2nd sdn interest group session2 (121218)

OpenFlow Applications - Research View. Seungwon Shin, ECE Department, Texas A&M University; Atto Research

Upload: naim-networks-inc

Post on 01-Nov-2014


DESCRIPTION

These are the presentation materials from the 2nd SDN Interest Group Seminar, held on December 18, 2012.

TRANSCRIPT

OpenFlow Applications - Research View -

Seungwon Shin
ECE Department, Texas A&M University
Atto Research

Contents
• OpenFlow research projects
• Selected projects
  • Security
  • Home network management
• Summary

Goal
• What do you want to do with OpenFlow?
  • Research
  • Develop services
  • Develop devices

Research with OpenFlow
• For OpenFlow itself
  • Controller
    • NOX, Maestro, Onix, HyperFlow
  • High level language
    • Frenetic, Nettle
  • Security
    • FortNOX, FRESCO
  • Debugging
    • NICE, OpenFlow debugger, Veriflow
  • Test
    • OFLOPS

Research with OpenFlow
• With OpenFlow
  • Network management
    • OFRewind
  • Network service
    • Cloud network: CloudNaaS, CloudWatcher, VM migration
    • Home network: Bismark
    • Wireless: OpenRoad, Software Defined Wireless
  • Network monitoring
    • OpenSAFE, MeasuRouting, OpenTM
  • Middlebox
    • Integration of SDN and middleboxes

Research with OpenFlow
• With OpenFlow
  • Network virtualization
    • FlowVisor
  • Security
    • CloudPolice, CloudWatcher
  • New architecture
    • DevoFlow
  • Virtual switch
    • OpenVswitch

Research → Product
• Research to commercial products
  • Some products are based on research projects
    • OpenVswitch + FlowVisor → Nicira's NVP
    • Onix → Google's OpenFlow project
    • CloudNaaS → IBM's cloud management
  • Some projects are close to commercial products
    • CloudWatcher → Varmour's products
    • Bismark → Meraki's products

Some selected applications
• Security
  • Security for OpenFlow
  • Security with OpenFlow
• Home network management
  • Monitor home network
  • Manage home network
  • Make home network secure

Why?
• Security
  • Requirements when deploying OpenFlow
    • Bank, Government, etc.
  • No notable companies
• Home network management
  • No need to replace existing H/W
    • Firmware download
  • New service model
    • Meraki (not OpenFlow)

Security  

OpenFlow Security
• Security for OpenFlow
  • FortNOX
• Security with OpenFlow
  • CloudPolice
  • CloudWatcher
  • FRESCO
  • Lightweight DDoS detection

CloudPolice
• New access control for a cloud network environment
• Features
  • Scalable (millions of tenants)
  • Flexible (easy to change)
  • Robust to DoS attacks
• People
  • UCB and Princeton
  • Lucian Popa, Minlan Yu, Steven Y Ko, Sylvia Ratnasamy, and Ion Stoica

CloudPolice
• Installed into each hypervisor
• Overall operation
  • CloudPolice at a source sends a control packet before sending a data flow
  • CloudPolice at a destination checks the access control policies for the source and returns a response message to the source
  • CloudPolice at the source performs some operations based on the received messages

From CloudPolice paper

CloudPolice
• Implementation
  • Modify OpenVswitch
  • Conduct access control function with OpenFlow
  • Add a policy manager

CloudWatcher
• A new framework that
  • Provides security monitoring services for large and dynamic cloud networks
  • Automatically detours network packets so that they are inspected by pre-installed network security devices
    • OpenFlow
  • Provides a script to operate this framework
• People
  • Texas A&M University
  • Seungwon Shin and Guofei Gu

Operating Scenario
• Flowchart boxes (figure not preserved):
  • Register Security Devices
  • Create Security Policies
  • Parse Security Policies
  • Create Routing Rules
  • Enforce Flow Rules into Routers
  • Translate Routing Rules into OpenFlow Rules
• Figure labels: Administrator; Router (Device ID = 8); NIDS (ID = 1)
• Device registration: {ID, TYPE, LOCATION, MODE, Func}
  • Example: {1, NIDS, 8, PASSIVE, Detect HTTP}
• Security policy: {FLOW CONDITION, DEVICE SET}
  • Example: {10.0.0.* → *:80, {1}}

How to Control Flows
• 4 approaches
  • Multipath naïve
  • Shortest through
  • Multipath shortest
  • Shortest inline

Sample network (figure not preserved): S: start node, E: end node, R: router, C: security device

Simple Shortest Path
• Basic routing scheme (NOT CloudWatcher's idea)
  • Find the shortest path between a start host and an end host
  • Path: S → R1 → R5 → R6 → E
• Problem
  • It does not pass through the security device C (R4)

Routing Algorithms
• Figure panels (figures not preserved): Multi-path naive, Shortest through, Multi-path shortest
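
Added example (not from the slides or from CloudWatcher's code): a sketch of the policy lookup and a "shortest through" style route, assuming that name means the shortest path forced through the router a matching security device is attached to. The topology, the R4 device location and all function names are constructed for illustration.

```python
from collections import deque
from fnmatch import fnmatch

# Constructed topology (the slide's figure is not in the transcript), chosen so
# the plain shortest path is S -> R1 -> R5 -> R6 -> E and misses R4.
LINKS = [("S", "R1"), ("R1", "R2"), ("R1", "R5"), ("R2", "R3"), ("R2", "R4"),
         ("R3", "R4"), ("R4", "R6"), ("R5", "R6"), ("R6", "E")]
# Registration in the slide's {ID, TYPE, LOCATION, MODE, Func} layout;
# LOCATION "R4" is an assumption taken from the routing slide.
DEVICES = {1: {"type": "NIDS", "location": "R4", "mode": "PASSIVE",
               "func": "Detect HTTP"}}
# Policy from the slide: {10.0.0.* -> *:80, {1}}
POLICIES = [{"src": "10.0.0.*", "dst": "*", "dport": 80, "devices": [1]}]


def shortest_path(src, dst):
    """Breadth-first search: hop-count shortest path, or None if unreachable."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = [node]
            while prev[path[-1]] is not None:
                path.append(prev[path[-1]])
            return path[::-1]
        for a, b in LINKS:
            nxt = b if a == node else a if b == node else None
            if nxt is not None and nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def devices_for(src_ip, dst_ip, dport):
    """IDs of the devices whose policy flow condition matches this flow."""
    return [d for p in POLICIES
            if fnmatch(src_ip, p["src"]) and fnmatch(dst_ip, p["dst"])
            and dport == p["dport"] for d in p["devices"]]


def route(src_ip, dst_ip, dport, start="S", end="E"):
    """Path from start to end that visits every matching device's router."""
    path = [start]
    ids = devices_for(src_ip, dst_ip, dport)
    for hop in [DEVICES[d]["location"] for d in ids] + [end]:
        leg = shortest_path(path[-1], hop)
        if leg is None:  # fail closed: never fall back to an uninspected path
            raise ValueError(f"no path to {hop}; flow not routed")
        path += leg[1:]
    return path
```

A flow from 10.0.0.7 to port 80 is steered through R4, while traffic that matches no policy keeps the plain shortest path; an unreachable device raises an error instead of silently skipping inspection.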

Home  Network  Management  

Home network with OpenFlow
• Home network management
  • Bismark
• Home network security
  • Outsourcing home network instrumentation

Bismark
• BISmark
  • An SDN Application Platform for the Home Network
• People
  • GIT
  • Nick Feamster, Joon Kim, Marshini Chetty, Srikanth Sundaresan, Steve Woodrow, Russ Clark, Abhishek Jain, Alfred Roberts

Bismark
• BISmark: An SDN Application Platform for the Home Network
• OpenWrt firmware with custom measurement suite
• Periodic active measurements of access link, home network
• Metrics: Throughput, latency, jitter
• Current hardware: Netgear 3700v2 router
• Planned support for other hardware platforms

Figure labels (figure not preserved): BISmark Gateway, Last Mile, Internet, Nearby Server

From Bismark talk

Bismark
• H/W and S/W
  • Firmware
    • OpenWrt, with luci web interface
    • IPv6-capable
  • Netgear 3700v2 router
    • Atheros chipset
    • MIPS processor, 16 MB flash, 64 MB RAM
    • Gigabit ethernet

Bismark
• Control Framework
  • User monitors behavior, sets policies with intuitive user interface
  • OpenFlow controller manages policies and router behavior

From Bismark talk

What else
• Wireless
  • Software Defined Wireless
    • CellSDN
  • OpenRoad
    • N-casting

Summary
• Some OpenFlow research projects have been translated into real products
• What is next?
  • Security
  • Home network management