Session 3

Firewall and NAT

Test Case: Block UDP

sudo mn --topo single,5 --mac --arp --switch ovsk --controller remote
mininet> pingall

mininet> h2 echo Hello > send; nc -lu 1234 < send > recv &
mininet> h4 echo Hi > send; nc -u 10.0.0.2 1234 < send > recv &
mininet> h2 killall nc
mininet> h4 killall nc
mininet> h2 wc -l recv
0 recv
mininet> h4 wc -l recv
0 recv
mininet> exit
sudo mn -c

Test Case: Block Telnet

sudo mn --topo single,5 --mac --arp --switch ovsk --controller remote
mininet> pingall

mininet> h1 echo Hello > send; nc -l 23 < send > recv &
mininet> h5 echo Hi > send; nc 10.0.0.1 23 < send > recv &
mininet> h1 killall nc
mininet> h5 killall nc
mininet> h1 wc -l recv
0 recv
mininet> h5 wc -l recv
0 recv
mininet> exit
sudo mn -c

Test Case: NAT

sudo mn --topo single,5 --mac --arp --switch ovsk --controller remote
mininet> pingall

mininet> h3 echo Hello > send; nc -l 443 < send > recv &
mininet> h5 echo Hi > send; nc 10.0.0.3 80 < send > recv &
mininet> h3 killall nc
mininet> h5 killall nc
mininet> h3 wc -l recv
0 recv
mininet> h5 wc -l recv
0 recv
mininet> exit
sudo mn -c

Firewall Design

When switch connects, install the following rules:

• Match: dl_type=0x0800, nw_proto=17
  Priority: 2
  Action: none
• Match: dl_type=0x0800, nw_proto=6, tp_src=23
  Priority: 2
  Action: none
• Match: dl_type=0x0800, nw_proto=6, tp_dst=23
  Priority: 2
  Action: none

When packet is received and the MAC address was not know, install the following rule:

• Match: dl_src=learned_mac
  Priority: 1
  Action: output:in_port

NAT Design

When switch connects, install the following rules:

• Match: dl_type=0x0800, nw_proto=6, tp_dst=80
  Priority: 2
  Action: controller

When packet is received:

• If the MAC address was not know, install the following rule:
  • Match: dl_src=learned_mac
    Priority: 1
    Action: output:in_port
• If the packet is a TCP packet and the destination port is 80, install the following rules:
  • Match: dl_type=0x0800, nw_src=packet.nw_src, nw_dst=packet.nw_dst, nw_proto=6, tp_dst=80, tp_src=packet.tp_src
    Priority: 3
    Action: tp_dst:443, output:learned_port
  • Match: dl_type=0x0800, nw_src=packet.nw_dst, nw_dst=packet.nw_src, nw_proto=6, tp_src=443, tp_dst=packet.tp_src
    Priority: 3
    Action: tp_dst:80, output:in_port

Round-Robin Load Balancer

Skeleton

We have provided skeleton code for Floodlight.

Design

• Packets are addressed to a special IP address (10.0.0.254) representing our logical load balancer. Install a static ARP entry in each host that will contact the load balancer:

  arp -s 10.0.0.254 00:00:00:00:00:FE

• The controller has a list of server IP and MAC addresses to which traffic can be sent.
• When a new flow starts:
  • The next server (in round-robin order) is selected.
  • A rule is installed, for the specific flow, to re-write the destination IP address and destination MAC address and forward out the appropriate port. (You should assume the port number to which the chosen server is connected is the last octet of the server's IP address.)
  • A rule is installed, for packets going in the reverse direction, to re-write the source IP address and source MAC address and forward out the appropriate port. (As above, you should assume the port number to which the client is connected is the last octet of the client's IP address.)

Floodlight Coding Hints

• The following actions will allow you to change fields in the packets:
  • OFActionDataLayerDestination -- changes the destination MAC
  • OFActionDataLayerSource -- changes the source MAC
  • OFActionNetworkLayerDestination -- changes the destination IP
  • OFActionNetworkLayerSource -- changes the source IP
• When you install the last rule (in a sequence of rule installations), you should add a flush:

  sw.flush();

Extensions & Optimizations

• Modify the round-robin server assignment to be weighted based on the number of packets sent to each server over a given time period.
• Obey the round-robin load balancing semantics, but install as few rules as possible. Hint: What are the minimum match fields necessary to properly return traffic from the server to the client?
• Avoid the need to install static ARP entries for the special "load balancer" IP address (10.0.0.254) by having the controller respond to ARP packets. Hint: You will need to construct the ARP reply packet at the controller and send it to the switch for forwarding.