
Page 1: ICCT2017: A user mode implementation of filtering rule management plane using key-value

A user mode implementation of filtering rule management plane using key-value

Ruo Ando, National Institute of Informatics, Japan

Yuuki Takano, Shinsuke Miwa, Network Security Research Institute, National Institute of Information and Communications Technology, Japan

2017 17th IEEE International Conference on Communication Technology | Chengdu, China | Oct 27-30, 2017

Page 2

Abstract: Towards an alternative access control model

[A] The emergence of network virtualization and related technologies such as SDN and cloud computing confronts us with the new challenge of an alternative access control model.

[B] In particular, besides flexibility, fine-grained traffic engineering functionality that copes with scalability and diversified networks is required for deployments of SDN and cloud computing.

[C] Our architecture leverages a NoSQL data store for handling a large number of filtering rules. By adopting NoSQL we achieve scalability, availability and tolerance to network partition. Moreover, by separating the management plane from the control plane, we achieve responsiveness and strong consistency at the same time.

[D] In the experiment we prototyped a lightweight management plane for IP filtering. Access filtering rules, each consisting of a target IP address, prefix length and gateway, are represented as a radix tree. It is shown that the proposed method achieves reasonable utilization in filtering IP packets.

Page 3

Network virtualization: abstraction and centralization

[Figure: network virtualization timeline, 2001 to 2012. Physical resources (NIC, HD, CPU, RAM, FW, LB, VLANs, VRF) are abstracted into virtual counterparts (image, vCPU, vRAM, vNIC, flow table, vFW, vLB) through an abstraction layer / virtualization layer provided by Xen, KVM, VMware, OpenFlow, Open vSwitch and FloodLight. Labels: decouple, reproduce, automate.]

Page 4

What is SDN and network virtualization? Myth: “SDN is network virtualization”

[Figure: two stacks side by side. Server virtualization: hardware resources (CPU, hard disk, NIC, IO; x86 / ARM instruction set) under a virtualization layer (Xen, QEMU, etc.) hosting Windows and Linux guests. Network virtualization: bandwidth, CPU and FIB under an OpenFlow abstraction layer and a FlowVisor virtualization (slicing) layer hosting slices, each with its own NOX controller.]

Definition of a slice: a slice is a set of flows (called a flowspace) running on a topology of switches. Source: https://www.clear.rice.edu/comp529/.../tutorial_4.pdf

Page 5

“When virtual is harder than real”: drawbacks of virtualized networks. Tal Garfinkel, Mendel Rosenblum, “When virtual is harder than real: Security challenges in virtual machine based computing environments”, HotOS 2005.

Scalability. Growth in physical machines is ultimately limited by setup time and bounded by the organization's capital equipment budget. In contrast, creating a new VM is as easy as copying a file. Users will frequently have several or even dozens of special-purpose VMs. Thus the total number of VMs in an organization can grow at an explosive rate, and administrative tasks are rarely completely automated.

Diversity. Many IT organizations tackle security problems by enforcing homogeneity: all machines must run the most current patched software. The diversity of VMs creates a range of problems, as one must try to maintain patches or other protection for a wide range of operating systems and deal with the risk posed by having many unpatched machines on the network.

Access control should be centralized!

CloudPolice: Taking access control out of the network. Lucian Popa, Minlan Yu, Steven Y. Ko, Ion Stoica, Sylvia Ratnasamy. 9th ACM Workshop on Hot Topics in Networks (HotNets-IX), Monterey, CA, October 2010.

Jonathan M. McCune, Stefan Berger, Trent Jaeger, Reiner Sailer: Shamon: A System for Distributed Mandatory Access Control. 22nd Annual Computer Security Applications Conference (ACSAC), Miami Beach, Florida, December 2006.

Page 6

Design requirements: fine-grained traffic functioning for scalability, diversity and flexibility.

[1] Scalability and diversity: Garfinkel pointed out that creating a new virtual instance is far easier than in a physical environment. Rapid and unpredictable growth can exacerbate management tasks, and in the worst case the impact of catastrophic events is multiplied because every instance must be patched. Enforcing homogeneity is difficult when users can obtain their own special-purpose VM at little cost, as easily as copying files.

[2] Flexibility: In SDN, networks are diversified, programmable and elastic. For a long period, from active networks to advanced network technologies such as cloud and SDN, one of the general goals of networking research has been to arrive at a network that is flexible.

[3] Fine-grained traffic functioning: commercial corporations, private enterprises and universities employ data centers to run a variety of applications and cloud-based services. The MicroTE study reveals that existing traffic engineering performs 15% to 20% worse than the optimal solution.

MicroTE: Fine grained traffic engineering for data centers. CoNEXT '11: Proceedings of the Seventh Conference on emerging Networking EXperiments and Technologies.

Lucian Popa, Ion Stoica, Sylvia Ratnasamy: Rule-based Forwarding (RBF): Improving the Internet's flexibility and security. HotNets 2009.

Page 7

Tradeoffs between manageability and performance

"Logically centralized?: State distribution trade-offs in software defined networks", Dan Levin, Andreas Wundsam, Brandon Heller, Nikhil Handigol and Anja Feldmann, HotSDN '12: Proceedings of the first workshop on Hot topics in software defined networks.

Controller component choices:

[1] Strongly consistent: controller components always operate on the same world view. Imposes delay and overhead.

[2] Eventually consistent: controller components incorporate information as it becomes available but may make decisions on different world views.

Source: http://www.richardclegg.org/node/21

[Figure: CAP triangle with vertices Consistency (C), Availability (A) and tolerance to network partition (P). RDBMS sits on the consistency side, NoSQL on the availability / partition-tolerance side.]

CAP Theorem (Eric Brewer, 2000)

Enforced consistency vs. eventual consistency: strongly consistent is preferred.

With NoSQL and key-value stores, A (availability), P (tolerance to network partition) and S (scalability) can be achieved.

Page 8

Basic SDN architecture and proposed system

[Figure: left, basic SDN: nodes (VMs) send ingress packets that are matched against a flow table on the data plane; the controller programs the flow table over a secure channel (control plane). Right, proposed system: nodes (VMs) send ingress packets that are matched against a filtering rule table (control and data plane); the rule table is fed from a data store on a separate management plane.]

VCRIB: Virtualized rule management in the cloud. Masoud Moshref, Minlan Yu, Abhishek Sharma, Ramesh Govindan. 4th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud), Boston, MA, June 2012.

Left: basic SDN. Right: proposed system.

Page 9

Avenues of Attack

[Figure: avenues of attack on an enterprise network holding sensitive data: missing security patches, misconfigured database, advanced attacks, sensitive data leaks, escalating user privileges, default passwords, weak passwords, unauthorized database, weak PRNG, misconfigured filtering.]

CDP: Functional & Operational Firewall Pattern. AWS Cloud Design Pattern.

Nemesis: preventing authentication & access control vulnerabilities in web applications. SSYM'09: Proceedings of the 18th conference on USENIX security symposium.

Detecting BGP configuration faults with static analysis. NSDI'05: Proceedings of the 2nd conference on Symposium on Networked Systems Design & Implementation.

A security enforcement kernel for OpenFlow networks. HotSDN '12: Proceedings of the first workshop on Hot topics in software defined networks.

Page 10

Adopting basic datastore on management plane

/* Load every rule document from the collection and install it in the radix tree. */
auto_ptr<mongo::DBClientCursor> cursor = client.query(ns, mongo::BSONObj());

while (cursor->more()) {
    mongo::BSONObj p = cursor->next();
    mongo::OID oid = p["_id"].OID();

    string dest = p["dest"].str();
    int mask = p["mask"].numberInt();
    string gateway = p["gateway"].str();

    const char *p0 = dest.c_str();
    const char *p1 = gateway.c_str();

    add_rtentry(p0, mask, p1);          /* install the rule into the radix tree */

    int res = find_route(dstAddress);   /* longest-prefix lookup of the captured destination */
    if (res == 0)
        printf("route find \n");

    /* flush entry */
    rm_rtentry(p0, mask);
}

{
  "_id": {"$oid": "53370eaeb1f58908a9837910"},
  "dest": "10.0.0.0",
  "mask": 8,
  "gateway": "192.168.0.2"
}

Filtering rule with BSON (JSON)

A radix tree (also PATRICIA trie, radix trie or compact prefix tree) is a space-optimized trie data structure in which each node with only one child is merged with its parent.

/* Look up the captured destination as a host (/32) entry; longest_match returns the most specific rule. */
entry.addr = ntohl(addr_dst.s_addr);
entry.prefix_len = 32;

radix_tree<rtentry, in_addr>::iterator it;

it = rttable.longest_match(entry);
if (it == rttable.end()) {
    std::cout << "no route to " << dst << std::endl;
    return 1;
}
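As an added example, not code from the paper: a binary prefix trie in Python standing in for the C++ radix_tree<rtentry, in_addr> used on this slide, exposing add_rtentry, find_route and rm_rtentry with the same roles as the functions on the page. The class name RouteTable, the pruning on removal and the use of Python's ipaddress module are my own choices, and the sample rules in the usage lines are constructed.

```python
# Added example (not from the paper): a binary prefix trie in Python standing in
# for the slides' C++ radix_tree<rtentry, in_addr>. A rule is (dest, mask, gateway);
# lookups return the longest matching prefix, as rttable.longest_match() does.
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[str, int, str]  # (dest, prefix length, gateway)


class _Node:
    __slots__ = ("child", "gateway")

    def __init__(self) -> None:
        self.child: List[Optional["_Node"]] = [None, None]  # branch on bit 0 / bit 1
        self.gateway: Optional[str] = None  # set only where a rule terminates


class RouteTable:
    """Longest-prefix-match table for IPv4 filtering rules (assumed name)."""

    def __init__(self) -> None:
        self.root = _Node()

    @staticmethod
    def _to_int(addr: str) -> int:
        return int(ipaddress.IPv4Address(addr))  # raises ValueError on bad input

    def add_rtentry(self, dest: str, mask: int, gateway: str) -> None:
        """Insert or overwrite the rule dest/mask -> gateway."""
        if not 0 <= mask <= 32:
            raise ValueError("prefix length must be 0..32")
        net = self._to_int(dest)
        node = self.root
        for i in range(mask):                # walk the top `mask` bits, MSB first
            bit = (net >> (31 - i)) & 1
            if node.child[bit] is None:
                node.child[bit] = _Node()
            node = node.child[bit]
        node.gateway = gateway

    def find_route(self, dst: str) -> Optional[Rule]:
        """Return the most specific rule covering dst, or None (no route)."""
        a = self._to_int(dst)
        node = self.root
        best = (0, node.gateway) if node.gateway is not None else None
        for i in range(32):
            node = node.child[(a >> (31 - i)) & 1]
            if node is None:
                break
            if node.gateway is not None:     # a deeper match wins: longest prefix
                best = (i + 1, node.gateway)
        if best is None:
            return None
        mask, gw = best
        net = a & ((0xFFFFFFFF << (32 - mask)) & 0xFFFFFFFF)
        return (str(ipaddress.IPv4Address(net)), mask, gw)

    def rm_rtentry(self, dest: str, mask: int) -> bool:
        """Remove dest/mask and prune nodes left without rules; False if absent."""
        net = self._to_int(dest)
        path = [self.root]
        for i in range(mask):
            nxt = path[-1].child[(net >> (31 - i)) & 1]
            if nxt is None:
                return False
            path.append(nxt)
        if path[-1].gateway is None:
            return False
        path[-1].gateway = None
        for i in range(len(path) - 1, 0, -1):   # prune empty leaves bottom-up
            n = path[i]
            if n.gateway is not None or n.child != [None, None]:
                break
            parent = path[i - 1]
            parent.child[parent.child.index(n)] = None
        return True


if __name__ == "__main__":
    # Constructed sample rules, in the shape of the slides' BSON records.
    t = RouteTable()
    t.add_rtentry("10.0.0.0", 8, "192.168.0.2")
    t.add_rtentry("10.0.0.0", 24, "10.0.0.1")
    print(t.find_route("10.0.0.8"))    # the /24 rule wins over the /8 rule
    print(t.find_route("10.1.2.3"))    # only the /8 rule covers this host
    print(t.find_route("172.16.0.1"))  # no route
    t.rm_rtentry("10.0.0.0", 24)       # flush entry, as the slide does
    print(t.find_route("10.0.0.8"))    # falls back to the /8 rule
```

The uncompressed binary trie keeps the longest-match walk easy to follow; a real radix tree merges single-child chains, which changes memory use but not the result of the lookup.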

Page 11

#include <stdio.h>
#include <string.h>
#include <libmemcached/memcached.h>

/* declarations assumed from the surrounding program */
memcached_st *memc;
memcached_return_t rv;
char key1[32], key2[32];

if ((memc = memcached_create(NULL)) == NULL) {
    fprintf(stderr, "failed to allocate memory\n");
    return 1;
}

rv = memcached_server_add(memc, "localhost", 11211);

if (rv != MEMCACHED_SUCCESS) {
    fprintf(stderr, "failed to set server\n");
    return 1;
}

char *result;
uint32_t flags;
size_t result_length;

/* retrieving gateway address */
snprintf(key1, sizeof key1, "gate-%s", dstAddress);
printf("key1: %s\n", key1);

result = memcached_get(memc, key1, strlen(key1), &result_length, &flags, &rv);

if (rv != MEMCACHED_SUCCESS) {
    fprintf(stderr, "failed to fetch record\n");
    return 1;
}
/* result now holds the gateway string; consume and free it before it is reused below */

/* retrieving netmask */
snprintf(key2, sizeof key2, "mask-%s", dstAddress);
printf("key2: %s\n", key2);

result = memcached_get(memc, key2, strlen(key2), &result_length, &flags, &rv);

if (rv != MEMCACHED_SUCCESS) {
    fprintf(stderr, "failed to fetch record\n");
    return 1;
}

Adopting Memcached on management plane

import bmemcached
import random

client = bmemcached.Client(('127.0.0.1:11211', ), 'user', 'password')

client.set('gate-10.0.0.8', '10.0.0.1')
client.set('mask-10.0.0.8', '8')

Basic datastore query representation

{
  "_id": {"$oid": "53370eaeb1f58908a9837910"},
  "dest": "10.0.0.0",
  "mask": 8,
  "gateway": "192.168.0.2"
}
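The memcached layout on this slide stores one rule as two keys, gate-<dst> and mask-<dst>, written by two separate set calls, whereas the BSON record keeps dest, mask and gateway in a single document. As an added example that is not part of the paper, the following Python publishes and fetches rules in both layouts against an in-memory dict standing in for bmemcached.Client and the MongoDB client (FakeKV, the function names and the rule-<dst> key are assumptions), and hands a rule to the control plane only when both halves are present and well formed, so a half-written or malformed record is never installed in the filter.

```python
# Added example (not from the paper): publishing and fetching a filtering rule
# through a key-value store in the slides' two-key layout ("gate-<dst>", "mask-<dst>")
# and in a single-document layout like the BSON record. A dict stands in for the
# memcached / MongoDB client so the code runs offline.
import ipaddress
import json
from typing import Dict, Optional, Tuple

Rule = Tuple[str, int, str]  # (dest, mask, gateway)


class FakeKV:
    """Stand-in (assumed) for bmemcached.Client: set/get/delete of string values."""

    def __init__(self) -> None:
        self._d: Dict[str, str] = {}

    def set(self, key: str, value: str) -> bool:
        self._d[key] = value
        return True

    def get(self, key: str) -> Optional[str]:
        return self._d.get(key)

    def delete(self, key: str) -> None:
        self._d.pop(key, None)


def publish_rule_two_keys(kv: FakeKV, dest: str, mask: int, gateway: str) -> None:
    # Two independent writes, exactly as on the slide; nothing makes them atomic.
    kv.set(f"gate-{dest}", gateway)
    kv.set(f"mask-{dest}", str(mask))


def publish_rule_document(kv: FakeKV, dest: str, mask: int, gateway: str) -> None:
    # One write carrying all three fields, mirroring the BSON record on the slide.
    kv.set(f"rule-{dest}", json.dumps({"dest": dest, "mask": mask, "gateway": gateway}))


def _validate(dest: str, mask_str: str, gateway: str) -> Optional[Rule]:
    """Return a well-formed rule or None; never raise on bad store contents."""
    try:
        ipaddress.IPv4Address(dest)
        ipaddress.IPv4Address(gateway)
        mask = int(mask_str)
    except (ValueError, TypeError):
        return None
    if not 0 <= mask <= 32:
        return None
    return (dest, mask, gateway)


def fetch_rule_two_keys(kv: FakeKV, dest: str) -> Optional[Rule]:
    """Control-plane side of the slide's memcached_get() calls."""
    gateway = kv.get(f"gate-{dest}")
    mask = kv.get(f"mask-{dest}")
    if gateway is None or mask is None:
        return None  # half-written or deleted rule: do not install it
    return _validate(dest, mask, gateway)


def fetch_rule_document(kv: FakeKV, dest: str) -> Optional[Rule]:
    """Same check for the single-document layout."""
    raw = kv.get(f"rule-{dest}")
    if raw is None:
        return None
    try:
        doc = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(doc, dict) or doc.get("dest") != dest:
        return None
    return _validate(dest, str(doc.get("mask")), str(doc.get("gateway")))


if __name__ == "__main__":
    kv = FakeKV()
    # Constructed rules in the shape of the slides' examples.
    publish_rule_two_keys(kv, "10.0.0.8", 8, "10.0.0.1")
    publish_rule_document(kv, "10.0.0.0", 8, "192.168.0.2")
    print(fetch_rule_two_keys(kv, "10.0.0.8"))
    print(fetch_rule_document(kv, "10.0.0.0"))
    kv.delete("mask-10.0.0.8")                 # simulate a reader between the two writes
    print(fetch_rule_two_keys(kv, "10.0.0.8"))  # rejected rather than half-applied
```

With the two-key layout a reader that runs between the two set calls sees one half of the rule; the loader treats that as "no rule" instead of guessing a mask or gateway. The single-document layout removes that window, which is the same consistency concern the CAP discussion on slide 7 raises for the management plane.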

Page 12

Experimental result on Amazon VPC

We compiled our system on Ubuntu 12 LTS with Linux kernel 3.2.0. The proposed system is hosted on an Intel Xeon E5645 with a 2.4 GHz clock.

[Figure: testbed on Amazon VPC. Packets enter at vNIC1, pass a bridge and IP capture, are looked up in the radix module on the control plane, and leave at vNIC2. A Python module on the management plane loads the filtering rules from MongoDB into the radix module. Numbered arrows mark the processing stages.]

Page 13

Experimental result on Amazon VPC (Memcached)

[Figure: same testbed on Amazon VPC with Memcached in place of MongoDB. Packets enter at vNIC1, pass a bridge and IP capture, are looked up in the radix module on the control plane, and leave at vNIC2; a Python module loads the rules from Memcached. Numbered arrows mark the processing stages.]


Page 14

Conclusions: Towards an alternative access control model

[A] The emergence of network virtualization and related technologies such as SDN and cloud computing confronts us with the new challenge of an alternative access control model.

[B] In particular, besides flexibility, fine-grained traffic engineering functionality that copes with scalability and diversified networks is required for deployments of SDN and cloud computing.

[C] Our architecture leverages a NoSQL data store for handling a large number of filtering rules. By adopting NoSQL we achieve scalability, availability and tolerance to network partition. Moreover, by separating the management plane from the control plane, we achieve responsiveness and strong consistency at the same time.

[D] In the experiment we prototyped a lightweight management plane for IP filtering. Access filtering rules, each consisting of a target IP address, prefix length and gateway, are represented as a radix tree. It is shown that the proposed method achieves reasonable utilization in filtering IP packets.