policy routing using process-level identifiers · • p4 program configures forwarding behavior...
TRANSCRIPT
IEEE International Symposium on Software Defined Systems April 4th, 2016, Berlin, Germany
Oliver Michel, Eric Keller Networking and Security Research Group
Policy Routing using Process-Level Identifiers
Network Policies
2
Network Policies
2
Load Balancing
Network Policies
2
Address Translation
Network Policies
2
Intrusion Detection
Network Policies
2
Firewalling
Limited Identifiers
3
IP
Ethernet
TCP/UDP
Limited Identifiers
3
IP
Ethernet
TCP/UDP
Source Destination EtherType
Limited Identifiers
3
IP
Ethernet
TCP/UDP
Source Destination EtherType
Source Destination
DSCPProtocol ECN
Limited Identifiers
3
IP
Ethernet
TCP/UDP
Source Destination EtherType
Source Destination
DSCPProtocol ECN
Source Destination
Petercn=Peter Pan, ou=CS, o=UColorado
LDAP UserBLOCK
Why fine-grained identifiers?
4
• Uniquely identifying user sessions
Petercn=Peter Pan, ou=CS, o=UColorado
LDAP UserBLOCK
Why fine-grained identifiers?
4
• Uniquely identifying user sessions
MAC IP
Petercn=Peter Pan, ou=CS, o=UColorado
LDAP UserBLOCK
Why fine-grained identifiers?
4
• Uniquely identifying user sessions
MAC IP UID
Petercn=Peter Pan, ou=CS, o=UColorado
LDAP UserBLOCK
Why fine-grained identifiers?
4
• Uniquely identifying user sessions
MAC IP UIDLDAP
Controller
Why fine-grained identifiers?
5
• Isolating vulnerable software
Why fine-grained identifiers?
6
• Isolating vulnerable software
Why fine-grained identifiers?
6
$ openssl sha1 /usr/sbin/httpdSHA1(/usr/sbin/httpd)=5fdbdb587fce265656fd3e2960a6293262efedb7
• Isolating vulnerable software
Why fine-grained identifiers?
6
Executable Fingerprint
$ openssl sha1 /usr/sbin/httpdSHA1(/usr/sbin/httpd)=5fdbdb587fce265656fd3e2960a6293262efedb7
• Isolating vulnerable software
Why fine-grained identifiers?
6
Executable Fingerprint
$ openssl sha1 /usr/sbin/httpdSHA1(/usr/sbin/httpd)=5fdbdb587fce265656fd3e2960a6293262efedb7
Controller
• Isolating vulnerable software
Fine-Grained Information
7
Process Process
Network Interface IP/MAC
user space
operating system
Fine-Grained Information
7
Process Process
Network Interface IP/MAC
Port
user space
operating system
Fine-Grained Information
7
PID
Process Process
Network Interface IP/MAC
Port
user space
operating system
Fine-Grained Information
7
GID
PID
Process Process
Network Interface IP/MAC
Port
user space
operating system
Fine-Grained Information
7
UID
GID
PID
Process Process
Network Interface IP/MAC
Port
user space
operating system
Fine-Grained Information
7
UID
GID
PID
cgroups
Process Process
Network Interface IP/MAC
Port
user space
operating system
Fine-Grained Information
7
UID
GID
PID
cgroups
open files
Process Process
Network Interface IP/MAC
Port
user space
operating system
Fine-Grained Information
7
UID
GID
PID
cgroups
open files
exe fingerprint
Process Process
Network Interface IP/MAC
Port
user space
operating system
Fine-Grained Information
8
user space
operating system
network
Process Process
IP Source IP Destination
EtherTypeMAC Source MAC Destination
Protocol
TCP/UDP Source TCP/UDP Destination
Network Interface IP/MAC
UIDGIDPID cgroups open files exe fingerprint
Fine-Grained Information
8
user space
operating system
network
Process Process
IP Source IP Destination
EtherTypeMAC Source MAC Destination
Protocol
TCP/UDP Source TCP/UDP Destination
Network Interface IP/MAC
UIDGIDPID cgroups open files exe fingerprint
• Uniquely identifying user sessions
• Isolating vulnerable software
Benefiting Scenarios
9
• Uniquely identifying user sessions
• Isolating vulnerable software
• Identifying services
Benefiting Scenarios
9
• Uniquely identifying user sessions
• Isolating vulnerable software
• Identifying services
• Quality of Service
Benefiting Scenarios
9
• Uniquely identifying user sessions
• Isolating vulnerable software
• Identifying services
• Quality of Service
• Forensic Analysis
Benefiting Scenarios
9
PRPL\ˈpər-pəl\
Policy Routing using Process-Level Identifiers
PRPL Overview
11
PRPL Overview
controller
11
PRPL Overview
controller
Distributing and configuring Policy
11
PRPL Overview
controller
Distributing and configuring Policy
11
PRPL Overview
Tagging Packets
controller
Distributing and configuring Policy
11
PRPL Overview
Tagging Packets
controller
Distributing and configuring Policy
Forwarding
11
Tagging
Ethernet
IP
TCP/UDP
• Insert a custom header containing a token associated with some policy
12
Tagging
Ethernet
IP
TCP/UDP
• Insert a custom header containing a token associated with some policy
12
Tagging
Ethernet
IP
TCP/UDP
PRPL
• Insert a custom header containing a token associated with some policy
12
Tagging
Ethernet
IP
TCP/UDP
PRPL 0x12d4f7e3
32 bits
• Insert a custom header containing a token associated with some policy
12
Tagging
13
Process
Policy Controller
Host
user domain
admin domain
Tagging
13
PRPL Agent
Process
Policy Controller
Host
user domain
admin domain
Tagging
13
PRPL Agent
Process
Policy Controller
Host
request communication stream
user domain
admin domain
Tagging
13
PRPL Agent
Process
Policy Controller
Host
request communication stream obtain token
user domain
admin domain
Tagging
13
PRPL Agent
classify/mark tag/forward
configure
Process
Policy Controller
Host
request communication stream obtain token
user domain
admin domain
• Programmable Hardware [Kangaroo INFOCOM ’10, SDN Chip SIGCOMM ’13, Intel FM6000 switch silicon]
• Dataplane Forwarding Model in P4 [SIGCOMM CCR 2014]
Forwarding
14
PRPL token action0xa4..23 drop
reroute0xd3..42
• Programmable Hardware [Kangaroo INFOCOM ’10, SDN Chip SIGCOMM ’13, Intel FM6000 switch silicon]
• Dataplane Forwarding Model in P4 [SIGCOMM CCR 2014]
Forwarding
14
PRPL token action0xa4..23 drop
reroute0xd3..42
• Programmable Hardware [Kangaroo INFOCOM ’10, SDN Chip SIGCOMM ’13, Intel FM6000 switch silicon]
• Dataplane Forwarding Model in P4 [SIGCOMM CCR 2014]
Forwarding
14
Implementation
15
• Linux on-board tools: iptables, custom routing, tunnel devices
Implementation
15
• Linux on-board tools: iptables, custom routing, tunnel devices
• P4: Matching on token
Implementation
15
• Linux on-board tools: iptables, custom routing, tunnel devices
• P4: Matching on token
• Prototype
• P4 behavioral model
• tag based on uid
• forward or drop
Implementation
15
Implementation
direct transmission
using PRPL
200 400 600 800 1000 1200 14000
50
100
150
200
packet size [Bytes]
TCPthroughput
[Mbit/s
]
• No performance penalty for packets < 200 Bytes
16
Future Work and Conclusion
17
• Network Management can greatly benefit from fine-grained process-level information
Future Work and Conclusion
17
• Network Management can greatly benefit from fine-grained process-level information
• System Architecture and Prototype enabling packet processing based on such information
Future Work and Conclusion
17
• Network Management can greatly benefit from fine-grained process-level information
• System Architecture and Prototype enabling packet processing based on such information
• Future work: expansion beyond current examples, more complex policies
Future Work and Conclusion
17
Source Code
18
https://github.com/nsr-colorado/prpl
Backup Slides
• Study feasibility of more complex policy scenarios
• Granularity of Tokens
• Controller - Agent Interface
• Proactive vs. reactive configuration
• Trust in tagging process
Future Work
20
• Token sizes between 16 bits and 32 bits sufficient even for large networks
Tagging
21
500 servers
2000 servers
10000 servers
1 5 10 50 1005
10
15
20
25
number of policy rules per host (log.)
minimum
tokensize
[bits]
• new custom ASICs can achieve such flexibility at terabit speeds [Kangaroo INFOCOM ’10, SDN Chip SIGCOMM ’13, Intel FM6000 switch silicon]
• some switches are more programmable than others:
• FPGA (Xilinx, Altera, Corsa)
• NPU (Ezchip, Netronome)
• CPU (OVS, …)
Programmable Hardware
22
• P4 program configures forwarding behavior (abstract forwarding model)
• express serial dependencies (e.g. ARP/L3 Routing)
• P4 compiler translates into a target-specific representation
• OF can still be used to install and query rules once forwarding model is defined
P4 Language
23
P4 Forwarding Model / Runtime
24
Switch
Parser Match/ActionTables
Packet Metadata
Egress Queues
P4 Forwarding Model / Runtime
24
L2L3.p4
Switch
Parser Match/ActionTables
Packet Metadata
Egress Queues
P4 Forwarding Model / Runtime
24
L2L3.p4
Switch
Parser Match/ActionTables
Packet Metadata
Egress Queues
COMPILE
P4 Forwarding Model / Runtime
24
L2L3.p4
Switch
Parser Match/ActionTables
Packet Metadata
Egress Queues
COMPILE
Eth
VLAN IP4 IP6
TCP UDP
P4 Forwarding Model / Runtime
24
L2L3.p4
Switch
Parser Match/ActionTables
Packet Metadata
Egress Queues
COMPILE
Eth
VLAN IP4 IP6
TCP UDP
Controller
Routing Firewall NAT
P4 Forwarding Model / Runtime
24
L2L3.p4
Switch
Parser Match/ActionTables
Packet Metadata
Egress Queues
COMPILE
Eth
VLAN IP4 IP6
TCP UDP
Controller
Routing Firewall NAT
P4 Forwarding Model / Runtime
24
L2L3.p4
Switch
Parser Match/ActionTables
Packet Metadata
Egress Queues
COMPILE
Eth
VLAN IP4 IP6
TCP UDP
Controller
Routing Firewall NAT
P4 Forwarding Model / Runtime
24
Switch
Parser Match/ActionTables
Packet Metadata
Egress Queues
COMPILE
Eth
VLAN IP4 IP6
TCP UDP
Controller
Routing Firewall NAT
P4 Forwarding Model / Runtime
24
Switch
Parser Match/ActionTables
Packet Metadata
Egress Queues
COMPILE
Eth
VLAN IP4 IP6
TCP UDP
Controller
Routing Firewall NAT
OF1-3.p4
P4 Forwarding Model / Runtime
24
Switch
Parser Match/ActionTables
Packet Metadata
Egress Queues
COMPILE
Eth
VLAN IP4 IP6
TCP UDP
Controller
Routing Firewall NAT
OF1-3.p4
Open Flow 1.3
Architecture
25
Network
PolicyController
DirectoryService
verifyexistence
installflow entries
GatewaySwitch
Internet
user domain
admin domain
PRPL Agent
Process Process
Socket Socket
Switch
request stream/obtain token
ANNOTATING PACKET STREAMS PRPLFORWARDING
CONTROLLING/DISTRIBUTING POLICY
A
PRPL token action0xa4..23 drop
reroute0xd3..42
B
C
Process
Socket
classify/mark annotate/forward
configure
P4 Parsing
26
EthernetPolicy Token
IP
...
Eth PRPL
TCP UDP
0xd3...42 drop0xa4...29 reroute
continue0xa6...76
IP
10.0.1/2410.0.2/24
12
Routing Table
Policy Table
Parsing FSMIncoming Packet
P4 Implementation
27
table prpl { reads { prpl.token : exact;
} actions { _nop; _drop; forward; } size : 128;
}
header_type prpl_t { fields { token : 8;
} }
header prpl_t prpl;
parser start { return parse_ethernet;
} parser parse_ethernet { extract(ethernet); return parse_prpl;
}parser parse_prpl { extract(prpl); return ingress;
}
table_set_default prpl _noptable_add prpl _nop 0x00000001 =>table_add prpl _drop 0x00000002 =>table_add prpl forward 0x00000001 => 4
iptables
28
iptables OUTPUT chain--uid-owner1003 --set-mark 0xd2
1003
process
policy_d2default dev tun2
policy_54default dev tun5
from all mark 0xd2 lookup policy_d2routing rules
/etc/iproute2/rt_tables
tun2
Policy Agent Network
tun5
admin domain
user domain