virtual trusted domain
DESCRIPTION
Garrett Drown Tianyi Xing Group #4. Virtual Trusted Domain. CSE548 – Advanced Computer Network Security. Virtual Trusted Domains. What are Virtual Trusted Domains? A virtual trusted domain (VTD) is a collection of machines , regardless of physical boundaries, that trust one another. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/1.jpg)
VIRTUAL TRUSTED DOMAIN
Garrett Drown
Tianyi Xing
Group #4
CSE548 – Advanced Computer Network Security
![Page 2: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/2.jpg)
Virtual Trusted Domains
What are Virtual Trusted Domains?
A virtual trusted domain (VTD) is a collection of machines, regardless of physical boundaries, that trust one another.
![Page 3: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/3.jpg)
What is NetFPGA? Low-cost platform, primarily designed as
a tool for teaching networking hardware and router design
![Page 4: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/4.jpg)
Project Goal Create and manage virtual trusted
domains for virtual machines through the use of a NetFPGA.
Provide the virtual machines with reliable, secure, and fast connections to others in their virtual trusted domain.
![Page 5: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/5.jpg)
Preliminary Setup
PC
PING
OpenFlowprotocol
NetFPGAController
controllerofprotocol
openflow_switch.bitofdatapath.ko
ofdatapath_netfpga.ko
UserspaceKernel / Hardware
192.168.1.1
192.168.2.1
![Page 6: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/6.jpg)
Technical DetailsRoadmap of project: By midterm:
Research how to program NetFPGAs. Research and design an implementation for Virtual Trusted Domains on
a NetFPGA. Research Path Splicing, which implements similar features that we
would like to use in our project. Setup environment and begin coding our program which creates and
manages Virtual Trusted Domains on a NetFPGA Find and (if time permitting) set up an existing similar solution (if there is
one) for VTDs as a basis for our work. By final:
Modify the existing solution which can or potentially can implement the VTD.
Deploy the program and setup a test-bed on a NetFPGA. Tested and debugged. Final documents completed.
![Page 7: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/7.jpg)
Research how to program NetFPGAs
NetFPGAs: Programming will be done in Verilog. Will be using the Xilinx ISE Design Suite. The NetFPGA Project primarily consists of
open source hardware. As a result, there is a lot of open source hardware available to us that we may use in our project.
Still to do: In depth exploration of the packet handling
code.
![Page 8: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/8.jpg)
Research & Design a VTD for NetFPGA
Virtual Trust Domains (VTDs): The concept of VTDs is slowly being
developed and is not a concrete idea. Some developers are designing VTDs in
such a way that all members must use the same security policies.
Other developers (such as IBM) believe that each computer should have a service which rates the computer’s security level. Based on this result, other computers in the VTD can choose whether or not to trust it.
![Page 9: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/9.jpg)
Research & Design a VTD for NetFPGA
Virtual Trust Domains (VTDs): The core idea is still the same.
A collection of machines, regardless of physical boundaries, that trust one another based on security policies that each utilize.
![Page 10: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/10.jpg)
Research & Design a VTD for NetFPGA
Idea so far: Have the controller maintain and utilize a
database which contains the list of approved “members” and other settings (required security policy strength, etc.)
The OpenFlow packet header will be modified to include a user’s security policy and the VTD he wishes to communicate with.
The flow table will maintain good performance by “caching” the controller’s database as needed.
![Page 11: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/11.jpg)
Flow Table Entry
VTD ID & Security Policy
![Page 12: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/12.jpg)
Identify different VMs using two labels
The label1 is for identifying different domain
The label2 is for identifying different machine in the domain
With this two level identifiers, we can identify the different VMs in different virtual domain.
![Page 13: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/13.jpg)
Research Path Splicing
The core functionality in path splicing is found in each router which has several routing tables, each with different possible paths.
In the packet header there is an added section for “forwarding bits.” These bits tell the router which routing table to choose.
Similar to our project, as we will be using added bits to our packet headers to represent which VTD the user is in and his security policies.
![Page 14: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/14.jpg)
Setup Hardware and Begin Coding
We have our computer and programming environment ready to go.
We have installed the MPLS OpenFlow switch.
![Page 15: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/15.jpg)
New Tasks
Research MPLS (Multiprotocol Label Switching).Used for creating virtual connections between
physically distant nodes.Will be used to connect/network distant VTDs
together. Implement and test the MPLS with the
OpenFlow MPLS switch on a NetFPGA.
![Page 16: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/16.jpg)
Why MPLS?
Delivers high speed L2 (really “Label”) switching at low cost vs. traditional L3 routing
Provides Traffic Engineering - allows the user to direct traffic based on network utilization and demand.
Ease of provisioning QoS Support for VPNs
http://snac.eas.asu.edu/snac.html
![Page 17: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/17.jpg)
MPLS ISO model
PPP
Physical (Optical - Electrical) 1
2
IP 3
4
Applications7to5
FrameRelay
ATM (*)
TCP UDP
PPP FR ATM (*)
MPLS
![Page 18: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/18.jpg)
Label
![Page 19: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/19.jpg)
Components (contd.)
Label Edge Router-LER Label Switching Router –LSR Forward Equivalence Class-FEC Label-Switched Paths -LSPs Set up an LSP
![Page 20: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/20.jpg)
The MPLS Network Architecture
![Page 21: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/21.jpg)
NetFPGA Preparation (contd.)
HardwarePre-build NetFPGA server
SoftwareCentOS 5NetFPGA base package (2.X)
![Page 22: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/22.jpg)
NetFPGA Preparation (contd.)
Compile driver and tools Load driver and tools Reboot and verify if the driver is loaded
Module NetFPGA interfaceReprogram the CPCI
Run Selftest
![Page 23: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/23.jpg)
Regression Test
The regression test suite is a set of tests that exercise the functionality of the released gateware and software
At least connect 2 interfaces Load bit file to NetFPGA board Run regression test (10 Mins)
![Page 24: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/24.jpg)
OpenFlow MPLS
Defined actionsPUSH: Packet entering MPLS cloud;
Merging MPLS FECs into one FEC.POP: Packets leaving MPLS cloud; FEC
DemultiplexingSWAP: Changing labels inside MPLS cloud.
![Page 25: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/25.jpg)
OpenFlow MPLS
PUSH and POP are not native OpenFlow actions
TTL/TOS operations are very specific to MPLS
Only Swap operation can be done using OpenFlow actions (rewrite action)
![Page 26: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/26.jpg)
OpenFlow MPLS
Ericsson have modified the OpenFlow Match on up to 2 top of the stack MPLS
tags. Rewrite Tag and Exp (in spirit of OF
0.89) Forward to virtual port to take care of
complex MPLS actions
![Page 27: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/27.jpg)
OpenFlow MPLS Installation (contd.) Make sure the NetFPGA is working fine
with right version Make the OpenFlow-MPLS kernel
moduleCompile the source code (probably have
compatibility issue with Linux kernel)Make, make install
Insmod the openflow kernel module and hardware table from datapath/linux-2.6*/
![Page 28: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/28.jpg)
OpenFlow MPLS Installation (contd.) Setup the OpenFlow switch with 4 ports
(nf2cX ports) (shell script) Verify the installation
Load the environment variablesRun testing script
○ Check the traffic between OF and controller
Run OpenFlow MPLS switchDownload the bit file into the NetFPGA
![Page 29: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/29.jpg)
OpenFlow MPLS Installation (contd.) Run the controller (either local or remote
is fine) (ask for the xml file) Run secchan from the secchan directory Real test or run simulated package
generator Run wireshark to capture the packages
![Page 30: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/30.jpg)
Installation Challenges
Compatibility issueWith NetFPGA
Different reference package was developed upon different NetFPGA base package version, please carefully refer to http://netfpga.org/foswiki/bin/view/NetFPGA/OneGig/ProjectTable
With Linux KernelConsult to the developer or carefully go through their
wiki
Official guide (wiki) has error/typoI contacted developers and corrected some
errors or typos on wiki (version, command)
![Page 31: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/31.jpg)
OpenFlow MPLS Scenario
PC
PING
OpenFlow MPLSNetFPGA
Controller
controllerofprotocol
openflow_switch.bitofdatapath.ko
ofdatapath_netfpga.ko
UserspaceKernel / Hardware
Localhost eth0
Localhost eth1
![Page 32: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/32.jpg)
Next Step - Deployment
![Page 33: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/33.jpg)
Next Step - Task
It is not recommended to deploy the tunnel on the NetFPGA, which makes the system slow.
Find a feasible tunneling implement to be deployed in our system to make different domain into one together.
Deploy the Openflow Switch upon that to build up the MPLS core network.
Implement security policy on the controller to make the domain be with security concern.
![Page 34: Virtual Trusted Domain](https://reader035.vdocuments.site/reader035/viewer/2022070414/56814dca550346895dbb1f19/html5/thumbnails/34.jpg)
Questions?