README
Preinstall
--------
p4
Run
--------
```sh
$ ./compile_bmv2.sh
$ sudo ./network.py
$ ./send_cmd.sh
mininet> xterm h1 h2
(h1)$ ./sender.py
(h2)$ ./receiver.py
```
Clear Env
--------
```sh
$ sudo mn --clean
```
Description
--------
Monitor
* Traffic monitor (count-min sketch with 3 hashes)
* IP 3-tuple as key
* Constant threshold for heavy-hitter detection
* Timestamp window to exclude counts that are too old
* Split flows across different proxies according to client IP
Proxy
* 2^n proxies to share the redirect load (TODO; 2 used for the PoC)
* Redirect client packets and send them back
Token
* Add a token between the IP header and the TCP header
* Currently the token is fixed. A real token should, for example, be generated by an RNG with keys shared by the "token switch" and the "verifier switch"
Verifier(P4 switch)
* Check token
* Drop packet if invalid
Bi-directional support
* client <-> Proxy <-> Server
Packet handle
* Currently only IPv4 and ARP packets are handled; others are ignored
Topology
--------
See concept/
Testing
--------
[Connectivity]
* Test 1: Client to Proxy
c0 ping/nc h11(eth0)
c1 ping/nc h12(eth0)
c2 ping/nc h11(eth0)
c0 and c2 are directed to h11, so c0 and c2 can only ping/nc h11 (through eth0). Likewise, c1 can only reach h12.
* Proxy to Server
h11(eth1) ping/nc h2
h12(eth1) ping/nc h2
* Attacker
c3 ping/nc h2
Packets from c3 are dropped since they don't carry a token.
[Monitor]
c0 ping/nc h11(eth0)
c1 and c2 can also be used in this test
If too many packets are sent to the monitor, heavy hitters are dropped. Counts whose arrival time falls before the current timestamp window are reset, so a heavy hitter is considered non-heavy again once it stops sending packets for a while.
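The monitor behaviour described in Description and in this test (3-hash count-min sketch, constant threshold, timestamp-window reset), modelled as an added Python example; this is not the repository's P4 program or scripts, and the 3-tuple fields, register width, threshold and window length are assumed values:

```python
import hashlib

N_HASHES = 3           # count-min sketch rows, as in the README
WIDTH = 64             # counters per row (assumed register size)
THRESHOLD = 10         # constant heavy-hitter threshold (assumed value)
WINDOW_US = 1_000_000  # timestamp window length in microseconds (assumed)


def _index(key, row):
    """Hash the 3-tuple with a per-row salt into a column in [0, WIDTH)."""
    data = f"{row}|{key[0]}|{key[1]}|{key[2]}".encode()
    digest = hashlib.blake2b(data, digest_size=4).digest()
    return int.from_bytes(digest, "big") % WIDTH


class Monitor:
    """Software model of the monitor switch: a 3-row count-min sketch plus a
    per-counter window stamp that resets counts left over from older windows."""

    def __init__(self):
        self.counts = [[0] * WIDTH for _ in range(N_HASHES)]
        self.window = [[0] * WIDTH for _ in range(N_HASHES)]

    def observe(self, key, ts_us):
        """Count one packet of flow `key` seen at `ts_us`; return True if the
        flow's estimate now exceeds THRESHOLD (the switch would drop it)."""
        cur = ts_us // WINDOW_US
        estimate = None
        for row in range(N_HASHES):
            col = _index(key, row)
            if self.window[row][col] != cur:   # stale count from an old window
                self.counts[row][col] = 0
                self.window[row][col] = cur
            self.counts[row][col] += 1
            c = self.counts[row][col]
            estimate = c if estimate is None else min(estimate, c)
        return estimate > THRESHOLD


def run_demo():
    """Constructed traffic: one client flow bursts 20 packets in window 0,
    then is silent until window 3. Returns (dropped_in_burst, dropped_later)."""
    m = Monitor()
    flow = ("10.0.0.1", "10.0.1.1", 6)  # constructed (src, dst, proto) key
    dropped = sum(m.observe(flow, t) for t in range(20))
    return dropped, m.observe(flow, 3 * WINDOW_US)


if __name__ == "__main__":
    print(run_demo())  # (10, False)
```

The burst exceeds the threshold after the 10th packet, so the last 10 are dropped; after an idle window the stale counters are reset and the same flow is admitted again.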