Changes between Version 7 and Version 8 of GENIEducation/SampleAssignments/OpenFlowAssignment/ExerciseLayout/Execute


Timestamp:
05/21/13 16:15:27 (11 years ago)
Author:
shuang@bbn.com
Comment:


  • GENIEducation/SampleAssignments/OpenFlowAssignment/ExerciseLayout/Execute

Note that this approach to implementing a firewall has drawbacks. Because the OpenFlow controller does not, and cannot efficiently, track the precise state of the TCP flows it is forwarding, the rules are somewhat sloppy. In particular, connections “in progress” when the firewall comes online are not differentiated from new connections created after the firewall is initialized, and connection closings cannot be detected by the controller. The former can be managed by inspecting the packet headers included in the ''OFPT_PACKET_IN'' message when a connection is opened, but the latter cannot easily be mitigated. This means that connections with long idle times (and 300 s is not particularly unusual, in the long tail of TCP connection statistics!) will be disconnected unnecessarily, and new connections reusing recent four-tuples may be passed through the firewall without examination by the controller. [[BR]]

'''To get you started, you can download an incomplete version of `firewall.rb` from [http://www.gpolab.bbn.com/experiment-support/OpenFlowExampleExperiment/firewall.rb here], as well as a sample `fw.conf` from [http://www.gpolab.bbn.com/experiment-support/OpenFlowExampleExperiment/fw.conf here].''' [[BR]]
'''Question 1. Fill in the blanks in the function `switch_ready` to insert rules into the OpenFlow switch that allow ICMP and ARP packets to go through.''' [[BR]]
'''Question 2. Fill in the blanks in the function `packet_in` to insert a flow match into the OpenFlow device that allows packets matching a rule in `fw.conf` (as well as those on the reverse path) to pass.''' [[BR]]
'''Question 3. Fill in the blanks in the function `packet_in` to insert rules that drop all other packets, i.e. those that do not match any rule in `fw.conf`.''' [[BR]]
To verify your implementation, run the following on the switch:
{{{
/opt/trema-trema-8e97343/trema run 'firewall.rb fw.conf'
}}}
Then try to ping from left to right. The ping should go through, since you allowed ICMP and ARP packets to pass. [[BR]]
If you are using the `fw.conf` we provided, try to run TCP sessions from left to right with iperf on ports 5001, 5002 and 5003.
Since the provided `fw.conf` specifically allows TCP to ports 5001 and 5002 but not to port 5003, iperf should report throughput results for ports 5001 and 5002 but not for 5003.

Try playing with the code as well as the `fw.conf` file to set up more rules, then verify your settings via iperf or telnet. [[BR]]
You can check the flow table on the OpenFlow switch via:
{{{
sudo /opt/openvswitch-1.6.1-F15/bin/ovs-ofctl dump-flows tcp:127.0.0.1:6634
}}}
A sample output should look something like the following. The `CONTROLLER:65535` entries send the first packet of a permitted flow to the controller, which then installs the exact-match forward and reverse `NORMAL` entries; the exact-match entries with `actions=drop` are the rejected attempts on port 5003:
{{{
NXST_FLOW reply (xid=0x4):
 cookie=0x1, duration=165.561s, table=0, n_packets=6, n_bytes=360, idle_age=17,priority=65535,arp actions=NORMAL
 cookie=0xa, duration=43.24s, table=0, n_packets=3, n_bytes=222, idle_timeout=300,idle_age=22,priority=65535,tcp,in_port=1,vlan_tci=0x0000,dl_src=00:02:b3:65:d1:2b,dl_dst=00:03:47:94:c7:fd,nw_src=10.10.10.1,nw_dst=10.10.11.1,nw_tos=0,tp_src=46361,tp_dst=5003 actions=drop
 cookie=0x5, duration=147.156s, table=0, n_packets=18289, n_bytes=27682198, idle_timeout=300,idle_age=137,priority=65535,tcp,in_port=1,vlan_tci=0x0000,dl_src=00:02:b3:65:d1:2b,dl_dst=00:03:47:94:c7:fd,nw_src=10.10.10.1,nw_dst=10.10.11.1,nw_tos=0,tp_src=33385,tp_dst=5001 actions=NORMAL
 cookie=0x9, duration=105.294s, table=0, n_packets=4, n_bytes=296, idle_timeout=300,idle_age=60,priority=65535,tcp,in_port=1,vlan_tci=0x0000,dl_src=00:02:b3:65:d1:2b,dl_dst=00:03:47:94:c7:fd,nw_src=10.10.10.1,nw_dst=10.10.11.1,nw_tos=0,tp_src=46360,tp_dst=5003 actions=drop
 cookie=0x7, duration=124.764s, table=0, n_packets=17902, n_bytes=27095256, idle_timeout=300,idle_age=114,priority=65535,tcp,in_port=1,vlan_tci=0x0000,dl_src=00:02:b3:65:d1:2b,dl_dst=00:03:47:94:c7:fd,nw_src=10.10.10.1,nw_dst=10.10.11.1,nw_tos=0,tp_src=57908,tp_dst=5002 actions=NORMAL
 cookie=0x3, duration=165.561s, table=0, n_packets=1, n_bytes=74, idle_timeout=300,idle_age=124,priority=65535,tcp,nw_src=10.10.10.0/24,nw_dst=10.10.11.0/24,tp_dst=5002 actions=CONTROLLER:65535
 cookie=0x4, duration=165.561s, table=0, n_packets=1, n_bytes=74, idle_timeout=300,idle_age=147,priority=65535,tcp,nw_src=10.10.10.0/24,nw_dst=10.10.11.0/24,tp_dst=5001 actions=CONTROLLER:65535
 cookie=0x2, duration=165.561s, table=0, n_packets=0, n_bytes=0, idle_age=165,priority=65535,icmp actions=NORMAL
 cookie=0x6, duration=147.156s, table=0, n_packets=9387, n_bytes=624254, idle_timeout=300,idle_age=137,priority=65535,tcp,nw_src=10.10.11.1,nw_dst=10.10.10.1,tp_src=5001,tp_dst=33385 actions=NORMAL
 cookie=0x8, duration=124.764s, table=0, n_packets=9257, n_bytes=617666, idle_timeout=300,idle_age=114,priority=65535,tcp,nw_src=10.10.11.1,nw_dst=10.10.10.1,tp_src=5002,tp_dst=57908 actions=NORMAL
}}}

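The following is an added example, not the assignment's `firewall.rb` and not Trema code: it isolates the decision that Questions 2 and 3 ask for (allow with a mirrored reverse entry, or drop) and pairs it with a small model of the switch's exact-match table with a 300 s idle timeout, so the caveat from the paragraph on controller state can be seen directly: a new connection that reuses a recent four-tuple is forwarded by the switch without the controller ever seeing it, and an allowed flow that stays idle for more than 300 s loses its entry. The `fw.conf` format used here (one `src-cidr dst-cidr tcp-dst-port` rule per line) is an assumption, since the page does not show the real file; the sample rules and packets are constructed to mirror the flow dump above.

```ruby
require 'ipaddr'

# Constructed sample fw.conf in an ASSUMED format (the page does not show the
# real file): one "<src-cidr> <dst-cidr> <tcp-dst-port>" rule per line, and
# '#' starts a comment. The two rules mirror the 5001/5002 policy in the dump.
SAMPLE_FW_CONF = <<~CONF
  # src-net        dst-net         dst-port
  10.10.10.0/24    10.10.11.0/24   5001
  10.10.10.0/24    10.10.11.0/24   5002
CONF

IDLE_TIMEOUT = 300 # seconds, as in the idle_timeout=300 entries in the dump
MATCH_KEYS = %i[nw_src nw_dst tp_src tp_dst].freeze

Rule = Struct.new(:src, :dst, :tp_dst)

def parse_fw_conf(text)
  text.each_line.map(&:strip)
      .reject { |l| l.empty? || l.start_with?('#') }
      .map do |l|
        src, dst, port = l.split
        Rule.new(IPAddr.new(src), IPAddr.new(dst), Integer(port))
      end
end

# pkt holds the header fields the controller reads from OFPT_PACKET_IN:
# nw_src, nw_dst (strings) and tp_src, tp_dst (integers). Only the forward
# direction is consulted, as in the assignment.
def rule_for(rules, pkt)
  rules.find do |r|
    r.src.include?(IPAddr.new(pkt[:nw_src])) &&
      r.dst.include?(IPAddr.new(pkt[:nw_dst])) &&
      r.tp_dst == pkt[:tp_dst]
  end
end

# Exact-match entries to install: the forward four-tuple, plus the mirrored
# reverse entry (addresses and ports swapped, cf. cookies 0x5 and 0x6 in the
# dump) when the flow is allowed. A drop gets only the forward entry.
def flow_entries(pkt, action)
  fwd = MATCH_KEYS.map { |k| [k, pkt[k]] }.to_h.merge(actions: action)
  rev = { nw_src: pkt[:nw_dst], nw_dst: pkt[:nw_src],
          tp_src: pkt[:tp_dst], tp_dst: pkt[:tp_src], actions: action }
  action == :drop ? [fwd] : [fwd, rev]
end

# Minimal model of the switch table: exact four-tuple match, idle expiry,
# and re-adding an existing match replaces the old entry.
class FlowTable
  def initialize
    @entries = []
  end

  def size
    @entries.size
  end

  def install(entry, now)
    @entries.reject! { |e| same_match?(e, entry) }
    @entries << entry.merge(last_hit: now)
  end

  def lookup(pkt, now)
    @entries.reject! { |e| now - e[:last_hit] > IDLE_TIMEOUT }
    hit = @entries.find { |e| same_match?(e, pkt) }
    hit[:last_hit] = now if hit
    hit
  end

  private

  def same_match?(a, b)
    MATCH_KEYS.all? { |k| a[k] == b[k] }
  end
end

# The packet_in decision: NORMAL if a rule matches, otherwise drop; the
# resulting entries are pushed so later packets never reach the controller.
def handle_packet_in(table, rules, pkt, now)
  action = rule_for(rules, pkt) ? :normal : :drop
  flow_entries(pkt, action).each { |e| table.install(e, now) }
  action
end

# Data-path view: a packet that hits an installed entry is handled by the
# switch alone; only a table miss is sent to the controller.
def forward(table, rules, pkt, now)
  hit = table.lookup(pkt, now)
  return [hit[:actions], :switch] if hit

  [handle_packet_in(table, rules, pkt, now), :controller]
end

if __FILE__ == $PROGRAM_NAME
  rules = parse_fw_conf(SAMPLE_FW_CONF)
  table = FlowTable.new
  conn = { nw_src: '10.10.10.1', nw_dst: '10.10.11.1', tp_src: 33385, tp_dst: 5001 }
  p forward(table, rules, conn, 0)   # first packet: the controller decides
  p forward(table, rules, conn, 50)  # reused four-tuple: switch forwards, no inspection
  p forward(table, rules, conn, 400) # idle > 300 s: entry gone, back to the controller
end
```

The third call in the demo is the consequence of the idle timeout: if the controller were also checking for a SYN on `packet_in`, the mid-stream packet that arrives after the entry expired would be dropped rather than re-admitted. The second call is the reverse problem: because only the four-tuple is matched, a rule removed from `fw.conf` in the meantime would not stop a connection that happens to reuse it within the idle window.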
'''Hints''' [[BR]]
The following list of hints may help you design and debug your implementation more rapidly.