FI Research in China Jun Bi Tsinghua Univ./CERNET Beijing China
FI Research in China

Jun Bi

Tsinghua Univ./CERNET

Beijing China

Outline

• FI Research Overview in China
  – Domestic FI-related Projects
  – International Collaborations
• Some FI Research in Tsinghua Univ.
  – OpenFlow Extension (Openflow+) for Intra-AS Source Address Validation
  – NDN
    • Audio Conference Tool (collaborating with PARC/UCLA); see the SIGCOMM11 ICN WS paper
    • Caching, test-bed, Router, Gateway…

Internet Development in China

• The largest Internet population in the world
  – 2011 July: 485 million Internet users in China
  – Still growing fast (only 36.2 % of population)
• The largest Service Providers in the world
  – China Telecom (largest ISP)
  – China Mobile (616 million users)
  – China Unicom
• Giant Internet Vendors
  – Huawei, ZTE,…
• Would like to try new tech
  – IPv6, 3G (TD, W, 2000)

Domestic FI-related Projects

• In the 11th 5-year Plan Period (2006-2010)
  – MOST Trustworthy Internet
    • IPv6 Source Address Validation Architecture (SAVA)
    • Trustworthy ID based on SAVA
    • Trustworthy Application
    • Deployed in 100 university campus networks as testbed
  – MOST NGB
    • Deployed in Shanghai region
  – CNGI
    • IPv4/IPv6 Transition, …
    • Largest test-bed
  – Smaller NSFC Projects
  – Mobile/Wireless
    • 3G, 4G

Domestic FI-related Projects

• In the 12th 5-year Plan Period (2011-2015)
  – MOST Triple-Play Network
  – MOST Future Internet (Planning)
    • New Network Architecture
    • New Network Equipment
    • Testbed
  – CENI infrastructure (Planning)
    • GENI-like
  – CNGI new phase (Planning)
    • Mainly IPv6, and some FI
  – NSFC/973 New Network Architecture (CFP)

International Collaboration

• with the USA
  – GENI/Openflow
    • CERNET signed MOU with GENI and Stanford for IPv6 Openflow, Source Address Validation
    • CANS to collaborate on Openflow Research/Testbed
  – NDN collaboration
    • Tsinghua Univ., CAS ICT, Huawei…
• with Europe
  – OneLab, other FP7 project involvements
• with CJK
  – CJK projects on Network Security/FI
  – AsiaFI

Some FI Research in Tsinghua University

OpenFlow Extension (Openflow+) for Intra-AS Source Address Validation

Tsinghua University, China

Source Address Validation (SAV)

• Why SAV
  – The current Internet architecture: packet forwarding is based only on the destination address
  – SAV will be good for:
    • anti-spoofing/network security
    • network management/traceback
    • network measurement
    • network accounting/billing
• Why SAV is tough beyond the first hop
  – Asymmetric routing, Equal-Cost Multi-Path. uRPF only makes its decision based on the local FIB
• What we proposed for Intra-AS SAV
  – CPF (Calculation based forwarding)

Intra-AS Source Address Validation

– A central control model in which a Calculated Path Forwarding (CPF) controller collects the forwarding information of every router in an AS, calculates all possible forwarding paths for every source address, and then issues filter rules (the result of the calculation) to the routers to verify the source address of packets.
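
The calculation described above, as an added example that is not from the slides or the CPF implementation: it walks every router's FIB to derive per-ingress filter rules and compares the verdicts with strict uRPF under the asymmetric-routing and ECMP conditions the previous slide names. The topology, subnet strings, and function names are constructed for illustration, and sources are matched by exact subnet rather than longest-prefix lookup.

```python
# Constructed 4-router AS: A reaches NET_D over ECMP (B and C); D returns via C only.
NET_A, NET_C, NET_D = "10.0.1.0/24", "10.0.3.0/24", "10.0.4.0/24"
ORIGIN = {NET_A: "A", NET_C: "C", NET_D: "D"}   # router each subnet attaches to
# FIB[router][destination subnet] -> next-hop routers (two entries = ECMP)
FIB = {
    "A": {NET_C: ["C"], NET_D: ["B", "C"]},
    "B": {NET_A: ["A"], NET_C: ["A"], NET_D: ["D"]},
    "C": {NET_A: ["A"], NET_D: ["D"]},
    "D": {NET_A: ["C"], NET_C: ["C"]},
}

def cpf_rules(fib, origin):
    """Controller side: {(router, ingress neighbour): source subnets allowed}."""
    allowed = {}
    for src, first in origin.items():
        for dst, last in origin.items():
            if dst == src:
                continue
            stack, seen = [first], {first}
            while stack:                      # follow every forwarding branch
                here = stack.pop()
                if here == last:
                    continue                  # delivered to the attached subnet
                for nxt in fib[here].get(dst, []):
                    allowed.setdefault((nxt, here), set()).add(src)
                    if nxt not in seen:
                        seen.add(nxt)
                        stack.append(nxt)
    return allowed

def cpf_accepts(rules, router, ingress, src):
    """Router side: filter lookup for a packet with source subnet src."""
    return src in rules.get((router, ingress), set())

def strict_urpf_accepts(fib, router, ingress, src):
    """Strict uRPF: accept only if the local FIB routes back to src via ingress."""
    return ingress in fib[router].get(src, [])

RULES = cpf_rules(FIB, ORIGIN)
# On-path packet from NET_A reaching D through B: CPF passes it, strict uRPF drops it.
ON_PATH = (cpf_accepts(RULES, "D", "B", NET_A), strict_urpf_accepts(FIB, "D", "B", NET_A))
# Packet claiming NET_D that enters A from B, where no calculated path from D runs.
OFF_PATH = (cpf_accepts(RULES, "A", "B", NET_D), strict_urpf_accepts(FIB, "A", "B", NET_D))
```

Each tuple is (CPF verdict, strict uRPF verdict): the two mechanisms disagree in both cases because uRPF consults only the local reverse route, while the CPF rules come from the forward paths of the whole AS.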

CPF in Current Network Architecture

– SNMP: Polling forwarding information, interface information and subnet information from MIB for generating a global forwarding path.
– xFlow: Sample packets through xFlow (NetFlow/sFlow) for validating source address of sampling packets.
– Telnet: To log on the router and configure the ACL calculated by CPF.

Limitations of CPF in the current Internet Architecture

• The network device is not open and the interface is not standardized:
  - The ACL structure is not standardized, so we have to design for different vendors
  - The routing table/forwarding table are not open for modification from outside the router.
  - The communication between CPF controller and device is inefficient
  - May cause false negatives when topology changes (because the routing table changes cannot be reported to CPF in real time)
  - Telnet scripts cannot be smart enough

What OpenFlow brings to us

• OpenFlow enables network innovation, by:
  - FlowTable and OpenFlow protocol between controller and device implement the standardization and open access of network devices.
  - User-defined new technology can be easily added to the controller as new components.
  - The centralized mode in OpenFlow makes some functions based on global information possible.

What OpenFlow brings to us

[Diagram labels: Flow Table; Device Hardware; OpenFlow Protocol; Control Protocol; Hardware to OpenFlow]

• Open and standard forwarding hardware
• Open and standard control interface
• Open and standard new protocol deployment

CPF and Openflow

• Central control architecture of OpenFlow matches CPF, which requires global information of an AS
• Using OpenFlow protocol to unify three protocols (SNMP, xFlow and Telnet) for communication between CPF controller and network device
• Efficient control from outside the network device

Challenges of Current OpenFlow

• To adapt to all future protocols and different vendors, the flow table needs to be more open
• If a new innovation is mature enough, the controller needs to be implemented inside the device to improve efficiency
• It is hard to pre-define all the communication requirements between the controller and device, so the OpenFlow protocol needs to be more open
• OpenFlow needs to run on today’s routers, which will make it low-cost and deployable

Openflow+

• Openflow+ is an extension to the fundamental architecture of OpenFlow to make it more open, efficient, and low-cost:
  - 1: Flow Table Extension
  - 2: Distribution Mode Extension
  - 3: Openflow Protocol Extension
  - 4: Low-cost Openflow for today’s router (OpenRouter)

Extension 1: Flow Table Extension

[Diagram labels: Flow Table (Mandatory, Optional, Vendor-defined); Device Hardware; OpenFlow Protocol; Control Protocol; Hardware to OpenFlow]

Extension 2: Distribution Mode Extension

[Diagram labels: Flow Table; Device Hardware; OpenFlow Protocol; Control Protocol; Flow Table; Hardware to OpenFlow; Protocol to OpenFlow; Protocol to Protocol]

Extension 3: Openflow Protocol Extension

• In TLV format, each piece of data is organized by the triple of (Type, Length, Value)
• TLV can be used or arranged recursively

TLV Type (fixed length) | TLV Length (fixed length) | TLV Value (“TLV Length” length)
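
A recursive TLV encoder and bounds-checked decoder for the layout above, as an added example that is not Openflow+ code. The slides give no field widths or nesting marker, so the 2-byte type, 2-byte length, high-bit nesting flag, depth limit, and the type codes in the sample message are all assumptions made here.

```python
import struct

HEADER = struct.Struct("!HH")   # assumed: 2-byte type, 2-byte length, network order
NESTED = 0x8000                 # assumed: high bit of type marks a value made of TLVs
MAX_DEPTH = 8                   # assumed recursion bound for untrusted input

class TLVError(ValueError):
    pass

def encode(tlv_type, value):
    """value is bytes, or a list of (type, value) pairs for a nested TLV."""
    if isinstance(value, list):
        tlv_type |= NESTED
        value = b"".join(encode(t, v) for t, v in value)
    if len(value) > 0xFFFF:
        raise TLVError("value does not fit the length field")
    return HEADER.pack(tlv_type, len(value)) + value

def decode(buf, depth=0):
    """Parse a run of TLVs, rejecting lengths that overrun the enclosing value."""
    if depth > MAX_DEPTH:
        raise TLVError("nesting too deep")
    items, off = [], 0
    while off < len(buf):
        if len(buf) - off < HEADER.size:
            raise TLVError("truncated header")
        tlv_type, length = HEADER.unpack_from(buf, off)
        off += HEADER.size
        if length > len(buf) - off:
            raise TLVError("length field exceeds remaining data")
        value = buf[off:off + length]
        off += length
        if tlv_type & NESTED:
            # Recurse only into the slice this TLV owns, never past it.
            items.append((tlv_type & ~NESTED, decode(value, depth + 1)))
        else:
            items.append((tlv_type, value))
    return items

# Constructed message: type 1 = filter rule, holding type 2 (ingress port 3)
# and type 3 (source prefix 10.0.1.0/24). The type codes are hypothetical.
RULE = encode(1, [(2, b"\x00\x03"), (3, bytes([10, 0, 1, 0, 24]))])
```

Checking each length against the enclosing value rather than the whole message keeps a malformed inner TLV from reading into its siblings.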

Extension 4: Low-cost Openflow for today’s router (OpenRouter)

• OpenFlow+ in a commercial router DCRS 5980/5950, DigitalChina Company, RoutingSwitch

Extension 4: Low-cost Openflow for today’s router

Architecture of CPF based on OpenFlow+

[Diagram labels: OpenRouter; NOX; CPF APP; OpenFlow+]

CPF Controller

[Diagram labels: OR A, OR B, OR C, OR D, OR E, OR F, OR G (OR: OpenRouter); Filtering Rule Generator; Validation Module; Rule Adaptor; NOX; OpenFlow; CPF APP; Network State Processor; Sharing Memory; Socket; Sampling Packet Processor]

The Testbed of CPF based on OpenFlow+

Thanks!