Test 3 SDN Firewall Flashcards
SDN Firewall: 2 defining characteristics
SDN separates the control plane from the data plane
An SDN consolidates the control plane, so that a single software control program controls multiple data-plane elements.
Control plane
Decides how to handle traffic
Data plane
Forwards traffic according to decisions that the control plane makes
Active networking
A programming interface (or network API) that exposes resources (e.g. processing, storage, and packet queues) on individual network nodes.
Supports construction of custom functionality to apply to a subset of packets.
OpenFlow Switch Rule Table includes:
A bit pattern (including wildcards) for matching header fields such as MAC and IP addresses, protocol, TCP/UDP port numbers, physical input port, etc.
A priority: to break ties between overlapping patterns.
A list of actions: for example, forward out a port, flood, drop, send to controller, assign a new value to a header field, etc.
Optional hard and soft timeouts to evict stale rules
Byte and packet counters that collect information about how much traffic is flowing through each rule
Pyretic sequential composition
Treats the output of one policy as the input of another
Pyretic parallel composition
Applies two policy functions on the same packet and combines the results
3 Stages in History of SDN
Active Networks (1990s-2000s): introduced programmable functions in the network to enable greater innovation
Control and Data Plane Separation (2001-2007): developed open interfaces between the control and data planes
OpenFlow API and network operating systems (2007-2010): first instance of widespread adoption of an open interface; developed ways to make control-data plane separation scalable and practical
Active Networking Programming Models
Capsule model: code to execute at the nodes was carried in-band in data packets
Programmable router/switch model: code to execute at the nodes was established by out-of-band mechanisms
Technology Pushes encouraging active networking
reduction in the cost of computing
advances in programming languages such as Java offered platform portability and some code execution safety
virtual machine technology that protected the host machine
Technology Use Pulls for active networking
Motivation similar to motivation for SDN today
Issues include network service provider frustration with the timescales necessary to develop and deploy new network services (network ossification)
third-party interest in value-added, fine-grained control to dynamically meet the needs of particular applications or network conditions
researcher desire for a platform that would support experimentation at scale
unified control over middleboxes, including firewalls, proxies, and transcoders
Active Networks Intellectual Contributions
Programmable functions in the network to lower the barrier to innovation.
Network virtualization, and the ability to demultiplex to software programs based on packet headers.
The vision of a unified architecture for middlebox orchestration.
Motivation for Separating Control and Data Planes
In the early 2000s, increasing traffic volumes and a greater emphasis on network reliability, predictability, and performance led network operators to seek better approaches to certain network-management functions, such as control over the paths used to deliver traffic (a practice commonly known as traffic engineering).
Separate Control and Data Planes Intellectual Contributions
Logically centralized control using an open interface to the data plane.
Distributed state management
OpenFlow
An OpenFlow switch has a table of packet-handling rules, where each rule has:
a pattern (that matches on bits in the packet header),
a list of actions (e.g., drop, flood, forward out a particular interface, modify a header field, or send the packet to the controller),
a set of counters (to track the number of bytes and packets), and
a priority (to disambiguate between rules with overlapping patterns).
Upon receiving a packet, an OpenFlow switch identifies the highest-priority matching rule, performs the associated actions, and increments the counters.
Intellectual Contributions of OpenFlow
Generalizing network devices and functions.
Still, OpenFlow does not offer data-plane support for deep packet inspection or connection reassembly; as such, OpenFlow alone cannot efficiently enable sophisticated middlebox functionality.
The vision of a network operating system.
Distributed state management techniques.
Network Operating Systems
More generally, the emergence of a network operating system offered a conceptual decomposition of network operation into three layers [46]:
(1) a data plane with an open interface;
(2) a state management layer that is responsible for maintaining a consistent view of network state;
(3) control logic that performs various operations depending on its view of network state.
Network Virtualization
Network virtualization presents the abstraction of a network that is decoupled from the underlying physical equipment. Network virtualization allows multiple virtual networks to run over a shared infrastructure, and each virtual network can have a much simpler (more abstract) topology than the underlying physical network.
overlay network
A small set of upgraded nodes use tunnels to form their own topology on top of a legacy network.
In an overlay network, the upgraded nodes run their own control-plane protocol, and direct data traffic (and control-plane messages) to each other by encapsulating packets, sending them through the legacy network, and decapsulating them at the other end.
The Mbone (for multicast) [50], the 6bone (for IPv6) [43], and the X-Bone [76] were prominent early examples.
OpenFlow protocol
The OpenFlow protocol defines how the controller and switches interact. The controller maintains a connection to each switch over which OpenFlow messages are sent.
The controller uses these OpenFlow messages to (un)install rules, query the traffic counters, learn the network topology, and receive packets when the switch applies the "send to controller" action.
Advantages of Pyretic
It helps support modular programming.
Pyretic integrates monitoring into the policy function and supports a high-level query API. The programmer can easily combine monitoring and forwarding using parallel composition.
It provides facilities for creating a dynamic policy whose behavior will change over time, as specified by the programmer.
Pyretic offers a rich topology-abstraction facility that allows programmers to apply policy functions to an abstract view of the underlying network.
predicate policies
We use predicate policies (including match and conjunction) to disambiguate between packets based on their location in the network as well as their contents.
modification policies
We use modification policies (such as fwd) to change the header content or location of packets, and we use composition operators (+ for parallel composition and >> for sequential composition) to put together policy components.
Sequential composition
Sequential composition (>>) treats the output of one policy as the input to another
Parallel composition
Parallel composition (+) applies two policy functions on the same packet and combines the results
Difficulties of Network Configuration
It is difficult to define what we mean by correct behavior in the first place.
The interactions between multiple routing protocols can lead to unpredictability. Furthermore, each autonomous system on the Internet is independently configured, and the interaction between the policies of these autonomous systems can lead to unintended or unwanted behaviour.
The third reason that configuration is hard is that operators simply make mistakes. Configuration is difficult, and network policies are very complex. Furthermore, network configuration has historically been distributed across hundreds or more network devices, where each device is configured with vendor-specific low-level configuration.
SDN provides three things:
The first is network-wide views of both topology and traffic.
The second is the ability to satisfy network-level objectives such as those discussed before, including load balance, security, and other high-level goals.
The third thing that software-defined networking provides, and that network operators need, is direct control. In particular, rather than requiring network operators to configure each device individually with indirect configuration, SDN allows an operator to write a control program that directly affects the data plane. So rather than having to configure each device individually and guess or infer what might happen, software-defined networking allows a network operator to express network-level objectives and exert direct control from a logically centralized controller.
2 SDN defining characteristics
- In an SDN, the Control Plane runs in a logically centralized controller.
Additionally, the controller typically controls multiple routers across the network and often, the control program exerts control over all the routers in the network, thus facilitating network-wide control.
- The separation of data and control allows a network operator to build a network with commodity devices, where the control resides in a separate control program.
This refactoring allows us to move from a network where devices are vertically integrated, making it very tough to innovate, to a network where the devices have open interfaces that can be controlled by software, thus allowing for much more rapid innovation.
Advantages of SDN
It is easier to coordinate behavior among a network of devices.
The behavior of the network is easier to evolve, and it is also easier to reason about.
History of SDN
Prior to 2004, configuration was distributed, leading to buggy and unpredictable behavior.
Around 2004, a logically centralized controller focused on the Border Gateway Protocol was proposed; it was called the Routing Control Platform, or RCP.
In 2005, different planes:
- The decision plane, which computed the forwarding state for devices in the network,
- the data plane, which forwarded traffic based on decisions made by the decision plane,
- the dissemination and discovery planes, which provide the decision plane the information that it needs to compute the forwarding state, which ultimately gets pushed to the data plane.
Around 2008, OpenFlow.
- Emergence of cheap switches that were built based on open chipsets that could be controlled from software.
- Allowed us to decouple the control plane and the data plane in commodity switching hardware.
SDN Infrastructure
The control plane is typically a software program written in a high-level language, such as Python or C.
The data plane is typically programmable hardware that is controlled by the control plane.
The controller affects the forwarding state in the switch using control commands.
OpenFlow is one standard that defines a set of control commands by which the controller can control the behavior of one or more switches.
SDN has many applications including data centers, wide-area backbone networks, enterprise networks, Internet exchange points (IXPs), and home networks. Later modules in this course will explore how software-defined networks.
Control Plane Operations
The job of the Control Plane is to compute state that ultimately ends up in the data plane.
Computing a forwarding path that satisfies a high-level policy.
Computing shortest-path routing trees.
Making decisions about whether or not a user's device should be allowed to send traffic based on that device's MAC address.
Data Plane Operations
Rate limiting
Load balancing
(These decisions are made at forwarding time, not by a centralized high-level program.)
Differences in Control Plane and Data Plane
Control plane: the logic that controls forwarding behavior.
- Examples of control plane functions include routing protocols as well as logic for configuring network middleboxes.
- Routing protocol functions that compute the paths.
Data plane: the forwarding tables themselves, and specifically the actions associated with forwarding traffic according to the control plane logic.
- Examples of data plane functions include forwarding packets at the IP layer and switching at layer two.
- The act of actually taking a packet on an input port and forwarding it to an output port.
why is separating the data and control planes a good idea?
Independent evolution and development: software control of the network can evolve independently of the network hardware.
The opportunity to control the network behavior from a high-level software program. Controlling the network from a high-level program in theory allows network operators to debug and check network behavior more easily than in the status quo, where network behavior is determined by the distributed low-level configuration across hundreds of switches and routers.
It provides opportunities for better network management in data centers by facilitating network tasks such as virtual machine migration to adapt to fluctuating network demands.
In routing, the separation of data and control provides more control over decision logic.
In enterprise networks, SDN provides the ability to write security applications, such as applications that manage network access control.
In research networks, the separation of data and control effectively allows the network to be virtualized, so that research networks and experimental protocols can co-exist with production networks on the same underlying network hardware.
Reasons for Separating Data and Control
Separating the data and control plane can allow for independent evolution of the data and control plane.
It separates vendor hardware from the logic that controls the behavior of the network, and offers the potential to more easily reason about network behavior, since the behavior is now controlled from a single logically centralized control program.
(The separation of data and control planes does not inherently make the network more fault tolerant or more scalable.)
Example SDN: Data Centers
A data center typically consists of many racks of servers, and any particular cluster might have as many as 20,000 servers. Assuming that each one of these servers can run about 200 virtual machines, that is 400,000 virtual machines in a cluster.
A significant problem is provisioning or migrating these virtual machines in response to varying traffic loads. SDN solves this problem by programming the switch state from a central database.
If we need to provision additional virtual machines, or migrate a virtual machine from one server to another in the data center, the state in these switches must be updated. Updating the state in this fashion is much easier to do from a central controller or a central database, facilitating.
This type of migration is also made easier by the fact that the servers are addressed with layer 2 addressing, and the entire data center looks like a flat layer 2 topology. What this means is that a server can be migrated from one portion of the data center to another without requiring the virtual machine to obtain new addresses. All that needs to happen for forwarding to work is that the state of these switches needs to be updated. The task of updating switch state in this fashion is very easy to do when the control and data planes are separate.
How does the control-data plane separation make managing data centers easier?
Control-data plane separation can make it easier to manage the data center by monitoring and controlling routes from a central point and allowing virtual machines to be migrated without renumbering host addresses.
The control-data plane separation does not inherently make it possible to build a data center with fewer switches, nor does it automatically balance load.
2 SDN Challenges
Scalability and consistency
Security and robustness
SDN and security of Internet backbones
Filtering attack traffic is a regular network management task. Suppose that an attacker is sending lots of traffic towards a victim.
In this case a measurement system might detect the attack and identify the entry point, and a controller such as the RCP might install what is called a null route (a route that discards matching traffic) to ensure that no more traffic reaches the victim from the attacker.