SDN and NFV

2024 Spring Project Course, KTH

This is a course project from IK2220 Software Defined Networking (SDN) and Network Function Virtualization (NFV). Please refer to the Github public archive for explanations and implementation details.

Introduction

The goal of the project is to give you hands-on experience in practical SDN & NFV implementations. You should learn how to:

• Emulate network infrastructure,
• Generate traffic patterns using well-known tools,
• Launch and program an SDN controller,
• Instruct the data plane devices using both SDN and NFV techniques,
• Build a simple web-ui that extract data from the network
• Capture the state of any device in the network,
• Capture traffic to inspect the message exchanges,
• Implement advanced network functions (i.e., firewall, load balancer, NAPT, and IDS).

Phase 1 (SDN)

In the first phase, you will use SDN tools to implement a small topology shown in Figure 1. The goal of phase one is to start playing with Mininet, a system to simulate a network, and OpenFlow, an SDN protocol that allows the OpenFlow-enabled switches to communicate with an SDN controller, in our case, POX.

A simple Cloud Topology with three main zones. A public zone(PbZ) that sits close to the Internet, a protected, demilitarized zone (DmZ) that contains servers (Web) and a private zone (PrZ) that contains cloud resources (e.g. VMs). In phase 1, all the network elements are L2 switches and all hosts belong to the same subnet (100.0.0/24).

Implementations

1. In topology/topology.py, setting up hosts, switches and links.
2. In applications/sdn/baseController.py, handling switches with its own dpid and setting up the MAC table.
3. In applications/sdn/baseFirewall.py, defining basic operation and action matching functions for a firewall.
4. In applications/sdn/networkFirewalls.py, setting detailed rules (src, dst, port, protocol, action, etc.) for the specific firewalls.
5. In applications/sdn/webserver.py, setting up web server scripts and corresponding page with @app.route('/path').
6. In topology/topology_test.py and /topology/testing.py, setting testing scenarios and corresponding condition checking.
7. In Makefile, automating make process with script and generating report.

Results

In test, all cases pass and the web server could be reached at port 8080.

[ws1] Web server start:80
[ws2] Web server start:80
[ws3] Web server start:80
h1 ping h2 working as expected, ping True
h2 ping h1 working as expected, ping True
h3 ping h4 working as expected, ping True
h4 ping h3 working as expected, ping True
h3 ping h1 working as expected, ping True
h1 ping h3 working as expected, ping False
h3 ping h2 working as expected, ping True
h2 ping h3 working as expected, ping False
h4 ping h1 working as expected, ping True
h1 ping h4 working as expected, ping False
h4 ping h2 working as expected, ping True
h2 ping h4 working as expected, ping False
h1 ping ws1 working as expected, ping False
h2 ping ws1 working as expected, ping False
h3 ping ws1 working as expected, ping False
h4 ping ws1 working as expected, ping False
h1 http request ws1 successfully
h3 http request ws1 successfully
h1 http request ws2 successfully
h3 http request ws2 successfully
h1 http request ws3 successfully
h3 http request ws3 successfully
Passed 22/22 tests.

Phase 2 (SDN+NFV)

In the second phase, we will complete the topology by adding four new nodes, as follows:

• A load balancer (lb1) is added between the core switch (sw2) and the three web servers ensuring that incoming requests, which target the virtual IP, will be modified accordingly with the destination IP address of a server in a round-robin fashion. Switch sw4 is used to connect the load balancer with the Web cluster.
• An Intrusion Detection System (IDS) module is added before lb1 to inspect the incoming packets. This module will search at the incoming packets’ payload for certain “suspicious” patterns. If such a pattern is identified, the packet will be redirected to the inspector (insp) server for further processing. Otherwise, legal traffic will pass through.
• A Network Address and Port Translator (NAPT) that translates the private IP addresses of hosts in PrZ into public IP addresses within the range of DmZ and PbZ.

Cloud Topology with three main zones. A public zone(PbZ) that sits close to the Internet, a protected, demilitarized zone (DmZ) that contains servers (Web) and a private zone (PrZ) that contains cloud resources (e.g. VMs).

Implementations

1. Updating files to adapt to the new topology.
2. In applications/nfv/ids.click, classifying incoming traffic and sending those packets with mismatched patterns to inspector (insp), which would generate the records.
3. In applications/nfv/lb.click, load balancing incoming traffic to 3 web servers in round-robin fashion, and setting direct return chain from server side.
4. In applications/nfv/napt.click, matching TCP and ICMP packets and performing network address transformation with IPRewriter() and ICMPPingRewriter().
5. In applications/sdn/click_wrapper.py, finishing the script wrapper to python functions.

Results

In test, all cases pass and the web server could be reached at port 8080. The corresponding reports (as well as stream printing outputs) are stored under results and an insp.pcap dumping file is generated.

[ws1] Web server start:80
[ws2] Web server start:80
[ws3] Web server start:80
tcpdump on insp start
----------- Basic Ping Test-----------
h1 ping h2 working as expected, ping True
h3 ping h4 working as expected, ping True
h3 ping h1 working as expected, ping True
h1 ping h3 working as expected, ping False
h3 ping h2 working as expected, ping True
h2 ping h3 working as expected, ping False
h1 ping ws1 working as expected, ping False
h3 ping ws1 working as expected, ping False
----------- Virtual Address Ping Test-----------
h1 ping virtual IP  100.0.0.45  working as expected, ping True
h2 ping virtual IP  100.0.0.45  working as expected, ping True
h3 ping virtual IP  100.0.0.45  working as expected, ping True
h4 ping virtual IP  100.0.0.45  working as expected, ping True
----------- HTTP method Test-----------
h1 operates GET IDS System works correctly
h1 operates POST IDS System works correctly
h1 operates PUT IDS System works correctly
----------- Linux and SQL code injection Test-----------
h1 operates PUT IDS System works correctly
h1 operates PUT IDS System works correctly
h1 operates PUT IDS System works correctly
h1 operates PUT IDS System works correctly
h1 operates PUT IDS System works correctly
Passed 20/20 tests.

Thanks for reading.