Enabling Active Flow Manipulation In Silicon-based Network - PowerPoint PPT Presentation

Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines Tal Lavian - tlavian@ieee.org Phil Wang, Ramesh Durairaj, Jennifer Rasimas, Doan Hoang, Franco Travostino. Nortel Networks, Advanced Technology Labs Open Source - http://www.openetlab.org DANCE Exposition May 28-29, 2002 1

Outline of the talk • AN technology Transfer • Issues in the realization of AN technologies • Main contributions of the paper. • Commercial Active Services Platform • Application Example 1 – SSL • Application Example 2 – ASF • A Demo Application • Next Generation Active Services Platform • Conclusion DANCE Exposition May 28-29, 2002 2

AN Technology Transfer Great Ideas Usable/Realizable Active Nets Community Active Nets Community Mechanisms/Products Active Nets Ideas Active Nets Ideas Real Internet Realistic Active Mechanisms Services Products Scan the technology horizon DANCE Exposition May 28-29, 2002 3

Any AN products? Experimental/Laboratory Platforms Active Nets Community Active Nets Community Active Nets Active Nets Ideas Ideas Commercial Active Services Platform? ? Realistic Mechanisms Nortel Networks Active Services Products Scan the technology horizon SSL ASF IDS VPN SSL ASF IDS VPN DANCE Exposition May 28-29, 2002 4

Great Active Nets Community Solutions Great Active Nets Community Solutions • Active networks (AN) approach opens an exciting opportunity for individual applications to define the service provided by the network through programmability. • Active Networks technologies expose a novel approach that allows customer value-added services to be introduced to the network “on-the-fly”. • Active Nets program has produced a new network platform flexible and extensible at runtime to accommodate the rapid evolution and deployment of network technologies. • The exciting opportunity exists for network service providers and third parties, not just the network device providers, to program the network infrastructure and services. DANCE Exposition May 28-29, 2002 5

AN issues AN issues Lack of industrial-strength Active Network devices that dispel major concerns: • AN requires substantial supports from a NOS • AN introduces substantial software component, hence delay on the data path • AN lacks adequate measures to addressing integrity and security of network devices. DANCE Exposition May 28-29, 2002 6

Main contributions of the paper • Active Flow Manipulation Concept — Flow abstraction — Actions on Flows — Control/Data separation • Openet Platform — Commercial Network Devices — Runtime Environment — Active Services • Applications DANCE Exposition May 28-29, 2002 7

Active Flow Manipulation • A key enabling technology of Openet Policy AFM • Two abstractions Action — Primitive flows Filters Filter Packet — Primitive actions Packet • Customer network services exercise Forwarding active network Forwarding Processor Processor control — Identifying specific flows — Apply actions to alter network behavior in real- Packet time DANCE Exposition May 28-29, 2002 8

Dynamic L2-L7 Filtering L2-L7 Filtering Active Flow Manipulation Capability • Source Address • Flow redirection • Source Port • Stop/Forward flow • Destination Address • Change DSCP field • Destination Port • Set VLAN priority • Protocol • Adjust priority queue • VLAN • Modify session table • Diffserv Code Points • Parsing request header • Content Filtering • Parsing application contents • Cookies Filtering DANCE Exposition May 28-29, 2002 9

Openet: An active service platform ANTS User Oplets Application services Firewall, DiffServ OpletService, Jcapture, HTTP, Standard Services Function Services Shell, Logger IpPacket ORE JFWD JVM JNI/Native Code MEM CPU … Control Plane Monitor status New forwarding rules Filtered packets Data Plane Forwarding Engine DANCE Exposition May 28-29, 2002 10

Openet Alteon Active Services Platform = A Powerful Platform for AN Technologies Transfer Computation • A powerful and Content Power Aware extensible control Active and computational Services plane — Partitioning Dynamic hardware/software Service Enabling resources — Active service enabling — Content filtering in real- time — Active services Optical Wireless accommodation Edge Device router Content gateway DANCE Exposition May 28-29, 2002 11

Nortel Networks’ contributions to Active Services • Practical Active Services Architecture on real network device. • First Commercial Active Services platform. — ASF - Product — SSL – Product — Open Active Architecture for more product — Alteon+iSD as a research platform — L3 programmable routing switch PP8600 – used by research community — Photonic Switch – Early prototype • Identify Active applications (More than Ping  ) — Active VPN – Carrier A — Active fault diagnostic – Carrier A — Active SLA reliability — Active Extranet on Demand – CeNTIE- Media post production industry — Early stages in disaster recovery and fault tolerant networks DANCE Exposition May 28-29, 2002 12

Strong computation power inside network device. Active Services Platform Active Services Platform Active Services Platform Active Services Platform Computation Active Services Platform Active Services Platform Active Services Platform Up to 256 Linux based engines Intercepts selected flows and performs intelligent processing based on L2-L7 Forwarding filtering Users Servers The emphasis is on interception and processing transparently. Entities at both ends may not be aware of the existence of the Alteon in the path DANCE Exposition May 28-29, 2002 13

This slide is from the official product literature!!! Active Service – Example 1 ASF – Alteon Switched Firewall A Real Product DANCE Exposition May 28-29, 2002 14

Alteon Switched Firewall (ASF) A Real Product Active Services Download Runtime Environment For Active Services Active Service: Policy Checking AFM Flow (Req.) AFM Action Selection on the data Flow 1 st pkt Servers 1 2 Data data for the session DANCE Exposition May 28-29, 2002 15

Alteon Switched Firewall (ASF) A Real Product Active Services Download Runtime Environment Active Service: For Active Services Policy Checking AFM Flow AFM Action Selection on the Flow 1 3 Add Delete Conn. after UDP 1 Conn. timeout if session is inactive Servers 1 st pkt 1 2 Data for the session accelerated DANCE Exposition May 28-29, 2002 16

Secure XL & NAAP in Action TCP session Alteon Switched Firewall (ASF) 1 Policy Check Clients 3 1 7 1 5 6 Delete Add Update Update Update Servers Conn. Conn. Conn. Conn. Conn. SYN 1 (F2F) 2 SYN/ACK 3 ACK (TCP 3-way handshake complete ) 4 TCP 3-way handshake complete, data for the session accelerated FIN-1 5 6 FIN-2 7 ACK DANCE Exposition May 28-29, 2002 17

AFS as an Active Service Technology • The Alteon selectively redirects new connection requests to the Alteon Switched Firewall Director to perform policy checking. • The Director runs the Check Point FireWall-1 engine as an Active Service. • The Active Service manages the connection table, specifies rules for handling packets in the session, passes the connection table to the Alteon Switched Accelerator. • 90% of traffic is accelerated, supporting a throughput of 3.2 Gbps. DANCE Exposition May 28-29, 2002 18

This slide is from the official product literature!!! SSL Acceleration How Does the iSD-SSL Accelerator work? How Does the iSD-SSL Accelerator work? • Client sends an HTTPS request • Switch redirects request on port 443 to iSD-SSL • iSD-SSL completes SSL handshake • iSD-SSL initiates HTTP connection to server on port 80 • Switch selects real server based on configured LB policy • Server responds to HTTP request and replies to the iSD-SSL • iSD-SSL encrypts session and sends HTTPS response to client HTTPS, SMTP-S, POP3-S and IMAP-S services DANCE Exposition May 28-29, 2002 19

SSL Acceleration Cont Active Services Download Runtime Environment For Active Services Encrypt Decrypt Policy Server Check Selection Conn. Splice AFM Flow (Req.) AFM Action Selection on the data Flow Servers Data Accelar data for the session accelerated DANCE Exposition May 28-29, 2002 20

On the Horizon: Alteon Security Cluster Acceleration and intelligent integration of security applications Single point of secure central management Management Plane BBI, CLI, SSI, Plug and Play IDS SSL Virus SSL Fir URL IDS Fir SSL IDS SSL Firewall IDS Fi Fi SSL IDS VPNs Filtering Scan Application Plane Controller of accelerated Security Appliance sessions Control Plane Nortel Appliance Acceleration Protocol NAAP (Enables application control of switch sessions) Switch based acceleration of Security Accelerator session data Data Plane DANCE Exposition May 28-29, 2002 21