policy routing using process-level identiﬁers · • p4 program conﬁgures forwarding behavior...

IEEE International Symposium on Software Defined Systems April 4th, 2016, Berlin, Germany

Oliver Michel, Eric Keller Networking and Security Research Group

Policy Routing using Process-Level Identifiers

Network Policies

2

Network Policies

2

Load Balancing

Network Policies

2

Address Translation

Network Policies

2

Intrusion Detection

Network Policies

2

Firewalling

Limited Identifiers

3

IP

Ethernet

TCP/UDP

Limited Identifiers

3

IP

Ethernet

TCP/UDP

Source Destination EtherType

Limited Identifiers

3

IP

Ethernet

TCP/UDP


Source Destination

DSCPProtocol ECN

Limited Identifiers

3

IP

Ethernet

TCP/UDP


Source Destination

DSCPProtocol ECN

Source Destination

Petercn=Peter Pan, ou=CS, o=UColorado

LDAP UserBLOCK

Why fine-grained identifiers?

4

• Uniquely identifying user sessions


LDAP UserBLOCK


4


MAC IP


LDAP UserBLOCK


4


MAC IP UID


LDAP UserBLOCK


4


MAC IP UIDLDAP

Controller


5

• Isolating vulnerable software


6



6

$ openssl sha1 /usr/sbin/httpdSHA1(/usr/sbin/httpd)=5fdbdb587fce265656fd3e2960a6293262efedb7



6

Executable Fingerprint




6

Executable Fingerprint


Controller


Fine-Grained Information

7

Process Process

Network Interface IP/MAC

user space

operating system


7

Process Process


Port

user space

operating system


7

PID

Process Process


Port

user space

operating system


7

GID

PID

Process Process


Port

user space

operating system


7

UID

GID

PID

Process Process


Port

user space

operating system


7

UID

GID

PID

cgroups

Process Process


Port

user space

operating system


7

UID

GID

PID

cgroups

open files

Process Process


Port

user space

operating system


7

UID

GID

PID

cgroups

open files

exe fingerprint

Process Process


Port

user space

operating system


8

user space

operating system

network

Process Process

IP Source IP Destination

EtherTypeMAC Source MAC Destination

Protocol

TCP/UDP Source TCP/UDP Destination


UIDGIDPID cgroups open files exe fingerprint



Benefiting Scenarios

9



• Identifying services


9




• Quality of Service


9




• Quality of Service

• Forensic Analysis


9

PRPL\ˈpər-pəl\

Policy Routing using Process-Level Identifiers

PRPL Overview

11

PRPL Overview

controller

11

PRPL Overview

controller

Distributing and configuring Policy

11

PRPL Overview

Tagging Packets

controller


11

PRPL Overview

Tagging Packets

controller


Forwarding

11

Tagging

Ethernet

IP

TCP/UDP

• Insert a custom header containing a token associated with some policy

12

Tagging

Ethernet

IP

TCP/UDP

PRPL


12

Tagging

Ethernet

IP

TCP/UDP

PRPL 0x12d4f7e3

32 bits


12

Tagging

13

Process

Policy Controller

Host

user domain

admin domain

Tagging

13

PRPL Agent

Process

Policy Controller

Host

user domain

admin domain

Tagging

13

PRPL Agent

Process

Policy Controller

Host

request communication stream

user domain

admin domain

Tagging

13

PRPL Agent

Process

Policy Controller

Host

request communication stream obtain token

user domain

admin domain

Tagging

13

PRPL Agent

classify/mark tag/forward

configure

Process

Policy Controller

Host

request communication stream obtain token

user domain

admin domain

• Programmable Hardware [Kangaroo INFOCOM ’10, SDN Chip SIGCOMM ’13, Intel FM6000 switch silicon]

• Dataplane Forwarding Model in P4 [SIGCOMM CCR 2014]

Forwarding

14

PRPL token action0xa4..23 drop

reroute0xd3..42

• Programmable Hardware [Kangaroo INFOCOM ’10, SDN Chip SIGCOMM ’13, Intel FM6000 switch silicon]

• Dataplane Forwarding Model in P4 [SIGCOMM CCR 2014]

Forwarding

14

Implementation

15

• Linux on-board tools: iptables, custom routing, tunnel devices

Implementation

15


• P4: Matching on token

Implementation

15


• P4: Matching on token

• Prototype

• P4 behavioral model

• tag based on uid

• forward or drop

Implementation

15

Implementation

direct transmission

using PRPL

200 400 600 800 1000 1200 14000

50

100

150

200

packet size [Bytes]

TCPthroughput

[Mbit/s

]

• No performance penalty for packets < 200 Bytes

16

Future Work and Conclusion

17

• Network Management can greatly benefit from fine-grained process-level information


17


• System Architecture and Prototype enabling packet processing based on such information


17


• System Architecture and Prototype enabling packet processing based on such information

• Future work: expansion beyond current examples, more complex policies


17

Source Code

18

https://github.com/nsr-colorado/prpl

Backup Slides

• Study feasibility of more complex policy scenarios

• Granularity of Tokens

• Controller - Agent Interface

• Proactive vs. reactive configuration

• Trust in tagging process

Future Work

20

• Token sizes between 16 bits and 32 bits sufficient even for large networks

Tagging

21

500 servers

2000 servers

10000 servers

1 5 10 50 1005

10

15

20

25

number of policy rules per host (log.)

minimum

tokensize

[bits]

• new custom ASICs can achieve such flexibility at terabit speeds [Kangaroo INFOCOM ’10, SDN Chip SIGCOMM ’13, Intel FM6000 switch silicon]

• some switches are more programmable than others:

• FPGA (Xilinx, Altera, Corsa)

• NPU (Ezchip, Netronome)

• CPU (OVS, …)

Programmable Hardware

22

• P4 program configures forwarding behavior (abstract forwarding model)

• express serial dependencies (e.g. ARP/L3 Routing)

• P4 compiler translates into a target-specific representation

• OF can still be used to install and query rules once forwarding model is defined

P4 Language

23

P4 Forwarding Model / Runtime

24

Switch

Parser Match/ActionTables

Packet Metadata

Egress Queues


24

L2L3.p4

Switch


Packet Metadata

Egress Queues


24

L2L3.p4

Switch


Packet Metadata

Egress Queues

COMPILE


24

L2L3.p4

Switch


Packet Metadata

Egress Queues

COMPILE

Eth

VLAN IP4 IP6

TCP UDP


24

L2L3.p4

Switch


Packet Metadata

Egress Queues

COMPILE

Eth

VLAN IP4 IP6

TCP UDP

Controller

Routing Firewall NAT


24

Switch


Packet Metadata

Egress Queues

COMPILE

Eth

VLAN IP4 IP6

TCP UDP

Controller



24

Switch


Packet Metadata

Egress Queues

COMPILE

Eth

VLAN IP4 IP6

TCP UDP

Controller


OF1-3.p4


24

Switch


Packet Metadata

Egress Queues

COMPILE

Eth

VLAN IP4 IP6

TCP UDP

Controller


OF1-3.p4

Open Flow 1.3

Architecture

25

Network

PolicyController

DirectoryService

verifyexistence

installflow entries

GatewaySwitch

Internet

user domain

admin domain

PRPL Agent

Process Process

Socket Socket

Switch

request stream/obtain token

ANNOTATING PACKET STREAMS PRPLFORWARDING

CONTROLLING/DISTRIBUTING POLICY

A

PRPL token action0xa4..23 drop

reroute0xd3..42

B

C

Process

Socket

classify/mark annotate/forward

configure

P4 Parsing

26

EthernetPolicy Token

IP

...

Eth PRPL

TCP UDP

0xd3...42 drop0xa4...29 reroute

continue0xa6...76

IP

10.0.1/2410.0.2/24

12

Routing Table

Policy Table

Parsing FSMIncoming Packet

P4 Implementation

27

table prpl { reads { prpl.token : exact;

} actions { _nop; _drop; forward; } size : 128;

}

header_type prpl_t { fields { token : 8;

} }

header prpl_t prpl;

parser start { return parse_ethernet;

} parser parse_ethernet { extract(ethernet); return parse_prpl;

}parser parse_prpl { extract(prpl); return ingress;

}

table_set_default prpl _noptable_add prpl _nop 0x00000001 =>table_add prpl _drop 0x00000002 =>table_add prpl forward 0x00000001 => 4

iptables

28

iptables OUTPUT chain--uid-owner1003 --set-mark 0xd2

1003

process

policy_d2default dev tun2

policy_54default dev tun5

from all mark 0xd2 lookup policy_d2routing rules

/etc/iproute2/rt_tables

tun2

Policy Agent Network

tun5

admin domain

user domain

policy routing using process-level identiﬁers · • p4 program conﬁgures forwarding behavior...

Documents