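def example_setup(num_clients=3, num_servers=3):
    """Build the policy for the three-switch gateway example.

    The network has an Ethernet side (switches 2, 3, 4 plus virtual switch
    1000, subnet 10.0.0.0/24), an IP core (switches 5, 6, 7 plus virtual
    switch 1002, subnet 10.0.1.0/24) and one gateway switch (1001) joining
    them.  Both sides run ``mac_learner()``; the gateway runs
    ``gateway_forwarder`` over the two subnets and a static IP->MAC table.

    Args:
        num_clients: hosts on the Ethernet side, numbered from 10.0.0.2.
        num_servers: hosts on the IP side, numbered from 10.0.1.2.

    Returns:
        The ``+`` composition of one ``switch_in(...) & policy`` term per
        part of the network.

    Raises:
        ValueError: if a host index does not fit in the last MAC octet.
    """
    def host_mac(index):
        # Two hex digits (the way Mininet numbers its default host MACs --
        # confirm against the topology) keep the address well-formed past
        # index 9, which concatenating str(index) does not.
        if not 0 <= index <= 0xff:
            raise ValueError('host index %d does not fit one MAC octet' % index)
        return MAC('00:00:00:00:00:%02x' % index)

    ### EXAMPLE PARAMETERS
    # NETWORK BREAKDOWN
    ethernet = [2, 3, 4, 1000]
    ip_core = [5, 6, 7, 1002]
    gateway = [1001]

    # SUBNET ADDRESSING
    eth_prefix = '10.0.0.'
    ip_prefix = '10.0.1.'
    prefix_len = 24
    eth_cidr = eth_prefix + '0/' + str(prefix_len)
    ip_cidr = ip_prefix + '0/' + str(prefix_len)

    # END HOST ADDRESSES
    # Client i is 10.0.0.(i+1) with MAC ...:0i; server j is 10.0.1.(j+1) and
    # its MAC index continues after the clients so every host stays unique.
    public_ip = IP('10.0.1.100')
    fake_mac = MAC('BB:BB:BB:BB:BB:BB')
    eth_macs = {IP(eth_prefix + str(i + 1)): host_mac(i)
                for i in range(1, 1 + num_clients)}
    ip_macs = {IP(ip_prefix + str(i + 1)): host_mac(i + num_clients)
               for i in range(1, 1 + num_servers)}
    # dict(a.items() + b.items()) only works on Python 2; copy-then-update
    # builds the same table on either version.
    host_macs = dict(eth_macs)
    host_macs.update(ip_macs)
    # The public address has no host of its own; it is entered with a
    # placeholder MAC (how gateway_forwarder uses it is not visible here).
    host_macs[IP(public_ip)] = fake_mac

    ### POLICIES FOR THIS EXAMPLE
    eth_pol = mac_learner()
    ip_pol = mac_learner()
    gw_pol = gateway_forwarder(eth_cidr, ip_cidr, host_macs)

    return ((switch_in(ethernet) & eth_pol) +
            (switch_in(gateway) & gw_pol) +
            (switch_in(ip_core) & ip_pol))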
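def example_setup(num_clients=3, num_servers=3):
    """Build the policy for the three-switch gateway example.

    The network has an Ethernet side (switches 2, 3, 4 plus virtual switch
    1000, subnet 10.0.0.0/24), an IP core (switches 5, 6, 7 plus virtual
    switch 1002, subnet 10.0.1.0/24) and one gateway switch (1001) joining
    them.  The Ethernet side runs ``mac_learner()`` directly; the IP core
    runs it over a single virtual switch (``merge(name=5, ...)``) built from
    the core switches; the gateway runs ``gateway_forwarder`` over the two
    subnets and a static IP->MAC table.

    Args:
        num_clients: hosts on the Ethernet side, numbered from 10.0.0.2.
        num_servers: hosts on the IP side, numbered from 10.0.1.2.

    Returns:
        The ``+`` composition of one ``switch_in(...) >> policy`` term per
        part of the network.

    Raises:
        ValueError: if a host index does not fit in the last MAC octet.
    """
    def host_mac(index):
        # Two hex digits (the way Mininet numbers its default host MACs --
        # confirm against the topology) keep the address well-formed past
        # index 9, which concatenating str(index) does not.
        if not 0 <= index <= 0xff:
            raise ValueError('host index %d does not fit one MAC octet' % index)
        return MAC('00:00:00:00:00:%02x' % index)

    ### EXAMPLE PARAMETERS
    # NETWORK BREAKDOWN
    ethernet = [2, 3, 4, 1000]
    ip_core = [5, 6, 7, 1002]
    gateway = [1001]

    # SUBNET ADDRESSING
    eth_prefix = '10.0.0.'
    ip_prefix = '10.0.1.'
    prefix_len = 24
    eth_cidr = eth_prefix + '0/' + str(prefix_len)
    ip_cidr = ip_prefix + '0/' + str(prefix_len)

    # END HOST ADDRESSES
    # Client i is 10.0.0.(i+1) with MAC ...:0i; server j is 10.0.1.(j+1) and
    # its MAC index continues after the clients so every host stays unique.
    public_ip = IP('10.0.1.100')
    fake_mac = MAC('BB:BB:BB:BB:BB:BB')
    eth_macs = {IP(eth_prefix + str(i + 1)): host_mac(i)
                for i in range(1, 1 + num_clients)}
    ip_macs = {IP(ip_prefix + str(i + 1)): host_mac(i + num_clients)
               for i in range(1, 1 + num_servers)}
    # dict(a.items() + b.items()) only works on Python 2; copy-then-update
    # builds the same table on either version.
    host_macs = dict(eth_macs)
    host_macs.update(ip_macs)
    # The public address has no host of its own; it is entered with a
    # placeholder MAC (how gateway_forwarder uses it is not visible here).
    host_macs[IP(public_ip)] = fake_mac

    ### POLICIES FOR THIS EXAMPLE
    eth_pol = mac_learner()
    # The IP core is presented to the learner as one virtual switch named 5.
    ip_pol = virtualize(mac_learner(), merge(name=5, from_switches=ip_core))
    gw_pol = gateway_forwarder(eth_cidr, ip_cidr, host_macs)

    return ((switch_in(ethernet) >> eth_pol) +
            (switch_in(gateway) >> gw_pol) +
            (switch_in(ip_core) >> ip_pol))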
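def example_setup(num_clients=3, num_servers=3):
    """Build the gateway example with a firewall and load balancer in the core.

    The network has an Ethernet side (switches 2, 3, 4 plus virtual switch
    1000, subnet 10.0.0.0/24), an IP core (switches 5, 6, 7 plus virtual
    switch 1002, subnet 10.0.1.0/24) and one gateway switch (1001) joining
    them.  The IP core policy chains a whitelist firewall and a load
    balancer for the public address 10.0.1.100 in front of a MAC learner,
    all virtualized onto one switch named 5.

    Args:
        num_clients: hosts on the Ethernet side, numbered from 10.0.0.2.
        num_servers: hosts on the IP side, numbered from 10.0.1.2.

    Returns:
        The ``+`` composition of one ``switch_in(...)[policy]`` term per
        part of the network.

    Raises:
        ValueError: if a host index does not fit in the last MAC octet.
    """
    def host_mac(index):
        # Two hex digits (the way Mininet numbers its default host MACs --
        # confirm against the topology) keep the address well-formed past
        # index 9, which concatenating str(index) does not.
        if not 0 <= index <= 0xff:
            raise ValueError('host index %d does not fit one MAC octet' % index)
        return MAC('00:00:00:00:00:%02x' % index)

    ### EXAMPLE PARAMETERS
    # NETWORK BREAKDOWN
    ethernet = [2, 3, 4, 1000]
    ip_core = [5, 6, 7, 1002]
    gateway = [1001]

    # SUBNET ADDRESSING
    eth_prefix = '10.0.0.'
    ip_prefix = '10.0.1.'
    prefix_len = 24
    eth_cidr = eth_prefix + '0/' + str(prefix_len)
    ip_cidr = ip_prefix + '0/' + str(prefix_len)

    # END HOST ADDRESSES
    # Client i is 10.0.0.(i+1) with MAC ...:0i; server j is 10.0.1.(j+1) and
    # its MAC index continues after the clients so every host stays unique.
    public_ip = IP('10.0.1.100')
    fake_mac = MAC('BB:BB:BB:BB:BB:BB')
    eth_macs = {IP(eth_prefix + str(i + 1)): host_mac(i)
                for i in range(1, 1 + num_clients)}
    ip_macs = {IP(ip_prefix + str(i + 1)): host_mac(i + num_clients)
               for i in range(1, 1 + num_servers)}
    # dict(a.items() + b.items()) only works on Python 2; copy-then-update
    # builds the same table on either version.
    host_macs = dict(eth_macs)
    host_macs.update(ip_macs)
    # The public address has no host of its own; it is entered with a
    # placeholder MAC (how gateway_forwarder uses it is not visible here).
    host_macs[IP(public_ip)] = fake_mac

    # PARAMETERS FOR FIREWALL/LOAD BALANCER
    # R: the load balancer's server pool (the IP-side hosts, 10.0.1.2 ...).
    # H: the client hosts (10.0.0.2 ...), each mapped to 0 -- what lb()
    #    stores in that value is not visible here.
    # W: the firewall entries, one (client, public_ip) pair per client.
    R = [IP(ip_prefix + str(i)) for i in range(2, 2 + num_servers)]
    H = {IP(eth_prefix + str(i)): 0 for i in range(2, 2 + num_clients)}
    W = {(c, public_ip) for c in H}

    ### POLICIES FOR THIS EXAMPLE
    eth_pol = mac_learner()
    # alb: balance the public address over R, then fix up the destination
    # MAC from the server table.  afw: ARP bypasses the firewall; every
    # other packet is subject to the whitelist W.
    alb = dynamic(lb)(public_ip, R, H) >> fix_dstmac(ip_macs)
    afw = if_(ARP, passthrough, dynamic(fw)(W))
    # Packets from the Ethernet subnet are firewalled before balancing;
    # packets from anywhere else are balanced first, then firewalled.
    ip_pol = if_(match(srcip=eth_cidr),
                 afw >> alb,
                 alb >> afw) >> mac_learner()
    ip_pol = virtualize(ip_pol, BFS_vdef(name=5, from_switches=ip_core))
    gw_pol = gateway_forwarder(eth_cidr, ip_cidr, host_macs)

    return (switch_in(ethernet)[eth_pol] +
            switch_in(gateway)[gw_pol] +
            switch_in(ip_core)[ip_pol])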
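def example_setup(num_clients=3, num_servers=3):
    """Build the gateway example with a firewall and load balancer in the core.

    The network has an Ethernet side (switches 2, 3, 4 plus virtual switch
    1000, subnet 10.0.0.0/24), an IP core (switches 5, 6, 7 plus virtual
    switch 1002, subnet 10.0.1.0/24) and one gateway switch (1001) joining
    them.  The IP core policy chains a whitelist firewall and a load
    balancer for the public address 10.0.1.100 in front of a MAC learner,
    all virtualized onto one switch named 5.

    Args:
        num_clients: hosts on the Ethernet side, numbered from 10.0.0.2.
        num_servers: hosts on the IP side, numbered from 10.0.1.2.

    Returns:
        The ``+`` composition of one ``switch_in(...) & policy`` term per
        part of the network.

    Raises:
        ValueError: if a host index does not fit in the last MAC octet.
    """
    def host_mac(index):
        # Two hex digits (the way Mininet numbers its default host MACs --
        # confirm against the topology) keep the address well-formed past
        # index 9, which concatenating str(index) does not.
        if not 0 <= index <= 0xff:
            raise ValueError('host index %d does not fit one MAC octet' % index)
        return MAC('00:00:00:00:00:%02x' % index)

    ### EXAMPLE PARAMETERS
    # NETWORK BREAKDOWN
    ethernet = [2, 3, 4, 1000]
    ip_core = [5, 6, 7, 1002]
    gateway = [1001]

    # SUBNET ADDRESSING
    eth_prefix = '10.0.0.'
    ip_prefix = '10.0.1.'
    prefix_len = 24
    eth_cidr = eth_prefix + '0/' + str(prefix_len)
    ip_cidr = ip_prefix + '0/' + str(prefix_len)

    # END HOST ADDRESSES
    # Client i is 10.0.0.(i+1) with MAC ...:0i; server j is 10.0.1.(j+1) and
    # its MAC index continues after the clients so every host stays unique.
    public_ip = IP('10.0.1.100')
    fake_mac = MAC('BB:BB:BB:BB:BB:BB')
    eth_macs = {IP(eth_prefix + str(i + 1)): host_mac(i)
                for i in range(1, 1 + num_clients)}
    ip_macs = {IP(ip_prefix + str(i + 1)): host_mac(i + num_clients)
               for i in range(1, 1 + num_servers)}
    # dict(a.items() + b.items()) only works on Python 2; copy-then-update
    # builds the same table on either version.
    host_macs = dict(eth_macs)
    host_macs.update(ip_macs)
    # The public address has no host of its own; it is entered with a
    # placeholder MAC (how gateway_forwarder uses it is not visible here).
    host_macs[IP(public_ip)] = fake_mac

    # PARAMETERS FOR FIREWALL/LOAD BALANCER
    # R: the load balancer's server pool (the IP-side hosts, 10.0.1.2 ...).
    # H: the client hosts (10.0.0.2 ...), each mapped to 0 -- what lb()
    #    stores in that value is not visible here.
    # W: the firewall entries, one (client, public_ip) pair per client.
    R = [IP(ip_prefix + str(i)) for i in range(2, 2 + num_servers)]
    H = {IP(eth_prefix + str(i)): 0 for i in range(2, 2 + num_clients)}
    W = {(c, public_ip) for c in H}

    ### POLICIES FOR THIS EXAMPLE
    eth_pol = mac_learner()
    # alb: balance the public address over R, then fix up the destination
    # MAC from the server table.  afw: ARP bypasses the firewall; every
    # other packet is subject to the whitelist W.
    alb = dynamic(lb)(public_ip, R, H) >> fix_dstmac(ip_macs)
    afw = if_(ARP, passthrough, dynamic(fw)(W))
    # Packets from the Ethernet subnet are firewalled before balancing;
    # packets from anywhere else are balanced first, then firewalled.
    ip_pol = if_(match(srcip=eth_cidr),
                 afw >> alb,
                 alb >> afw) >> mac_learner()
    ip_pol = virtualize(ip_pol, BFS_vdef(name=5, from_switches=ip_core))
    gw_pol = gateway_forwarder(eth_cidr, ip_cidr, host_macs)

    return ((switch_in(ethernet) & eth_pol) +
            (switch_in(gateway) & gw_pol) +
            (switch_in(ip_core) & ip_pol))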
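def setup(num_internet_hosts=253, num_dmz_servers=1, num_internal_hosts=2):
    """Build the policy for the gateway / firewall / blackhole exercise.

    Five virtual switches make up the topology: the internal network edge
    (1000), the gateway (1001), the blackhole checker/redirector (1002),
    the firewall (1003) and the internet edge (1004).  The internal side
    uses 10.1.1.0/24, the internet side 10.1.2.0/24.  Both edges run
    ``mac_learner()``; the gateway forwards between the subnets with a
    static IP->MAC table; the firewall enforces an address-pair whitelist
    (ARP excepted); the redirector diverts flows exceeding a packet rate
    toward the protected server into the blackhole port.

    Args:
        num_internet_hosts: hosts on the internet side, at 10.1.2.2 upward.
        num_dmz_servers: DMZ servers on the internal side; they share the
            10.1.1.x index range with the internal hosts.
        num_internal_hosts: internal hosts, at 10.1.1.2 upward.

    Returns:
        The ``+`` composition of one ``switch_in(...) >> policy`` term per
        virtual switch.

    Raises:
        ValueError: if a host index does not fit in the last MAC octet.
    """
    def host_mac(index):
        #Two hex digits (the way Mininet numbers its default host MACs --
        #confirm against the topology) keep the address well-formed past
        #index 9, which concatenating str(index) does not.
        if not 0 <= index <= 0xff:
            raise ValueError('host index %d does not fit one MAC octet' % index)
        return MAC('00:00:00:00:00:%02x' % index)

    #-----------------
    #Network breakdown (virtual components)
    internal_net_edge = [1000]
    gateway = [1001]
    blackhole_checker_redirector = [1002]
    firewall = [1003]
    internet_edge = [1004]

    #-----------------
    #IP subnets
    internal_prefix = '10.1.1.'
    internet_prefix = '10.1.2.'
    prefix_len = 24
    internal_cidr = internal_prefix + '0/' + str(prefix_len)
    internet_cidr = internet_prefix + '0/' + str(prefix_len)

    #-----------------
    #End hosts and servers
    #Internal host i sits at 10.1.1.(i+1) with MAC ...:0i; internal hosts and
    #DMZ servers share one index range, so the server is the last entry.
    internal_ip_to_macs = {
        IP(internal_prefix + str(i + 1)): host_mac(i)
        for i in range(1, 1 + num_internal_hosts + num_dmz_servers)
    }
    #Every internet-side address maps to the same MAC (presumably all of them
    #sit behind one router interface -- confirm against the topology).
    internet_ip_to_macs = {
        IP(internet_prefix + str(i + 1)): MAC('00:00:00:00:00:04')
        for i in range(1, 1 + num_internet_hosts)
    }
    #dict(a.items() + b.items()) only works on Python 2; copy-then-update
    #builds the same table on either version.
    host_ip_to_macs = dict(internal_ip_to_macs)
    host_ip_to_macs.update(internet_ip_to_macs)

    #-----------------
    #params for blackhole checker/redirector

    #Threshold rate of packets belonging to the same (srcip,dstip,dstport)
    #flow (careful: TCP protocol!). If this rate is surpassed, we consider it
    #a possible DoS and redirect the flow to the blackhole host for further
    #examination.
    threshold_rate = 5  #packets per sec (you can tune it if needed)
    blackhole_port_dict = {
        'untrusted': 2,
        'trusted': 1,
        'blackhole': 3
    }  #see exercise setup (figure 2)
    ips_and_tcp_ports_to_protect = [("10.1.1.4", 80)]  #protect apache server

    #-----------------
    #params for firewall
    firewall_port_dict = {
        'untrusted': 2,
        'trusted': 1
    }  #see exercise setup (ports of firewall, figure 2)

    #The whitelist holds (src, dst) dotted-quad pairs in the form fw()
    #expects (not visible here).  Every internal host gets the
    #(internal, internet) pair; only the protected server(s) also get the
    #reverse (internet, internal) pair, so they alone have entries in both
    #directions.  The server set is derived from the blackhole protection
    #list so the two cannot silently drift apart.
    inbound_servers = set(ip for ip, _port in ips_and_tcp_ports_to_protect)
    #str() once per address rather than once per pair.
    internal_ips = [str(ip) for ip in internal_ip_to_macs]
    internet_ips = [str(ip) for ip in internet_ip_to_macs]
    whitelist = set()
    for internal_ip in internal_ips:
        for internet_ip in internet_ips:
            whitelist.add((internal_ip, internet_ip))
            if internal_ip in inbound_servers:
                whitelist.add((internet_ip, internal_ip))
    print("Firewall whitelist")
    print(whitelist)

    #-----------------
    #policies
    blackhole_pol = BlackholeCheckerRedirector(threshold_rate,
                                               blackhole_port_dict,
                                               ips_and_tcp_ports_to_protect)
    #ARP passes straight through so address resolution reaches the gateway;
    #everything else is checked against the whitelist, then forwarded between
    #the trusted and untrusted ports.  The port numbers come from
    #firewall_port_dict instead of being repeated as literals.
    firewall_pol = (if_(ARP, passthrough, fw(whitelist)) >>
                    dumb_forwarder(firewall_port_dict['trusted'],
                                   firewall_port_dict['untrusted']))
    #Both network edges are plain learning switches.
    eth_pol = mac_learner()
    ip_pol = mac_learner()

    gw_pol = gateway_forwarder(internal_cidr, internet_cidr, host_ip_to_macs)

    return ((switch_in(blackhole_checker_redirector) >> blackhole_pol) +
            (switch_in(firewall) >> firewall_pol) +
            (switch_in(internal_net_edge) >> eth_pol) +
            (switch_in(gateway) >> gw_pol) +
            (switch_in(internet_edge) >> ip_pol))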
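def setup(num_internet_hosts=253, num_dmz_servers=1, num_internal_hosts=2):
    """Build the policy for the gateway / firewall / flow-monitor exercise.

    Five virtual switches make up the topology: the internal network edge
    (1000), the gateway (1001), the flow monitor / blackhole redirector
    (1002), the firewall (1003) and the internet edge (1004).  The internal
    side uses 10.1.1.0/24, the internet side 10.1.2.0/24.  Both edges run
    ``mac_learner()``; the gateway forwards between the subnets with a
    static IP->MAC table; the firewall enforces an address-pair whitelist
    (ARP excepted); the redirector diverts flows exceeding a packet rate
    toward the protected server into the blackhole port.

    Args:
        num_internet_hosts: hosts on the internet side, at 10.1.2.1 upward.
        num_dmz_servers: DMZ servers on the internal side; they share the
            10.1.1.x index range with the internal hosts.
        num_internal_hosts: internal hosts, at 10.1.1.1 upward.

    Returns:
        The ``+`` composition of one ``switch_in(...) >> policy`` term per
        virtual switch.

    Raises:
        ValueError: if a host index does not fit in the last MAC octet.
    """
    def host_mac(index):
        #Two hex digits (the way Mininet numbers its default host MACs --
        #confirm against the topology) keep the address well-formed past
        #index 9, which concatenating str(index) does not.
        if not 0 <= index <= 0xff:
            raise ValueError('host index %d does not fit one MAC octet' % index)
        return MAC('00:00:00:00:00:%02x' % index)

    #-----------------
    #Network breakdown (the virtual components in Pyretic)
    internal_net_edge = [1000]
    gateway = [1001]
    flow_monitor_blackhole_redirector = [1002]
    firewall = [1003]
    internet_edge = [1004]

    #-----------------
    #IP subnets
    internal_prefix = '10.1.1.'
    internet_prefix = '10.1.2.'
    prefix_len = 24
    internal_cidr = internal_prefix + '0/' + str(prefix_len)
    internet_cidr = internet_prefix + '0/' + str(prefix_len)

    #-----------------
    #End hosts and servers
    #Internal host i sits at 10.1.1.i with MAC ...:0i; internal hosts and DMZ
    #servers share one index range, so the server is the last entry.
    internal_ip_to_macs = {
        IP(internal_prefix + str(i)): host_mac(i)
        for i in range(1, 1 + num_internal_hosts + num_dmz_servers)
    }
    #Every internet-side address maps to the same MAC (presumably all of them
    #sit behind one router interface -- confirm against the topology).
    internet_ip_to_macs = {
        IP(internet_prefix + str(i)): MAC('00:00:00:00:00:04')
        for i in range(1, 1 + num_internet_hosts)
    }
    #dict(a.items() + b.items()) only works on Python 2; copy-then-update
    #builds the same table on either version.
    host_ip_to_macs = dict(internal_ip_to_macs)
    host_ip_to_macs.update(internet_ip_to_macs)

    #Debug dump of the table handed to gateway_forwarder below.
    print("Third Arguement:" + str(host_ip_to_macs))

    #-----------------
    #Parameters for flow monitor and blackhole redirector.
    #Threshold rate of packets belonging to the same (srcip,dstip,dstport) flow.
    #If this rate is surpassed, the flow is suspected to be a DoS attack; then
    #redirect the flow to the blackhole host.
    threshold_rate = 5  #packets per sec (you can change this if you want to check)
    blackhole_port_dict = {
        'untrusted': 2,
        'trusted': 1,
        'blackhole': 3
    }  #see Figure 2 in the project description
    ips_and_tcp_ports_to_protect = [("10.1.1.3", 80)]  #protect the Apache server

    #-----------------
    #Parameters for the stateful firewall
    firewall_port_dict = {
        'untrusted': 2,
        'trusted': 1
    }  #see Figure 2 in project description

    #The whitelist holds (src, dst) dotted-quad pairs in the form fw()
    #expects (not visible here).  Every internal host gets the
    #(internal, internet) pair; only the protected server(s) also get the
    #reverse (internet, internal) pair, so they alone have entries in both
    #directions.  The server set is derived from the blackhole protection
    #list so the two cannot silently drift apart.
    inbound_servers = set(ip for ip, _port in ips_and_tcp_ports_to_protect)
    #str() once per address rather than once per pair.
    internal_ips = [str(ip) for ip in internal_ip_to_macs]
    internet_ips = [str(ip) for ip in internet_ip_to_macs]
    whitelist = set()
    for internal_ip in internal_ips:
        for internet_ip in internet_ips:
            whitelist.add((internal_ip, internet_ip))
            if internal_ip in inbound_servers:
                whitelist.add((internet_ip, internal_ip))
    print("Firewall whitelist:")
    print(whitelist)

    #-----------------
    #Define policies
    #Both network edges are plain learning switches.
    internal_network_edge_policy = mac_learner()
    internet_edge_policy = mac_learner()
    gateway_policy = gateway_forwarder(internal_cidr, internet_cidr,
                                       host_ip_to_macs)
    blackhole_policy = FlowMonitorBlackholeRedirector(
        threshold_rate, blackhole_port_dict, ips_and_tcp_ports_to_protect)
    #ARP passes straight through so address resolution reaches the gateway;
    #everything else is checked against the whitelist, then forwarded between
    #the trusted and untrusted ports.
    firewall_policy = (if_(ARP, passthrough, fw(whitelist)) >>
                       dumb_forwarder(firewall_port_dict['trusted'],
                                      firewall_port_dict['untrusted']))

    #-----------------
    #Combine the per-switch policies in parallel.
    return ((switch_in(internal_net_edge) >> internal_network_edge_policy) +
            (switch_in(gateway) >> gateway_policy) +
            (switch_in(flow_monitor_blackhole_redirector) >> blackhole_policy) +
            (switch_in(firewall) >> firewall_policy) +
            (switch_in(internet_edge) >> internet_edge_policy))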
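def setup(num_internet_hosts=253, num_dmz_servers=1, num_internal_hosts=2):
    """Build the policy for the gateway / firewall / flow-monitor exercise.

    Five virtual switches make up the topology: the internal network edge
    (1000), the gateway (1001), the flow monitor / blackhole redirector
    (1002), the firewall (1003) and the internet edge (1004).  The internal
    side uses 10.1.1.0/24, the internet side 10.1.2.0/24.  Both edges run
    ``mac_learner()``; the gateway forwards between the subnets with a
    static IP->MAC table; the firewall enforces an address-pair whitelist
    (ARP excepted); the redirector diverts flows exceeding a packet rate
    toward the protected server into the blackhole port.

    Args:
        num_internet_hosts: hosts on the internet side, at 10.1.2.1 upward.
        num_dmz_servers: DMZ servers on the internal side; they share the
            10.1.1.x index range with the internal hosts.
        num_internal_hosts: internal hosts, at 10.1.1.1 upward.

    Returns:
        The ``+`` composition of one ``switch_in(...) >> policy`` term per
        virtual switch.

    Raises:
        ValueError: if a host index does not fit in the last MAC octet.
    """
    def host_mac(index):
        #Two hex digits (the way Mininet numbers its default host MACs --
        #confirm against the topology) keep the address well-formed past
        #index 9, which concatenating str(index) does not.
        if not 0 <= index <= 0xff:
            raise ValueError('host index %d does not fit one MAC octet' % index)
        return MAC('00:00:00:00:00:%02x' % index)

    #-----------------
    #Network breakdown (the virtual components in Pyretic)
    internal_net_edge = [1000]
    gateway = [1001]
    flow_monitor_blackhole_redirector = [1002]
    firewall = [1003]
    internet_edge = [1004]

    #-----------------
    #IP subnets
    internal_prefix = '10.1.1.'
    internet_prefix = '10.1.2.'
    prefix_len = 24
    internal_cidr = internal_prefix + '0/' + str(prefix_len)
    internet_cidr = internet_prefix + '0/' + str(prefix_len)

    #-----------------
    #End hosts and servers
    #Internal host i sits at 10.1.1.i with MAC ...:0i; internal hosts and DMZ
    #servers share one index range, so the server is the last entry.
    internal_ip_to_macs = {
        IP(internal_prefix + str(i)): host_mac(i)
        for i in range(1, 1 + num_internal_hosts + num_dmz_servers)
    }
    #Every internet-side address maps to the same MAC (presumably all of them
    #sit behind one router interface -- confirm against the topology).
    internet_ip_to_macs = {
        IP(internet_prefix + str(i)): MAC('00:00:00:00:00:04')
        for i in range(1, 1 + num_internet_hosts)
    }
    #dict(a.items() + b.items()) only works on Python 2; copy-then-update
    #builds the same table on either version.
    host_ip_to_macs = dict(internal_ip_to_macs)
    host_ip_to_macs.update(internet_ip_to_macs)

    #Debug dump of the table handed to gateway_forwarder below.
    print("Third Arguement:" + str(host_ip_to_macs))

    #-----------------
    #Parameters for flow monitor and blackhole redirector.
    #Threshold rate of packets belonging to the same (srcip,dstip,dstport) flow.
    #If this rate is surpassed, the flow is suspected to be a DoS attack; then
    #redirect the flow to the blackhole host.
    threshold_rate = 5  #packets per sec (you can change this if you want to check)
    blackhole_port_dict = {
        'untrusted': 2,
        'trusted': 1,
        'blackhole': 3
    }  #see Figure 2 in the project description
    ips_and_tcp_ports_to_protect = [("10.1.1.3", 80)]  #protect the Apache server

    #-----------------
    #Parameters for the stateful firewall
    firewall_port_dict = {
        'untrusted': 2,
        'trusted': 1
    }  #see Figure 2 in project description

    #The whitelist holds (src, dst) dotted-quad pairs in the form fw()
    #expects (not visible here).  Every internal host gets the
    #(internal, internet) pair; only the protected server(s) also get the
    #reverse (internet, internal) pair, so they alone have entries in both
    #directions.  The server set is derived from the blackhole protection
    #list so the two cannot silently drift apart.
    inbound_servers = set(ip for ip, _port in ips_and_tcp_ports_to_protect)
    #str() once per address rather than once per pair.
    internal_ips = [str(ip) for ip in internal_ip_to_macs]
    internet_ips = [str(ip) for ip in internet_ip_to_macs]
    whitelist = set()
    for internal_ip in internal_ips:
        for internet_ip in internet_ips:
            whitelist.add((internal_ip, internet_ip))
            if internal_ip in inbound_servers:
                whitelist.add((internet_ip, internal_ip))
    print("Firewall whitelist:")
    print(whitelist)

    #-----------------
    #Define policies
    #Both network edges are plain learning switches.
    internal_network_edge_policy = mac_learner()
    internet_edge_policy = mac_learner()
    gateway_policy = gateway_forwarder(internal_cidr, internet_cidr,
                                       host_ip_to_macs)
    blackhole_policy = FlowMonitorBlackholeRedirector(
        threshold_rate, blackhole_port_dict, ips_and_tcp_ports_to_protect)
    #ARP passes straight through so address resolution reaches the gateway;
    #everything else is checked against the whitelist, then forwarded between
    #the trusted and untrusted ports.
    firewall_policy = (if_(ARP, passthrough, fw(whitelist)) >>
                       dumb_forwarder(firewall_port_dict['trusted'],
                                      firewall_port_dict['untrusted']))

    #-----------------
    #Combine the per-switch policies in parallel.
    return (
        (switch_in(internal_net_edge) >> internal_network_edge_policy) +
        (switch_in(gateway) >> gateway_policy) +
        (switch_in(flow_monitor_blackhole_redirector) >> blackhole_policy) +
        (switch_in(firewall) >> firewall_policy) +
        (switch_in(internet_edge) >> internet_edge_policy))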
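def setup(num_internet_hosts=253, num_dmz_servers=2, num_internal_hosts=4):
    """Build the policy for the gateway / firewall / blackhole exercise.

    Five virtual switches make up the topology: the internal network edge
    (1000), the gateway (1001), the blackhole checker/redirector (1002),
    the firewall (1003) and the internet edge (1004).  The internal side
    uses 10.1.1.0/24, the internet side 10.1.2.0/24.  Both edges run
    ``mac_learner()``; the gateway forwards between the subnets with a
    static IP->MAC table; the firewall enforces an address-pair whitelist
    (ARP excepted); the redirector diverts flows exceeding a packet rate
    toward the protected servers into the blackhole port.

    Args:
        num_internet_hosts: hosts on the internet side, at 10.1.2.2 upward.
        num_dmz_servers: DMZ servers on the internal side; they share the
            10.1.1.x index range with the internal hosts.
        num_internal_hosts: internal hosts, at 10.1.1.2 upward.

    Returns:
        The ``+`` composition of one ``switch_in(...) >> policy`` term per
        virtual switch.

    Raises:
        ValueError: if a host index does not fit in the last MAC octet.
    """
    def host_mac(index):
        #Two hex digits (the way Mininet numbers its default host MACs --
        #confirm against the topology) keep the address well-formed past
        #index 9, which concatenating str(index) does not.
        if not 0 <= index <= 0xff:
            raise ValueError('host index %d does not fit one MAC octet' % index)
        return MAC('00:00:00:00:00:%02x' % index)

    #-----------------
    #Network breakdown (virtual components)
    internal_net_edge = [1000]
    gateway = [1001]
    blackhole_checker_redirector = [1002]
    firewall = [1003]
    internet_edge = [1004]

    #-----------------
    #IP subnets
    internal_prefix = '10.1.1.'
    internet_prefix = '10.1.2.'
    prefix_len = 24
    internal_cidr = internal_prefix + '0/' + str(prefix_len)
    internet_cidr = internet_prefix + '0/' + str(prefix_len)

    #-----------------
    #End hosts and servers
    #Internal host i sits at 10.1.1.(i+1) with MAC ...:0i; internal hosts and
    #DMZ servers share one index range, so the servers are the last entries.
    internal_ip_to_macs = {
        IP(internal_prefix + str(i + 1)): host_mac(i)
        for i in range(1, 1 + num_internal_hosts + num_dmz_servers)
    }
    #Every internet-side address maps to the same MAC (presumably all of them
    #sit behind one router interface -- confirm against the topology).
    internet_ip_to_macs = {
        IP(internet_prefix + str(i + 1)): MAC('00:00:00:00:00:07')
        for i in range(1, 1 + num_internet_hosts)
    }
    #dict(a.items() + b.items()) only works on Python 2; copy-then-update
    #builds the same table on either version.
    host_ip_to_macs = dict(internal_ip_to_macs)
    host_ip_to_macs.update(internet_ip_to_macs)

    #-----------------
    #params for blackhole checker/redirector

    #Threshold rate of packets belonging to the same (srcip,dstip,dstport)
    #flow (careful: TCP protocol!). If this rate is surpassed, we consider it
    #a possible DoS and redirect the flow to the blackhole.
    threshold_rate = 6  #packets per sec (you can tune it if needed)
    blackhole_port_dict = {
        'untrusted': 2,
        'trusted': 1,
        'blackhole': 3
    }  #see exercise setup (figure 2)
    #protect ssh and apache servers
    ips_and_tcp_ports_to_protect = [("10.1.1.6", 22), ("10.1.1.7", 80)]

    #-----------------
    #params for firewall
    firewall_port_dict = {
        'untrusted': 2,
        'trusted': 1
    }  #see exercise setup (ports of firewall, figure 2)

    #The whitelist holds (src, dst) dotted-quad pairs in the form fw()
    #expects (not visible here).  Every internal host gets the
    #(internal, internet) pair; only the protected servers also get the
    #reverse (internet, internal) pair, so they alone have entries in both
    #directions.  The server set is derived from the blackhole protection
    #list so the two cannot silently drift apart.
    inbound_servers = set(ip for ip, _port in ips_and_tcp_ports_to_protect)
    #str() once per address rather than once per pair.
    internal_ips = [str(ip) for ip in internal_ip_to_macs]
    internet_ips = [str(ip) for ip in internet_ip_to_macs]
    whitelist = set()
    for internal_ip in internal_ips:
        for internet_ip in internet_ips:
            whitelist.add((internal_ip, internet_ip))
            if internal_ip in inbound_servers:
                whitelist.add((internet_ip, internal_ip))

    #-----------------
    #policies
    #Both network edges are plain learning switches.
    internal_pol = mac_learner()
    internet_pol = mac_learner()
    gateway_pol = gateway_forwarder(internal_cidr, internet_cidr,
                                    host_ip_to_macs)
    blackhole_pol = BlackholeCheckerRedirector(threshold_rate,
                                               blackhole_port_dict,
                                               ips_and_tcp_ports_to_protect)
    #ARP passes straight through so address resolution reaches the gateway;
    #everything else is checked against the whitelist, then forwarded between
    #the trusted and untrusted ports.  The port numbers come from
    #firewall_port_dict instead of being repeated as literals.
    firewall_pol = (if_(ARP, passthrough, fw(whitelist)) >>
                    dumb_forwarder(firewall_port_dict['trusted'],
                                   firewall_port_dict['untrusted']))

    #-----------------
    #Combine the per-switch policies in parallel.
    return ((switch_in(internal_net_edge) >> internal_pol) +
            (switch_in(gateway) >> gateway_pol) +
            (switch_in(blackhole_checker_redirector) >> blackhole_pol) +
            (switch_in(firewall) >> firewall_pol) +
            (switch_in(internet_edge) >> internet_pol))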