H. Jonathan Chao 1
Prof. Chao’s Research Areas
• Cyber Security Processor (CYSEP)
• Next-Generation 10-100 Tb/s Routers
eeweb.poly.edu/~chao
Attack Sophistication vs. Intruder Technical Knowledge
[Figure: CERT/CC graphic plotting attack sophistication against the technical knowledge required of the intruder over time]
Source: Special permission to reproduce the CERT®/CC graphic © 2000 by Carnegie Mellon University, in Electronic Commerce 2002 in Allen et al. (2000).
Cyber Security Processor (CYSEP)
Issues:
• Intrusion/virus attacks happen every day, everywhere, and cause widespread, catastrophic damage
• How to detect/prevent them at high speed on 10 Gbit/s or 40 Gbit/s lines at routers (why not at hosts?)
• How to detect an intrusion spread across multiple packets
• How to prevent distributed denial of service (DDoS) attacks
• How to distinguish good packets from bad ones so as to block the bad ones
Goals:
• Design/implement a CYSEP that can be deployed at various places in the network to perform intrusion detection, DDoS prevention, encryption and authentication at high speed
CYber SEcurity Processor (CYSEP)
[Figure: CYSEP block diagram]
• Processing engines: Encryption/Decryption Engine, Authentication/Authorization Engine, DDoS Engine, Intrusion Detection Engine, Firewall Engine
• PCI Bus Controller (to PCI bus)
• Memory Controller (to memory)
• SPI 4.2 Interface (to/from framer)
• SPI 4.2 Interface (to/from NP or end system)
CYSEP Deployed at Various Places in the Network
[Figure: network diagram with CYSEP placed at enterprise network edge routers, ISP backbone Points of Presence (PoP), core routers, firewall/VPN, and an e-commerce server; legend marks CYSEP, Encryption/Decryption, Authentication/Authorization]
Functions annotated in the figure:
• Enterprise network: Intrusion Detection, Filter SPAM, Encryption/Decryption, Authentication/Authorization, DDoS Defense
• Point of Presence / ISP backbone: Generate alert/logs, Eliminate bad traffic, DDoS Defense
• Core: Detect internal/external intrusion, Encryption/Decryption, Authentication/Authorization
Participants
Professors: H. Jonathan Chao, Ramesh Karri
PhD Students: Sertac Artan, Nikhil Joshi, Huizhong Sun, Bo Yang
MS Students: Paulo Ayres, Wei-Chen Huang, Andrew Kim, Arun Radhakrishnan, Evelyn Yen
Today’s TERA POP Architecture – Why so complex and costly?
[Figure: access/hub routers connected to a cluster of core routers through hub-to-core links, with parallel WAN links and intra-POP interconnection links]
Clustering of multiple core routers in a POP (Point of Presence) – WHY?
• Routers lack the port capacity and switching capacity to meet POP-to-POP demand
• Unreliable routers and lack of network restoration result in back-to-back router configurations
• Lack of a connectivity/bandwidth reservation concept in IP networks (tends to over-engineering)
RESULTS
• About 50% of port capacity is used for intra-POP interconnection – wasting customer investment
REAL PROBLEM MOVING FORWARD
• Can this POP architecture support the data traffic growth yet to be realized?
In a few years, POP will look like this
[Figure: the same POP with more core routers, more parallel WAN links, more intra-POP interconnection links and hub-to-core links]
• More routers thrown into the POP, creating a serious management nightmare
• A larger portion of switch ports is used for interconnection
• Service/network reliability has not been resolved
Need Fundamental Re-thinking
New POP Architecture – Paradigm Shift
[Figure: access/hub routers connected by hub-to-core links and bundled parallel links to a single large core switch]
• One-box solution
• Carrier-grade reliability
• Large port counts
• Every port carries real user traffic
• 10 – 100 terabit packet switching capacity
• Bundled parallel links
[Figure: router system architecture; multiple line-card shelves attached to a central switch fabric, with data path and control path shown separately]
Legend:
• LC: Line cards
• LSC: Line-card Shelf Controller
• RC: Route Controller
• MC: Management Controller
• FSC: Fabric Shelf Controller
• CLK: System Clock
• Switch Fabric; Data Path; Control
Issues of Building a 10-100 Tbit/s Router
• Single-stage vs. multiple-stage switch fabrics
• Electronic vs. optical switch fabrics
• Distributed vs. centralized packet scheduler (4 ns at 40 Gbit/s)
• Memory speed and size: for a 40 Gbit/s line, required memory cycle time < 2.66 ns; buffer size: 500 Mbytes per 40 Gbit/s line
• Quality control (8 ns for packet scheduling and discarding)
• Interconnections and power consumption: chip to chip, 128 SERDES bidirectional I/O @ 20 W; rack to rack, VCSEL up to 300 m with 250 mW
• Fault tolerance and in-service scalability
Text book: Broadband Packet Switching Technologies (EL737) by Chao, Lam, and Oki; John Wiley & Sons, Aug 2001
Awarded Packet Switches Projects
• Fabrication and Demonstration of a WDM, ATM Multicast Switch – DARPA ($3.2M), 7/95 for 6 years
• A Quasi-Static Optoelectronic ATM Switch – NSF ($350K), 9/99 for 4 years
• A Terabit IP Router with Advanced QoS Support – NSF ($450K), 110/99 for 4 years
• High-Performance Stable Switches – NSF ($500K), 10/04 for 3 years
Current Participants
Professors: H. Jonathan Chao, Shiv Panwar
Post-doc: Yihan Li
PhD Students: Shi Jiang, Yanming Shen