DPX: Data-Plane eXtensions for SDN Security Service Instantiation - - PowerPoint PPT Presentation


SLIDE 1

DPX: Data-Plane eXtensions for SDN Security Service Instantiation

Taejune Park¹, Yeonkeun Kim¹, Vinod Yegneswaran², Phillip Porras², Zhaoyan Xu³, KyoungSoo Park¹, and Seungwon Shin¹

1) KAIST, Korea 2) SRI International, USA 3) Palo Alto Networks, USA

SLIDE 2

Software-Defined Networking

  • Decouple the control-plane from the data-plane
  • Centralized controller
  • SDN switches
  • Centralized operation with a standard protocol (e.g., OpenFlow)
  • Programmable network management
  • Dynamic traffic engineering

[Figure: Control-Plane (Controller) running applications such as L4 Routing and Network Discovery; Control Interface (OpenFlow); Data-Plane (Switches). The switch flow table matches on in_port, ip_src (e.g., 10.0.0.1), ip_dst (e.g., 10.0.0.2, 20.0.0.1), tcp_src and tcp_dst (e.g., 22, 80), with actions such as set_ip_dst(20.0.0.2),output(1), drop, and output(2).]

SLIDE 3

Software-Defined Networking: Security is still required

  • Shin, Seungwon, et al. "FRESCO: Modular composable security services for software-defined networks."
  • Shin, Seungwon, et al. "CloudWatcher: Network security monitoring using OpenFlow in dynamic cloud networks."
  • Braga, Rodrigo, et al. "Lightweight DDoS flooding attack detection using NOX/OpenFlow."
  • Yoon, Changhoon, et al. "Enabling security functions with SDN: A feasibility study."
  • S. K. Fayazbakhsh, et al. "Enforcing network-wide policies in the presence of dynamic middlebox actions using FlowTags."
  • Z. A. Qazi, et al. "SIMPLE-fying Middlebox Policy Enforcement Using SDN."
  • And so on…
SLIDE 4

Security in Software-Defined Networking

[Figure: Control-Plane (Controller) hosting several Network Applications and a Security Application; Control Interface (OpenFlow); Data-Plane (Switches); a Middlebox (e.g., NFV) attached to the data plane.]

SLIDE 5

Security in Software-Defined Networking

  • Security applications on the control plane
    • Apply a security service network-wide
    • Cheap price
    • Easy to manage
SLIDE 6

Security in Software-Defined Networking

  • Security applications on the control plane
    • Apply a security service network-wide
    • Cheap price
    • Easy to manage
  • Limitation
    • Only simple security is available
    • Controller overhead
    • Low performance
SLIDE 7

Security in Software-Defined Networking

  • Middleboxes (e.g., NFV)
    • Better performance
    • Rich functions (e.g., payload inspection)
    • No controller overhead
SLIDE 8

Security in Software-Defined Networking

  • Middleboxes (e.g., NFV)
    • Better performance
    • Rich functions (e.g., payload inspection)
    • No controller overhead
  • Limitation
    • Network overhead caused by traffic detouring (performance loss)
    • Requires flow steering to the NFs
    • Additional control channels for the NFs
SLIDE 9

Service Chaining

[Figure: traffic from the Source traverses the Network through a DoS Detector, a Scan Detector and a Deep Packet Inspector before reaching the Destination.]

SLIDE 10

Service Chaining

[Figure: five flows, each with its own chain. Flow_A: DoS Detector 1 → Scan Detector 1 → DPI 1; Flow_B: DoS Detector 1 → DPI 1; Flow_C: DoS Detector 1 → Scan Detector 2; Flow_D: DoS Detector 2 → DPI 2; Flow_E: DPI 2.]

SLIDE 11

Service Chaining

Rules for incoming flows
  Match   Actions
  Flow_A  forward(DoS1)
  Flow_B  forward(DoS1)
  Flow_C  forward(DoS1)
  Flow_D  forward(DoS2)
  Flow_E  forward(DPI2)

Rules for DoS1
  Match   Actions
  Flow_A  forward(Scan1)
  Flow_B  forward(DPI1)
  Flow_C  forward(Scan2)

Rules for Scan1
  Match   Actions
  Flow_A  forward(DPI1)

Rules for DPI1
  Match   Actions
  Flow_A  forward(…)
  Flow_B  forward(…)

Rules for Scan2
  Match   Actions
  Flow_C  forward(…)

Rules for DoS2
  Match   Actions
  Flow_D  forward(DPI2)

Rules for DPI2
  Match   Actions
  Flow_D  forward(…)
  Flow_E  forward(…)

[Figure: the resulting steering. DoS1 receives Flow_A/B/C, Scan1 receives Flow_A, DPI1 receives Flow_A/B, Scan2 receives Flow_C, DoS2 receives Flow_D, and DPI2 receives Flow_D/E.]

SLIDE 12

Challenges of Security in SDN

  • Performance
  • Management

SLIDE 13

Challenges of Security in SDN

  • Performance
  • Management
    • Flow steering/engineering

SLIDE 14

DPX: Data-Plane eXtensions for SDN Security Service Instantiation

  • Provides security services as a part of the packet processing logic
  • Security services as a set of OpenFlow actions
  • Processes packets without detouring

  MATCH   Actions
  Flow_A  sec_dos(mbps=1000), output:2
  Flow_B  sec_dos(…), sec_scan(…), output:3

[Figure: a packet passes through the DoS, Scan and DPI action blocks inside the switch itself.]

SLIDE 15

Security actions

  • Providing security services for an incoming flow

  ip_src    ip_dst    tcp_src  tcp_dst  Actions
  10.0.0.1  10.0.0.2  *        *        sec_dos(mbps=1000, policy=alert), output:2
  *         *         *        80       sec_dpi(pattern="rule.txt", policy=discard), output:3

[Figure: a packet 10.0.0.1->10.0.0.2 hits the first rule and a packet to tcp_80 hits the second. A security action has the form sec_dos(mbps=1000, policy=alert), where mbps=1000 is the threshold and policy=alert is the policy.]

  • To deploy, set a threshold and a policy in the parameters of the required security action
SLIDE 16

Security actions

  • High compatibility with common OpenFlow actions
  • Fine-grained security deployment per flow
  • Easy configuration of a security service chain

  MATCH   Actions
  Flow_A  sec_dos(mbps=1000), set_ip_dst(10.0.0.2), output:2

  MATCH   Actions
  Flow_A  sec_dos(mbps=1000), output:2
  Flow_B  sec_dos(mbps=500), output:2
  Flow_C  sec_dos(mbps=750), output:2

  MATCH   Actions
  Flow_A  sec_dos(…), sec_scan(…), sec_dpi(…), output:2

SLIDE 17

System Design

[Figure: DPX dataplane with a Flow Table (Flow_key, Flow_stats) whose rules carry Common Actions and Security Actions; each security action consists of a Data Section, Inspection Logic and a Policy Handler. The Controller hosts Network Applications and a Security Application; rules are deployed via Flow_mod and event messages are returned over the OpenFlow Channel.]

  • Similar to a conventional SDN: match a flow rule in the flow table -> perform its actions
  • Security action block
  • DPX security application
SLIDE 18

Security Action Block

  • Individual processing block for a security action
    • Data Section
    • Inspection Logic
    • Policy Handler

SLIDE 19

Security Action Block: Data Section

  • Stores the statistics data required for a packet, indexed by
    • Flow_key: packet-level metadata used for indexing the flow table
    • Flow_stats: flow table statistics

SLIDE 20

Security Action Block: Inspection Logic

  • Performs the actual inspection
  • Calculates statistics using the data section
  • Determines a security violation using the threshold values in the parameters, e.g., sec_dos(mbps=1000, …)

SLIDE 21

Security Action Block: Policy Handler

  • Handles a violation according to a policy
    • sec_dos(…, policy=redirect:2) => if the current bps exceeds the threshold, redirect the flow to Port 2
  • Three policies
    • Alert: send an alert msg to the controller
    • Discard: terminate the packet processing and drop the packet
    • Redirect: forward the packets to an alternative port

SLIDE 22

Action Enforcement

  • DPX provides a controller API set for the security actions
    • Listen for and process an alert message
    • Install the security actions on the data-plane
  • Security application on a controller

[Figure: the Security Application and Network Applications on the Controller deploy rules via Flow_mod and receive event messages over the OpenFlow Channel.]

SLIDE 23

Challenge in the flow-level security deployment

  • The flow-level security deployment can't represent a security policy across multiple flows
  • Simple example: the total incoming bandwidth from Flow A and Flow B evidently exceeds 1000 Mbps, but the DoS detectors never trigger an alert!

[Figure: DPX Switch (Capacity: 1000 Mbps) receiving Flow A at 800 Mbps and Flow B at 700 Mbps with the rules

  Match   Actions
  Flow A  sec_dos(mbps=1000), output:1
  Flow B  sec_dos(mbps=1000), output:2

Each rule has its own DoS data section (800 and 700), so each DoS inspection logic evaluates (Mbps > 1000) ? true : false separately and reports both flows as Benign.]

SLIDE 24

Action Clustering

  • All security actions have a cluster ID in their parameters
  • Security actions that use the same cluster ID are considered to belong to the same cluster
  • A clustered action works as a single integrated action across different flow rules
  • Implemented by sharing the data section through the cluster map

[Figure: the flow rules for Flows A, B and C each carry sec_xyz(id=10, …), and the three instances behave as one sec_xyz.]

[Figure: a flow table with rules such as Flow_A/Flow_B/Flow_C with sec_dos(id=10, …), one rule with sec_dos(id=90119, …), Flow_D with sec_dos(id=10, …), and Flow_E with sec_scan(id=10, …), sec_dpi(id=30, …). Each action type keeps a Clustering Map from Data ID to its data: sec_dos maps IDs 10 and 90119 to separate bps entries compared against the bps threshold by its inspection logic; sec_scan maps ID 10 to a port entry used for port counting; sec_dpi maps ID 30 to a rule set used for pattern matching.]

SLIDE 25

Applying Action Clustering

  • Applying action clustering to the previous example: the DoS detector now detects the bandwidth excess and raises an alert.

[Figure: the same DPX Switch (Capacity: 1000 Mbps) with Flow A at 800 Mbps and Flow B at 700 Mbps, now with the rules

  Match   Actions
  Flow A  sec_dos(mbps=1000, id=10), …
  Flow B  sec_dos(mbps=1000, id=10), …

Both actions share the DoS data section entry for ID 10, which holds 800 + 700; the DoS inspection logic evaluates (Mbps > 1000) ? true : false on the sum and reports Detected.]
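As an added example (not the DPX authors' code), the following Python model implements the security action block described on Slides 19-21 (data section, inspection logic, policy handler) and the action clustering of Slides 23-25, so that the 800 + 700 Mbps case can be replayed with and without a shared cluster ID. The class and function names (SecDos, FlowRule, DpxSwitch, demo) are hypothetical, and per-flow Mbps figures are fed in directly instead of being measured from packets.

```python
from dataclasses import dataclass
@dataclass
class SecDos:  # hypothetical model of sec_dos(mbps=..., policy=..., id=...)
    mbps: float                      # threshold parameter
    policy: str = "alert"            # alert | discard | redirect:<port>
    cluster_id: "int | None" = None  # id=...; None means a per-flow data section

@dataclass
class FlowRule:
    match: str     # the flow name stands in for the OpenFlow match fields
    actions: list  # SecDos objects followed by a common action, e.g. "output:2"

class DpxSwitch:
    def __init__(self, rules):
        self.rules = rules
        self.data = {}    # data section: key -> {flow: current Mbps}
        self.alerts = []  # event messages that would go to the controller

    def _data_key(self, rule, act):
        # Cluster map: one shared entry per cluster id, else one entry per rule
        if act.cluster_id is not None:
            return ("cluster", act.cluster_id)
        return ("flow", rule.match)

    def process(self, flow, mbps):
        # Match the rule for `flow`, run its actions, return the forwarding decision
        rule = next(r for r in self.rules if r.match == flow)
        for act in rule.actions:
            if isinstance(act, str):      # common OpenFlow action
                return act
            entry = self.data.setdefault(self._data_key(rule, act), {})
            entry[flow] = mbps            # data section update
            total = sum(entry.values())   # inspection logic:
            if total > act.mbps:          # (Mbps > threshold) ? violation
                decision = self._policy(flow, act, total)
                if decision is not None:
                    return decision       # discard/redirect end processing
        return "drop"                     # no output action: packet is dropped

    def _policy(self, flow, act, total):
        if act.policy == "alert":
            self.alerts.append((flow, total))  # alert msg to controller, go on
            return None
        if act.policy == "discard":
            return "drop"
        if act.policy.startswith("redirect:"):
            return "output:" + act.policy.split(":", 1)[1]
        raise ValueError(f"unknown policy {act.policy}")
def demo(clustered):
    # Slides 23/25: Flow A 800 Mbps + Flow B 700 Mbps, each with sec_dos(mbps=1000)
    cid = 10 if clustered else None
    sw = DpxSwitch([FlowRule("Flow A", [SecDos(1000, "alert", cid), "output:1"]),
                    FlowRule("Flow B", [SecDos(1000, "alert", cid), "output:2"])])
    sw.process("Flow A", 800)
    sw.process("Flow B", 700)
    return len(sw.alerts)  # 0 without clustering, 1 when id=10 is shared
```

Calling demo(False) reproduces the per-flow blind spot of Slide 23 (no alert), while demo(True) reproduces Slide 25 (the shared entry sums to 1500 Mbps and one alert is raised).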

SLIDE 26

Applying DPX

[Figure: the service-chaining rule tables of Slide 11 (rules for incoming flows and separate rule tables for DoS1, Scan1, DPI1, Scan2, DoS2 and DPI2), i.e. the deployment before applying DPX.]

SLIDE 27

Applying DPX

  Match   Actions
  Flow_A  sec_dos(id=10, ...), sec_scan(id=10, ...), sec_dpi(id=10, ...), ...
  Flow_B  sec_dos(id=10, ...), sec_dpi(id=10, ...), ...
  Flow_C  sec_dos(id=10, ...), sec_scan(id=20, ...), ...
  Flow_D  sec_dos(id=20, ...), sec_dpi(id=20, ...), ...
  Flow_E  sec_dpi(id=20, ...), ...

SLIDE 28

Implementation

  • Prove our design in both hardware and software

SLIDE 29

Implementation

  • Hardware: NetFPGA-SUME, an FPGA-based PCI Express board for 10 and 100 Gbps operation
    • Supports the DoS detector and the Deep Packet Inspector

[Figure: hardware architecture. Packets from Intf. 0-3 and the Host Intf. enter the Input Arbiter and Packet preprocessor, then the Flow Table (Flow_key lookup, Flow_stats; rules installed by the Controller) and the OpenFlow Action processor. A Security Action Input Selector delivers Flow_key, stats and the action key over a Wide Data Bus to several Security Action Modules, each with a Data Section (BRAM), an Update Data Section stage, a Read Payload stage and Inspection Logic. The Policy handler applies Discard, Alert or Redirect, and packets leave through the Packet buffer and Output queue to Intf. 0-3 or the Host Intf.]

SLIDE 30

Implementation

  • Software: Open vSwitch, an open-source implementation of a distributed virtual switch
    • Supports the DoS detector, Vertical/Horizontal Scanning detector, Anomaly Detector, Session Monitor and Deep Packet Inspector

[Figure: software architecture. Flow Table Lookup leads to the DPX entry point; Execute Actions runs the O.F. (OpenFlow) actions and the Security Action Blocks, each with a Data Section, Inspection Logic and a Policy Handler, fed with Flow_key, stats, the socket buffer and the action key. Valid packets are forwarded to the output; Discard drops the packet; Alert sends an alert message to the controller; Redirect forwards to the alternative port; event messages are sent to the controller.]

SLIDE 31

Performance Evaluation

  • Measured the performance of
    • Each security action
    • A service chain of all available security actions
    • Simple forwarding
    • A naive NFV which does nothing

[Figure: testbed. h1 and h2 are connected by 10GbE links to the Datapath (HW-DPX / SW-DPX); the DPX Controller is attached on link (1); links (2) and (3), also 10GbE, lead to the NFV (do nothing) box.]

SLIDE 32

Performance Evaluation: hardware

  • Throughput
  • Latency

[Figure: throughput (Gbps, 0 to 11) versus packet size (64, 128, 256, 512, 1024, 1514 bytes) for Simple forwarding, DoS, DPI100, DPI500, DPI1000, Chain and NFV; and a CDF (0.2 to 1) of latency (0.5 to 1.5 msec) for Simple, DoS, DPI, Chain and NFV, with the curves labelled as the group DPX & Simple Fwd. versus NFV.]

SLIDE 33

Flow-table Simplification

  • Assuming a leaf-spine topology network with an increasing number of hosts
  • The hosts have to visit/use arbitrary service chains of varying length
  • Measured the number of rules required to pass a pingall test

[Figure: leaf-spine topology with hosts h1, h2 and an NFV box, controlled by a POX Controller (forwarding.l2_learning). Plot: number of rules (0 to 1600) versus number of leaf hosts (1, 3, 5, 7, 9) for Chain 0 (== DPX), Chain 1, Chain 2, Chain 3 and Chain 4.]
SLIDE 34

Conclusion

  • Provide security services as a part of the packet processing logic
    • As a set of actions
    • Support the security policy and the controller API set
    • Action clustering
  • Achieve simplified management and high performance
  • Catches the advantages of both a middlebox and an SDN application for security in SDN
  • Expect that the DPX approach has high potential in today's complex networks
SLIDE 35

Thank you! Questions?

http://nss.kaist.ac.kr taejune.park@kaist.ac.kr