802.1X and Faucet. Michael Baird, Michael.Baird@ecs.vuw.ac.nz. FAUCET Conference, 19-10-2017.


  1. 802.1X and Faucet Michael Baird Michael.Baird@ecs.vuw.ac.nz 19-10-2017 FAUCET Conference

  2. Outline
     • Introduction to 802.1X
     • Design
     • Implementation
     • Example configs/demo
     • Future work

  3. Introduction – IEEE 802.1X
     • Port-Based Network Access Control
     • Framework for EAP
     • Wired/WiFi
     Diagram: Supplicant (client) <-> Authenticator (switch) <-> Authentication Server (RADIUS server)

  4. Design Goals
     • NFV-ed 802.1X
     • Switch doesn’t need to support 1X
     • Any RADIUS server
     • >25 EAP methods
     • Fail secure

  5.-10. Implementation (architecture diagrams; the only labels recoverable from slide 8 are Supplicants, Authenticator and Authentication Server)

  11. Implementation – Interprocess Communication
     hostapd <-> Auth_App: UNIX socket, same machine
       • Receive events on station state (Success, Logoff, …)
       • Request client data (Username, ACL names, …)
     Auth_App <-> Faucet: UDP socket, over the network
       • To Faucet: config file & SIGHUP; ACLs to apply
       • From Faucet: Prometheus; MAC – port learning table changes

  12. Implementation – 1X Redirect #1 (client initiates authentication)
     Before rewrite: Eth_src: C, Eth_dst: 1X (the 802.1X group address), Eth_type: 1X
     After rewrite:  Eth_src: C, Eth_dst: H (hostapd), Eth_type: 1X

  13. Implementation – 1X Redirect #2 (client implicit authentication request)
     Before rewrite: Eth_src: C, Eth_dst: B (broadcast), Eth_type: DHCP
     After rewrite:  Eth_src: C, Eth_dst: H (hostapd), Eth_type: DHCP

  14. Implementation – 1X Redirect #2 (client implicit authentication request), continued
     hostapd replies: Eth_src: H, Eth_dst: C, Eth_type: 1X (delivered to the client unchanged)
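The two redirect cases above, expressed as the frame-rewrite policy the per-port ACL implements: EAPOL from the client is steered to hostapd (case #1), an authenticated MAC's traffic is forwarded, and any other frame from a not-yet-authenticated MAC (the DHCP broadcast is one instance) is steered to hostapd so it can answer with EAP-Request/Identity (case #2). This is an added example, not code from the slides, Faucet or hostapd. The hostapd MAC 44:44:44:44:44:44 is the one used on the base-acls.yaml slide later in the deck; the client MAC, the EAPOL-Start and the IPv4 broadcast stand-in for DHCP are constructed here.

```python
import struct

ETH_P_EAPOL = 0x888E                             # "1X" ethertype on the slides
ETH_P_IPV4 = 0x0800
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address EAPOL-Start goes to
BROADCAST = bytes.fromhex("ffffffffffff")        # "B" on the slides

# Assumed addresses: "H" (hostapd, same value as the base-acls.yaml slide) and a client "C".
HOSTAPD_MAC = bytes.fromhex("444444444444")
CLIENT_MAC = bytes.fromhex("000000000001")

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2   # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE = 1, 2                        # EAP codes
EAP_TYPE_IDENTITY = 1


def parse_eth(frame):
    """Split an Ethernet II frame into (dst, src, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, etype, frame[14:]


def rewrite_dst(frame, new_dst):
    """The 'output: dl_dst' rewrite Faucet applies on the way to hostapd."""
    return new_dst + frame[6:]


def redirect_policy(frame, authenticated, hostapd_mac=HOSTAPD_MAC):
    """What the per-port base ACL does with an ingress frame from a client port.

    EAPOL always goes to hostapd (case #1); an authenticated MAC's traffic is
    forwarded; anything else (case #2, e.g. the DHCP broadcast) is steered to
    hostapd so it can start EAP.  Returns (action, frame_to_output).
    """
    _dst, src, etype, _payload = parse_eth(frame)
    if etype == ETH_P_EAPOL:
        return "eapol-to-hostapd", rewrite_dst(frame, hostapd_mac)
    if src in authenticated:
        return "forward", frame
    return "unauthenticated-to-hostapd", rewrite_dst(frame, hostapd_mac)


def build_eapol_start(client_mac):
    """EAPOL-Start as a supplicant sends it (redirect case #1); constructed."""
    eapol = struct.pack("!BBH", 2, EAPOL_START, 0)          # version 2, type Start, no body
    return PAE_GROUP_ADDR + client_mac + struct.pack("!H", ETH_P_EAPOL) + eapol


def build_ipv4_broadcast(client_mac):
    """Stand-in for the client's DHCP Discover (constructed; the policy does not inspect the body)."""
    return BROADCAST + client_mac + struct.pack("!H", ETH_P_IPV4) + bytes(20)


def build_eap_request_identity(client_mac, identifier, hostapd_mac=HOSTAPD_MAC):
    """EAP-Request/Identity from hostapd to the client (the reply shown on the next slide)."""
    eap = struct.pack("!BBHB", EAP_REQUEST, identifier, 5, EAP_TYPE_IDENTITY)  # code, id, length, type
    eapol = struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(eap)) + eap
    return client_mac + hostapd_mac + struct.pack("!H", ETH_P_EAPOL) + eapol


def parse_eapol(frame):
    """Parse the EAPOL header and, for EAP-Packet frames, the EAP header."""
    dst, src, etype, payload = parse_eth(frame)
    if etype != ETH_P_EAPOL or len(payload) < 4:
        raise ValueError("not an EAPOL frame")
    version, ptype, length = struct.unpack("!BBH", payload[:4])
    info = {"dst": dst, "src": src, "version": version, "type": ptype, "length": length}
    body = payload[4:4 + length]
    if ptype == EAPOL_EAP_PACKET and len(body) >= 5:
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        info.update(code=code, identifier=ident, eap_length=eap_len, eap_type=body[4])
    return info


if __name__ == "__main__":
    for name, frame in (("EAPOL-Start", build_eapol_start(CLIENT_MAC)),
                        ("DHCP broadcast", build_ipv4_broadcast(CLIENT_MAC))):
        action, out = redirect_policy(frame, authenticated=set())
        print(name, "->", action, "dst now", out[:6].hex(":"))
    print(parse_eapol(build_eap_request_identity(CLIENT_MAC, 1)))
```

Only the destination MAC changes; the source MAC and ethertype survive the rewrite, which is what lets hostapd learn the supplicant's address from the redirected frame and address the EAP-Request/Identity straight back to it.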

  15. Implementation - ACLs
     • Matches: Ethernet, VLAN, IP, TCP/UDP, …
     • Actions: drop, allow, output port, mirror, change VLAN, …
     faucet.yaml:
       acls:
         no_smtp:
           - rule:
               dl_src: 00:00:00:00:00:01
               dl_type: 0x800     # ipv4
               nw_proto: 6        # tcp
               tcp_dst: 25        # smtp
               actions:
                 allow: 0         # drop
           - rule:
               dl_src: 00:00:00:00:00:01
               dl_type: 0x86dd    # ipv6
               nw_proto: 6        # tcp
               tcp_dst: 25        # smtp
               actions:
                 allow: 0         # drop

  16. Implementation - ACLs
     • Each port has a unique ACL, named port_<dp name>_<port #>
     faucet.yaml (continued):
       faucet-1:
         interfaces:
           1:
             name: network
             native_vlan: 100
           2:
             name: h0
             native_vlan: 100
             acl_in: port_faucet-1_3
           3:
             name: h1
             native_vlan: 100
             acl_in: port_faucet-1_4
           4:
             name: hostapd
             native_vlan: 100

  17. Implementation - ACLs (config pipeline)
     • rules.yaml: defines the high-level ACLs; maps the user's RADIUS attribute to them
     • base-acls.yaml: static ACLs + marker
     • faucet-acls.yaml: dynamic rules + static ACLs + authentication state
     • faucet: updates the OpenFlow tables

  18. Implementation - ACLs
     • RADIUS attribute: Vendor-Specific “Faucet-ACL-Names”
     • List of ACL names
     • Limited to 255 characters
     • Applied in list order (first = highest priority)
     • e.g. “No-SMTP, No-SSH, No-ICMP, Allow-All”
     • e.g. “Student”

  19. Implementation - ACLs (rules.yaml)
     • Matches: Ethernet, VLAN, IP, TCP/UDP, …
     • Actions: drop, allow, output port, mirror, change VLAN, …
     • Runtime insertion of the authenticated client's username & MAC address
     • Rule lists have two ‘types’:
       - Runtime auth port (_auth-port_): apply the rules to the ACL that belongs to the port the authentication occurred on
       - ACL name: any other Faucet ACL
     • YAML anchors
     rules.yaml:
       acls:
         no-smtp:
           _auth-port_:
             - rule:
                 _name_: _user-name_
                 _mac_: _user-mac_
                 dl_src: _user-mac_
                 dl_type: 0x800     # ipv4
                 nw_proto: 6        # tcp
                 tcp_dst: 25        # smtp
                 actions:
                   allow: 0         # drop
           port_faucet-1_3:
             - rule:
                 _name_: _user-name_
                 _mac_: _user-mac_
                 dl_dst: _user-mac_
                 dl_type: 0x800     # ipv4
                 actions:
                   allow: 1         # allow

  21. Implementation - ACLs (rules.yaml with YAML anchors; same bullets as slide 19)
     rules.yaml:
       acls:
         block-smtp: &block-smtp
           - rule:
               _name_: _user-name_
               _mac_: _user-mac_
               dl_src: _user-mac_
               dl_type: 0x800     # ipv4
               nw_proto: 6        # tcp
               tcp_dst: 25        # smtp
               actions:
                 allow: 0         # drop
       …
       acls:
         student:
           _auth-port_:
             - *block-smtp
             - *block-ssh
             - *allow-all

  22. Implementation - ACLs (base-acls.yaml, ‘Base-ACLs’)
     • Base-ACLs -> Faucet-ACLs
     • Marker (authed-rules): where new rules (host authorisation) are applied
     • State of which rules belong to which user & MAC
     • Allows YAML anchors
     base-acls.yaml:
       acls:
         port_faucet-1_4:
           - rule:
               dl_type: 0x888e
               actions:
                 allow: 1
                 output:
                   dl_dst: '44:44:44:44:44:44'
           - authed-rules
           - rule:
               _name_: michael
               _mac_: '00:00:00:00:00:01'
               dl_dst: '00:00:00:00:00:01'
               dl_type: 0x800     # ipv4
               actions:
                 allow: 1         # allow
           - rule:
               actions:
                 allow: 1
                 output:
                   dl_dst: '44:44:44:44:44:44'

  23. Fail Secure
     • Faucet: the network should stay the same.
     • auth_app: either reset the config or reload the last good one.
     • Switch: Faucet applies the latest config.
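The ACL pipeline on slides 17 to 23 worked through in Python: rules.yaml templates with the _user-name_/_user-mac_ placeholders, the _auth-port_ target versus a named ACL target, the Faucet-ACL-Names attribute with its 255-character limit and first-is-highest-priority order, insertion after the authed-rules marker of the base ACL, removal of a user's rules on logoff, and the fail-secure rule that the last good config is only replaced by one that builds and validates. This is an added example, not code from the slides, Faucet or the Auth_App. The rule templates (no-smtp, no-ssh, allow-all, student) are constructed stand-ins for rules.yaml, YAML is modelled as plain dicts and lists so the example runs without PyYAML, and normalising ACL names to lower case is an assumption of this example.

```python
import copy

MARKER = "authed-rules"              # list item in base-acls.yaml after which user rules go
HOSTAPD_MAC = "44:44:44:44:44:44"    # hostapd's MAC from the base-acls.yaml slide
PLACEHOLDERS = ("_user-name_", "_user-mac_")


def _user_rule(**fields):
    """A rules.yaml-style rule tagged with its owner's _name_/_mac_ (constructed)."""
    rule = {"_name_": "_user-name_", "_mac_": "_user-mac_"}
    rule.update(fields)
    return {"rule": rule}


# Constructed stand-in for rules.yaml: ACL name -> {target: rule list}.  A target of
# "_auth-port_" means the ACL of the port the user authenticated on; any other target
# is the name of another Faucet ACL.
RULES = {
    "no-smtp": {"_auth-port_": [
        _user_rule(dl_src="_user-mac_", dl_type=0x800, nw_proto=6, tcp_dst=25, actions={"allow": 0}),
        _user_rule(dl_src="_user-mac_", dl_type=0x86dd, nw_proto=6, tcp_dst=25, actions={"allow": 0}),
    ]},
    "no-ssh": {"_auth-port_": [
        _user_rule(dl_src="_user-mac_", dl_type=0x800, nw_proto=6, tcp_dst=22, actions={"allow": 0}),
    ]},
    "allow-all": {"_auth-port_": [
        _user_rule(dl_src="_user-mac_", actions={"allow": 1}),
        _user_rule(dl_dst="_user-mac_", actions={"allow": 1}),
    ]},
}
# "student" is composed from the others, which is what the YAML anchors on the slides do.
RULES["student"] = {"_auth-port_": RULES["no-smtp"]["_auth-port_"]
                    + RULES["no-ssh"]["_auth-port_"] + RULES["allow-all"]["_auth-port_"]}


def base_port_acl():
    """Per-port base ACL as on the base-acls.yaml slide: EAPOL to hostapd, the marker,
    then a catch-all that steers everything else to hostapd."""
    return [
        {"rule": {"dl_type": 0x888e, "actions": {"allow": 1, "output": {"dl_dst": HOSTAPD_MAC}}}},
        MARKER,
        {"rule": {"actions": {"allow": 1, "output": {"dl_dst": HOSTAPD_MAC}}}},
    ]


def parse_acl_names(attr):
    """Faucet-ACL-Names VSA: comma-separated, at most 255 characters, first = highest priority."""
    if len(attr) > 255:
        raise ValueError("Faucet-ACL-Names longer than 255 characters")
    names = [n.strip().lower() for n in attr.split(",") if n.strip()]   # lower-casing is assumed
    if not names:
        raise ValueError("Faucet-ACL-Names is empty")
    return names


def render(obj, username, mac):
    """Substitute _user-name_ / _user-mac_ anywhere inside a rule."""
    if isinstance(obj, dict):
        return {k: render(v, username, mac) for k, v in obj.items()}
    if isinstance(obj, list):
        return [render(v, username, mac) for v in obj]
    return {"_user-name_": username, "_user-mac_": mac}.get(obj, obj) if isinstance(obj, str) else obj


def validate(acls):
    """Reject a candidate config with a missing or duplicated marker, an action-less rule,
    or an unrendered placeholder, any of which could leave a port open or break Faucet."""
    for name, acl in acls.items():
        if acl.count(MARKER) != 1:
            raise ValueError("%s: marker must appear exactly once" % name)
        for entry in acl:
            if entry == MARKER:
                continue
            rule = entry["rule"]
            if rule.get("actions", {}).get("allow") not in (0, 1):
                raise ValueError("%s: rule without an allow action" % name)
            if any(isinstance(v, str) and v in PLACEHOLDERS for v in rule.values()):
                raise ValueError("%s: unrendered placeholder" % name)


def authorize(acls, port_acl, username, mac, acl_names, rules=RULES):
    """Return a new ACL set with the user's rules inserted after the marker in
    Faucet-ACL-Names order (first name ends up highest).  `acls` is not mutated."""
    new = copy.deepcopy(acls)
    cursors = {}                                    # per-ACL insert position, advances as we go
    for name in acl_names:
        if name not in rules:
            raise ValueError("unknown ACL name %r" % name)
        for target, rule_list in rules[name].items():
            acl_name = port_acl if target == "_auth-port_" else target
            acl = new[acl_name]
            cursor = cursors.get(acl_name, acl.index(MARKER) + 1)
            for rule in rule_list:
                acl.insert(cursor, render(rule, username, mac))
                cursor += 1
            cursors[acl_name] = cursor
    validate(new)
    return new


def deauthorize(acls, username, mac):
    """Drop every rule owned by this user (hostapd Logoff event); the ownership tags make this exact."""
    new = copy.deepcopy(acls)
    for acl in new.values():
        acl[:] = [e for e in acl if e == MARKER
                  or (e["rule"].get("_name_"), e["rule"].get("_mac_")) != (username, mac)]
    return new


def apply_authorization(current, port_acl, username, mac, attr):
    """Fail secure: replace the last-known-good config only if the new one builds and validates."""
    try:
        return authorize(current, port_acl, username, mac, parse_acl_names(attr)), True
    except (ValueError, KeyError):
        return current, False   # a real auth_app would log this and keep serving the old config
```

Because authorize and deauthorize return a fresh config instead of mutating the one in use, "reload the last good config" on the fail-secure slide is just keeping the old object: a malformed attribute, an unknown ACL name or an ACL without a marker leaves the port exactly as it was, still steering everything to hostapd.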

  24. Example (diagram)

  25. Demo
     • H1 windows for ping.
     • H1 windows for running logon and logoff.
     • Wireshark on all switch interfaces, showing the MAC rewrite.
     • Bring up the changed base ACL / original.

  26. Future Work
     • Link state events
     • Flexibility
     • Single authentication server for many switches
     • RADIUS Accounting
     • PacketFence (dynamically allocate to VLANs)
     • MACsec (offload crypto to the NFV host)
     • Richer ACLs (VUW policy language)

  27. Thanks

  28. References & Links
     hostapd: https://github.com/Bairdo/hostapd-d1xf/tree/faucet-tests and https://w1.fi/hostapd/
     Auth_App/Faucet: https://github.com/Bairdo/faucet/tree/radius-acls

  29. Extra Slides

  30. Link State Events
     • Listen for Ryu link event messages
     • Switch port goes down: everyone on that port should reauthenticate
