a cohesive group?
[Figure: many independent switches, each with its own intelligence entity]
Source: Brocade, "SDN creating intelligent LAN infrastructures"
Network Command & Control: What's the Solution?
Software Defined Networking separates the Intelligence Entity from the Functional Engine and creates a virtualized command & control proxy in the form of a controller (the SDN controller).
[Figure: the same switches, now driven by one SDN controller]
Source: Brocade, "SDN creating intelligent LAN infrastructures"
SDN Use Cases & Applications
Google B4 WAN
Motivation: WAN Cost Components
- Hardware: routers, transport gear, fiber
- Standard practice: overprovisioning
- Shortest-path routing
- Slow convergence time
- Maintain SLAs despite failures
- No traffic differentiation
- Operational expenses / human costs
- Box-centric versus fabric-centric views
Google's WAN: B4
Google inter-datacenter traffic:
a. User data copy
b. Remote storage access
c. Large-scale data push for state synchronization
Volume: a < b < c; latency sensitivity: a > b > c; priority: a > b > c
B4 characteristics:
- Elastic bandwidth demands
- Moderate number of sites
- End application control
- Cost sensitivity
B4 Overview
B4 operations:
- Simultaneously support standard routing protocols and centralized traffic engineering.
- Control at the network edge to adjudicate among competing bandwidth demands.
- Use multiple forwarding paths to leverage available network capacity.
- Dynamically reallocate bandwidth in the face of link/switch failures or shifting application demands.
Link utilization: traditional 0-0%, B4 around %.
Source: B4 (SIGCOMM 2013)
B4 Usage & TE Example
- Flow Group (FG): site-to-site flow aggregation
- Multipath forwarding
- Tunnel Group (TG): a fraction of the FG is forwarded along each tunnel
Sources: OpenFlow @ Google (ONS 2012); B4 (SIGCOMM 2013)
NEC ProgrammableFlow VTN
VTN Information Model
Source: NEC's ProgrammableFlow NBI: VTN Model & Use-cases
VTN Example
Source: NEC's ProgrammableFlow NBI: VTN Model & Use-cases
VTN Feature Sets & Policies
- Virtual network provisioning: VTN design (add/delete/change), VTN model operation (add/delete/change)
- vfilter, flow control in the VTN: 12-tuple based flow filter; QoS control in the virtual network; ACL (e.g. drop); redirect (service chaining); applies to the whole VTN or to a virtual network
- Monitoring: VTN information collection (traffic/port/link statistics, failure events & alarms, controller status)
- Port/VLAN/MAC mapping
ProgrammableFlow VTN Use Case: VTN for Kanazawa University Hospital
OpenDefenseFlow (DefenseAll in OpenDaylight)
DDoS Impact on Business
[Figure: zombie hosts]
DDoS Overview
Distributed denial-of-service (DDoS) attacks target network infrastructures or computer services by sending an overwhelming number of service requests to the server from many sources. Server resources are used up serving the fake requests, so legitimate requests are denied or degraded.
Addressing DDoS attacks:
- Detection: detect incoming fake requests
- Mitigation:
  - Diversion: send traffic to a specialized device that removes the fake packets from the traffic stream while retaining the legitimate packets
  - Return: send the clean traffic back to the server
OpenDefenseFlow Overview
- SDN applications: the OpenDefenseFlow application (DefenseAll), the SDN application that programs networks for DDoS protection
- API down to the SDN controller
- SDN controller
- OpenFlow API down to the SDN data plane
- SDN data plane, with DefensePro (mitigation devices)
Source: OpenDefenseFlow proposal overview for OpenDaylight
OpenDefenseFlow Anti-DDoS SDN Security Service
- Provisioning: programmable probe; collect
- Detection: analyze & decide; create baselines per IP address, protocol & service (port)
- Control: flow diversion; configure DefensePro with the learned baselines
Components: DefenseFlow security application, SDN controller, DefensePro (or equivalent), protected servers, Internet. "Attack!!!" marks the diverted flow.
Source: OpenDefenseFlow proposal overview for OpenDaylight, Slide 0
OpenDefenseFlow on OpenDaylight
OpenDefenseFlow Architecture: Statistics Service
API: addcounter(selector), readcounter(selector), removecounter(selector), resetcounter(selector)
Counters are backed by the flow entry in OpenFlow 1.0: match fields | priority | counters
Statistics Service: Counter Smart Placement
OpenDefenseFlow Architecture: Redirection Service
API: redirecttraffic(selector, devices[]), mirrortraffic(selector, devices[])
(a) Redirection (b) Mirroring
Traffic Redirection for Attack Mitigation
OpenDefenseFlow Architecture: Anomaly Detection
- Builds peace-time (normal) traffic baselines
- Identifies deviations from the normal traffic baselines
- Pluggable system to support multiple vendors, different detection techniques, extensibility (detect new attacks), etc.
OpenDefenseFlow Architecture: Mitigation Driver
- Configures external mitigation device(s), e.g. passes the baseline to the device to expedite detection
- Configures the network so that the suspicious traffic (and only the suspicious traffic) is diverted to a suitable mitigation device
- Monitors external mitigation device(s), e.g. to learn that an attack has ended
- After attacks, restores the network to its original configuration
- Vendor independent: interested vendors can connect to the system by writing a Mitigator Driver (think device drivers in an OS)
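The slides name the four moving parts (counters keyed by a selector, per-IP/protocol/port baselines, deviation detection, diversion of only the suspicious selector) without showing how they fit together. The following is an added toy model of that loop, not code from the ITRI slides or from the OpenDefenseFlow/DefenseAll project: the class and function names mirror the API names on the slides, the mean + 3·stddev baseline rule, the `record` helper, the sample counts and the mitigation port number are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Selector = (dst IP, IP protocol number, dst port): the per-IP-address,
# protocol and service key the slides say baselines are built for.
Selector = tuple[str, int, int]

class StatisticsService:
    """Toy Statistics Service: keeps per-selector packet-count samples that a
    real deployment would read from OpenFlow flow-entry counters (assumed)."""
    def __init__(self) -> None:
        self.samples: dict[Selector, list[int]] = defaultdict(list)

    def addcounter(self, selector: Selector) -> None:
        self.samples.setdefault(selector, [])

    def record(self, selector: Selector, packets: int) -> None:
        self.samples[selector].append(packets)  # one polling interval (assumed helper)

    def readcounter(self, selector: Selector) -> list[int]:
        return list(self.samples[selector])

def build_baselines(stats: StatisticsService, k: float = 3.0) -> dict[Selector, float]:
    """Peace-time baseline per selector: mean + k * population stddev (assumed rule)."""
    return {sel: mean(s) + k * pstdev(s) for sel, s in stats.samples.items() if len(s) >= 2}

def detect(baselines: dict[Selector, float], observed: dict[Selector, int]) -> list[Selector]:
    """Anomaly detection: selectors whose latest count deviates above their baseline."""
    return [sel for sel, pkts in observed.items() if sel in baselines and pkts > baselines[sel]]

def redirecttraffic(selector: Selector, devices: list[int]) -> dict:
    """Toy Redirection Service: the OpenFlow 1.0-style entry that diverts only the
    selector's traffic to the mitigation device port(s); other flows keep their
    normal, lower-priority entries."""
    ip, proto, port = selector
    return {"priority": 100, "dl_type": 0x0800, "nw_dst": ip, "nw_proto": proto,
            "tp_dst": port, "actions": [("output", p) for p in devices]}

def run_demo() -> tuple[list[Selector], list[dict]]:
    """Constructed scenario: learn baselines, then one interval with a UDP/53 flood."""
    stats = StatisticsService()
    web, dns = ("10.0.0.5", 6, 80), ("10.0.0.5", 17, 53)
    for sel in (web, dns):
        stats.addcounter(sel)
    for w, d in zip([100, 120, 110, 130, 115], [40, 45, 42, 38, 44]):  # peace time
        stats.record(web, w)
        stats.record(dns, d)
    baselines = build_baselines(stats)
    observed = {web: 125, dns: 900}  # attack interval (constructed)
    alerts = detect(baselines, observed)
    # switch port 7 is assumed to face the DefensePro-style mitigation device
    return alerts, [redirecttraffic(sel, devices=[7]) for sel in alerts]
```

Only the DNS selector trips its baseline, so only one diversion entry is produced; the web flow to the same server keeps its normal path, which is the "suspicious traffic and only the suspicious traffic" property the Mitigation Driver slide asks for.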
OpenDefenseFlow Unique Value Proposition
- Scalable, precise and fast attack/anomaly detection
- Utilizes native SDN programming for attack traffic diversion
- Lower solution costs: statistics collection without costly specialized hardware detectors; simple attack diversion (no need for BGP injection or GRE tunnels)
- Centralized control allows efficient management of mitigation resources, monitoring and reporting
- Extensible: add detection algorithms, add mitigation devices
Flow Information Collection in a Conventional Network
NetFlow record (extended as IETF IPFIX):
- Input interface index used by SNMP
- Output interface index
- Timestamps for the flow start and finish time
- Number of bytes and packets observed
- Layer 3/4 headers: source & destination IP addresses; source and destination port numbers for TCP, UDP, SCTP; ICMP type and code; IP protocol; Type of Service (ToS) value; the union of all TCP flags observed over the life of the flow
- Layer 3 routing information: IP address of the immediate next hop along the route to the destination; source & destination IP masks (prefix lengths in CIDR notation)
Conventional DDoS Mitigation with Netflow
Records of all flows passing through a specific router interface
Netflow vs. OpenDefenseFlow (conventional network vs. SDN)
Capability | Netflow-based mitigation | OpenDefenseFlow
Detection: network DDoS flood attacks | Full coverage | Full coverage
Mitigation: response time | Slow (minutes) | Immediate (seconds)
Network operation | Requires BGP announcement, GRE tunneling and several detectors; slow, complicated | Simple: diversion is a network service
Diversion: traffic granularity | Low, inaccurate granularity | High granularity: divert only suspicious traffic
Cost effectiveness | Requires hardware detectors and a scrubbing center, consumes router CPU and ports; expensive | Low cost
OpenDefenseFlow Scope
OpenDefenseFlow (DefenseAll) will provide the following:
- An implementation of the Anomaly Detection subsystem, including a vendor-independent framework for plugging in different detection algorithms and a reference implementation of such a detection plug-in. This sample detector will be able to handle common DoS attacks and will serve as an example for developers of more sophisticated detectors.
- An implementation of the Mitigation Driver subsystem, including a vendor-independent framework for plugging in different mitigation devices and a reference implementation of such a mitigator plug-in.
- An OSGi bundle for the Statistics Service subsystem, including a REST API
- An OSGi bundle for the Traffic Redirection Service subsystem, including a REST API
- The OpenDefenseFlow API
Firewall Migration
Firewall and Firewall Migration
Firewall (FW):
- Comprehensive, powerful functions: packet filtering, NAT, routing, proxy, VPN, etc.
- Product-dependent configuration/management
Firewall migration is a challenging task where the devil is in the details. Challenges come from:
- Many, many rules
- Different policy definition styles, e.g. zone-based vs. single-zone policies
- Interpretation errors of the migration tool
- Human errors in manual rule translation & validation
- Unfamiliarity with the firewall's default behavior
Conventional Firewall Migration Strategies
Big-bang strategy: a new firewall completely replaces the old one.
- Higher risk: finished progress is either 0% or 100%
- Lower complexity
- Unpredictable migration time, due to the high risk
Re-addressing strategy: the new firewall coexists with the old one.
- Lower risk: migrating services step by step
- Higher complexity: requires topology re-design and IP re-addressing
- Time-consuming
Is there a novel strategy with lower risk and lower complexity?
A Simple Network
Conventional network with a firewall; rule subset of the firewall:
SRC IP | DEST IP | DST Port | Action
...    | 2.2.2.2 | 0        | Drop
...2   | 2.2.2.2 | 0        | Drop
...    | 2.2.2.2 | 0        | Permit
Target Flow
Source: Ethereal.com
Goal of Firewall Migration
How do we divert the target flow to the new path? Most routers do not support policy-based routing (PBR) with line-rate forwarding.
Idea: firewalls and SDN are both about flows.
Source: Ethereal.com
OpenFlow for Firewall Migration
Introduce SDN-enabled switches & a controller.
Source: Ethereal.com
SDN-based Firewall Migration
Build the FW Migration App:
1. The app reads the configuration from the old firewall and parses the configuration into rules. Manual selection.
2. The app translates the rules, then loads the firewall rules into the new firewall. Manual checking and validation.
3. Flow cutover: the OpenFlow forwarding rules are sent to the OpenFlow switches (OF1, OF2). Manual testing.
Example flow entry in the OF switch:
Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst  | IP Prot | TCP sport | TCP dport | Action
*    | *       | *       | *        | *       | *      | 2.2.2.2 | *       | *         | 0         | port2
Source: Ethereal.com
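As an added illustration of steps 1 to 3 above (this is example code, not the slides' FW Migration App or anything from Ethereal.com), the block below parses a small rule export, evaluates rules with first-match semantics and an explicit default action, generates the wildcarded OpenFlow 1.0 cutover entry for one target flow, and checks old against new firewall decisions on probe flows. The export format, the 200 priority, the RFC 5737 addresses and the "lost rule" translation error are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# OpenFlow 1.0 match fields in the slide's column order; "*" means wildcard.
OF10_FIELDS = ("in_port", "dl_src", "dl_dst", "dl_type", "dl_vlan",
               "nw_src", "nw_dst", "nw_proto", "tp_src", "tp_dst")

@dataclass(frozen=True)
class FwRule:
    src: str      # host or CIDR
    dst: str
    dport: int
    action: str   # "Permit" or "Drop"

def parse_rules(text: str) -> list[FwRule]:
    """One rule per line: '<src> <dst> <dst-port> <Permit|Drop>' (assumed export format)."""
    rules = []
    for line in text.strip().splitlines():
        src, dst, port, action = line.split()
        if action not in ("Permit", "Drop"):
            raise ValueError(f"unknown action {action!r}")
        rules.append(FwRule(src, dst, int(port), action))
    return rules

def decide(rules: list[FwRule], src: str, dst: str, dport: int, default: str = "Drop") -> str:
    """First-match evaluation; 'default' models the firewall's implicit final rule,
    the default behaviour the slides warn migrations often get wrong."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst) and r.dport == dport):
            return r.action
    return default

def cutover_entry(rules: list[FwRule], dst: str, dport: int, fw_port: int) -> dict:
    """Flow-cutover entry: divert only the target flow (dst IP + TCP dst port) to the
    switch port facing the new firewall. Permit/Drop stays in the firewall, not the switch."""
    if not any(r.dst == dst and r.dport == dport for r in rules):
        raise ValueError("target flow is not covered by any migrated rule")
    match = dict.fromkeys(OF10_FIELDS, "*")
    match.update(dl_type=0x0800, nw_dst=dst, nw_proto=6, tp_dst=dport)
    return {"match": match, "priority": 200, "actions": [("output", fw_port)]}

def validate(old: list[FwRule], new: list[FwRule], probes: list[tuple]) -> list[tuple]:
    """Manual-checking aid: probe flows on which the old and new rule sets disagree."""
    return [p for p in probes if decide(old, *p) != decide(new, *p)]

# Constructed rule set shaped like the slide's (the slide's own addresses are
# not legible in this copy); RFC 5737 documentation addresses are used instead.
OLD_RULES = parse_rules("""
192.0.2.10   198.51.100.2 80 Drop
192.0.2.11   198.51.100.2 80 Drop
192.0.2.0/24 198.51.100.2 80 Permit
""")
# Simulated translation error: the migration tool lost the second Drop rule.
NEW_RULES = [r for r in OLD_RULES if r.src != "192.0.2.11"]
PROBES = [("192.0.2.10", "198.51.100.2", 80), ("192.0.2.11", "198.51.100.2", 80),
          ("192.0.2.50", "198.51.100.2", 80), ("192.0.2.50", "198.51.100.2", 443)]
```

`validate` reports the one probe whose decision flipped from Drop to Permit, which is exactly the kind of rule-loss a cutover should be blocked on until the new firewall is corrected.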
ITRI VLAN Migration
Motivation of VLAN Migration
- Rich services/departments: WiFi, U-bike, surveillance system, access control system, ...
- Legacy L2 switches generally support (only) port-based VLAN
- Managing port-based VLAN is complex and time-consuming
VLAN Migration (ITRI ITSC)
Goal: to reduce operational expense (OPEX)
- Flexible VLAN partition rules: port, MAC address, IP address, ...
- One-shot configuration
- Replacing access switches
Concluding Remarks
Potential Innovative Issues
- Wired/wireless network resource management (IEEE tutorial: wireless SDN in access and backhaul)
- Application-aware traffic engineering
- Efficient/scalable network state monitoring: device, application, switch/link loading, flow table usage
- Protocol-independent forwarding (P4: programming protocol-independent packet processors)
- Security applications: unified access control, IDS, DDoS protection
- Security of SDN ("OpenFlow: A Security Analysis")
SDN Brings Network Programmability, Flexibility and Agility
There will be many more SDN/NFV innovations!!
Thank You!