VIRTUAL LABS ON SDN, OPEN VIRTUAL SWITCHES (OVS), CYBERSECURITY, AND OTHERS


2021 Winter ICT Educators Conference
VIRTUAL LABS ON SDN, OPEN VIRTUAL SWITCHES (OVS), CYBERSECURITY, AND OTHERS
Jorge Crichigno
University of South Carolina

Welcome!
I am a faculty member at the University of South Carolina (UofSC).
This session will review labs for NETLAB developed at UofSC using open-source technology.

Agenda
- Motivation, NETLAB environment
- Software-Defined Networking (SDN) labs
- Open Virtual Switch (OvS) labs
- Zeek Intrusion Detection Systems labs

Motivation
- Science, engineering, and mobile applications are generating data at an unprecedented rate
- From large facilities to portable devices, instruments can produce hundreds of terabytes in short periods of time
- Data must typically be transferred across high-throughput, high-latency Wide Area Networks (WANs)
- The Energy Science Network (ESnet) is the backbone connecting U.S. national laboratories and research centers
[Figure: ESnet traffic by application]

Motivation
- A biology experiment using the U.S. National Energy Research Scientific Computing Center (NERSC) resources
[Figure: SnapChat data produced per day worldwide by millions of people: 38 TB; one biology experiment by a team of nine scientists: 114 TB (Photosystem II 71]

Motivation
There are features in network devices that are important for high performance.
[Figure: device layers labelled L1, L2/L3, L4/L5, L5, L3/L5]

Motivation
How can we teach these topics using a scalable environment?
Requirements:
- High performance; speeds of 50 Gbps
- Scalability; the platform must be capable of cloning pods and expanding capacity easily
- Real protocol stack, no simulation
- Free tools

Motivation
Partnering with the Network Development Group (NDG)

Feature | Private Cloud | Public Cloud
Granularity to allocate physical resources | Very granular | Not granular (access to the physical resources requires additional fees)
Easy to create custom pods | Easy | More difficult; hard to design complex topologies
Cost | Cost effective when used extensively | Cost effective for individual / small virtual machines; costly for large virtual machines over time
Application layer for pedagogy, presentation of virtual scenarios | Very flexible | Not flexible; limited to providers' interface, e.g., command-line interface
Time-sharing compute resources | The owner controls who can access resources. Easy to implement time-sharing policies | Cloud provider controls who can access resources (typically, a fee is required per user accessing resources)

Environment: Mininet
Introduction to Mininet

Mininet
- Mininet is a virtual testbed for developing and testing network tools and protocols
- It creates a realistic virtual network on any type of machine (VM, cloud-hosted, or native)
- Inexpensive solution running in line with production networks
- Mininet offers the following features:
  - Fast prototyping for new networking protocols
  - Simplified testing for complex topologies without the need of buying expensive hardware
  - Realistic execution, as it runs real code on the Unix and Linux kernels
  - Open-source environment

Mininet
- Mininet provides network emulation, as opposed to simulation, allowing all network software at any layer to be simply run as is
- Mininet's logical nodes can be connected into networks
- Nodes are sometimes called containers or, more accurately, network namespaces
- Containers consume sufficiently few resources that networks of over a thousand nodes have been created, running on a single laptop

Mininet Nodes
- A Mininet container is a process (or group of processes) that no longer has access to all the host system's native network interfaces
- Containers are then assigned virtual Ethernet interfaces, which are connected to other containers through a virtual switch
- Mininet connects a host and a switch using a virtual Ethernet (veth) link
- The veth link is analogous to a wire connecting two virtual interfaces

MiniEdit
- MiniEdit is a simple GUI network editor for Mininet

MiniEdit
- To build Mininet's minimal topology, two hosts and one switch must be deployed

Host Configuration
- Configure the IP addresses at host h1 and host h2
- A host can be configured by right-clicking the device and selecting Properties

Starting Emulation
- Before testing the connection between host h1 and host h2, the emulation must be started
- Click on the Run button to start the emulation
- The emulation will start and the buttons of the MiniEdit panel will gray out, indicating that they are currently disabled

Executing Commands on Hosts
- Open a terminal on a host by right-clicking the host and selecting Terminal

Testing Connectivity
- On host h1's terminal, type the command ping 10.0.0.2

Overview: SDN Lab Series

SDN Lab Series
The labs provide learning experiences on essential SDN topics:
- Mininet
- Legacy networks, Border Gateway Protocol (BGP)
- FRR routing, an open routing implementation
- MPLS networks: early efforts toward SDN
- SDN fundamentals: controllers, switches
- ONOS controller
- Open Virtual Switch (OVS)
- Traffic isolation with VXLAN
- OpenFlow
- Interconnection between SDN and legacy networks
[Figure: OpenFlow Specification]

SDN Lab Series
Lab experiments:
Lab 1: Introduction to Mininet
Lab 2: Legacy Networks: BGP Example as a distributed system and autonomous forwarding decisions
Lab 3: Early efforts of SDN: MPLS example of a control plane that establishes semi-static forwarding paths
Lab 4: Introduction to SDN
Lab 5: Configuring VXLAN to provide network traffic isolation
Lab 6: Introduction to OpenFlow
Lab 7: SDN-routing within an SDN network
Lab 8: Interconnection between legacy networks and SDN networks
Lab 9: Configuring Virtual Private LAN Services (VPLS) with SDN networks
Lab 10: Applying Equal-Cost Multi-Path (ECMP) within SDN networks

SDN Lab Series
- The goal of the SDN Lab Series is to provide practical experience to students and IT practitioners
- The labs provide background information which is reinforced with hands-on activities
- A good book on SDN networks (which matches the SDN Lab Series) is "Software Defined Networking, A Comprehensive Approach"

Organization of Lab Manuals
Each lab starts with a section:
- Overview
  - Objectives
  - Lab settings: passwords, device names
  - Roadmap: organization of the lab
- Section 1
  - Background information on the topic being covered (e.g., fundamentals of TCP congestion control)
  - Section 1 is optional (i.e., the reader can skip this section and move to the lab directions)
- Sections 2 to n
  - Step-by-step directions

Examples
Legacy networks
[Figures: BGP scenario; MPLS scenario]

Examples
SDN networks
[Figure: SDN network topology]

Examples
Interconnection of SDN and legacy networks
[Figure: topology spanning AS 200 and AS 300 with routers r1 and r3, switches s3, s4 and s5, hosts c0 and h2, and an out-of-band connection; interface addresses omitted]

Overview: Open Virtual Switch Lab Series

Open vSwitch Lab Series
- Open vSwitch (OvS) is an open-source implementation of a distributed virtual multilayer switch
- The main purpose of OvS is to provide a switching stack for hardware virtualization environments, while supporting multiple protocols and standards
- The lab series provides practical experience on Open vSwitch features:
  - Linux namespaces
  - OpenFlow
  - Traffic isolation with VLAN
  - Open vSwitch kernel datapath

Open vSwitch Lab Series
Lab experiments:
Lab 1: Introduction to Linux namespaces and Open vSwitch
Lab 2: Introduction to Mininet
Lab 3: Open vSwitch Flow table
Lab 4: Introduction to Open vSwitch
Lab 5: Implementing VLANs in Open vSwitch
Lab 6: VLAN trunking in Open vSwitch
Lab 7: Implementing Routing in Open vSwitch
Lab 8: Open vSwitch Database Management Protocol (OVSDB)
Lab 9: Open vSwitch Kernel Datapath
Lab 10: Configuring Stateless Firewall using ACLs
Lab 11: Configuring Stateful Firewall using Connection Tracking
Lab 12: Configuring GRE Tunnel


Overview: Zeek Intrusion Detection Lab Series

Zeek Lab Series
The lab series introduces learners to an emulated Intrusion Detection System (IDS) that actively monitors live networks for malicious traffic, policy violations and unidentified anomalies.
It helps students to acquire hands-on skills on:
- Understanding Network Intrusion Detection Systems
- Creating scripts to identify network traffic signatures
- Emulating scenarios to detect Denial of Service (DoS) attacks
- Developing Machine Learning classifiers for anomaly inference and classification

Zeek Lab Series
The lab series can be partitioned into four parts:
- Overview of the basic features of Zeek, such as parsing, reading and organizing Zeek log files
- Generating, capturing and analyzing network traffic using open-source tools (e.g., nmap, tcpdump, Wireshark)
- Introduction to Zeek scripting
- Using Machine Learning features to infer and classify anomalies

Zeek Lab Series
Lab experiments:
Lab 1: Introduction to the Capabilities of Zeek
Lab 2: An Overview of Zeek Logs
Lab 3: Parsing, Reading and Organizing Zeek Log Files
Lab 4: Generation, Capturing and Analyzing Network Scanner Traffic
Lab 5: Generation, Capturing and Analyzing DoS and DDoS centric Network Traffic
Lab 6: Introduction to Zeek Scripting
Lab 7: Introduction to Zeek Signatures
Lab 8: Advanced Zeek Scripting for Anomaly and Malicious Event Detection
Lab 9: Profiling and Performance Metrics of Zeek
Lab 10: Application of the Zeek IDS for Real-Time Network Protection
Lab 11: Preprocessing of Zeek Output Logs for Machine Learning
Lab 12: Developing Machine Learning Classifiers for Anomaly Inference and Classification
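As an added example (not part of the slides or of the UofSC lab manuals), the following Python script reads a Zeek conn.log by its #fields header, the format Lab 3 organizes, and flags originators whose failed TCP attempts spread over many responder ports, the scanner pattern Labs 4 and 7 analyze. The log excerpt is constructed, its column list is abbreviated, and the S0/REJ/RSTOS0 threshold rule is an assumption of this example rather than a Zeek built-in.

```python
"""Parse a Zeek conn.log and flag likely TCP port scanners."""
from collections import defaultdict

# Constructed conn.log excerpt with an abbreviated #fields list (assumption: real
# logs carry more columns; the parser keys records by whatever #fields names).
SAMPLE_CONN_LOG = """#separator \\x09
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
1609459200.1\tC1\t10.0.0.5\t40001\t10.0.0.2\t21\ttcp\tS0
1609459200.2\tC2\t10.0.0.5\t40002\t10.0.0.2\t22\ttcp\tS0
1609459200.3\tC3\t10.0.0.5\t40003\t10.0.0.2\t23\ttcp\tS0
1609459200.4\tC4\t10.0.0.5\t40004\t10.0.0.2\t80\ttcp\tREJ
1609459200.5\tC5\t10.0.0.5\t40005\t10.0.0.2\t443\ttcp\tS0
1609459201.0\tC6\t10.0.0.3\t51000\t10.0.0.2\t80\ttcp\tSF
1609459201.5\tC7\t10.0.0.3\t51001\t10.0.0.2\t22\ttcp\tSF
1609459202.0\tC8\t10.0.0.4\t52000\t10.0.0.2\t8080\ttcp\tREJ
1609459202.5\tC9\t10.0.0.3\t5353\t10.0.0.2\t53\tudp\t-
#close\t2021-01-01-00-00-10
"""

FAILED_STATES = {"S0", "REJ", "RSTOS0"}  # responder never completed the handshake

def parse_zeek_log(text):
    """Yield one dict per data line, keyed by the names in the #fields header.
    Values equal to the #unset_field marker are returned as None."""
    fields, unset = None, "-"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line.partition("\t")
            if key == "#fields":
                fields = value.split("\t")
            elif key == "#unset_field":
                unset = value
            continue  # #separator, #path, #types, #close need no action here
        if fields is None:
            raise ValueError("data line before #fields header")
        yield {k: (None if v == unset else v) for k, v in zip(fields, line.split("\t"))}

def find_port_scanners(records, min_ports=5):
    """Map each originator whose failed TCP attempts hit at least min_ports
    distinct responder ports to the sorted list of those ports."""
    ports = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["conn_state"] in FAILED_STATES:
            ports[r["id.orig_h"]].add(int(r["id.resp_p"]))
    return {h: sorted(p) for h, p in ports.items() if len(p) >= min_ports}
```

Running find_port_scanners(parse_zeek_log(SAMPLE_CONN_LOG)) reports only 10.0.0.5; the single REJ from 10.0.0.4 and the completed SF connections from 10.0.0.3 stay below the threshold.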

Organization of Lab Manuals
Each lab starts with a section:
- Overview
  - Objectives
  - Lab settings: passwords, device names
  - Roadmap: organization of the lab
- Section 1
  - Background information on the topic being covered (e.g., creating Zeek scripts for anomaly detection)
  - Section 1 is optional (i.e., the reader can skip this section and move to the lab directions)
- Sections 2 to n
  - Step-by-step directions

2021 Winter ICT Educators Conference
Thank you
