1 OpenFlow Research on the Georgia Tech Campus Network Russ Clark Nick Feamster Students: Yogesh Mundada, Hyojoon Kim, Ankur Nayak, Anirudh Ramachandran, Umayr Hassan
Page 1

OpenFlow Research on the Georgia Tech Campus Network

Russ Clark, Nick Feamster

Students: Yogesh Mundada, Hyojoon Kim, Ankur Nayak, Anirudh Ramachandran, Umayr Hassan

Page 2

Summary of Research Projects

• Campus Network Deployment
  – Resonance: Dynamic Access Control for Campus Networks
  – Pedigree: Traffic Tainting for Securing Enterprise Networks

• Home Network Deployments
  – User-Proof Networking (with Prof. Keith Edwards)

• Class Projects: Network Management/Network Security
  – OpenFlow Traffic Classification
  – SNMP MIB for OpenFlow
  – Home-Network Management using OpenFlow
  – OpenFlow for High Availability/Service Migration
  – OpenFlow and Virtualization
  – Access Control for Home Networks
  – Automated Intrusion Detection with OpenFlow

Page 3

Dynamic Access Control

• Enterprise and campus networks are dynamic
  – Hosts continually coming and leaving
  – Hosts may become infected

• Today, access control is static, and poorly integrated with the network layer itself

• Resonance: Dynamic access control
  – Track state of each host on the network
  – Update forwarding state of switches per host as these states change

Page 4

Authentication at GT: “START”

Diagram: a New Host, the Switch, the VMPS and the Web Portal, with the numbered steps 1. New MAC Addr; 2. VQP; 3. VLAN with Private IP; 4. Web Authentication; 5. Authentication Result; 6. VLAN with Public IP; 7. REBOOT.

Page 5

Problems with Current Approach

• Access Control is too coarse-grained
  – Static, inflexible and prone to misconfigurations
  – Need to rely on VLANs to isolate infected machines

• Cannot dynamically remap hosts to different portions of the network
  – Needs a DHCP request, which for a Windows user would mean a reboot

• Monitoring is not continuous

Idea: Access control policies should reflect network dynamics.

Page 6

Resonance Approach

• Step 1: Controller associates each host with generic states and security classes.

• Step 2: Specify a state machine for moving machines from one state to the other.

• Step 3: Control forwarding state in switches based on the current state of each host.

Page 7

Applying Resonance to START

Diagram of the per-host state machine. States: Registration, Authenticated, Operation, Quarantined. Transitions: Successful Authentication, Failed Authentication, Clean after update, Vulnerability detected, Infection removed or manually fixed, Still infected after an update.
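As an added example (not the Resonance code), a small Python model of the three steps on the previous slide applied to this state machine: per-host state keyed by MAC address, the transition table, and the forwarding entries the controller would push whenever a host changes state. The slide gives the transition labels but not which states they connect; the arrows in TRANSITIONS and the match/action strings in POLICY are this example's assumptions.

```python
from dataclasses import dataclass, field

# Host states from the Resonance slides.
REGISTRATION, AUTHENTICATED, OPERATION, QUARANTINED = (
    "Registration", "Authenticated", "Operation", "Quarantined")

# Step 2: (state, event) -> next state. The events are the slide's transition
# labels; which arrow each label sits on is this example's assumption.
TRANSITIONS = {
    (REGISTRATION, "successful_authentication"): AUTHENTICATED,
    (AUTHENTICATED, "failed_authentication"): REGISTRATION,
    (AUTHENTICATED, "clean_after_update"): OPERATION,
    (AUTHENTICATED, "vulnerability_detected"): QUARANTINED,
    (OPERATION, "vulnerability_detected"): QUARANTINED,
    (QUARANTINED, "infection_removed"): OPERATION,
    (QUARANTINED, "still_infected_after_update"): QUARANTINED,
}

# Step 3: the forwarding entries pushed for a host in each state. The match and
# action strings are illustrative placeholders, not OpenFlow syntax.
POLICY = {
    REGISTRATION: [("udp/67 dhcp", "allow"), ("tcp/80", "redirect:web-portal"), ("*", "drop")],
    AUTHENTICATED: [("tcp/443 update-server", "allow"), ("*", "drop")],
    OPERATION: [("*", "allow")],
    QUARANTINED: [("tcp/80", "redirect:remediation-page"), ("*", "drop")],
}

@dataclass
class Controller:
    # Hosts are keyed by MAC address; a spoofed MAC would inherit that host's
    # state, which is why the Challenges slide lists MAC address spoofing.
    hosts: dict = field(default_factory=dict)   # mac -> state
    pushed: list = field(default_factory=list)  # (mac, rule) entries "installed"
    def see_new_mac(self, mac):
        """Step 1: a newly seen MAC address starts in Registration."""
        self.hosts[mac] = REGISTRATION
        self._install(mac)
    def event(self, mac, ev):
        """Drive the host's state machine; undefined (state, event) pairs are ignored."""
        cur = self.hosts[mac]
        nxt = TRANSITIONS.get((cur, ev), cur)
        if nxt != cur:
            self.hosts[mac] = nxt
            self._install(mac)  # remapping needs no DHCP request or reboot
        return nxt
    def _install(self, mac):
        """Replace the host's flow entries with those for its current state."""
        self.pushed = [(m, r) for (m, r) in self.pushed if m != mac]
        self.pushed += [(mac, r) for r in POLICY[self.hosts[mac]]]
    def rules_for(self, mac):
        return [r for (m, r) in self.pushed if m == mac]
```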

Page 8

Challenges

• Scale
  – How many forwarding entries per switch?
  – How much traffic at the controller?

• Performance
  – Responsiveness

• Security
  – MAC address spoofing
  – Securing the controller (and control framework)

Page 9

Page 10

Enterprise Information Flow Control

• Goal: Control how information flows between different hosts in the network
  – Control the spread of malware
  – Prevent data leaks

• Challenges
  – Heterogeneous devices
  – Hosts may not be trusted

• Solution: Pedigree
  – Classify traffic based on
    • What process generated the traffic
    • Where that process has taken inputs
  – Implement control policies in the network

Page 11

Pedigree Design

• Trusted tagging component resides on host.

• Traffic carries taints that reflect provenance of network traffic.

• Switch one hop from hosts makes access control decisions.

Page 12

Current Function

Diagram label: Internet.

1. Host sends request over control channel to open a flow with the taint set.

2. Traffic diverted to controller, which checks policy.

3. Controller inserts flow-table entry, if policy compliant.
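A constructed Python model of the three-step exchange above together with the taint propagation described on the Pedigree slides (added here; not Pedigree's code): the host-side tagging component accumulates a process's taints from everything it reads, the controller evaluates a policy over the taint set and destination, and the decision is installed at the first-hop switch. The taint labels, addresses and policy rules are made up for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Process:
    """Tagging component's record of one process: its taints are the union of its inputs'."""
    name: str
    taints: set = field(default_factory=set)
    def read(self, source_taints):
        self.taints |= set(source_taints)
    def flow_request(self, dst):
        """Step 1: control-channel request to open a flow, carrying the taint set."""
        return {"src": self.name, "dst": dst, "taints": frozenset(self.taints)}

# Constructed labels: "confidential" marks internal documents, "untrusted-network"
# marks bytes that arrived from outside the enterprise (10.0.0.0/8 is "inside").
def is_internet(dst):
    return not dst.startswith("10.")

def is_internal(dst):
    return dst.startswith("10.")

# Step 2: controller policy as (destination predicate, taint that must be absent).
POLICY = [
    (is_internet, "confidential"),       # prevent data leaks
    (is_internal, "untrusted-network"),  # limit malware spread between hosts
]

def controller_check(request):
    """Return the flow action: 'forward' only if no policy rule is violated."""
    for pred, taint in POLICY:
        if pred(request["dst"]) and taint in request["taints"]:
            return "drop"
    return "forward"

def first_hop_switch(table, request):
    """Step 3: install the decision as a flow-table entry on the switch one hop from the host."""
    action = controller_check(request)
    table[(request["src"], request["dst"])] = action
    return action

def demo():
    table = {}
    editor = Process("editor"); editor.read({"confidential"})          # opened an internal doc
    browser = Process("browser"); browser.read({"untrusted-network"})  # fetched from the Internet
    out = [first_hop_switch(table, editor.flow_request("10.0.0.7")),
           first_hop_switch(table, editor.flow_request("203.0.113.9")),
           first_hop_switch(table, browser.flow_request("203.0.113.9")),
           first_hop_switch(table, browser.flow_request("10.0.0.7"))]
    editor.read(browser.taints)  # editor consumes downloaded content: provenance propagates
    out.append(first_hop_switch(table, editor.flow_request("10.0.0.7")))
    return out
```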

