Académique Documents
Professionnel Documents
Culture Documents
Yoshinori MIYAMOTO*
Hideaki GOTO
Junichi YAMATO
Hideaki SONE
j-yamato@bk.jp.nec.com
packet of all communications and judges the route etc. Our
proposed system by using this feature of OpenFlow manages
a lot of virtual network group without a special field such as
VLAN tag in the packet header.
The rest of this paper is organized as follows. Section II
describes overview of campus network. Section III describes
the problems of campus network. The flexible access
management system based on OpenFlow is presented in
Section IV. The prototype system and evaluation results are
shown in Section V and Section VI.
I. INTRODUCTION
In the current campus networks, a lot of VLANs based
on IEEE802.1Q [1] have been generally used for deploying
many logical networks over minimal fibers/cables.
Especially, a campus-wide Wi-Fi system, such as eduroam
[2], manages networks by using a lot of VLANs for
separating the access networks from other campus networks
and for realizing a sophisticated access control such as guest/home-users separation and security filtering because various
users use the Access Points (APs).
However, using a lot of VLANs has some problems. The
first problem is the limitation of the number of VLAN IDs.
The second problem is that system configuration work
increases as the scale of the network becomes larger even if
there are enough VLAN IDs.
In this paper, we propose a flexible access management
system for campus VLAN based on OpenFlow [3] to solve
these problems. OpenFlow is a new technology attracting
peoples attentions in the field of Future Internet such as FP7
[4] in EU, NSF FIND [5] in U.S. and Akari [6] in Japan and
has the feature that the controller server receives the first
*
University
private
network
Gateway
eduroam
home user
network
eduroam
guest user
network
RADIUS
SSID:SSID:
local Aeduroam
etc
SSID: Local A
etc
347
III.
tag
Check tag
VLAN
Config
tag
Check tag
New Function
Configuration
VLAN
Config
VLAN
Config
tag
Check tag
Control
New Function
Configuration
New Function
Configuration
Control
Control
Forwarding Forwarding
tag
Add tag
OpenFlow protocol
Forwarding Forwarding
OpenFlow
QoS
Path cal
A. OpenFlow
1) Architecture
OpenFlow network is composed of many switches
(OpenFlow switch) and one controller server (OpenFlow
controller).
OpenFlow switch has a data forwarding plane only and
the forwarding process is very simple. A forwarding entry in
the switch is referred when OpenFlow switch receives a
packet. When there is flow information of the packet in the
forwarding entry, the packet is forwarded according the
forwarding entry. When there is not any, the packet is
forwarded to OpenFlow controller.
OpenFlow controller has the integrated control plane of
all switches. In the case of forwarding the packet from a
switch, OpenFlow controller decides the forwarding port of
packet and writes it the forwarding entry of the switch by
OpenFlow protocol. Many other processes such as path
calculation, QoS control and so on are also performed.
Radius
Dst check
ACL
check
Src check
GID-DB
User-DB Tree
Network OS
OpenFlow Controller
Radius
OpenFlow Network
348
User-DB
GID-DB
User : yamasaki
GID : Tohoku Univ.
MAC:
A
OpenFlow
Controller
DHCP
eduroam JP
Reporting Radius
(MAC&GID)
RADIUS
(including Calling Station ID)
IP:Y
EAP
MAC:A
yamasaki
GID-DB
User : yamasaki
GID : Tohoku Univ.
MAC:
A
eduroam JP
OpenFlow
Controller
DHCP
Radius
Request IP
IP:Y
IP:X
MAC:A
yamasaki
Figure 6: DHCP
Compare
Source GID
Destination GID
Step1. Authentication
When user connects the network, the user node sends
EAP packets to an AP. The AP sends RADIUS AccessRequest packets including Calling Station ID (= user MAC
address) to RADIUS server. If the authentication succeeds,
Calling Station ID is saved in User DB as MAC address (see
Figure 5).
DHCP
User-DB
GID-DB
User : yamasaki
GID : Tohoku Univ.
MAC:
A
eduroam JP
OpenFlow
Controller
Radius
inquiry
OpenFlow Protocol
First packet
IP:Y
IP:X
MAC:A
yamasaki
Step2. Reporting
After MAC address is saved in User DB, the RADIUS
server sends a report such as MAC address and GID of the
user to OpenFlow controller. OpenFlow controller saves
these information in GID DBs. After this, RADIUS server
sends RADIUS Access-Accept packet to the AP. Then, user
node can be accepted the network.
DHCP
Step3. DHCP
User node does not have IP address immediately after
accepted. Then, user node sends DHCP Request. This packet
is sent to OpenFlow controller since it is the first packet of a
communication. AMF in OpenFlow controller accepts the
communication because DHCP packet is set to accept by
pre-configuration. Therefore, user node gets IP address (see
Figure 6).
OpenFlow
Controller
User-DB
User : yamasaki
GID : Tohoku Univ.
MAC:
A
eduroam JP
Radius
results
OpenFlow Protocol
IP:Y
IP:X
yamasaki
Figure 8: Communications
349
Hardware
CPU
NEC Express5800/GT110b-s
Intel Core i3-540 3.07GHz
M emory
OS
3GB
Ubuntu 10.10
Software
Step5. Communications
If the communication is accepted, basic functions such as
path calculation are executed. Then, next forwarding port is
written in forwarding entry of each OpenFlow switch on the
communication path (see Figure 8).
NEC Express5800/110Ek
Intel Xeon 3040 1.86GHz
M emory
1GB
OS
CentOS 5.5
FreeRADIUS 2.1.9
Software
DHCP
User
(GID=A)
PostgreSQL 8.4.7
V. PROTOTYPE SYSTEM
We have implemented the proposed system for eduroam
and have also built a test-bed system for evaluations (see
Figure 9). This system is utilizing NECs OpenFlow
controller [13] and FreeRADIUS on Linux operating system.
As our OpenFlow controller, we have implemented AMF
on NECs OpenFlow controller and use PostgreSQL for
GID-DB. In our prototype system, there is hardly a limitation
in the number of GID because ID field of GID-DB is
64Bytes (see Figure 10).
As our RADIUS server, we have implemented reporting
function (RF) on FreeRADIUS to notify OpenFlow of MAC
address and GID and have enhanced User DB for RADIUS
to treat MAC address and GID.
Flexible Access Management System
reject
accept
GID=B
350
VII. CONCLUSION
In this paper, we have proposed a flexible access
management system based on OpenFlow. The system
manages communication access by virtual group ID (GID)
managed in OpenFlow controller instead of VLAN. The
number of ID is hardly restricted and even if GID is changed,
the configuration of switches need not be changed because
GID is only used in OpenFlow controller.
We have also built a prototype system having two useful
functions. The first function is the access management
function equivalent to the authentication VLAN based on
NECs OpenFlow controller. The Second function is
Reporting function of the authentication information based
on FreeRADIUS.
In evaluation results of the system, we have shown the
time for authentication and pings, data retrieval. The times
for authentication and pings are about 10ms longer than
basic OpenFlow controller. However, they are practicable
times.
System evaluations using a real campus network are
included in our future work.
Proposed OFC
Basic OFC
General Network
18.9
10.4
1.5
2.3
2.2
1.6
REFERENCES
[1] IEEE802.1Q, http://www.ieee802.org/1/pages/802.1Q.html.
[2] L.Florio, K. Wierenga, Eduroam, providing mobility for
roaming users, EUNIS, June 2005.
[3] N. Mckeown, T. Anderson, H. Balakrishnan, G. Parulkar, L.
Peterson, J. Rexford, S.Shenker, and J. Turner, Openflow:
Enabling Innovation in Campus Networks, ACM
SIGCOMM Computer Communication Review, vol.38, 2008,
pp.69-74.
[4] The Seventh Framework Programme (FP7),
http://cordis.europa.eu/fp7/dc/index.cfm
[5] NSF NeTS FIND Initiative, http://www.nets-find.net/
[6] AKARI, http://akari-project.nict.go.jp/
[7] IEEE802.1X, http://www.ieee802.org/1/pages/802.1x.html.
[8] C. Rigney, S. Willens, A. Rubens, and W. Simpson,
Proposed OFC
Basic OFC
General Network
644.6
656.3
540.3
Node(ms)
DHCP(ms)
65.6
60.5
57.3
33.1
20.7
7.5
Total(ms)
743.3
737.5
605.0
Src check
Dst check
ACL check
3.0
0.5
1.1
351