authorizing network control at software defined exchange
play

Authorizing Network Control at Software Defined Exchange Points - PowerPoint PPT Presentation

Oct 22, 2023 •151 likes •363 views

Authorizing Network Control at Software Defined Exchange Points Arpit Gupta Princeton University http://sdx.cs.princeton.edu Nick Feamster, Laurent Vanbever Internet Exchange Points (IXPs) Route Server BGP Session IXP Switching Fabric AS

  1. Authorizing Network Control at Software Defined Exchange Points Arpit Gupta Princeton University http://sdx.cs.princeton.edu Nick Feamster, Laurent Vanbever

  2. Internet Exchange Points (IXPs) Route Server BGP Session IXP Switching Fabric AS A Router AS B Router AS C Router 2

  3. Software Defined IXPs (SDXs) SDX Controller SDX BGP Session SDN Switch AS A Router AS B Router AS C Router 3

  4. SDX Opens Up New Possibilities • More flexible business relationships – Make peering decisions based on time of day, volume of traffic & nature of application • More direct & flexible traffic control – Define fine-grained traffic engineering policies • Better security – Block or redirect attack traffic at finer level of granularity 4

  5. SDX for DDoS Attack Mitigation Attacker SDX 1 SDX 2 AS 88 Attack traffic traverses two different SDXs 5

  6. Remotely Block Attack Traffic Attacker SDX 1 SDX 2 SDN Policies AS 88 Victim remotely pushes block rules to SDX 6

  7. Subscribe to Third Party Services Attacker Verisign SDX 1 SDX 2 SDN Policies DOTS AS 88 Victim Subscribes to Verisign for DDoS Protection 7

  8. SDX vs. Traditional DDoS Defense • Remote influence Physical connectivity to SDX not required • More specific Drop rules based on multiple header fields, source address, destination address, port number … • Coordinated Drop rules can be coordinated across multiple IXPs 8

  9. Spider-Man Dilemma With Great Power Comes Great Responsibility • Authorize Remote Requests – Is AS 88 owner of flow space under attack? • Authorize Third Party Requests – Is Verisign authorized by AS 88 to block or redirect attack traffic? – Is AS 88 owner of flow space under attack? 9

  10. Authorization Logic • Conventional Authorization Logic – Applied over discrete resources – Limited allowable actions (read/write etc.) • Authorization Logic for Network Control – Resources à Set of packets within some flow space – Actions à Transformations on the packet’s metadata 10

  11. FLANC Authorization Logic • Resource Ownership – Principals that own the resource under consideration • Allowed Actions – Set of allowed transformations for resource owners, T:{sIP, sPort, dIP, dPort, phyPort} à {sIP, sPort, dIP, dPort, phyPort} – e.g. Drop Telnet traffic from 10.0.0.1 and 20.0.0.1 T :{{10.0.0.1,20.0.0.1}, *,*, {23},*} à {*,*,*,*,{}} • Delegations – Mechanisms by which one principal gives other permission to operate on their resources 11

  12. FLANC Authorization Logic at SDX SDX Controller … Participant 1 Participant 2 Participant N Request Handler Reference Monitor Event Credential Credentials Network Events Handler Handler Southbound APIs Switching Fabric

  13. AS 88 sends Delegation Credentials Attacker Verisign SDX 1 SDX 2 AS 88 AS 88 says, Verisign speaks for AS 88 for T, where T:{*,*,{128.112.0.0/16},{80,443},*} à {*,*,*,*,*} 13

  14. AS 88’s HTTP Server under Attack Attacker Verisign SDX 1 SDX 2 AS 88 (HTTP, 128.112.136.35) 14

  15. AS 88 sends DOTS Message Attacker Verisign SDX 1 SDX 2 {128.112.136.35,80,TCP} AS 88 15

  16. Verisign sends SDN Policies Attacker Verisign dIP=128.112.136.80, dPort=80 à fwd(V) SDX 1 SDX 2 AS 88 16

  17. Checking Authorization at SDX • Request Handler – Associate request with the principal (Verisign) – Extract request transformation • T req :{*, *, 128.112.136.80, 80, *} à {*,*,*,*,V} • Credential Handler – CA says, “ AS 88 owns {*, *, 128.112.0.0/16, *, * } ” – Delegation credentials from AS 88 • Reference Monitor – Generate a proof, “ Verisign can say T req ” 17

  18. Evaluation Results Remote Requests Third Party Requests Cumulative Distribution of Time 1 . 0 0 . 8 0 . 6 0 . 4 0 . 2 0 . 0 0 20 40 60 80 100 120 140 Time (us) Dataset: AS 88 IPS logs for 1 week, 550K alert events 18

  19. Evaluation Results Remote Requests Third Party Requests Cumulative Distribution of Time 1 . 0 0 . 8 0 . 6 0 . 4 0 . 2 0 . 0 0 20 40 60 80 100 120 140 Time (us) FLANC incurs minimal performance overhead 19

  20. Takeaways • Authorizing Network Control at SDX is critical • FLANC is the first step – Associates requests with principal – Considers flow space abstraction – Considers conditional delegations • FLANC’s scope is broader than SDX – Campus Network – Mitigating Route Hijacks 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Layering, dynamics, optimization & control in software defined networks Nikolai Matni

Layering, dynamics, optimization & control in software defined networks Nikolai Matni

Layering, dynamics, optimization & control in software defined networks Nikolai Matni Computing and Mathematical Sciences joint work with John Doyle (Caltech) and Kevin Tang (Cornell) Distributed optimal control & software defined

591 views • 21 slides
Authorizing network access for IoT devices Mohit Sethi Tuomas Aura Outline Authorizing

Authorizing network access for IoT devices Mohit Sethi Tuomas Aura Outline Authorizing

Authorizing network access for IoT devices Mohit Sethi Tuomas Aura Outline Authorizing local network and Internet access for IoT devices Cloud-managed network-access authoriza=on Bootstrapping security between device and cloud

328 views • 20 slides
Software-Defined Network Exchanges (SDXs) and Software-Defined Infrastructure (SDI) Joe

Software-Defined Network Exchanges (SDXs) and Software-Defined Infrastructure (SDI) Joe

Software-Defined Network Exchanges (SDXs) and Software-Defined Infrastructure (SDI) Joe Mambretti, Director, (j-mambretti@northwestern.edu) International Center for Advanced Internet Research (www.icair.org) Northwestern University Director,

442 views • 23 slides
Software Defined Networking : A Security Perspective Dr. Sarker Tanveer Ahmed Rumee Dept. of

Software Defined Networking : A Security Perspective Dr. Sarker Tanveer Ahmed Rumee Dept. of

Software Defined Networking : A Security Perspective Dr. Sarker Tanveer Ahmed Rumee Dept. of CSE, University of Dhaka Traditional Network Infrastructure Two Main Tasks Control of information flow (control plane) Calculation of routing

539 views • 26 slides
Computer Networks Project 2 & HW 1 By Qian Yan (qiany7@) 1 Software Defined Network (SDN)

Computer Networks Project 2 & HW 1 By Qian Yan (qiany7@) 1 Software Defined Network (SDN)

Computer Networks Project 2 & HW 1 By Qian Yan (qiany7@) 1 Software Defined Network (SDN) Controller Switch OpenFlow Control Data Plane Plane Making decisions Perform actions How to forward data Forward Order to

106 views • 9 slides
EXCHANGE CONTROL EXCHANGE CONTROL MEANS OFFICIAL INTERFERENCE IN THE FOREIGN EXCHANGE DEALINGS

EXCHANGE CONTROL EXCHANGE CONTROL MEANS OFFICIAL INTERFERENCE IN THE FOREIGN EXCHANGE DEALINGS

Chapter No. Page No. 4 72 International Finance EXCHANGE CONTROL IN INDIA EXCHANGE CONTROL EXCHANGE CONTROL MEANS OFFICIAL INTERFERENCE IN THE FOREIGN EXCHANGE DEALINGS OF A COUNTRY. THE CONTROL MAY EXTEND A WIDE AREA COVERING:

922 views • 23 slides
Software-Defined Networks Jennifer Rexford Princeton University Traditional Networks 2 control

Software-Defined Networks Jennifer Rexford Princeton University Traditional Networks 2 control

Software-Defined Networks Jennifer Rexford Princeton University Traditional Networks 2 control plane: distributed algorithms data plane: packet processing decouple control and data planes Software Defined Networks 3 decouple control and

370 views • 20 slides
Revisiting Routing Control Platforms with the Eyes and Muscles of Software-Defined Networking

Revisiting Routing Control Platforms with the Eyes and Muscles of Software-Defined Networking

Revisiting Routing Control Platforms with the Eyes and Muscles of Software-Defined Networking ACM SIGCOMM HotSDN' 12 Workshop Helsinki, Finland, 13 August 2012 Agenda Research in scope and contribution RouteFlow Control Platform

709 views • 26 slides
Revisiting Routing Control Platforms with the Eyes and Muscles of Software-Defined Networking

Revisiting Routing Control Platforms with the Eyes and Muscles of Software-Defined Networking

Revisiting Routing Control Platforms with the Eyes and Muscles of Software-Defined Networking ACM SIGCOMM HotSDN' 12 Workshop Helsinki, Finland, 13 August 2012 Agenda Research in scope and contribution RouteFlow Control Platform

621 views • 31 slides
CS 356: Computer Network Architectures Lecture 26: Router hardware, Software defined networking,

CS 356: Computer Network Architectures Lecture 26: Router hardware, Software defined networking,

CS 356: Computer Network Architectures Lecture 26: Router hardware, Software defined networking, and programmable routers [PD] chapter 3.4 Xiaowei Yang xwy@cs.duke.edu Overview Switching hardware Software defined networking

1.07k views • 70 slides
Raytheon BBN Technologies Network Measurement in a World of Software Defined Radios Dr. Craig

Raytheon BBN Technologies Network Measurement in a World of Software Defined Radios Dr. Craig

Raytheon BBN Technologies Network Measurement in a World of Software Defined Radios Dr. Craig Partridge Chief Scientist Network Research AIMS Workshop SDRs are Chameleons They change frequencies and protocols as applications and

559 views • 7 slides
SDX: A Software-Defined Internet Exchange Arpit Gupta Laurent Vanbever, Muhammad Shahbaz, Sean

SDX: A Software-Defined Internet Exchange Arpit Gupta Laurent Vanbever, Muhammad Shahbaz, Sean

SDX: A Software-Defined Internet Exchange Arpit Gupta Laurent Vanbever, Muhammad Shahbaz, Sean Donovan, Brandon Schlinker, Nick Feamster, Jennifer Rexford, Scott Shenker, Russ Clark, Ethan Katz-Bassett Georgia Tech, Princeton University, UC

508 views • 33 slides
Software Defined VPNs S Konstantaras & G Thessalonikefs stavros.konstantaras@os3.nl

Software Defined VPNs S Konstantaras & G Thessalonikefs stavros.konstantaras@os3.nl

University of Amsterdam System and Network Engineering MSc July 3, 2014 Software Defined VPNs S Konstantaras & G Thessalonikefs stavros.konstantaras@os3.nl george.thessalonikefs@os3.nl Background Software Defined Virtual Private

942 views • 34 slides
Enforcing Customizable Consistency Properties in Software-Defined Networks Wenxuan Zhou , Dong

Enforcing Customizable Consistency Properties in Software-Defined Networks Wenxuan Zhou , Dong

Enforcing Customizable Consistency Properties in Software-Defined Networks Wenxuan Zhou , Dong Jin, Jason Croft, Matthew Caesar, Brighten Godfrey 1 Network changes control applications, changes in traffic load, system upgrades,

476 views • 21 slides
Flexible Building Blocks for Software Defined Network Function Virtualization

Flexible Building Blocks for Software Defined Network Function Virtualization

Introduction Solution Evaluation Summary Flexible Building Blocks for Software Defined Network Function Virtualization (Tenant-Programmable Virtual Networks) Aryan TaheriMonfared Chunming Rong Department of Electrical Engineering and

1.76k views • 37 slides
Architecture for Software-Defined Wireless Networks Julius Schulz-Zander, Nadi Sarrar, Stefan

Architecture for Software-Defined Wireless Networks Julius Schulz-Zander, Nadi Sarrar, Stefan

AeroFlux: A Near-Sighted Controller Architecture for Software-Defined Wireless Networks Julius Schulz-Zander, Nadi Sarrar, Stefan Schmid WiFi needs SDN! Network services as applications Channel Selection Coarse Grained Control

573 views • 7 slides
Modeling Persistent Congestion for Tail Drop Queue Alex Marder & Jonathan M. Smith University

Modeling Persistent Congestion for Tail Drop Queue Alex Marder & Jonathan M. Smith University

Modeling Persistent Congestion for Tail Drop Queue Alex Marder & Jonathan M. Smith University of Pennsylvania Problem Can we determine the severity of persistent congestion? 100mbit >> 1mbit Why? How bad is interdomain

389 views • 34 slides
Web Attacks Nadia Heninger and Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten

Web Attacks Nadia Heninger and Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten

Web Attacks Nadia Heninger and Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web Security Risks https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010-2017%20(en).pdf Today

916 views • 87 slides
CS 134: Operating Systems Security 1 / 29 Overview CS134 Overview 2014-04-22 Introduction

CS 134: Operating Systems Security 1 / 29 Overview CS134 Overview 2014-04-22 Introduction

CS134 2014-04-22 CS 134: Operating Systems Security CS 134: Operating Systems Security 1 / 29 Overview CS134 Overview 2014-04-22 Introduction to Security Classification Cryptography Overview Attacks Introduction to Security

574 views • 38 slides
Building Secure Channels Kenny Paterson Information Security Group

Building Secure Channels Kenny Paterson Information Security Group

Building Secure Channels Kenny Paterson Information Security Group Overview Why do we need secure channels? What properties should they have?

480 views • 31 slides
traffic confirmation attacks despite noise Jamie Hayes University College London

traffic confirmation attacks despite noise Jamie Hayes University College London

traffic confirmation attacks despite noise Jamie Hayes University College London j.hayes@cs.ucl.ac.uk anonymous communication We kill people based on the metadata. - Michael Hayden (Former NSA Director) - Sometimes encryption isnt

720 views • 29 slides
Computer Security Foundations What is Security? Attacker Assets Threat Counter- measure

Computer Security Foundations What is Security? Attacker Assets Threat Counter- measure

IN3210 Network Security Computer Security Foundations What is Security? Attacker Assets Threat Counter- measure Computer Security Security of computers and networks Protection of digital assets Axioms of Computer Security:

240 views • 23 slides
Introduction Introduction Nils Gruschka University Kiel (Diploma in Computer Science)

Introduction Introduction Nils Gruschka University Kiel (Diploma in Computer Science)

Network and Communications Security (IN3210/IN4210) Introduction Introduction Nils Gruschka University Kiel (Diploma in Computer Science) T-Systems, Hamburg University Kiel (PhD in Computer Science) Nils Gruschka NEC

767 views • 33 slides
IPv6 Routing Header Security. Philippe BIONDI Arnaud EBALARD phil(at)secdev.org /

IPv6 Routing Header Security. Philippe BIONDI Arnaud EBALARD phil(at)secdev.org /

IPv6 prerequisite All about Routing Header extension Security implications Solutions and workaround IPv6 Routing Header Security. Philippe BIONDI Arnaud EBALARD phil(at)secdev.org / philippe.biondi(at)eads.net arno(at)natisbad.org /

896 views • 61 slides

More recommend