Transcript 6MoN plus

6MoN plus: geographically distributed dual stack network monitoring
Speaker: Abraham Gebrehiwot
#TNC16 | #IIT-CNR | #6MoN
Present-day Internet architecture
[Diagram labels: IPv6, 6to4 router, 6to4 relay]
Dual-stack (IPv4/IPv6) network monitoring
★ Oftentimes, maybe unknown to us, IPv6 is already up and running on our devices.
★ We need a tool to simplify the management and monitoring of dual-stack networks, with three fixed goals:
○ understand the behavior of networks and hosts;
○ resolve any network anomalies;
○ monitor the IPv4/IPv6 address utilization.
Geo-distributed network monitoring
★ Managing and monitoring a geo-distributed network is not a simple task:
○ we need to be physically connected to the remote network in order to gather some traffic;
○ present-day Internet architecture does not help:
■ Firewalls and NATs might be found!
★ We need a distributed monitoring tool accessible from a single GUI.
6MoN plus - what does it offer?
★ it detects, mitigates and reports rogue IPv6 Router Advertisements;
★ it monitors network address utilization by finding associations between IPv4, IPv6, MAC addresses, DUIDs, Usernames, etc. within a period of time;
★ it inspects routers' IPv6 neighbor caches using the SNMP protocol;
★ it detects and reports the presence of rogue DHCPv4 servers.
★ L2 loop detection
★ IPv4 address collision
★ MacFind
★ remote controlling of the probes and the installed modules
★ NAT and Firewall traversal
★ privilege-based multi-user management
★ efficient and better algorithms
6MoN plus - comparison with other solutions
★ Rogue router advertisement mitigation
○ RA-guard: L2 filtering of rogue router advertisements
○ SEcure Neighbor Discovery (SEND): cryptographic method
○ Host-based packet filtering
○ 6MoN: previously developed by our team
○ NDPMon - dual stack network monitoring tool (remote monitoring modules are not stable for production use)
★ DHCP Monitoring: L2 filtering
6MoN plus - development team
Filippo Lauria
Claudio Porta
Andrea De Vita
Abraham Gebrehiwot
6MoN plus - system architecture
hybrid architecture:
distributed back-end: N Probes and a central Core;
multi-tier front-end.
[Diagram labels: back-end, front-end, Probe 1, Probe 2, Probe N, Core, DB, GUI]
6MoN plus - backend behavior
Probe: a remote application able to gather and extract relevant information from the network traffic;
Core: process able to collect and manage data incoming from the probes;
Features: NAT and Firewall Traversal
Communication: control plane, data plane
[Diagram labels: Probe 1, Probe 2, Probe N, Core, DB]
6MoN plus - front end behavior
Probe: a remote application able to gather and extract relevant information from the network traffic;
Core: process able to collect and manage data incoming from the probes;
GUI: to easily allow access, configuration and control of the system.
[Diagram labels: Probe 1, Probe 2, Probe N, Core, DB, GUI]
6MoN plus - backend gathering information
★ In order to synthesize the information, a probe performs a few simple tasks:
○ select only the relevant pieces of information
■ e.g. from an ARP packet we need to know only the SW_ADDR (IP Address) and HW_ADDR (MAC Address) fields
○ reduce transmission of information (to the core), using a caching system
6MoN plus - probe’s caching system
★ Threshold-based caching system (simplified version):
○ Time-based (default: 30 seconds)
○ Based on number of processed packets (default: 30 packets)
[Diagram: Packet Sniffer, ARP Processing Unit, Caching System. Branches: hit: update counting threshold, don't send; thresholds expired: erase entry; miss: insert new entry, send to core]
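The threshold-based cache on this slide, sketched as an added Python example (not 6MoN plus source code). It assumes the cache is keyed on the (IP, MAC) pair, that thresholds are checked on lookup, and that an expired entry is erased and the packet then handled as a miss; the class and function names and the sample observations are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    first_seen: float   # when the pair was last reported to the core
    packets: int = 1    # packets counted since then

class ProbeCache:
    """Threshold-based cache for (IP, MAC) pairs extracted from ARP packets."""

    def __init__(self, max_age=30.0, max_packets=30):
        self.max_age = max_age          # time threshold (slide default: 30 s)
        self.max_packets = max_packets  # packet threshold (slide default: 30)
        self.entries = {}

    def observe(self, ip, mac, now):
        """Return True when this observation has to be sent to the core."""
        key = (ip, mac)                 # assumption: the pair is the cache key
        entry = self.entries.get(key)
        if entry is not None:
            expired = (now - entry.first_seen >= self.max_age
                       or entry.packets >= self.max_packets)
            if not expired:
                entry.packets += 1      # hit: update the counter, don't send
                return False
            del self.entries[key]       # thresholds expired: erase entry
        self.entries[key] = Entry(first_seen=now)   # miss: insert new entry
        return True                                 # and send to core

def replay(observations, cache):
    """Run (timestamp, ip, mac) tuples through the cache; return those sent."""
    return [o for o in observations if cache.observe(o[1], o[2], now=o[0])]

# Constructed sample: documentation addresses, locally administered MACs.
SAMPLE = [
    (0.0,  "192.0.2.10", "02:00:00:00:00:01"),  # first sighting
    (5.0,  "192.0.2.10", "02:00:00:00:00:01"),  # repeat within thresholds
    (12.0, "192.0.2.10", "02:00:00:00:00:99"),  # same IP, different MAC
    (31.0, "192.0.2.10", "02:00:00:00:00:01"),  # time threshold exceeded
]

if __name__ == "__main__":
    for t, ip, mac in replay(SAMPLE, ProbeCache()):
        print(f"t={t:>4}s send to core: {ip} is at {mac}")
```

Because the pair is the key in this sketch, a new MAC claiming an already-seen IPv4 address is a miss and is reported at once instead of waiting for a threshold.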
6MoN plus - use case
6MoN plus - strengths
Modularity
Scalability
Efficiency
Easy setup
Low installation and managing costs
6MoN plus - development
● Probe
○ it can execute on a Raspberry Pi, too!
● Core
○ it can be installed on a VM, too!
● Open Source
○ no additional licence costs
○ source code available
6MoN plus - future work
★ extend 6MoN Plus’ functionalities:
○ IoT applications
(e.g. devices, vehicles, buildings, etc.);
○ Smart Cities applications
(e.g. traffic monitor, air quality monitor, etc.).
Thank you for your attention
For further details:
[email protected]