Transcript Chao
Prof. Chao’s Research Areas
Cyber Security Processor (CYSEP)
Next-Generation 10-100 Tb/s Routers
eeweb.poly.edu/~chao
H. Jonathan Chao
Intrusions Over the Decades
Attack Sophistication vs. Intruder Technical Knowledge
Source: Special permission to reproduce the CERT ©/CC graphic © 2000 by Carnegie Mellon University, in Electronic Commerce 2002 in Allen et al. (2000).
What is Distributed Denial of Service (DDoS)?
Cyber Security Processor (CYSEP)
Issues:
• Intrusion/virus attacks happen every day, everywhere, and cause widespread, catastrophic damage
• How to detect/prevent them at the high speeds of 10 Gbit/s or 40 Gbit/s lines at routers (why not at hosts?)
• How to detect instruction across multiple packets
• How to prevent distributed denial of service (DDoS) attacks
• How to distinguish good packets from bad packets so as to block the bad ones
Goals:
• Design/implement a CYSEP to be employed at various places in the network to perform intrusion and DDoS prevention, encryption, and authentication at high speed
CYber SEcurity Processor (CYSEP)
[Block diagram labels: Cyber Security Processor (CYSEP) containing a Firewall Engine, DDoS Engine, Encryption/Decryption Engine, Authentication/Authorization Engine, and Intrusion Detection Engine; two SPI 4.2 Interfaces (To/From Framer; To/From NP or End System); Memory Controller (To Memory); PCI BUS Controller (To PCI Bus)]
CYSEP Deployed at Various Places in the Network
Participants
Professors: H. Jonathan Chao, Ramesh Karri
PhD Students: Sertac Artan, Nikhil Joshi, Huizhong Sun, Bo Yang
MS Students: Paulo Ayres, Wei-Chen Huang, Andrew Kim, Arun Radhakrishnan, Evelyn Yen
What Does a Router Look Like?
Today’s TERA POP Architecture – Why so complex and costly?
[Figure labels: Parallel WAN Links; Intra POP Interconnection Links; Hub-to-Core Links; Access/Hub Routers]
Clustering of multiple core routers in POP (Point of Presence)
WHY?
• Routers lack the port capacity and switching capacity to meet POP-to-POP demand
• Unreliable routers and lack of network restoration result in back-to-back router configurations
• Lack of a connectivity/bandwidth reservation concept in IP networks (tendency to over-engineer)
RESULTS
• About 50% of port capacity is used for intra-POP interconnection – wastes customer investment
REAL PROBLEM MOVING FORWARD
• Can this POP architecture support data traffic growth yet to be realized?
In a few years, POP will look like this
[Figure labels: Parallel WAN Links; Intra POP Interconnection Links; Hub-to-Core Links; Access/Hub Routers]
• More routers thrown into the POP, creating a serious management nightmare
• A larger portion of switch ports is used for interconnection
• Service/network reliability has not been resolved
Need Fundamental Re-thinking
New POP Architecture – Paradigm Shift
[Figure labels: Bundled Parallel Links; Hub-to-Core Links; Access/Hub Routers]
One box solution
Carrier-grade reliability
Large port counts
Every port carries real user traffic
10 – 100 terabit packet switching capacity
[System diagram labels: Line cards (LC); Line-card Shelf Controller (LSC); Switch Fabric; Fabric Shelf Controller (FSC); Route Controller (RC); Management Controller (MC); System Clock (CLK); Data Path; Control]
Issues of Building a 10-100 Tbit/s Router
Single-stage vs. multiple-stage switch fabrics
Electronic vs. optical switch fabrics
Distributed vs. centralized packet scheduler (4ns at 40Gbit/s)
Memory speed and size
Quality control (8 ns for packet scheduling and discarding)
Interconnections and power consumption
For a 40 Gbit/s line, required memory cycle time < 2.66 ns
Buffer size: 500 Mbytes per 40 Gbit/s line
Chip to chip: 128 SERDES bidirectional I/O @ 20W
Rack to rack: VCSEL up to 300 ms with 250mW
Fault tolerance and in-service scalability
Textbook: Broadband Packet Switching Technologies (EL737) by Chao, Lam, and Oki; John Wiley & Sons, Aug 2001
[Photo labels: Backplane; TM board; IM/OM board; CM board]
[Photo labels: FPGA chips; SERDES chips]
ATM Switch Chip
Optical Packet Switch Experiment
VCI Overwriting
Optical Packet Switch Experiment
Wavelength Converter
Cell Delineation and VCI-Overwrite
Shared-Memory Controller
Route Controller
Awarded Packet Switches Projects
Fabrication and Demonstration of a WDM, ATM Multicast Switch
A Quasi-Static Optoelectronic ATM Switch
NSF ($350K)
9/99 for 4 years
A Terabit IP Router with Advanced QoS Support
DARPA ($3.2M)
7/95 for 6 years
NSF ($450K)
110/99 for 4 years
High-Performance Stable Switches
NSF ($500K)
10/04 for 3 years
Current Participants
Professors: H. Jonathan Chao, Shiv Panwar
Post-doc: Yihan Li
PhD Students: Shi Jiang, Yanming Shen
We need motivated students doing research with us.
[email protected]