Monday, May 30, 2016

Configurable mirroring

Sometimes you need to examine traffic on a network to troubleshoot a problem, or copy it to an intrusion detection system (IDS; for example, Bro). You might want a copy of everything on a port, or a copy of only certain traffic.

FAUCET allows you to mirror traffic at the port level, but also at a configurable, fine-grained level, for example just Ethernet broadcasts. In the following example, we mirror broadcasts to port 3 and forward everything else by default.

When a port is the target of a mirror action, forwarding is disabled on that port.

interfaces:
    1:
        native_vlan: 100
        acl_in: 99
    3:
        native_vlan: 100
vlans:
    100:
        description: "untagged"
acls:
    99:
        - rule:
            dl_dst: ff:ff:ff:ff:ff:ff
            actions:
                allow: 1
                mirror: 3
        - rule:
            actions:
                allow: 1

NFV/firewall offload with FAUCET

Sometimes it's convenient to offload network functionality to something other than a switch. You might want to do DHCP or DNS, or you might want a separate security policy per port. This is becoming known as NFV.

In this post, we will configure FAUCET to use tagged and untagged ports in the same VLAN (via a trunk) to offload processing to a Linux host (in this case, FAUCET runs on the same host, but it does not have to). The following diagram shows two hosts, each in its own untagged VLAN. The NFV host has a dataplane connection as well, which is in both VLANs, tagged (so that the host knows which packets belong to which port; potentially, you could have one VLAN per port).

On the NFV host (assuming eth0 is the trunk port), you bridge eth0.2001, eth0.2002, etc. to containers. Within the containers you run the iptables rules or network services appropriate to that VLAN's policy. If you use OVS as the bridge (rather than plain Linux bridging) and you have a NIC that supports DPDK, it may be possible to offload some firewall rules to hardware on the host as OpenFlow flows.


+-------------------------------------------+
|FAUCET untagged VLAN 2001                  |
|                                           |
|                +---------------+   +--------------------------------+
|                |               |   |      |                         |
|                |          +--+ |   | +--+ |                         |
|                | Host 1   |  +-------+  | |                         |
|                |          +--+ |   | +--+ |                         |
|                |               |   |      |                         |
|                +---------------+   |      |                         |
+-------------------------------------------+                         |
                                     |                                |
                                     |                                |
+-------------------------------------------+                         |
|                +---------------+   |      |                         |
|                |               |   |      |                         |
|                |          +--+ |   | +--+ |                         |
|                | Host 2   |  +-------+  | |                         |
|                |          +--+ |   | +--+ |                         |
|                |               |   |      |                         |
|                +---------------+   |      |    switch               |
|                                    |      |                         |
|FAUCET untagged VLAN 2002           |      |                         |
+-------------------------------------------+                         |
                                     |                                |
+-------------------------------------------+                         |
|                +---------------+   |      |                         |
|                |          +--+ |   | +--+ |                         |
|                |          |  +-------+  | |                         |
|                |          +--+ |   | +--+ |                         |
|FAUCET trunk    |               |   |      |                         |
+-------------------------------------------+                         |
                 |               |   |                                |
+-------------------------------------------+                         |
|                |               |   |      |                         |
|                |          +--+ |   | +--+ |                         |
|                |          |  +-------+  | |                         |
|                |          +--+ |   | +--+ |                         |
|FAUCET CPN      |               |   +--------------------------------+
+-------------------------------------------+
                 | FAUCET        |
                 | control/NFV   |
                 |               |
                 |          +--+ |
                 |          |  +-------------+  INTERNET
                 |          +--+ |
                 +---------------+

The following small FAUCET config accomplishes offloading from the switch.

interfaces:
    1:
        native_vlan: 2001
        name: "port1.0.1"
    2:
        native_vlan: 2002
        name: "port1.0.2"
    24:
        tagged_vlans: [2001,2002]
        name: "port1.0.24"

Further, you might choose to configure FAUCET ACLs (which run on the switch and add another layer of protection). FAUCET ACLs can match anything OpenFlow can. For example:

interfaces:
    1:
        acl_in: 99
acls:
    99:
        - rule:
            dl_src: 11:22:33:44:55:66
            actions:
                allow: 0

        - rule:
            actions:
                allow: 1

This would drop, on input, any packet from a certain MAC address. It can prevent a machine on a port spoofing the MAC address of the NFV host, for example.
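Both ACLs on this page (the broadcast-mirroring ACL in the first post and the MAC-drop ACL just above) rely on FAUCET evaluating rules in order and applying the first match. The following added example is not FAUCET's own code: it writes the two ACLs as Python dicts with the same shape as the YAML, evaluates constructed frames against them with first-match semantics, and flags a rule ordering mistake (a catch-all rule placed before a specific one) that would silently make the specific rule unreachable. The implicit deny when no rule matches is an assumption of this example, which is why both ACLs on the page end with an explicit rule.

```python
# Added example, not FAUCET's own code: first-match evaluation of FAUCET-style
# ACLs, plus a check for rules shadowed by an earlier catch-all.

BROADCAST = "ff:ff:ff:ff:ff:ff"

# ACL 99 from the mirroring post: mirror broadcasts to port 3, allow the rest.
MIRROR_ACL = [
    {"rule": {"dl_dst": BROADCAST, "actions": {"allow": 1, "mirror": 3}}},
    {"rule": {"actions": {"allow": 1}}},
]

# ACL 99 from the NFV post: drop frames from one MAC address, allow the rest.
DROP_SPOOFER_ACL = [
    {"rule": {"dl_src": "11:22:33:44:55:66", "actions": {"allow": 0}}},
    {"rule": {"actions": {"allow": 1}}},
]


def rule_matches(rule, frame):
    """A rule matches when every match field it names equals the frame's field.

    A rule with no match fields (only 'actions') is a catch-all and matches
    every frame.
    """
    return all(frame.get(field) == value
               for field, value in rule.items() if field != "actions")


def evaluate_acl(acl, frame):
    """Return (allowed, mirror_port, rule_index) for the first matching rule.

    If nothing matches, this example treats the frame as dropped (assumption
    made here; write an explicit final rule rather than relying on it).
    """
    for index, entry in enumerate(acl):
        rule = entry["rule"]
        if rule_matches(rule, frame):
            actions = rule.get("actions", {})
            return bool(actions.get("allow", 0)), actions.get("mirror"), index
    return False, None, None


def unreachable_rules(acl):
    """Indices of rules that follow a catch-all rule and can therefore never match."""
    shadowed = []
    catch_all_seen = False
    for index, entry in enumerate(acl):
        if catch_all_seen:
            shadowed.append(index)
        if not any(field != "actions" for field in entry["rule"]):
            catch_all_seen = True
    return shadowed


if __name__ == "__main__":
    # Constructed frames: a broadcast and a unicast from a normal host, and a
    # frame from the MAC address the second ACL is meant to block.
    frames = {
        "broadcast": {"dl_src": "00:11:22:33:44:55", "dl_dst": BROADCAST},
        "unicast": {"dl_src": "00:11:22:33:44:55", "dl_dst": "aa:bb:cc:dd:ee:ff"},
        "spoofer": {"dl_src": "11:22:33:44:55:66", "dl_dst": BROADCAST},
    }
    for name, frame in frames.items():
        print(name, "mirror ACL ->", evaluate_acl(MIRROR_ACL, frame),
              "drop ACL ->", evaluate_acl(DROP_SPOOFER_ACL, frame))
    print("shadowed rules if reversed:", unreachable_rules(list(reversed(MIRROR_ACL))))
```

Running the block shows the broadcast allowed and mirrored to port 3, the unicast allowed without a mirror, and the spoofer's frame dropped by the first rule; reversing the mirror ACL reports rule 1 as unreachable, which is the mistake to look for when a mirror or drop rule appears to have no effect.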


Learning by unicast flooding - or not?

Unicast flooding is commonplace switch functionality. However, you might not want one host to ever see another host's packets, for security among other reasons.

FAUCET has a feature where learning via unicast flooding can be disabled; FAUCET will then learn only from Ethernet broadcast, ARP, and IPv6 neighbor discovery instead.

This can be configured at the VLAN level. For example:

vlans:
    2001:
        unicast_flood: False


FAUCET on Zodiac FX V0.63 and later

FAUCET has been known to work on the Zodiac FX for simple VLAN switching and port mirroring, as of firmware V0.63.

http://forums.northboundnetworks.com/index.php?topic=52.0

FAUCET quickstart

FAUCET, developed originally by REANNZ (and supported by the Open Network Foundation among others), is an open source SDN controller that implements a familiar learning switch with VLAN and NFV offload support (NMS, NFV, IP routing, ACLs, mirroring, and other features will be described in future posts), and has unit tests. FAUCET is compatible with OpenFlow switches that support OpenFlow 1.3 and multiple tables, and implements all functionality using OpenFlow exclusively (i.e. non-"hybrid" mode).

The switch does all the forwarding based on the flows the controller decides, which means new network functionality (for example, network security features) can be introduced by changing the controller, not the switch. The controller does no forwarding itself, and so can be upgraded or restarted with potentially no impact on forwarding. While FAUCET is in regular office use at several organizations around the world (including REANNZ and the Open Network Foundation), it is also suitable for lab experimentation and teaching.

In this post, we will set up FAUCET to provide switching for an untagged VLAN with two hosts, the simplest possible configuration. You will need two hosts, a third host to run the FAUCET controller on, and a supported switch. Included here is configuration for an Allied Telesis switch (search for SUPPORTED_HARDWARE in the FAUCET code, which lists the switches and vendors known by the community to work). An OpenFlow 1.0 switch, or a switch that does not support multiple tables, will absolutely not work; any standards-based OpenFlow 1.3 switch with multiple tables should work.


Network diagram

+---------------------------------------------+
|                                             |
|  FAUCET untagged VLAN 2001                  |
|                                             |
|                                             |
|                                             |
|           +------------------+  +------------------------------+
|           |                  |  |           |                  |
|           |            +---+ |  |  +---+    |                  |
|           |  Host #1   |   +-------+ 1 |    |                  |
|           |            +---+ |  |  +---+    |                  |
|           |                  |  |           |                  |
|           +------------------+  |           |                  |
|           +------------------+  |           |                  |
|           |                  |  |           |                  |
|           |            +---+ |  |  +---+    |                  |
|           |  Host #2   |   +-------+ 2 |    |                  |
|           |            +---+ |  |  +---+    |                  |
+---------------------------------------------+                  |
            +------------------+  |                              |
                                  |      Hardware OpenFlow 1.3   |
                                  |      switch with multitable  |
                                  |                              |
                                  |                              |
+----------------------------------------------+                 |
|           +------------------+  |            |                 |
|           |                  |  |            |                 |
|           |            +---+ |  |  +----+    |                 |
|           |  FAUCET    |   +-------+ 24 |    |                 |
|           |  (Linux)   +---+ |  |  +---++    |                 |
|           |                  |  +------------------------------+
|           +------------------+               |
|                                              |
|                                              |
|                                              |
|                                              |
|  Control Plane Network (CPN)                 |
+----------------------------------------------+


Physically, there is a direct Ethernet connection between the computer where FAUCET runs, and the switch. Some OpenFlow switches have a dedicated CPN port for OpenFlow; others repurpose a conventional dataplane port (as the Allied Telesis switch does).


Configuring the OpenFlow switch


You will first need to physically install and configure your OpenFlow switch, the test hosts (switch ports 1 and 2) and the controller host (switch port 24). You will (of course) need to adjust the configuration depending on your switch/vendor.

!
! 10.0.0.1 is the IP address assigned to the controller machine
openflow controller tcp 10.0.0.1 6633
! This switch reserves for implementation reasons a VLAN for
! OpenFlow control
openflow native vlan 4090
!
! This switch requires VLAN tags to be reserved in advance.
! We reserve 2001-2999.
vlan database
 vlan 1234,2001-2999,4090 state enable
!
interface port1.0.1-1.0.2
 openflow
 switchport
 switchport mode access
!
! port 24 used for CPN
interface port1.0.24
 switchport
 switchport mode access
 switchport access vlan 1234
!
interface vlan1234
 ip address 10.0.0.2/24
!


Writing a configuration file


FAUCET reads a YAML configuration file. This file (typically faucet.yaml) describes the network, and should contain the following:

version: 2
vlans:
    2001:
        name: "VLAN 2001"
dps:
    faucet-1:
        dp_id: 0x0000eccd6df72de7 # change for your switch!!
        hardware: "Allied-Telesis" # see SUPPORTED_HARDWARE
        interfaces:
            1:
                native_vlan: 2001
                name: "port1.0.1"
            2:
                native_vlan: 2001
                name: "port1.0.2"

Note in particular dp_id (DataPath ID). This must be configured to match your switch. Some switches allow you to configure the DPID on the switch; on others it is hard coded (on the Allied Telesis switch, you can get the DPID from show openflow status).

Note also that YAML is very sensitive about whitespace (and tabs in particular). Be sure to use spaces and matching indentation.
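The mistakes this section warns about (a dp_id that does not match the switch, or a mis-indented file) are cheap to catch before the controller is started. The following added example is not FAUCET's own code or validator: it takes the quickstart faucet.yaml from this post, written here as a Python dict of the same shape YAML would load to (so it runs without a YAML library), and checks that the DPID is a 64-bit integer, that every port references a defined VLAN and ACL, that any mirror target is a configured port, and whether each VLAN still learns via unicast flooding (the earlier post shows unicast_flood: False as the stricter setting; that FAUCET's default is enabled is an assumption of this example).

```python
# Added example, not FAUCET's own code: a pre-flight lint of a FAUCET v2
# config dict. An empty error list means the structural checks passed.

# The quickstart config from this post, as the dict a YAML loader would produce.
CONFIG = {
    "version": 2,
    "vlans": {2001: {"name": "VLAN 2001"}},
    "dps": {
        "faucet-1": {
            "dp_id": 0x0000ECCD6DF72DE7,  # change for your switch!!
            "hardware": "Allied-Telesis",  # see SUPPORTED_HARDWARE
            "interfaces": {
                1: {"native_vlan": 2001, "name": "port1.0.1"},
                2: {"native_vlan": 2001, "name": "port1.0.2"},
            },
        }
    },
}


def lint_config(cfg):
    """Return (errors, warnings): errors stop the config being usable,
    warnings are settings a security-minded operator may want to tighten."""
    errors, warnings = [], []
    if cfg.get("version") != 2:
        errors.append("version must be 2")
    vlans = cfg.get("vlans", {})
    acls = cfg.get("acls", {})

    for dp_name, dp in cfg.get("dps", {}).items():
        # DPIDs are 64-bit; YAML turns 0x... into an int, so a string here
        # usually means the value was quoted by mistake.
        dp_id = dp.get("dp_id")
        if not isinstance(dp_id, int) or not 0 < dp_id < 2 ** 64:
            errors.append(f"{dp_name}: dp_id must be a 64-bit integer matching the switch DPID")
        if not dp.get("hardware"):
            errors.append(f"{dp_name}: hardware is not set (see SUPPORTED_HARDWARE)")

        interfaces = dp.get("interfaces", {})
        for port, iface in interfaces.items():
            has_native = "native_vlan" in iface
            has_tagged = "tagged_vlans" in iface
            if not (has_native or has_tagged):
                errors.append(f"{dp_name} port {port}: needs native_vlan or tagged_vlans")
            referenced = ([iface["native_vlan"]] if has_native else []) + list(iface.get("tagged_vlans", []))
            for vid in referenced:
                if vid not in vlans:
                    errors.append(f"{dp_name} port {port}: VLAN {vid} is not defined under vlans")

            acl = iface.get("acl_in")
            if acl is not None and acl not in acls:
                errors.append(f"{dp_name} port {port}: acl_in {acl} is not defined under acls")
            for entry in (acls.get(acl, []) if acl is not None else []):
                mirror = entry.get("rule", {}).get("actions", {}).get("mirror")
                if mirror is not None and mirror not in interfaces:
                    errors.append(f"{dp_name} port {port}: ACL {acl} mirrors to unknown port {mirror}")

    for vid, vlan in vlans.items():
        # Assumption of this example: unicast_flood is enabled unless set to False.
        if vlan.get("unicast_flood", True):
            warnings.append(f"vlan {vid}: unicast_flood is enabled; set False if hosts must not see each other's unicast")
    return errors, warnings


if __name__ == "__main__":
    errors, warnings = lint_config(CONFIG)
    for line in errors:
        print("ERROR:", line)
    for line in warnings:
        print("WARN:", line)
    print("ok" if not errors else "config has errors")
```

Run against the page's config it reports no errors and one warning (VLAN 2001 still floods unicast); feed it a config whose port references a VLAN or ACL that was never defined and the errors name the port, which is faster than reading the controller log after the switch has connected.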


Installing the controller


FAUCET is based on the Python Ryu SDN framework. This means that the FAUCET controller is just a Python process that reads a configuration file (described above), listens for an OpenFlow connection initiated by the switch, and installs flows as required. Install and run docker using the instructions provided. At the time of writing Ubuntu 14.0.4 LTS server is known to work well.

Testing and troubleshooting


You now have a switch! Test host 1 should now be able to ping test host 2 (provided you configured them with IP addresses, of course). You will be able to see flows installed in the switch as FAUCET learns the MAC address of each host. For example, on an Allied Telesis switch, the following output shows that a host has been learned on port 1:

awplus#show openflow rules| include b8:ae:ed:73:20:90
table_id=2, duration=103s, n_packets=688, n_bytes=107825, priority=9099,in_port=1,dl_vlan=2002,dl_src=b8:ae:ed:73:20:90,actions=goto_table:3
table_id=2, duration=68s, n_packets=22488, n_bytes=30528441, priority=9099,in_port=1,dl_vlan=2001,dl_src=b8:ae:ed:73:20:90,actions=goto_table:3
table_id=2, duration=61s, n_packets=126, n_bytes=15768, priority=9099,in_port=1,dl_vlan=2003,dl_src=b8:ae:ed:73:20:90,actions=goto_table:3
table_id=3, duration=103s, n_packets=790, n_bytes=205376, priority=9001,dl_vlan=2002,dl_dst=b8:ae:ed:73:20:90,actions=output:1
table_id=3, duration=68s, n_packets=469, n_bytes=87522, priority=9001,dl_vlan=2001,dl_dst=b8:ae:ed:73:20:90,actions=output:1
table_id=3, duration=61s, n_packets=10097, n_bytes=13714852, priority=9001,dl_vlan=2003,dl_dst=b8:ae:ed:73:20:90,actions=output:1
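Reading that output by eye works for one host; for a switch full of them it helps to parse it. The following added example is not FAUCET's or Allied Telesis's code: it parses the rule lines quoted above (embedded here as constructed sample input) and pairs each table 2 learn rule (in_port and dl_src, going to table 3) with the table 3 forwarding rule for the same MAC and VLAN (dl_dst, output to a port). A host counts as learned only when both rules exist and agree on the port; anything else is reported, which is the first thing to look at when a host is pinging one way only. That table 2 holds the source-MAC rules and table 3 the destination-MAC rules is taken from the quoted output and is an assumption about FAUCET's table layout at the time.

```python
# Added example, not FAUCET's or Allied Telesis's code: summarise learned hosts
# from "show openflow rules" output and report half-learned entries.
import re

# Constructed sample input: the rule lines quoted in the post.
SHOW_OPENFLOW_RULES = """\
table_id=2, duration=103s, n_packets=688, n_bytes=107825, priority=9099,in_port=1,dl_vlan=2002,dl_src=b8:ae:ed:73:20:90,actions=goto_table:3
table_id=2, duration=68s, n_packets=22488, n_bytes=30528441, priority=9099,in_port=1,dl_vlan=2001,dl_src=b8:ae:ed:73:20:90,actions=goto_table:3
table_id=2, duration=61s, n_packets=126, n_bytes=15768, priority=9099,in_port=1,dl_vlan=2003,dl_src=b8:ae:ed:73:20:90,actions=goto_table:3
table_id=3, duration=103s, n_packets=790, n_bytes=205376, priority=9001,dl_vlan=2002,dl_dst=b8:ae:ed:73:20:90,actions=output:1
table_id=3, duration=68s, n_packets=469, n_bytes=87522, priority=9001,dl_vlan=2001,dl_dst=b8:ae:ed:73:20:90,actions=output:1
table_id=3, duration=61s, n_packets=10097, n_bytes=13714852, priority=9001,dl_vlan=2003,dl_dst=b8:ae:ed:73:20:90,actions=output:1
"""

# key=value pairs; values run until the next comma or whitespace, so MAC
# addresses and "output:1" style actions are kept whole.
FIELD_RE = re.compile(r"([a-z_]+)=([^,\s]+)")


def parse_rule(line):
    """Turn one rule line into a dict of field -> value (integers converted)."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if key == "duration":
            value = int(value.rstrip("s"))
        elif value.isdigit():
            value = int(value)
        fields[key] = value
    return fields


def split_tables(output):
    """Return ({(mac, vlan): in_port} from table 2, {(mac, vlan): out_port} from table 3)."""
    src_rules, dst_rules = {}, {}
    for line in output.splitlines():
        rule = parse_rule(line)
        if rule.get("table_id") == 2 and "dl_src" in rule:
            src_rules[(rule["dl_src"], rule["dl_vlan"])] = rule["in_port"]
        elif rule.get("table_id") == 3 and "dl_dst" in rule and rule["actions"].startswith("output:"):
            dst_rules[(rule["dl_dst"], rule["dl_vlan"])] = int(rule["actions"].split(":")[1])
    return src_rules, dst_rules


def learned_hosts(output):
    """Map (mac, vlan) -> port for hosts with matching learn and forward rules."""
    src_rules, dst_rules = split_tables(output)
    return {key: port for key, port in src_rules.items() if dst_rules.get(key) == port}


def inconsistent_entries(output):
    """(mac, vlan, reason) for entries present in only one table or on different ports."""
    src_rules, dst_rules = split_tables(output)
    problems = []
    for key in sorted(set(src_rules) | set(dst_rules)):
        if key not in dst_rules:
            problems.append(key + ("learned in table 2 but no forwarding rule in table 3",))
        elif key not in src_rules:
            problems.append(key + ("forwarding rule in table 3 without a table 2 learn rule",))
        elif src_rules[key] != dst_rules[key]:
            problems.append(key + (f"ports differ: learned on {src_rules[key]}, forwards to {dst_rules[key]}",))
    return problems


if __name__ == "__main__":
    for (mac, vlan), port in sorted(learned_hosts(SHOW_OPENFLOW_RULES).items()):
        print(f"{mac} learned on port {port} in VLAN {vlan}")
    for mac, vlan, reason in inconsistent_entries(SHOW_OPENFLOW_RULES):
        print(f"CHECK {mac} VLAN {vlan}: {reason}")
```

On the quoted output this prints the one host learned on port 1 in each of VLANs 2001, 2002 and 2003 and nothing to check. If a host shows up in table 3 on a port other than the one it was learned on, or only in one of the two tables, that is the entry to compare against the YAML and the cabling before looking further.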

If your test hosts can't reach each other, check that the switch and FAUCET controller can reach each other (i.e. that the switch can make a successful OpenFlow connection via TCP to the controller). Check that your YAML file has correct indentation and that your DPID matches.


Where next?

Take a look at FAUCET's unit tests to see what features have been implemented and how they are configured. We'll go into detail in future posts.