CS6250 Exam 2
L8: What's the purpose of SDX?
In a traditional IXP, the participant ASes connect BGP-speaking border router to a shared layer-two network and a BGP route server. In the SDX architecture, each AS has the illusion of its own virtual SDN switch that connects its border router to every other participant AS.
L7: What is the difference between a traditional and SDN approach in terms of coupling of control and data plane?
In the traditional approach, the routing algorithms (control plane) and forwarding function (data plane) are closely coupled. The router runs and participates in the routing algorithms. From there it is able to construct the forwarding table which consults it for the forwarding function. In the SDN approach, there is a remote controller that computes and distributes the forwarding tables to be used by every router. This controller is physically separate from the router. We have a separation of the functionalities. The routers are solely responsible for forwarding, and the remote controllers are solely responsible for computing and distributing the forwarding tables. The controller is implemented in software, and therefore we say the network is software-defined.
L11 - What developments lead to the popularity of consuming media content over the Internet?
Increase in bandwidth of network core and last mile access links Better video compression Digital Rights management culture has encourages content providers to put content on the Internet
L10 - Explain a scenario of connectivity disruption detection in case of the outbound blocking.
Outbound blocking is the filtering imposed on the outgoing path from the reflector. Here, the reflector receives the SYN-ACK packet and generates a RST packet. As per our example, in step 3, the IP ID increments to 7. However, the RST packet does not reach the site. When the site doesn't receive a RST packet, it continues to resend the SYN-ACK packets at regular intervals depending on the site's OS and its configuration. This is shown in step 5 of the figure. It results in further increment of the IP ID value of the reflector. In step 6, the probe by the measurement machine reveals the IP ID has again increased by 2, which shows that retransmission of packets has occurred. In this way, outbound blocking can be detected.
L7: What are the four defining features in an SDN architecture?
1) Flow-based forwarding: The rules for forwarding packets in the SDN-controlled switches can be computed based on any number of header field values in various layers such as the transport-layer, network-layer and link-layer. This differs from the traditional approach where only the destination IP address determines the forwarding of a packet. 2) Separation of data plane and control plane: The SDN-controlled switches operate on the data plane and they only execute the rules in the flow tables. Those rules are computed, installed, and managed by software that runs on separate servers. 3) Network control functions: The SDN control plane, (running on multiple servers for increased performance and availability) consists of two components: the controller and the network applications. The controller maintains up-to-date network state information about the network devices and elements (for example, hosts, switches, links) and provides it to the network-control applications. This information, in turn, is used by the applications to monitor and control the network devices. 4) A programmable network: The network-control applications act as the "brain" of the SDN control plane by managing the network. Example applications can include network management, traffic engineering, security, automation, analytics, etc. For example, we can have an application that determines the end-to-end path between sources and destinations in the network using Dijkstra's algorithm.
L8: Describe the three perspectives of the SDN landscape.
1. A plane oriented view > Management plane, control plane, data plane 2. The SDN layers > Network apps, PL, language-based virtualization, northbound interface, network OS, network hypervisor, southbound interface, and network infrastructure 3. A system design > Network applications, network OS and network hypervisors, and hardware
L7: What are the three phases in the history of SDN?
1. Active networks 2. Control and data plane separation 3. OpenFlow API and network operating systems
L7: Summarize each phase in the history of SDN.
1. Active networks 2. Control and data plane separation 3. OpenFlow API and network operating systems Active networks > Researchers wanted to test new ideas to improve network services. This required standardization of new protocols by the IETF which was a slow/frustrating process. > More active networks which wanted to open up network control. > Community belief: simplicity of the network core was vital to internet success. The pushes that encouraged active networking: > Reduction in computation cost > PL Advancement (like java) > Advances in rapid code compilation and formal methods. Active networking envisioned unified control that could replace individually managing these boxes. Active networks made three major contributions related to SDN: > Programmable functions in the network to lower the barrier of innovation > Introduced the idea of using programmable networks to overcome the slow speed of innovation in networking. Active networking produced a framework that described a platform that would support experimentation with different programming models. This led to network visualization. Active networking was more involved in redesigning the architecture of networks, so not as much emphasis was given to performance and security. Since there were no specific short-term problems that active networks solved, it was harder to see widespread deployment. The next efforts had a more focused scope and distinguished between control and data planes. This difference made it easier to focus on innovation in a specific plane and inflict widespread change. Control and data plane separation > Network operators were looking for better network-management functions such as control over paths to deliver traffic. > Identified that the challenge in network management depended on the way existing routers and switches tightly integrated the control and data planes. > Efforts the separate the two began: >> Higher link speeds in backbone networks led vendors to implement packet forwarding directly in the hardware >> ISPs found it hard to meet the increasing demands for greater reliability and new services. Two main innovations: Open interface between control and data planes AND logically centralized control of the network Differed from active networking, it: > Focused on spurring innovation by/for network administrators rather than end users/researchers. > Emphasized programmability in the control domain rather than the data domain. > Worked to network-wide visibility rather than device Attempts to separate control and data planes resulted in two concepts used in further SDN design: > Logically centralized control using an open interface to the data plane. > Distributed state management - There was skepticism to moving away from a simple network where all have a common view of the network state to one where the router only had a local view of the outcome of route-selection. This concept of separation of planes helped researchers think clearly about distributed state management. OpenFlow API and network operating systems > OpenFlow was born out of interest in the idea of network experimentation at scale, by researchers and funding agencies. > OpenFlow built on the existing hardware and enabled more functions than earlier route controllers. Enabled immediate deployment. The basic working of an OpenFlow switch: Each switch contains a table of packet-handling rules. Each rule has a pattern, list of actions, set of counters and a priority. When an OpenFlow switch receives a packet, it determines the highest priority matching rule, performs the associated action and increments the counter. OpenFlow was adopted in the industry, unlike its predecessors. Companies started investing more in programmers to write control programs, and less in proprietary switches that could not support new features easily. This allowed many smaller players to become competitive in the market by supporting capabilities like OpenFlow. Key effects that OpenFlow had were: Generalizing network devices and functions Vision of a network operating systems Distributed state management techniquesr
L8: What are three information sources provided by OpenFlow protocol?
1. Event-based messages sent by forwarding devices to controller given a link/port change. 2. Flow statistics generated by forwarding devices and collected by controller. 3. Packet messages are sent by forwarding devices to controller when they do not know what to do with a new incoming flow.
L9: What are 3 classes of features used to determine the likelihood of a security breach within an organization?
1. Mismanagement symptoms 2. Malicious Activities 3. Security Incident Reports
L10: List five DNS censorship techniques and briefly describe their working principles.
1. Packet Dropping > All network traffic going to a set of specific IP addresses is discarded. 2. DNS Poisoning > When a DNS receives a query for resolving hostname to IP address- if there is no answer returned or an incorrect answer is sent to redirect/mislead the request, this scenario is called DNS Poisoning. 3A. Proxy-based content inspection > Allows for all network traffic to pass through a proxy where the traffic is examined for content, and the proxy rejects requests that serve objectionable content. 3B. Intrusion detection system (IDS) based content inspection > An alternative approach is to use parts of an IDS to inspect network traffic. An IDS is easier and more cost effective to implement than a proxy based system as it is more responsive than reactive in nature, in that it informs the firewall rules for future censorship. 4. Blocking with Resets > The GFW employs this technique where it sends a TCP reset (RST) to block individual connections that contain requests with objectionable content. We can see this by packet capturing of requests that are normal and requests that contain potentially flaggable keywords. 5. Immediate Reset of Connections > Censorship systems like GFW have blocking rules in addition to inspecting content, to suspend traffic coming from a source immediately, for a short period of time. After sending a request with flaggable keywords (above), we see a series of packet trace, like this: > The reset packet received by the client is from the firewall. It does not matter that the client sends out legitimate GET requests following one "questionable" request. It will continue to receive resets from the firewall for a particular duration.
L10 - What are the steps involved in the global measurement process using DNS resolvers?
1. Performing global DNS queries 2. Annotating DNS responses with auxiliary information 3. Additional PTR and TLS scanning
L9: What are the two automated techniques used by ARTEMIS to protect against BGP hijacking?
1. Prefix deaggregation 2. Mitigation with Multiple Origin AS (MOAS)
L10: What is DNS censorship?
> A large-scale network traffic filtering strategy opted by a network to enforce control and censorship over Internet infrastructure to suppress material which they deem as objectionable. > An example of large scale DNS censorship is that implemented by networks located in China, which use a Firewall, popularly known as the Great Firewall of China (GFW). This Firewall looks like an opaque system that uses various techniques to censor China's internet traffic and block access to various foreign websites.
L8: Describe the SDX architecture.
> AS A has a virtual switch connecting to the virtual switches of ASes B and C. > Each AS can define forwarding policies as if it is the only participant at the SDX, without influencing how other participants forward packets on their own virtual switches. > Each AS can have its own SDN applications for dropping, modifying, or forwarding their traffic. Policies can also be different based on the direction of the traffic. An inbound policy is applied on the traffic coming from other SDX participants on a virtual switch. An outbound policy is applied to traffic from the participant's virtual switch port towards other participants. > The SDX is responsible to combine the policies from multiple participants into a single one for the physical switch.
L8: What are the applications of SDX in the domain of wide area traffic delivery?
> Application specific peering > Inbound traffic engineering > Wide-area server load balancing > Redirection through middle boxes
L9: What are the main data sources to identify hosts that likely belong to rogue networks, used by FIRE (FInding Rogue nEtworks system)?
> Botnet command and control providers > Drive-by-download hosting providers > Phish housing providers
L9: What are the properties of secure communication?
> Confidentiality > Integrity > Authentication > Availability
L10: What are the three steps involved in DNS injection?
> DNS probe is sent to the open DNS resolvers. > The probe is checked against the blocklist of domains and keywords. > For domain level blocking, a fake DNS A record response is sent back. There are two levels of blocking domains: the first one is by directly blocking the domain, and the second one is by blocking it based on keywords present in the domain
L10: Our understanding of censorship around the world is relatively limited. Why is it the case? What are the challenges?
> Diverse measurements > Need for scale > Identifying the intent to restrict content access > Ethics and minimizing risks Diverse Measurements: Such understanding would need a diverse set of measurements spanning different geographic regions, ISPs, countries, and regions within a single country. Need for Scale: There is a need for methods and tools that are independent of human intervention and participation. Identifying the intent to restrict content access: Identifying DNS manipulation requires that we detect the intent to block access to content. It poses its own challenges. So we need to rely on identifying multiple indications to infer DNS manipulation. Ethics and Minimizing Risks: Obviously, there are risks associated with involving citizens in censorship measurement studies, based on how different countries may be penalizing access to censored material. Therefore it is safer to stay away from using DNS resolvers or DNS forwarders in home networks of individual users. Instead, rely on open DNS resolvers that are hosted in Internet infrastructure, for example within Internet service providers or cloud hosting providers).
L10: What are the properties of GFW (Great Firewall of China)?
> Locality of GFW nodes > Centralized management > Load balancing
L9: How does Round Robin DNS (RRDNS) work?
> Responds to a DNS request with a list of DNS A records, which it then cycles through in a round robin manner. > The DNS client can then choose a record using different strategies - choose the first record each time, use the closest record in terms of network proximity, etc. Each "A" record also has a TTL for this mapping which specifies the number of seconds the response is valid. If the lookup is repeated while the mapping is still active, the client will receive the same set of records.
L8: Which BGP limitations can be addressed by using SDN?
> Routing only on destination IP prefix > Networks have little control over end-to-end paths > SDN can perform multiple actions on the traffic by matching over various header fields, not only by matching on the destination prefix.
L7: What spurred the development of Software Defined Networking (SDN)?
> SDN arose to make CN more programmable > Networks are complex/difficult to manage due to the diversity of equipment on the network and proprietary technologies for the equipment > These made them highly complex, slow to innovate, and drove up the costs of running a network. SDN divides the network into two planes (separation of tasks): 1. control plane 2. data plane.
L9: What are the defenses against DDoS attacks?
> Traffic Scrubbing Services > Access Control List Filters > BGP Flowspec
L10 - How is it possible to achieve connectivity disruption using routing disruption approach?
A routing mechanism decides which part of the network can be reachable. Routers use BGP to communicate updates to other routers in the network. The routers share which destinations it can reach and continuously update its forwarding tables to select the best path for an incoming packet. If this communication is disrupted or disabled on critical routers, it could result in unreachability of the large parts of a network. Using this approach can be easily detectable, as previously advertised prefixes must be withdrawn or re-advertising them with different properties and therefore modifying the global routing state of the network, which is the control plane.
L11 - How does the bitrate adaptation work in DASH (Dynamic Streaming over HTTP)?
A video is divided into chunks that can be downloaded at different bitrates. The client adapts the bitrate based on its estimation of network conditions.
L9: What are the key ideas behind ARTEMIS?
ARTEMIS - a system run locally by network operators to safeguard its own prefixes against malicious BGP hijacking attempts. The key ideas behind ARTEMIS are: > A configuration file - all the prefixes owned by the network are listed for reference. > A mechanism for receiving BGP updates - allows receiving updates from local routers and monitoring services. Built into the system Using the local configuration file as a reference, ARTEMIS can check for prefixes and AS-PATH fields and trigger alerts when there are anomalies.
Expanded History
Active networks Intro Slow and frustrating process to standardize protocols fostered the push for active networks trying to open up network control Active networks with their network API went against the concept of keeping the core simple 2 types of programming models in active networking: Capsule model - carried in-band in data packets Programmable router/switch model - established by out-of-band mechanisms Technology push - The pushes that encouraged active networking were: Reduction in computation cost (more processing into the network). Advancement in programming languages. (Java: platform portability, code execution safety, and VM (virtual machine) technology to protect the active node in case of misbehaving programs). Advances in rapid code compilation and formal methods. Funding from agencies such as DARPA (U.S. Defense Advanced Research Projects Agency) for a collection promoted interoperability among projects. There were no short-term use cases. Use pull - The use pulls for active networking were: Network service provider frustration concerning the long timeline to develop and deploy new network services. Third party interests to add value by implementing control at a more individualistic nature. This meant dynamically meeting the needs of specific applications or network conditions. Researchers' interest in having a network that would support large-scale experimentation. Unified control over middleboxes. Active networking envisioned unified control that could replace individually managing these boxes. Active networks contributions related to SDN: Programmable functions in the network to lower the barrier to innovation. While many early visions for SDN concentrated on increasing programmability of the control-plane, active networks focused on the programmability of the data-plane. The concept of isolating experimental traffic from normal traffic has emerged from active networking and is heavily used in OpenFlow and other SDN technologies. Network virtualization, and the ability to demultiplex to software programs based on packet headers. The vision of a unified architecture for middlebox orchestration. Conclusion: Did not see widespread deployment because it didn't solve a specific short-term problem and was too ambitious. It also did not focus on performance and security. Control and data plane separation Intro This phase was different from active networking in several ways: It focused on spurring innovation by and for network administrators rather than end users and researchers. It emphasized programmability in the control domain rather than the data domain. It worked towards network-wide visibility and control rather than device-level configurations. Technology push - The technology pushes that encouraged control and data plane separation were: Higher link speeds in backbone networks led vendors to implement packet forwarding directly in the hardware, thus separating it from the control-plane software. Internet Service Providers (ISPs) found it hard to meet the increasing demands for greater reliability and new services (such as virtual private networks), and struggled to manage the increased size and scope of their networks. Servers had substantially more memory and processing resources than those deployed one-two years prior. This meant that a single server could store all routing states and compute all routing decisions for a large ISP network. This also enabled simple backup replication strategies - thus, ensuring controller reliability. Open source routing software lowered the barrier to creating prototype implementations of centralized routing controllers. These pushes inspired two main innovations: Open interface between control and data planes Logically centralized control of the network Use pull Selecting between network paths based on the current traffic load Minimizing disruptions during planned routing changes Redirecting/dropping suspected attack traffic Allowing customer networks more control over traffic flow Offering value-added services for virtual private network customers Control and data plane separation contributions related to SDN: Logically centralized control using an open interface to the data plane. Distributed state management. Conclusion Did see widespread adoption because it had a more focused scope, and distinguished between control and data planes. This made it easier to focus on innovation in a specific plane. OpenFlow API and network operating systems Intro The basic working of an OpenFlow switch is as follows. Each switch contains a table of packet-handling rules. Each rule has a pattern, list of actions, set of counters and a priority. When an OpenFlow switch receives a packet, it determines the highest priority matching rule, performs the action associated with it and increments the counter. Technology push - OpenFlow was adopted in the industry, unlike its predecessors. This could be due to: Before OpenFlow, switch chipset vendors had already started to allow programmers to control some forwarding behaviors. This allowed more companies to build switches without having to design and fabricate their own data plane. Early OpenFlow versions built on technology that the switches already supported. This meant that enabling OpenFlow initially was as simple as performing a firmware upgrade! Use pull: OpenFlow came up to meet the need of conducting large scale experimentation on network architectures. OpenFlow was useful in data-center networks - there was a need to manage network traffic at large scales. Companies started investing more in programmers to write control programs, and less in proprietary switches that could not support new features easily. This allowed many smaller players to become competitive in the market by supporting capabilities like OpenFlow. Some key effects that OpenFlow had were: Generalizing network devices and functions. The vision of a network operating system. Distributed state management techniques.
L9: (BGP hijacking) What is the classification by AS-Path announcement?
An illegitimate AS announces the AS-path for a prefix for which it doesn't have ownership rights. Achieve this: > Type-0 hijacking: An AS announcing a prefix not owned by itself. > Type-N hijacking: An attack where the counterfeit AS announces an illegitimate path for a prefix that it does not own to create a fake link (path) between different ASes. For example, {AS2, ASx, ASy, AS1 - 10.0.0.0/23} denotes a fake path between AS2 and AS1, where there is no link between AS2 and ASx. The N denotes the position of the rightmost fake link in the illegitimate announcement, e.g. {AS2, ASy, AS1 - 10.0.0.0/23} is a Type-2 hijacking > Type-U hijacking: The hijacking AS does not modify the AS-PATH but may change the prefix
L11 - How does the encoding of analog audio work (in simple terms)?
Analog is a continuous wave. For digital, thousands of samples are taken per second and then rounded to some discrete value to best approximate the analog wave. This is known as quantization.
L9: Explain IXP blackholing.
At IXPs, if the AS is a member of an IXP infrastructure and it is under attack, it sends the blackholing messages to the IXP route server when a member connects to the route server. The route server then announces the message to all the connected IXP member ASes, which then drops the traffic towards the blackholed prefix. The null interface to which the traffic should be sent is specified by the IXP. The blackholing message sent to the IXP should contain the IXP blackhole community.
L9: Explain the scenario of hijacking a path.
Attacker manipulates received updates before propagating them to neighbors. > AS1 advertises the prefix 10.10.0.0/16. > AS2 and AS3 receive and propagate legitimately the path for the prefix. > At AS4, attacker compromises update for the path by changing it to 4, 1 and propagates it to the neighbors AS3, AS2, and AS5. Therefore it claims that it has a direct link to AS1 so that others believe the new false path. > AS5 receives the false path (4,1) "believes" the new false path and it adopts it. But the rest of the ASes don't adopt the new path because they either have a shorter path already or an equally long path to AS1 for the same prefix. The attacker does not need not to announce a new prefix, but rather it manipulates an ad before propagating it.
L9: Explain the scenario of prefix hijacking.
Attacker uses a router at AS4 to send false announcements and hijack the prefix 10.10.0.0/16 that belongs to AS1. > The attacker uses a router to announce the prefix 10.10.0.0/16 that belongs to AS1, with a new origin AS4, pretending that the prefix belongs to AS4. > This new announcement causes a conflict of origin for the ASes that receive it. > As a result of the new announcement, AS2, AS3 and AS5 receive the false ads and compare it with the previous entries in their RIB. > AS2 will not select the route as the best route as it has the same path length with an existing entry. > AS3 and AS5 believe the new ad, and they will update their entries (10.10.0.0/16 with path 4,2,1) to (10.10.0.0/16 with path 4). Therefore AS5 and AS3 will send all traffic for prefix 10.10.0.0/16 to AS4 instead of AS1.
L9: Describe a Reflection and Amplification attack.
Attackers use a set of reflectors to initiate an attack on the victim. A reflector is any server that sends a response to a request. The master directs the slaves to send spoofed requests to a very large number of reflectors. The slaves set the source address of the packets to the victim's IP address, thereby redirecting the response of the reflectors to the victim. Thus, the victim receives responses from millions of reflectors resulting in exhaustion of its bandwidth. In addition, the victim's resources are wasted in processing these responses, making it unable to respond to legitimate requests. The master commands the three slaves to send spoofed requests to the reflectors, which in turn sends traffic to the victim. This is in contrast with the conventional DDoS attack we saw in the previous section, where the slaves directly send traffic to the victim. Victims can easily identify the reflectors from the response packets but reflectors can't identify the slave sending the spoofed requests. If the requests are chosen in such a way that the reflectors send large responses to the victim, it is a reflection and amplification attack. Not only would the victim receive traffic from millions of servers, the response sent would be large in size, making it further difficult for the victim to handle it.
L9: Explain provider-based blackholing.
BGP blackholing - Countermeasure to mitigate a DDoS attack. With this mechanism, all attack traffic to a targeted DoS destination is dropped to a null location. The premise of this approach is that the traffic is stopped closer to the source of the attack and before it reaches the targeted victim. For a high volume attack, it proves to be an effective strategy when compared to other mitigation options. Provider-based blackholing - A network that offers blackholing service is known as a blackholing provider. It is also responsible for providing the blackholing community that should be used. Network or customer providers act as blackholing providers at the network edge. ISPs or IXPs act as blackholing providers at the Internet core. If the blackholing provider is a peer or an upstream provider, the AS must announce its associated blackhole community along with the blackhole prefix. Assume the IP 130.149.1.1 in AS2 is under attack.
L11 - How does error concealment technique deal with the packet loss in VoIP?
By replacing a lost packet with either a copy of a prior packet or an approximated packet (using interpolation with the packets before and after the lost packet)
L9: How does DNS-based content delivery work?
CDNs distribute the load among multiple servers at a single location, but also distribute servers across the world. When accessing the name of the service using DNS, the CDN computes the 'nearest edge server' and returns its IP address to the DNS client. It uses sophisticated techniques based on network topology and current link characteristics to determine the nearest server. This results in the content being moved 'closer' to the DNS client which increases responsiveness and availability. CDNs can react quickly to changes in link characteristics as their TTL is lower than that in RRDNS.
L8: What are the two main operations of P4 forwarding model?
CONFIGURE - determines the packet processing and the supported protocols in a switch whereas POPULATE - decides the policies to be applied to the packets.
L9: What is spoofing, and how is it related to DDoS attack?
IP spoofing is the act of setting a false IP address in the source field of a packet with the purpose of impersonating a legitimate server. In DDoS attacks, the source IP address is spoofed, resulting in the response of the server sent to some other client instead of the attacker's machine. This results in wastage of network resources and the client resources while also causing denial of service to legitimate users. Also, the attacker sets the same IP address in both the src/dst IP fields. This results in the server sending replies to itself, causing it to crash.
L10 - What kind of disruptions does Augur focus on identifying?
IP-based disruptions as opposed to DNS-based manipulations.
L8: What are the differences between centralized and distributed architectures of SDN controllers?
Centralized controllers can't scale. Distributed controllers can. Centralized controllers have a single POF while distributed systems do not (i.e. they have fault tolerance). Centralized controllers: In this architecture, we typically see a single entity that manages all forwarding devices in the network, which is a single point of failure and may have scaling issues. Also, a single controller may not be enough to handle a large number of data plane elements. Some enterprise class networks and data centers use such architectures, such as Maestro, Beacon, NOX-MT. Distributed controllers: Unlike single controller architectures that cannot scale in practice, a distributed network operating system (controller) can be scaled to meet the requirements of potentially any environment - small or large networks. Distribution can occur in two ways: it can be a centralized cluster of nodes or physically distributed set of elements. Typically, a cloud provider that runs across multiple data centers interconnected by a WAN may require a hybrid approach to distribution - clusters of controllers inside each data center and distributed controller nodes in different sites. Properties of distributed controllers: 1. Weak consistency semantics 2. Fault tolerance
L10 - What metrics does Iris use to identify DNS manipulation once data annotation is complete? Describe the metrics. Under what condition, do we declare the response as being manipulated?
Consistency Metrics > Domain access should have some consistency, in terms of network properties, infrastructure or content, even when accessed from different global vantage points. Some consistency metrics used are IP address, Autonomous System, etc Independent Verifiability Metrics > Use metrics that can be externally verified using external data sources. Some of the independent verifiability metrics used are: HTTPS certificate. Neither metric is satisfied, response = manipulated.
L7: What is the function of the control and data planes?
Control plane - controls forwarding behavior of routers, such as routing protocols and network middlebox configurations. Data plane - performs actual forwarding as dictated by the control plane. IP forwarding and layer 2 switching are functions of the data plane.
L11 - What are the characteristics of conversational voice and video over IP?
Conversational streaming usually involves 2 or more clients and is highly delay sensitive. Delays under 150ms are unnoticeable, and delays over 400ms can be frustrating to users. Conversational applications are loss tolerant as long as the lost information is not too concentrated.
L10 - How to identify DNS manipulation via machine learning with Iris?
If any consistency metric or independent verifiability metric is satisfied, the response is correct. Otherwise, the response is classified as manipulated.
L9: Explain the structure of a DDoS attack.
DDOS is an attempt to compromise a server or network resources with a flood of traffic. To achieve this, the attacker first compromises and deploys flooding servers (slaves). Later, when initiating an attack, the attacker instructs flooding servers to send a high volume of traffic to the victim. This results in the victim host either becoming unreachable or in exhaustion of its bandwidth. The master host sends control messages to the three compromised slaves directing them to send a huge amount of traffic to the victim. The packets sent from the slave contain the source address as a random IP address and the destination as the victim's IP address. This master-slave configuration amplifies the intensity of the attack while also making it difficult to protect against it. The attack traffic sent by the slaves contain spoofed source addresses making it difficult for victims to track slaves. Also, since traffic is sent from multiple sources, it's harder to isolate and block the attack traffic.
L10: How does DNS injection work?
DNS injection is one of the most common censorship techniques employed by the GFW. The GFW uses a ruleset to determine when to inject DNS replies to censor network traffic. To start with, it is important to identify and isolate networks that use DNS injection for censorship.
L7: Why did the SDN lead to opportunities in various areas such as data centers, routing, enterprise networks, and research network?
Data Centers - Management of large data centers is not easy. SDN makes it easier. Routing - BGP constrains routes. There are limited controls over inbound and outbound traffic. With SDN, it's easier to update the router's state and SDN provides more control over path selection. Enterprise Networks - Using SDN, it is easier to protect a network from volumetric attacks such as DDOS if we drop the attack traffic at strategic locations on the network. Research Networks - SDN allows research networks to coexist with production ones. Separation of the control and data planes supports the independent evolution and development of both. Thus, the software aspect of the network can evolve independent of the hardware aspect. Since both control and forwarding behavior are separate, this enables us to use higher-level software programs for control. This makes it easier to debug and check the network's behavior.
L11 - What kind of delays are included in "end-to-end delay"?
Encoding Converting data into packets Network delay Playback delay (from recipient's buffer) Decoding
L11 - What are three QoS VoIP metrics?
End to end delay Jitter Packet Loss
L11 - Compare the three major methods for dealing with packet loss in VoIP protocols.
FEC (Forward Error Correction) Interleaving Error Concealment
L9: How do Fast-Flux Service Networks work?
FFSN is based on a 'rapid' change in DNS answers, with a TTL lower than that of RRDNS and CDN. One key difference between FFDN and the other methods is that after the TTL expires, it returns a different set of A records from a larger set of compromised machines. These compromised machines act as proxies between the incoming request and control node/mothership, forming a resilient, robust, one-hop overlay network.
Forwarding vs Routing Expanded
Forwarding - Is the process inside a router of determining through which output link to send the packet it received at its input link. - It could actually block the packet from exiting the router, if it is suspected to have been sent by a malicious router. - It could also duplicate the packet and send it along multiple output links. - Forwarding usually takes place in nanoseconds and is implemented in the hardware. - Forwarding is a function of the data plane. - A router looks at the header of an incoming packet and consults the forwarding table, to determine the outgoing link to send the packet to. Routing - Involves determining the path from the sender to the receiver across the network. - Routers rely on routing algorithms for this purpose. - It is an end-to-end process for networks. - It usually takes place in seconds and is implemented in software. - Routing is a function of the control plane.
L10: What are the limitations of main censorship detection systems?
Global censorship measurement tools were created by efforts to measure censorship by running experiments from diverse vantage points. For example, CensMon used PlanetLab nodes in different countries. However, many such methods are no longer in use. One of the most common systems/approaches is the OpenNet Initiative where volunteers perform measurements on their home networks at different times since the past decade. Relying on volunteer efforts makes continuous and diverse measurements very difficult.
L9: What are the causes or motivations behind BGP attacks?
Human Error Targeted Attack (MitM) High Impact Attack
L8: Describe the responsibility of each layer in the SDN layer perspective.
Infrastructure > Consists of networking equipment (routers, switches, etc). Diff - these physical networking equipment are merely forwarding elements that do a simple forwarding task, and any logic to operate them is directed from the centralized control system. Southbound interfaces > Connects bridges between connecting and forwarding elements. Sit between control and data plane, so play a crucial role in separating plane functionality. APIs are tightly coupled with forwarding elements of the underlying physical or virtual infrastructure. Network virtualization > Network infrastructure needs to provide support for arbitrary network topologies and addressing schemes. Existing virtualization constructs can provide full network virtualization, however they're connected by a box-by-box basis config and there is no unifying abstraction that can be leveraged to configure them globally, making network provisioning tasks as long as months/years. Network OS > SDN eases network management and solves networking problems by using a logically centralized controller - the network (NOS). Provides abstractions, essential services and common APIs to developers. Such systems propel more innovation by reducing inherent complexity of creating new network protocols and applications. Northbound interfaces > Two core abstractions of an SDN ecosystem are Southbound and Northbound interfaces. Northbound interfaces are supposed to be a mostly software ecosystem, as opposed to the Southbound interfaces. Another key requirement is the abstraction that guarantees PL and controller independence. Language-based virtualization > Important characteristic of virtualization is the ability to express modularity and allowing different levels of abstraction. For example, using virtualization we can view a single physical device in different ways. Takes the complexity away from app devs without compromising on security which is inherently guaranteed. Network programming languages > Achieved using low-level or high-level programming languages. Using low-level languages, it is difficult to write modular code, reuse it and it generally leads to more error-prone development. HL programming languages in SDNs provide abstractions, make development more modular, code more reusable in the control plane, do away with device specific and low-level configurations, and generally allow faster development. Network applications > Implement the control plane logic and translate to commands in the data plane. SDNs can be deployed on traditional networks, and can find itself in home area networks, data centers, IXPs etc. Due to this, there is a wide variety of network applications such as routing, load balancing, security enforcement, end-to-end QoS enforcement, power consumption reduction, network virtualization, mobility management, etc.
L11 - How does interleaving deal with the packet loss in VoIP/streaming stored audio? What are the tradeoffs of interleaving?
Interleaving spreads playback information across multiple chunks. This way, if one chunk is lost, there is still enough information in the other chunks to reconstruct the output. The idea is that many smaller audio gaps are preferable to one large audio gap. The receiving side has to wait longer to receive consecutive chunks of audio, and that increases latency.
L10 - How does Iris counter the issue of lack of diversity while studying DNS manipulation? What are the steps associated with the proposed process?
Iris uses open DNS resolvers located globally. In order to avoid using home routers (which are usually open due to configuration issues), this dataset is then restricted to a few thousand that are part of the Internet infrastructure. Steps: > Scanning the Internet's IPv4 space for open DNS resolvers > Identifying Infrastructure DNS Resolvers
L11 - What are the characteristics of streaming stored video?
It's interactive (users can pause, rewind or fast forward), and should play continuously. Video is usually stored in a CDN and can be shared using client + server model or p2p.
L11 - How does "delay jitter" occur?
Jitter occurs because different packets experience different levels of delay.
Describe ONOS
ONOS (Open Networking Operating System) is a distributed SDN control platform. It aims to provide a global view of the network to the applications, scale-out performance and fault tolerance. There are several ONOS instances running in a cluster. The management and sharing of the network state across these instances is achieved by maintaining a global network view. This view is built by using the network topology and state information (port, link and host information, etc) that is discovered by each instance. To make forwarding and policy decisions, the applications consume information from the view and then update these decisions back to the view. The corresponding OpenFlow managers receive the changes the applications make to the view, and the appropriate switches are programmed. Titan, a graph database and a distributed key value store Cassandra are used to implement the view. The applications interact with the network view using the Blueprints graph API. The distributed architecture of ONOS offers scale-out performance and fault tolerance. Each ONOS instance serves as the master OpenFlow controller for a group of switches. The propagation of state changes between a switch and the network view is handled solely by the master instance of that switch. The workload can be distributed by adding more instances to the ONOS cluster in case the data plane increases in capacity or the demand in the control plane goes up. Zookeeper is used to maintain the mastership between the switch and the controller.
L8: Describe the purpose of each component of ONOS (Open Networking Operating System)
ONOS - distributed SDN control platform. 1. Application 2. Network View 3. OF Manager View is built by using the network topology and state info (port, link and host information, etc) discovered by each instance. To make forwarding and policy decisions, the applications consume information from the view and then update these decisions back to the view. The corresponding OpenFlow managers receive the changes the applications make to the view, and the appropriate switches are programmed. The applications interact with the network view using the Blueprints graph API. The distributed architecture of ONOS offers scale-out performance and fault tolerance.
L8: How does ONOS achieve fault tolerance?
ONOS redistributes the work of a failed instance to other remaining instances. Each switch in the network connects to multiple ONOS instances with only one instance acting as its master. Upon failure of an ONOS instance, an election is held on a consensus basis to choose a master for each of the switches that were controlled by the failed instance. For each switch, a master is selected among the remaining instances with which the switch had established connection.
L9: What are two findings from ARTEMIS?
Outsource the task of BGP announcement to third parties: Having just a single external org to mitigate BGP attacks is highly effective against attacks. Comparison of outsourcing BGP announcements vs prefix filtering: When compared against prefix filtering (current standard defense mechanism), found that filtering is less optimal when compared against BGP announcements.
L8: What is P4?
P4 - a language that was developed to offer programmability on the data plane. P4 (Programming Protocol-independent Packet Processors) - a HL PL to configure switches which works in conjunction with SDN control protocols. P4 is used to configure the switch programmatically and acts as a general interface between switches and the controller with its main aim of allowing the controller to define how the switches operate.
L10: Which DNS censorship technique is susceptible to overblocking?
Packet Dropping
L10 - How is it possible to achieve connectivity disruption using packet filtering approach?
Packet filtering can be used to block packets matching a certain criteria disrupting the normal forwarding action. This approach can be harder to detect and might require active probing of the forwarding path or monitoring traffic of the impacted network.
L9: (BGP hijacking) What is the classification by affected prefix?
Primarily concerned with the IP prefixes that are advertised by BGP. There are different ways the prefix can be targeted, such as: > Exact prefix hijacking: When two different ASes (one genuine, other counterfeit) announce a path for the same prefix. Traffic is routed towards the hijacker wherever AS-path route is shortest, thereby disrupting traffic. > Sub-prefix hijacking: This is an extension of exact prefix hijacking, except that in this case, the hijacking AS works with a sub-prefix of the genuine prefix of the real AS. Exploits characteristics of BGP to favor more specific prefixes, and as a result route large/entire amounts of traffic to hijacking AS. Example: A given hijacking AS labelled AS2 announces that it has a path to prefix 10.10.0.0/24 which is a part of 10.10.0.0/16 owned by AS1. > Squatting: In this type of attack, the hijacking AS announces a prefix that has not yet been announced by the owner AS
L8: What are the primary goals of P4?
Reconfigurability > Method of parsing and processing of packets takes place in the switches should be modifiable by the controller. Protocol independence > To enable switches to be independent of protocol, controller defines a packet parser and a set of tables mapping matches and their actions. The packet parser extracts the header fields which are then passed on to the match+action tables to be processed. Target independence > Packet processing programs should be programmed independent of the underlying target devices. > These generalized programs written in P4 should be converted into target-dependent programs by a compiler which are then used to configure the switch.
L11 - How does FEC (Forward Error Correction) deal with the packet loss in VoIP?
Redundant data is transmitted to the recipient. There a XOR is applied to the data which essentially fills the holes created by the lost packet. Redundant data is usually lower quality than the original.
L11 - Summarize how progressive download works.
Requests (HTTP GET) are made for content of varying bit rates (depending on network intelligence). Servers send over information as fast as possible. Progressive download starts in a "Buffer filling" state where it continuously makes requests until the buffer is full and a "Steady state", where requests are made as space becomes available.
L7: What are the main components of SDN network and their responsibilities?
SDN-controlled network elements > Forwards network traffic based on rules computed by the SDN control plane. SDN controller > Acts as an interface between other two Network-control applications > Programs that manage underlying network by collecting info on elements with help of the controller.
L11 - What was the original vision of the application-level protocol for video content delivery and why was HTTP chosen eventually?
Specialized stateful servers (intelligence on the server). HTTP was used because of existing CDN infrastructure, which uses HTTP. It also made bypassing middleboxes and firewalls easier since they already know HTTP.
L10: What are the strengths and weaknesses of "DNS poisoning" DNS censorship technique?
Strength > No overblocking: Since there is an extra layer of hostname translation, access to specific hostnames can be blocked versus blanket IP address blocking.
L10: What are the strengths and weaknesses of "packet dropping" DNS censorship technique?
Strengths > Easy to implement > Low cost Weaknesses > Maintenance of blocklist - Challenging to stay updated on list of IP addresses to block > Overblocking - If two websites share same IP address and the intention is to only block one, there's a risk of blocking both
L10: What are the strengths and weaknesses of "content inspection" DNS censorship technique?
Strengths > Precise censorship: A very precise level of censorship can be achieved, down to the level of single web pages or even objects within the web page. > Flexible: Works well with hybrid security systems e.g. with a combination of other censorship techniques like packet dropping and DNS poisoning Weakness > Not scalable: They are expensive to implement on a large scale network as the processing overhead is large (through a proxy)
L11 - Which protocol is preferred for video content delivery -UDP or TCP? Why?
TCP. Reliability and congestion control are the 2 factors that lead to TCP winning out. Reliability is important because lost data will likely lead to decoding failure. Congestion control is key to preventing re-buffering
L7: What are the three layers of SDN controller?
The SDN controller is a part of the SDN control plane and acts as an interface between the network elements and the network-control applications. The SDN controller, although viewed as a monolithic service by external devices and applications, is implemented by distributed servers to achieve fault tolerance, high availability and efficiency. Despite the issues of synchronization across servers, many modern controllers such as OpenDayLight and ONOS have solved it and prefer distributed controllers to provide highly scalable services. An SDN controller can be broadly split into three layers: Communication layer: communicating between the controller and the network elements Controller's "southbound" interface OpenFlow is an example of this protocol Network-wide state-management layer: stores information of network-state (hosts, links, switches, flow tables of the switches, etc.) Interface to the network-control application layer: communicating between controller and applications Controller's "northbound" interface Network-control applications can read/write network state and flow tables in the controller's state-management layer.
L11 - What are the tradeoffs of FEC?
The biggest trade off is the increased bandwidth consumption. The receiver also needs a larger buffer to handle the duplicate data, which leads to playback delay.
L9: What is one of the major drawbacks of BGP blackholing?
The destination under attack becomes unreachable since all the traffic including the legitimate traffic is dropped. Consider the DDoS attack scenario where there is no mitigation strategy in place. In the control plane, the prefix 100.10.10.0/24 is advertised by AS1. Suppose a web service running on IP 100.10.10.10 comes under attack, which falls under AS1. This results in unreachability of the service by users from both AS2 and AS3 as the network port in AS1 becomes overloaded.
L9: (BGP hijacking) What is the classification by data plane traffic manipulation?
The intention of the attacker is to hijack the network traffic and manipulate the redirected network traffic on its way to the receiving AS. Three ways the attack can be realized under this classification: > Dropped, so it never reaches the intended destination. This attack falls under the category of blackholing (BH) attack. > Eavesdropped or manipulated before it reaches receiving AS, also called MitM > Impersonated - network traffic of the victim AS is impersonated and response to this network traffic is sent back to the sender. This attack is called an imposture (IM) attack.
L7: Why separate the control from the data plane?
The reasons we separate the two are: Independent evolution and development - Routers only focus on forwarding. - Improvement in routing algorithms can take place without affecting any of the existing routers. - By limiting the interplay between these two functions, we can develop them more easily. Control from high-level software program - In SDN, we use software to compute the forwarding tables. Thus, we can easily use higher-order programs to control the routers' behavior. - The decoupling of functions makes debugging and checking the behavior of the network easier.
L10 - Explain a scenario of connectivity disruption detection in case of the inbound blocking.
The scenario where filtering occurs on the path from the site to the reflector is termed as inbound blocking. In this case, the SYN-ACK packet sent from the site in step 3 does not reach the reflector. Hence, there is no response generated and the IP ID of the reflector does not increase. The returned IP ID in step 4 will be 7 (IPID(t4)) as shown in the figure. Since the measurement machine observes the increment in IP ID value as 1, it detects filtering on the path from the site to the reflector.
L10: Explain a scenario of connectivity disruption detection in case when no filtering occurs.
The sequence of events is as follows: The measurement machine probes the IP ID of the reflector by sending a TCP SYN-ACK packet. It receives a RST response packet with IP ID set to 6 (IPID (t1)). Now, the measurement machine performs perturbation by sending a spoofed TCP SYN to the site. The site sends a TCP SYN-ACK packet to the reflector and receives a RST packet as a response. The IP ID of the reflector is now incremented to 7. The measurement machine again probes the IP ID of the reflector and receives a response with the IP ID value set to 8 (IPID (t4)). The measurement machine thus observes that the difference in IP IDs between steps 1 and 4 is 2 and infers that communication has occurred between the two hosts.
L11 - What are the characteristics of streaming live audio and video?
These are more delay sensitive than stored video, but not as delay sensitive as conversation voice and video. Live video and audio streams tend to have lots of simultaneous users. Generally, up to 10 seconds delay is ok.
L8: What's the main purpose of southbound interfaces?
They're the separating medium between the control plane and data plane functionality. They promote interoperability and deployment of vendor-agnostic devices.
L8: When would a distributed controller be preferred to a centralized controller?
To prevent a single point of failure and scaling issues. To take advantage of fault tolerance.
L8: What are the core SDN controller functions?
Topology, statistics, notifications, device management, along with shortest path forwarding and security mechanisms. Security mechanisms are critical components to provide basic isolation and security enforcement between services and applications.
L7: What is the relationship between forwarding and routing?
Traditional approach - the routing algorithms (control plane) and forwarding function (data plane) are closely coupled. The router runs and participates in the routing algorithms. From there, it is able to construct the forwarding table which it consults for the forwarding. SDN approach - a remote controller that computes and distributes the forwarding tables to be used by every router. This controller is physically separate from the router. There is a clear separation of the functionalities. The routers are solely responsible for forwarding, and the remote controllers are solely responsible for computing and distributing the forwarding tables.
SDN Intro, the 3 planes
Traditionally viewed, computer networks have three planes of functionality, which are all abstract logical concepts: Data plane: These are functions and processes that forward data in the form of packets or frames. Control plane: These refer to functions and processes that determine which path to use by using protocols to populate forwarding tables of data plane elements. Management plane: These are services that are used to monitor and configure the control functionality, e.g. SNMP-based tools. In short, say if a network policy is defined in the management plane, the control plane enforces the policy and the data plane executes the policy by forwarding the data accordingly.
L8: What are the applications of SDN? Provide examples of each application.
Traffic Engineering > ElasticTree identifies and shuts down specific links and devices depending on the traffic load. > Load balancing applications such as Plug-n-Serve and Aster*x achieve scalability by creating rules based on wildcard patterns which enables handling of large numbers of requests from a particular group. Mobility and Wireless > OpenRadio enables decoupling of the wireless protocols from the underlying hardware by providing an abstraction layer. > Light virtual access points (LVAPs) offer an improved way of managing wireless networks by using a one-to-one mapping between LVAPs and clients. Measurement and Monitoring > New functions can be added easily to measurement systems such as BISmark in an SDN-based broadband connection, which enables the system to respond to change in network conditions. > OpenSketch is a southbound API that offers flexibility for network measurements. > OpenSample and PayLess are examples of monitoring frameworks. Security and Dependability > Randomly mutating the IP addresses of hosts to fake dynamic IPs to the attackers (OF-RHM) > Monitoring the cloud infrastructures (CloudWatcher). Data Center Networking > LIME is one such SDN application which aims to provide live migration > FlowDiff is an application which detects abnormalities.
L9: The design of ASwatch is based on monitoring global BGP routing activity to learn the control plane behavior of a network. Describe 2 phases of this system.
Training phase > The system learns control-plane behavior typical of both types of ASes. The system is given a list of known malicious and legitimate ASes. It then tracks the behavior of these ASes over time to track their business relationships with other ASes and their BGP updates/withdrawals patterns. ASwatch then computes statistical features of each AS. The system then uses supervised learning to capture the known behaviors and patterns with a trained model. Operational phase > Given an unknown AS, it then calculates the features for this AS. It uses the model to then assign a reputation score to the AS. If the system assigns the AS a low reputation score for several days in a row (indicating consistent suspicious behavior), it flags it as malicious.
L11 - How to handle network and user device diversity?
Use multiple bitrates to accommodate varying network conditions and screen sizes. The client can then pick the best bitrate. At the beginning of every video session, the client first downloads a manifest file that contains all the metadata information about the video content (ex. bitrates) and the associated URLs.
L11 - What are the functions that signaling protocols are responsible for?
User location - Identifying where the recipient/calee of the signal is Session establishment - for recipient/calee (handling acceptance / rejection / redirection) Session negotiation (synchronizing participants on some set of session properties) Call participation management (handling endpoints joining or leaving an existing session)
L11 - Compare the bitrate for video, photos, and audio.
Video has the highest bitrate (2 Mbps) by a large margin, while audio (128 kbps) has the lowest bitrate. Photos (320 kbps) are in between video and audio.
L11 - Provide a high-level overview of adaptive video streaming.
Video is available in multiple bitrates. The client will select a bitrate for each fetch depending on the network conditions
L8: Describe a pipeline of flow tables in OpenFlow.
When a packet arrives, the lookup process starts in the first table and ends either with a match in one of the tables of the pipeline or with a miss (no rule is found for that packet). It is based on a pipeline of flow tables where each entry of a flow table has three parts: a) a matching rule, b) actions to be executed on matching packets, and c) counters that keep statistics of matching packets. Actions for the packet include: > Forward packet to outgoing port > Encapsulate packet and forward to controller > Drop packet > Send packet to normal processing pipeline > Send packet to next flow table
L11 - What are the three major categories of VoIP encoding schemes?
narrowband broadband multimode