hex switch
play

HEX Switch: Hardware-assisted security extensions of OpenFlow - PowerPoint PPT Presentation

Aug 24, 2022 •297 likes •673 views

HEX Switch: Hardware-assisted security extensions of OpenFlow Taejune Park / KAIST / taejune.park@kaist.ac.kr Zhaoyan Xu / StackRox Inc. / z@stackrox.com Seungwon Shin / KAIST / claude@kaist.ac.kr Software-Defined Networking

  1. HEX Switch: 
 Hardware-assisted security extensions of OpenFlow Taejune Park / KAIST / taejune.park@kaist.ac.kr Zhaoyan Xu / StackRox Inc. / z@stackrox.com Seungwon Shin / KAIST / claude@kaist.ac.kr

  2. Software-Defined Networking • Centralized management • Dynamic traffic engineering • Programable network operation • High-compatibility with virtualized environments 2 /36

  3. Software-Defined Networking • Centralized management • Dynamic traffic engineering • Programable network operation Security is still required • High-compatibility with virtualized environments 3 /36

  4. Security in Software-Defined Networking Control-Plane Network Control Apps. Security Apps. Layer Network Application Network Application Network Application Network Application Network Application Security Application Standard Protocol (e.g., OpenFlow) Data-Plane Layer Middle-box 4 /36

  5. Security in Software-Defined Networking •Security applications on a control plane Control-Plane Network Control Apps. Security Apps. • Applying security features network-widely Layer Network Application Network Application Network Application Network Application Network Application Security Application • Cheap price • Easy to manage Standard Protocol (e.g., OpenFlow) Data-Plane Layer Middle-box 5 /36

  6. Security in Software-Defined Networking •Security applications on a control plane Control-Plane Network Control Apps. Security Apps. • Applying security features network-widely Layer Network Application Network Application Network Application Network Application Network Application Security Application • Cheap price • Easy to manage Standard Protocol (e.g., OpenFlow) • Limitation Data-Plane Layer • Simple security only available • Slow-path for inspection Middle-box • Controller overhead 6 /36

  7. Security in Software-Defined Networking Control-Plane Network Control Apps. Security Apps. Layer Network Application Network Application Network Application Network Application Network Application Security Application Standard Protocol (e.g., OpenFlow) •Middle-boxes on a data plane Data-Plane Layer • Better performance • Rich features such as payload inspection • No controller overhead Middle-box 7 /36

  8. Security in Software-Defined Networking Control-Plane Network Control Apps. Security Apps. Layer Network Application Network Application Network Application Network Application Network Application Security Application Standard Protocol (e.g., OpenFlow) • Limitation •Middle-boxes on a data plane Data-Plane Layer • Better performance • Network overhead by traffic detouring (Taking extra hops) • Rich features such as payload inspection • Require flow steering for NFs • No controller overhead Middle-box • Additional control channels for NFs 8 /36

  9. Summary Category SDN Applications Middle-boxes Flexibility Management Deployability Performance Functionality 9 /36

  10. Related works: 
 Extending SDN architecture to support security • Mekky, Hesham, et al. "Network function virtualization enablement within SDN data plane.” IEEE INFOCOM 2017 (Also, HotSDN 2014) • Sonchack, John, et al. "Enabling Practical Software-defined Networking Security Applications with OFX." NDSS 2016. 10 /36

  11. Related works: 
 • Their security functions are not fully consolidated Extending SDN architecture to support security into a data plane • Mekky, Hesham, et al. "Network function • Application module, Tap-based interface… virtualization enablement within SDN data plane.” IEEE INFOCOM 2017 (Also, HotSDN 2014) • Sonchack, John, et al. "Enabling Practical Software-defined Networking Security Applications with OFX." NDSS 2016. 11 /36

  12. Related works: 
 Extending SDN architecture to support security • In essence, they are NOT different from the middle-box structure! • Mekky, Hesham, et al. "Network function • It's just a scale down! virtualization enablement within SDN data plane.” IEEE INFOCOM 2017 (Also, HotSDN 2014) • Sonchack, John, et al. "Enabling Practical Software-defined Networking Security Applications with OFX." NDSS 2016. 12 /36

  13. Related works: UNISAFE: A union of security actions for software switches Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization. ACM, 2016 • Fully integrated security functions into a data plane, not modular one •Security functions as a set of OpenFlow actions UNISAFE (based on Open vSwitch) Flow table Execute actions MATCH Actions Flow_A sec_dos(mbps=100) , output:2 Lookup Flow table Security actions sec_dos(mbps=500),sec_scan(…) ,output:3 Flow_B 13 /36

  14. Security actions of UNISAFE • High-compatibility with common OpenFlow actions - actions=sec_dos(mbps=1000),set_nw_src(…),output:2 • Fine-grained security enforcement per a flow - in_port=1,nw_src=10.0.0.1,tp_dst=80,actions=sec_dos(…),… - in_port=2,nw_dst=10.0.1.2,actions=sec_dpi(…),… • Easy configuration for a security service chaining - actions=sec_dos(…),sec_scan(…),sec_dpi(…),… 14 /36

  15. Performance in UNISAFE • Achieve line-rate latency for all security Throughput 110 forwarding dos scan1 100 scan5 dpi100 dpi500 90 dpi1000 • But, lack of throughput in some actions 80 70 •Payload Inspection (DPI) throughput Throughput(%) 60 ⁃ Throughput less than 100Mbps on 1Gbps 50 40 30 20 10 0 1 10 50 100 500 1000 Bandwidth(Mbps) 15 /36

  16. Performance in UNISAFE • Achieve line-rate latency for all security Throughput 110 forwarding dos scan1 100 scan5 dpi100 dpi500 90 dpi1000 • But, lack of throughput in some actions 80 Challenge 1: 70 •Payload Inspection (DPI) throughput Throughput(%) 60 Performance limitation ⁃ Throughput less than 100Mbps on 1Gbps 50 40 30 20 10 0 1 10 50 100 500 1000 Bandwidth(Mbps) 16 /36

  17. Security operation in UNISAFE • Manual operation for security violations by an administrator ? Controller Manual Operation 17 /36

  18. Security operation in UNISAFE • Manual operation for security violations by an administrator ? Challenge 2: Security operation Controller Manual Operation 18 /36

  19. HEX Switch: 
 Hardware-assisted security extensions of OpenFlow • Hardware-based approach for UNISAFE • Using NetFPGA • Providing line-rate performance with configurability Controller 
 Security Actions Security Policy communication 19 /36

  20. Intf. 2 Buffering (BRAM) Input Arbiter + Output queue Action processor Host Intf. Intf. 3 Intf. 1 Intf. 0 Inspection Data Storage Update Data Storage Read (Input selection) < HEX Security Processor > Intf. 1 (Forwarding) Policy Decision Intf. 0 Packet preprocessor Intf. 2 Intf. 3 Host Intf. Flow Table Controller Data Storage Design • Security Processor between the packet processing sequence. • Six-stages pipeline: Mainly consist of data storage and inspection logic • Flow table controller forwards flow keys, stats and action key after matching g s M t r e l Input output A s t a y Stage 1 Stage 2 Stage 3 Stage 4-5 Stage 6 t s e k , y y n e e o k k i t w w c o A o l l F F & Packet Packet bu ff er 20 /36

  21. Flow Table Controller (Input selection) Input Arbiter + Output queue Action processor Host Intf. Intf. 3 Intf. 2 Intf. 1 Intf. 0 Inspection Data Storage Data Storage Data Storage Read Update Buffering Intf. 0 < HEX Security Processor > (Forwarding) Policy Decision Packet preprocessor (BRAM) Intf. 1 Intf. 2 Intf. 3 Host Intf. Flow Table Controller Design • Security Processor between the packet processing sequence. • Six-stages pipeline: Mainly consist of data storage and inspection logic • Flow table controller forwards flow keys, stats and action key after matching g s M t r e l Input output A s t a y Stage 1 Stage 2 Stage 3 Stage 4-5 Stage 6 t s e k , y y n e e o k k i t w w c o A o l l F F & Packet Packet bu ff er 21 /36

  22. (BRAM) Host Intf. Data Storage Inspection Intf. 0 Intf. 1 Intf. 2 Intf. 3 Action processor Data Storage Update Data Storage Read (Forwarding) Policy Decision Input Arbiter + Output queue Update Data Storage Read Intf. 1 Data Storage (Input selection) Packet preprocessor Intf. 0 Data Storage Intf. 2 Intf. 3 Host Intf. Flow Table Controller < HEX Security Processor > Buffering (BRAM) Design • Security Processor between the packet processing sequence. • Six-stages pipeline: Mainly consist of data storage and inspection logic • Flow table controller forwards flow keys, stats and action key after matching g s M t r e l Input output A s t a y Stage 1 Stage 2 Stage 3 Stage 4-5 Stage 6 t s e k , y y n e e o k k i t w w c o A o l l F F & Packet Packet bu ff er 22 /36

Recommend

ETRA-SWITCH STUDY Switch to Etravirine from PI-Based Regimen ETRA-SWITCH: Design Study Design:

ETRA-SWITCH STUDY Switch to Etravirine from PI-Based Regimen ETRA-SWITCH: Design Study Design:

Switch to Etravirine from PI-Based Regimen ETRA-SWITCH STUDY Switch to Etravirine from PI-Based Regimen ETRA-SWITCH: Design Study Design: ETRA-SWITCH Background : Open label, randomized phase 3b trial that enrolled patients with suppressed

188 views • 7 slides
CHAPTER II SWITCH NETWORKS AND SWITCH DESIGN R.M. Dansereau; v.1.0 SWITCH NETWORKS SWITCH

CHAPTER II SWITCH NETWORKS AND SWITCH DESIGN R.M. Dansereau; v.1.0 SWITCH NETWORKS SWITCH

SWITCH DESIGN CHAPTER II CHAPTER II-1 SWITCH DESIGN CHAPTER II SWITCH NETWORKS AND SWITCH DESIGN R.M. Dansereau; v.1.0 SWITCH NETWORKS SWITCH DESIGN SWITCH NETWORKS CHAPTER II-2 BASIC IDEAL SWITCH SWITCH DESIGN Simplest

348 views • 24 slides
SDG 12.1 Reporting for SWITCH-Asia Countries Connecting the dots between actions and

SDG 12.1 Reporting for SWITCH-Asia Countries Connecting the dots between actions and

SDG 12.1 Reporting for SWITCH-Asia Countries Connecting the dots between actions and reporting Luz Fernandez, PhD luz.fernandezgarcia@un.org Programme Officer, RPAC SWITCH Asia What is SWITCH-Asia? SWITCH Asia I - 2007-2014 SWITCH Asia II

125 views • 10 slides
A Genetic Toggle Switch Using DNA Recombinases Michigan Synthetic Biology Team 2012 Switch

A Genetic Toggle Switch Using DNA Recombinases Michigan Synthetic Biology Team 2012 Switch

A Genetic Toggle Switch Using DNA Recombinases Michigan Synthetic Biology Team 2012 Switch Design and Modeling Mike Contemporary Bistable Switch Disadvantages The state is actively maintained Sensitive Complexity Lou et al.,

792 views • 52 slides
Switch-a-roo: engineering a photoresponsive E.colight switch Team Macquarie University

Switch-a-roo: engineering a photoresponsive E.colight switch Team Macquarie University

Switch-a-roo: engineering a photoresponsive E.colight switch Team Macquarie University Sydney, Australia What are the elements of switch -a- roo? Phytochrome Protein that binds chromophore Chromophore PDB 1ZTU

422 views • 18 slides
So Trendy, So Smart, So Switch ON ! WHO ARE WE ? S ince 1995, Switch Vibration

So Trendy, So Smart, So Switch ON ! WHO ARE WE ? S ince 1995, Switch Vibration

So Trendy, So Smart, So Switch ON ! WHO ARE WE ? S ince 1995, Switch Vibration accompanies you in the organization and animation of your events. With these many years of experience, the company, in constant evolution, has developed

504 views • 12 slides
Switch of Anti-Platelets: for whom and how? Switch des AAP: pour qui et comment ? Prof. Emanuele

Switch of Anti-Platelets: for whom and how? Switch des AAP: pour qui et comment ? Prof. Emanuele

Switch of Anti-Platelets: for whom and how? Switch des AAP: pour qui et comment ? Prof. Emanuele Barbato, MD, PhD, FESC University Federico II, Italy 30-31 Janvier 1 er Fvrier 2019 CONFLICT OF INTERESTS Speakers fee from BSCI and Abbott

776 views • 25 slides
The recent switch lowering improvements Hans Wennborg hwennborg@google.com A Switch C: switch

The recent switch lowering improvements Hans Wennborg hwennborg@google.com A Switch C: switch

The recent switch lowering improvements Hans Wennborg hwennborg@google.com A Switch C: switch (x) { LLVM IR: case 0: // foo switch i32 %x, label %baz [ case 1: i32 0, label %foo // bar i32 1, label %bar ... ... default: ] // baz

248 views • 22 slides
Switch Energy Alliance A 501(c)(3) dedicated to inspiring an energy-educated future that is

Switch Energy Alliance A 501(c)(3) dedicated to inspiring an energy-educated future that is

Switch Energy Alliance A 501(c)(3) dedicated to inspiring an energy-educated future that is objective, nonpartisan, and sensible. Films: Switch and Switch On Videos : 300+ short energy videos Switch Classroom: Online energy education platform

178 views • 5 slides
Generic External Memory for Switch Data Planes Daehyeok Kim Yibo Zhu, Changhoon Kim, Jeongkeun

Generic External Memory for Switch Data Planes Daehyeok Kim Yibo Zhu, Changhoon Kim, Jeongkeun

Generic External Memory for Switch Data Planes Daehyeok Kim Yibo Zhu, Changhoon Kim, Jeongkeun Lee, Srinivasan Seshan Enabling Virtual Switching on ToR Switch Move virtual switch (Tenant, VM IP) Host IP Multi-million to ToR switch (1,

246 views • 20 slides
Chapter 4. Switch Realization 4.1. Switch applications Single-, two-, and four-quadrant switches.

Chapter 4. Switch Realization 4.1. Switch applications Single-, two-, and four-quadrant switches.

Chapter 4. Switch Realization 4.1. Switch applications Single-, two-, and four-quadrant switches. Synchronous rectifiers 4.2. A brief survey of power semiconductor devices Power diodes, MOSFETs, BJTs, IGBTs, and thyristors 4.3. Switching loss

783 views • 77 slides
Switch-mode converters as feedback systems A B m e v o v d

Switch-mode converters as feedback systems A B m e v o v d

Mor M. Peretz, Switch-Mode Power Supplies [8-1] Control of switch-mode converters [8-2] Mor M. Peretz, Switch-Mode Power Supplies Control objectives Produce control command to Regulate the output voltage Obtain zero or small

600 views • 17 slides
CPSC 213 Switch Statements, Understanding Pointers - 2nd ed: 3.6.7, 3.10 - 1st ed: 3.6.6,

CPSC 213 Switch Statements, Understanding Pointers - 2nd ed: 3.6.7, 3.10 - 1st ed: 3.6.6,

Readings for Next Two Lectures Text CPSC 213 Switch Statements, Understanding Pointers - 2nd ed: 3.6.7, 3.10 - 1st ed: 3.6.6, 3.11 Introduction to Computer Systems Unit 1f Dynamic Control Flow Polymorphism and Switch Statements 1 2

266 views • 7 slides
875450 4K Presentation switch 7/2 User Manual 875450 4K Presentation switch 7/2 User Manual Thank

875450 4K Presentation switch 7/2 User Manual 875450 4K Presentation switch 7/2 User Manual Thank

875450 4K Presentation switch 7/2 User Manual 875450 4K Presentation switch 7/2 User Manual Thank you for purchasing this product. For optimum performance and safety, please read these instructions carefully before connecting, operating or

363 views • 20 slides
875450 4K Presentation switch 7/2 User Manual 875450 4K Presentation switch 7/2 User Manual Thank

875450 4K Presentation switch 7/2 User Manual 875450 4K Presentation switch 7/2 User Manual Thank

875450 4K Presentation switch 7/2 User Manual 875450 4K Presentation switch 7/2 User Manual Thank you for purchasing this product. For optimum performance and safety, please read these instructions carefully before connecting, operating or

699 views • 18 slides
CS 457 Lecture 9 ATM and Switch Implementations Fall 2011 Recall: Introduced Switches

CS 457 Lecture 9 ATM and Switch Implementations Fall 2011 Recall: Introduced Switches

CS 457 Lecture 9 ATM and Switch Implementations Fall 2011 Recall: Introduced Switches Switch breaks subnet into LAN segments Switch filters packets Frame only forwarded to the necessary segments Segments become separate

783 views • 30 slides
Frame- -Aggregated Concurrent Aggregated Concurrent Frame Matching Switch Matching Switch Bill

Frame- -Aggregated Concurrent Aggregated Concurrent Frame Matching Switch Matching Switch Bill

Frame- -Aggregated Concurrent Aggregated Concurrent Frame Matching Switch Matching Switch Bill Lin (University of California, San Diego) Isaac Keslassy (Technion, Israel) Background Background The Concurrent Matching Switch (CMS)

493 views • 38 slides
N outputs N inputs Switch ... ... A

N outputs N inputs Switch ... ... A

N outputs N inputs Switch ... ... A switch moves a packet from an input port to an output port Forwarding -- output port selection Switching -- actually transferring the

428 views • 11 slides
Study 109 Switch to Elvitegravir-Cobicistat-TAF-FTC Study 109: Design Study Design: Study 109

Study 109 Switch to Elvitegravir-Cobicistat-TAF-FTC Study 109: Design Study Design: Study 109

Switch from TDF-based to Elvitegravir-Cobicistat-TAF-FTC Study 109 Switch to Elvitegravir-Cobicistat-TAF-FTC Study 109: Design Study Design: Study 109 Background : Open-label, randomized study, Phase 3 trial comparing switch to

247 views • 8 slides
1 Mor M. Peretz, Switch-Mode Power Supplies [8-4] Control of PWM converters disturbances in

1 Mor M. Peretz, Switch-Mode Power Supplies [8-4] Control of PWM converters disturbances in

Mor M. Peretz, Switch-Mode Power Supplies [8-1] Control of switch-mode converters Mor M. Peretz, Switch-Mode Power Supplies [8-2] Control objectives Produce control command to Regulate the output voltage Obtain zero or small

715 views • 12 slides
Learn with Enfocus Basic Use Cases in Switch 10 November 18 &amp; 21, 2011 Bert van Rooijen,

Learn with Enfocus Basic Use Cases in Switch 10 November 18 &amp; 21, 2011 Bert van Rooijen,

Learn with Enfocus Basic Use Cases in Switch 10 November 18 &amp; 21, 2011 Bert van Rooijen, Solution Architect EnfocusSW @EnfocusSW Enfocus, an EskoArtwork Company Session topics What is Switch? Live Use Cases in Switch 10

249 views • 12 slides
Switch Closed x = 1 A switch has two states Open Closed/On x = 0 Open/Off Symbol S

Switch Closed x = 1 A switch has two states Open Closed/On x = 0 Open/Off Symbol S

Switch Closed x = 1 A switch has two states Open Closed/On x = 0 Open/Off Symbol S x William Sandqvist william@kth.se Implementation of logic functions The switchen can be used to implement logic functions S Power Light x

1.37k views • 67 slides
MOBILE COMPUTING CSE 40814/60814 Fall 2015 Public Switched Telephone Network - PSTN Transit

MOBILE COMPUTING CSE 40814/60814 Fall 2015 Public Switched Telephone Network - PSTN Transit

10/11/15 MOBILE COMPUTING CSE 40814/60814 Fall 2015 Public Switched Telephone Network - PSTN Transit switch Transit Transit switch switch Long distance network Local Local switch switch Incoming Outgoing call call - Transfer mode:

709 views • 40 slides
1 [2-4] Mor M. Peretz, Switch-Mode Power Supplies Capacitor types Polarized (electrolytic) Non

1 [2-4] Mor M. Peretz, Switch-Mode Power Supplies Capacitor types Polarized (electrolytic) Non

[2-1] Mor M. Peretz, Switch-Mode Power Supplies DCM rev. IL Vx Ton Toff T Ts Vx Vin VL Vin-Vo Vo -Vo [2-2] Mor M. Peretz, Switch-Mode Power Supplies Synchronous rectifier No DCM ! IL Ton Toff Mor M. Peretz, Switch-Mode

239 views • 11 slides

More recommend