Header Space Analysis: Static Checking for Networks Broadband Network Technology Integrated M.S. and Ph.D. Eun-Do Kim Network Standards Research Section.

Slides:



Advertisements
Similar presentations
Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
Advertisements

Path Splicing with Network Slicing
Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:
CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.
Delivery and Forwarding of
RIP V1 W.lilakiatsakun.
Chapter 9: Access Control Lists
An Overview of Software-Defined Network Presenter: Xitao Wen.
OpenFlow Costin Raiciu Using slides from Brandon Heller and Nick McKeown.
Header Space Analysis: Static Checking For Networks Peyman Kazemian, Nick McKeown (Stanford University) and George Varghese (UCSD and Yahoo Labs). Presented.
Software-Defined Networking, OpenFlow, and how SPARC applies it to the telecommunications domain Pontus Sköldström - Wolfgang John – Elisa Bellagamba November.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
An Overview of Software-Defined Network
Data Plane Verification. Background: What are network policies Alice can talk to Bob Skype traffic must go through a VoIP transcoder All traffic must.
A Scalable, Commodity Data Center Network Architecture.
An Overview of Software-Defined Network Presenter: Xitao Wen.
Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Formal checkings in networks James Hongyi Zeng with Peyman Kazemian, George Varghese, Nick McKeown.
Introduction to IT and Communications Technology Justin Champion C208 – 3292 Ethernet Switching CE
Chapter 4: Managing LAN Traffic
Software-Defined Networks Jennifer Rexford Princeton University.
Common Devices Used In Computer Networks
VeriFlow: Verifying Network-Wide Invariants in Real Time
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
Access Control List ACL. Access Control List ACL.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) Sriram Gopinath( )
 Network Segments  NICs  Repeaters  Hubs  Bridges  Switches  Routers and Brouters  Gateways 2.
IP Forwarding.
Chapter 6 – Connectivity Devices
Company LOGO Networking Components Hysen Tmava LTEC 4550.
Chapter 6 Delivery and Forwarding of IP Packets
The Network Layer Introduction  functionality and service models Theory  link state and distance vector algorithms  broadcast algorithms  hierarchical.
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 7 Internet Protocol (IP) Routing.
15.1 Chapter 15 Connecting LANs, Backbone Networks, and Virtual LANs Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 6: Static Routing Routing and Switching Essentials.
Networks and Protocols CE Week 7b. Routing an Overview.
SDN AND OPENFLOW SPECIFICATION SPEAKER: HSUAN-LING WENG DATE: 2014/11/18.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) Sriram Gopinath( )
1 Data Link Layer Lecture 23 Imran Ahmed University of Management & Technology.
Star Topology Star Networks are one of the most common network topologies. consists of one central switch, hub or computer, which acts as a conduit to.
1 © 2004, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.1 Module 3 EIGRP.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.0 Module 3 EIGRP.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 6: Static Routing Routing and Switching Essentials.
Jennifer Rexford Princeton University MW 11:00am-12:20pm SDN Programming Languages COS 597E: Software Defined Networking.
+ Routing Concepts 1 st semester Objectives  Describe the primary functions and features of a router.  Explain how routers use information.
Jennifer Rexford Princeton University MW 11:00am-12:20pm Data-Plane Verification COS 597E: Software Defined Networking.
Fabric: A Retrospective on Evolving SDN Presented by: Tarek Elgamal.
A Classification for Access Control List To Speed Up Packet-Filtering Firewall CHEN FAN, LONG TAN, RAWAD FELIMBAN and ABDELSHAKOUR ABUZNEID Department.
Preliminaries: EE807 Software-defined Networked Computing KyoungSoo Park Department of Electrical Engineering KAIST.
Chapter 3 Part 1 Switching and Bridging
InterVLAN Routing 1. InterVLAN Routing 2. Multilayer Switching.
SDN controllers App Network elements has two components: OpenFlow client, forwarding hardware with flow tables. The SDN controller must implement the network.
SDN Network Updates Minimum updates within a single switch
University of Maryland College Park
Martin Casado, Nate Foster, and Arjun Guha CACM, October 2014
IP (slides derived from past EE122 sections)
Chapter 4 Data Link Layer Switching
Chapter 6: Network Layer
Introduction to Networking
Virtual LANs.
Chapter 4: Access Control Lists (ACLs)
Software Defined Networking (SDN)
Chapter 2: Static Routing
Lecture 10, Computer Networks (198:552)
OpenSec:Policy-Based Security Using Software-Defined Networking
An Introduction to Software Defined Networking and OpenFlow
Chapter 4: outline 4.1 Overview of Network layer data plane
Presentation transcript:

Header Space Analysis: Static Checking for Networks Broadband Network Technology Integrated M.S. and Ph.D. Eun-Do Kim Network Standards Research Section Protocol Engineering Center Software-Defined Networked Computing

Contents 1. Introduction 2. Modeling of Header Space Analysis 3. Using Header Space Analysis 4. Evaluation 5. Conclusions Software-Defined Networked Computing 2

SDN Architectures Software-Defined Networked Computing 3 - Application Layer / Control Layer / Infrastructure Layer are separated. Reference [3], Software-Defined Networking: The New Norm for Networks, ONF, p. 7, Figure 1. Software-Defined Network Architecture. According to policies of the Application Layer, the Control Layer manages the Infrastructure Layer which is connected to the Control Layer own. Animation Slide -It may be shown as wrong in printouts.-

Software-Defined Networked Computing 4 Packet Processing - Reactive - If table-miss occurs, Controller OpenFlow Switch #1 Secure Channel Flow Tables - Flow Entries Host … OpenFlow Switch #2 Secure Channel Flow Tables - Flow Entries Host … Table- miss packet-in Message New Flow Entry New Packe t → then an incoming packet is processed by interacting with a controller. Animation Slide -It may be shown as wrong in printouts.-

Application Conflicts Software-Defined Networked Computing 5 - We assume that each application on OpenFlow controller works well. OpenFlow Switch OpenFlow Controller e.g., NOX, Floodlight, OpenDaylight, IRIS, etc. Application 1 e.g., Shortest Path Routing Application 2 e.g., Firewall Application 3 e.g., NAT OpenFlow Switch Works well! → Mixture of applications -> Network problems e.g., reachability problems, forwarding loops, traffic isolation, etc. Application Conflicts! Animation Slide -It may be shown as wrong in printouts.-

Historical Views of Problems (1/2) Software-Defined Networked Computing 6 - In the beginning, a switch or router was simple. → Simple forwarding task : Index into a forwarding table -> Output port - Today, however, → forwarding grew more complicated. → many protocols operate concurrently. : e.g., MPLS, NAT, ACLs, etc.

Historical Views of Problems (2/2) Software-Defined Networked Computing 7 - This complexity makes it hard to operate a large network today. → Network operators have to manage so many interacting protocols. → Trying new protocols is hard. → Hosts can be unable to communicate. Especially, debugging reachability problems is very time consuming.

Software-Defined Networked Computing 8 Reachability Problems - Simple Example → Simple, but hard to answer! Reference [4], Google Image Search. We need an easy way to solve these problems.

Previous Works Software-Defined Networked Computing 9 - There are very few existing network management tools. → However, the existing tools are protocol-dependent. : e.g., reachability only, IP connectivity only, firewall configuration only, or routing failures only

Header Space Analysis Software-Defined Networked Computing 10 - Header Space Analysis (HSA) → is a general framework. → provides a tool for checking networks. → provides a protocol-independent way. - HSA allows network operators to check several network failures. → e.g., reachability failures, forwarding loops, and traffic isolation and leakage problems

Goals of HSA Software-Defined Networked Computing 11 - To analyze networks. - To guarantee isolation. - To enable a analysis of networks slice. → HSA provides answers to solve failure conditions. → HSA runs regardless of protocols. → HSA can verify that slices have been correctly configured. → Each slice has its own control plane to decide a packet processing.

Contents 1. Introduction 2. Modeling of Header Space Analysis 3. Using Header Space Analysis 4. Evaluation 5. Conclusions Software-Defined Networked Computing 12

Software-Defined Networked Computing 13 - A header space is defined

Software-Defined Networked Computing 14 - For the HSA modeling, → Switches -> A set of boxes → Ports -> External interfaces Reference [1], Figure 1 (part).

Software-Defined Networked Computing 15

Software-Defined Networked Computing 16

Software-Defined Networked Computing 17 → To model bidirectional links, one rule should be added per direction.

Multi-hop Packet Traverse Software-Defined Networked Computing 18

Contents 1. Introduction 2. Modeling of Header Space Analysis 3. Using Header Space Analysis 4. Evaluation 5. Conclusions Software-Defined Networked Computing 19

Simple Example of an IPv4 Router Software-Defined Networked Computing 20 - A process of an IPv4 router is like this. 1) Rewrite source and destination MAC addresses. 2) Decrement TTL. 3) Update checksum. 4) Forward to outgoing port.

Reachability Analysis (1/2) Software-Defined Networked Computing 21 - HSA considers a space of all headers leaving a source, → then track this space along a path to a destination. - At the destination, if no header space remains, → then the two hosts cannot communicate.

Reachability Analysis (2/2) Software-Defined Networked Computing 22 - An example of the reachability analysis for a small example network

Loop Detection Software-Defined Networked Computing 23 - A loop occurs when a packet returns to a port that it has visited earlier. → HSA reports the loop when the test packet header returns to a port that it was injected from.

Slice Isolation & Leakage Detection Software-Defined Networked Computing 24 - A common requirement of isolation is that → a traffic stays within its slice. → a traffic not leaks to another slice. - HSA can detect when slices are leaking traffic.

Contents 1. Introduction 2. Modeling of Header Space Analysis 3. Using Header Space Analysis 4. Evaluation 5. Conclusions Software-Defined Networked Computing 25

Experiment Environments Software-Defined Networked Computing 26 - They benchmarked the performance on Stanford backbone network. → Reachability and loop detection on an enterprise network → Slice isolation on random slices - Details → Macbook Pro with : CPU: Intel core i7, 2.66Ghz quad core (only two cores were used) : RAM: 4GB → 14 operational zone routers, 10 switches, and 2 backbone routers → More than 757,000 forwarding rules with 1,500 ACL rules

Loop Detection Software-Defined Networked Computing 27 - The backbone network topology of Stanford University → 26 loops were found from 30 ports within 560 seconds. Reference [1], Figure 7. Topology of Stanford University’s backbone network and 3 types of loops detected using Hassel. Overall, we found 26 loops on 14 loop paths. 10 of these loops, caused by packets destined to 10 IP addresses, are infinite loops masked by bridge learning. 16 other loops are single round loops.

Checking Slice Isolation Software-Defined Networked Computing 28 - When creating a slice- Whenever a rewrite action is added (Left) Reference [1], Figure 8. The time it takes to check if a new slice is isolated from other slices at reservation time. (Right) Reference [1], Figure 9. The time it takes to determine whether a new rewrite action will cause packets to leak between slices. → HSA can be a feasible model to check slice isolation in real networks.

Contents 1. Introduction 2. Modeling of Header Space Analysis 3. Using Header Space Analysis 4. Evaluation 5. Conclusions Software-Defined Networked Computing 29

Conclusions Software-Defined Networked Computing 30 - Header Space Analysis is a general framework which can check network failures in a protocol-independent way. → e.g., reachability failures, forwarding loops, and traffic isolation and leakage problems - By parsing forwarding and configuration tables automatically, Header Space Analysis can be used in existing complex networks. → It can give network operators a confidence to adopt new protocols, or new slicing mechanisms.

VeriFlow Software-Defined Networked Computing 31 - VeriFlow is a tool for verifying network-wide invariants in real time. → It is focused on an extremely low latency. - VeriFlow is a layer between an SDN controller and OpenFlow switches. → It checks the network violations only when each flow entry rule is inserted, modified or deleted. - VeriFlow do not check the entire network on each change. → It only consider a new rule with existing overlapping rules.

Discussion Points Software-Defined Networked Computing 32 - While Header Space Analysis tells us network failures, it does not tell us where that flow entry came from. → Is there any idea? - Even if forwarding tables are consistent, Header Space Analysis offers no alternatives as to whether forwarding is efficient. → Is there any method for this? - An operation of Header Space Analysis is based on L2 and L3 layers only. → If it supports L4 or higher layers, what benefits can we take?

References [1] Peyman Kazemian, George Varghese, and Nick McKeown, “Header Space Analysis: Static Checking for Networks,” NSDI'12, [2] OpenFlow Switch Specification Version 1.4.0, ONF (Open Networking Foundation), Available: October [3] Software-Defined Networking: The New Norm for Networks, ONF (Open Networking Foundation), Available: April [4] Google. [Online]. Available: Software-Defined Networked Computing 33

Thanks for Attention! Q & A ? Eun-Do Kim Software-Defined Networked Computing

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.