A user mode implementation of filtering rule management plane using key-value
Ruo Ando, National Institute of Informatics, Japan
Yuuki Takano, Shinsuke Miwa, Network Security Research Institute, National Institute of Information and Communications Technology, Japan
2017 17th IEEE International Conference on Communication Technology | Chengdu, China | Oct 27-30, 2017
Abstract: Towards an alternative access control model
[A] The emergence of network virtualization and related technologies such as SDN and cloud computing confronts us with the new challenge of an alternative access control model.
[B] In particular, besides flexibility, fine-grained traffic engineering functionality for coping with scalability and diversified networks is required for deployments of SDN and cloud computing.
[C] Our architecture leverages a NoSQL data store for handling a large number of filtering rules. By adopting NoSQL, we achieve scalability, availability and tolerance to network partition. Moreover, by separating the management plane from the control plane, we achieve responsiveness and strong consistency at the same time.
[D] In experiments, we have prototyped a lightweight management plane for IP filtering. Access filtering rules, each consisting of a target IP address, prefix and gateway, are represented as a radix tree. It is shown that the proposed method achieves reasonable utilization in filtering IP packets.
Network virtualization: abstraction and centralization
[Figure: physical resources as of 2001 (NIC, HD, CPU, RAM, FW, LB, VLANs, VRF) are mapped through an abstraction layer (Xen, KVM, VMware for compute; OpenFlow, Open vSwitch, FloodLight for the network) onto virtual resources as of 2012 (image, vCPU, vRAM, vNIC, FlowTable, vFW, vLB). The virtualization layer lets operators decouple, reproduce and automate.]
What is SDN and network virtualization? Myth: "SDN is network virtualization"
[Figure: server virtualization compared with network virtualization. Server side: hardware resources (x86/ARM: CPU, hard disk, PIC, IO), abstraction layer (x86 instruction set), virtualization layer (Xen, QEMU, etc.), guests (Windows, Linux). Network side: hardware resources (bandwidth, CPU, FIB), abstraction layer (OpenFlow), virtualization or slicing layer (FlowVisor), slices each with its own controller (NOX).]
Definition of a slice: a slice is a set of flows (called a flowspace) running on a topology of switches. (https://www.clear.rice.edu/comp529/.../tutorial_4.pdf)
"When virtual is harder than real": drawbacks of virtualized networks
Tal Garfinkel, Mendel Rosenblum: When virtual is harder than real: Security challenges in virtual machine based computing environments. HotOS 2005.
Scalability. Growth in physical machines is ultimately limited by setup time and bounded by the organization's capital equipment budget. In contrast, creating a new VM is as easy as copying a file. Users will frequently have several or even dozens of special-purpose VMs. Thus, the total number of VMs in an organization can grow at an explosive rate. Rarely are all administrative tasks completely automated.
Diversity. Many IT organizations tackle security problems by enforcing homogeneity: all machines must run the most current patched software. This creates a range of problems, as one must try to maintain patches or other protection for a wide range of OSes and deal with the risk posed by having many unpatched machines on the network.
Access control should be centralized!
CloudPolice: Taking access control out of the network. Lucian Popa, Minlan Yu, Steven Y. Ko, Ion Stoica, Sylvia Ratnasamy. 9th ACM Workshop on Hot Topics in Networks (HotNets-IX), Monterey, CA, October 2010.
Jonathan M. McCune, Stefan Berger, Trent Jaeger, Reiner Sailer: Shamon: A System for Distributed Mandatory Access Control. 22nd Annual Computer Security Applications Conference (ACSAC), Miami Beach, Florida, December 2006.
Design requirement: fine-grained traffic functioning for scalability, diversity and flexibility.
[1] Scalability and diversity: Garfinkel pointed out that creating a new virtual instance is far easier than in a physical environment. Rapid and unpredictable growth can exacerbate management tasks, and in the worst case the impact of catastrophic events is multiplied when every instance must be patched. Enforcing homogeneity is difficult when users can obtain their own special-purpose VM easily and cheaply, as simply as copying files.
[2] Flexibility: In SDN, networks are diversified, programmable and elastic. For a long period, from active networks to advanced network technologies like cloud and SDN, one of the general goals of networking research has been to arrive at a network which is flexible.
[3] Fine-grained traffic functioning: commercial corporations, private enterprises and universities employ data centers to run a variety of applications and cloud-based services. The MicroTE study reveals that existing traffic engineering performs 15% to 20% worse than the optimal solution.
MicroTE: Fine grained traffic engineering for data centers. CoNEXT '11, Proceedings of the Seventh Conference on emerging Networking EXperiments and Technologies.
Lucian Popa, Ion Stoica, Sylvia Ratnasamy: Rule-based Forwarding (RBF): Improving the Internet's flexibility and security. HotNets 2009.
Tradeoffs between manageability and performance
"Logically centralized?: State distribution trade-offs in software defined networks", Dan Levin, Andreas Wundsam, Brandon Heller, Nikhil Handigol and Anja Feldmann. HotSDN '12, Proceedings of the first workshop on Hot topics in software defined networks.
Controller component choices:
[1] Strongly consistent: controller components always operate on the same world view. Imposes delay and overhead.
[2] Eventually consistent: controller components incorporate information as it becomes available but may make decisions on different world views.
(http://www.richardclegg.org/node/21)
[Figure: CAP theorem (Eric Brewer, 2000) drawn as a triangle with corners Consistency (C), Availability (A) and Tolerance to network partition (P). RDBMS sits on the consistency side (enforced consistency); NoSQL sits on the availability/partition-tolerance side (eventual consistency).]
Strong consistency is preferred.
With NoSQL and key-value stores, A (availability), P (tolerance to network partition) and S (scalability) can be achieved.
Basic SDN architecture and proposed system
[Figure: Basic SDN: nodes (VMs) send ingress packets to a flow table on the data plane; matching rules are installed over a secure channel from the controller on the control plane. Proposed system: nodes (VMs) send ingress packets to a filtering rule table on the combined control and data plane; matching rules are held in a data store on a separate management plane.]
VCRIB: Virtualized rule management in the cloud. Masoud Moshref, Minlan Yu, Abhishek Sharma, Ramesh Govindan. 4th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud), Boston, MA, June 2012.
Avenues of attack
[Figure: avenues of attack against sensitive data in an enterprise network: missing security patches, misconfigured database, advanced attacks, sensitive data leaks, escalating user privileges, default passwords, weak passwords, unauthorized database, weak PRNG, misconfigured filtering.]
CDP: Functional & Operational Firewall Pattern. AWS Cloud Design Pattern.
Nemesis: preventing authentication & access control vulnerabilities in web applications. SSYM'09, Proceedings of the 18th conference on USENIX security symposium.
Detecting BGP configuration faults with static analysis. NSDI'05, Proceedings of the 2nd conference on Symposium on Networked Systems Design & Implementation.
A security enforcement kernel for OpenFlow networks. HotSDN '12, Proceedings of the first workshop on Hot topics in software defined networks.
Adopting basic datastore on management plane

    #include <cstdio>
    #include <memory>
    #include <string>
    #include "mongo/client/dbclient.h"   /* legacy MongoDB C++ driver */

    /* Read every filtering rule document from collection `ns` and install it
       in the radix tree. add_rtentry / find_route / rm_rtentry are the
       prototype's radix module; `client` is a connected DBClientConnection. */
    std::auto_ptr<mongo::DBClientCursor> cursor = client.query(ns, mongo::BSONObj());
    while (cursor->more()) {
        mongo::BSONObj p = cursor->next();
        mongo::OID oid = p["_id"].OID();
        std::string dest = p["dest"].str();         /* network address */
        int mask = p["mask"].numberInt();           /* prefix length */
        std::string gateway = p["gateway"].str();   /* next hop */
        const char *p0 = dest.c_str();
        const char *p1 = gateway.c_str();
        add_rtentry(p0, mask, p1);                  /* install dest/mask via gateway */
        int res = find_route(dstAddress);           /* look up the packet's destination */
        if (res == 0)
            printf("route found\n");
        /* flush entry */
        rm_rtentry(p0, mask);
    }

Filtering rule with BSON (JSON):

    {"_id": {"$oid": "53370eaeb1f58908a9837910"},
     "dest": "10.0.0.0", "mask": 8, "gateway": "192.168.0.2"}
A radix tree (also called a Patricia trie, radix trie or compact prefix tree) is a space-optimized trie data structure in which each node with only one child is merged with its parent.
    /* Longest-prefix lookup of a destination address in the radix tree.
       radix_tree<rtentry, in_addr> is the template the prototype uses; the
       tree is keyed on rtentry.addr and rtentry.prefix_len. */
    rtentry entry;
    entry.addr = ntohl(addr_dst.s_addr);   /* host byte order */
    entry.prefix_len = 32;                 /* look up a full host address */

    radix_tree<rtentry, in_addr>::iterator it;
    it = rttable.longest_match(entry);
    if (it == rttable.end()) {
        std::cout << "no route to " << dst << std::endl;
        return 1;
    }
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <libmemcached/memcached.h>

    /* Fetch the gateway and netmask stored for dstAddress under the keys
       "gate-<address>" and "mask-<address>" (one exact-match key pair per rule). */
    memcached_st *memc;
    memcached_return_t rv;
    char key1[32], key2[32];
    char *result;
    uint32_t flags;
    size_t result_length;

    if ((memc = memcached_create(NULL)) == NULL) {
        fprintf(stderr, "failed to allocate memory\n");
        return 1;
    }
    rv = memcached_server_add(memc, "localhost", 11211);
    if (rv != MEMCACHED_SUCCESS) {
        fprintf(stderr, "failed to set server\n");
        return 1;
    }

    /* retrieving gateway address */
    snprintf(key1, sizeof key1, "gate-%s", dstAddress);
    printf("key1: %s\n", key1);
    result = memcached_get(memc, key1, strlen(key1), &result_length, &flags, &rv);
    if (rv != MEMCACHED_SUCCESS) {
        fprintf(stderr, "failed to fetch record\n");
        return 1;
    }
    free(result);   /* memcached_get returns a malloc'd copy of the value */

    /* retrieving netmask */
    snprintf(key2, sizeof key2, "mask-%s", dstAddress);
    printf("key2: %s\n", key2);
    result = memcached_get(memc, key2, strlen(key2), &result_length, &flags, &rv);
    if (rv != MEMCACHED_SUCCESS) {
        fprintf(stderr, "failed to fetch record\n");
        return 1;
    }
    free(result);
Adopting Memcached on management plane

    import bmemcached
    import random

    # python-binary-memcached client with SASL credentials
    client = bmemcached.Client(('127.0.0.1:11211', ), 'user', 'password')
    # one key pair per rule: the gateway and the netmask for a destination
    client.set('gate-10.0.0.8', '10.0.0.1')
    client.set('mask-10.0.0.8', '8')

Basic datastore query representation:

    {"_id": {"$oid": "53370eaeb1f58908a9837910"},
     "dest": "10.0.0.0", "mask": 8, "gateway": "192.168.0.2"}
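The following is an added example, not code from the paper or its prototype. It takes the rule shape of the BSON document above ({dest, mask, gateway}), installs constructed rules in a small binary trie (a radix tree without path compression, standing in for the radix_tree template the prototype uses) and resolves destinations by longest-prefix match. It also models the memcached key scheme of the last two slides ("gate-<address>" keys) with a std::map, to show that a key-value lookup finds a rule only when the destination equals the stored key, whereas the trie covers every address under the prefix. Rule, PrefixTrie, gateway_for and exact_gateway are names chosen here; the rule values other than the slide's 10.0.0.0/8 via 192.168.0.2 are constructed.

```cpp
// Added example (not the paper's code): constructed filtering rules in the
// slide's {dest, mask, gateway} shape, installed in a binary trie with
// longest-prefix match, contrasted with the exact-key lookup of a key-value
// store keyed "gate-<address>".
#include <arpa/inet.h>
#include <cstdint>
#include <map>
#include <memory>
#include <string>
#include <vector>

struct Rule {              // mirrors the BSON fields shown on the slides
    std::string dest;      // network address, e.g. "10.0.0.0"
    int mask;              // prefix length in bits, e.g. 8
    std::string gateway;   // next hop, e.g. "192.168.0.2"
};

// Dotted-quad IPv4 -> host-order integer; false on anything malformed.
static bool parse_ipv4(const std::string& s, uint32_t& out) {
    in_addr a;
    if (inet_pton(AF_INET, s.c_str(), &a) != 1) return false;
    out = ntohl(a.s_addr);
    return true;
}

// Binary trie over address bits (a radix tree without path compression,
// enough to show longest-prefix matching). Each node may carry one rule.
class PrefixTrie {
    struct Node {
        std::unique_ptr<Node> child[2];
        bool has_rule = false;
        std::string gateway;
    };
    Node root_;
public:
    // Install a rule; rejects a bad address or a prefix length outside 0..32.
    bool add(const Rule& r) {
        uint32_t addr;
        if (r.mask < 0 || r.mask > 32 || !parse_ipv4(r.dest, addr)) return false;
        Node* n = &root_;
        for (int i = 0; i < r.mask; ++i) {
            int bit = (addr >> (31 - i)) & 1;
            if (!n->child[bit]) n->child[bit].reset(new Node());
            n = n->child[bit].get();
        }
        n->has_rule = true;
        n->gateway = r.gateway;
        return true;
    }
    // Longest-prefix match: descend along the address bits and keep the
    // deepest node that carries a rule. Returns false when nothing matches.
    bool longest_match(const std::string& dst, std::string& gw) const {
        uint32_t addr;
        if (!parse_ipv4(dst, addr)) return false;
        const Node* n = &root_;
        const Node* best = root_.has_rule ? &root_ : nullptr;  // /0 default route
        for (int i = 0; i < 32 && n; ++i) {
            n = n->child[(addr >> (31 - i)) & 1].get();
            if (n && n->has_rule) best = n;
        }
        if (!best) return false;
        gw = best->gateway;
        return true;
    }
};

// Gateway for an ingress destination, "no route" when no prefix covers it.
std::string gateway_for(const PrefixTrie& t, const std::string& dst) {
    std::string gw;
    return t.longest_match(dst, gw) ? gw : "no route";
}

// The key-value scheme of the memcached slides: one "gate-<address>" key per
// stored rule, so only a destination equal to the stored address is found.
std::string exact_gateway(const std::map<std::string, std::string>& kv,
                          const std::string& dst) {
    auto it = kv.find("gate-" + dst);
    return it == kv.end() ? "no route" : it->second;
}

// Constructed rule documents: the first is the one shown on the slide, the
// second is a more specific prefix, the last is malformed and is rejected.
PrefixTrie build_sample_table() {
    const std::vector<Rule> rules = {
        {"10.0.0.0", 8, "192.168.0.2"},
        {"10.1.0.0", 16, "192.168.0.3"},
        {"300.1.1.1", 8, "192.168.0.9"},
    };
    PrefixTrie t;
    for (const Rule& r : rules) t.add(r);
    return t;
}

int main() {
    PrefixTrie t = build_sample_table();
    // 10.1.2.3 -> 192.168.0.3 (/16 wins over /8); 10.2.0.1 -> 192.168.0.2;
    // 172.16.0.1 -> no route.
    return gateway_for(t, "10.1.2.3") == "192.168.0.3" ? 0 : 1;
}
```

The trie answers the question the filtering plane actually asks (which stored prefix covers this packet), while the "gate-<address>" key scheme can only answer "is there a rule stored under exactly this string", so a lookup for 10.0.0.9 misses a rule stored under 10.0.0.8 even though both lie in 10.0.0.0/8. Malformed rule documents pulled from the data store are rejected at add() rather than silently installed.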
Experimental result on Amazon VPC
We compiled our system on Ubuntu 12 LTS with Linux kernel 3.2.0. The proposed system is hosted on an Intel Xeon E5645 with a 2.4 GHz clock.
[Figure: packet path in the prototype: vNIC1 and vNIC2 joined by a bridge, with IP capture feeding a Python module and the radix module on the control plane, which consult MongoDB on the management plane. The numbered steps of the original figure are not recoverable.]
Experimental result on Amazon VPC (Memcached)
[Figure: the same packet path with Memcached in place of MongoDB: vNIC1 and vNIC2 joined by a bridge, with IP capture feeding a Python module and the radix module on the control plane, which consult Memcached. The numbered steps of the original figure are not recoverable.]
Conclusions: Towards an alternative access control model
[A] The emergence of network virtualization and related technologies such as SDN and cloud computing confronts us with the new challenge of an alternative access control model.
[B] In particular, besides flexibility, fine-grained traffic engineering functionality for coping with scalability and diversified networks is required for deployments of SDN and cloud computing.
[C] Our architecture leverages a NoSQL data store for handling a large number of filtering rules. By adopting NoSQL, we achieve scalability, availability and tolerance to network partition. Moreover, by separating the management plane from the control plane, we achieve responsiveness and strong consistency at the same time.
[D] In experiments, we have prototyped a lightweight management plane for IP filtering. Access filtering rules, each consisting of a target IP address, prefix and gateway, are represented as a radix tree. It is shown that the proposed method achieves reasonable utilization in filtering IP packets.