FI Research in China
Jun Bi, Tsinghua Univ./CERNET
Beijing, China
Outline
• FI Research Overview in China
  – Domestic FI-related projects
  – International collaborations
• Some FI Research in Tsinghua Univ.
  – OpenFlow Extension (Openflow+) for Intra-AS Source Address Validation
  – NDN
    • Audio conference tool (collaborating with PARC/UCLA); see the SIGCOMM'11 ICN workshop paper
    • Caching, testbed, router, gateway, …
Internet Development in China
• The largest Internet population in the world
  – July 2011: 485 million Internet users in China
  – Still growing fast (only 36.2% of the population)
• The largest service providers in the world
  – China Telecom (largest ISP)
  – China Mobile (616 million users)
  – China Unicom
• Giant Internet vendors
  – Huawei, ZTE, …
• Willing to try new technology
  – IPv6, 3G (TD-SCDMA, WCDMA, CDMA2000)
Domestic FI-related Projects
• In the 11th Five-Year Plan period (2006-2010)
  – MOST Trustworthy Internet
    • IPv6 Source Address Validation Architecture (SAVA)
    • Trustworthy ID based on SAVA
    • Trustworthy applications
    • Deployed in 100 university campus networks as a testbed
  – MOST NGB
    • Deployed in the Shanghai region
  – CNGI
    • IPv4/IPv6 transition, …
    • Largest testbed
  – Smaller NSFC projects
  – Mobile/wireless
    • 3G, 4G
Domestic FI-related Projects
• In the 12th Five-Year Plan period (2011-2015)
  – MOST Triple-Play Network
  – MOST Future Internet (planning)
    • New network architecture
    • New network equipment
    • Testbed
  – CENI infrastructure (planning)
    • GENI-like
  – CNGI new phase (planning)
    • Mainly IPv6, and some FI
  – NSFC/973 New Network Architecture (CFP)
International Collaboration
• With the USA
  – GENI/OpenFlow
    • CERNET signed an MOU with GENI and Stanford for IPv6 OpenFlow and Source Address Validation
    • CANS to collaborate on OpenFlow research/testbed
  – NDN collaboration
    • Tsinghua Univ., CAS ICT, Huawei, …
• With Europe
  – OneLab, involvement in other FP7 projects
• With CJK (China, Japan, Korea)
  – CJK projects on network security/FI
  – AsiaFI
Some FI Research in Tsinghua University
OpenFlow Extension (Openflow+) for Intra-AS Source Address Validation
Tsinghua University, China
Source Address Validation (SAV)
• Why SAV: in the current Internet architecture, packet forwarding is based only on the destination address. SAV is good for:
  – anti-spoofing / network security
  – network management / traceback
  – network measurement
  – network accounting / billing
• Why SAV is tough beyond the first hop: asymmetric routing and equal-cost multipath (ECMP). uRPF makes its decision based only on the local FIB.
• What we proposed for intra-AS SAV
  – CPF (Calculation-based Forwarding)
Intra-AS Source Address Validation
– A central control model in which a Calculated Path Forwarding (CPF) controller collects the forwarding information of every router in an AS, calculates all possible forwarding paths for every source address, and then issues filter rules (the result of the calculation) to the routers so that they can verify the source address of packets.
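The two slides above describe the problem (uRPF decides from the local FIB alone, so asymmetric routing and ECMP break it) and the CPF answer (compute every forwarding path per source prefix from the collected FIBs, then issue per-router filter rules). The following Python is an added illustration of that calculation, not code from the talk or from the CPF project; Python is used because the CPF app runs as a NOX application and NOX exposes a Python API. The topology, router names, prefixes and the "local" marker for an attached prefix are all constructed for the example.

```python
"""Added example (not from the talk): CPF-style filter-rule calculation next to strict uRPF.

The FIB snapshot below is constructed for illustration. Router names, prefixes and
the 'local' marker for an attached prefix are this example's own conventions.
"""
import ipaddress
from collections import defaultdict

# Constructed FIB snapshot: router -> {destination prefix: set of next-hop routers}.
# "local" marks a directly attached prefix. Two things make plain uRPF fail here:
#   * asymmetry: R1 sends 10.5/16 traffic via R3, but R2 routes back to 10.1/16 via R1
#   * ECMP: R4 reaches 10.1/16 via R2 or R3, while R1 reaches 10.4/16 only via R2
FIB = {
    "R1": {"10.1.0.0/16": {"local"},     "10.4.0.0/16": {"R2"},    "10.5.0.0/16": {"R3"}},
    "R2": {"10.1.0.0/16": {"R1"},        "10.4.0.0/16": {"R4"},    "10.5.0.0/16": {"local"}},
    "R3": {"10.1.0.0/16": {"R1"},        "10.4.0.0/16": {"R4"},    "10.5.0.0/16": {"R2"}},
    "R4": {"10.1.0.0/16": {"R2", "R3"},  "10.4.0.0/16": {"local"}, "10.5.0.0/16": {"R2"}},
}


def attached_prefixes(fib):
    """Map each directly attached prefix to the router it hangs off."""
    return {p: r for r, table in fib.items() for p, nhs in table.items() if "local" in nhs}


def calculate_paths(fib):
    """CPF step 1: from the collected FIBs, enumerate every forwarding path each source
    prefix can take to each destination prefix, branching at ECMP next hops.
    Yields (source_prefix, [router, router, ...])."""
    attached = attached_prefixes(fib)
    for src, origin in attached.items():
        for dst in attached:
            if dst == src:
                continue
            stack = [[origin]]
            while stack:
                path = stack.pop()
                for nh in fib[path[-1]].get(dst, ()):
                    if nh == "local":
                        yield src, path            # reached the router owning dst
                    elif nh not in path:           # loop guard for inconsistent FIBs
                        stack.append(path + [nh])


def calculate_filter_rules(fib):
    """CPF step 2: collapse the paths into per-router filter rules.
    Returns router -> {(upstream_neighbour, source_prefix)}: the only combinations a
    legitimately forwarded packet can arrive with."""
    rules = defaultdict(set)
    for src, path in calculate_paths(fib):
        for prev, cur in zip(path, path[1:]):
            rules[cur].add((prev, src))
    return dict(rules)


def cpf_accepts(rules, router, ingress, src_ip):
    """Filter installed on a router: pass iff (ingress neighbour, source prefix) was issued."""
    ip = ipaddress.ip_address(src_ip)
    return any(nb == ingress and ip in ipaddress.ip_network(p)
               for nb, p in rules.get(router, ()))


def urpf_accepts(fib, router, ingress, src_ip):
    """Strict uRPF using only the local FIB: pass iff the ingress neighbour is one of
    this router's own next hops towards the source prefix (longest match)."""
    ip = ipaddress.ip_address(src_ip)
    matches = [(ipaddress.ip_network(p), nhs) for p, nhs in fib[router].items()
               if ip in ipaddress.ip_network(p)]
    if not matches:
        return False
    _, nhs = max(matches, key=lambda m: m[0].prefixlen)
    return ingress in nhs


if __name__ == "__main__":
    rules = calculate_filter_rules(FIB)
    for r in sorted(rules):
        print(r, sorted(rules[r]))
    # Legitimate 10.1/16 -> 10.5/16 traffic enters R2 from R3: uRPF drops it, CPF passes it.
    print(urpf_accepts(FIB, "R2", "R3", "10.1.0.7"), cpf_accepts(rules, "R2", "R3", "10.1.0.7"))
    # A packet claiming 10.1/16 that enters R4 from R3 can never be genuine: uRPF passes it, CPF drops it.
    print(urpf_accepts(FIB, "R4", "R3", "10.1.0.7"), cpf_accepts(rules, "R4", "R3", "10.1.0.7"))
```

The two printed comparisons are the two failure modes named on the slide: the asymmetric R1-R3-R2 path gives strict uRPF a false positive at R2, and the R4 ECMP entry gives it a false negative from R3. The rule sets that `calculate_filter_rules` returns are what the real system would adapt into ACLs (or, with OpenFlow+, into flow-table entries); a topology change invalidates them, which is why the talk stresses real-time reporting from the routers.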
CPF in the Current Network Architecture
– SNMP: polling forwarding information, interface information and subnet information from the MIB to generate a global forwarding path.
– xFlow: sampling packets through xFlow (NetFlow/sFlow) to validate the source address of the sampled packets.
– Telnet: logging on to the router to configure the ACL calculated by CPF.
Limitations of CPF in the Current Internet Architecture
• The network device is not open and the interface is not standardized:
  – The ACL structure is not standardized, so we have to design for different vendors.
  – The routing table/forwarding table is not open for modification from outside the router.
  – The communication between the CPF controller and the device is inefficient.
  – May cause false negatives when the topology changes (because routing table changes cannot be reported to CPF in real time).
  – Telnet scripts cannot be smart enough.
What OpenFlow brings to us
• OpenFlow enables network innovation, by:
  – The FlowTable and the OpenFlow protocol between controller and device implement the standardization and open access of the network device.
  – User-defined new technology can easily be added to the controller as new components.
  – The centralized mode of OpenFlow makes functions based on global information possible.
What OpenFlow brings to us
[Figure: device hardware, flow table, OpenFlow protocol and control protocol, with the hardware exposed to OpenFlow. Labels: open and standard forwarding hardware; open and standard control interface; open and standard new protocol deployment.]
CPF and Openflow
• The central control architecture of OpenFlow matches CPF, which requires global information of an AS
• Using the OpenFlow protocol to unify three protocols (SNMP, xFlow and Telnet) for communication between the CPF controller and the network device
• Efficient control from outside the network device
Challenges of Current OpenFlow
• To adapt to all future protocols and different vendors, the flow table needs to be made more open
• If a new innovation is mature enough, the controller needs to be implemented inside the device to improve efficiency
• It is hard to pre-define all the communication requirements between the controller and the device, so the OpenFlow protocol needs to be made more open
• OpenFlow needs to run in today's routers; that makes deployment low-cost and practical
Openflow+
• Openflow+ is an extension to the fundamental architecture of OpenFlow to make it more open, efficient, and low-cost:
  – 1: Flow Table Extension
  – 2: Distribution Mode Extension
  – 3: Openflow Protocol Extension
  – 4: Low-cost Openflow for today's router (OpenRouter)
Extension 1: Flow Table Extension
[Figure: the flow table is split into Mandatory, Optional and Vendor-defined parts, sitting between the device hardware and the OpenFlow protocol / control protocol; hardware exposed to OpenFlow.]
Extension 2: Distribution Mode Extension
[Figure: two flow tables and a control protocol alongside the device hardware and the OpenFlow protocol. Three exposure modes: hardware to OpenFlow, protocol to OpenFlow, protocol to protocol.]
Extension 3: Openflow Protocol Extension
• In TLV format, each piece of data is organized as the triple (Type, Length, Value)
• TLVs can be used or arranged recursively
[Figure: TLV layout: Type (fixed length) | Length (fixed length) | Value ("TLV Length" bytes)]
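The slide gives the shape of the extension (fixed-width Type and Length, a Value that may itself hold TLVs) but not the wire format, so the following Python is an added illustration, not the OpenFlow+ encoding or code from the project. It uses constructed type codes and 16-bit fields, carries a CPF-style rule set as nested TLVs, and shows the two properties a practitioner cares about: a decoder that refuses a Length running past the buffer, and a receiver that skips TLV types it does not know.

```python
"""Added example (not the OpenFlow+ wire format): a recursive TLV encoder/decoder of
the shape the slide describes. Type codes, field widths and the rule payload are
constructed for illustration."""
import ipaddress
import struct

# Constructed type codes for this example (placeholders, not OpenFlow+ values)
T_RULE_SET, T_RULE, T_PREFIX, T_INGRESS = 1, 2, 3, 4
CONTAINER_TYPES = {T_RULE_SET, T_RULE}   # their Value is itself a sequence of TLVs
HDR = struct.Struct("!HH")               # Type and Length: 2 bytes each, network order


def tlv_encode(tlv_type, value):
    """One TLV: fixed-size Type and Length, then Length bytes of Value."""
    if len(value) > 0xFFFF:
        raise ValueError("value too long for a 16-bit length field")
    return HDR.pack(tlv_type, len(value)) + value


def tlv_decode(buf):
    """Split a buffer into (type, value) pairs. A Length that runs past the buffer is
    rejected rather than silently truncated or read out of bounds."""
    items, off = [], 0
    while off < len(buf):
        if len(buf) - off < HDR.size:
            raise ValueError("truncated TLV header at offset %d" % off)
        tlv_type, length = HDR.unpack_from(buf, off)
        off += HDR.size
        if len(buf) - off < length:
            raise ValueError("TLV length %d exceeds buffer at offset %d" % (length, off))
        items.append((tlv_type, buf[off:off + length]))
        off += length
    return items


def tlv_tree(buf):
    """Decode recursively: container types get their Value parsed as nested TLVs."""
    return [(t, tlv_tree(v) if t in CONTAINER_TYPES else v) for t, v in tlv_decode(buf)]


def encode_rule(prefix, ingress):
    """One filter rule as a container TLV holding a prefix TLV and an ingress TLV.
    Prefix value = packed network address (4 or 16 bytes) followed by one prefix-length byte."""
    net = ipaddress.ip_network(prefix)
    body = tlv_encode(T_PREFIX, net.network_address.packed + bytes([net.prefixlen]))
    body += tlv_encode(T_INGRESS, ingress.encode("ascii"))
    return tlv_encode(T_RULE, body)


def encode_rule_set(rules):
    """A list of (prefix, ingress) rules as one outer container TLV."""
    return tlv_encode(T_RULE_SET, b"".join(encode_rule(p, i) for p, i in rules))


def decode_rule_set(buf):
    """Inverse of encode_rule_set. Unknown sibling TLVs are skipped, so a newer sender
    can add optional fields without breaking an older receiver."""
    tree = tlv_tree(buf)
    if len(tree) != 1 or tree[0][0] != T_RULE_SET:
        raise ValueError("expected exactly one rule-set TLV")
    out = []
    for rule_type, fields in tree[0][1]:
        if rule_type != T_RULE:
            continue
        f = dict(fields)
        packed, plen = f[T_PREFIX][:-1], f[T_PREFIX][-1]
        net = ipaddress.ip_network("%s/%d" % (ipaddress.ip_address(packed), plen))
        out.append((str(net), f[T_INGRESS].decode("ascii")))
    return out


if __name__ == "__main__":
    wire = encode_rule_set([("10.1.0.0/16", "R1"), ("10.4.0.0/16", "R3")])
    print(wire.hex())
    print(decode_rule_set(wire))
```

The recursion in `tlv_tree` is what makes the format extensible: a container's Value is parsed with the same routine as the top level, so new nesting levels need no change to the parser. The bounds checks in `tlv_decode` are deliberately the first thing each iteration does; a controller-to-device protocol that trusts the Length field without them is a classic source of out-of-bounds reads.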
Extension 4: Low-cost Openflow for today's router (OpenRouter)
• OpenFlow+ in a commercial router: DCRS 5980/5950 routing switch, Digital China Company
Architecture of CPF based on OpenFlow+
[Figure: a CPF controller (NOX running OpenFlow+ and the CPF app) connected over OpenFlow+ to OpenRouters OR A to OR G. Inside the controller: Filtering Rule Generator, Validation Module, Rule Adaptor, Network State Processor, Sampling Packet Processor, shared memory and a socket, on top of NOX/OpenFlow.]
The Testbed of CPF based on OpenFlow+
[Figure: testbed]
Thanks!