Enabling Practical SDN Security Applications with OFX (The OpenFlow eXtension Framework). John Sonchack, Adam J. Aviv, Eric Keller, and Jonathan M. Smith.
Outline: Introduction; Overview of OFX; Using OFX; Benchmarks.
Basic Networking: Forwarding and Routing. Two tasks: packet forwarding and route computation.
SDNs: Networking in Two Planes. Control plane: route computation. Data plane: packet forwarding.
OpenFlow: A Protocol to Manage Switches. Control plane: route computation, pushed to switches as flow rules that implement the routes. Data plane: packet forwarding.
OpenFlow: A Protocol to Manage Switches. Control plane: route computation, pushed to switches as flow rules that implement the routes. Data plane: packet forwarding. Assumption: interactions between the control plane and the data plane are infrequent.
SDNs for Network Security: Access Control. Control plane: an access control policy, pushed to switches as flow rules that implement the policy. Data plane: packet forwarding. Reference: Casado, Martin, et al. "Ethane: taking control of the enterprise." ACM SIGCOMM Computer Communication Review, Vol. 37, No. 4. ACM, 2007.
SDNs for Dynamic Network Security. Control plane: traffic declassification, advanced processing, access control, DDoS defense, bot detection. Data plane: a packet from a new flow goes to the controller, which returns a route for the flow.
SDNs for Dynamic Network Security: Flow Monitoring. Bot detection in the control plane: on a packet from a new TCP flow, install a byte-counting rule and collect flow records without routing through a middlebox. Reference: Gu, Guofei, et al. "BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection." USENIX Security Symposium, Vol. 5, No. 2. 2008.
SDNs for Dynamic Network Security: Traffic Declassification. Traffic declassification in the control plane: check flow tags and user permissions and return a declassification decision (Allow | Block), enforcing access control on tagged data leaving the network. The data plane asks: can this flow leave the network? Reference: Mundada, Yogesh, Anirudh Ramachandran, and Nick Feamster. "SilverLine: preventing data leaks from compromised web applications." Proceedings of the 29th Annual Computer Security Applications Conference. ACM, 2013.
SDNs for Dynamic Network Security. Control plane: traffic declassification, advanced processing, access control, DDoS defense, bot detection. Data plane: a packet from a new flow goes to the controller, which returns a route for the flow. Assumption: interactions between the control plane and the data plane are infrequent.
Obstacle: Low Throughput Control Path. A switch can forward 130 million packets/second, but can only forward about 500 packets/second to the controller. References: Appelman, Michiel, and Maikel de Boer. "Performance analysis of OpenFlow hardware." University of Amsterdam, Tech. Rep. (2012). Curtis, Andrew R., et al. "DevoFlow: scaling flow management for high-performance networks." ACM SIGCOMM Computer Communication Review, Vol. 41, No. 4. ACM, 2011.
Obstacle: Centralized Control Plane. (Slide shows many simultaneous new flows, each needing attention from the single controller.)
Our question: How can we make SDNs more practical? (Control plane: traffic declassification, access control, DDoS defense, bot detection. Data plane.)
The General Approach: Switch-Level Security. Move traffic declassification, access control, DDoS defense and bot detection out of the control plane and down to the data plane.
Previous Work: Security Functionality in the Forwarding Engine. Build new switch chips that support security applications. Reference: Shin, Seungwon, et al. "Avant-guard: Scalable and vigilant switch flow management in software-defined networks." Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. ACM, 2013.
Our insight: Leverage Switch CPUs. Run security logic on the switch CPUs.
OFX: A Framework for Application-Specific Switch Extensions. Each application can load custom functionality (for example, declassification logic) into switches, at runtime!
Outline: Introduction; Overview of OFX; Using OFX; Benchmarks. (Next section: Overview of OFX.)
OFX at a High Level. (Slide shows the OFX stack.)
OFX at a High Level. The OFX stack consists of an OFX controller library and OFX switch agents, one per switch.
OFX at a High Level. An OFX extension module has a controller interface that runs in the OFX controller library and switch-level logic that runs in the OFX switch agents.
OFX at a High Level. Example: a declassifier module keeps the permissions database at the controller and runs the per-flow declassification logic in the OFX switch agents.
OFX at the Switch Level. OFX modules use filters to select the packets that they need to process; OFX installs corresponding OpenFlow rules onto OFX filtering tables. Matching packets are diverted to the module's custom packet handler, which runs in software in the OFX switch agent. In hardware, ingress packets pass through the OFX filtering tables and then the controller-managed forwarding tables to egress.
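The switch-level flow described above, and the declassification check from the SilverLine slide, as an added illustration (not OFX's own code or API): a filter picks out traffic leaving the network, a handler on the switch CPU decides Allow or Block from flow tags and a permissions database, and unmatched packets stay on the hardware path. The `Packet` layout, host addresses and permissions are constructed.

```python
# Added illustration, not OFX's own code: a switch-level declassifier module in
# the style the slides describe. Packets matching the module's filter are diverted
# to a handler on the switch CPU; all other packets stay on the hardware path.
# Packet layout, host addresses and the permissions database are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    tag: str = ""   # data tag carried by the flow; "" means untagged (constructed)

@dataclass
class Switch:
    """Controller-managed forwarding plus an OFX-style filtering table."""
    filters: list = field(default_factory=list)   # (predicate, handler) pairs

    def install_filter(self, predicate, handler):
        # OFX installs a rule in the filtering table that diverts matching packets
        self.filters.append((predicate, handler))

    def ingress(self, pkt: Packet) -> str:
        for predicate, handler in self.filters:
            if predicate(pkt):
                return handler(pkt)   # decided on the switch CPU, no controller round trip
        return "Allow"                # unmatched packets follow the normal forwarding tables

def leaving_network(prefix: str):
    """Filter: only traffic from an internal source to an external destination."""
    return lambda p: p.src.startswith(prefix) and not p.dst.startswith(prefix)

def make_declassifier(permissions: dict):
    """Per-flow logic: a tagged flow may leave only if its source may export that tag."""
    def handler(p: Packet) -> str:
        if not p.tag:
            return "Allow"
        return "Allow" if p.tag in permissions.get(p.src, set()) else "Block"
    return handler

def run_demo() -> list:
    sw = Switch()
    sw.install_filter(leaving_network("10.0."), make_declassifier({"10.0.0.5": {"public"}}))
    pkts = [Packet("10.0.0.5", "8.8.8.8", "public"), Packet("10.0.0.5", "8.8.8.8", "secret"),
            Packet("10.0.0.5", "10.0.0.9", "secret"), Packet("10.0.0.7", "1.1.1.1")]
    return [sw.ingress(p) for p in pkts]   # ["Allow", "Block", "Allow", "Allow"]
```

The third packet never reaches the module because it stays inside the network, and the fourth is untagged, so only the second flow is blocked.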
Outline: Introduction; Overview of OFX; Using OFX; Benchmarks. (Next section: Using OFX.)
Refactoring OpenFlow Applications to use OFX: the OFX declassifier module.
Outline: Introduction; Overview of OFX; Using OFX; Benchmarks. (Next section: Benchmarks.)
Benchmarking OFX. Two questions: How much raw overhead is there for processing packets with OFX? How do OFX-based security applications perform compared with middlebox and OpenFlow implementations?
OFX Benchmark: Packets Per Second. (Plot: packets per second, log10 scale, versus packet size from 64 to 1500 bytes.) Packet handler in the controller: about 100 PPS at MTU. Packet handler in an OFX module: about 45,000 PPS at MTU.
Benchmark: Declassifier Packet Drop Rate.

Implementation     Frequently arriving flows   Median flows   High bandwidth flows
Middlebox Proxy    0.1%                        0.1%           20.4%
OpenFlow           97.5%                       88.2%          0.1%
OFX                5.1%                        3.2%           0.1%

The proxy implementation is limited by bit rate; the OpenFlow implementation is limited by flow arrival rate; the OFX implementation performed well in all workloads.

Workload name               Flow inter-arrival period   Average transmission bandwidth
Frequently arriving flows   0.0015 seconds              19.75 Mbps
Median flows                0.015 seconds               43.57 Mbps
High bandwidth flows        0.15 seconds                970.99 Mbps

References: S. Kandula, S. Sengupta, A. Greenberg, P. Patel, and R. Chaiken, "The nature of data center traffic: measurements & analysis," in Proceedings of the 9th ACM SIGCOMM Conference on Internet Measurement. ACM, 2009, pp. 202–208. L. Qian and B. E. Carpenter, "A flow-based performance analysis of TCP and TCP applications," in Networks (ICON), 2012 18th IEEE International Conference on. IEEE, 2012, pp. 41–45.
In the Paper: OFX API and implementation details; enhanced switch API modules; application-specific modules (DDoS defense with TCP handshake validation for new TCP flows, bot detection with push-based alerts when a condition is reached); more benchmarks; running on unmodified OpenFlow hardware! (Diagram: the OpenFlow controller platform with the OFX library; the switch with an OFX agent, an OpenFlow agent, the Linux kernel network stack, and the forwarding engine firmware; the OpenFlow packet path versus the OFX packet path.)
Thank You. OFX: The OpenFlow Extension Framework. OFX lets OpenFlow security applications push parts of their control plane logic down to switch CPUs, which can greatly improve performance and scalability on existing hardware and software.