2nd SDN Interest Group Session 2 (121218)
DESCRIPTION
Presentation slides from the 2nd SDN Interest Group Seminar, held on December 18, 2012.
TRANSCRIPT
OpenFlow Applications - Research View -
Seungwon Shin, ECE Department, Texas A&M University / Atto Research
Contents • OpenFlow Research projects
• Selected projects • Security • Home network management
• Summary
Research with OpenFlow • For OpenFlow itself • Controller • NOX, Maestro, Onix, HyperFlow
• High level language • Frenetic, Nettle
• Security • FortNOX, FRESCO
• Debugging • NICE, OpenFlow debugger, Veriflow
• Test • OFLOPS
Research with OpenFlow • With OpenFlow • Network management • OFRewind
• Network service • Cloud network: CloudNaaS, CloudWatcher, VM migration • Home network: Bismark • Wireless: OpenRoads, Software Defined Wireless
• Network monitoring • OpenSAFE, MeasuRouting, OpenTM
• Middlebox • Integration of SDN and middleboxes
Research with OpenFlow • With OpenFlow • Network virtualization • FlowVisor
• Security • CloudPolice, CloudWatcher
• New architecture • DevoFlow
• Virtual switch • Open vSwitch
Research → Product • Research to commercial products • Some products are based on research projects • Open vSwitch + FlowVisor → Nicira's NVP • Onix → Google's OpenFlow project • CloudNaaS → IBM's cloud management
• Some projects are close to commercial products • CloudWatcher → vArmour's products • Bismark → Meraki's products
Some selected applications • Security • Security for OpenFlow • Security with OpenFlow
• Home network management • Monitor home network • Manage home network • Make home network secure
Why? • Security • Requirements when deploying OpenFlow • Banks, government, etc.
• No notable companies
• Home network management • No need to replace existing H/W • Firmware download
• New service model • Meraki (not OpenFlow)
OpenFlow Security • Security for OpenFlow • FortNOX
• Security with OpenFlow • CloudPolice • CloudWatcher • FRESCO • Lightweight DDoS detection
CloudPolice • New access control for a cloud network environment • Features • Scalable (millions of tenants) • Flexible (easy to change) • Robust to DoS attacks
• People • UCB and Princeton • Lucian Popa, Minlan Yu, Steven Y. Ko, Sylvia Ratnasamy, and Ion Stoica
CloudPolice • Installed into each hypervisor • Overall operation • CloudPolice at the source sends a control packet before sending the data flow • CloudPolice at the destination checks the access control policies for that source and returns a response message to the source • CloudPolice at the source acts on the received response
From CloudPolice paper
CloudPolice • Implementation • Modify Open vSwitch • Conduct access control function with OpenFlow • Add a policy manager
CloudWatcher • A new framework to • Provide security monitoring services for large and dynamic cloud networks • Detour network packets to be inspected by pre-installed network security devices automatically • OpenFlow
• Provide a script to operate this framework
• People • Texas A&M University • Seungwon Shin and Guofei Gu
Operating Scenario (figure)
• Administrator: Register Security Devices → Create Security Policies
• CloudWatcher: Parse Security Policies → Create Routing Rules → Translate Routing Rules into OpenFlow Rules → Enforce Flow Rules into Routers
• Security device record: {ID, TYPE, LOCATION, MODE, Func}, e.g. {1, NIDS, 8, PASSIVE, Detect HTTP}, an NIDS (ID = 1) attached to the router with device ID 8
• Security policy: {FLOW CONDITION, DEVICE SET}, e.g. {10.0.0.* → *:80, {1}}
How to Control Flows • 4 approaches • Multipath naive • Shortest through • Multipath shortest • Shortest inline
- Sample network - S: start node, E: end node, R: router, C: security device
Simple Shortest Path • Basic routing scheme (NOT CloudWatcher's idea) • Find the shortest path between a start host and an end host • Path: S → R1 → R5 → R6 → E
• Problem • It does not pass through the security device C (attached to R4)
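The detour problem above, worked through as an added example (this is not CloudWatcher's code). It parses the deck's {ID, TYPE, LOCATION, MODE, Func} and {FLOW CONDITION, DEVICE SET} records, computes the plain shortest path and the "shortest through" detour via the router that hosts the security device, and emits one OpenFlow-style rule set per router. Assumptions not in the deck: a constructed topology chosen so that the shortest path is S → R1 → R5 → R6 → E while C hangs off R4; the mapping of the deck's router location 8 to R4; the arrow written as "->"; "*:80" treated as TCP; the device port named after the device; and the INLINE handling (a higher-priority rule matching on the device's in_port), which goes beyond the deck's PASSIVE example.

```python
# Added example (not CloudWatcher's own code): compile a CloudWatcher-style device
# record and security policy into per-router OpenFlow-like rules that detour the flow
# through the router hosting the security device.  Topology, location-to-router
# mapping, the "->" arrow spelling and the wildcard syntax are constructed assumptions.
from collections import deque
import re

# Constructed topology (unit cost, undirected): shortest path S-R1-R5-R6-E bypasses R4.
LINKS = [("S", "R1"), ("R1", "R2"), ("R1", "R5"), ("R2", "R3"), ("R2", "R4"),
         ("R3", "R4"), ("R4", "R6"), ("R5", "R6"), ("R6", "E")]
GRAPH = {n: set() for link in LINKS for n in link}
for a, b in LINKS:
    GRAPH[a].add(b)
    GRAPH[b].add(a)
LOCATION_TO_ROUTER = {8: "R4"}  # assumption: the deck's "Router (Device ID = 8)" is R4
DEVICE_RE = re.compile(r"\{\s*(\d+)\s*,\s*(\w+)\s*,\s*(\d+)\s*,\s*(\w+)\s*,\s*([^}]*?)\s*\}")
POLICY_RE = re.compile(r"\{\s*(\S+)\s*->\s*(\S+)\s*,\s*\{([\d\s,]*)\}\s*\}")

def shortest_path(graph, src, dst):
    """BFS shortest path (unit costs); sorted neighbours make tie-breaking deterministic."""
    prev, queue = {src: None}, deque([src])
    while queue and (node := queue.popleft()) != dst:
        for nxt in sorted(graph[node]):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        raise ValueError(f"{dst} is unreachable from {src}")
    path = [dst]
    while prev[path[-1]] is not None:
        path.append(prev[path[-1]])
    return path[::-1]

def shortest_through(graph, src, dst, waypoints):
    """The deck's "shortest through": shortest legs stitched via each waypoint in order."""
    path = [src]
    for hop in list(waypoints) + [dst]:
        path += shortest_path(graph, path[-1], hop)[1:]
    return path

def parse_device(line):
    """'{1, NIDS, 8, PASSIVE, Detect HTTP}' -> {ID, TYPE, LOCATION, MODE, Func}."""
    m = DEVICE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"bad device record: {line!r}")
    return {"id": int(m[1]), "type": m[2], "location": int(m[3]), "mode": m[4].upper(), "func": m[5]}

def parse_policy(line):
    """'{10.0.0.* -> *:80, {1}}' -> {FLOW CONDITION, DEVICE SET}."""
    m = POLICY_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"bad policy: {line!r}")
    return {"src": m[1], "dst": m[2], "devices": {int(x) for x in m[3].split(",") if x.strip()}}

def wildcard_to_cidr(host):
    """'10.0.0.*' -> '10.0.0.0/24'; '*' -> None (unconstrained).  Wildcards must be a suffix."""
    if host == "*":
        return None
    octets = host.split(".")
    fixed = [o for o in octets if o != "*"]
    if len(octets) != 4 or octets[:len(fixed)] != fixed:
        raise ValueError(f"unsupported address pattern: {host!r}")
    return ".".join(fixed + ["0"] * (4 - len(fixed))) + f"/{8 * len(fixed)}"

def endpoint_to_match(endpoint, side):
    """One 'host:port' half of a FLOW CONDITION -> OpenFlow-style match fields."""
    host, _, port = endpoint.partition(":")
    match = {}
    if cidr := wildcard_to_cidr(host):
        match[f"nw_{side}"] = cidr
    if port and port != "*":
        match["nw_proto"] = 6  # assumption: TCP, as "Detect HTTP" implies
        match[f"tp_{side}"] = int(port)
    return match

def compile_policy(graph, devices, policy, src_host, dst_host):
    """Return (path, rules): the (detoured) path and one flow rule set per router on it."""
    match = {"dl_type": 0x0800, **endpoint_to_match(policy["src"], "src"),
             **endpoint_to_match(policy["dst"], "dst")}
    devs = [devices[i] for i in sorted(policy["devices"])]
    waypoints = [LOCATION_TO_ROUTER[d["location"]] for d in devs]
    path = shortest_path(graph, src_host, dst_host)
    if not all(w in path for w in waypoints):  # detour only when the plain path misses a device
        path = shortest_through(graph, src_host, dst_host, waypoints)
    rules = []
    for router, nxt in zip(path[1:-1], path[2:]):
        actions = [f"output:{nxt}"]
        for d in (d for d in devs if LOCATION_TO_ROUTER[d["location"]] == router):
            port = f"{d['type']}{d['id']}"  # assumption: the router port facing the device
            if d["mode"] == "PASSIVE":      # mirror a copy to the sensor and keep forwarding
                actions.insert(0, f"output:{port}")
            else:                           # INLINE: what the device hands back continues on
                rules.append({"switch": router, "priority": 200,
                              "match": {**match, "in_port": port}, "actions": [f"output:{nxt}"]})
                actions = [f"output:{port}"]
        rules.append({"switch": router, "priority": 100, "match": match, "actions": actions})
    return path, rules
```

With the deck's records, `compile_policy(GRAPH, {1: parse_device("{1, NIDS, 8, PASSIVE, Detect HTTP}")}, parse_policy("{10.0.0.* -> *:80, {1}}"), "S", "E")` returns the detoured path S → R1 → R2 → R4 → R6 → E and, on R4, a rule that both mirrors 10.0.0.0/24 → TCP/80 to the NIDS and forwards it to R6. The detour is the "shortest through" variant; a multipath variant would spread the flow condition over several such paths.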
Home network with OpenFlow • Home network management • Bismark
• Home network security • Outsourcing home network instrumentation
Bismark • BISmark • An SDN Application Platform for the Home Network
• People • Georgia Tech • Nick Feamster, Joon Kim, Marshini Chetty, Srikanth Sundaresan, Steve Woodrow, Russ Clark, Abhishek Jain, Alfred Roberts
Bismark • OpenWrt firmware with custom measurement suite • Periodic active measurements of access link, home network • Metrics: Throughput, latency, jitter
• Current hardware: Netgear 3700v2 router • Planned support for other hardware platforms
(Figure from the Bismark talk: BISmark gateway, last mile, Internet, nearby server)
Bismark • H/W and S/W • Firmware • OpenWrt, with LuCI web interface, IPv6-capable
• Netgear 3700v2 router • Atheros chipset • MIPS processor, 16 MB flash, 64 MB RAM, Gigabit Ethernet
Bismark • User monitors behavior, sets policies with intuiFve user interface
• OpenFlow controller manages policies and router behavior
(Figure from the Bismark talk: Control Framework)
Summary • Some OpenFlow research projects have been translated into real products
• What is next? • Security • Home network management