policy routing using process level identifiers
play

Policy Routing using Process-Level Identifiers IEEE International - PowerPoint PPT Presentation

May 03, 2023 •482 likes •1.3k views

Policy Routing using Process-Level Identifiers IEEE International Symposium on Software Defined Systems April 4th, 2016, Berlin, Germany Oliver Michel, Eric Keller Networking and Security Research Group Network Policies 2 Network Policies

  1. Policy Routing using Process-Level Identifiers IEEE International Symposium on Software Defined Systems April 4th, 2016, Berlin, Germany Oliver Michel, Eric Keller Networking and Security Research Group

  2. Network Policies 2

  3. Network Policies Load Balancing 2

  4. Network Policies Address Translation 2

  5. Network Policies Intrusion Detection 2

  6. Network Policies Firewalling 2

  7. Limited Identifiers Ethernet IP TCP/UDP 3

  8. Limited Identifiers Ethernet Source Destination EtherType IP TCP/UDP 3

  9. Limited Identifiers Ethernet Source Destination EtherType IP Source Destination Protocol DSCP ECN TCP/UDP 3

  10. Limited Identifiers Ethernet Source Destination EtherType IP Source Destination Protocol DSCP ECN TCP/UDP Source Destination 3

  11. Why fine-grained identifiers? • Uniquely identifying user sessions BLOCK LDAP User Peter cn=Peter Pan, ou=CS, o=UColorado 4

  12. Why fine-grained identifiers? • Uniquely identifying user sessions BLOCK LDAP User Peter cn=Peter Pan, ou=CS, o=UColorado MAC IP 4

  13. Why fine-grained identifiers? • Uniquely identifying user sessions BLOCK LDAP User Peter cn=Peter Pan, ou=CS, o=UColorado UID MAC IP 4

  14. Why fine-grained identifiers? • Uniquely identifying user sessions BLOCK LDAP User Peter cn=Peter Pan, ou=CS, o=UColorado Controller UID MAC IP LDAP 4

  15. Why fine-grained identifiers? • Isolating vulnerable software 5

  16. Why fine-grained identifiers? • Isolating vulnerable software 6

  17. Why fine-grained identifiers? • Isolating vulnerable software $ openssl sha1 /usr/sbin/httpd SHA1(/usr/sbin/httpd)=5fdbdb587fce265656fd3e2960a6293262efedb7 6

  18. Why fine-grained identifiers? • Isolating vulnerable software $ openssl sha1 /usr/sbin/httpd SHA1(/usr/sbin/httpd)=5fdbdb587fce265656fd3e2960a6293262efedb7 Executable Fingerprint 6

  19. Why fine-grained identifiers? • Isolating vulnerable software $ openssl sha1 /usr/sbin/httpd SHA1(/usr/sbin/httpd)=5fdbdb587fce265656fd3e2960a6293262efedb7 Executable Fingerprint Controller 6

  20. Fine-Grained Information user space Process Process operating system Network Interface IP/MAC 7

  21. Fine-Grained Information user space Process Process Port operating system Network Interface IP/MAC 7

  22. Fine-Grained Information user space Process Process PID Port operating system Network Interface IP/MAC 7

  23. Fine-Grained Information user space Process Process PID GID Port operating system Network Interface IP/MAC 7

  24. Fine-Grained Information user space Process Process PID GID UID Port operating system Network Interface IP/MAC 7

  25. Fine-Grained Information user space Process Process PID GID UID Port operating cgroups system Network Interface IP/MAC 7

  26. Fine-Grained Information user space Process Process PID GID UID Port operating cgroups system open files Network Interface IP/MAC 7

  27. Fine-Grained Information user space Process Process PID GID UID Port operating cgroups system open files exe fingerprint Network Interface IP/MAC 7

  28. Fine-Grained Information user space Process Process operating PID GID UID cgroups open files exe fingerprint system Network Interface IP/MAC MAC Destination MAC Source EtherType IP Source IP Destination Protocol network TCP/UDP Source TCP/UDP Destination 8

  29. Fine-Grained Information user space Process Process operating system Network Interface IP/MAC MAC Destination MAC Source EtherType IP Source IP Destination Protocol network TCP/UDP Source TCP/UDP Destination PID GID UID cgroups open files exe fingerprint 8

  30. Benefiting Scenarios • Uniquely identifying user sessions • Isolating vulnerable software 9

  31. Benefiting Scenarios • Uniquely identifying user sessions • Isolating vulnerable software • Identifying services 9

  32. Benefiting Scenarios • Uniquely identifying user sessions • Isolating vulnerable software • Identifying services • Quality of Service 9

  33. Benefiting Scenarios • Uniquely identifying user sessions • Isolating vulnerable software • Identifying services • Quality of Service • Forensic Analysis 9

  34. PRPL \ ˈ p ə r-p ə l\ Policy Routing using Process-Level Identifiers

  35. PRPL Overview 11

  36. PRPL Overview controller 11

  37. PRPL Overview Distributing and configuring Policy controller 11

  38. PRPL Overview Distributing and configuring Policy controller 11

  39. PRPL Overview Tagging Packets Distributing and configuring Policy controller 11

  40. PRPL Overview Tagging Packets Forwarding Distributing and configuring Policy controller 11

  41. Tagging • Insert a custom header containing a token associated with some policy Ethernet IP TCP/UDP 12

  42. Tagging • Insert a custom header containing a token associated with some policy Ethernet IP TCP/UDP 12

  43. Tagging • Insert a custom header containing a token associated with some policy Ethernet PRPL IP TCP/UDP 12

  44. Tagging • Insert a custom header containing a token associated with some policy 3 2 b i t s Ethernet 0x12d4f7e3 PRPL IP TCP/UDP 12

  45. Tagging user domain Process Host admin domain Policy Controller 13

  46. Tagging user domain Process Host admin domain PRPL Agent Policy Controller 13

  47. Tagging user domain Process Host admin domain PRPL Agent request communication stream Policy Controller 13

  48. Tagging user domain Process Host admin domain PRPL Agent request communication obtain token stream Policy Controller 13

  49. Tagging user domain Process Host classify/mark tag/forward configure admin domain PRPL Agent request communication obtain token stream Policy Controller 13

  50. Forwarding • Programmable Hardware 
 [Kangaroo INFOCOM ’10, SDN Chip SIGCOMM ’13, Intel FM6000 switch silicon] • Dataplane Forwarding Model in P4 [SIGCOMM CCR 2014] 14

  51. Forwarding PRPL token action drop 0x a4..23 reroute 0x d3..42 • Programmable Hardware 
 [Kangaroo INFOCOM ’10, SDN Chip SIGCOMM ’13, Intel FM6000 switch silicon] • Dataplane Forwarding Model in P4 [SIGCOMM CCR 2014] 14

  52. Forwarding PRPL token action drop 0x a4..23 reroute 0x d3..42 • Programmable Hardware 
 [Kangaroo INFOCOM ’10, SDN Chip SIGCOMM ’13, Intel FM6000 switch silicon] • Dataplane Forwarding Model in P4 [SIGCOMM CCR 2014] 14

  53. Implementation 15

  54. Implementation • Linux on-board tools: iptables, custom routing, tunnel devices 15

  55. Implementation • Linux on-board tools: iptables, custom routing, tunnel devices • P4: Matching on token 15

  56. Implementation • Linux on-board tools: iptables, custom routing, tunnel devices • P4: Matching on token • Prototype • P4 behavioral model • tag based on uid • forward or drop 15

  57. Implementation 200 TCP throughput [ Mbit / s ] 150 100 direct transmission 50 using PRPL 0 200 400 600 800 1000 1200 1400 packet size [ Bytes ] • No performance penalty for packets < 200 Bytes 16

  58. Future Work and Conclusion 17

  59. Future Work and Conclusion • Network Management can greatly benefit from fine- grained process-level information 17

  60. Future Work and Conclusion • Network Management can greatly benefit from fine- grained process-level information • System Architecture and Prototype enabling packet processing based on such information 
 17

  61. Future Work and Conclusion • Network Management can greatly benefit from fine- grained process-level information • System Architecture and Prototype enabling packet processing based on such information 
 • Future work: expansion beyond current examples, more complex policies 17

  62. Source Code https://github.com/nsr-colorado/prpl 18

  63. Backup Slides

  64. Future Work • Study feasibility of more complex policy scenarios • Granularity of Tokens • Controller - Agent Interface • Proactive vs. reactive configuration • Trust in tagging process 20

  65. Tagging 25 minimum token size [ bits ] 20 15 500 servers 2000 servers 10 10000 servers 5 1 5 10 50 100 number of policy rules per host ( log. ) • Token sizes between 16 bits and 32 bits sufficient even for large networks 21

  66. Programmable Hardware • new custom ASICs can achieve such flexibility at terabit speeds [Kangaroo INFOCOM ’10, SDN Chip SIGCOMM ’13, Intel FM6000 switch silicon] • some switches are more programmable than others: • FPGA (Xilinx, Altera, Corsa) • NPU (Ezchip, Netronome) • CPU (OVS, …) 22

  67. P4 Language • P4 program configures forwarding behavior (abstract forwarding model) • express serial dependencies (e.g. ARP/L3 Routing) • P4 compiler translates into a target-specific representation • OF can still be used to install and query rules once forwarding model is defined 23

  68. P4 Forwarding Model / Runtime Switch Parser Match/Action Tables Egress Queues Packet Metadata 24

  69. P4 Forwarding Model / Runtime L2L3.p4 Switch Parser Match/Action Tables Egress Queues Packet Metadata 24

Recommend

Address Family Identifiers Assignment Policy Bill Fenner &lt;fenner@research.att.com&gt; Who

Address Family Identifiers Assignment Policy Bill Fenner &lt;fenner@research.att.com&gt; Who

Address Family Identifiers Assignment Policy Bill Fenner &lt;fenner@research.att.com&gt; Who uses AFI? Routing Who else? Sample AFI value that was not registered for routing: 16 DNS (Domain Name System) What should the policy

300 views • 3 slides
IGO/INGO Identifiers Protection Policy Implementation Meeting with the IRT | ICANN 54 | 21

IGO/INGO Identifiers Protection Policy Implementation Meeting with the IRT | ICANN 54 | 21

IGO/INGO Identifiers Protection Policy Implementation Meeting with the IRT | ICANN 54 | 21 October 2015 Agenda 1 2 3 3 Backgrou ground nd on Prese sentat ntation on Discus cussion sion of Policy cy and of Approac oach h

587 views • 22 slides
Virtual ring routing Virtual ring routing Some slides from http://

Virtual ring routing Virtual ring routing Some slides from http://

Virtual ring routing Virtual ring routing Some slides from http:// research.microsoft.com/en-us/um/people/antr/vrr- sigcomm06.ppt 123 VRR: the virtual ring VRR: the virtual ring topology-independent 0 FFF node identifiers, e.g., MAC

694 views • 18 slides
IGO/INGO Identifiers Protection Policy Implementation Meeting with the IRT | 9 March 2016

IGO/INGO Identifiers Protection Policy Implementation Meeting with the IRT | 9 March 2016

IGO/INGO Identifiers Protection Policy Implementation Meeting with the IRT | 9 March 2016 Agenda 2 3 1 3 Background on Discussion of Policy and Implementation Next Steps Current ICANN Deliverables Work on IGO/INGO Protections 5 min

385 views • 17 slides
Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing

Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing

Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing forwarding: to select an output port based on destination address and routing table routing: process by which routing table is built

543 views • 13 slides
Online Regulation Policy Introduction Overview of High level review of the old policy

Online Regulation Policy Introduction Overview of High level review of the old policy

Online Regulation Policy Introduction Overview of High level review of the old policy versus the updated policy changes Discussion of significant changes Understanding UGC and show it should be dealt with Complaints process for

379 views • 16 slides
How to Sell Process Improvement Second level Third level Fourth level Fifth

How to Sell Process Improvement Second level Third level Fourth level Fifth

Click to edit Master text styles How to Sell Process Improvement Second level Third level Fourth level Fifth level Molly Levy Manager, Developmental Quality Engineering DRS Technologies A Finmeccanica Company DRS

439 views • 20 slides
NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security

NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security

NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security Required: authenticity and integrity of routing information o Link state routing: LSAs are originated by the routing process authorized to do so

345 views • 10 slides
Using DNS for Mapping Using DNS for Mapping Host Identifiers to Locators Host Identifiers to

Using DNS for Mapping Using DNS for Mapping Host Identifiers to Locators Host Identifiers to

Using DNS for Mapping Using DNS for Mapping Host Identifiers to Locators Host Identifiers to Locators Oleg Ponomarev 24 March 2009 IETF74, San Francisco OUTLINE OUTLINE Current situation Storage conventions Usage HOST IDENTITY

225 views • 18 slides
CS 557 Inter-Domain Routing Introduction to BGP Routing Tutorial slides from Tim Griffin, 2001

CS 557 Inter-Domain Routing Introduction to BGP Routing Tutorial slides from Tim Griffin, 2001

CS 557 Inter-Domain Routing Introduction to BGP Routing Tutorial slides from Tim Griffin, 2001 Spring 2013 Inter-domain Routing 2153 11537 1706 52 FRGP Level 3 ARIZONA ColoState Autonomous Systems (AS) Border Gateway Protocol

566 views • 30 slides
CENG 342 Digital Systems Routing with a Process Larry Pyeatt SDSM&amp;T Process Statements

CENG 342 Digital Systems Routing with a Process Larry Pyeatt SDSM&amp;T Process Statements

CENG 342 Digital Systems Routing with a Process Larry Pyeatt SDSM&amp;T Process Statements inside a process are written as if they will be executed sequentially . The process is actually a concurrent statement (or set of concurrent

520 views • 11 slides
COMPLETE STREETS Complete Streets Elements Complete Streets Policy Best Practices MDOT

COMPLETE STREETS Complete Streets Elements Complete Streets Policy Best Practices MDOT

State-Level Overview COMPLETE STREETS Complete Streets Elements Complete Streets Policy Best Practices MDOT Process and Approach Agenda Local Examples Lessons Learned Resources Terminology Policy vs. Process Policy: plan

660 views • 19 slides
4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has

4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has

4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has columns for the destination network (or hosts) with the corresponding cost and the next router address to reach a destination. Additional

1.08k views • 84 slides
Keeping Your Process at the Centre of Everything We Do 1 op optimAl pr process ss technology

Keeping Your Process at the Centre of Everything We Do 1 op optimAl pr process ss technology

Keeping Your Process at the Centre of Everything We Do 1 op optimAl pr process ss technology ltd ltd. Process Automation Specialists DRIVING PERFORMANCE Process Engineering Level 1 Process Services Control Systems Level 2 / 3

571 views • 20 slides
Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011 Overview Business

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011 Overview Business

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011 Overview Business relationships between ASes Interdomain routing using BGP Advertisements Routing policy Integration with intradomain routing Routing

748 views • 37 slides
Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing

Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing

Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing [Kleinberg04] J. Kleinberg, A. Slivkins, T. Wexler. Triangulation and Embedding using Small Sets of Beacons. Proc. 45th IEEE Symposium on Foundations of

450 views • 32 slides
Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior

Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior

February 2019 Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior Manager, Internet Technology siddiqui@isoc.org Lets understand the problem.. What is the connection between routing security

346 views • 19 slides
Algebraic metalanguages for routing policy specification Alexander Gurney Computer Laboratory,

Algebraic metalanguages for routing policy specification Alexander Gurney Computer Laboratory,

Algebraic metalanguages for routing policy specification Alexander Gurney Computer Laboratory, University of Cambridge Multi-Service Networks 2006 Coseners House, Abingdon, UK The Metarouting Idea A language for policy Build up

434 views • 39 slides
SEA LEVEL RISE IN NORTH CAROLINA IMPLICATIONS FOR COASTAL POLICY Relative Sea Level Rise

SEA LEVEL RISE IN NORTH CAROLINA IMPLICATIONS FOR COASTAL POLICY Relative Sea Level Rise

SEA LEVEL RISE IN NORTH CAROLINA IMPLICATIONS FOR COASTAL POLICY Relative Sea Level Rise Average Yearly Sea Level, Key West Florida, 1950-2006 1.2 1 0.8 Sea Level (ft) 0.6 0.4 0.2 0 Year 1952 1956 1959 1962 1965 1968 1971 1974

591 views • 18 slides
1 Routing Table Routing Table Destination network Next router

1 Routing Table Routing Table Destination network Next router

Lecture 12. Lecture 12. Introduction to Introduction to IP Routing IP Routing Giuseppe Bianchi Why introduction? Why introduction? Routing: very complex issue need in-depth study entire books on routing our scope: give a

552 views • 19 slides
Towards a Next- Generation Inter-domain Routing Protocol L. Subramanian, M. Caesar, C.T. Ee, M.

Towards a Next- Generation Inter-domain Routing Protocol L. Subramanian, M. Caesar, C.T. Ee, M.

Towards a Next- Generation Inter-domain Routing Protocol L. Subramanian, M. Caesar, C.T. Ee, M. Handley , Z. Mao, S. Shenker, and I. Stoica Routing 1999 Internet Map Coloured by ISP Source: Bill Cheswick, Lumeta AS-level Topology 2003

946 views • 37 slides
Routing Process of distributing information through network so routers can build forwarding

Routing Process of distributing information through network so routers can build forwarding

Routing Process of distributing information through network so routers can build forwarding tables Forwarding vs. routing tables Forwarding table maps network number to interface, data link address Routing table maps network

330 views • 12 slides
The Internet and Identifiers Paul V. Mockapetris Sigcomm 2005 8/23/2005 What are Todays

The Internet and Identifiers Paul V. Mockapetris Sigcomm 2005 8/23/2005 What are Todays

The Internet and Identifiers Paul V. Mockapetris Sigcomm 2005 8/23/2005 What are Todays Digital Identifiers? Conventions associating one piece of data to another www.nominum.com to see web page Anna Kournikova into

718 views • 49 slides
Normalizing Resource Identifiers using Lexicons in the Global Change Information System Linking

Normalizing Resource Identifiers using Lexicons in the Global Change Information System Linking

Normalizing Resource Identifiers using Lexicons in the Global Change Information System Linking Earth Science Identifiers, Concepts, and Communities Brian Duggan 13 , Curt Tilmes 2 , Steven Aulenbach 13 , Robert E. Wolfe 12 , Justin C. Goldstein

480 views • 28 slides

More recommend