# SDN Lab 5

Group:
- Maximilian Reichel
- Daniel Steinacker
- Leon Schürmann

#### Documentation of the Mininet changes

We have extended the Mininet CLI with two commands, namely `do_test_fw` and `do_test_fw_short`, which each perform a range of connection tests across the network from various hosts. Running `do_test_fw` will cause every host except `mon` to test connections to every other host (except `mon`) on both ports `8080` and `9090`. Running `do_test_fw_short` will cause every host except `mon` to test connections to `srv` and `inet` on ports `8080` and `9090`; in addition, the output is condensed to either success or failure. It is implemented as follows:

```
student@sdnfp02:~/sdn-exercises/ex5$ diff ~/ex5/mininet5.py mininet5.py
45a46,82
> 
>     def do_test_fw(self, line):
>         if not self.mininet.httpd:
>             info('Warning: services not running!!\n')
>         for src in self.mininet.hosts:
>             for dst in self.mininet.hosts:
>                 if src.name == dst.name or src.name == 'mon' or dst.name == 'mon':
>                     continue
>                 info('**testing '+src.name+' to '+dst.name+'\n')
>                 info('>>'+src.name+' curl --connect-timeout 1 http://'+str(dst.IP())+':8080\n')
>                 info(src.cmd('curl --connect-timeout 1 http://'+str(dst.IP())+':8080')+'\n')
>                 info('>>'+src.name+' curl --connect-timeout 1 http://'+str(dst.IP())+':9090\n')
>                 info(src.cmd('curl --connect-timeout 1 http://'+str(dst.IP())+':9090')+'\n')
> 
>     def do_test_fw_short(self, line):
>         if not self.mininet.httpd:
>             info('Warning: services not running!!\n')
>         for src in self.mininet.hosts:
>             out = ""
>             dsts = {'srv web':'10.0.0.4:8080', 'srv ssh':'10.0.0.4:9090', 'inet web':'10.0.0.5:8080', 'inet ssh': '10.0.0.5:9090'}
>             if src.name == 'mon':
>                 continue
>             info('**testing from '+src.name+'\n')
>             for name, dst in dsts.items():
>                 res = src.cmd('curl --connect-timeout 1 http://'+dst)
>                 out=out+'request from '+src.name+' to '+name+': \t'
>                 if 'Thanks' in res:
>                     out =out+ 'success'
>                 elif 'refused' in res:
>                     out += 'refused'
>                 elif 'timed out' in res:
>                     out += 'timeout'
>                 else:
>                     out =out+ 'unknown: '+res
>             out =out+ '\n'
>             info(out)
> 
```

#### Network topology for task 5.1, 5.2 and 5.3:

```
              10.0.0.5
              :01:02
              inet (web: 8080)
               |
mon ---(eth3) s1 --- srv (web: 8080, 'ssh': 9090)
             / \     10.0.0.4
            /   \    :01:01
           /     \
         h1       h2
      10.0.0.1  10.0.0.2
      :00:01    :00:02
```

## 5.1: Static Policies

### Objectives:

Have both a simple firewall and a simple network monitor implemented.

The simple firewall should enable the following configuration:

- host `inet` can only access the web service on `srv`
- host `h1` has full access to all services running on `srv` as well as on `inet`
- host `h2` can only access the web service on `srv` (no ssh on `srv` and no web on `inet`)

The simple monitor should support the following mode of operation:

- host `mon` receives all accesses to the ssh service running on `srv` as well as traffic from `h2`

### Tasks:

Implement a static firewall as well as a simple monitor using separate Pyretic modules which can be used individually. The solution is tested by running

- the firewall module, along with trying to connect to the individual services
- the monitor module, along with running `tcpdump` on `mon` and connecting to the SSH port on `srv`

### Assumptions:

- Firewall has a deny-all default rule
- _full access on all services running on `srv`_ ⇒ TCP ports 8080 and 9090
- We should monitor all layer 2 traffic originating from `h2`
- We are allowed to use the `mac_learner` to automatically forward traffic via the corresponding switch port
- We have to forward `ARP` traffic
- _prints every access to ssh service on `srv`_ ⇒ print every incoming packet to port 9090
- printing packets is done via tcpdump; the interface is assumed to be in promiscuous mode

### Our solution:

Simple Firewall: We built an ingoing and an outgoing Pyretic FilterPolicy for each rule and concatenated them with an OR (`|`). If one of the policies matches, the respective packet is returned as a result of this policy.
This output is then piped into the input of the appropriate `mac_learner` forwarding policy by use of the `>>` operator. We also created a FilterPolicy to match on `ARP` packets with `flood` as output.

Simple Monitor: The simple monitor defines a FilterPolicy for all incoming TCP traffic with destination IP `srv` and destination port `9090`. If this FilterPolicy matches a packet, it is directed to the port to which `mon` is connected. Furthermore, the packet is routed to its actual destination by using the MAC learner policy.

### Demo & Output:

#### simple_firewall.py output:

Connection success table (rows are destination and port, columns are the source host):

| Destination & Port / Source | `h1` | `h2` | `srv` | `inet` |
|-----------------------------|------|------|-------|--------|
| `h1`:8080                   | -    | ✗    | ✗     | ✗      |
| `h1`:9090                   | -    | ✗    | ✗     | ✗      |
| `h2`:8080                   | ✗    | -    | ✗     | ✗      |
| `h2`:9090                   | ✗    | -    | ✗     | ✗      |
| `srv`:8080                  | ✓    | ✓    | -     | ✓      |
| `srv`:9090                  | ✓    | ✗    | -     | ✗      |
| `inet`:8080                 | ✓    | ✗    | ✗     | -      |
| `inet`:9090                 | ✗    | ✗    | ✗     | -      |

```
student@sdnfp02:~/sdn-exercises/ex5$ sudo ./mininet5.py
=== Starting Mininet ===
Unable to contact the remote controller at 127.0.0.1:6653
Connecting to remote controller at 127.0.0.1:6633
*** Configuring hosts
h1 h2 mon srv inet
*** Starting controller
c0
*** Starting 1 switches
s1 ...
*** Starting CLI:
mininet> startservers
*** Starting HTTP and SSH services on srv
*** Starting HTTP service on inet
mininet> dpctl dump-flows
*** s1 ------------------------------------------------------------------------
cookie=0x0, duration=8.957s, table=0, n_packets=0, n_bytes=0,\
    priority=60002,dl_type=0x88cc actions=CONTROLLER:65535
cookie=0x0, duration=8.957s, table=0, n_packets=28, n_bytes=2408,\
    priority=60001,ipv6 actions=drop
cookie=0x0, duration=8.957s, table=0, n_packets=0, n_bytes=0,\
    priority=0 actions=CONTROLLER:65535
mininet> test_fw_short
**testing from h1
request from h1 to inet ssh: timeout
request from h1 to srv web: success
request from h1 to inet web: success
request from h1 to srv ssh: success
**testing from h2
request from h2 to inet ssh: timeout
request from h2 to srv web: success
request from h2 to inet web: timeout
request from h2 to srv ssh: timeout
**testing from srv
request from srv to inet ssh: timeout
request from srv to srv web: success
request from srv to inet web: timeout
request from srv to srv ssh: success
**testing from inet
request from inet to inet ssh: refused
request from inet to srv web: success
request from inet to inet web: success
request from inet to srv ssh: timeout
mininet> test_fw
**testing h1 to h2
>>h1 curl --connect-timeout 1 http://10.0.0.2:8080
curl: (28) Connection timed out after 1001 milliseconds
>>h1 curl --connect-timeout 1 http://10.0.0.2:9090
curl: (28) Connection timed out after 1001 milliseconds
**testing h1 to srv
>>h1 curl --connect-timeout 1 http://10.0.0.4:8080
<html>Thanks for requesting this web page!</html>
>>h1 curl --connect-timeout 1 http://10.0.0.4:9090
Thanks for requesting this ssh service!
**testing h1 to inet
>>h1 curl --connect-timeout 1 http://10.0.0.5:8080
<html>Thanks for requesting this web page!</html>
>>h1 curl --connect-timeout 1 http://10.0.0.5:9090
curl: (28) Connection timed out after 1001 milliseconds
**testing h2 to h1
>>h2 curl --connect-timeout 1 http://10.0.0.1:8080
curl: (28) Connection timed out after 1001 milliseconds
>>h2 curl --connect-timeout 1 http://10.0.0.1:9090
curl: (28) Connection timed out after 1001 milliseconds
**testing h2 to srv
>>h2 curl --connect-timeout 1 http://10.0.0.4:8080
<html>Thanks for requesting this web page!</html>
>>h2 curl --connect-timeout 1 http://10.0.0.4:9090
curl: (28) Connection timed out after 1001 milliseconds
**testing h2 to inet
>>h2 curl --connect-timeout 1 http://10.0.0.5:8080
curl: (28) Connection timed out after 1001 milliseconds
>>h2 curl --connect-timeout 1 http://10.0.0.5:9090
curl: (28) Connection timed out after 1001 milliseconds
**testing srv to h1
>>srv curl --connect-timeout 1 http://10.0.0.1:8080
curl: (28) Connection timed out after 1001 milliseconds
>>srv curl --connect-timeout 1 http://10.0.0.1:9090
curl: (28) Connection timed out after 1001 milliseconds
**testing srv to h2
>>srv curl --connect-timeout 1 http://10.0.0.2:8080
curl: (28) Connection timed out after 1001 milliseconds
>>srv curl --connect-timeout 1 http://10.0.0.2:9090
curl: (28) Connection timed out after 1001 milliseconds
**testing srv to inet
>>srv curl --connect-timeout 1 http://10.0.0.5:8080
curl: (28) Connection timed out after 1001 milliseconds
>>srv curl --connect-timeout 1 http://10.0.0.5:9090
curl: (28) Connection timed out after 1001 milliseconds
**testing inet to h1
>>inet curl --connect-timeout 1 http://10.0.0.1:8080
curl: (28) Connection timed out after 1000 milliseconds
>>inet curl --connect-timeout 1 http://10.0.0.1:9090
curl: (28) Connection timed out after 1001 milliseconds
**testing inet to h2
>>inet curl --connect-timeout 1 http://10.0.0.2:8080
curl: (28) Connection timed out after 1001 milliseconds
>>inet curl --connect-timeout 1 http://10.0.0.2:9090
curl: (28) Connection timed out after 1001 milliseconds
**testing inet to srv
>>inet curl --connect-timeout 1 http://10.0.0.4:8080
<html>Thanks for requesting this web page!</html>
>>inet curl --connect-timeout 1 http://10.0.0.4:9090
curl: (28) Connection timed out after 1001 milliseconds
mininet> dpctl dump-flows
*** s1 ------------------------------------------------------------------------
cookie=0x0, duration=46.891s, table=0, n_packets=0, n_bytes=0,\
    priority=60002,dl_type=0x88cc actions=CONTROLLER:65535
cookie=0x0, duration=46.891s, table=0, n_packets=9, n_bytes=630,\
    priority=60001,ipv6 actions=drop
cookie=0x0, duration=46.891s, table=0, n_packets=96, n_bytes=8566,\
    priority=0 actions=CONTROLLER:65535
cookie=0x0, duration=46.839s, table=0, n_packets=0, n_bytes=0, priority=0,\
    arp,in_port="s1-eth4",dl_src=00:00:00:00:01:01,dl_dst=ff:ff:ff:ff:ff:ff,\
    arp_spa=10.0.0.4,arp_tpa=10.0.0.2,arp_op=1 \
    actions=output:"s1-eth3",output:"s1-eth1",output:"s1-eth5",output:"s1-eth2"
cookie=0x0, duration=46.787s, table=0, n_packets=0, n_bytes=0, priority=0,\
    arp,in_port="s1-eth2",dl_src=00:00:00:00:00:02,dl_dst=00:00:00:00:01:01,\
    arp_spa=10.0.0.2,arp_tpa=10.0.0.4,arp_op=2 \
    actions=output:"s1-eth4",output:"s1-eth5",output:"s1-eth3",output:"s1-eth1"
cookie=0x0, duration=7.619s, table=0, n_packets=0, n_bytes=0, priority=0,\
    arp,in_port="s1-eth5",dl_src=00:00:00:00:01:02,dl_dst=ff:ff:ff:ff:ff:ff,\
    arp_spa=10.0.0.5,arp_tpa=10.0.0.2,arp_op=1 \
    actions=output:"s1-eth1",output:"s1-eth2",output:"s1-eth3",output:"s1-eth4"
cookie=0x0, duration=7.610s, table=0, n_packets=0, n_bytes=0, priority=0,\
    arp,in_port="s1-eth2",dl_src=00:00:00:00:00:02,dl_dst=00:00:00:00:01:02,\
    arp_spa=10.0.0.2,arp_tpa=10.0.0.5,arp_op=2 \
    actions=output:"s1-eth4",output:"s1-eth1",output:"s1-eth3",output:"s1-eth5"
cookie=0x0, duration=46.083s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth2",dl_src=00:00:00:00:00:02,dl_dst=00:00:00:00:01:01,\
    nw_src=10.0.0.2,nw_dst=10.0.0.4,nw_tos=0,tp_src=38524,tp_dst=8080 \
    actions=output:"s1-eth4"
cookie=0x0, duration=46.079s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth2",dl_src=00:00:00:00:00:02,dl_dst=00:00:00:00:01:02,\
    nw_src=10.0.0.2,nw_dst=10.0.0.5,nw_tos=0,tp_src=39568,tp_dst=8080 \
    actions=drop
cookie=0x0, duration=46.035s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth4",dl_src=00:00:00:00:01:01,dl_dst=00:00:00:00:00:02,\
    nw_src=10.0.0.4,nw_dst=10.0.0.2,nw_tos=0,tp_src=8080,tp_dst=38524 \
    actions=output:"s1-eth2"
cookie=0x0, duration=45.110s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth2",dl_src=00:00:00:00:00:02,dl_dst=00:00:00:00:01:01,\
    nw_src=10.0.0.2,nw_dst=10.0.0.4,nw_tos=0,tp_src=45390,tp_dst=9090 \
    actions=drop
cookie=0x0, duration=44.079s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth4",dl_src=00:00:00:00:01:01,dl_dst=00:00:00:00:01:02,\
    nw_src=10.0.0.4,nw_dst=10.0.0.5,nw_tos=0,tp_src=52220,tp_dst=9090 \
    actions=drop
cookie=0x0, duration=42.562s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth4",dl_src=00:00:00:00:01:01,dl_dst=00:00:00:00:01:02,\
    nw_src=10.0.0.4,nw_dst=10.0.0.5,nw_tos=0,tp_src=47322,tp_dst=8080 \
    actions=drop
cookie=0x0, duration=40.296s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth5",dl_src=00:00:00:00:01:02,dl_dst=00:00:00:00:01:01,\
    nw_src=10.0.0.5,nw_dst=10.0.0.4,nw_tos=0,tp_src=52716,tp_dst=8080 \
    actions=output:"s1-eth4"
cookie=0x0, duration=40.255s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth4",dl_src=00:00:00:00:01:01,dl_dst=00:00:00:00:01:02,\
    nw_src=10.0.0.4,nw_dst=10.0.0.5,nw_tos=0,tp_src=8080,tp_dst=52716 \
    actions=output:"s1-eth5"
cookie=0x0, duration=39.826s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth5",dl_src=00:00:00:00:01:02,dl_dst=00:00:00:00:01:01,\
    nw_src=10.0.0.5,nw_dst=10.0.0.4,nw_tos=0,tp_src=60122,tp_dst=9090 \
    actions=drop
cookie=0x0, duration=26.830s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth1",dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,\
    nw_src=10.0.0.1,nw_dst=10.0.0.2,nw_tos=0,tp_src=60602,tp_dst=8080 \
    actions=drop
cookie=0x0, duration=25.815s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth1",dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,\
    nw_src=10.0.0.1,nw_dst=10.0.0.2,nw_tos=0,tp_src=52422,tp_dst=9090 \
    actions=drop
cookie=0x0, duration=24.047s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth1",dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:01:01,\
    nw_src=10.0.0.1,nw_dst=10.0.0.4,nw_tos=0,tp_src=42926,tp_dst=8080 \
    actions=output:"s1-eth4"
cookie=0x0, duration=23.981s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth4",dl_src=00:00:00:00:01:01,dl_dst=00:00:00:00:00:01,\
    nw_src=10.0.0.4,nw_dst=10.0.0.1,nw_tos=0,tp_src=8080,tp_dst=42926 \
    actions=output:"s1-eth1"
cookie=0x0, duration=23.271s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth1",dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:01:01,\
    nw_src=10.0.0.1,nw_dst=10.0.0.4,nw_tos=0,tp_src=55454,tp_dst=9090 \
    actions=output:"s1-eth4"
cookie=0x0, duration=23.223s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth4",dl_src=00:00:00:00:01:01,dl_dst=00:00:00:00:00:01,\
    nw_src=10.0.0.4,nw_dst=10.0.0.1,nw_tos=0,tp_src=9090,tp_dst=55454 \
    actions=output:"s1-eth1"
cookie=0x0, duration=22.515s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth1",dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:01:02,\
    nw_src=10.0.0.1,nw_dst=10.0.0.5,nw_tos=0,tp_src=39368,tp_dst=8080 \
    actions=output:"s1-eth5"
cookie=0x0, duration=22.503s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth1",dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:01:02,\
    nw_src=10.0.0.1,nw_dst=10.0.0.5,nw_tos=0,tp_src=45360,tp_dst=9090 \
    actions=drop
cookie=0x0, duration=22.439s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth5",dl_src=00:00:00:00:01:02,dl_dst=00:00:00:00:00:01,\
    nw_src=10.0.0.5,nw_dst=10.0.0.1,nw_tos=0,tp_src=8080,tp_dst=39368 \
    actions=output:"s1-eth1"
cookie=0x0, duration=21.517s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth2",dl_src=00:00:00:00:00:02,dl_dst=00:00:00:00:00:01,\
    nw_src=10.0.0.2,nw_dst=10.0.0.1,nw_tos=0,tp_src=38890,tp_dst=8080 \
    actions=drop
cookie=0x0, duration=20.502s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth2",dl_src=00:00:00:00:00:02,dl_dst=00:00:00:00:00:01,\
    nw_src=10.0.0.2,nw_dst=10.0.0.1,nw_tos=0,tp_src=56322,tp_dst=9090 \
    actions=drop
cookie=0x0, duration=18.739s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth2",dl_src=00:00:00:00:00:02,dl_dst=00:00:00:00:01:01,\
    nw_src=10.0.0.2,nw_dst=10.0.0.4,nw_tos=0,tp_src=38562,tp_dst=8080 \
    actions=output:"s1-eth4"
cookie=0x0, duration=18.737s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth2",dl_src=00:00:00:00:00:02,dl_dst=00:00:00:00:01:01,\
    nw_src=10.0.0.2,nw_dst=10.0.0.4,nw_tos=0,tp_src=45426,tp_dst=9090 \
    actions=drop
cookie=0x0, duration=18.695s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth4",dl_src=00:00:00:00:01:01,dl_dst=00:00:00:00:00:02,\
    nw_src=10.0.0.4,nw_dst=10.0.0.2,nw_tos=0,tp_src=8080,tp_dst=38562 \
    actions=output:"s1-eth2"
cookie=0x0, duration=17.767s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth2",dl_src=00:00:00:00:00:02,dl_dst=00:00:00:00:01:02,\
    nw_src=10.0.0.2,nw_dst=10.0.0.5,nw_tos=0,tp_src=39608,tp_dst=8080 \
    actions=drop
cookie=0x0, duration=16.752s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth2",dl_src=00:00:00:00:00:02,dl_dst=00:00:00:00:01:02,\
    nw_src=10.0.0.2,nw_dst=10.0.0.5,nw_tos=0,tp_src=44570,tp_dst=9090 \
    actions=drop
cookie=0x0, duration=15.734s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth4",dl_src=00:00:00:00:01:01,dl_dst=00:00:00:00:00:01,\
    nw_src=10.0.0.4,nw_dst=10.0.0.1,nw_tos=0,tp_src=55356,tp_dst=8080 \
    actions=drop
cookie=0x0, duration=14.719s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth4",dl_src=00:00:00:00:01:01,dl_dst=00:00:00:00:00:01,\
    nw_src=10.0.0.4,nw_dst=10.0.0.1,nw_tos=0,tp_src=38226,tp_dst=9090 \
    actions=drop
cookie=0x0, duration=13.703s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth4",dl_src=00:00:00:00:01:01,dl_dst=00:00:00:00:00:02,\
    nw_src=10.0.0.4,nw_dst=10.0.0.2,nw_tos=0,tp_src=58308,tp_dst=8080 \
    actions=drop
cookie=0x0, duration=12.688s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth4",dl_src=00:00:00:00:01:01,dl_dst=00:00:00:00:00:02,\
    nw_src=10.0.0.4,nw_dst=10.0.0.2,nw_tos=0,tp_src=35236,tp_dst=9090 \
    actions=drop
cookie=0x0, duration=11.669s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth4",dl_src=00:00:00:00:01:01,dl_dst=00:00:00:00:01:02,\
    nw_src=10.0.0.4,nw_dst=10.0.0.5,nw_tos=0,tp_src=47366,tp_dst=8080 \
    actions=drop
cookie=0x0, duration=10.655s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth4",dl_src=00:00:00:00:01:01,dl_dst=00:00:00:00:01:02,\
    nw_src=10.0.0.4,nw_dst=10.0.0.5,nw_tos=0,tp_src=52270,tp_dst=9090 \
    actions=drop
cookie=0x0, duration=9.641s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth5",dl_src=00:00:00:00:01:02,dl_dst=00:00:00:00:00:01,\
    nw_src=10.0.0.5,nw_dst=10.0.0.1,nw_tos=0,tp_src=48112,tp_dst=8080 \
    actions=drop
cookie=0x0, duration=8.625s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth5",dl_src=00:00:00:00:01:02,dl_dst=00:00:00:00:00:01,\
    nw_src=10.0.0.5,nw_dst=10.0.0.1,nw_tos=0,tp_src=60296,tp_dst=9090 \
    actions=drop
cookie=0x0, duration=7.567s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth5",dl_src=00:00:00:00:01:02,dl_dst=00:00:00:00:00:02,\
    nw_src=10.0.0.5,nw_dst=10.0.0.2,nw_tos=0,tp_src=54926,tp_dst=8080 \
    actions=drop
cookie=0x0, duration=6.620s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth5",dl_src=00:00:00:00:01:02,dl_dst=00:00:00:00:00:02,\
    nw_src=10.0.0.5,nw_dst=10.0.0.2,nw_tos=0,tp_src=40260,tp_dst=9090 \
    actions=drop
cookie=0x0, duration=4.883s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth5",dl_src=00:00:00:00:01:02,dl_dst=00:00:00:00:01:01,\
    nw_src=10.0.0.5,nw_dst=10.0.0.4,nw_tos=0,tp_src=52766,tp_dst=8080 \
    actions=output:"s1-eth4"
cookie=0x0, duration=4.839s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth5",dl_src=00:00:00:00:01:02,dl_dst=00:00:00:00:01:01,\
    nw_src=10.0.0.5,nw_dst=10.0.0.4,nw_tos=0,tp_src=60170,tp_dst=9090 \
    actions=drop
cookie=0x0, duration=4.839s, table=0, n_packets=0, n_bytes=0, priority=0,\
    tcp,in_port="s1-eth4",dl_src=00:00:00:00:01:01,dl_dst=00:00:00:00:01:02,\
    nw_src=10.0.0.4,nw_dst=10.0.0.5,nw_tos=0,tp_src=8080,tp_dst=52766 \
    actions=output:"s1-eth5"
```

#### simple_monitor.py tcpdump output:

This output is obtained while running `test_fw` in the Mininet CLI, similar to what is done above. However, instead of `simple_firewall`, `simple_monitor` is used in standalone mode, which forwards selected packets to the monitor in addition to using the MAC learner to perform regular forwarding.
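The two 5.1 modules are Pyretic code that needs a running controller and Mininet to exercise. As an added example (not the lab's code), the following Python script models the policy algebra the solution relies on, with `|` as parallel composition, `>>` as sequential composition, a `match` filter and an implicit deny-all, and builds the firewall and the monitor from the objectives so that the connection success table can be checked offline. The combinator classes, `allow_tcp`, `connection_allowed`, `success_table` and the static MAC table standing in for `mac_learner` are this example's own constructions; host ports, IPs and MACs are taken from the topology and the flow dumps.

```python
from functools import reduce

# Topology values from the lab figure and flow dumps: switch port, IP and MAC
# per host. mon has no IP on the page, so only its switch port (s1-eth3) is used.
HOSTS = {
    "h1":   {"port": 1, "ip": "10.0.0.1", "mac": "00:00:00:00:00:01"},
    "h2":   {"port": 2, "ip": "10.0.0.2", "mac": "00:00:00:00:00:02"},
    "srv":  {"port": 4, "ip": "10.0.0.4", "mac": "00:00:00:00:01:01"},
    "inet": {"port": 5, "ip": "10.0.0.5", "mac": "00:00:00:00:01:02"},
}
MON_PORT, ALL_PORTS = 3, [1, 2, 3, 4, 5]
MAC_TABLE = {h["mac"]: h["port"] for h in HOSTS.values()}  # what mac_learner learns

class Policy:
    """A policy maps one packet (a dict of header fields) to a list of output packets."""
    def eval(self, pkt):
        raise NotImplementedError
    def __or__(self, other):      # parallel composition: both sides see the same packet
        return Union(self, other)
    def __rshift__(self, other):  # sequential composition: outputs of self feed other
        return Sequential(self, other)

class Binary(Policy):
    def __init__(self, a, b):
        self.a, self.b = a, b

class Union(Binary):
    def eval(self, pkt):
        return self.a.eval(pkt) + self.b.eval(pkt)

class Sequential(Binary):
    def eval(self, pkt):
        return [out for mid in self.a.eval(pkt) for out in self.b.eval(mid)]

class match(Policy):
    """Filter: passes the packet unchanged if every named field has the given value."""
    def __init__(self, **fields):
        self.fields = fields
    def eval(self, pkt):
        return [pkt] if all(pkt.get(k) == v for k, v in self.fields.items()) else []

class fwd(Policy):
    def __init__(self, port):
        self.port = port
    def eval(self, pkt):
        return [dict(pkt, outport=self.port)]

class flood(Policy):
    def eval(self, pkt):
        return [dict(pkt, outport=p) for p in ALL_PORTS if p != pkt["inport"]]

class mac_learner(Policy):
    """Stand-in for Pyretic's mac_learner, using the table it would have learned."""
    def eval(self, pkt):
        port = MAC_TABLE.get(pkt.get("dstmac"))
        return [dict(pkt, outport=port)] if port is not None else flood().eval(pkt)

def allow_tcp(src, dst, port):
    """Ingoing filter for the request plus outgoing filter for the reply of one rule."""
    s, d = HOSTS[src], HOSTS[dst]
    ingoing = match(ethtype="ip", protocol="tcp", srcip=s["ip"], dstip=d["ip"], dstport=port)
    outgoing = match(ethtype="ip", protocol="tcp", srcip=d["ip"], dstip=s["ip"], srcport=port)
    return ingoing | outgoing

# Rules from the objectives. A packet matching none of them produces no output at
# all, which is the implicit deny-all default.
ALLOWED = [("inet", "srv", 8080), ("h1", "srv", 8080), ("h1", "srv", 9090),
           ("h1", "inet", 8080), ("h2", "srv", 8080)]
firewall_filter = reduce(lambda a, b: a | b, [allow_tcp(*rule) for rule in ALLOWED])
simple_firewall = (firewall_filter >> mac_learner()) | (match(ethtype="arp") >> flood())

# Monitor: copy ssh-bound packets for srv and every frame from h2 to mon's port,
# while the MAC learner delivers the original in parallel.
to_mon = (match(ethtype="ip", protocol="tcp", dstip=HOSTS["srv"]["ip"], dstport=9090)
          | match(srcmac=HOSTS["h2"]["mac"])) >> fwd(MON_PORT)
simple_monitor = to_mon | mac_learner()

def tcp_packet(src, dst, srcport, dst_port):
    s, d = HOSTS[src], HOSTS[dst]
    return {"inport": s["port"], "ethtype": "ip", "protocol": "tcp",
            "srcmac": s["mac"], "dstmac": d["mac"], "srcip": s["ip"],
            "dstip": d["ip"], "srcport": srcport, "dstport": dst_port}

def outports(policy, pkt):
    return sorted({p["outport"] for p in policy.eval(pkt)})

def connection_allowed(policy, src, dst, port, client_port=40000):
    """True only if the request reaches dst and the reply gets back to src."""
    request = tcp_packet(src, dst, client_port, port)
    reply = tcp_packet(dst, src, port, client_port)
    return (outports(policy, request) == [HOSTS[dst]["port"]]
            and outports(policy, reply) == [HOSTS[src]["port"]])

def success_table(policy=simple_firewall):
    """{(src, dst, port): allowed} for every off-diagonal cell of the table above."""
    return {(s, d, p): connection_allowed(policy, s, d, p)
            for s in HOSTS for d in HOSTS if s != d for p in (8080, 9090)}
```

`success_table()` marks exactly the five ✓ cells of the table, and `outports(simple_monitor, tcp_packet("h1", "srv", 40000, 9090))` gives ports 3 and 4, i.e. the copy to `mon` next to the normal delivery. The check is deliberately as stateless as the lab's rules: the `outgoing` filter of a rule passes any packet from `srv` whose source port is 8080 towards the client, whether or not that client ever opened a connection, which is the gap a stateful firewall closes.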
```
18:55:22.404968 IP 10.0.0.1.32768 > 10.0.0.2.http-alt: Flags [S], \
    seq 2364622693, win 42340, options [mss 1460,sackOK,TS val 94822261 \
    ecr 0,nop,wscale 9], length 0
18:55:22.433680 IP 10.0.0.2.http-alt > 10.0.0.1.32768: Flags [R.], \
    seq 0, ack 2364622694, win 0, length 0
18:55:22.537177 IP 10.0.0.2.9090 > 10.0.0.1.52820: Flags [R.], \
    seq 0, ack 4028174318, win 0, length 0
18:55:22.605319 IP 10.0.0.1.43324 > 10.0.0.4.http-alt: Flags [S], \
    seq 1855093280, win 42340, options [mss 1460,sackOK,TS val 181026882 \
    ecr 0,nop,wscale 9], length 0
18:55:23.529284 IP 10.0.0.1.55852 > 10.0.0.4.9090: Flags [S], \
    seq 1879490765, win 42340, options [mss 1460,sackOK,TS val 181027806 \
    ecr 0,nop,wscale 9], length 0
18:55:23.632702 IP 10.0.0.1.55852 > 10.0.0.4.9090: Flags [.], \
    ack 4058066381, win 83, options [nop,nop,TS val 181027925 ecr \
    3440594493], length 0
18:55:23.654064 IP 10.0.0.1.55852 > 10.0.0.4.9090: Flags [P.], \
    seq 0:77, ack 1, win 83, options [nop,nop,TS val 181027925 ecr \
    3440594493], length 77
18:55:24.241608 IP 10.0.0.1.55852 > 10.0.0.4.9090: Flags [.], \
    ack 18, win 83, options [nop,nop,TS val 181028526 ecr 3440595118], \
    length 0
18:55:24.284804 IP 10.0.0.1.55852 > 10.0.0.4.9090: Flags [F.], \
    seq 77, ack 203, win 83, options [nop,nop,TS val 181028569 ecr \
    3440595119], length 0
18:55:24.328739 IP 10.0.0.1.39766 > 10.0.0.5.http-alt: Flags [S], \
    seq 234059465, win 42340, options [mss 1460,sackOK,TS val 1211659683 \
    ecr 0,nop,wscale 9], length 0
18:55:25.263692 IP 10.0.0.2.39288 > 10.0.0.1.http-alt: Flags [S], \
    seq 399939513, win 42340, options [mss 1460,sackOK,TS val 2615026430 \
    ecr 0,nop,wscale 9], length 0
18:55:25.381217 IP 10.0.0.2.56720 > 10.0.0.1.9090: Flags [S], \
    seq 4101072734, win 42340, options [mss 1460,sackOK,TS val 2615026515 \
    ecr 0,nop,wscale 9], length 0
18:55:25.481097 IP 10.0.0.2.38960 > 10.0.0.4.http-alt: Flags [S], \
    seq 1869054725, win 42340, options [mss 1460,sackOK,TS val 3688455792 \
    ecr 0,nop,wscale 9], length 0
18:55:25.680734 IP 10.0.0.2.38960 > 10.0.0.4.http-alt: Flags [.], \
    ack 2645561923, win 83, options [nop,nop,TS val 3688455995 ecr \
    1332138829], length 0
18:55:25.706134 IP 10.0.0.2.38960 > 10.0.0.4.http-alt: Flags [P.], \
    seq 0:77, ack 1, win 83, options [nop,nop,TS val 3688455995 ecr \
    1332138829], length 77: HTTP: GET / HTTP/1.1
18:55:26.294110 IP 10.0.0.2.38960 > 10.0.0.4.http-alt: Flags [.], \
    ack 18, win 83, options [nop,nop,TS val 3688456598 ecr 1332139554], \
    length 0
18:55:26.336793 IP 10.0.0.2.38960 > 10.0.0.4.http-alt: Flags [F.], \
    seq 77, ack 213, win 83, options [nop,nop,TS val 3688456643 ecr \
    1332139554], length 0
18:55:26.392719 IP 10.0.0.2.45824 > 10.0.0.4.9090: Flags [S], \
    seq 2706022374, win 42340, options [mss 1460,sackOK,TS val 3688456652 \
    ecr 0,nop,wscale 9], length 0
18:55:26.508755 IP 10.0.0.2.45824 > 10.0.0.4.9090: Flags [.], \
    ack 1148066628, win 83, options [nop,nop,TS val 3688456803 ecr \
    1332139741], length 0
18:55:26.510420 IP 10.0.0.2.45824 > 10.0.0.4.9090: Flags [P.], \
    seq 0:77, ack 1, win 83, options [nop,nop,TS val 3688456803 ecr \
    1332139741], length 77
18:55:27.099320 IP 10.0.0.2.45824 > 10.0.0.4.9090: Flags [.], \
    ack 18, win 83, options [nop,nop,TS val 3688457404 ecr 1332140359], \
    length 0
18:55:27.140700 IP 10.0.0.2.45824 > 10.0.0.4.9090: Flags [F.], \
    seq 77, ack 203, win 83, options [nop,nop,TS val 3688457447 ecr \
    1332140359], length 0
18:55:27.184829 IP 10.0.0.2.40006 > 10.0.0.5.http-alt: Flags [S], \
    seq 3682310094, win 42340, options [mss 1460,sackOK,TS val \
    116426705 ecr 0,nop,wscale 9], length 0
18:55:27.412766 IP 10.0.0.2.40006 > 10.0.0.5.http-alt: Flags [.], \
    ack 2372835483, win 83, options [nop,nop,TS val 116426967 ecr \
    1820799852], length 0
18:55:27.413993 IP 10.0.0.2.40006 > 10.0.0.5.http-alt: Flags [P.], \
    seq 0:77, ack 1, win 83, options [nop,nop,TS val 116426967 ecr \
    1820799852], length 77: HTTP: GET / HTTP/1.1
18:55:28.003069 IP 10.0.0.2.40006 > 10.0.0.5.http-alt: Flags [.], \
    ack 18, win 83, options [nop,nop,TS val 116427556 ecr 1820800582], length 0
18:55:28.044733 IP 10.0.0.2.40006 > 10.0.0.5.http-alt: Flags [F.], \
    seq 77, ack 213, win 83, options [nop,nop,TS val 116427599 ecr \
    1820800582], length 0
18:55:28.088766 IP 10.0.0.2.44968 > 10.0.0.5.9090: Flags [S], \
    seq 30624878, win 42340, options [mss 1460,sackOK,TS val \
    116427609 ecr 0,nop,wscale 9], length 0
18:55:28.389260 IP 10.0.0.2.http-alt > 10.0.0.4.58706: Flags [R.], \
    seq 0, ack 544556965, win 0, length 0
18:55:28.453882 IP 10.0.0.2.9090 > 10.0.0.4.35634: Flags [R.], \
    seq 0, ack 2979077110, win 0, length 0
18:55:29.477179 IP 10.0.0.2.http-alt > 10.0.0.5.55324: Flags [R.], \
    seq 0, ack 1020529494, win 0, length 0
18:55:29.545591 IP 10.0.0.2.9090 > 10.0.0.5.40658: Flags [R.], \
    seq 0, ack 3753418337, win 0, length 0
18:55:30.316153 IP 10.0.0.5.60568 > 10.0.0.4.9090: Flags [S], \
    seq 3595740532, win 42340, options [mss 1460,sackOK,TS val \
    2859780710 ecr 0,nop,wscale 9], length 0
18:55:30.408749 IP 10.0.0.5.60568 > 10.0.0.4.9090: Flags [.], \
    ack 3572562051, win 83, options [nop,nop,TS val 2859780805 ecr \
    2292463290], length 0
18:55:30.425754 IP 10.0.0.5.60568 > 10.0.0.4.9090: Flags [P.], \
    seq 0:77, ack 1, win 83, options [nop,nop,TS val 2859780805 ecr \
    2292463290], length 77
18:55:31.052751 IP 10.0.0.5.60568 > 10.0.0.4.9090: Flags [.], \
    ack 18, win 83, options [nop,nop,TS val 2859781408 ecr \
    2292463900], length 0
18:55:31.061038 IP 10.0.0.5.60568 > 10.0.0.4.9090: Flags [F.], \
    seq 77, ack 203, win 83, options [nop,nop,TS val 2859781453 ecr \
    2292463900], length 0
```

## 5.2: Dynamic Policies

### Objectives:

Have a Quality-of-Service module implemented, which degrades traffic in a controlled manner (to implicitly prioritize other flows).

### Tasks:

Implement a dynamic policy which counts packets and dynamically blocks or forwards packets, based on the number of counted packets of their associated flow.
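The solution described under "Our Solution" below counts packets per source and drops every `n`-th one. The following is an added Python model of that counter, not the lab's `qos` Pyretic module: the `CrudeQoS` class, its `pick_period` hook and the `simulate` helper are this example's own, while the source MACs are those of `h1` and `h2` from the topology. It reproduces the controller messages and the receiver gaps reported in the demo output, including the offset of one between the controller's 1-based packet numbers and the udpsender's 0-based datagram numbers.

```python
import random

# Added model of the count-and-drop policy (not the lab's Pyretic qos module).
# Source MACs are those of h1 and h2 in the lab topology; "fwd" and "drop"
# stand in for the Pyretic policies the real module installs on each update.
H1_MAC = "00:00:00:00:00:01"
H2_MAC = "00:00:00:00:00:02"

class CrudeQoS:
    """Per-source packet counter that drops every n-th packet, n drawn once per source.

    Counting is 1-based like the controller log, so with n = 10 the policy flips to
    "drop" before packet numbers 11, 21, 31, ... (udpsender datagrams 10, 20, 30, ...).
    """
    def __init__(self, pick_period=None):
        # pick_period lets a test fix n; the default mirrors n = rand([5, 20]).
        self.pick_period = pick_period or (lambda mac: random.randint(5, 20))
        self.period = {}   # srcmac -> n
        self.count = {}    # srcmac -> packets seen so far (never printed, as in the lab)
        self.policy = {}   # srcmac -> policy installed for that source's next packet
        self.log = []      # what the controller prints

    def describe(self):
        return " ".join(
            f"Drop next packet with number {self.count[m] + 1} from {m}" if p == "drop"
            else f"Fwd packet from {m}" for m, p in self.policy.items())

    def update_count(self, srcmac):
        """Called once per packet the query sees; installs the policy for the next packet."""
        if srcmac not in self.period:
            self.period[srcmac] = self.pick_period(srcmac)
            self.log.append(f"Dropping every {self.period[srcmac]} packet from {srcmac}")
        self.count[srcmac] = self.count.get(srcmac, 0) + 1
        new = "drop" if self.count[srcmac] % self.period[srcmac] == 0 else "fwd"
        if new != self.policy.get(srcmac):
            self.policy[srcmac] = new
            self.log.append("Updating policies to: " + self.describe())
        return new

    def forwards(self, srcmac):
        """Apply the currently installed policy to one packet from srcmac."""
        return self.policy.get(srcmac, "fwd") == "fwd"

def simulate(qos, srcmac, datagrams):
    """Send datagrams numbered 0..datagrams-1 from srcmac (like udpsender) and return
    the numbers the receiver never gets. A dropped packet is still counted, which is
    what the lab's log shows (drops at packet numbers 19, 37, 55 for n = 18)."""
    missing = []
    for i in range(datagrams):
        if not qos.forwards(srcmac):
            missing.append(i)
        qos.update_count(srcmac)
    return missing
```

With `n` fixed to 10 for `h2`, `simulate(qos, H2_MAC, 300)` returns `[10, 20, ..., 290]`, the same list that was missing from `srv.log` in the demo; the drop policy is installed for one packet only and the next call to `update_count` switches the source back to forwarding, which is why the controller log alternates between the two messages.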
### Assumptions:

- Don't have to simulate excessive network load
- A wide variety of solutions is possible

### Our Solution:

The traffic of each host is randomly assigned a number `n = rand([5, 20])`, indicating that every `n`-th packet is to be dropped. If the next packet of a sender is going to be dropped, a console log entry is generated. This meets the description of a "very crude Quality-of-Service" implementation.

To achieve this, we implicitly count the packets sent from a node. This count is never output anywhere; however, the task description is satisfied.

This functionality requires a dynamic policy, one which will invoke a function for every packet matching a specific Pyretic query. We use a helper method `update_count` to keep track of the packets originating from a specific host, in order to be able to update the current forwarding policy accordingly. Once the target count is reached, the policy is updated to drop packets originating from this specific host. For all following packets, the policy is once again set to use the `mac_learner()` instance created while initializing the initial state.

### Demo & Output:

Partial output of the Pyretic controller:

```
student@sdnfp02:~/sdn-exercises/ex5$ pyretic.py -v low -m r0 qos
POX 0.5.0 (eel) / Copyright 2011-2014 James McCauley, et al.
Connected to pyretic frontend.
INFO:core:POX 0.5.0 (eel) is up.
INFO:openflow.of_01:[00-00-00-00-00-01 1] connected
INFO:openflow.of_01:[00-00-00-00-00-01 1] closed
INFO:openflow.of_01:[00-00-00-00-00-01 3] connected
Dropping every 18 packet from 00:00:00:00:00:01
Updating policies to:
Drop next packet with number 19 from 00:00:00:00:00:01
Updating policies to:
Fwd packet from 00:00:00:00:00:01
Dropping every 10 packet from 00:00:00:00:00:02
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Drop next packet with number 37 from 00:00:00:00:00:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Updating policies to:
Drop next packet with number 11 from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Updating policies to:
Drop next packet with number 21 from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Drop next packet with number 55 from 00:00:00:00:00:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Updating policies to:
Drop next packet with number 31 from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Updating policies to:
Drop next packet with number 41 from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
[.....]
Updating policies to:
Drop next packet with number 251 from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Drop next packet with number 289 from 00:00:00:00:00:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Updating policies to:
Drop next packet with number 261 from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Updating policies to:
Drop next packet with number 271 from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Updating policies to:
Drop next packet with number 281 from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Updating policies to:
Drop next packet with number 291 from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Updating policies to:
Drop next packet with number 301 from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
```

In Mininet we used the following commands for the tests and compared the log files afterwards:

```
student@sdnfp02:~/sdn-exercises/ex5$ sudo ./mininet5.py
=== Starting Mininet ===
Unable to contact the remote controller at 127.0.0.1:6653
Connecting to remote controller at 127.0.0.1:6633
*** Configuring hosts
h1 h2 mon srv inet
*** Starting controller
c0
*** Starting 1 switches
s1 ...
*** Starting CLI:
mininet> inet ./udpreceiver 4000 > inet.log &
mininet> srv ./udpreceiver 4000 > srv.log &
mininet> h1 ./udpsender 10.0.0.5 4000 300&
mininet> h2 ./udpsender 10.0.0.4 4000 300
Sending 3000 datagrams to 10.0.0.4:4000 ...
done
```

Numbers missing in the output of `srv ./udpreceiver 4000`:

10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 110, 120, 130, 140, 150, 160, 170, 180, 190, 200, 210, 220, 230, 240, 250, 260, 270, 280, 290

Numbers missing in the output of `inet ./udpreceiver 4000`:

18, 36, 54, 72, 90, 108, 126, 144, 162, 180, 198, 216, 234, 252, 270, 288

(Given that the udpsender starts counting at 0 while we refer to the `n`-th packet, there is a constant offset of 1 between these numbers and the Pyretic policy output.)

The receiver on `srv` is missing every 10th packet, which matches the output of the controller: it drops every 10th packet originating from the sender with MAC address `00:00:00:00:00:02`, which is the MAC address of `h2`. Analogously, the receiver on `inet` behaves the same way: it is missing every 18th packet.

## 5.3: Policy Composition

### Objectives:

Have a composition of the previous modules implemented. It should implement the following network policies:

* a monitoring firewall, which only monitors the filtered traffic, while not influencing forwarding
* a monitoring firewall with QoS capabilities.

### Tasks:

Implement a composition of the three already implemented modules.

### Assumptions:

- We are supposed to implement both a monitor which only sees firewalled packets, as well as a monitor which sees all matching packets

### Our Solution:

#### Monitoring Firewall:

The packets which are filtered by our firewall will be forwarded to our monitor and the MAC learner. As our firewall module would not filter ARP packets and the MAC learner would learn these, we are just using the firewalling part of our firewall module here.

#### Monitoring Firewall with QoS:

Possible combinations would be to

1. First apply QoS filtering, then firewall and monitoring afterwards
   - Useful if the firewall cannot handle full line rate. Use QoS to limit packets, and monitor only traffic which actually reaches the host.
2. Monitoring first, then firewall and QoS afterwards
   - Monitor all traffic that could reach hosts, afterwards filter flows and limit packets.
3. Monitoring first, then QoS and firewall afterwards
   - We monitor all incoming traffic and apply filtering afterwards, but limit the line rate first, as the firewall cannot handle the rate of packets.
4. QoS first, then monitoring and firewall afterwards
   - Would allow us to monitor the QoS component.
5. Firewall filtering first, then QoS and monitor afterwards
   - Useful if we don't want to affect the QoS by unwanted traffic.

In our implementation we used the combination that monitors all incoming traffic and applies the firewall filtering first and the QoS filter afterwards. To accomplish this we piped the output of the firewall with the `>>` operator into the QoS filtering and used the `+` operator to combine this construct with the monitor operation, so that the firewall/QoS chain and the monitor are applied to all incoming packets in parallel.

### Demo & Output:

#### Monitoring Firewall:

To test the component we started the Pyretic controller with `pyretic.py -v low -m r0 monitor_firewall` and executed the following commands at the Mininet CLI:

```
student@sdnfp02:~/sdn-exercises/ex5$ sudo ./mininet5.py
=== Starting Mininet ===
Unable to contact the remote controller at 127.0.0.1:6653
Connecting to remote controller at 127.0.0.1:6633
*** Configuring hosts
h1 h2 mon srv inet
*** Starting controller
c0
*** Starting 1 switches
s1 ...
*** Starting CLI:
mininet> startservers
*** Starting HTTP and SSH services on srv
*** Starting HTTP service on inet
mininet> mon tcpdump > mon.log &
mininet> test_fw_short
**testing from h1
request from h1 to inet ssh: timeout
request from h1 to srv web: success
request from h1 to inet web: success
request from h1 to srv ssh: success
**testing from h2
request from h2 to inet ssh: timeout
request from h2 to srv web: success
request from h2 to inet web: timeout
request from h2 to srv ssh: timeout
**testing from srv
request from srv to inet ssh: timeout
request from srv to srv web: success
request from srv to inet web: timeout
request from srv to srv ssh: success
**testing from inet
request from inet to inet ssh: refused
request from inet to srv web: success
request from inet to inet web: success
request from inet to srv ssh: timeout
```

Output of `mon tcpdump`:

```
15:35:02.341636 IP 10.0.0.1.50582 > 10.0.0.4.9090: Flags [S], seq 227157105,\
 win 42340, options [mss 1460,sackOK,TS val 4118380035 ecr 0,nop,wscale 9],\
 length 0
15:35:02.432735 IP 10.0.0.1.50582 > 10.0.0.4.9090: Flags [.], ack 1595977888,\
 win 83, options [nop,nop,TS val 4118380131 ecr 3082979415], length 0
15:35:02.459179 IP 10.0.0.1.50582 > 10.0.0.4.9090: Flags [P.], seq 0:77,\
 ack 1, win 83, options [nop,nop,TS val 4118380131 ecr 3082979415],\
 length 7
15:35:03.046611 IP 10.0.0.1.50582 > 10.0.0.4.9090: Flags [.], ack 18, win 83,\
 options [nop,nop,TS val 4118380733 ecr 3082980034], length 0
15:35:03.088720 IP 10.0.0.1.50582 > 10.0.0.4.9090: Flags [F.], seq 77,\
 ack 203, win 83, options [nop,nop,TS val 4118380778 ecr 3082980034],\
 length 0
15:35:04.092778 IP 10.0.0.2.33684 > 10.0.0.4.http-alt: Flags [S],\
 seq 944671468, win 42340, options [mss 1460,sackOK,TS val 3330840524\
 ecr 0,nop,wscale 9], length 0
15:35:04.192709 IP 10.0.0.2.33684 > 10.0.0.4.http-alt: Flags [.], ack\
 1707831611, win 83, options [nop,nop,TS val 3330840604 ecr 974523551],\
 length 0
15:35:04.213736 IP 10.0.0.2.33684 > 10.0.0.4.http-alt: Flags [P.], seq 0:77,\
 ack 1, win 83, options [nop,nop,TS val 3330840604 ecr 974523551],\
 length 77: HTTP: GET / HTTP/1.1
15:35:04.801320 IP 10.0.0.2.33684 > 10.0.0.4.http-alt: Flags [.], ack 18,\
 win 83, options [nop,nop,TS val 3330841216 ecr 974524172], length 0
15:35:04.844728 IP 10.0.0.2.33684 > 10.0.0.4.http-alt: Flags [F.], seq 77,\
 ack 213, win 83, options [nop,nop,TS val 3330841260 ecr 974524172],\
 length 0
```

#### Monitoring Firewall with QoS:

The monitoring firewall with QoS is a bit tricky to test: because the QoS only sees packets passing the firewall, we cannot use the UDP sender and receiver for testing, as no UDP packets pass the firewall. The curl command alone cannot prove that QoS is working, because dropped packets are retransmitted by TCP. To prove that the setup works as intended we can instead look for these retransmitted TCP packets. For convenience we use Wireshark to capture all traffic on `mon`, because Wireshark highlights retransmitted TCP packets.

We started the Pyretic controller with `pyretic.py -v low -m r0 monitor_firewall_qos`:

```
student@sdnfp02:~/sdn-exercises/ex5$ pyretic.py -v low -m r0 monitor_firewall_qos
POX 0.5.0 (eel) / Copyright 2011-2014 James McCauley, et al.
Connected to pyretic frontend.
INFO:core:POX 0.5.0 (eel) is up.
INFO:openflow.of_01:[00-00-00-00-00-01 2] connected
Dropping every 10 packet from 00:00:00:00:00:02
Dropping every 6 packet from 00:00:00:00:01:01
Updating policies to:
Drop next packet with number 11 from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:01:01
Updating policies to:
Drop next packet with number 11 from 00:00:00:00:00:02
Drop next packet with number 7 from 00:00:00:00:01:01
Updating policies to:
Drop next packet with number 11 from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:01:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:01:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Drop next packet with number 13 from 00:00:00:00:01:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:01:01
Updating policies to:
Drop next packet with number 21 from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:01:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:01:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Drop next packet with number 19 from 00:00:00:00:01:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:01:01
[Until here we run the three curls on h2 to show the QoS is working behind the firewall.
Now we run the firewall test to show that the firewall is also working]
Dropping every 15 packet from 00:00:00:00:00:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Drop next packet with number 25 from 00:00:00:00:01:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Fwd packet from 00:00:00:00:01:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Drop next packet with number 31 from 00:00:00:00:01:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Fwd packet from 00:00:00:00:01:01
Dropping every 6 packet from 00:00:00:00:01:02
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Drop next packet with number 16 from 00:00:00:00:00:01
Fwd packet from 00:00:00:00:01:02
Fwd packet from 00:00:00:00:01:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Fwd packet from 00:00:00:00:01:02
Fwd packet from 00:00:00:00:01:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Drop next packet with number 7 from 00:00:00:00:01:02
Fwd packet from 00:00:00:00:01:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Fwd packet from 00:00:00:00:01:02
Fwd packet from 00:00:00:00:01:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Fwd packet from 00:00:00:00:01:02
Drop next packet with number 37 from 00:00:00:00:01:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Fwd packet from 00:00:00:00:01:02
Fwd packet from 00:00:00:00:01:01
Updating policies to:
Drop next packet with number 31 from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Fwd packet from 00:00:00:00:01:02
Fwd packet from 00:00:00:00:01:01
Updating policies to:
Drop next packet with number 31 from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Fwd packet from 00:00:00:00:01:02
Drop next packet with number 43 from 00:00:00:00:01:01
Updating policies to:
Drop next packet with number 31 from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Fwd packet from 00:00:00:00:01:02
Fwd packet from 00:00:00:00:01:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Fwd packet from 00:00:00:00:01:02
Fwd packet from 00:00:00:00:01:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Drop next packet with number 13 from 00:00:00:00:01:02
Fwd packet from 00:00:00:00:01:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Fwd packet from 00:00:00:00:01:02
Fwd packet from 00:00:00:00:01:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Fwd packet from 00:00:00:00:01:02
Drop next packet with number 49 from 00:00:00:00:01:01
Updating policies to:
Fwd packet from 00:00:00:00:00:02
Fwd packet from 00:00:00:00:00:01
Fwd packet from 00:00:00:00:01:02
Fwd packet from 00:00:00:00:01:01
```

Running the Mininet CLI:

```
student@sdnfp02:~/sdn-exercises/ex5$ sudo ./mininet5.py
=== Starting Mininet ===
Unable to contact the remote controller at 127.0.0.1:6653
Connecting to remote controller at 127.0.0.1:6633
*** Configuring hosts
h1 h2 mon srv inet
*** Starting controller
c0
*** Starting 1 switches
s1 ...
*** Starting CLI:
mininet> startservers
*** Starting HTTP and SSH services on srv
*** Starting HTTP service on inet
mininet> h2 curl http://10.0.0.4:8080
<html>Thanks for requesting this web page!</html>
mininet> h2 curl http://10.0.0.4:8080
<html>Thanks for requesting this web page!</html>
mininet> h2 curl http://10.0.0.4:8080
<html>Thanks for requesting this web page!</html>
mininet> test_fw_short
**testing from h1
request from h1 to inet ssh: timeout
request from h1 to srv web: success
request from h1 to inet web: success
request from h1 to srv ssh: success
**testing from h2
request from h2 to inet ssh: timeout
request from h2 to srv web: success
request from h2 to inet web: timeout
request from h2 to srv ssh: timeout
**testing from srv
request from srv to inet ssh: timeout
request from srv to srv web: success
request from srv to inet web: timeout
request from srv to srv ssh: success
**testing from inet
request from inet to inet ssh: refused
request from inet to srv web: success
request from inet to inet web: success
request from inet to srv ssh: timeout
```

Each curl command causes multiple TCP packets to be sent by `h2`.

![](https://i.imgur.com/jISloJm.png)

The black lines indicate retransmitted TCP packets. This proves that some packets are dropped by QoS after the firewall.

## 5.4: Comparison of Forwarding Policies

### Objectives:

Have a comparison of the space complexity of hypothetical flows of the blue and orange path throughout the network. Answer the question about which aspects Pyretic is not able to fully abstract from.

### Tasks:

Hypothetically implement a Pyretic module for routing across the given paths through the topology, namely `blue.py` and `orange.py`. Think about how such a policy would be mapped to OpenFlow rules.

### Assumptions:

- We do not have to implement the given topology and hence do not have to test our Pyretic module.

### Our Solution:

- The blue path is described entirely by just forwarding each packet out on port 2. This reduces the number of policies down to 1.
- The orange path has to be described almost entirely (only the FilterPolicies for switch 3 and switch 8 can be ORed into a single forward policy).

Pyretic is not able to fully abstract from the network topology, such as the given switch ports, etc. Also, in hardware, the number of installed flows will equal the hop count, which is the same for both paths.
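Looking back at the QoS module of 5.2 and the `(firewall >> qos) + monitor` composition of 5.3, the following Python model is an added example (not the lab's own Pyretic code) that reproduces the per-host counting policy and shows why the QoS behind the firewall never sees the UDP test traffic. Packets are plain dicts, the firewall rule is a hypothetical stand-in that only passes TCP, and the MAC addresses and intervals are constructed sample values; the dropped packet is counted like any other, which yields the 1-offset observed between the controller log and the udpreceiver numbering.

```python
import random


class CrudeQoS:
    """Per-source packet counter for the 'very crude QoS' described above.
    After every n-th packet from a host, the policy for that host switches to
    'drop' for exactly one packet and then back to 'fwd', producing the
    'Drop next packet with number k' / 'Fwd packet from' messages."""

    def __init__(self, interval=None):
        self.fixed = interval   # None: draw n = rand([5, 20]) per host, as the lab does
        self.n, self.count, self.policy, self.log = {}, {}, {}, []

    def handle(self, pkt):
        """Like update_count() in the text: count the packet (dropped ones too),
        return [pkt] if forwarded or [] if dropped, and re-arm the policy."""
        src = pkt["srcmac"]
        if src not in self.n:
            self.n[src] = self.fixed or random.randint(5, 20)
            self.count[src], self.policy[src] = 0, "fwd"
            self.log.append("Dropping every %d packet from %s" % (self.n[src], src))
        self.count[src] += 1
        if self.policy[src] == "drop":
            self.policy[src] = "fwd"
            self.log.append("Updating policies to: Fwd packet from %s" % src)
            return []
        if self.count[src] % self.n[src] == 0:
            self.policy[src] = "drop"
            self.log.append("Updating policies to: Drop next packet with number %d from %s"
                            % (self.count[src] + 1, src))
        return [pkt]


def dropped_numbers(n, total, src="00:00:00:00:00:02"):
    """0-indexed datagram numbers (udpsender's numbering) that never arrive when
    `src` sends `total` datagrams through a CrudeQoS with interval n."""
    qos = CrudeQoS(interval=n)
    return [i for i in range(total)
            if not qos.handle({"srcmac": src, "proto": "udp", "seq": i})]


# 5.3: a policy is a callable pkt -> list of output packets, so '>>' and '+'
# can be modelled as ordinary function combinators.
def sequential(a, b):
    """Pyretic '>>': b only sees what a lets through."""
    return lambda pkt: [out for mid in a(pkt) for out in b(mid)]


def parallel(a, b):
    """Pyretic '+': both policies see every packet; outputs are combined."""
    return lambda pkt: a(pkt) + b(pkt)


def firewall(pkt):
    """Hypothetical stand-in for the lab's firewall: UDP is blocked, TCP passes."""
    return [pkt] if pkt["proto"] == "tcp" else []


def run_monitor_firewall_qos(packets, interval=6):
    """(firewall >> qos) + monitor as in 5.3; returns (monitored, forwarded, qos counts)."""
    qos, seen = CrudeQoS(interval=interval), []
    monitor = lambda pkt: seen.append(pkt) or []      # observes, never forwards
    policy = parallel(sequential(firewall, qos.handle), monitor)
    forwarded = [out for pkt in packets for out in policy(pkt)]
    return len(seen), len(forwarded), dict(qos.count)
```

With interval 10 the model loses exactly datagrams 10, 20, ..., 290 of 300, and with interval 18 exactly 18, 36, ..., 288, matching the missing numbers in `srv.log` and `inet.log`; in the composition, UDP packets reach the monitor but never increment any QoS counter.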
