OpenFlow Research on the Georgia Tech Campus Network
Russ Clark, Nick Feamster
Students: Yogesh Mundada, Hyojoon Kim, Ankur Nayak, Anirudh Ramachandran, Umayr Hassan
2
Summary of Research Projects
• Campus Network Deployment
  – Resonance: Dynamic Access Control for Campus Networks
  – Pedigree: Traffic Tainting for Securing Enterprise Networks
• Home Network Deployments
  – User-Proof Networking (with Prof. Keith Edwards)
• Class Projects: Network Management/Network Security
  – OpenFlow Traffic Classification
  – SNMP MIB for OpenFlow
  – Home-Network Management using OpenFlow
  – OpenFlow for High Availability/Service Migration
  – OpenFlow and Virtualization
  – Access Control for Home Networks
  – Automated Intrusion Detection with OpenFlow
3
Dynamic Access Control
• Enterprise and campus networks are dynamic
  – Hosts continually coming and leaving
  – Hosts may become infected
• Today, access control is static, and poorly integrated with the network layer itself
• Resonance: Dynamic access control
  – Track the state of each host on the network
  – Update the forwarding state of switches per host as these states change
4
Authentication at GT: “START”
Figure: message flow between New Host, Switch, VMPS and Web Portal.
1. New MAC Addr
2. VQP (switch queries the VMPS)
3. VLAN with Private IP
4. Web Authentication (via the Web Portal)
5. Authentication Result
6. VLAN with Public IP
7. REBOOT
5
Problems with Current Approach
• Access control is too coarse-grained
  – Static, inflexible and prone to misconfigurations
  – Need to rely on VLANs to isolate infected machines
• Cannot dynamically remap hosts to different portions of the network
  – Moving a host to another VLAN requires a new DHCP lease, which for a Windows user means a reboot
• Monitoring is not continuous
Idea: Access control policies should reflect network dynamics.
6
Resonance Approach
• Step 1: Controller associates each host with generic states and security classes.
• Step 2: Specify a state machine for moving machines from one state to the other.
• Step 3: Control forwarding state in switches based on the current state of each host.
7
Applying Resonance to START
Figure: host state machine.
States: Registration, Authenticated, Operation, Quarantined.
Transition labels: Successful Authentication; Failed Authentication; Vulnerability detected; Clean after update; Infection removed or manually fixed; Still infected after an update.
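The three Resonance steps on the previous slide and the state machine on this one, worked through as an added example (this is not the Georgia Tech Resonance code). The four states and the transition labels are the ones on the slide; which label connects which pair of states, the contents of the flow entries, the portal and remediation addresses, and the match/action encoding are assumptions made here for illustration.

```python
"""Resonance-style dynamic access control: a per-host state machine whose
current state selects the flow entries the controller installs for that host.

Added example, not the Georgia Tech Resonance code. States and transition
labels come from the slide; the edges, flow-entry contents, addresses and
match/action encoding are assumptions for illustration.
"""
from dataclasses import dataclass, field

REGISTRATION = "Registration"
AUTHENTICATED = "Authenticated"
OPERATION = "Operation"
QUARANTINED = "Quarantined"

# (current state, event) -> next state. Edges are assumed; see module docstring.
TRANSITIONS = {
    (REGISTRATION, "successful_authentication"): AUTHENTICATED,
    (REGISTRATION, "failed_authentication"): REGISTRATION,
    (AUTHENTICATED, "clean_after_update"): OPERATION,
    (AUTHENTICATED, "vulnerability_detected"): QUARANTINED,
    (OPERATION, "vulnerability_detected"): QUARANTINED,
    (QUARANTINED, "still_infected_after_update"): QUARANTINED,
    (QUARANTINED, "infection_removed_or_manually_fixed"): AUTHENTICATED,
}

PORTAL_IP = "10.0.0.2"       # assumed address of the web portal
REMEDIATION_IP = "10.0.0.3"  # assumed address of the scan/update server


@dataclass
class Host:
    mac: str
    state: str = REGISTRATION
    history: list = field(default_factory=list)  # (state, event, next_state)


def rules_for(host):
    """Flow entries for a host in its current state: (priority, match, action).
    Match keys follow OpenFlow 1.0 field names; actions are illustrative strings."""
    src = {"dl_src": host.mac}
    if host.state == REGISTRATION:
        # Unauthenticated: DHCP and DNS pass, HTTP is rewritten to the portal, rest dropped.
        return [
            (100, {**src, "nw_proto": 17, "tp_dst": 67}, "NORMAL"),
            (100, {**src, "nw_proto": 17, "tp_dst": 53}, "NORMAL"),
            (90, {**src, "nw_proto": 6, "tp_dst": 80}, f"SET_NW_DST:{PORTAL_IP}"),
            (1, src, "DROP"),
        ]
    if host.state == AUTHENTICATED:
        # Authenticated but not yet known clean: DNS plus the scan/update server only.
        return [
            (100, {**src, "nw_proto": 17, "tp_dst": 53}, "NORMAL"),
            (100, {**src, "nw_dst": REMEDIATION_IP}, "NORMAL"),
            (1, src, "DROP"),
        ]
    if host.state == QUARANTINED:
        # Isolation is done in the flow table, not by moving the host to another VLAN.
        return [(100, {**src, "nw_dst": REMEDIATION_IP}, "NORMAL"), (1, src, "DROP")]
    return [(10, src, "NORMAL")]  # OPERATION: normal forwarding


class Controller:
    def __init__(self):
        self.hosts = {}
        self.flow_table = {}  # mac -> rules currently installed for that host

    def host_seen(self, mac):
        """First packet-in from a new MAC: the host starts in Registration."""
        host = self.hosts.setdefault(mac, Host(mac))
        self.flow_table[mac] = rules_for(host)
        return host

    def event(self, mac, name):
        """Apply an event (portal result, scanner verdict, IDS alert) to a host.
        Forwarding state is rewritten immediately: no new DHCP lease, no reboot."""
        host = self.hosts[mac]
        nxt = TRANSITIONS.get((host.state, name))
        if nxt is None:
            raise ValueError(f"event {name!r} is not defined in state {host.state}")
        host.history.append((host.state, name, nxt))
        host.state = nxt
        self.flow_table[mac] = rules_for(host)
        return nxt


def valid_events(state):
    """Events the state machine accepts in a given state."""
    return sorted(e for (s, e) in TRANSITIONS if s == state)


def default_action(ctl, mac):
    """Action of the lowest-priority (catch-all) rule installed for a host."""
    return min(ctl.flow_table[mac], key=lambda r: r[0])[2]


def run_scenario(mac, events):
    """Drive one host through a list of events; return (state, default action) per step."""
    ctl = Controller()
    ctl.host_seen(mac)
    trace = [(ctl.hosts[mac].state, default_action(ctl, mac))]
    for ev in events:
        ctl.event(mac, ev)
        trace.append((ctl.hosts[mac].state, default_action(ctl, mac)))
    return trace


if __name__ == "__main__":
    for step in run_scenario("00:11:22:33:44:55", [
        "failed_authentication", "successful_authentication", "clean_after_update",
        "vulnerability_detected", "still_infected_after_update",
        "infection_removed_or_manually_fixed", "clean_after_update",
    ]):
        print(step)
```

The point of the example is the last line of `Controller.event`: a change of host state is a change of that host's flow entries, so quarantine and release take effect at the first-hop switch without touching VLANs or DHCP. Note that every rule keys on `dl_src`, which is exactly why the "MAC address spoofing" challenge on the next slide matters: a quarantined host that forges another host's MAC inherits that host's rules unless the switch port or 802.1X binding is also checked.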
8
Challenges
• Scale
  – How many forwarding entries per switch?
  – How much traffic at the controller?
• Performance
  – Responsiveness
• Security
  – MAC address spoofing
  – Securing the controller (and control framework)
10
Enterprise Information Flow Control
• Goal: Control how information flows between different hosts in the network
  – Control the spread of malware
  – Prevent data leaks
• Challenges
  – Heterogeneous devices
  – Hosts may not be trusted
• Solution: Pedigree
  – Classify traffic based on
    • What process generated the traffic
    • Where that process has taken inputs
  – Implement control policies in the network
11
Pedigree Design
• Trusted tagging component resides on the host.
• Traffic carries taints that reflect the provenance of the traffic.
• The switch one hop from the hosts makes the access control decisions.
12
Current Function
Figure: host, first-hop switch, controller and the Internet.
1. Host sends a request over the control channel to open a flow with a taint set.
2. Traffic is diverted to the controller, which checks policy.
3. Controller inserts a flow-table entry if the flow is policy-compliant.
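The Pedigree design on the previous slide and the three-step exchange on this one, as an added example (this is not the Georgia Tech Pedigree code). The slides say only that a trusted host component attaches taints reflecting provenance, that the controller checks policy, and that a flow entry is installed if the flow is compliant; the taint labels, zones, policy table, addresses, process and host names, and the request format below are assumptions for illustration.

```python
"""Pedigree-style taint-based flow admission at the first-hop switch.

Added example, not the Georgia Tech Pedigree code. Taint labels, zones,
policy, addresses, names and the request format are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumed taint labels. A process inherits the labels of everything it read.
CONFIDENTIAL = "confidential"          # read a file labelled confidential
INTERNET = "internet"                  # received data from an external peer
UNTRUSTED_BINARY = "untrusted-binary"  # process image not in the approved set

# Assumed addressing; the first matching prefix wins, so list specific prefixes first.
ZONES = [("10.1.0.0/16", "internal"), ("0.0.0.0/0", "external")]

# Policy: taints that may not appear on a flow toward each zone.
FORBIDDEN = {
    "external": {CONFIDENTIAL, UNTRUSTED_BINARY},  # no leaks, no unvetted code calling out
    "internal": {UNTRUSTED_BINARY},                # unvetted code gets no lateral movement
}


@dataclass
class Process:
    host: str
    name: str
    taints: set = field(default_factory=set)

    def read_file(self, label):
        """Reading a labelled input taints the process."""
        self.taints.add(label)

    def receive_from(self, sender):
        """Taint travels with the data: the receiver picks up the sender's taints."""
        self.taints |= sender.taints


def tag_request(proc, dst_ip, dst_port):
    """Step 1: the trusted host component builds the control-channel request,
    carrying the taint set of the process that wants the flow."""
    return {"src_host": proc.host, "process": proc.name,
            "nw_dst": dst_ip, "tp_dst": dst_port, "taints": frozenset(proc.taints)}


def zone_of(dst_ip):
    addr = ipaddress.ip_address(dst_ip)
    for prefix, zone in ZONES:
        if addr in ipaddress.ip_network(prefix):
            return zone
    return "external"


class Controller:
    def __init__(self):
        self.flow_table = []  # (src_host, nw_dst, tp_dst) entries installed
        self.denied = []      # (request, offending taints)

    def check_policy(self, req):
        """Step 2: return the taints that forbid this flow (empty set means compliant)."""
        return set(req["taints"]) & FORBIDDEN[zone_of(req["nw_dst"])]

    def handle(self, req):
        """Step 3: install a flow entry only if the request is policy-compliant."""
        bad = self.check_policy(req)
        if bad:
            self.denied.append((req, sorted(bad)))
            return False
        self.flow_table.append((req["src_host"], req["nw_dst"], req["tp_dst"]))
        return True


def scenario():
    """Constructed scenario: a data-leak attempt and a malware lateral-movement attempt."""
    ctl = Controller()
    editor = Process("alice-laptop", "editor")
    editor.read_file(CONFIDENTIAL)
    browser = Process("bob-desktop", "browser")
    browser.read_file(INTERNET)                   # pulled content from the Internet
    dropper = Process("bob-desktop", "dropper", {UNTRUSTED_BINARY})
    dropper.receive_from(browser)                 # fed by the browser's download
    results = {
        "editor_to_internet": ctl.handle(tag_request(editor, "203.0.113.10", 443)),
        "editor_to_fileserver": ctl.handle(tag_request(editor, "10.1.5.20", 445)),
        "browser_to_fileserver": ctl.handle(tag_request(browser, "10.1.5.20", 445)),
        "dropper_to_fileserver": ctl.handle(tag_request(dropper, "10.1.5.20", 445)),
        "dropper_to_internet": ctl.handle(tag_request(dropper, "198.51.100.7", 80)),
    }
    return results, ctl


if __name__ == "__main__":
    res, ctl = scenario()
    for name, ok in res.items():
        print(f"{name:24s} {'installed' if ok else 'denied'}")
```

Two things the example makes concrete. First, the decision is made in the network (the controller behind the first-hop switch), but its inputs come from the host, which is why the slide insists the tagging component be trusted: a host that can forge or drop its taint set defeats the check, and a request must be bound to a host identity the switch can verify rather than to a self-reported source address. Second, taint is cumulative across hops (`receive_from`), so a policy decision on one flow depends on what earlier flows delivered; the controller therefore needs the taint set at flow setup time, not just per packet.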