Presentation is loading. Please wait.

Presentation is loading. Please wait.

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) Sriram Gopinath(1203800749)

Published byTracey Strickland Modified over 8 years ago

Similar presentations

Presentation on theme: "Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) Sriram Gopinath(1203800749)"— Presentation transcript:

1 Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) Sriram Gopinath(1203800749)

2 Outline Introduction Status Report Proposed Solution Expected Results Progression Plan

3 Status Proposed Status Implement an Open flow switch on the NetFPGA platform Current Status Compilation, installation and the Configuration of Open flow switch on the NetFPGA platform and dependencies Tasks Completed : NetPFGA 2.1.9 configuration Open Flow switch 1.0.0 configuration Regression Test on the Openflow switch

4 Introduction Traffic Management Applications – To block or monitor the malicious traffic – To avoid VLan Hopping Attack

5 1. Monitoring Malicious Traffic Rules: Incoming packet’s Source IP will be verified with the Black listed IP list Outgoing packet’s Destination IP will be verified with the Black listed IP list Source of Black List IP address: – Verisign – Zeus Black Listed IP address – Bot hunter BlackList We will drop the packet if there is a match – This is achieved by leaving the Action field in the Flow table empty after processing the packet against the above specified rules

6 2.What is a VLAN hopping attack? This is computer security exploit, a method of attacking networked resources on a VLAN A double tagging attack, an attacking host prepends two VLAN tags to packets that it transmits. The first header (which corresponds to the VLAN that the attacker is really a member of) is stripped off by a first switch the packet encounters, and the packet is then forwarded. The second, false, header is then visible to the second switch that the packet encounters. This false VLAN header indicates that the packet is destined for a host on a second, target VLAN. The packet is then sent to the target host as though it were layer 2 traffic. By this method, the attacking host can bypass layer 3 security measures that are used to logically isolate hosts from one another.

7 Avoid VLan Hopping Attack Proposed Plan: Uniquely identify frame based on identifier and transmit it to the switch Identifier a. Fields to be used for hashing Timestamp, Source Mac address, Ether Type b. Hash Algorithm Squash Method to transfer the Identifier – 802.1Q Header

8 Generating Hash Below format is used to generate the hash value To prove the integrity of the Origin we can use Squash Hash [ Secrete Key, {TimeStamp  (Source Mac || Ether Type)} ] To prove the integrity of entire frame between the host and the switch we can use MD5 Hash [ Secrete Key, {TimeStamp  (Entire Frame)}

9 Normal Ethernet Header Format Destination MAC address Source Mac address 802.1Q Header EtherType Modified Ethernet Header Format We will be modifying the Ethernet Header into below format. We will use the 802.1Q Header to determine the length of the Ethernet frame Two more fields are introduce: Time Stamp Hash Value Frame Structure

10 To Transmit Hash Value We plan to use 802.1Q Header to include the hash value into the packet. This header defines the various fields. 802.1Q Header VLAN Identifier (VID): a 12-bit specifying the VLAN to which the frame belongs. If set to 0 then it is an untagged packet (no VLAN) Canonical Format Indicator (CFI): a 1-bit field. If the value of this field is 1, the MAC address is in non-canonical format. Priority Code Point (PCP) - prioritize different classes of traffic (voice, video, data) TPID define the type (how many bits are used) of 802.1Q Headers - for IPv4 packet the Ether Type field is set to 0x0800 - for Vlan packet the Ether Type field is set to 0x8100 Similarly we will be implementing procedure to incorporate a new Ether Type value which will intimate the switch about the various fields present in the Ethernet header

11 OpenFlow Spec Flowchart showing how header fields are parsed for matching.

12 FLOW TABLE ENTRIES Include new Field in the Flow table For each packet Hash Value will be generated using the Key in the flow table. Compare this value with the value in the packet If equal then the packet will be processed else will be dropped If there is a replay attack then all the fields in the Flow table will be matched including the Key which indicates that this is a false packet. hence the packet will be dropped If the Vlan ID in Ethernet frame is modified by an attacker the packet will be dropped as the hash value will not match key

13 Alternative Solution Key Chain Based Initially the source will generate the hash value using squash algorithm and the switch will verify the same. Hash [ Secrete Key, {(Destination|| Ether Type)  (Source Mac || Ether Type)} ] And for the rest of the packets this hash value will be used as the key to generate next hash value. Hash n [ Secrete Key, {(Hash n-1  (Source Mac || Ether Type)} ] Problem would occur when the packets are not transmitted in sequence. This can be addressed by using sequence number field in the TCP header to identify the packet. Since using H n we can derive H n+m, we can derive the hash value of all the following packets. Also markers can be used to reduce the load of computation.

14 Progression Plan To implement Open Flow Switch with basic Firewall functionality by March 26th Provide remediation to VLAN hopping attack by April 26th Expected Result Making a switch to act as a basic firewall Prevent VLAN hopping attack PLAN and EXPECTED RESULT

15 OpenFlowSwitch-NetFPGA- TrafficMgmt http://openflowswitch-netfpga-trafficmgmt.wikispaces.asu.edu/

Download ppt "Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) Sriram Gopinath(1203800749)"

Similar presentations

Access Control List (ACL)

Access Control List (ACL)
Communication Networks Recitation 3 Bridges & Spanning trees.

Communication Networks Recitation 3 Bridges & Spanning trees.
Programming Protocol-Independent Packet Processors

Programming Protocol-Independent Packet Processors
Delivery and Forwarding of

Delivery and Forwarding of
Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv4 20.3 IPv6.

Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.
IPv4 - The Internet Protocol Version 4

IPv4 - The Internet Protocol Version 4
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.

1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
OpenFlow overview Joint Techs Baton Rouge. Classic Ethernet Originally a true broadcast medium Each end-system network interface card (NIC) received every.

OpenFlow overview Joint Techs Baton Rouge. Classic Ethernet Originally a true broadcast medium Each end-system network interface card (NIC) received every.
Fundamentals of Computer Networks ECE 478/578 Lecture #13: Packet Switching (2) Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.

Fundamentals of Computer Networks ECE 478/578 Lecture #13: Packet Switching (2) Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
Oct 12, 2004CS573: Network Protocols and Standards1 Virtual LANs Network Protocols and Standards Autumn 2004-2005.

Oct 12, 2004CS573: Network Protocols and Standards1 Virtual LANs Network Protocols and Standards Autumn
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Flowspace revisited OpenFlow Basics Flow Table Entries Switch Port MAC src MAC dst Eth type VLAN ID IP Src IP Dst IP Prot L4 sport L4 dport Rule Action.

Flowspace revisited OpenFlow Basics Flow Table Entries Switch Port MAC src MAC dst Eth type VLAN ID IP Src IP Dst IP Prot L4 sport L4 dport Rule Action.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) SriramGopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) Sriram Gopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) Sriram Gopinath( )
ECE 526 – Network Processing Systems Design Packet Processing II: algorithms and data structures Chapter 5: D. E. Comer.

ECE 526 – Network Processing Systems Design Packet Processing II: algorithms and data structures Chapter 5: D. E. Comer.
Jan 10, 2008CS573: Network Protocols and Standards1 Virtual LANs Network Protocols and Standards Winter 2007-2008.

Jan 10, 2008CS573: Network Protocols and Standards1 Virtual LANs Network Protocols and Standards Winter
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.

Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.
Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.

Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.
Connecting LANs, Backbone Networks, and Virtual LANs

Connecting LANs, Backbone Networks, and Virtual LANs

Similar presentations

Ads by Google