FI Research in China Jun Bi Tsinghua Univ./CERNET Beijing China
Outline: FI Research Overview in China –Domestic FI-related projects –International collaborations. Some FI Research in Tsinghua Univ. –OpenFlow Extension (OpenFlow+) for Intra-AS Source Address Validation –NDN Audio Conference Tool (collaborating with PARC/UCLA; see the SIGCOMM'11 ICN workshop paper) –Caching, test-bed, router, gateway…
Internet Development in China: The largest Internet population in the world –July 2011: 485 million Internet users in China –Still growing fast (only 36.2% of the population). The largest service providers in the world –China Telecom (largest ISP) –China Mobile (616 million users) –China Unicom. Giant Internet vendors –Huawei, ZTE, … Willing to try new technologies –IPv6, 3G (TD, W, 2000)
Domestic FI-related Projects in the 11th Five-Year Plan period (2006-2010) –MOST Trustworthy Internet: IPv6 Source Address Validation Architecture (SAVA); trustworthy ID based on SAVA; trustworthy applications; deployed in 100 university campus networks as a testbed –MOST NGB: deployed in the Shanghai region –CNGI: IPv4/IPv6 transition, …; the largest test-bed –Smaller NSFC projects –Mobile/wireless: 3G, 4G
Domestic FI-related Projects in the 12th Five-Year Plan period (2011-2015) –MOST Triple-Play Network –MOST Future Internet (planning): new network architecture, new network equipment, testbed –CENI infrastructure (planning): GENI-like –CNGI new phase (planning): mainly IPv6, and some FI –NSFC/973 New Network Architecture (CFP)
International Collaboration: with the USA –GENI/OpenFlow: CERNET signed an MOU with GENI and Stanford on IPv6 OpenFlow and source address validation; CANS to collaborate on OpenFlow research/testbed –NDN collaboration: Tsinghua Univ., CAS ICT, Huawei, … With Europe –OneLab and other FP7 project involvements. With CJK –CJK projects on network security/FI –AsiaFI
OpenFlow Extension (OpenFlow+) for Intra-AS Source Address Validation. Tsinghua University, China
Source Address Validation (SAV). Why SAV: in the current Internet architecture, packet forwarding is based only on the destination address. SAV is good for: anti-spoofing/network security; network management/traceback; network measurement; network accounting/billing. Why SAV is tough beyond the first hop: asymmetric routing and equal-cost multipath (ECMP); uRPF only makes its decision based on the local FIB. What we propose for intra-AS SAV –CPF (Calculation based forwarding)
Intra-AS Source Address Validation –A central control model in which a Calculated Path Forwarding (CPF) controller collects the forwarding information of every router in an AS, calculates all possible forwarding paths for every source address, and then issues filter rules (the result of the calculation) to the routers so they can verify the source address of packets.
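The following is an added toy model of the CPF calculation, not code from the slides or from the Tsinghua project: given each router's FIB (with several next hops where ECMP applies), it walks every forwarding path from a source prefix's origin router and derives the per-router ingress rules, and contrasts the result with strict uRPF on a constructed asymmetric topology. The topology, prefix names and rule format are assumptions.

```python
from collections import deque

# Constructed topology: links A-B, A-C, B-D, C-D. Prefix S is attached to A, prefix T to D.
# Routing is asymmetric: A reaches T via B and C (ECMP), but D reaches S only via C.
LINKS = {"A": ["B", "C"], "B": ["A", "D"], "C": ["A", "D"], "D": ["B", "C"]}
FIB = {  # router -> destination prefix -> list of next-hop routers ([] = directly attached)
    "A": {"S": [], "T": ["B", "C"]},
    "B": {"S": ["A"], "T": ["D"]},
    "C": {"S": ["A"], "T": ["D"]},
    "D": {"S": ["C"], "T": []},
}
ORIGIN = {"S": "A", "T": "D"}  # prefix -> router it is attached to

def cpf_allowed(prefix, fib, origin):
    """Return {router: set(ingress neighbours)} on which source `prefix` may legitimately
    arrive, by following every forwarding path (all next hops, every destination) from the
    prefix's origin router. This is the global calculation a CPF controller performs."""
    allowed = {r: set() for r in fib}
    allowed[origin[prefix]].add("local")  # directly attached subnet
    seen, q = set(), deque((origin[prefix], dst) for dst in origin if dst != prefix)
    while q:
        r, dst = q.popleft()
        for nh in fib[r][dst]:            # a packet (src=prefix, dst) at r goes to nh
            allowed[nh].add(r)            # so nh may see the prefix from neighbour r
            if (nh, dst) not in seen:
                seen.add((nh, dst))
                q.append((nh, dst))
    return allowed

def urpf_allowed(prefix, fib, origin):
    """Strict uRPF: accept the source only on the interfaces the local FIB uses to reach it."""
    allowed = {r: set(fib[r][prefix]) for r in fib}
    allowed[origin[prefix]].add("local")
    return allowed

def filter_rules(prefix, allowed, links):
    """Per-router ACL for the prefix: permit on computed ingress neighbours, deny elsewhere."""
    return {r: {n: ("permit" if n in allowed[r] else "deny") for n in links[r]} for r in links}

def urpf_false_positives(prefix, fib, origin):
    """(router, neighbour) pairs where strict uRPF would drop traffic that CPF proves valid."""
    cpf, urpf = cpf_allowed(prefix, fib, origin), urpf_allowed(prefix, fib, origin)
    return {(r, n) for r in fib for n in cpf[r] - urpf[r]}

if __name__ == "__main__":
    print(filter_rules("S", cpf_allowed("S", FIB, ORIGIN), LINKS))
    print("uRPF would wrongly drop:", urpf_false_positives("S", FIB, ORIGIN))
```

Router D sees legitimate S-sourced packets from B (the A-B-D path toward T) even though its own FIB points back to S via C; strict uRPF drops them, CPF permits them.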
CPF in the Current Network Architecture –SNMP: poll forwarding information, interface information and subnet information from the MIB to generate the global forwarding paths. –xFlow: sample packets through xFlow (NetFlow/sFlow) to validate the source address of the sampled packets. –Telnet: log on to the router and configure the ACL calculated by CPF.
Limitations of CPF in the current Internet architecture. The network device is not open and its interface is not standardized: -The ACL structure is not standardized, so we have to design for each vendor separately -The routing table/forwarding table is not open for modification from outside the router -The communication between the CPF controller and the device is inefficient -It may cause false negatives when the topology changes (because routing table changes cannot be reported to CPF in real time) -Telnet scripts cannot be smart enough
What OpenFlow brings to us. OpenFlow enables network innovation by: - The FlowTable and the OpenFlow protocol between controller and device implement standardized, open access to the network device. - User-defined new technology can easily be added to the controller as new components. - The centralized mode of OpenFlow makes functions based on global information possible.
What OpenFlow brings to us. [Figure: the device hardware is exposed through a Flow Table; the OpenFlow protocol sits between the control protocol and the device ("Hardware to OpenFlow").] Open and standard forwarding hardware; open and standard control interface; open and standard new protocol deployment.
CPF and OpenFlow: The central control architecture of OpenFlow matches CPF, which requires global information about an AS. The OpenFlow protocol can unify the three protocols (SNMP, xFlow and Telnet) used for communication between the CPF controller and the network device. Efficient control from outside the network device.
Challenges of Current OpenFlow: To adapt to all future protocols and different vendors, the flow table needs to be more open. Once a new innovation is mature enough, the controller needs to be implemented inside the device to improve efficiency. It is hard to pre-define all communication requirements between the controller and the device, so the OpenFlow protocol needs to be more open. OpenFlow needs to run in today's routers, which would make deployment low-cost and practical.
OpenFlow+. OpenFlow+ is an extension to the fundamental architecture of OpenFlow to make it more open, efficient, and low-cost: - 1: Flow Table Extension - 2: Distribution Mode Extension - 3: OpenFlow Protocol Extension - 4: Low-cost OpenFlow for today's routers (OpenRouter)
Extension 1: Flow Table Extension. [Figure: the Flow Table is split into Mandatory, Optional and Vendor-defined parts, sitting between the device hardware and the OpenFlow protocol/control protocol ("Hardware to OpenFlow").]
Extension 2: Distribution Mode Extension. [Figure: a second Flow Table is placed alongside the device's own protocols, giving three mappings: Hardware to OpenFlow, Protocol to OpenFlow, and Protocol to Protocol.]
Extension 3: OpenFlow Protocol Extension. In TLV format, each piece of data is organized as the triple (Type, Length, Value). TLVs can be used or arranged recursively: TLV Type (fixed length), TLV Length (fixed length), TLV Value (of TLV Length bytes).
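An added example, not the OpenFlow+ wire format itself: a minimal recursive TLV encoder/parser with the bounds checks a receiving controller or router needs. The 2-byte type, 2-byte length, network byte order, the "high type bit means nested container" rule and the filter-rule types are all assumptions made for the illustration.

```python
import struct

HDR = struct.Struct("!HH")   # assumed layout: 16-bit type, 16-bit length, network order
CONTAINER = 0x8000           # assumption: a set high bit marks a TLV whose value is itself TLVs

def encode(tlvs):
    """tlvs: list of (type, value); value is bytes, or a nested list for container types."""
    out = bytearray()
    for t, v in tlvs:
        body = encode(v) if t & CONTAINER else bytes(v)
        if len(body) > 0xFFFF:
            raise ValueError("value too long for the 16-bit length field")
        out += HDR.pack(t, len(body)) + body
    return bytes(out)

def decode(buf):
    """Parse buf into [(type, value)], recursing into containers.
    Every length field is checked against the bytes actually present before it is used,
    so a truncated or malformed message is rejected instead of being read past its end."""
    tlvs, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < HDR.size:
            raise ValueError(f"truncated TLV header at offset {pos}")
        t, n = HDR.unpack_from(buf, pos)
        pos += HDR.size
        if n > len(buf) - pos:
            raise ValueError(f"TLV type {t:#06x} claims {n} bytes, only {len(buf) - pos} remain")
        body = buf[pos:pos + n]
        tlvs.append((t, decode(body) if t & CONTAINER else body))
        pos += n
    return tlvs

# Constructed sample: one CPF filter rule (prefix, ingress port, action) carried as a
# container TLV; the type numbers are illustrative, not from any specification.
RULE = [(0x8001, [(0x0001, b"10.0.0.0/8"), (0x0002, struct.pack("!H", 3)), (0x0003, b"permit")])]

def roundtrip_ok():
    return decode(encode(RULE)) == RULE

def rejects_truncated():
    """A message cut one byte short must be refused, not partially accepted."""
    try:
        decode(encode(RULE)[:-1])
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(encode(RULE).hex(), roundtrip_ok(), rejects_truncated())
```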
Extension 4: Low-cost OpenFlow for today's routers (OpenRouter). OpenFlow+ in a commercial router: DCRS 5980/5950 routing switch, Digital China Company.
Extension 4: Low-cost OpenFlow for today's routers. [Figure slide]
Architecture of CPF based on OpenFlow+. [Figure: the CPF application runs on NOX and talks OpenFlow+ to OpenRouter.]
CPF Controller. [Figure: OpenRouters A to G connected to the CPF controller. Inside the controller, the CPF application on NOX/OpenFlow consists of a Network State Processor, a Sampling Packet Processor, a Filtering Rule Generator, a Validation Module and a Rule Adaptor, communicating through shared memory and sockets.]