
Upload: roderick-henry

Post on 30-Dec-2015


H. Jonathan Chao 1

Prof. Chao’s Research Areas

Cyber Security Processor (CYSEP) Next-Generation 10-100 Tb/s Routers

eeweb.poly.edu/~chao

H. Jonathan Chao 2

Intrusions Over the Decades

H. Jonathan Chao 3

Attack Sophistication vs. Intruder Technical Knowledge

Source: Special permission to reproduce the CERT®/CC graphic © 2000 by Carnegie Mellon University, in Electronic Commerce 2002 in Allen et al. (2000).

H. Jonathan Chao 4

What is Distributed Denial of Service (DDoS)?

H. Jonathan Chao 5

What is Distributed Denial of Service (DDoS)?

H. Jonathan Chao 6

Cyber Security Processor (CYSEP)

Issues:
• Intrusion/virus attacks happen every day, everywhere, and cause widespread, catastrophic damage
• How to detect/prevent them at high speed on 10 Gbit/s or 40 Gbit/s lines at routers (why not at hosts?)
• How to detect intrusion across multiple packets
• How to prevent distributed denial of service (DDoS) attacks
• How to distinguish good from bad packets so as to block the bad ones

Goals:
• Design/implement a CYSEP to be employed at various places in the network to do intrusion detection, DDoS prevention, encryption, and authentication at high speed

H. Jonathan Chao 7

CYber SEcurity Processor (CYSEP)

[Block diagram of the CYSEP chip. Engines: Encryption/Decryption Engine, DDoS Engine, Authentication/Authorization Engine, Intrusion Detection Engine, Firewall Engine. Support blocks: PCI Bus Controller (to PCI bus), Memory Controller (to memory), two SPI 4.2 Interfaces (to/from framer; to/from NP or end system).]

H. Jonathan Chao 8

CYSEP Deployed at Various Places in the Network

[Network diagram: enterprise networks with switches, edge routers, a firewall, a VPN and an e-commerce server; an ISP backbone with points of presence (PoP) and core routers; CYSEP placed at the edge routers, PoPs and firewall. Annotated functions: generate alerts/logs, eliminate bad traffic, DDoS defense, intrusion detection, filter spam, encryption/decryption, authentication/authorization, detect internal/external intrusion. Legend: CYSEP; Encryption/Decryption; Authentication/Authorization.]

H. Jonathan Chao 9

Participants

Professors: H. Jonathan Chao, Ramesh Karri

PhD Students: Sertac Artan, Nikhil Joshi, Huizhong Sun, Bo Yang

MS Students: Paulo Ayres, Wei-Chen Huang, Andrew Kim, Arun Radhakrishnan, Evelyn Yen

H. Jonathan Chao 10

What Does a Router Look Like?

H. Jonathan Chao 11

Today’s TERA POP Architecture – Why so complex and costly?

[Diagram: access/hub routers, parallel WAN links, intra-POP interconnection links, hub-to-core links.]

Clustering of multiple core routers in a POP (Point of Presence). WHY?
• Routers lack the port capacity and switching capacity to meet POP-to-POP demand
• Unreliable routers and lack of network restoration result in back-to-back router configurations
• Lack of a connectivity/bandwidth reservation concept in IP networks (tends toward over-engineering)

RESULTS
• About 50% of port capacity used for intra-POP interconnection – wastes customer investment

REAL PROBLEM MOVING FORWARD
• Can this POP architecture support the data traffic growth yet to be realized?

H. Jonathan Chao 12

In a few years, POP will look like this

[Diagram: access/hub routers, parallel WAN links, intra-POP interconnection links, hub-to-core links.]

• More routers thrown into the POP, creating a serious management nightmare
• A larger portion of switch ports used for interconnection
• Service/network reliability has not been resolved

Need Fundamental Re-thinking

H. Jonathan Chao 13

New POP Architecture – Paradigm Shift

[Diagram: access/hub routers, hub-to-core links, bundled parallel links.]

• One-box solution
• Carrier-grade reliability
• Large port counts
• Every port carries real user traffic
• 10 – 100 terabit packet switching capacity

H. Jonathan Chao 14

[Diagram of the router architecture: line cards (LC) grouped in line-card shelves, each with a Line-card Shelf Controller (LSC); a switch fabric with a Fabric Shelf Controller (FSC); a Route Controller (RC), a Management Controller (MC) and a System Clock (CLK). Data path and control path are drawn separately.]

H. Jonathan Chao 15

Issues of Building a 10-100 Tbit/s Router

• Single-stage vs. multiple-stage switch fabrics
• Electronic vs. optical switch fabrics
• Distributed vs. centralized packet scheduler (4 ns at 40 Gbit/s)
• Memory speed and size
  – For a 40 Gbit/s line, required memory cycle time < 2.66 ns
  – Buffer size: 500 Mbytes per 40 Gbit/s line
• Quality control (8 ns for packet scheduling and discarding)
• Interconnections and power consumption
  – Chip to chip: 128 SERDES bidirectional I/O @ 20 W
  – Rack to rack: VCSEL up to 300 ms with 250 mW
• Fault tolerance and in-service scalability

Textbook: Broadband Packet Switching Technologies (EL737) by Chao, Lam, and Oki; John Wiley & Sons, Aug 2001
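As a worked example added here (not from the slides or from Prof. Chao's group), the arithmetic behind the memory-speed, buffer-size and quality-control figures for a 40 Gbit/s line. The 40-byte minimum packet, the 100 ms round-trip time used for the buffer rule of thumb, and the count of three memory accesses per packet are assumptions made for this example, not numbers from the slide; the script also runs the same formulas for 10 and 100 Gbit/s lines.

```python
# Added worked example (not from the slides): back-of-the-envelope numbers behind
# the "Memory speed and size" and "Quality control" bullets for a 40 Gbit/s line.
# Assumptions (not stated on the slide): a minimum-size IPv4/TCP packet of 40 bytes,
# a 100 ms round-trip time for the buffer rule of thumb, and that the memory
# cycle budget is the packet slot divided by the number of memory accesses the
# datapath makes per packet.

MIN_PACKET_BYTES = 40          # assumption: minimum-size TCP/IP packet (headers only)
RTT_SECONDS = 0.1              # assumption: 100 ms RTT for the bandwidth-delay product


def packet_slot_ns(line_rate_bps: float, packet_bytes: int = MIN_PACKET_BYTES) -> float:
    """Time available to handle one minimum-size packet at the given line rate, in ns.

    At 40 Gbit/s this is the 8 ns the slide quotes for packet scheduling and discarding.
    """
    return packet_bytes * 8 / line_rate_bps * 1e9


def memory_cycle_budget_ns(line_rate_bps: float, accesses_per_packet: int,
                           packet_bytes: int = MIN_PACKET_BYTES) -> float:
    """Required memory cycle time if every packet costs `accesses_per_packet`
    memory operations (e.g. write on arrival, read on departure, plus bookkeeping).

    With three accesses per packet this reproduces the slide's '< 2.66 ns' figure;
    the count of three is an assumption made here, not a number from the slide.
    """
    return packet_slot_ns(line_rate_bps, packet_bytes) / accesses_per_packet


def buffer_size_bytes(line_rate_bps: float, rtt_seconds: float = RTT_SECONDS) -> float:
    """Bandwidth-delay-product buffer: line rate times RTT, converted to bytes.

    40 Gbit/s * 0.1 s = 4 Gbit = 500 Mbytes, matching the slide.
    """
    return line_rate_bps * rtt_seconds / 8


def router_budget(line_rate_bps: float, accesses_per_packet: int = 3) -> dict:
    """Collect the three per-line figures for one line rate."""
    return {
        "packet_slot_ns": packet_slot_ns(line_rate_bps),
        "memory_cycle_ns": memory_cycle_budget_ns(line_rate_bps, accesses_per_packet),
        "buffer_bytes": buffer_size_bytes(line_rate_bps),
    }


if __name__ == "__main__":
    for rate in (10e9, 40e9, 100e9):
        b = router_budget(rate)
        print(f"{rate / 1e9:>5.0f} Gbit/s: slot {b['packet_slot_ns']:.2f} ns, "
              f"memory cycle < {b['memory_cycle_ns']:.2f} ns, "
              f"buffer {b['buffer_bytes'] / 1e6:.0f} Mbytes")
```

The point of the exercise is that the budgets shrink linearly with line rate: a 100 Gbit/s line leaves 3.2 ns per minimum-size packet, so any per-packet decision (scheduling, discarding, a filter lookup) has to fit in that window or be pipelined across several packets.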

H. Jonathan Chao 16

TM board

IM/OM board

CM board

Backplane

H. Jonathan Chao 17

FPGA chips

SERDES chips

H. Jonathan Chao 18

ATM Switch Chip

H. Jonathan Chao 19

VCI Overwriting

Optical Packet Switch Experiment

H. Jonathan Chao 20

Wavelength Converter

Optical Packet Switch Experiment

H. Jonathan Chao 21

Cell Delineation and VCI-Overwrite

H. Jonathan Chao 22

Route Controller

Shared-Memory Controller

H. Jonathan Chao 23

Awarded Packet Switches Projects

Fabrication and Demonstration of a WDM, ATM Multicast Switch

DARPA ($3.2M) 7/95 for 6 years

A Quasi-Static Optoelectronic ATM Switch NSF ($350K) 9/99 for 4 years

A Terabit IP Router with Advanced QoS Support NSF ($450K) 110/99 for 4 years

High-Performance Stable Switches NSF ($500K) 10/04 for 3 years

H. Jonathan Chao 24

Current Participants

Professors: H. Jonathan Chao, Shiv Panwar

Post-doc: Yihan Li

PhD Students: Shi Jiang, Yanming Shen

H. Jonathan Chao 25

We need motivated students doing research with us.

[email protected]