Policy Routing using Process-Level Identifiers IEEE International - - PowerPoint PPT Presentation

IEEE International Symposium on Software Defined Systems

April 4th, 2016, Berlin, Germany

Oliver Michel, Eric Keller

Networking and Security Research Group

Policy Routing using Process-Level Identifiers

Network Policies

2

Network Policies

2

Load Balancing

Network Policies

2

Address Translation

Network Policies

2

Intrusion Detection

Network Policies

2

Firewalling

Limited Identifiers

3

IP

Ethernet TCP/UDP

Limited Identifiers

3

IP

Ethernet TCP/UDP

Source Destination EtherType

Limited Identifiers

3

IP

Ethernet TCP/UDP

Source Destination EtherType Source Destination DSCP Protocol ECN

Limited Identifiers

3

IP

Ethernet TCP/UDP

Source Destination EtherType Source Destination DSCP Protocol ECN Source Destination

Peter

cn=Peter Pan, ou=CS, o=UColorado

LDAP User

BLOCK

Why fine-grained identifiers?

4

• Uniquely identifying user sessions

Peter

cn=Peter Pan, ou=CS, o=UColorado

LDAP User

BLOCK

Why fine-grained identifiers?

4

• Uniquely identifying user sessions

MAC IP

Peter

cn=Peter Pan, ou=CS, o=UColorado

LDAP User

BLOCK

Why fine-grained identifiers?

4

• Uniquely identifying user sessions

MAC IP

UID

Peter

cn=Peter Pan, ou=CS, o=UColorado

LDAP User

BLOCK

Why fine-grained identifiers?

4

• Uniquely identifying user sessions

MAC IP

UID LDAP Controller

Why fine-grained identifiers?

5

• Isolating vulnerable software

Why fine-grained identifiers?

6

• Isolating vulnerable software

Why fine-grained identifiers?

6

$ openssl sha1 /usr/sbin/httpd

SHA1(/usr/sbin/httpd)=5fdbdb587fce265656fd3e2960a6293262efedb7

• Isolating vulnerable software

Why fine-grained identifiers?

6

Executable Fingerprint

$ openssl sha1 /usr/sbin/httpd

SHA1(/usr/sbin/httpd)=5fdbdb587fce265656fd3e2960a6293262efedb7

• Isolating vulnerable software

Why fine-grained identifiers?

6

Executable Fingerprint

$ openssl sha1 /usr/sbin/httpd

SHA1(/usr/sbin/httpd)=5fdbdb587fce265656fd3e2960a6293262efedb7

Controller

• Isolating vulnerable software

Fine-Grained Information

7

Process Process Network Interface IP/MAC

user space

• perating

system

Fine-Grained Information

7

Process Process Network Interface IP/MAC Port

user space

• perating

system

Fine-Grained Information

7

PID Process Process Network Interface IP/MAC Port

user space

• perating

system

Fine-Grained Information

7

GID PID Process Process Network Interface IP/MAC Port

user space

• perating

system

Fine-Grained Information

7

UID GID PID Process Process Network Interface IP/MAC Port

user space

• perating

system

Fine-Grained Information

7

UID GID PID cgroups Process Process Network Interface IP/MAC Port

user space

• perating

system

Fine-Grained Information

7

UID GID PID cgroups

• pen files

Process Process Network Interface IP/MAC Port

user space

• perating

system

Fine-Grained Information

7

UID GID PID cgroups

• pen files

exe fingerprint Process Process Network Interface IP/MAC Port

user space

• perating

system

Fine-Grained Information

8

user space

• perating

system network

Process Process

IP Source IP Destination EtherType MAC Source MAC Destination Protocol TCP/UDP Source TCP/UDP Destination

Network Interface IP/MAC UID GID PID cgroups

• pen files

exe fingerprint

Fine-Grained Information

8

user space

• perating

system network

Process Process

IP Source IP Destination EtherType MAC Source MAC Destination Protocol TCP/UDP Source TCP/UDP Destination

Network Interface IP/MAC UID GID PID cgroups

• pen files

exe fingerprint

• Uniquely identifying user sessions
• Isolating vulnerable software

Benefiting Scenarios

9

• Uniquely identifying user sessions
• Isolating vulnerable software
• Identifying services

Benefiting Scenarios

9

• Uniquely identifying user sessions
• Isolating vulnerable software
• Identifying services
• Quality of Service

Benefiting Scenarios

9

• Uniquely identifying user sessions
• Isolating vulnerable software
• Identifying services
• Quality of Service
• Forensic Analysis

Benefiting Scenarios

9

PRPL

\ˈpər-pəl\

Policy Routing using Process-Level Identifiers

PRPL Overview

11

PRPL Overview

controller

11

PRPL Overview

controller

Distributing and configuring Policy

11

PRPL Overview

controller

Distributing and configuring Policy

11

PRPL Overview

Tagging Packets

controller

Distributing and configuring Policy

11

PRPL Overview

Tagging Packets

controller

Distributing and configuring Policy Forwarding

11

Tagging

Ethernet IP TCP/UDP

• Insert a custom header containing a token associated

with some policy

12

Tagging

Ethernet IP TCP/UDP

• Insert a custom header containing a token associated

with some policy

12

Tagging

Ethernet IP TCP/UDP

PRPL

• Insert a custom header containing a token associated

with some policy

12

Tagging

Ethernet IP TCP/UDP

PRPL

0x12d4f7e3 3 2 b i t s

• Insert a custom header containing a token associated

with some policy

12

Tagging

13

Process

Policy Controller Host

user domain admin domain

Tagging

13

PRPL Agent

Process

Policy Controller Host

user domain admin domain

Tagging

13

PRPL Agent

Process

Policy Controller Host

request communication stream user domain admin domain

Tagging

13

PRPL Agent

Process

Policy Controller Host

request communication stream

• btain token

user domain admin domain

Tagging

13

PRPL Agent classify/mark tag/forward

configure

Process

Policy Controller Host

request communication stream

• btain token

user domain admin domain

• Programmable Hardware


[Kangaroo INFOCOM ’10, SDN Chip SIGCOMM ’13, Intel FM6000 switch silicon]

• Dataplane Forwarding Model

in P4 [SIGCOMM CCR 2014]

Forwarding

14

PRPL token

action

0xa4..23

drop reroute

0xd3..42

• Programmable Hardware


[Kangaroo INFOCOM ’10, SDN Chip SIGCOMM ’13, Intel FM6000 switch silicon]

• Dataplane Forwarding Model

in P4 [SIGCOMM CCR 2014]

Forwarding

14

PRPL token

action

0xa4..23

drop reroute

0xd3..42

• Programmable Hardware


[Kangaroo INFOCOM ’10, SDN Chip SIGCOMM ’13, Intel FM6000 switch silicon]

• Dataplane Forwarding Model

in P4 [SIGCOMM CCR 2014]

Forwarding

14

Implementation

15

• Linux on-board tools: iptables, custom routing, tunnel

devices

Implementation

15

• Linux on-board tools: iptables, custom routing, tunnel

devices

• P4: Matching on token

Implementation

15

• Linux on-board tools: iptables, custom routing, tunnel

devices

• P4: Matching on token
• Prototype
• P4 behavioral model
• tag based on uid
• forward or drop

Implementation

15

Implementation

direct transmission using PRPL

200 400 600 800 1000 1200 1400 50 100 150 200 packet size [Bytes] TCP throughput [Mbit/s]

• No performance penalty for packets < 200 Bytes

16

Future Work and Conclusion

17

• Network Management can greatly benefit from fine-

grained process-level information

Future Work and Conclusion

17

• Network Management can greatly benefit from fine-

grained process-level information

• System Architecture and Prototype enabling packet

processing based on such information


Future Work and Conclusion

17

• Network Management can greatly benefit from fine-

grained process-level information

• System Architecture and Prototype enabling packet

processing based on such information


• Future work: expansion beyond current examples, more

complex policies

Future Work and Conclusion

17

Source Code

18

https://github.com/nsr-colorado/prpl

Backup Slides

• Study feasibility of more complex policy scenarios
• Granularity of Tokens
• Controller - Agent Interface
• Proactive vs. reactive configuration
• Trust in tagging process

Future Work

20

• Token sizes between 16 bits and 32 bits sufficient even

for large networks

Tagging

21

500 servers 2000 servers 10000 servers

1 5 10 50 100 5 10 15 20 25 number of policy rules per host (log.) minimum token size [bits]

• new custom ASICs can achieve such flexibility at

terabit speeds [Kangaroo INFOCOM ’10, SDN Chip SIGCOMM ’13,

Intel FM6000 switch silicon]

• some switches are more programmable than others:
• FPGA (Xilinx, Altera, Corsa)
• NPU (Ezchip, Netronome)
• CPU (OVS, …)

Programmable Hardware

22

• P4 program configures

forwarding behavior (abstract forwarding model)

• express serial dependencies

(e.g. ARP/L3 Routing)

• P4 compiler translates into a

target-specific representation

• OF can still be used to install

and query rules once forwarding model is defined

P4 Language

23

P4 Forwarding Model / Runtime

24

Switch Parser Match/Action Tables Packet Metadata Egress Queues

P4 Forwarding Model / Runtime

24

L2L3.p4 Switch Parser Match/Action Tables Packet Metadata Egress Queues

P4 Forwarding Model / Runtime

24

L2L3.p4 Switch Parser Match/Action Tables Packet Metadata Egress Queues COMPILE

P4 Forwarding Model / Runtime

24

L2L3.p4 Switch Parser Match/Action Tables Packet Metadata Egress Queues COMPILE Eth VLAN IP4 IP6 TCP UDP

P4 Forwarding Model / Runtime

24

L2L3.p4 Switch Parser Match/Action Tables Packet Metadata Egress Queues COMPILE Eth VLAN IP4 IP6 TCP UDP Controller Routing Firewall NAT

P4 Forwarding Model / Runtime

24

L2L3.p4 Switch Parser Match/Action Tables Packet Metadata Egress Queues COMPILE Eth VLAN IP4 IP6 TCP UDP Controller Routing Firewall NAT

P4 Forwarding Model / Runtime

24

L2L3.p4 Switch Parser Match/Action Tables Packet Metadata Egress Queues COMPILE Eth VLAN IP4 IP6 TCP UDP Controller Routing Firewall NAT

P4 Forwarding Model / Runtime

24

Switch Parser Match/Action Tables Packet Metadata Egress Queues COMPILE Eth VLAN IP4 IP6 TCP UDP Controller Routing Firewall NAT

P4 Forwarding Model / Runtime

24

Switch Parser Match/Action Tables Packet Metadata Egress Queues COMPILE Eth VLAN IP4 IP6 TCP UDP Controller Routing Firewall NAT OF1-3.p4

P4 Forwarding Model / Runtime

24

Switch Parser Match/Action Tables Packet Metadata Egress Queues COMPILE Eth VLAN IP4 IP6 TCP UDP Controller Routing Firewall NAT OF1-3.p4

Open Flow 1.3

Architecture

25

Network Policy Controller Directory Service verify existence install flow entries Gateway Switch Internet user domain admin domain PRPL Agent Process Process Socket Socket Switch request stream/

• btain token

ANNOTATING PACKET STREAMS PRPL FORWARDING CONTROLLING/DISTRIBUTING POLICY

A

PRPL token

action

0xa4..23

drop reroute

0xd3..42

B C

Process Socket classify/mark annotate/forward configure

P4 Parsing

26

Ethernet Policy Token IP ... Eth PRPL TCP UDP 0xd3...42 drop 0xa4...29 reroute continue 0xa6...76 IP 10.0.1/24 10.0.2/24 1 2 Routing Table Policy Table Parsing FSM Incoming Packet

P4 Implementation

27

table prpl { reads { prpl.token : exact; } actions { _nop; _drop; forward; } size : 128; } header_type prpl_t { fields { token : 8; } } header prpl_t prpl; parser start { return parse_ethernet; } parser parse_ethernet { extract(ethernet); return parse_prpl; } parser parse_prpl { extract(prpl); return ingress; } table_set_default prpl _nop table_add prpl _nop 0x00000001 => table_add prpl _drop 0x00000002 => table_add prpl forward 0x00000001 => 4

iptables

28

iptables OUTPUT chain

• -uid-owner1003
• -set-mark 0xd2

1003 process policy_d2 default dev tun2 policy_54 default dev tun5 from all mark 0xd2 lookup policy_d2 routing rules

/etc/iproute2 /rt_tables

tun2 Policy Agent Network tun5 admin domain user domain