NFV ISG PoC Proposal VNF Router Performance with DDoS Functionality



Similar documents
OpenDaylight Project Proposal Dynamic Flow Management

BEHAVIORAL SECURITY THREAT DETECTION STRATEGIES FOR DATA CENTER SWITCHES AND ROUTERS

Denial of Service Attacks

VALIDATING DDoS THREAT PROTECTION

End to End Network Function Virtualization Architecture Instantiation

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

WHITE PAPER. How To Compare Virtual Devices (NFV) vs Hardware Devices: Testing VNF Performance

The following normative disclaimer shall be included on the front page of a PoC report:

Survey on DDoS Attack Detection and Prevention in Cloud

OpenStack, OpenDaylight, and OPNFV. Chris Wright Chief Technologist Red Hat Feb 3, CHRIS WRIGHT OpenStack, SDN and NFV

ETSI NFV ISG DIRECTION & PRIORITIES

Using SDN-OpenFlow for High-level Services

Introduction to Quality Assurance for Service Provider Network Functions Virtualization

Complete Protection against Evolving DDoS Threats

OpenStack Networking: Where to Next?

Evaluation and Characterization of NFV Infrastructure Solutions on HP Server Platforms

Stress Testing and Distributed Denial of Service Testing of Network Infrastructures

Business Case for a DDoS Consolidated Solution

Panel: Cloud/SDN/NFV 黃 仁 竑 教 授 國 立 中 正 大 學 資 工 系 2015/12/26

Application Defined E2E Security for Network Slices. Linda Dunbar Diego Lopez

CompTIA Network+ (Exam N10-005)

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski

Introduction about DDoS. Security Functional Requirements

CS 356 Lecture 16 Denial of Service. Spring 2013

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

END-TO-END OPTIMIZED NETWORK FUNCTION VIRTUALIZATION DEPLOYMENT

Keyword: Cloud computing, service model, deployment model, network layer security.

Survey on DDoS Attack in Cloud Environment

DDoS Overview and Incident Response Guide. July 2014

Definition of a White Box. Benefits of White Boxes

How To Stop A Ddos Attack On A Website From Being Successful

TDC s perspective on DDoS threats

Ensuring end-user quality in NFV-based infrastructures

Secure Software Programming and Vulnerability Analysis

Lecture 02b Cloud Computing II

Cheap and efficient anti-ddos solution

DDoS Threat Report. Chris Beal Chief Security Architect on Twitter

DoS/DDoS Attacks and Protection on VoIP/UC

Voice Over IP (VoIP) Denial of Service (DoS)

Data Sheet. V-Net Link 700 C Series Link Load Balancer. V-NetLink:Link Load Balancing Solution from VIAEDGE

WAN Optimization in MPLS Networks- the Transparency Challenge!

Ensuring end-user quality in NFV-based infrastructure

Telecom - The technology behind

How To Block A Ddos Attack On A Network With A Firewall

ETSI NFV Management and Orchestration - An Overview

DoS: Attack and Defense

The Role of Virtual Routers In Carrier Networks

F V CE Brocade Communications Systems, Inc. PROPRIETARY INFORMATION 2

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

Securing Cloud using Third Party Threaded IDS

Firewalls and Intrusion Detection

Brocade NetIron Denial of Service Prevention

SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper

Recommended IP Telephony Architecture

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

Evolution of OpenCache: an OpenSource Virtual Content Distribution Network (vcdn) Platform

Firewall Firewall August, 2003

Chapter 11 Cloud Application Development

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Restorable Logical Topology using Cross-Layer Optimization

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

On-Premises DDoS Mitigation for the Enterprise

Campus LAN at NKN Member Institutions

Load Balancing Security Gateways WHITE PAPER

Cloud Networking Disruption with Software Defined Network Virtualization. Ali Khayam

Stateless Packet Filtering Firewall on the NIC & Address Based Filtering

Denial of Service (DOS) Testing IxChariot

Leveraging SDN and NFV in the WAN

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

Denial of Service (DoS) Technical Primer

Analysis of a DDoS Attack

Availability Digest. Prolexic a DDoS Mitigation Service Provider April 2013

Open Source and Network Function Virtualization

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.

Network Security Demonstration - Snort based IDS Integration -

How To Attack A Website With An Asymmetric Attack

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

Basics of Internet Security

Acquia Cloud Edge Protect Powered by CloudFlare

NEFSIS DEDICATED SERVER

Securing the Intelligent Network

NFV Network and Compute Intensive H/W Acceleration (using SDN/PI forwarding)

Arbor s Solution for ISP

Carrier/WAN SDN Brocade Flow Optimizer Making SDN Consumable

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

OpenFlow-enabled SDN and Network Functions Virtualization. ONF Solution Brief February 17, 2014

Introduction to DDoS Attacks. Chris Beal Chief Security Architect on Twitter

LoadMaster Application Delivery Controller Security Overview

SecurityDAM On-demand, Cloud-based DDoS Mitigation

Solution Brief. Load Balancing to Provide Scalable, Reliable, Secure Access Solutions

Transcription:

NFV ISG PoC Proposal VNF Router Performance with DDoS Functionality 1. NFV ISG PoC Proposal 1.1 PoC Team Members Include additional manufacturers, operators or labs should additional roles apply. PoC Project Name: VNF Router Performance with DDoS Functionality Network Operators/ Service Providers: AT&T Telefonica Architect/Coordinator (Vendor A): Brocade Contact: Steven Wright, sw3588@att.com Contact: Diego Lopez, diego@tid.es Contact: Ram (Ramki) Krishnan, ramk@brocade.com Others: Robert Bays, Muhammad Durrani, Stephen Hemminger Vendor B: Intel Vendor C: Spirent Contact: Trevor Cooper, trevor.cooper@intel.com Contact: Rajesh Rajamani, rajesh.rajamani@spirent.com The Real-time Layer 2-4 DDoS Mitigation in NFV Framework PoC will be implemented using Brocade and Intel technologies including Brocade virtual router product and Intel DPDK [DPDK]. Spirent will provide the physical and/or virtual test platforms. AT&T will contribute expertise in use-case requirements, design of test-cases and oversight of solution characterization/analysis. We are open to inclusion of other vendors/operators in our process subject to resource constraints. 1.2 PoC Project Goals Motivation ETSI GS NFV 004 (Network Functions Virtualization (NFV); Virtualization Requirements) [NFV-REQ] describes the need for appropriate security countermeasures to address security vulnerabilities introduced by the virtualization layer. Behavioral security threats such as Distributed Denial of Service (DDoS) attacks are an ongoing problem in today s Data Centers and are expected to pose even greater challenges to network operators deploying NFV infrastructures. This problem is expected to be most acute in multi-tenant DCs providing Virtual Network Function as a Service. This use-case is described in ETSI GS NFV 001 (Network Functions Virtualization (NFV); Use Cases) [VNFaaS]. Specifically Services provided by the ve-cpe may include a router providing QoS and other high-end services such as L7 stateful firewall, intrusion detection and prevention and more. Goals PoC Project Goal #1: This PoC aims to characterize the performance impact of implementing intrusion detection and prevention in a router VNF. The POC will demonstrate various Layer 2-4 DDoS attacks being handled in real-

time using an integrated VNF router. If this approach is successful, it will be highly complementary to the overall behavioral security threat strategy in NFV DCs. 1.3 PoC Demonstration Venue for the demonstration of the PoC: The PoC is planned to be hosted in Brocade Communications Systems, Inc. San Jose, California, USA (additionally in Intel s Comms. Infrastructure Solutions lab in Hillsboro, Oregon) and can be accessed remotely from any location with reliable Internet service. We propose to use the latter capability to demonstrate the PoC at industry events in 2014, yet to be finalized. 1.4 Publication PoC results will be documented in the form of participating company technical collateral (e.g. white paper) and made available to ETSI members. We also intend to use the PoC for public demos at trade-shows and appropriate industry events. 1.5 PoC Project Timeline What is the PoC start date? o The project is already underway as an internal project with the vendors. First PoC Report target date: February, 2014 First Demonstration target date: Open Networking Summit (ONS), March 2 nd - March 5 th 2014, Santa Clara, CA, USA When is the PoC considered completed? Once performance characterization data is published 2. NFV PoC Technical Details 2.1 PoC Overview Layer 2-4 based DDoS attacks are an ongoing problem in today s networks. Examples of Layer 2-4 based DDoS attacks are [FDDOS]: SYN Flood Attack: Fake TCP connections are setup which result in table overflows in stateful devices. UDP Flood Attack: Servers are flooded with UDP packets which results in consumption of bandwidth and CPU. These can be used to target specific services by attacking, e.g., DNS servers and VOIP servers. These can also be amplification attacks the common ones are NTP and DNS. Christmas Tree Flood Attack: TCP packets from non-existent connections with flags other than the SYN flag sent to servers result in consumption of more CPU than normal packets because of the effort required to discard them. Typically, the above attacks are not from a single host or source IP address; multiple hosts with different source IP addresses working in tandem instigate these attacks hence the term Distributed DoS or DDoS. Real-time Layer 2-4 DDoS mitigation involves automatically recognizing large flows [OPSAWG-large-flow] and performing various types QoS actions such as drop, rate-limit on the recognized flows based on configured policies [I2RS-large-flow].

We plan to demonstrate various Layer 2-4 DDoS attacks (not limited to the ones being described above) being detected and mitigated in real-time by a Virtual switch/router (Brocade Vyatta vrouter 5600) which is running on an Intel x86 server as part of an NFV infrastructure. The Virtual switch/router will employ scalable inline line-rate algorithms for automatically recognizing the large flows which are the cause of DDoS attacks; this should ensure that the Virtual switch/router performance is not impacted. As part of this PoC we plan to investigate x86 and DPDK features that enhance performance of this use case. This includes DPDK QoS features which will be used for DDoS mitigation actions. 2.2 PoC Scenarios Figure 1 below depicts the various functional blocks of the data path processing pipeline of a Brocade Vyatta 5600 Virtual Router. Specific PoC objectives in the context of the data path processing pipeline of are described below. Scenario 1 - Study the performance impact and benefits of the Layer 2/3/4 DDoS detection (large flow detection) block on packet processing. Scenario 2 - Study the performance impact and benefits of the QoS block used for Layer 2/3/4 DDoS mitigation. Various tests which will be performed are summarized below. Test 1: For normal traffic, measure packet latency/jitter/throughput without the Layer 2/3/4 DDoS detection and mitigation blocks. Test 2: For normal traffic, measure packet latency/jitter/throughput with the Layer 2/3/4 DDoS detection and mitigation blocks. Test 3: For DDoS + normal traffic, measure packet latency/jitter/throughput without the Layer 2/3/4 DDoS detection and mitigation blocks. Test 4: For DDoS + normal traffic, measure packet latency/jitter/throughput with the Layer 2/3/4 DDoS detection and mitigation blocks. Blocks coloured in Red: Brocade Vyatta vrouter 5600 PoC Focus: Layer 2-4 DDoS detection (large flow detection) performance Blocks coloured in Blue: Intel DPDK PoC Focus: QoS performance

2.2.1 PoC Test Setup Figure 1: Data path processing pipeline of the Brocade Vyatta 5600 Virtual Router Figure 2 below describes the PoC setup which comprises of a single vrouter running over x86 Server Platform and describes how it maps into NFV Architectural Framework [NFV-ARCH]. The NFV vrouter, which is running on a single VM, is the DDOS victim and will be flooded with attack traffic such as UDP Flood along with normal traffic. vrouter will detect the attack and will take appropriate action in real-time while forwarding the normal traffic without any impact. SRIOV [SRIOV] capability in the NIC is enabled to maximize performance. 2.3 Mapping to NFV ISG Work Figure 2: PoC Test Setup This PoC will demonstrate a VNF using a flexible and scalable platform for rapid innovation. Some of the DDoS detection/mitigation schemes described above could be implemented in specialized hardware. However, challenges include 1) long implementation and verification times 2) lack of flexibility in provisioning for new types of DDoS attacks. 3) lack of flexibility to scale capacity based on performance needs. The architectural blocks in the NFV reference architecture framework [NFV-ARCH] which are relevant for this PoC are depicted in Figure 3; these are 1) VNF vrouter which is managed by the VNF Manager 2) Virtual Compute and Virtual Network which are part of NFVI.

Architectural Blocks relevant to PoC Figure 3: Mapping to NFV Architecture Use Case Requirement E2E Arch Comments Scenario 1 UC#2 VNFaaS Vn-NF, NFVI Demonstrates the performance impact and benefits of the Layer 2/3/4 DDoS detection block on packet processing in a VNF vrouter which is part of the ve-cpe service Scenario 2 UC#2 VNFaaS Vn-NF, NFVI Demonstrates the performance impact and benefits of the QoS block used for Layer 2/3/4 DDoS mitigation in a VNF vrouter which is part of the ve-cpe service 2.4 PoC Success Criteria Our goal is to implement a DDoS scenario using the Brocade virtual router and characterizing performance with DDoS functionality added to the router. Success criteria include demonstrating the concept and collecting performance metrics to understand potential bottlenecks and performance limitations on this virtualized solution. 2.5 Expected PoC Contribution This PoC is expected to provide the following contributions PoC Project Contribution #1: VNF DDoS mitigation (new contribution) to NFV Group SEC EG PoC Project Contribution #2: NFV Performance & Portability Best Practises (ETSI GS NFV-PER 001) VNF as a Service to NFV Group PER EG PoC Project Contribution #3: Performance evaluation of a vrouter with intrusion prevention/detection (new contribution) to NFV Group PER EG 3. References [FDDOS] David Holmes, The DDoS Threat Spectrum, F5 White paper 2012

[OPSAWG-large-flow] Krishnan, R. et al., Mechanisms for Optimal LAG/ECMP Component Link Utilization in Networks, February 2014. [I2RS-large-flow] Krishnan, R. et al., Large Flow Use Cases for I2RS PBR and QoS, April 2014. [NIST-CLOUD] Mell, P. et al., The NIST Definition of Cloud Computing, September 2011. [DPDK] Intel DPDK open source project http://dpdk.org/ [VNFaaS] ETSI GS NFV 001Network Functions Virtualization (NFV); Use Cases http://www.etsi.org/deliver/etsi_gs/nfv/001_099/001/01.01.01_60/gs_nfv001v010101p.pdf [NFV-ARCH] NFV Architectural Framework http://www.etsi.org/deliver/etsi_gs/nfv/001_099/002/01.01.01_60/gs_nfv002v010101p.pdf [SRIOV] http://www.intel.com/content/dam/doc/application-note/pci-sig-sr-iov-primer-sr-iov-technology-paper.pdf [NFV-REQ] NFV Virtualization Requirements: http://www.etsi.org/deliver/etsi_gs/nfv/001_099/004/01.01.01_60/gs_nfv004v010101p.pdf

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information