policy routing using process level identifiers
play

Policy Routing using Process-Level Identifiers IEEE International - PowerPoint PPT Presentation

May 03, 2023 •482 likes •1.3k views

Policy Routing using Process-Level Identifiers IEEE International Symposium on Software Defined Systems April 4th, 2016, Berlin, Germany Oliver Michel, Eric Keller Networking and Security Research Group Network Policies 2 Network Policies

  1. Policy Routing using Process-Level Identifiers IEEE International Symposium on Software Defined Systems April 4th, 2016, Berlin, Germany Oliver Michel, Eric Keller Networking and Security Research Group

  2. Network Policies 2

  3. Network Policies Load Balancing 2

  4. Network Policies Address Translation 2

  5. Network Policies Intrusion Detection 2

  6. Network Policies Firewalling 2

  7. Limited Identifiers Ethernet IP TCP/UDP 3

  8. Limited Identifiers Ethernet Source Destination EtherType IP TCP/UDP 3

  9. Limited Identifiers Ethernet Source Destination EtherType IP Source Destination Protocol DSCP ECN TCP/UDP 3

  10. Limited Identifiers Ethernet Source Destination EtherType IP Source Destination Protocol DSCP ECN TCP/UDP Source Destination 3

  11. Why fine-grained identifiers? • Uniquely identifying user sessions BLOCK LDAP User Peter cn=Peter Pan, ou=CS, o=UColorado 4

  12. Why fine-grained identifiers? • Uniquely identifying user sessions BLOCK LDAP User Peter cn=Peter Pan, ou=CS, o=UColorado MAC IP 4

  13. Why fine-grained identifiers? • Uniquely identifying user sessions BLOCK LDAP User Peter cn=Peter Pan, ou=CS, o=UColorado UID MAC IP 4

  14. Why fine-grained identifiers? • Uniquely identifying user sessions BLOCK LDAP User Peter cn=Peter Pan, ou=CS, o=UColorado Controller UID MAC IP LDAP 4

  15. Why fine-grained identifiers? • Isolating vulnerable software 5

  16. Why fine-grained identifiers? • Isolating vulnerable software 6

  17. Why fine-grained identifiers? • Isolating vulnerable software $ openssl sha1 /usr/sbin/httpd SHA1(/usr/sbin/httpd)=5fdbdb587fce265656fd3e2960a6293262efedb7 6

  18. Why fine-grained identifiers? • Isolating vulnerable software $ openssl sha1 /usr/sbin/httpd SHA1(/usr/sbin/httpd)=5fdbdb587fce265656fd3e2960a6293262efedb7 Executable Fingerprint 6

  19. Why fine-grained identifiers? • Isolating vulnerable software $ openssl sha1 /usr/sbin/httpd SHA1(/usr/sbin/httpd)=5fdbdb587fce265656fd3e2960a6293262efedb7 Executable Fingerprint Controller 6

  20. Fine-Grained Information user space Process Process operating system Network Interface IP/MAC 7

  21. Fine-Grained Information user space Process Process Port operating system Network Interface IP/MAC 7

  22. Fine-Grained Information user space Process Process PID Port operating system Network Interface IP/MAC 7

  23. Fine-Grained Information user space Process Process PID GID Port operating system Network Interface IP/MAC 7

  24. Fine-Grained Information user space Process Process PID GID UID Port operating system Network Interface IP/MAC 7

  25. Fine-Grained Information user space Process Process PID GID UID Port operating cgroups system Network Interface IP/MAC 7

  26. Fine-Grained Information user space Process Process PID GID UID Port operating cgroups system open files Network Interface IP/MAC 7

  27. Fine-Grained Information user space Process Process PID GID UID Port operating cgroups system open files exe fingerprint Network Interface IP/MAC 7

  28. Fine-Grained Information user space Process Process operating PID GID UID cgroups open files exe fingerprint system Network Interface IP/MAC MAC Destination MAC Source EtherType IP Source IP Destination Protocol network TCP/UDP Source TCP/UDP Destination 8

  29. Fine-Grained Information user space Process Process operating system Network Interface IP/MAC MAC Destination MAC Source EtherType IP Source IP Destination Protocol network TCP/UDP Source TCP/UDP Destination PID GID UID cgroups open files exe fingerprint 8

  30. Benefiting Scenarios • Uniquely identifying user sessions • Isolating vulnerable software 9

  31. Benefiting Scenarios • Uniquely identifying user sessions • Isolating vulnerable software • Identifying services 9

  32. Benefiting Scenarios • Uniquely identifying user sessions • Isolating vulnerable software • Identifying services • Quality of Service 9

  33. Benefiting Scenarios • Uniquely identifying user sessions • Isolating vulnerable software • Identifying services • Quality of Service • Forensic Analysis 9

  34. PRPL \ ˈ p ə r-p ə l\ Policy Routing using Process-Level Identifiers

  35. PRPL Overview 11

  36. PRPL Overview controller 11

  37. PRPL Overview Distributing and configuring Policy controller 11

  38. PRPL Overview Distributing and configuring Policy controller 11

  39. PRPL Overview Tagging Packets Distributing and configuring Policy controller 11

  40. PRPL Overview Tagging Packets Forwarding Distributing and configuring Policy controller 11

  41. Tagging • Insert a custom header containing a token associated with some policy Ethernet IP TCP/UDP 12

  42. Tagging • Insert a custom header containing a token associated with some policy Ethernet IP TCP/UDP 12

  43. Tagging • Insert a custom header containing a token associated with some policy Ethernet PRPL IP TCP/UDP 12

  44. Tagging • Insert a custom header containing a token associated with some policy 3 2 b i t s Ethernet 0x12d4f7e3 PRPL IP TCP/UDP 12

  45. Tagging user domain Process Host admin domain Policy Controller 13

  46. Tagging user domain Process Host admin domain PRPL Agent Policy Controller 13

  47. Tagging user domain Process Host admin domain PRPL Agent request communication stream Policy Controller 13

  48. Tagging user domain Process Host admin domain PRPL Agent request communication obtain token stream Policy Controller 13

  49. Tagging user domain Process Host classify/mark tag/forward configure admin domain PRPL Agent request communication obtain token stream Policy Controller 13

  50. Forwarding • Programmable Hardware 
 [Kangaroo INFOCOM ’10, SDN Chip SIGCOMM ’13, Intel FM6000 switch silicon] • Dataplane Forwarding Model in P4 [SIGCOMM CCR 2014] 14

  51. Forwarding PRPL token action drop 0x a4..23 reroute 0x d3..42 • Programmable Hardware 
 [Kangaroo INFOCOM ’10, SDN Chip SIGCOMM ’13, Intel FM6000 switch silicon] • Dataplane Forwarding Model in P4 [SIGCOMM CCR 2014] 14

  52. Forwarding PRPL token action drop 0x a4..23 reroute 0x d3..42 • Programmable Hardware 
 [Kangaroo INFOCOM ’10, SDN Chip SIGCOMM ’13, Intel FM6000 switch silicon] • Dataplane Forwarding Model in P4 [SIGCOMM CCR 2014] 14

  53. Implementation 15

  54. Implementation • Linux on-board tools: iptables, custom routing, tunnel devices 15

  55. Implementation • Linux on-board tools: iptables, custom routing, tunnel devices • P4: Matching on token 15

  56. Implementation • Linux on-board tools: iptables, custom routing, tunnel devices • P4: Matching on token • Prototype • P4 behavioral model • tag based on uid • forward or drop 15

  57. Implementation 200 TCP throughput [ Mbit / s ] 150 100 direct transmission 50 using PRPL 0 200 400 600 800 1000 1200 1400 packet size [ Bytes ] • No performance penalty for packets < 200 Bytes 16

  58. Future Work and Conclusion 17

  59. Future Work and Conclusion • Network Management can greatly benefit from fine- grained process-level information 17

  60. Future Work and Conclusion • Network Management can greatly benefit from fine- grained process-level information • System Architecture and Prototype enabling packet processing based on such information 
 17

  61. Future Work and Conclusion • Network Management can greatly benefit from fine- grained process-level information • System Architecture and Prototype enabling packet processing based on such information 
 • Future work: expansion beyond current examples, more complex policies 17

  62. Source Code https://github.com/nsr-colorado/prpl 18

  63. Backup Slides

  64. Future Work • Study feasibility of more complex policy scenarios • Granularity of Tokens • Controller - Agent Interface • Proactive vs. reactive configuration • Trust in tagging process 20

  65. Tagging 25 minimum token size [ bits ] 20 15 500 servers 2000 servers 10 10000 servers 5 1 5 10 50 100 number of policy rules per host ( log. ) • Token sizes between 16 bits and 32 bits sufficient even for large networks 21

  66. Programmable Hardware • new custom ASICs can achieve such flexibility at terabit speeds [Kangaroo INFOCOM ’10, SDN Chip SIGCOMM ’13, Intel FM6000 switch silicon] • some switches are more programmable than others: • FPGA (Xilinx, Altera, Corsa) • NPU (Ezchip, Netronome) • CPU (OVS, …) 22

  67. P4 Language • P4 program configures forwarding behavior (abstract forwarding model) • express serial dependencies (e.g. ARP/L3 Routing) • P4 compiler translates into a target-specific representation • OF can still be used to install and query rules once forwarding model is defined 23

  68. P4 Forwarding Model / Runtime Switch Parser Match/Action Tables Egress Queues Packet Metadata 24

  69. P4 Forwarding Model / Runtime L2L3.p4 Switch Parser Match/Action Tables Egress Queues Packet Metadata 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Address Family Identifiers Assignment Policy Bill Fenner &lt;fenner@research.att.com&gt; Who

Address Family Identifiers Assignment Policy Bill Fenner &lt;fenner@research.att.com&gt; Who

Address Family Identifiers Assignment Policy Bill Fenner &lt;fenner@research.att.com&gt; Who uses AFI? Routing Who else? Sample AFI value that was not registered for routing: 16 DNS (Domain Name System) What should the policy

300 views • 3 slides
IGO/INGO Identifiers Protection Policy Implementation Meeting with the IRT | ICANN 54 | 21

IGO/INGO Identifiers Protection Policy Implementation Meeting with the IRT | ICANN 54 | 21

IGO/INGO Identifiers Protection Policy Implementation Meeting with the IRT | ICANN 54 | 21 October 2015 Agenda 1 2 3 3 Backgrou ground nd on Prese sentat ntation on Discus cussion sion of Policy cy and of Approac oach h

587 views • 22 slides
Virtual ring routing Virtual ring routing Some slides from http://

Virtual ring routing Virtual ring routing Some slides from http://

Virtual ring routing Virtual ring routing Some slides from http:// research.microsoft.com/en-us/um/people/antr/vrr- sigcomm06.ppt 123 VRR: the virtual ring VRR: the virtual ring topology-independent 0 FFF node identifiers, e.g., MAC

694 views • 18 slides
IGO/INGO Identifiers Protection Policy Implementation Meeting with the IRT | 9 March 2016

IGO/INGO Identifiers Protection Policy Implementation Meeting with the IRT | 9 March 2016

IGO/INGO Identifiers Protection Policy Implementation Meeting with the IRT | 9 March 2016 Agenda 2 3 1 3 Background on Discussion of Policy and Implementation Next Steps Current ICANN Deliverables Work on IGO/INGO Protections 5 min

385 views • 17 slides
Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing

Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing

Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing forwarding: to select an output port based on destination address and routing table routing: process by which routing table is built

543 views • 13 slides
Online Regulation Policy Introduction Overview of High level review of the old policy

Online Regulation Policy Introduction Overview of High level review of the old policy

Online Regulation Policy Introduction Overview of High level review of the old policy versus the updated policy changes Discussion of significant changes Understanding UGC and show it should be dealt with Complaints process for

379 views • 16 slides
How to Sell Process Improvement Second level Third level Fourth level Fifth

How to Sell Process Improvement Second level Third level Fourth level Fifth

Click to edit Master text styles How to Sell Process Improvement Second level Third level Fourth level Fifth level Molly Levy Manager, Developmental Quality Engineering DRS Technologies A Finmeccanica Company DRS

439 views • 20 slides
NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security

NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security

NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security Required: authenticity and integrity of routing information o Link state routing: LSAs are originated by the routing process authorized to do so

345 views • 10 slides
Using DNS for Mapping Using DNS for Mapping Host Identifiers to Locators Host Identifiers to

Using DNS for Mapping Using DNS for Mapping Host Identifiers to Locators Host Identifiers to

Using DNS for Mapping Using DNS for Mapping Host Identifiers to Locators Host Identifiers to Locators Oleg Ponomarev 24 March 2009 IETF74, San Francisco OUTLINE OUTLINE Current situation Storage conventions Usage HOST IDENTITY

225 views • 18 slides
CS 557 Inter-Domain Routing Introduction to BGP Routing Tutorial slides from Tim Griffin, 2001

CS 557 Inter-Domain Routing Introduction to BGP Routing Tutorial slides from Tim Griffin, 2001

CS 557 Inter-Domain Routing Introduction to BGP Routing Tutorial slides from Tim Griffin, 2001 Spring 2013 Inter-domain Routing 2153 11537 1706 52 FRGP Level 3 ARIZONA ColoState Autonomous Systems (AS) Border Gateway Protocol

566 views • 30 slides
CENG 342 Digital Systems Routing with a Process Larry Pyeatt SDSM&amp;T Process Statements

CENG 342 Digital Systems Routing with a Process Larry Pyeatt SDSM&amp;T Process Statements

CENG 342 Digital Systems Routing with a Process Larry Pyeatt SDSM&amp;T Process Statements inside a process are written as if they will be executed sequentially . The process is actually a concurrent statement (or set of concurrent

520 views • 11 slides
COMPLETE STREETS Complete Streets Elements Complete Streets Policy Best Practices MDOT

COMPLETE STREETS Complete Streets Elements Complete Streets Policy Best Practices MDOT

State-Level Overview COMPLETE STREETS Complete Streets Elements Complete Streets Policy Best Practices MDOT Process and Approach Agenda Local Examples Lessons Learned Resources Terminology Policy vs. Process Policy: plan

660 views • 19 slides
4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has

4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has

4.3 Routing protocols We first look at Routing Tables and routing mechanisms. A routing table has columns for the destination network (or hosts) with the corresponding cost and the next router address to reach a destination. Additional

1.08k views • 84 slides
Keeping Your Process at the Centre of Everything We Do 1 op optimAl pr process ss technology

Keeping Your Process at the Centre of Everything We Do 1 op optimAl pr process ss technology

Keeping Your Process at the Centre of Everything We Do 1 op optimAl pr process ss technology ltd ltd. Process Automation Specialists DRIVING PERFORMANCE Process Engineering Level 1 Process Services Control Systems Level 2 / 3

571 views • 20 slides
Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011 Overview Business

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011 Overview Business

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011 Overview Business relationships between ASes Interdomain routing using BGP Advertisements Routing policy Integration with intradomain routing Routing

748 views • 37 slides
Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing

Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing

Landmark Landmark-based routing based routing Landmark Landmark-based routing based routing [Kleinberg04] J. Kleinberg, A. Slivkins, T. Wexler. Triangulation and Embedding using Small Sets of Beacons. Proc. 45th IEEE Symposium on Foundations of

450 views • 32 slides
Jude Series Lesson #013 August 21, 2012 Dean Bible Ministries www.deanbible.org Dr. Robert L.

Jude Series Lesson #013 August 21, 2012 Dean Bible Ministries www.deanbible.org Dr. Robert L.

Jude Series Lesson #013 August 21, 2012 Dean Bible Ministries www.deanbible.org Dr. Robert L. Dean, Jr. JUDE: C ONTENDING FOR THE F AITH I DENTIFYING W ORLDLY T HINKING IN O UR O WN S OULS J UDE 3 Jude 3, Beloved, while I was very diligent

205 views • 17 slides
Ja James s Va VanDerZee In In T The His e History Of y Of Am Amer erican Portraiture e

Ja James s Va VanDerZee In In T The His e History Of y Of Am Amer erican Portraiture e

Ja James s Va VanDerZee In In T The His e History Of y Of Am Amer erican Portraiture e See Item 23 in Course Bibliography John Singleton Copley (1738-1815) Thomas Eakins (1844-1916) Jo John Singl gleton Copley, Portrait of f An

511 views • 29 slides
Romans Series Lesson #128 December 26, 2013 Dean Bible Ministries www.deanbible.org Dr. Robert

Romans Series Lesson #128 December 26, 2013 Dean Bible Ministries www.deanbible.org Dr. Robert

Romans Series Lesson #128 December 26, 2013 Dean Bible Ministries www.deanbible.org Dr. Robert L. Dean, Jr. The Epistle to the ROMANS Worldview Shift Romans 12:2 Rom. 12:1, I beseech you therefore, brethren, by the mercies of God, that

689 views • 32 slides
3. BIM for Owners and Facility Managers. Cand. Scient. Bygningsinformatik. Semester 1, 2010.

3. BIM for Owners and Facility Managers. Cand. Scient. Bygningsinformatik. Semester 1, 2010.

Produkt og Procesmodeller (PPM) i byggeriet. Product and Process models in Construction. 3. BIM for Owners and Facility Managers. Cand. Scient. Bygningsinformatik. Semester 1, 2010. CONTENT Potential and barriers BIM Application

550 views • 41 slides
Angular Momentum r p = L = r i r + + r

Angular Momentum r p = L = r i r + + r

Angular Momentum r p = L = r i r + + r 1 1 = r sin r = cos cos x + cos sin y sin z = sin x +

85 views • 6 slides
Inverse trig functions 11/21/2011 Remember: f 1 ( x ) is the inverse function of f ( x ) if f

Inverse trig functions 11/21/2011 Remember: f 1 ( x ) is the inverse function of f ( x ) if f

Inverse trig functions 11/21/2011 Remember: f 1 ( x ) is the inverse function of f ( x ) if f 1 ( y ) = x . y = f ( x ) implies For inverse functions to the trigonometric functions, there are two notations: f 1 ( x ) f ( x ) sin

392 views • 12 slides
JUST THE MATHS SLIDES NUMBER 3.5 TRIGONOMETRY 5 (Trigonometric identities &amp;

JUST THE MATHS SLIDES NUMBER 3.5 TRIGONOMETRY 5 (Trigonometric identities &amp;

JUST THE MATHS SLIDES NUMBER 3.5 TRIGONOMETRY 5 (Trigonometric identities &amp; wave-forms) by A.J.Hobson 3.5.1 Trigonometric identities 3.5.2 Amplitude, wave-length, frequency and phase-angle UNIT 3.5 - TRIGONOMETRY 5 TRIGONOMETRIC

425 views • 13 slides
MATH 12002 - CALCULUS I 2.3 &amp; 2.4: Derivatives of Trigonometric Functions Professor

MATH 12002 - CALCULUS I 2.3 &amp; 2.4: Derivatives of Trigonometric Functions Professor

MATH 12002 - CALCULUS I 2.3 &amp; 2.4: Derivatives of Trigonometric Functions Professor Donald L. White Department of Mathematical Sciences Kent State University D.L. White (Kent State University) 1 / 11 Derivatives of Sine &amp; Cosine

374 views • 11 slides

More recommend