SlideShare a Scribd company logo

SDN and Security: some real-world experience

APNIC
APNIC

Presentation by Jeff Young at APRICOT 2018 on Tuesday, 27 February 2018.

Internet
1 of 13
SDN and Security Some real-world experience Jeff Young Product Architecture, Global Platforms
Agenda • Telstra Programmable Network • How do I view the problem? • Network vulnerabilities (Openflow, control plane, data plane) • Application vulnerabilities • Our Solution(s) • Research and Presentations
3 The Telstra Programmable Network (7) (3) (1) (5) (4) (2) (3) (1) (1) (1) (1) (1) NFV Farm Internet Breakout VPN Interconnect NFV Farm Sydney, Hong Kong, Tokyo, Singapore, Los Angeles, New Jersey, London Internet Sydney, Hong Kong, Tokyo, Singapore, Los Angeles, Secaucus New Jersey, London Telstra NextIP Interconnect Sydney, Melbourne IPVPN/GWAN Interconnect Hong Kong, Singapore, New Jersey, London External exchanges AWS (7), ECX (6), AxonVX (2), Epsilon (2), Westin (1) • Fortinet Fortigate NGFW • Fortinet Fortiweb vAppliance • Palo Alto VM-series • Cisco vASA • Cisco CSR1000v • Riverbed vSteelhead • VeloCloud • Juniper vSRX • Cisco Primare vNAM • FortiAnalyzer 35 Programmable Network PoPs in 17 cities and 11 countries and territories Directly connected to Telstra’s network of more than 2,000 points of presence in 200 countries Connect to leading public cloud providers via various DC Exchange providers How do I view the problem?
Openflow Basics 4 Network Attributes • Separation of control/data planes • Controller is smart, switches are dumb • switches act on simple match/act • switches have limited fwd tables • By use of a protocol, switches discovered • OFDP ~ LLDP • Controller has both north and southbound • Network traffic CAN prompt controller to • create forwarding rules • create drop rules • do something else? Telstra PN
Openflow Basics 5 Possible Attacks • Attack the controller/application (later) • Controller is smart, switches are dumb • overload the controller • overload the switch tables • By use of a protocol, switches discovered • snoop/react to OFDP • masquerade as a switch (send bad info) • Controller has both north and southbound • reveal controller patterns to identify • specific attacks on controller type • Network traffic CAN prompt controller to • create malicious rules Telstra PN
Openflow Basics 6 Possible Solutions • Protect controller/application (later) • Controller is smart, switches are dumb • drop unknown traffic rather than fwd • not always possible… • By use of a protocol, switches discovered • don’t use OFDP (or modify it) • LLDP encryption, BFD, (see research) • Controller has both north and southbound • write your own controller :-) • Network traffic CAN prompt controller to Telstra PN
Open Kilda
 7 HDFS HBASEKAFKA ZOOKEEPER STORM OpenTSDB TOPOLOGY ENGINE NORTHBOUNDAPI OPENFLOWSWITCH NEO4J Architecture
OpenKilda — a whole new controller 8
Application Security 9 Customer Driven (created) • Multiple canvases • Multi-tenant • Create flows (L2) between building blocks “Lego” Building Blocks: • IPVPN’s • Exchanges • VNF’s (in server farms) • Internet • Switch Ports • Bandwidth (on demand) Open Marketplace • Bring your own ’service’ One-Click “Deploy” • Guaranteed deploy time • Changes as-needed (self-provision)
10 https://www.youtube.com/watch?v=g16DSycaApo&t=198s Portal Experience
Application Security 11 Authentication • carry token at every step • both in the web UI • and in the API DOS • be vigilant at the API interface • ready/protected from DOS Future • P4 • product direction exposes _____ • who knows?
Research and Presentations: 12 A Security Enforcement Kernel for OpenFlow Networks Phillip Porras† Seungwon Shin‡ Vinod Yegneswaran† Martin Fong† Mabry Tyson† Guofei Gu‡ http://www.cs.columbia.edu/~lierranli/coms6998-8SDNFall2013/papers/FortNox- HotSDN2012.pdf sOFTDP: Secure and Efficient Topology Discovery Protocol for SDN Abdelhadi Azzouni1, Raouf Boutaba2, Nguyen Thi Mai Trang1, and Guy Pujolle1 https://arxiv.org/pdf/1705.04527.pdf A Survey on the Security of Stateful SDN Data Planes Tooska Dargahi, Alberto Caponi, Moreno Ambrosin, Giuseppe Bianchi, and Mauro Conti http://ieeexplore.ieee.org/document/7890396/ Data Plane Programmability the next step in SDN http://sites.ieee.org/netsoft/files/2017/07/Netsoft2017_Keynote_Bianchi.pdf
Thank you 13

Recommended

kali linux.pptx
kali linux.pptxkali linux.pptx
kali linux.pptxanumeha bhatnagar
 
Kali linux
Kali linuxKali linux
Kali linuxMaryamAlR
 
Kali linux
Kali linuxKali linux
Kali linuxHarsh Gor
 
2nd sdn interest group session2 (121218)
2nd sdn interest group session2 (121218)2nd sdn interest group session2 (121218)
2nd sdn interest group session2 (121218)NAIM Networks, Inc.
 
Kali Linux
Kali LinuxKali Linux
Kali LinuxShubham Agrawal
 
Kali linux summarised
Kali linux summarisedKali linux summarised
Kali linux summarisedSanchit Srivastava
 
Percepio Tracealyzer for FreeRTOS on MiniZED
Percepio Tracealyzer for FreeRTOS on MiniZEDPercepio Tracealyzer for FreeRTOS on MiniZED
Percepio Tracealyzer for FreeRTOS on MiniZEDVincent Claes
 
kali linux
kali linux kali linux
kali linux Avinash Hanwate
 

Recommended

kali linux.pptx
kali linux.pptxkali linux.pptx
kali linux.pptxanumeha bhatnagar
 
Kali linux
Kali linuxKali linux
Kali linuxMaryamAlR
 
Kali linux
Kali linuxKali linux
Kali linuxHarsh Gor
 
2nd sdn interest group session2 (121218)
2nd sdn interest group session2 (121218)2nd sdn interest group session2 (121218)
2nd sdn interest group session2 (121218)NAIM Networks, Inc.
 
Kali Linux
Kali LinuxKali Linux
Kali LinuxShubham Agrawal
 
Kali linux summarised
Kali linux summarisedKali linux summarised
Kali linux summarisedSanchit Srivastava
 
Percepio Tracealyzer for FreeRTOS on MiniZED
Percepio Tracealyzer for FreeRTOS on MiniZEDPercepio Tracealyzer for FreeRTOS on MiniZED
Percepio Tracealyzer for FreeRTOS on MiniZEDVincent Claes
 
kali linux
kali linux kali linux
kali linux Avinash Hanwate
 
Using Texas Instruments Code Composer Studio for The CC3200XL Launchpad
Using Texas Instruments Code Composer Studio for The CC3200XL LaunchpadUsing Texas Instruments Code Composer Studio for The CC3200XL Launchpad
Using Texas Instruments Code Composer Studio for The CC3200XL LaunchpadVincent Claes
 
penetration test using Kali linux ppt
penetration test using Kali linux pptpenetration test using Kali linux ppt
penetration test using Kali linux pptAbhayNaik8
 
Kali linux
Kali linux Kali linux
Kali linux Fa6ma_
 
Kali linux
Kali linuxKali linux
Kali linuxfutaimbinlahej
 
kali linux
kali linuxkali linux
kali linuxDarshan Dalwadi
 
kali linux Presentaion
kali linux Presentaion kali linux Presentaion
kali linux PresentaionDev Gandhi
 
Kali linux
Kali linuxKali linux
Kali linuxAadhithyanPandian
 
Your House is My House: Use of Offensive Enclaves In Adversarial Operations
Your House is My House: Use of Offensive Enclaves In Adversarial OperationsYour House is My House: Use of Offensive Enclaves In Adversarial Operations
Your House is My House: Use of Offensive Enclaves In Adversarial OperationsDimitry Snezhkov
 
IPv6 Security
IPv6 SecurityIPv6 Security
IPv6 SecuritySkeeve Stevens
 
Integrating a custom AXI IP Core in Vivado for Xilinx Zynq FPGA based embedde...
Integrating a custom AXI IP Core in Vivado for Xilinx Zynq FPGA based embedde...Integrating a custom AXI IP Core in Vivado for Xilinx Zynq FPGA based embedde...
Integrating a custom AXI IP Core in Vivado for Xilinx Zynq FPGA based embedde...Vincent Claes
 
Matriux blue
Matriux blueMatriux blue
Matriux blueInMobi Technology
 
Kalilinux
KalilinuxKalilinux
Kalilinuxhaha loser
 
Configuring Site-to-Site VPN's on ASA Firewalls
Configuring Site-to-Site VPN's on ASA FirewallsConfiguring Site-to-Site VPN's on ASA Firewalls
Configuring Site-to-Site VPN's on ASA FirewallsKelvin Charles
 
Between you me and the network security boundary
Between you me and the network security boundaryBetween you me and the network security boundary
Between you me and the network security boundaryPatrick Fussell
 
The Ransomware Threat: Tracking the Digitial Footprints
The Ransomware Threat: Tracking the Digitial FootprintsThe Ransomware Threat: Tracking the Digitial Footprints
The Ransomware Threat: Tracking the Digitial Footprintsk3vb0t
 
Kali Linux
Kali LinuxKali Linux
Kali LinuxChanchal Dabriya
 
ION Toronto - IETF Update
ION Toronto - IETF UpdateION Toronto - IETF Update
ION Toronto - IETF UpdateDeploy360 Programme (Internet Society)
 
St Louis Linux Users Group Wireguard (for Fun and Networking)
St Louis Linux Users Group Wireguard (for Fun and Networking)St Louis Linux Users Group Wireguard (for Fun and Networking)
St Louis Linux Users Group Wireguard (for Fun and Networking)Andrew Denner
 
Developing micro controller applications
Developing micro controller applicationsDeveloping micro controller applications
Developing micro controller applicationsSteve Mylroie
 
Elastix4.0 High Availability without ElastixHA module
Elastix4.0 High Availability without ElastixHA moduleElastix4.0 High Availability without ElastixHA module
Elastix4.0 High Availability without ElastixHA moduleHani Perkasa
 
Introduction to SDN
Introduction to SDNIntroduction to SDN
Introduction to SDNMuhammad Moinur Rahman
 
Introduction to OpenNetwork and SDN
Introduction to OpenNetwork and SDNIntroduction to OpenNetwork and SDN
Introduction to OpenNetwork and SDNHungWei Chiu
 

More Related Content

What's hot

Using Texas Instruments Code Composer Studio for The CC3200XL Launchpad
Using Texas Instruments Code Composer Studio for The CC3200XL LaunchpadUsing Texas Instruments Code Composer Studio for The CC3200XL Launchpad
Using Texas Instruments Code Composer Studio for The CC3200XL LaunchpadVincent Claes
 
penetration test using Kali linux ppt
penetration test using Kali linux pptpenetration test using Kali linux ppt
penetration test using Kali linux pptAbhayNaik8
 
Kali linux
Kali linux Kali linux
Kali linux Fa6ma_
 
kali linux Presentaion
kali linux Presentaion kali linux Presentaion
kali linux PresentaionDev Gandhi
 
Your House is My House: Use of Offensive Enclaves In Adversarial Operations
Your House is My House: Use of Offensive Enclaves In Adversarial OperationsYour House is My House: Use of Offensive Enclaves In Adversarial Operations
Your House is My House: Use of Offensive Enclaves In Adversarial OperationsDimitry Snezhkov
 
Integrating a custom AXI IP Core in Vivado for Xilinx Zynq FPGA based embedde...
Integrating a custom AXI IP Core in Vivado for Xilinx Zynq FPGA based embedde...Integrating a custom AXI IP Core in Vivado for Xilinx Zynq FPGA based embedde...
Integrating a custom AXI IP Core in Vivado for Xilinx Zynq FPGA based embedde...Vincent Claes
 
Configuring Site-to-Site VPN's on ASA Firewalls
Configuring Site-to-Site VPN's on ASA FirewallsConfiguring Site-to-Site VPN's on ASA Firewalls
Configuring Site-to-Site VPN's on ASA FirewallsKelvin Charles
 
Between you me and the network security boundary
Between you me and the network security boundaryBetween you me and the network security boundary
Between you me and the network security boundaryPatrick Fussell
 
The Ransomware Threat: Tracking the Digitial Footprints
The Ransomware Threat: Tracking the Digitial FootprintsThe Ransomware Threat: Tracking the Digitial Footprints
The Ransomware Threat: Tracking the Digitial Footprintsk3vb0t
 
St Louis Linux Users Group Wireguard (for Fun and Networking)
St Louis Linux Users Group Wireguard (for Fun and Networking)St Louis Linux Users Group Wireguard (for Fun and Networking)
St Louis Linux Users Group Wireguard (for Fun and Networking)Andrew Denner
 
Developing micro controller applications
Developing micro controller applicationsDeveloping micro controller applications
Developing micro controller applicationsSteve Mylroie
 
Elastix4.0 High Availability without ElastixHA module
Elastix4.0 High Availability without ElastixHA moduleElastix4.0 High Availability without ElastixHA module
Elastix4.0 High Availability without ElastixHA moduleHani Perkasa
 

What's hot (20)

Using Texas Instruments Code Composer Studio for The CC3200XL Launchpad
Using Texas Instruments Code Composer Studio for The CC3200XL LaunchpadUsing Texas Instruments Code Composer Studio for The CC3200XL Launchpad
Using Texas Instruments Code Composer Studio for The CC3200XL Launchpad
 
penetration test using Kali linux ppt
penetration test using Kali linux pptpenetration test using Kali linux ppt
penetration test using Kali linux ppt
 
Kali linux
Kali linux Kali linux
Kali linux
 
Kali linux
Kali linuxKali linux
Kali linux
 
kali linux
kali linuxkali linux
kali linux
 
kali linux Presentaion
kali linux Presentaion kali linux Presentaion
kali linux Presentaion
 
Kali linux
Kali linuxKali linux
Kali linux
 
Your House is My House: Use of Offensive Enclaves In Adversarial Operations
Your House is My House: Use of Offensive Enclaves In Adversarial OperationsYour House is My House: Use of Offensive Enclaves In Adversarial Operations
Your House is My House: Use of Offensive Enclaves In Adversarial Operations
 
IPv6 Security
IPv6 SecurityIPv6 Security
IPv6 Security
 
Integrating a custom AXI IP Core in Vivado for Xilinx Zynq FPGA based embedde...
Integrating a custom AXI IP Core in Vivado for Xilinx Zynq FPGA based embedde...Integrating a custom AXI IP Core in Vivado for Xilinx Zynq FPGA based embedde...
Integrating a custom AXI IP Core in Vivado for Xilinx Zynq FPGA based embedde...
 
Matriux blue
Matriux blueMatriux blue
Matriux blue
 
Kalilinux
KalilinuxKalilinux
Kalilinux
 
Configuring Site-to-Site VPN's on ASA Firewalls
Configuring Site-to-Site VPN's on ASA FirewallsConfiguring Site-to-Site VPN's on ASA Firewalls
Configuring Site-to-Site VPN's on ASA Firewalls
 
Between you me and the network security boundary
Between you me and the network security boundaryBetween you me and the network security boundary
Between you me and the network security boundary
 
The Ransomware Threat: Tracking the Digitial Footprints
The Ransomware Threat: Tracking the Digitial FootprintsThe Ransomware Threat: Tracking the Digitial Footprints
The Ransomware Threat: Tracking the Digitial Footprints
 
Kali Linux
Kali LinuxKali Linux
Kali Linux
 
ION Toronto - IETF Update
ION Toronto - IETF UpdateION Toronto - IETF Update
ION Toronto - IETF Update
 
St Louis Linux Users Group Wireguard (for Fun and Networking)
St Louis Linux Users Group Wireguard (for Fun and Networking)St Louis Linux Users Group Wireguard (for Fun and Networking)
St Louis Linux Users Group Wireguard (for Fun and Networking)
 
Developing micro controller applications
Developing micro controller applicationsDeveloping micro controller applications
Developing micro controller applications
 
Elastix4.0 High Availability without ElastixHA module
Elastix4.0 High Availability without ElastixHA moduleElastix4.0 High Availability without ElastixHA module
Elastix4.0 High Availability without ElastixHA module
 

Similar to SDN and Security: some real-world experience

Introduction to OpenNetwork and SDN
Introduction to OpenNetwork and SDNIntroduction to OpenNetwork and SDN
Introduction to OpenNetwork and SDNHungWei Chiu
 
OpenKilda: Stream Processing Meets Openflow
OpenKilda: Stream Processing Meets OpenflowOpenKilda: Stream Processing Meets Openflow
OpenKilda: Stream Processing Meets OpenflowAPNIC
 
Operators experience and perspective on SDN with VLANs and L3 Networks
Operators experience and perspective on SDN with VLANs and L3 NetworksOperators experience and perspective on SDN with VLANs and L3 Networks
Operators experience and perspective on SDN with VLANs and L3 NetworksJakub Pavlik
 
Zephyr Introduction - Nordic Webinar - Sept. 24.pdf
Zephyr Introduction - Nordic Webinar - Sept. 24.pdfZephyr Introduction - Nordic Webinar - Sept. 24.pdf
Zephyr Introduction - Nordic Webinar - Sept. 24.pdfAswathRangaraj1
 
2017 - LISA - LinkedIn's Distributed Firewall (DFW)
2017 - LISA - LinkedIn's Distributed Firewall (DFW)2017 - LISA - LinkedIn's Distributed Firewall (DFW)
2017 - LISA - LinkedIn's Distributed Firewall (DFW)Mike Svoboda
 
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack NetworkingONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networkingmarkmcclain
 
SDN, ONOS, and Network Virtualization
SDN, ONOS, and Network VirtualizationSDN, ONOS, and Network Virtualization
SDN, ONOS, and Network Virtualizationsangyun han
 
Open vSwitch Introduction
Open vSwitch IntroductionOpen vSwitch Introduction
Open vSwitch IntroductionHungWei Chiu
 
What is SDN and how to approach it with Python
What is SDN and how to approach it with PythonWhat is SDN and how to approach it with Python
What is SDN and how to approach it with PythonJustin Park
 
Stratum: Next-Gen SDN (beyond OpenFlow)
Stratum: Next-Gen SDN (beyond OpenFlow)Stratum: Next-Gen SDN (beyond OpenFlow)
Stratum: Next-Gen SDN (beyond OpenFlow)PLVision
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar Santhosh Kumar
 
Cumulus networks - Overcoming traditional network limitations with open source
Cumulus networks - Overcoming traditional network limitations with open sourceCumulus networks - Overcoming traditional network limitations with open source
Cumulus networks - Overcoming traditional network limitations with open sourceNat Morris
 
Red Hat demo of OpenStack and ODL at ODL summit 2016
Red Hat demo of OpenStack and ODL at ODL summit 2016 Red Hat demo of OpenStack and ODL at ODL summit 2016
Red Hat demo of OpenStack and ODL at ODL summit 2016 RedHatTelco
 
Integrate Kubernetes into CORD(Central Office Re-architected as a Datacenter)
Integrate Kubernetes into CORD(Central Office Re-architected as a Datacenter)Integrate Kubernetes into CORD(Central Office Re-architected as a Datacenter)
Integrate Kubernetes into CORD(Central Office Re-architected as a Datacenter)inwin stack
 

Similar to SDN and Security: some real-world experience (20)

Introduction to SDN
Introduction to SDNIntroduction to SDN
Introduction to SDN
 
Introduction to OpenNetwork and SDN
Introduction to OpenNetwork and SDNIntroduction to OpenNetwork and SDN
Introduction to OpenNetwork and SDN
 
OpenKilda: Stream Processing Meets Openflow
OpenKilda: Stream Processing Meets OpenflowOpenKilda: Stream Processing Meets Openflow
OpenKilda: Stream Processing Meets Openflow
 
Operators experience and perspective on SDN with VLANs and L3 Networks
Operators experience and perspective on SDN with VLANs and L3 NetworksOperators experience and perspective on SDN with VLANs and L3 Networks
Operators experience and perspective on SDN with VLANs and L3 Networks
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
 
Introductionto SDN
Introductionto SDN Introductionto SDN
Introductionto SDN
 
Zephyr Introduction - Nordic Webinar - Sept. 24.pdf
Zephyr Introduction - Nordic Webinar - Sept. 24.pdfZephyr Introduction - Nordic Webinar - Sept. 24.pdf
Zephyr Introduction - Nordic Webinar - Sept. 24.pdf
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
 
2017 - LISA - LinkedIn's Distributed Firewall (DFW)
2017 - LISA - LinkedIn's Distributed Firewall (DFW)2017 - LISA - LinkedIn's Distributed Firewall (DFW)
2017 - LISA - LinkedIn's Distributed Firewall (DFW)
 
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack NetworkingONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
 
SDN, ONOS, and Network Virtualization
SDN, ONOS, and Network VirtualizationSDN, ONOS, and Network Virtualization
SDN, ONOS, and Network Virtualization
 
Open vSwitch Introduction
Open vSwitch IntroductionOpen vSwitch Introduction
Open vSwitch Introduction
 
What is SDN and how to approach it with Python
What is SDN and how to approach it with PythonWhat is SDN and how to approach it with Python
What is SDN and how to approach it with Python
 
Stratum: Next-Gen SDN (beyond OpenFlow)
Stratum: Next-Gen SDN (beyond OpenFlow)Stratum: Next-Gen SDN (beyond OpenFlow)
Stratum: Next-Gen SDN (beyond OpenFlow)
 
Software defined networking: Primer
Software defined networking: PrimerSoftware defined networking: Primer
Software defined networking: Primer
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
 
Cumulus networks - Overcoming traditional network limitations with open source
Cumulus networks - Overcoming traditional network limitations with open sourceCumulus networks - Overcoming traditional network limitations with open source
Cumulus networks - Overcoming traditional network limitations with open source
 
Red Hat demo of OpenStack and ODL at ODL summit 2016
Red Hat demo of OpenStack and ODL at ODL summit 2016 Red Hat demo of OpenStack and ODL at ODL summit 2016
Red Hat demo of OpenStack and ODL at ODL summit 2016
 
State of the OpenDaylight Union
State of the OpenDaylight UnionState of the OpenDaylight Union
State of the OpenDaylight Union
 
Integrate Kubernetes into CORD(Central Office Re-architected as a Datacenter)
Integrate Kubernetes into CORD(Central Office Re-architected as a Datacenter)Integrate Kubernetes into CORD(Central Office Re-architected as a Datacenter)
Integrate Kubernetes into CORD(Central Office Re-architected as a Datacenter)
 

More from APNIC

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAPNIC
 

More from APNIC (20)

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
 

Recently uploaded

FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663Call Girls Mumbai
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewingbigorange77
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一3sw2qly1
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaimessage0108
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 

Recently uploaded (20)

FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewing
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of india
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
 

SDN and Security: some real-world experience

  • 1. SDN and Security Some real-world experience Jeff Young Product Architecture, Global Platforms
  • 2. Agenda • Telstra Programmable Network • How do I view the problem? • Network vulnerabilities (Openflow, control plane, data plane) • Application vulnerabilities • Our Solution(s) • Research and Presentations
  • 3. 3 The Telstra Programmable Network (7) (3) (1) (5) (4) (2) (3) (1) (1) (1) (1) (1) NFV Farm Internet Breakout VPN Interconnect NFV Farm Sydney, Hong Kong, Tokyo, Singapore, Los Angeles, New Jersey, London Internet Sydney, Hong Kong, Tokyo, Singapore, Los Angeles, Secaucus New Jersey, London Telstra NextIP Interconnect Sydney, Melbourne IPVPN/GWAN Interconnect Hong Kong, Singapore, New Jersey, London External exchanges AWS (7), ECX (6), AxonVX (2), Epsilon (2), Westin (1) • Fortinet Fortigate NGFW • Fortinet Fortiweb vAppliance • Palo Alto VM-series • Cisco vASA • Cisco CSR1000v • Riverbed vSteelhead • VeloCloud • Juniper vSRX • Cisco Primare vNAM • FortiAnalyzer 35 Programmable Network PoPs in 17 cities and 11 countries and territories Directly connected to Telstra’s network of more than 2,000 points of presence in 200 countries Connect to leading public cloud providers via various DC Exchange providers How do I view the problem?
  • 4. Openflow Basics 4 Network Attributes • Separation of control/data planes • Controller is smart, switches are dumb • switches act on simple match/act • switches have limited fwd tables • By use of a protocol, switches discovered • OFDP ~ LLDP • Controller has both north and southbound • Network traffic CAN prompt controller to • create forwarding rules • create drop rules • do something else? Telstra PN
  • 5. Openflow Basics 5 Possible Attacks • Attack the controller/application (later) • Controller is smart, switches are dumb • overload the controller • overload the switch tables • By use of a protocol, switches discovered • snoop/react to OFDP • masquerade as a switch (send bad info) • Controller has both north and southbound • reveal controller patterns to identify • specific attacks on controller type • Network traffic CAN prompt controller to • create malicious rules Telstra PN
  • 6. Openflow Basics 6 Possible Solutions • Protect controller/application (later) • Controller is smart, switches are dumb • drop unknown traffic rather than fwd • not always possible… • By use of a protocol, switches discovered • don’t use OFDP (or modify it) • LLDP encryption, BFD, (see research) • Controller has both north and southbound • write your own controller :-) • Network traffic CAN prompt controller to Telstra PN
  • 7. Open Kilda
 7 HDFS HBASEKAFKA ZOOKEEPER STORM OpenTSDB TOPOLOGY ENGINE NORTHBOUNDAPI OPENFLOWSWITCH NEO4J Architecture
  • 8. OpenKilda — a whole new controller 8
  • 9. Application Security 9 Customer Driven (created) • Multiple canvases • Multi-tenant • Create flows (L2) between building blocks “Lego” Building Blocks: • IPVPN’s • Exchanges • VNF’s (in server farms) • Internet • Switch Ports • Bandwidth (on demand) Open Marketplace • Bring your own ’service’ One-Click “Deploy” • Guaranteed deploy time • Changes as-needed (self-provision)
  • 11. Application Security 11 Authentication • carry token at every step • both in the web UI • and in the API DOS • be vigilant at the API interface • ready/protected from DOS Future • P4 • product direction exposes _____ • who knows?
  • 12. Research and Presentations: 12 A Security Enforcement Kernel for OpenFlow Networks Phillip Porras† Seungwon Shin‡ Vinod Yegneswaran† Martin Fong† Mabry Tyson† Guofei Gu‡ http://www.cs.columbia.edu/~lierranli/coms6998-8SDNFall2013/papers/FortNox- HotSDN2012.pdf sOFTDP: Secure and Efficient Topology Discovery Protocol for SDN Abdelhadi Azzouni1, Raouf Boutaba2, Nguyen Thi Mai Trang1, and Guy Pujolle1 https://arxiv.org/pdf/1705.04527.pdf A Survey on the Security of Stateful SDN Data Planes Tooska Dargahi, Alberto Caponi, Moreno Ambrosin, Giuseppe Bianchi, and Mauro Conti http://ieeexplore.ieee.org/document/7890396/ Data Plane Programmability the next step in SDN http://sites.ieee.org/netsoft/files/2017/07/Netsoft2017_Keynote_Bianchi.pdf