Traffic Management - OpenFlow Switch on the NetFPGA platform (PowerPoint presentation)

Chun-Jen Chung (1203584897), Sriram Gopinath (1203800749)

Presentation Transcript
OpenFlow

  • OpenFlow is an open standard that enables researchers to run experimental protocols in the campus networks we use every day.

  • OpenFlow is an open interface for remotely controlling the forwarding tables in network switches, routers, and access points. It provides an open protocol to program the flow-table in different switches and routers.

  • An OpenFlow Switch consists of at least three parts:

    (1) A Flow Table, with an action associated with each flow entry, to tell the switch how to process the flow

    (2) A Secure Channel that connects the switch to a remote control process (called the controller), allowing commands and packets to be sent between a controller and the switch. OpenFlow 1.0 specifies this channel as a TLS session with mutual certificate authentication, but most switch and controller implementations also accept plain TCP; whoever can reach an unauthenticated channel can rewrite the flow table, so it belongs on an isolated management network.

    (3) The OpenFlow Protocol, which provides an open and standard way for a controller to communicate with a switch.

How OpenFlow works

  • In a classical router or switch, the fast packet forwarding (data path) and the high level routing decisions (control path) occur on the same device.

  • An OpenFlow Switch separates these two functions. The data path portion still resides on the switch, while high-level routing decisions are moved to a separate controller, typically a standard server.

  • The OpenFlow Switch and Controller communicate via the OpenFlow protocol, which defines messages, such as packet-received, send-packet-out, modify-forwarding-table, and get-stats.

  • The data path of an OpenFlow Switch presents a clean flow table abstraction – each flow table entry contains a set of packet fields to match, and an action (such as send-out-port, modify-field, or drop).

  • When an OpenFlow Switch receives a packet it has never seen before, for which it has no matching flow entries, it sends this packet to the controller.

  • The controller then makes a decision on how to handle this packet. It can drop the packet, or it can add a flow entry directing the switch on how to forward similar packets in the future.
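The miss-then-install cycle described in the bullets above, as an added example that is not code from the presentation or from the NetFPGA OpenFlow package: a Python model of a switch whose flow table is consulted in the data path, and a controller that is invoked only on a table miss and answers with a packet-out and, when it knows enough, a new flow entry. The learning-switch policy, the MAC addresses and the packet header dicts are constructed for the example; a real switch would decode them from the wire.

```python
"""Model of the OpenFlow split between a flow-table data path and a controller.
Added example for this transcript, not code from the presentation or from the
NetFPGA OpenFlow package; the learning-switch policy, MAC addresses and header
dicts are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FLOOD = "FLOOD"   # OpenFlow pseudo-port: every port except the ingress port
DROP = "DROP"     # a flow entry with no action list drops matching packets
Packet = Dict[str, object]   # keys: in_port, dl_src, dl_dst, len


@dataclass
class FlowEntry:
    match: Dict[str, object]    # header fields that must all be equal
    out_port: object            # port number, FLOOD or DROP
    priority: int = 0
    packets: int = 0            # counters returned by get-stats
    bytes: int = 0

    def matches(self, pkt: Packet) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())


class Controller:
    """Learning-switch policy; runs only when the switch reports a table miss."""

    def __init__(self) -> None:
        self.mac_to_port: Dict[str, int] = {}
        self.packet_ins = 0

    def packet_in(self, pkt: Packet) -> Tuple[Optional[FlowEntry], object]:
        """Return (flow entry to install or None, port for the packet-out)."""
        self.packet_ins += 1
        self.mac_to_port[pkt["dl_src"]] = pkt["in_port"]
        dst = pkt["dl_dst"]
        if dst not in self.mac_to_port:
            return None, FLOOD          # unknown destination: packet-out only
        entry = FlowEntry(
            match={"in_port": pkt["in_port"], "dl_src": pkt["dl_src"], "dl_dst": dst},
            out_port=self.mac_to_port[dst])
        return entry, entry.out_port    # modify-forwarding-table + packet-out


class OpenFlowSwitch:
    def __init__(self, controller: Controller) -> None:
        self.controller = controller
        self.table: List[FlowEntry] = []                # highest priority first
        self.egress: List[Tuple[object, Packet]] = []   # (port, packet) sent

    def lookup(self, pkt: Packet) -> Optional[FlowEntry]:
        return next((e for e in self.table if e.matches(pkt)), None)

    def receive(self, pkt: Packet) -> object:
        entry = self.lookup(pkt)
        if entry is None:                                # table miss
            entry, out_port = self.controller.packet_in(pkt)   # packet-received
            if entry is None:
                self.egress.append((out_port, pkt))      # send-packet-out
                return out_port
            self.table.append(entry)
            self.table.sort(key=lambda e: -e.priority)
        entry.packets += 1                               # data-path hit from now on
        entry.bytes += pkt["len"]
        if entry.out_port != DROP:
            self.egress.append((entry.out_port, pkt))
        return entry.out_port

    def stats(self) -> List[Tuple[int, int]]:
        """What a get-stats request returns: (packets, bytes) per flow entry."""
        return [(e.packets, e.bytes) for e in self.table]


def run_demo() -> Dict[str, object]:
    ctl = Controller()
    sw = OpenFlowSwitch(ctl)
    h1, h2 = "00:00:00:00:00:01", "00:00:00:00:00:02"   # constructed hosts

    def pkt(port: int, src: str, dst: str) -> Packet:
        return {"in_port": port, "dl_src": src, "dl_dst": dst, "len": 64}

    outputs = [
        sw.receive(pkt(1, h1, h2)),   # miss, h2 unknown: FLOOD, nothing installed
        sw.receive(pkt(2, h2, h1)),   # miss, h1 known: entry installed, port 1
        sw.receive(pkt(1, h1, h2)),   # miss on the reverse flow: entry, port 2
        sw.receive(pkt(1, h1, h2)),   # hit: forwarded without the controller
        sw.receive(pkt(1, h1, h2)),   # hit
    ]
    return {"outputs": outputs, "packet_ins": ctl.packet_ins,
            "flows": len(sw.table), "stats": sw.stats()}


if __name__ == "__main__":
    print(run_demo())
```

Five packets cost three controller round trips; once both directions are installed, the switch forwards on its own and the controller only sees the counters when it asks for them. The DROP constant shows where a security policy plugs in: a controller that returns an entry with out_port=DROP turns the table miss into a black-hole rule for that flow.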

Idealized OpenFlow Switch diagram (figure not reproduced in the transcript)

Advantages of OpenFlow

  • OpenFlow allows you to easily deploy innovative routing and switching protocols in your network.

  • Amenable to high-performance and low-cost implementations.

  • Capable of supporting a broad range of research.

  • Assured to isolate experimental traffic from production traffic: each flow entry carries its own action, so experimental flows can be confined to their own paths.

  • Consistent with vendors' need for closed platforms: the switch exposes only the flow-table interface, not its internal design.

OpenFlow Switch Implementation for the NetFPGA platform

  • NetFPGA is a platform that enables students and researchers to experiment with Gigabit rate networking hardware

  • The NetFPGA is a PCI card that contains a large Xilinx FPGA, four Gigabit Ethernet ports, static RAM (SRAM) and double-data-rate (DDR2) dynamic RAM (DRAM).

  • The card design is open source and the hardware is available at very low cost.

  • A complete network hardware platform implemented with Field Programmable Gate Array (FPGA) logic

  • Put a NetFPGA into a PC to build your own hardware-accelerated, gigabit-speed:

    • Any-protocol router

    • Cycle-accurate measurement device

    • Firewall / IDS / IDP

    • Network appliance


  • NetFPGA consists of three parts:

    • Hardware (Components of PCI card)

    • Gateware ( Hardware description source code)

    • Software (Device drivers, utilities, router control packages)

Software and Hardware

  • Software

    • CentOS

    • NetFPGA Package

    • OpenFlow Package

      • VLAN Tag Handler

      • Traffic Monitor

    • Packet Generator

  • Hardware

    • NetFPGA – PCI card

    • PCs


  • Traffic Management

    • To block or monitor malicious traffic

    • To avoid VLAN hopping attacks

Monitoring Malicious Traffic

  • In this application we monitor the incoming traffic and record, for each packet, the IP protocol number (the IANA assigned number), the source IP address, and a counter of the packets dropped.

  • This data is checked against a blacklist of IP addresses.

  • Based on the internal policy, the switch can drop the traffic or generate alerts.
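The monitor described on this slide, as an added example that is not the presentation's Traffic Monitor code: it decodes the protocol number and source address from a raw IPv4 header, checks the source against a blacklist, keeps a per-(source, protocol) counter of dropped packets, and raises alerts for protocols the policy flags but does not block. The blacklist, the alert protocol set and the sample packets are constructed; unparsable headers are dropped rather than forwarded.

```python
"""Blacklist-and-count traffic monitor over raw IPv4 packets.  Added example
for this transcript, not the presentation's Traffic Monitor code; the
blacklist, the alert protocol set and the sample packets are constructed."""
import ipaddress
import struct
from collections import Counter
from typing import Dict, Iterable, List, Tuple

DROP, ALERT, FORWARD = "drop", "alert", "forward"
# Constructed policy: addresses from the documentation (TEST-NET) ranges;
# protocol 1 = ICMP (IANA assigned number) is alerted on but still forwarded.
BLACKLIST = {ipaddress.ip_address("198.51.100.7"), ipaddress.ip_address("203.0.113.99")}
ALERT_PROTOCOLS = {1}


def parse_ipv4(packet: bytes) -> Tuple[int, ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Return (protocol number, source, destination) from an IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    return (packet[9], ipaddress.IPv4Address(packet[12:16]),
            ipaddress.IPv4Address(packet[16:20]))


class TrafficMonitor:
    def __init__(self, blacklist: Iterable, alert_protocols: Iterable[int]) -> None:
        self.blacklist = set(blacklist)
        self.alert_protocols = set(alert_protocols)
        self.dropped: Counter = Counter()    # (source, protocol) -> packets dropped
        self.alerts: List[str] = []

    def inspect(self, packet: bytes) -> str:
        try:
            proto, src, dst = parse_ipv4(packet)
        except ValueError as exc:
            self.alerts.append(f"malformed packet dropped: {exc}")
            return DROP                      # fail closed on unparsable headers
        if src in self.blacklist:
            self.dropped[(src, proto)] += 1
            return DROP
        if proto in self.alert_protocols:
            self.alerts.append(f"alert: proto={proto} {src} -> {dst}")
            return ALERT
        return FORWARD

    def dropped_summary(self) -> Dict[Tuple[str, int], int]:
        return {(str(src), proto): n for (src, proto), n in self.dropped.items()}


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Constructed sample input: minimal IPv4 header, checksum left at zero."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def run_demo() -> Tuple[List[str], TrafficMonitor]:
    mon = TrafficMonitor(BLACKLIST, ALERT_PROTOCOLS)
    samples = [
        build_ipv4("198.51.100.7", "10.0.0.5", 6),   # blacklisted source, TCP
        build_ipv4("198.51.100.7", "10.0.0.5", 6),   # same flow: counter -> 2
        build_ipv4("198.51.100.7", "10.0.0.5", 17),  # same source, UDP: own counter
        build_ipv4("192.0.2.10", "10.0.0.5", 1),     # ICMP from a clean host
        build_ipv4("192.0.2.10", "10.0.0.5", 6),     # clean TCP
        b"\x45\x00\x00",                              # truncated header
    ]
    return [mon.inspect(p) for p in samples], mon


if __name__ == "__main__":
    verdicts, monitor = run_demo()
    print(verdicts, monitor.dropped_summary(), monitor.alerts)
```

The counters are keyed on (source, protocol) so that a blacklisted host probing with several protocols shows up as separate lines, which is what an operator wants when deciding whether the blacklist entry is still earning its keep. The fail-closed branch matters in hardware as well: a packet the parser cannot classify must not fall through to the forward path.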

What is a VLAN hopping attack?

  • This is a computer security exploit, a method of attacking networked resources on a VLAN.

  • In a double tagging attack, an attacking host prepends two VLAN tags to the frames it transmits. The first (outer) tag, which corresponds to the VLAN the attacker is really a member of, is stripped off by the first switch the frame encounters, and the frame is then forwarded. This works when the attacker's VLAN is the native VLAN of the trunk between the two switches, because the native VLAN is carried untagged on the trunk.

  • The second, false, tag is then visible to the second switch the frame encounters. This false VLAN tag indicates that the frame is destined for a host on a second, target VLAN, and the frame is delivered to the target host as though it were ordinary layer 2 traffic on that VLAN. By this method the attacking host bypasses the layer 3 controls (router ACLs, firewalls between VLANs) that are used to logically isolate hosts from one another. The attack is one-way: the target's replies carry a single tag and do not come back to the attacker.

Avoid VLAN Hopping Attack

  • We intend to configure a VLAN setup and analyze the packets that flow between two hosts in the same VLAN.

  • We need to uniquely identify the communicating hosts from the packets they transmit.

  • Based on that identifier, drop packets whenever a VLAN hopping attack is detected.

Flow table entries

  • The schemes below could be used to prevent the VLAN hopping attack.

  • We would use the fields captured in the flow table, or identify additional fields that uniquely identify the hosts.

  • We could use the Squash authentication scheme to authenticate the source before the VLAN connection is set up, so that hopping is prevented.


  • Making the switch act as a basic firewall

  • Preventing the VLAN hopping attack
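The double-tagging attack from the earlier slide and the drop rules of this one, as an added example that is not the presentation's VLAN Tag Handler code: a parser for stacked 802.1Q tags, the native-VLAN strip a conventional first switch performs (which is what exposes the inner tag), and the ingress policy an OpenFlow switch acting as a firewall would apply, keyed on the port's role and on a (port, source MAC) host identity. MAC addresses, VLAN numbers and the port configuration are constructed.

```python
"""Parsing stacked 802.1Q tags, the native-VLAN strip that makes double tagging
work, and an ingress drop policy.  Added example for this transcript, not the
presentation's VLAN Tag Handler; MAC addresses, VLAN numbers and port
configuration are constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TPID_8021Q = 0x8100        # 0x88a8 S-tags (QinQ) are not handled here


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlans: List[int]       # VIDs, outermost first; empty when untagged
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Decode an Ethernet II frame with any number of stacked 802.1Q tags."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    off, vlans = 12, []
    while True:
        if off + 2 > len(raw):
            raise ValueError("truncated ethertype")
        ethertype = struct.unpack_from("!H", raw, off)[0]
        if ethertype != TPID_8021Q:
            break
        if off + 4 > len(raw):
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", raw, off + 2)[0]
        vlans.append(tci & 0x0FFF)     # VID; PCP/DEI bits ignored here
        off += 4
    return Frame(raw[0:6], raw[6:12], vlans, ethertype, raw[off + 2:])


def build_frame(dst: bytes, src: bytes, vlans: List[int], ethertype: int,
                payload: bytes) -> bytes:
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid) for vid in vlans)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def trunk_egress(raw: bytes, native_vlan: int) -> bytes:
    """What the first (conventional) switch does: the trunk's native VLAN is
    sent untagged, so a frame whose outer tag equals it loses that tag and the
    attacker's inner tag becomes the only tag the second switch sees."""
    f = parse_frame(raw)
    if f.vlans and f.vlans[0] == native_vlan:
        return build_frame(f.dst, f.src, f.vlans[1:], f.ethertype, f.payload)
    return raw


@dataclass
class PortConfig:
    access_vlan: Optional[int]     # VLAN of an access port; None for a trunk
    hosts: Dict[bytes, int]        # (src MAC seen on this port) -> its VLAN


def vlan_policy(ports: Dict[int, PortConfig], in_port: int, raw: bytes) -> str:
    """Ingress drop rule for an OpenFlow switch acting as a basic firewall."""
    try:
        f = parse_frame(raw)
    except ValueError:
        return "drop"
    cfg = ports.get(in_port)
    if cfg is None:
        return "drop"
    if cfg.access_vlan is not None:
        # End hosts on an access port send untagged frames, so any tag, single
        # or double, is a hopping attempt.  OpenFlow 1.0 matches only the outer
        # tag (dl_vlan), so the installable rule is "in_port X and dl_vlan
        # present", not "two tags".
        return "drop" if f.vlans else "forward"
    # Trunk: exactly one tag, and its VID must agree with the VLAN recorded for
    # this (port, source MAC) identity; unknown hosts are dropped by default.
    expected = cfg.hosts.get(f.src)
    if expected is None or len(f.vlans) != 1 or f.vlans[0] != expected:
        return "drop"
    return "forward"


def run_demo() -> Tuple[List[int], Dict[str, str]]:
    attacker, victim = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    attack = build_frame(victim, attacker, [1, 20], 0x0800, bytes(20))  # attacker in VLAN 1
    seen_by_second_switch = parse_frame(trunk_egress(attack, native_vlan=1)).vlans
    ports = {1: PortConfig(access_vlan=1, hosts={}),                # attacker's port
             5: PortConfig(access_vlan=None, hosts={attacker: 1})}  # trunk from switch 1
    verdicts = {
        "double_tag_on_access": vlan_policy(ports, 1, attack),
        "untagged_on_access": vlan_policy(ports, 1, build_frame(victim, attacker, [], 0x0800, b"")),
        "stripped_frame_on_trunk": vlan_policy(ports, 5, trunk_egress(attack, 1)),
        "expected_tag_on_trunk": vlan_policy(ports, 5, build_frame(victim, attacker, [1], 0x0800, b"")),
    }
    return seen_by_second_switch, verdicts


if __name__ == "__main__":
    print(run_demo())
```

The access-port rule is the one to rely on: it needs no host identity and catches the attack at the attacker's own port before any tag is stripped. The trunk-side check backs it up on the second switch, but its (port, source MAC) identity is only as trustworthy as the MAC address, which an attacker on the same segment can forge.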

Ref - Flow Entry Actions

  • 1. Forward this flow's packets to a given port (or ports). This allows packets to be routed through the network. In most switches this is expected to take place at line rate.

  • 2. Encapsulate and forward this flow's packets to a controller. The packet is delivered to the Secure Channel, where it is encapsulated and sent to a controller. Typically used for the first packet in a new flow, so that a controller can decide whether the flow should be added to the Flow Table; in some experiments it could be used to forward all packets to a controller for processing.

  • 3. Drop this flow's packets. Can be used for security, to curb denial of service attacks, or to reduce spurious broadcast discovery traffic from end hosts.

  • 4. Forward this flow's packets through the switch's normal processing pipeline (the NORMAL port), i.e. the vendor's conventional layer 2/3 forwarding on switches that implement it alongside OpenFlow.
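The four action kinds above as they appear on the wire, as an added example that is not code from the presentation or from the NetFPGA OpenFlow package: OpenFlow 1.0 encoding of a packet-in (case 2, switch to controller) and of the flow-mods a controller answers with, whose action list forwards to a port (case 1), is empty (case 3, drop) or names OFPP_NORMAL (case 4). Field layouts follow the OpenFlow 1.0 ofp_packet_in, ofp_match, ofp_flow_mod and ofp_action_output structures; the MAC addresses, the 60-byte frame and the transaction ids are constructed.

```python
"""OpenFlow 1.0 wire encoding of the switch->controller packet-in and the
controller->switch flow-mods that answer it.  Added example, not code from the
presentation or the NetFPGA OpenFlow package; offsets follow the OpenFlow 1.0
ofp_packet_in, ofp_match, ofp_flow_mod and ofp_action_output structures."""
import struct
from typing import Dict, List, Tuple

OFP_VERSION = 0x01
OFPT_PACKET_IN, OFPT_FLOW_MOD = 10, 14
OFPR_NO_MATCH = 0                     # packet-in reason: no matching flow entry
OFPFC_ADD = 0
OFPAT_OUTPUT = 0
OFPP_NORMAL, OFPP_CONTROLLER, OFPP_NONE = 0xFFFA, 0xFFFD, 0xFFFF
OFPFW_IN_PORT, OFPFW_DL_SRC, OFPFW_DL_DST = 1 << 0, 1 << 2, 1 << 3
OFPFW_ALL = (1 << 22) - 1
OFP_NO_BUFFER = 0xFFFFFFFF

HDR = "!BBHI"                  # version, type, length, xid (8 bytes)
PKT_IN = "!IHHBx"              # buffer_id, total_len, in_port, reason, pad (10)
MATCH = "!IH6s6sHBxHBBxxIIHH"  # ofp_match (40)
FM_TAIL = "!QHHHHIHH"          # cookie, command, idle, hard, prio, buffer, out_port, flags (24)
ACT_OUT = "!HHHH"              # type, len, port, max_len (8)

# Constructed sample: 60-byte Ethernet frame from H1 to H2, IPv4 ethertype.
H1, H2 = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE_FRAME = H2 + H1 + b"\x08\x00" + bytes(46)


def packet_in(xid: int, in_port: int, frame: bytes) -> bytes:
    """Switch -> controller: the table-miss packet, encapsulated (case 2)."""
    body = struct.pack(PKT_IN, OFP_NO_BUFFER, len(frame), in_port, OFPR_NO_MATCH) + frame
    return struct.pack(HDR, OFP_VERSION, OFPT_PACKET_IN, 8 + len(body), xid) + body


def parse_packet_in(msg: bytes) -> Tuple[int, int, bytes]:
    version, mtype, length, _xid = struct.unpack_from(HDR, msg, 0)
    if version != OFP_VERSION or mtype != OFPT_PACKET_IN or length != len(msg):
        raise ValueError("not a well-formed OpenFlow 1.0 packet-in")
    _buf, total_len, in_port, reason = struct.unpack_from(PKT_IN, msg, 8)
    data = msg[18:]                # frame starts right after the 10-byte body
    if len(data) > total_len:
        raise ValueError("data longer than total_len")
    return in_port, reason, data


def flow_mod_add(xid: int, in_port: int, dl_src: bytes, dl_dst: bytes,
                 out_ports: List[int], priority: int = 100, idle_timeout: int = 10) -> bytes:
    """Controller -> switch: install a flow keyed on (in_port, dl_src, dl_dst).
    out_ports=[] installs a drop (case 3); OFPP_NORMAL hands matching packets
    to the legacy pipeline (case 4); OFPP_CONTROLLER sends them up (case 2)."""
    wildcards = OFPFW_ALL & ~(OFPFW_IN_PORT | OFPFW_DL_SRC | OFPFW_DL_DST)
    match = struct.pack(MATCH, wildcards, in_port, dl_src, dl_dst,
                        0, 0, 0, 0, 0, 0, 0, 0, 0)   # remaining fields wildcarded
    tail = struct.pack(FM_TAIL, 0, OFPFC_ADD, idle_timeout, 0, priority,
                       OFP_NO_BUFFER, OFPP_NONE, 0)
    actions = b"".join(
        struct.pack(ACT_OUT, OFPAT_OUTPUT, 8, p, 128 if p == OFPP_CONTROLLER else 0)
        for p in out_ports)
    body = match + tail + actions
    return struct.pack(HDR, OFP_VERSION, OFPT_FLOW_MOD, 8 + len(body), xid) + body


def parse_flow_mod(msg: bytes) -> Dict[str, object]:
    version, mtype, length, _xid = struct.unpack_from(HDR, msg, 0)
    if version != OFP_VERSION or mtype != OFPT_FLOW_MOD or length != len(msg) or length < 72:
        raise ValueError("not a well-formed OpenFlow 1.0 flow-mod")
    m = struct.unpack_from(MATCH, msg, 8)
    _cookie, command, _idle, _hard, priority, _buf, _out, _flags = struct.unpack_from(FM_TAIL, msg, 48)
    actions, off = [], 72
    while off < length:
        if off + 8 > length:
            raise ValueError("truncated action")
        atype, alen, port, max_len = struct.unpack_from(ACT_OUT, msg, off)
        if atype != OFPAT_OUTPUT or alen != 8:
            raise ValueError("only OFPAT_OUTPUT is decoded here")
        actions.append((port, max_len))
        off += alen
    return {"wildcards": m[0], "in_port": m[1], "dl_src": m[2], "dl_dst": m[3],
            "command": command, "priority": priority, "actions": actions}


def run_demo() -> Dict[str, object]:
    up = packet_in(xid=1, in_port=1, frame=SAMPLE_FRAME)        # switch side
    in_port, reason, data = parse_packet_in(up)                  # controller side
    src, dst = data[6:12], data[0:6]
    forward = flow_mod_add(2, in_port, src, dst, [2])            # case 1
    drop = flow_mod_add(3, in_port, src, dst, [])                # case 3
    normal = flow_mod_add(4, in_port, src, dst, [OFPP_NORMAL])   # case 4
    return {"packet_in_len": len(up), "in_port": in_port, "reason": reason,
            "forward": parse_flow_mod(forward), "drop_len": len(drop),
            "drop": parse_flow_mod(drop), "normal": parse_flow_mod(normal)}


if __name__ == "__main__":
    print(run_demo())
```

Two details are worth checking when decoding captures of this traffic: a flow-mod of exactly 72 bytes (header, match and tail with no actions) is the drop rule, not a malformed message, and the frame inside a packet-in may be shorter than total_len because the switch sends only the first miss_send_len bytes when it buffers the rest.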
