openflow research on the georgia tech campus network
DESCRIPTION
OpenFlow Research on the Georgia Tech Campus Network. Russ Clark Nick Feamster Students: Yogesh Mundada, Hyojoon Kim, Ankur Nayak, Anirudh Ramachandran, Umayr Hassan. Summary of Research Projects. Campus Network Deployment Resonance: Dynamic Access Control for Campus Networks - PowerPoint PPT PresentationTRANSCRIPT
1
OpenFlow Research on the Georgia Tech Campus Network
Russ ClarkNick Feamster
Students: Yogesh Mundada, Hyojoon Kim, Ankur Nayak, Anirudh
Ramachandran, Umayr Hassan
2
Summary of Research Projects
• Campus Network Deployment– Resonance: Dynamic Access Control for Campus Networks – Pedigree: Traffic Tainting for Securing Enterprise Networks
• Home Network Deployments– User-Proof Networking (with Prof. Keith Edwards)
• Class Projects: Network Management/Network Security– OpenFlow Traffic Classification– SNMP MIB for OpenFlow– Home-Network Management using OpenFlow– OpenFlow for High Availability/Service Migration– OpenFlow and Virtualization – Access Control for Home Networks– Automated Intrusion Detection with OpenFlow
3
Dynamic Access Control
• Enterprise and campus networks are dynamic– Hosts continually coming and leaving
– Hosts may become infected
• Today, access control is static, and poorly integrated with the network layer itself
• Resonance: Dynamic access control– Track state of each host on the network
– Update forwarding state of switches per host as these states change
4
Authentication at GT: “START”
3. VLAN with Private IP
6. VLAN with Public IP
.1. New MAC Addr 2. VQP
7. REBOOT
Web Portal
4. Web Authentication 5. Authentication
Result
VMPS
Switch
New Host
5
Problems with Current Approach
• Access Control is too coarse-grained– Static, inflexible and prone to misconfigurations– Need to rely on VLANs to isolate infected machines
• Cannot dynamically remap hosts to different portions of the network– Needs a DHCP request which for a windows user
would mean a reboot
• Monitoring is not continuous
Idea: Access control policies should reflect network dynamics.
6
Resonance Approach
• Step 1: Controller associates each host with generic states and security classes.
• Step 2: Specify a state machine for moving machines from one state to the other.
• Step 3: Control forwarding state in switches based on the current state of each host.
7
Applying resonance to START
Registration
AuthenticatedOperation
Quarantined
SuccessfulAuthentication
Vulnerability detected
Clean after update
Failed Authentication
Infection removed or manually fixed
Still Infected afte
r an update
8
Challenges
• Scale– How many forwarding entries
per switch?– How much traffic at the
controller?
• Performance– Responsiveness
• Security– MAC address spoofing– Securing the controller (and
control framework)
9
10
Enterprise Information Flow Control• Goal: Control how information flows between different
hosts in the network– Control the spread of malware– Prevent data leaks
• Challenges– Heterogeneous devices– Hosts may not be trusted
• Solution: Pedigree– Classify traffic based on
• What process generated the traffic• Where that process has taken inputs
– Implement control policies in the network
11
Pedigree Design• Trusted tagging
component resides on host.
• Traffic carries taints that reflect provenance of network traffic.
• Switch one hop from hosts makes access control decisions.
12
Current FunctionInternet
1. Host sends request over control channel toopen with flow with taint set.
2. Traffic diverted to controller,which checks policy.
3. Controller inserts flowtable entry, if policy compliant.