Traffic Management - OpenFlow Switch on the NetFPGA platform. Chun-Jen Chung (1203584897), Sriram Gopinath (1203800749)

Upload: paul-washington

Post on 14-Dec-2015


Page 1: Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) Sriram Gopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform

Chun-Jen Chung (1203584897), Sriram Gopinath (1203800749)

Page 2

Outline

• OpenFlow Switch
• Applications
• OpenFlow Switch as a Basic Firewall
• Per Packet Authentication
• Possible attacks in a VLAN-based network
• Analysis on the possible attacks
• Result

Page 3

OpenFlow

• OpenFlow is an open standard for deploying new, innovative protocols in a real networking environment.
• OpenFlow is an open interface for remotely controlling the forwarding tables in network switches, routers, and access points.
• OpenFlow provides an open protocol to program the flow table in different switches and routers.
• An OpenFlow Switch consists of at least three parts:

(1) A Flow Table, with an action associated with each flow entry, to tell the switch how to process the flow

(2) A Secure Channel that connects the switch to a remote control process (called the controller), allowing commands and packets to be sent between a controller and the switch

(3) The OpenFlow Protocol, which provides an open and standard way for a controller to communicate with a switch

Page 4

Idealized OpenFlow Switch

• The OpenFlow Switch and Controller communicate via the OpenFlow protocol, which defines messages such as packet-received, send-packet-out, modify-forwarding-table, and get-stats.

Page 5

Applications

• Traffic Management
  – To block the malicious traffic
  – Per Packet Authentication
  – /*To prevent VLAN Hopping Attack (Configuration Issue)*/

Page 6

PROJECT STATUS

Initial Status (March 8th):
• Initial set up (installing OpenFlow and NOX controller)
• Solution for Application 1 and Application 2

Current Status (April 21st):
• Implementing Application 1
• Completing Phase 1 and 2 of Application 2

Pending Activity:
• Phase 3 of Application 2

Page 7

To block the malicious traffic

Implementation detail:

• When a packet in a new flow arrives at the OpenFlow switch, it is sent to the Controller to make the appropriate decision.
• The Controller decides whether to block this packet or to deliver it to the destination specified in the packet.
• A script has been written to generate the list of blacklisted IPs.
• This list is then used by the OpenFlow switch to block any traffic from/to these blacklisted sources.
• Code is implemented in the Controller to drop packets which are from the blacklisted IPs.
• IP in the packet --match-- IP in the blacklist IP addresses -- Drop the packet
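The packet-in / flow-table decision described on this slide, as an added example that is not the project's NOX code: a constructed blacklist file is parsed, the controller decides once per new flow, and the resulting drop/forward entry is installed so later packets of the flow never reach the controller. The switch and controller classes and the sample addresses are my own constructions.

```python
import ipaddress

# Constructed sample of the blacklist file the slide's script would generate.
BLACKLIST_TEXT = """\
# blacklisted sources (constructed sample)
203.0.113.7
198.51.100.0/24
"""

def load_blacklist(text):
    """Parse one IP or CIDR per line, ignoring blanks and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def is_blacklisted(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

class FlowTable:
    """Switch-side table: exact (src, dst) match -> action; a miss is a new flow."""
    def __init__(self):
        self.entries = {}
    def lookup(self, src, dst):
        return self.entries.get((src, dst), "miss")
    def install(self, src, dst, action):
        self.entries[(src, dst)] = action

class BlacklistController:
    """Controller: decides once per new flow and pushes the entry to the switch."""
    def __init__(self, nets):
        self.nets = nets
    def packet_in(self, table, src, dst):
        blocked = is_blacklisted(src, self.nets) or is_blacklisted(dst, self.nets)
        action = "drop" if blocked else "forward"
        table.install(src, dst, action)  # later packets of this flow stay on the switch
        return action

def switch_handle(table, controller, src, dst):
    """Fast path on a flow-table hit; packet-in to the controller on a miss."""
    action = table.lookup(src, dst)
    if action == "miss":
        action = controller.packet_in(table, src, dst)
    return action

if __name__ == "__main__":
    table = FlowTable()
    ctl = BlacklistController(load_blacklist(BLACKLIST_TEXT))
    print(switch_handle(table, ctl, "203.0.113.7", "10.0.0.5"))  # drop
    print(switch_handle(table, ctl, "10.0.0.5", "10.0.0.9"))     # forward
```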

Page 8

Sample Scenario

Page 9

Per Packet Authentication

This application is to uniquely identify packets from the source. This involves three steps:
• Generate a unique identification code at the source end
• Transmit this code along with every packet
• Evaluate the code at the destination end (Switch)

Page 10

Network Set up

Xen Configuration

Simulated Network

Page 11

Step 1: Generate unique identification code at the source end

The unique identification code is generated by computing a hash over the parameters below:
• Current Timestamp (48 bits)
• Source MAC address (48 bits)
• Secret Key (48 bits)

Hashing Technique: Hash[Secret Key, {Timestamp, Source MAC}]

Task Completed: HMAC SHA2 algorithm implemented to generate the hash value (48 bits).

Page 12

Step 2: Transmit the identifier in every packet

• We have used the packet generation algorithm to modify the transmitted packets to include the hash code generated and the timestamp used in Step 1.
• We have used the QinQ mechanism available in the 802.1Q packet header format to include these additional values in the packet.

Page 13

Page 14

Step 3: Evaluate the identifier at the Switch

• The hash code is generated again at the switch using the parameters in the packet.
• The SHA-1 algorithm used in Step 1 is used to generate the hash value.
• This value is compared with the hash code in the packet.
• If both values are equal, the packet is processed; otherwise it is dropped.
• This code is implemented in the switch and not in the controller, so as to reduce the load on the controller.
• With this implementation, packets that are not legitimate can be dropped before processing.
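The three steps above carried through end to end, as an added example that is not the project's code: an HMAC-SHA256 over the 48-bit timestamp and 48-bit source MAC, keyed with a 48-bit secret and truncated to 48 bits, is attached at the source and recomputed at the switch from the packet's own fields. Appending the fields as a trailer (the slides use a QinQ header) and the MAX_SKEW_MS freshness window that rejects stale or replayed codes are my assumptions.

```python
import hmac
import hashlib

TAG_BYTES = 6        # 48-bit code, as on the slides
MAX_SKEW_MS = 2000   # assumption: how stale a timestamp the switch still accepts

def pack_fields(timestamp_ms, src_mac):
    """{Timestamp (48 bits), Source MAC (48 bits)} as the HMAC message."""
    return timestamp_ms.to_bytes(6, "big") + bytes.fromhex(src_mac.replace(":", ""))

def make_code(secret_key, timestamp_ms, src_mac):
    """Step 1: HMAC-SHA256 over the fields, truncated to 48 bits."""
    mac = hmac.new(secret_key, pack_fields(timestamp_ms, src_mac), hashlib.sha256)
    return mac.digest()[:TAG_BYTES]

def tag_frame(frame, secret_key, timestamp_ms, src_mac):
    """Step 2: append timestamp and code to the frame (trailer layout is an assumption)."""
    return frame + timestamp_ms.to_bytes(6, "big") + make_code(secret_key, timestamp_ms, src_mac)

def verify_frame(tagged, secret_key, now_ms):
    """Step 3 (switch side): recompute from the packet's own fields and compare.
    Returns the bare frame when accepted, None when it should be dropped."""
    if len(tagged) < 14 + 2 * TAG_BYTES:      # Ethernet header plus trailer
        return None
    frame, trailer = tagged[:-2 * TAG_BYTES], tagged[-2 * TAG_BYTES:]
    timestamp_ms = int.from_bytes(trailer[:6], "big")
    code = trailer[6:]
    src_mac = frame[6:12].hex(":")             # Ethernet source address field
    expected = make_code(secret_key, timestamp_ms, src_mac)
    if not hmac.compare_digest(code, expected):
        return None                            # forged or tampered (e.g. spoofed source MAC)
    if abs(now_ms - timestamp_ms) > MAX_SKEW_MS:
        return None                            # valid code but stale: replay or clock drift
    return frame

if __name__ == "__main__":
    key = bytes.fromhex("0123456789ab")        # constructed 48-bit secret key
    frame = b"\xff" * 6 + bytes.fromhex("02aabbccddee") + b"\x08\x00" + b"constructed payload"
    tagged = tag_frame(frame, key, 1_000_000, "02:aa:bb:cc:dd:ee")
    print(verify_frame(tagged, key, 1_000_500) == frame)   # True
    print(verify_frame(tagged, key, 1_010_000))            # None (stale)
```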

Page 15

Page 16

Possible attacks in a VLAN-based network

There are several different types of attack at layer 2, and most of them exploit the inability of a device to track the attacker. Therefore, the attacker can perform undetected malicious actions on the forwarding path to alter it and then exploit the change.

• MAC Flooding Attack
This is not properly a network “attack” but more a limitation of some switches and bridges. Some of these devices possess a finite hardware learning table to store the source addresses of all received packets; when this table becomes full, traffic directed to addresses that can no longer be learned is permanently flooded.

• 802.1Q Tagging Attack
Tagging attacks are malicious schemes that allow a user on a VLAN to get unauthorized access to another VLAN.
– If a switch port was configured as DTP auto and were to receive a fake DTP packet, it might become a trunk port and might start accepting traffic destined for any VLAN.
– When simply receiving regular packets, a switch port may behave like a full-fledged trunk port.

Page 17

Possible attacks in a VLAN-based network

• ARP Attacks
An attacker can claim that his or her MAC address is associated with any IP address within a specific subnet. This is possible because ARP requests or replies carry the information about the L2 identity (MAC address) and the L3 identity (IP address) of a device, and there is no mechanism for verifying the correctness of these identities.

• Double-Encapsulated 802.1Q / Nested VLAN Attack
When double-encapsulated 802.1Q packets are injected into the network from a device whose VLAN happens to be the native VLAN of a trunk, the VLAN identification of those packets cannot be preserved from end to end, since the 802.1Q trunk would always modify the packets by stripping their outer tag. After the external tag is removed, the internal tag permanently becomes the packet’s only VLAN identifier. Therefore, by double-encapsulating packets with two different tags, traffic can be made to hop across VLANs.

Page 18

Analysis of Attacks

• All these attacks were analyzed in our current network.
• It was identified that proper configuration would protect the environment from most of these attacks.
• Using ARP Inspection, the occurrence of a few of these attacks can be prevented.

• Why Per Packet Authentication?

Page 19

Attack Scenario

Normal Scenario

When Compromised

Page 20

Analysis

• In the virtual environment, Dom0, which acts as the base platform, should be protected. Only by compromising this instance can an attacker possibly launch an attack.
• If Dom0 is protected, the possibility of an attack in the virtual environment is minimal.
• Per Packet Authentication enhances the security of a VLAN-enabled network by extending the security even when the Dom0 instance is compromised.
• Even if the ports are configured as native trunk ports, this mechanism would prevent the VLAN Hopping Attack.
• This mechanism can be extended to a physical switch to ensure illegal traffic doesn’t pass through even if Dom0 is compromised.

Page 21

Result

• Application 1 (basic firewall implementation) has been implemented completely. Application 2 (Per Packet Authentication), which is yet to be completed, would help in improving the security of a VLAN-enabled network.

Page 22

DEMO