SlideShare a Scribd company logo

Mr201304 open flow_security_eng

FFRI, Inc.
FFRI, Inc.
TechnologyBusiness
1 of 23
Download to read offline
Fourteenforty Research Institute, Inc. Fourteenforty Research Institute, Inc. Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp OpenFlow Security ver2.00.02 Junichi Murakami Executive Officer, Director of Advanced Development Division
Fourteenforty Research Institute, Inc. 1. Introduction 2. OpenFlow Overview – Software Defined Network(SDN) and OpenFlow – Background and circumstances – Technical basics – Controllers and Switches – Example of network design and traffic 3. Threat of OpenFlow – Threat analysis – Flow entry / Network capability / Switch / Controller – Conclusions – Further research 4. References Agenda 2
Fourteenforty Research Institute, Inc. • This slide describes an overview of OpenFlow technology and its threat analysis under the current specification • This research focuses on the specification of OpenFlow 1.0 • Threats described in this slide does not always mean the feasibility of attacks on the threats is proven Introduction 3
Fourteenforty Research Institute, Inc. • SDN – Usual networks are fixed system, which are defined by each network device’s deployment, connections and configurations – Virtualizations for servers and storages are in progress in a data center in recent years. – A network is not so flexible yet, so it needs to be re-designed and re- configured every time (operation cost is highly increasing) – SDN is general concept to define network as software for making it more flexible in terms of its design, control and management • OpenFlow – A kind of technology specifications to realize the SDN Software Defined Network(SDN) and OpenFlow 4
Fourteenforty Research Institute, Inc. • Open Networking Foundation(ONF) draws up the specification – https://www.opennetworking.org/ • Board member of ONF is shown as below(4/15/2013) – Deutsche Telekom, Facebook, Goldman Sachs, Google, Microsoft, NTT Communications, Verizon, Yahoo! • Currently most implementations are based on version 1.0 Background and circumstances 5 Date Occurrence 12/31/2009 Version 1.0 published(mainly worked by Stanford University) 2/28/2011 Version 1.1 published 3/21/2011 Open Networking Foundation Founded 12/5/2011 Version 1.2 published 5/25/2012 Version 1.3 published 9/6/2012 Version 1.3.1 published
Fourteenforty Research Institute, Inc. • Basic concept – Separate control plane from network devices – Build up network with OpenFlow Controllers and OpenFlow Switches – The specification mainly defines switch spec. and communication interface between OpenFlow Controllers and OpenFlow Switches Technical basis (1/5) 6 Data plane (frame transfer) Control plane (routing, etc.) Application (QoS, redundant, etc.) Data plane Control plane Application usual network device OpenFlow Switch OpenFlow Controller OpenFlow spec. Interface Switch spec.
Fourteenforty Research Institute, Inc. • Flow – A unit of traffic handled by OpenFlow • Flow Entry: management structure of Flow consists of 3 elements below – Header Fields:conditions to determine a target flow – Instructions: a set of actions which describes how the matched flow being processed – Counter:statistics information of the matched flow Technical Basis (2/5) 7 Header Fields Ingress port IP src Ether src IP dst Ether dst IP proto Ether type IP ToS bits VLAN id TCP/UDP src port VLAN priority TCP/UDP dst port Actions (partial) Forward output the flow to specified port DROP discard the flow Modify-Field modify specified fields of the flow
Fourteenforty Research Institute, Inc. • Controller – Write a flow entry to a switch – Respond to a switch’s query (shown as below) • Switch – Keep flow entries on a flow table – Process each flow based on a flow table – Query to controller if appropriate entry does not exist Technical Basis (3/5) 8 Controller Switch - output flow to port3 if IP_DST == 192.168.1.4 - drop all UDP flow - modify IP_SRC to 192.168.1.5 and output the flow to port5 if IP_DST == 10.1.3.51 Flow Entry query Flow Table * Flow Entry (eg.)
Fourteenforty Research Institute, Inc. • Can control switch behavior based on flow entry – repeater, switch, router, load balancer and so on • Doesn’t need to change physical connections and each device configurations • Retrieve counters from each switch’s flow table – Can manipulate routing appropriately according to flow type and load • Each flow entry on a flow table has a timeout – hard timeout – idle timeout Technical Basis (4/5) 9
Fourteenforty Research Institute, Inc. • Secure-Channel:communication interface between switches and controllers – following messages are exchanged over TCP or TLS connections a. Controller to Switch • Features:to request the capability of a switch • Configuration:to set and query configuration parameter in a switch • Modify-State: to add or delete entry in a flow table and modify port configuration • Read-State:to collect statistics from a switch b. Switch to Controller (asynchronous) • Packet-in:to notify an incoming packet which is not matched to any flow entry • Flow-Removed:to notify a flow has expired and is deleted from a table • Port-Status:to notify switch’s port configuration states has changed (eg. link- down) c. bidirectional (asynchronous) • HELLO: messages exchanged when establishing a connection • ECHO(Request/Reply):ping/pong over the secure-channel Technical Basis (5/5) 10
Fourteenforty Research Institute, Inc. Controllers and Switches 11 Software Hardware Switch • Open vSwitch(OSS) • Indigo(OSS) • LINC(OSS) • UNIVERGE PF1000(NEC) • UNIVERGE PF5220/PF5240/ PF5248/PF5820(NEC) • RackSwitch G8264/G8264T(IBM) • Pronto 3290/3780(Pica8) • AS4600-54T/L3(Riava) • HP2920-24G(HP) Controller • NOX(OSS) • POX(OSS) • Trema(OSS) • Floodlight(OSS) • Virtual Network Controller Version 2.0 (NTT data) • Ryu(OSS) • UNIVERGE PF6800(NEC) • Both software and hardware implantations are available • Hardware based switch is a bit expensive yet
Fourteenforty Research Institute, Inc. • Install Open vSwitch and Trema on Linux box • Create a bridge device as br0 and activate it • Run Trema on localhost:6633/tcp, and specify the controller’s address in the switch parameter • Run the controller code below on Trema which makes the switch act like an repeater Example of network design and traffic(1/4) 12 eth2eth1 host-1 host-2 trema 0.0.0.00.0.0.0 192.168.1.2/24192.168.1.1/24 127.0.0.1:6633/tcp src: http://www.trema.info/2012/09/repeater-hub/ class RepeaterHub < Controller def packet_in datapath_id, message send_flow_mod_add( datapath_id, :match => ExactMatch.from( message ), :actions => ActionOutput.new( OFPP_FLOOD ) ) send_packet_out( datapath_id, :packet_in => message, :actions => ActionOutput.new( OFPP_FLOOD ) ) end end Open vSwitch br0 secure-channel
Fourteenforty Research Institute, Inc. • Both controller and switch run on same Linux box • TCP based Secure-Channel (not TLS) • Red background on screen is the switch’s traffic Example of network design and traffic(2/4) 13 struct ofp_header { uint8_t version; uint8_t type; uint16_t length; uint32_t xid; }; enum ofp_type { OFTP_HELLO, // 0x0 OFTP_ERROR, // 0x1 OFTP_ECHO_REQUEST, // 0x2 OFTP_ECHO_REPLY, // 0x3 OFTP_VENDOR, // 0x4 OFTP_FEATURES_REQUEST // 0x5 OFTP_FEATURES_REPLY, // 0x6 ... OFTP_SET_CONFIG, // 0x9 OFTP_PACKET_IN, // 0xa ... OFTP_FLOW_MOD, // 0xe ■Exchanging HELLO messages between the switch and the controller
Fourteenforty Research Institute, Inc. Example of network design and traffic (3/4) 14 OFTP_FEATURES_REQUESTOFTP_FEATURES_REPLY replying port configurations ■Features request and reply
Fourteenforty Research Institute, Inc. Example of network design and traffic (4/4) 15 OFTP_PACKET_IN OFTP_FLOW_MOD ■Initial configuration and writing flow entry from controller / PACKET_IN message from switch 12 bytes OFTP_SET_CONFIG
Fourteenforty Research Institute, Inc. Threat analysis 16 [premises] • Assets: a)Flow entry in switch, b)Network capability offered by OpenFlow • Information system: c)Switch, d)Controller • Analyze assets’ threat against CIA and the others are against CIAAAR – CIAAAR: ISO/IEC TR 13335(GMITS) Assets Information system Flow entry Network capability Switch Controller Confidentiality Integrity Availability Authenticity Accountability Reliability region for analysis
Fourteenforty Research Institute, Inc. Flow entry 17 Assumed threat Countermeasure and comment C Information leaking on the network Using TLS for Secure-Channel Information leaking from switches Hardening switches Information leaking from controllers Hardening controllers I Tampering on the network Using TLS for Secure-Channel Tampering in switches Hardening switches Tampering from controllers Hardening controllers A Flooding a table using spoofed packet Applying flow entry to prohibit address spoofing (References 2.c) Flushing a flow table in switches Hardening switches
Fourteenforty Research Institute, Inc. Network capability 18 Assumed threat Countermeasure and comment C Information leaking by corrupted flow entry Hardening switches and controllers I Traffic tampering by corrupted flow entry Hardening switches and controllers Integrity loss by secure channel disconnection making secure-channel redundant A Denial of service by corrupted flow entry Hardening switches and controllers Denial of service by switches and controllers failure Hardening switches and controllers Network failure by secure channel disconnection making secure-channel redundant
Fourteenforty Research Institute, Inc. Switch 19 Assumed threat Countermeasure and comment Co Hacking a system (eg. exploiting, password cracking) Hardening switches In Hacking a system (eg. exploiting, password cracking) Hardening switches Av Hacking a system (eg. exploiting, password cracking) Hardening switches DoS attack from controllers Hardening controllers (premise: controllers compromise) Dos attack from others Applying the flow entry considered such attack Hardware/Software failure Making a system redundant Au Hacking a system (eg. password cracking, identity theft) Hardening switches Redirection to fake controllers (eg. ARP Poisoning) Authenticating controllers using TLS based on certifications Ac Tampering logs by hacking Hardening switches Re Hacking a system (eg. exploiting, password cracking) Hardening switches
Fourteenforty Research Institute, Inc. Controller 20 Assumed threat Countermeasure and comment Co Hacking a system (eg. exploiting, password cracking) Hardening controllers In Hacking a system (eg. exploiting, password cracking) Hardening controllers Av Hacking a system (eg. exploiting, password cracking) Hardening controllers DoS attack from switches Hardening switches (premise: switches compromise) DoS attack from others Applying the flow entry considered such attack Hardware/Software failure Making a system redundant Au Hacking a system (eg. password cracking, identity theft) Hardening controllers Redirection to fake switches (eg. ARP Poisoning) Authenticating switches using TLS based on certifications Ac Tampering logs by system hacking Hardening controllers Re Hacking a system (eg. exploiting, password cracking) Hardening controllers
Fourteenforty Research Institute, Inc. Threat sources Conclusions 21 • Hardening switches and controllers and TLS for Secure-Channel are required (depends on where both devices be deployed) • Both switches and controllers have software component in the system – usual countermeasures are important technically and operationally • Especially, should be careful about controllers as it might be an SPOF Controller breach Switch breach Hijacking the Secure-Channel Flow entry corruption Taking over the network
Fourteenforty Research Institute, Inc. • Any way to make a DoS situation to a controller by sending special crafted packet like smurf(#1) attack and DNS Amp(#2) attack? – Packet-in flood – Flow-Removed flood – Port-Status flood • remote flow entry detection by various probing packets • Auditing each individual device’s design and implementation • Security problem from actual environment and operations – Logic error in flow entry Further research 22 #1 http://www.ipa.go.jp/security/ciadr/crword.html#S #2 http://www.ipa.go.jp/security/vuln/documents/2008/200812_DNS.html
Fourteenforty Research Institute, Inc. 1. Books (Japanese) a. クラウド時代のネットワーク技術 OpenFlow実践入門 (ISBN-10: 4774154652) 2. Online resources a. Openflow Networking Foundation https://www.opennetworking.org/ b. OpenFlow Switch Specifications version 1.0.0 http://www.openflow.org/documents/openflow-spec-v1.0.0.pdf c. SDNのセキュリティ / Inter-Domain Routing Security 23 (Japanese) http://irs.ietf.to/wiki.cgi?page=IRS23 References 23

Recommended

Cisco Openflow
Cisco OpenflowCisco Openflow
Cisco OpenflowVijayaguru Jayaram
 
Tcp ip management &amp; security
Tcp ip management &amp; securityTcp ip management &amp; security
Tcp ip management &amp; securityAsif Qureshi
 
How does the ue know when an eNB is talking to it
How does the ue know when an eNB is talking to itHow does the ue know when an eNB is talking to it
How does the ue know when an eNB is talking to italiirfan04
 
An3906 serial to eth freescale
An3906 serial to eth freescaleAn3906 serial to eth freescale
An3906 serial to eth freescaleFernando
 
Dealing with Exceptions Computer Architecture part 1
Dealing with Exceptions Computer Architecture part 1Dealing with Exceptions Computer Architecture part 1
Dealing with Exceptions Computer Architecture part 1Gaditek
 
Rfc1058
Rfc1058Rfc1058
Rfc1058kiennguyen1991
 
Introduction to OpenFlow
Introduction to OpenFlowIntroduction to OpenFlow
Introduction to OpenFlowrjain51
 
etherlink plus developers guide
etherlink plus developers guideetherlink plus developers guide
etherlink plus developers guidepanamjayait
 

Recommended

Cisco Openflow
Cisco OpenflowCisco Openflow
Cisco OpenflowVijayaguru Jayaram
 
Tcp ip management &amp; security
Tcp ip management &amp; securityTcp ip management &amp; security
Tcp ip management &amp; securityAsif Qureshi
 
How does the ue know when an eNB is talking to it
How does the ue know when an eNB is talking to itHow does the ue know when an eNB is talking to it
How does the ue know when an eNB is talking to italiirfan04
 
An3906 serial to eth freescale
An3906 serial to eth freescaleAn3906 serial to eth freescale
An3906 serial to eth freescaleFernando
 
Dealing with Exceptions Computer Architecture part 1
Dealing with Exceptions Computer Architecture part 1Dealing with Exceptions Computer Architecture part 1
Dealing with Exceptions Computer Architecture part 1Gaditek
 
Rfc1058
Rfc1058Rfc1058
Rfc1058kiennguyen1991
 
Introduction to OpenFlow
Introduction to OpenFlowIntroduction to OpenFlow
Introduction to OpenFlowrjain51
 
etherlink plus developers guide
etherlink plus developers guideetherlink plus developers guide
etherlink plus developers guidepanamjayait
 
Rfc1723
Rfc1723Rfc1723
Rfc1723kiennguyen1991
 
Sevana VQM Administration Manual
Sevana VQM Administration ManualSevana VQM Administration Manual
Sevana VQM Administration ManualSevana Oü
 
Central processing unit i
Central processing unit iCentral processing unit i
Central processing unit iJyotiprakashMishra18
 
H344250
H344250H344250
H344250IJERA Editor
 
Vulnerabilities analysis of fault and Trojan attacks in FSM
Vulnerabilities analysis of fault and Trojan attacks in FSMVulnerabilities analysis of fault and Trojan attacks in FSM
Vulnerabilities analysis of fault and Trojan attacks in FSMKurra Gopi
 
FPGA IMPLEMENTATION OF DEBLOCKING FILTER CUSTOM INSTRUCTION HARDWARE ON NIOS-...
FPGA IMPLEMENTATION OF DEBLOCKING FILTER CUSTOM INSTRUCTION HARDWARE ON NIOS-...FPGA IMPLEMENTATION OF DEBLOCKING FILTER CUSTOM INSTRUCTION HARDWARE ON NIOS-...
FPGA IMPLEMENTATION OF DEBLOCKING FILTER CUSTOM INSTRUCTION HARDWARE ON NIOS-...VLSICS Design
 
Device drivers and interrupt service mechanism
Device drivers and interrupt service mechanismDevice drivers and interrupt service mechanism
Device drivers and interrupt service mechanismVijay Kumar
 
Dealing with exceptions Computer Architecture part 2
Dealing with exceptions Computer Architecture part 2Dealing with exceptions Computer Architecture part 2
Dealing with exceptions Computer Architecture part 2Gaditek
 
Lte power management
Lte power managementLte power management
Lte power managementVu Nguyen
 
Profibus programming-guide
Profibus programming-guideProfibus programming-guide
Profibus programming-guideWilliam Fernandes
 
Pci
PciPci
PciIama Marsian
 
CCNA CHAPTER 6 BY jetarvind kumar madhukar
CCNA CHAPTER 6 BY jetarvind kumar madhukarCCNA CHAPTER 6 BY jetarvind kumar madhukar
CCNA CHAPTER 6 BY jetarvind kumar madhukarALLCAD Services Pvt Limited
 
VLAN
VLANVLAN
VLANISMT College
 
ASTROSAT SSR - 2015-05-15
ASTROSAT SSR - 2015-05-15ASTROSAT SSR - 2015-05-15
ASTROSAT SSR - 2015-05-15Aritra Sarkar
 
Presentation_Final
Presentation_FinalPresentation_Final
Presentation_FinalPriyanka Goswami
 
8251
82518251
8251Aisu
 
RFC 1058 - Routing Information Protocol
RFC 1058 - Routing Information ProtocolRFC 1058 - Routing Information Protocol
RFC 1058 - Routing Information ProtocolHoàng Hải Nguyễn
 
Ccna2 ass
Ccna2 assCcna2 ass
Ccna2 assFarhana Sharmin Tithi
 
Pipelining of Processors
Pipelining of ProcessorsPipelining of Processors
Pipelining of ProcessorsGaditek
 
Pheripheral interface
Pheripheral interfacePheripheral interface
Pheripheral interfaceJCT COLLEGE OF ENGINEERING AND TECHNOLOGY
 
Enhancing Security in OpenFlow
Enhancing Security in OpenFlowEnhancing Security in OpenFlow
Enhancing Security in OpenFlowNiketa Chellani
 
OpenFlow Security Threat Detection and Defense Services
OpenFlow Security Threat Detection and Defense ServicesOpenFlow Security Threat Detection and Defense Services
OpenFlow Security Threat Detection and Defense ServicesEswar Publications
 

More Related Content

What's hot

Sevana VQM Administration Manual
Sevana VQM Administration ManualSevana VQM Administration Manual
Sevana VQM Administration ManualSevana Oü
 
Vulnerabilities analysis of fault and Trojan attacks in FSM
Vulnerabilities analysis of fault and Trojan attacks in FSMVulnerabilities analysis of fault and Trojan attacks in FSM
Vulnerabilities analysis of fault and Trojan attacks in FSMKurra Gopi
 
FPGA IMPLEMENTATION OF DEBLOCKING FILTER CUSTOM INSTRUCTION HARDWARE ON NIOS-...
FPGA IMPLEMENTATION OF DEBLOCKING FILTER CUSTOM INSTRUCTION HARDWARE ON NIOS-...FPGA IMPLEMENTATION OF DEBLOCKING FILTER CUSTOM INSTRUCTION HARDWARE ON NIOS-...
FPGA IMPLEMENTATION OF DEBLOCKING FILTER CUSTOM INSTRUCTION HARDWARE ON NIOS-...VLSICS Design
 
Device drivers and interrupt service mechanism
Device drivers and interrupt service mechanismDevice drivers and interrupt service mechanism
Device drivers and interrupt service mechanismVijay Kumar
 
Dealing with exceptions Computer Architecture part 2
Dealing with exceptions Computer Architecture part 2Dealing with exceptions Computer Architecture part 2
Dealing with exceptions Computer Architecture part 2Gaditek
 
Lte power management
Lte power managementLte power management
Lte power managementVu Nguyen
 
ASTROSAT SSR - 2015-05-15
ASTROSAT SSR - 2015-05-15ASTROSAT SSR - 2015-05-15
ASTROSAT SSR - 2015-05-15Aritra Sarkar
 
8251
82518251
8251Aisu
 
RFC 1058 - Routing Information Protocol
RFC 1058 - Routing Information ProtocolRFC 1058 - Routing Information Protocol
RFC 1058 - Routing Information ProtocolHoàng Hải Nguyễn
 
Pipelining of Processors
Pipelining of ProcessorsPipelining of Processors
Pipelining of ProcessorsGaditek
 

What's hot (20)

Rfc1723
Rfc1723Rfc1723
Rfc1723
 
Sevana VQM Administration Manual
Sevana VQM Administration ManualSevana VQM Administration Manual
Sevana VQM Administration Manual
 
Central processing unit i
Central processing unit iCentral processing unit i
Central processing unit i
 
H344250
H344250H344250
H344250
 
Vulnerabilities analysis of fault and Trojan attacks in FSM
Vulnerabilities analysis of fault and Trojan attacks in FSMVulnerabilities analysis of fault and Trojan attacks in FSM
Vulnerabilities analysis of fault and Trojan attacks in FSM
 
FPGA IMPLEMENTATION OF DEBLOCKING FILTER CUSTOM INSTRUCTION HARDWARE ON NIOS-...
FPGA IMPLEMENTATION OF DEBLOCKING FILTER CUSTOM INSTRUCTION HARDWARE ON NIOS-...FPGA IMPLEMENTATION OF DEBLOCKING FILTER CUSTOM INSTRUCTION HARDWARE ON NIOS-...
FPGA IMPLEMENTATION OF DEBLOCKING FILTER CUSTOM INSTRUCTION HARDWARE ON NIOS-...
 
Device drivers and interrupt service mechanism
Device drivers and interrupt service mechanismDevice drivers and interrupt service mechanism
Device drivers and interrupt service mechanism
 
Dealing with exceptions Computer Architecture part 2
Dealing with exceptions Computer Architecture part 2Dealing with exceptions Computer Architecture part 2
Dealing with exceptions Computer Architecture part 2
 
Lte power management
Lte power managementLte power management
Lte power management
 
Profibus programming-guide
Profibus programming-guideProfibus programming-guide
Profibus programming-guide
 
Pci
PciPci
Pci
 
CCNA CHAPTER 6 BY jetarvind kumar madhukar
CCNA CHAPTER 6 BY jetarvind kumar madhukarCCNA CHAPTER 6 BY jetarvind kumar madhukar
CCNA CHAPTER 6 BY jetarvind kumar madhukar
 
VLAN
VLANVLAN
VLAN
 
ASTROSAT SSR - 2015-05-15
ASTROSAT SSR - 2015-05-15ASTROSAT SSR - 2015-05-15
ASTROSAT SSR - 2015-05-15
 
Presentation_Final
Presentation_FinalPresentation_Final
Presentation_Final
 
8251
82518251
8251
 
RFC 1058 - Routing Information Protocol
RFC 1058 - Routing Information ProtocolRFC 1058 - Routing Information Protocol
RFC 1058 - Routing Information Protocol
 
Ccna2 ass
Ccna2 assCcna2 ass
Ccna2 ass
 
Pipelining of Processors
Pipelining of ProcessorsPipelining of Processors
Pipelining of Processors
 
Pheripheral interface
Pheripheral interfacePheripheral interface
Pheripheral interface
 

Viewers also liked

Enhancing Security in OpenFlow
Enhancing Security in OpenFlowEnhancing Security in OpenFlow
Enhancing Security in OpenFlowNiketa Chellani
 
OpenFlow Security Threat Detection and Defense Services
OpenFlow Security Threat Detection and Defense ServicesOpenFlow Security Threat Detection and Defense Services
OpenFlow Security Threat Detection and Defense ServicesEswar Publications
 
Mr201307 investigation into_emet4.0_jpn
Mr201307 investigation into_emet4.0_jpnMr201307 investigation into_emet4.0_jpn
Mr201307 investigation into_emet4.0_jpnFFRI, Inc.
 
Architecture of OpenFlow SDNs
Architecture of OpenFlow SDNsArchitecture of OpenFlow SDNs
Architecture of OpenFlow SDNsUS-Ignite
 
Software Define Network
Software Define NetworkSoftware Define Network
Software Define NetworkSubith Babu
 
OpenFlow tutorial
OpenFlow tutorialOpenFlow tutorial
OpenFlow tutorialopenflow
 
OpenFlow 1.5.1
OpenFlow 1.5.1OpenFlow 1.5.1
OpenFlow 1.5.1jungbh
 

Viewers also liked (8)

Enhancing Security in OpenFlow
Enhancing Security in OpenFlowEnhancing Security in OpenFlow
Enhancing Security in OpenFlow
 
OpenFlow Security Threat Detection and Defense Services
OpenFlow Security Threat Detection and Defense ServicesOpenFlow Security Threat Detection and Defense Services
OpenFlow Security Threat Detection and Defense Services
 
Mr201307 investigation into_emet4.0_jpn
Mr201307 investigation into_emet4.0_jpnMr201307 investigation into_emet4.0_jpn
Mr201307 investigation into_emet4.0_jpn
 
Openflow Protocol
Openflow ProtocolOpenflow Protocol
Openflow Protocol
 
Architecture of OpenFlow SDNs
Architecture of OpenFlow SDNsArchitecture of OpenFlow SDNs
Architecture of OpenFlow SDNs
 
Software Define Network
Software Define NetworkSoftware Define Network
Software Define Network
 
OpenFlow tutorial
OpenFlow tutorialOpenFlow tutorial
OpenFlow tutorial
 
OpenFlow 1.5.1
OpenFlow 1.5.1OpenFlow 1.5.1
OpenFlow 1.5.1
 

Similar to Mr201304 open flow_security_eng

btNOG 5: Network Automation
btNOG 5: Network AutomationbtNOG 5: Network Automation
btNOG 5: Network AutomationAPNIC
 
Introduction to OpenFlow
Introduction to OpenFlowIntroduction to OpenFlow
Introduction to OpenFlowJoel W. King
 
Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1Joel W. King
 
Analytical Modeling of End-to-End Delay in OpenFlow Based Networks
Analytical Modeling of End-to-End Delay in OpenFlow Based NetworksAnalytical Modeling of End-to-End Delay in OpenFlow Based Networks
Analytical Modeling of End-to-End Delay in OpenFlow Based NetworksAzeem Iqbal
 
SDN Fundamentals - short presentation
SDN Fundamentals - short presentationSDN Fundamentals - short presentation
SDN Fundamentals - short presentationAzhar Khuwaja
 
Introduction to Software Defined Networking (SDN) presentation by Warren Finc...
Introduction to Software Defined Networking (SDN) presentation by Warren Finc...Introduction to Software Defined Networking (SDN) presentation by Warren Finc...
Introduction to Software Defined Networking (SDN) presentation by Warren Finc...APNIC
 
EC8551 COMMUNICATION NETWORKS
EC8551 COMMUNICATION NETWORKSEC8551 COMMUNICATION NETWORKS
EC8551 COMMUNICATION NETWORKSGOWTHAMMS6
 
sdnppt-140325015756-phpapp01.pptx
sdnppt-140325015756-phpapp01.pptxsdnppt-140325015756-phpapp01.pptx
sdnppt-140325015756-phpapp01.pptxAamirMaqsood8
 
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...Brandon DeVault
 
SDN - OpenFlow protocol
SDN - OpenFlow protocolSDN - OpenFlow protocol
SDN - OpenFlow protocolUlf Marxen
 
btNOG 9 presentation Introduction to Software Defined Networking
btNOG 9 presentation Introduction to Software Defined NetworkingbtNOG 9 presentation Introduction to Software Defined Networking
btNOG 9 presentation Introduction to Software Defined NetworkingAPNIC
 

Similar to Mr201304 open flow_security_eng (20)

btNOG 5: Network Automation
btNOG 5: Network AutomationbtNOG 5: Network Automation
btNOG 5: Network Automation
 
Introduction to OpenFlow
Introduction to OpenFlowIntroduction to OpenFlow
Introduction to OpenFlow
 
Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1
 
PROFIBUS frame analysis - Peter Thomas of Control Specialists
PROFIBUS frame analysis - Peter Thomas of Control SpecialistsPROFIBUS frame analysis - Peter Thomas of Control Specialists
PROFIBUS frame analysis - Peter Thomas of Control Specialists
 
Analytical Modeling of End-to-End Delay in OpenFlow Based Networks
Analytical Modeling of End-to-End Delay in OpenFlow Based NetworksAnalytical Modeling of End-to-End Delay in OpenFlow Based Networks
Analytical Modeling of End-to-End Delay in OpenFlow Based Networks
 
SDN Fundamentals - short presentation
SDN Fundamentals - short presentationSDN Fundamentals - short presentation
SDN Fundamentals - short presentation
 
Ports and protocols
Ports and protocolsPorts and protocols
Ports and protocols
 
Introduction to Software Defined Networking (SDN) presentation by Warren Finc...
Introduction to Software Defined Networking (SDN) presentation by Warren Finc...Introduction to Software Defined Networking (SDN) presentation by Warren Finc...
Introduction to Software Defined Networking (SDN) presentation by Warren Finc...
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
 
W4 profinet frame analysis, peter thomas
W4 profinet frame analysis, peter thomasW4 profinet frame analysis, peter thomas
W4 profinet frame analysis, peter thomas
 
SDN approach.pptx
SDN approach.pptxSDN approach.pptx
SDN approach.pptx
 
Lecture14 1
Lecture14 1Lecture14 1
Lecture14 1
 
EC8551 COMMUNICATION NETWORKS
EC8551 COMMUNICATION NETWORKSEC8551 COMMUNICATION NETWORKS
EC8551 COMMUNICATION NETWORKS
 
Sdn ppt
Sdn pptSdn ppt
Sdn ppt
 
sdnppt-140325015756-phpapp01.pptx
sdnppt-140325015756-phpapp01.pptxsdnppt-140325015756-phpapp01.pptx
sdnppt-140325015756-phpapp01.pptx
 
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
 
SDN - OpenFlow protocol
SDN - OpenFlow protocolSDN - OpenFlow protocol
SDN - OpenFlow protocol
 
SDN Introduction
SDN IntroductionSDN Introduction
SDN Introduction
 
OpenFlow Tutorial
OpenFlow TutorialOpenFlow Tutorial
OpenFlow Tutorial
 
btNOG 9 presentation Introduction to Software Defined Networking
btNOG 9 presentation Introduction to Software Defined NetworkingbtNOG 9 presentation Introduction to Software Defined Networking
btNOG 9 presentation Introduction to Software Defined Networking
 

More from FFRI, Inc.

Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) FFRI, Inc.
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...FFRI, Inc.
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) FFRI, Inc.
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) FFRI, Inc.
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)FFRI, Inc.
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...FFRI, Inc.
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)FFRI, Inc.
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)FFRI, Inc.
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) FFRI, Inc.
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)FFRI, Inc.
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)FFRI, Inc.
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...FFRI, Inc.
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)FFRI, Inc.
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...FFRI, Inc.
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)FFRI, Inc.
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)FFRI, Inc.
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)FFRI, Inc.
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...FFRI, Inc.
 

More from FFRI, Inc. (20)

Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
 

Recently uploaded

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 

Recently uploaded (20)

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 

Mr201304 open flow_security_eng

  • 1. Fourteenforty Research Institute, Inc. Fourteenforty Research Institute, Inc. Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp OpenFlow Security ver2.00.02 Junichi Murakami Executive Officer, Director of Advanced Development Division
  • 2. Fourteenforty Research Institute, Inc. 1. Introduction 2. OpenFlow Overview – Software Defined Network(SDN) and OpenFlow – Background and circumstances – Technical basics – Controllers and Switches – Example of network design and traffic 3. Threat of OpenFlow – Threat analysis – Flow entry / Network capability / Switch / Controller – Conclusions – Further research 4. References Agenda 2
  • 3. Fourteenforty Research Institute, Inc. • This slide describes an overview of OpenFlow technology and its threat analysis under the current specification • This research focuses on the specification of OpenFlow 1.0 • Threats described in this slide does not always mean the feasibility of attacks on the threats is proven Introduction 3
  • 4. Fourteenforty Research Institute, Inc. • SDN – Usual networks are fixed system, which are defined by each network device’s deployment, connections and configurations – Virtualizations for servers and storages are in progress in a data center in recent years. – A network is not so flexible yet, so it needs to be re-designed and re- configured every time (operation cost is highly increasing) – SDN is general concept to define network as software for making it more flexible in terms of its design, control and management • OpenFlow – A kind of technology specifications to realize the SDN Software Defined Network(SDN) and OpenFlow 4
  • 5. Fourteenforty Research Institute, Inc. • Open Networking Foundation(ONF) draws up the specification – https://www.opennetworking.org/ • Board member of ONF is shown as below(4/15/2013) – Deutsche Telekom, Facebook, Goldman Sachs, Google, Microsoft, NTT Communications, Verizon, Yahoo! • Currently most implementations are based on version 1.0 Background and circumstances 5 Date Occurrence 12/31/2009 Version 1.0 published(mainly worked by Stanford University) 2/28/2011 Version 1.1 published 3/21/2011 Open Networking Foundation Founded 12/5/2011 Version 1.2 published 5/25/2012 Version 1.3 published 9/6/2012 Version 1.3.1 published
  • 6. Fourteenforty Research Institute, Inc. • Basic concept – Separate control plane from network devices – Build up network with OpenFlow Controllers and OpenFlow Switches – The specification mainly defines switch spec. and communication interface between OpenFlow Controllers and OpenFlow Switches Technical basis (1/5) 6 Data plane (frame transfer) Control plane (routing, etc.) Application (QoS, redundant, etc.) Data plane Control plane Application usual network device OpenFlow Switch OpenFlow Controller OpenFlow spec. Interface Switch spec.
  • 7. Fourteenforty Research Institute, Inc. • Flow – A unit of traffic handled by OpenFlow • Flow Entry: management structure of Flow consists of 3 elements below – Header Fields:conditions to determine a target flow – Instructions: a set of actions which describes how the matched flow being processed – Counter:statistics information of the matched flow Technical Basis (2/5) 7 Header Fields Ingress port IP src Ether src IP dst Ether dst IP proto Ether type IP ToS bits VLAN id TCP/UDP src port VLAN priority TCP/UDP dst port Actions (partial) Forward output the flow to specified port DROP discard the flow Modify-Field modify specified fields of the flow
  • 8. Fourteenforty Research Institute, Inc. • Controller – Write a flow entry to a switch – Respond to a switch’s query (shown as below) • Switch – Keep flow entries on a flow table – Process each flow based on a flow table – Query to controller if appropriate entry does not exist Technical Basis (3/5) 8 Controller Switch - output flow to port3 if IP_DST == 192.168.1.4 - drop all UDP flow - modify IP_SRC to 192.168.1.5 and output the flow to port5 if IP_DST == 10.1.3.51 Flow Entry query Flow Table * Flow Entry (eg.)
  • 9. Fourteenforty Research Institute, Inc. • Can control switch behavior based on flow entry – repeater, switch, router, load balancer and so on • Doesn’t need to change physical connections and each device configurations • Retrieve counters from each switch’s flow table – Can manipulate routing appropriately according to flow type and load • Each flow entry on a flow table has a timeout – hard timeout – idle timeout Technical Basis (4/5) 9
  • 10. Fourteenforty Research Institute, Inc. • Secure-Channel:communication interface between switches and controllers – following messages are exchanged over TCP or TLS connections a. Controller to Switch • Features:to request the capability of a switch • Configuration:to set and query configuration parameter in a switch • Modify-State: to add or delete entry in a flow table and modify port configuration • Read-State:to collect statistics from a switch b. Switch to Controller (asynchronous) • Packet-in:to notify an incoming packet which is not matched to any flow entry • Flow-Removed:to notify a flow has expired and is deleted from a table • Port-Status:to notify switch’s port configuration states has changed (eg. link- down) c. bidirectional (asynchronous) • HELLO: messages exchanged when establishing a connection • ECHO(Request/Reply):ping/pong over the secure-channel Technical Basis (5/5) 10
  • 11. Fourteenforty Research Institute, Inc. Controllers and Switches 11 Software Hardware Switch • Open vSwitch(OSS) • Indigo(OSS) • LINC(OSS) • UNIVERGE PF1000(NEC) • UNIVERGE PF5220/PF5240/ PF5248/PF5820(NEC) • RackSwitch G8264/G8264T(IBM) • Pronto 3290/3780(Pica8) • AS4600-54T/L3(Riava) • HP2920-24G(HP) Controller • NOX(OSS) • POX(OSS) • Trema(OSS) • Floodlight(OSS) • Virtual Network Controller Version 2.0 (NTT data) • Ryu(OSS) • UNIVERGE PF6800(NEC) • Both software and hardware implantations are available • Hardware based switch is a bit expensive yet
  • 12. Fourteenforty Research Institute, Inc. • Install Open vSwitch and Trema on Linux box • Create a bridge device as br0 and activate it • Run Trema on localhost:6633/tcp, and specify the controller’s address in the switch parameter • Run the controller code below on Trema which makes the switch act like an repeater Example of network design and traffic(1/4) 12 eth2eth1 host-1 host-2 trema 0.0.0.00.0.0.0 192.168.1.2/24192.168.1.1/24 127.0.0.1:6633/tcp src: http://www.trema.info/2012/09/repeater-hub/ class RepeaterHub < Controller def packet_in datapath_id, message send_flow_mod_add( datapath_id, :match => ExactMatch.from( message ), :actions => ActionOutput.new( OFPP_FLOOD ) ) send_packet_out( datapath_id, :packet_in => message, :actions => ActionOutput.new( OFPP_FLOOD ) ) end end Open vSwitch br0 secure-channel
  • 13. Fourteenforty Research Institute, Inc. • Both controller and switch run on same Linux box • TCP based Secure-Channel (not TLS) • Red background on screen is the switch’s traffic Example of network design and traffic(2/4) 13 struct ofp_header { uint8_t version; uint8_t type; uint16_t length; uint32_t xid; }; enum ofp_type { OFTP_HELLO, // 0x0 OFTP_ERROR, // 0x1 OFTP_ECHO_REQUEST, // 0x2 OFTP_ECHO_REPLY, // 0x3 OFTP_VENDOR, // 0x4 OFTP_FEATURES_REQUEST // 0x5 OFTP_FEATURES_REPLY, // 0x6 ... OFTP_SET_CONFIG, // 0x9 OFTP_PACKET_IN, // 0xa ... OFTP_FLOW_MOD, // 0xe ■Exchanging HELLO messages between the switch and the controller
  • 14. Fourteenforty Research Institute, Inc. Example of network design and traffic (3/4) 14 OFTP_FEATURES_REQUESTOFTP_FEATURES_REPLY replying port configurations ■Features request and reply
  • 15. Fourteenforty Research Institute, Inc. Example of network design and traffic (4/4) 15 OFTP_PACKET_IN OFTP_FLOW_MOD ■Initial configuration and writing flow entry from controller / PACKET_IN message from switch 12 bytes OFTP_SET_CONFIG
  • 16. Fourteenforty Research Institute, Inc. Threat analysis 16 [premises] • Assets: a)Flow entry in switch, b)Network capability offered by OpenFlow • Information system: c)Switch, d)Controller • Analyze assets’ threat against CIA and the others are against CIAAAR – CIAAAR: ISO/IEC TR 13335(GMITS) Assets Information system Flow entry Network capability Switch Controller Confidentiality Integrity Availability Authenticity Accountability Reliability region for analysis
  • 17. Fourteenforty Research Institute, Inc. Flow entry 17 Assumed threat Countermeasure and comment C Information leaking on the network Using TLS for Secure-Channel Information leaking from switches Hardening switches Information leaking from controllers Hardening controllers I Tampering on the network Using TLS for Secure-Channel Tampering in switches Hardening switches Tampering from controllers Hardening controllers A Flooding a table using spoofed packet Applying flow entry to prohibit address spoofing (References 2.c) Flushing a flow table in switches Hardening switches
  • 18. Fourteenforty Research Institute, Inc. Network capability 18 Assumed threat Countermeasure and comment C Information leaking by corrupted flow entry Hardening switches and controllers I Traffic tampering by corrupted flow entry Hardening switches and controllers Integrity loss by secure channel disconnection making secure-channel redundant A Denial of service by corrupted flow entry Hardening switches and controllers Denial of service by switches and controllers failure Hardening switches and controllers Network failure by secure channel disconnection making secure-channel redundant
  • 19. Fourteenforty Research Institute, Inc. Switch 19 Assumed threat Countermeasure and comment Co Hacking a system (eg. exploiting, password cracking) Hardening switches In Hacking a system (eg. exploiting, password cracking) Hardening switches Av Hacking a system (eg. exploiting, password cracking) Hardening switches DoS attack from controllers Hardening controllers (premise: controllers compromise) Dos attack from others Applying the flow entry considered such attack Hardware/Software failure Making a system redundant Au Hacking a system (eg. password cracking, identity theft) Hardening switches Redirection to fake controllers (eg. ARP Poisoning) Authenticating controllers using TLS based on certifications Ac Tampering logs by hacking Hardening switches Re Hacking a system (eg. exploiting, password cracking) Hardening switches
  • 20. Fourteenforty Research Institute, Inc. Controller 20 Assumed threat Countermeasure and comment Co Hacking a system (eg. exploiting, password cracking) Hardening controllers In Hacking a system (eg. exploiting, password cracking) Hardening controllers Av Hacking a system (eg. exploiting, password cracking) Hardening controllers DoS attack from switches Hardening switches (premise: switches compromise) DoS attack from others Applying the flow entry considered such attack Hardware/Software failure Making a system redundant Au Hacking a system (eg. password cracking, identity theft) Hardening controllers Redirection to fake switches (eg. ARP Poisoning) Authenticating switches using TLS based on certifications Ac Tampering logs by system hacking Hardening controllers Re Hacking a system (eg. exploiting, password cracking) Hardening controllers
  • 21. Fourteenforty Research Institute, Inc. Threat sources Conclusions 21 • Hardening switches and controllers and TLS for Secure-Channel are required (depends on where both devices be deployed) • Both switches and controllers have software component in the system – usual countermeasures are important technically and operationally • Especially, should be careful about controllers as it might be an SPOF Controller breach Switch breach Hijacking the Secure-Channel Flow entry corruption Taking over the network
  • 22. Fourteenforty Research Institute, Inc. • Any way to make a DoS situation to a controller by sending special crafted packet like smurf(#1) attack and DNS Amp(#2) attack? – Packet-in flood – Flow-Removed flood – Port-Status flood • remote flow entry detection by various probing packets • Auditing each individual device’s design and implementation • Security problem from actual environment and operations – Logic error in flow entry Further research 22 #1 http://www.ipa.go.jp/security/ciadr/crword.html#S #2 http://www.ipa.go.jp/security/vuln/documents/2008/200812_DNS.html
  • 23. Fourteenforty Research Institute, Inc. 1. Books (Japanese) a. クラウド時代のネットワーク技術 OpenFlow実践入門 (ISBN-10: 4774154652) 2. Online resources a. Openflow Networking Foundation https://www.opennetworking.org/ b. OpenFlow Switch Specifications version 1.0.0 http://www.openflow.org/documents/openflow-spec-v1.0.0.pdf c. SDNのセキュリティ / Inter-Domain Routing Security 23 (Japanese) http://irs.ietf.to/wiki.cgi?page=IRS23 References 23