Hi,
What you really want to do is identifying the packets from the controller,
not mirroring the packets, right?
(Or you need to do mirroring too?)
If so, can you identify the packets by "in_port" field?
e.g.)
if in_port == OFPP_CONTRILLER:
do processing of FSM
To do this, you need to set the output action with "port=OFPP_TABLE".
e.g.)
+ in_port = ofproto.OFPP_CONTROLLER
+ actions = [parser.OFPActionOutput(ofproto.OFPP_TABLE)]
out = parser.OFPPacketOut(datapath=datapath, buffer_id=msg.buffer_id,
in_port=in_port, actions=actions, data=data)
datapath.send_msg(out)
This packet from packet-out message matches the flow entry which has
in_port=OFPP_CONTROLLER.
If you want to do both processing of FSM and forwarding to mirror port
by using OpenFlow mechanism only, it is very difficult, I think.
To realize this, I think you need to implement the special action
of you switch in order to do processing of FSM and forwarding to mirror port.
Thanks,
Iwase
On 2016年05月30日 16:12, Maurizio Marrocco wrote:
> Hi,
> I need to do port mirroring "At switch" because I implement the state (Finite
> State Machine) in switch with OpenState (now switches are smart and manage
> local state), it is some library in addition and without changing OpenFlow
> protocol.
> My objective is security and so: I modify controller to send K PacketOut
> messages to switch and switch must forward only the original ones (other are
> replicas), this to simulate DoS attack.
> My FSM is:
> - state 0: default, switch no received packet yet
> - state 1: switch received 1 PacketOut
> - the transaction 0->1 is performed when switch received PacketOut msg (this
> is why I need to do identify PacketOut with if statement, i.e.
> IF(RECEIVE PACKETOUT)
> change state and forward to mirror port 3.
> - If switch received another PacktOut, it remains in state 1 but now drop
> this packet
> - I return to state 0 after idle_timeout=5sec.
> Thanks for help.
>
>
>
> ________________________________________
> Da: Iwase Yusuke <[email protected]>
> Inviato: lunedì 30 maggio 2016 04.28
> A: [email protected]
> Cc: [email protected]
> Oggetto: Re: [Ryu-devel] How I can identify a packet from the Ryu-controller
> to OpenFlow v1.3 switch?
>
> Hi,
>
> To process the packet using the flow entries,
> you need to output the packet to "OFPP_TABLE" port.
>
> For just forwarding (Not mirroring), please refer to the following.
>
> $ git diff
> diff --git a/ryu/app/simple_switch_13.py b/ryu/app/simple_switch_13.py
> index 3e7c598..9d3741c 100644
> --- a/ryu/app/simple_switch_13.py
> +++ b/ryu/app/simple_switch_13.py
> @@ -48,6 +48,11 @@ class SimpleSwitch13(app_manager.RyuApp):
> ofproto.OFPCML_NO_BUFFER)]
> self.add_flow(datapath, 0, match, actions)
>
> + match = parser.OFPMatch(in_port=ofproto.OFPP_CONTROLLER)
> + mirror_port = 3
> + actions = [parser.OFPActionOutput(mirror_port)]
> + self.add_flow(datapath, 1, match, actions)
> +
> def add_flow(self, datapath, priority, match, actions, buffer_id=None):
> ofproto = datapath.ofproto
> parser = datapath.ofproto_parser
> @@ -114,6 +119,8 @@ class SimpleSwitch13(app_manager.RyuApp):
> if msg.buffer_id == ofproto.OFP_NO_BUFFER:
> data = msg.data
>
> + in_port = ofproto.OFPP_CONTROLLER
> + actions = [parser.OFPActionOutput(ofproto.OFPP_TABLE)]
> out = parser.OFPPacketOut(datapath=datapath,
> buffer_id=msg.buffer_id,
> in_port=in_port, actions=actions,
> data=data)
> datapath.send_msg(out)
>
>
> If you want to do mirroring, it is more complex.
> Because you need to install the flows:
> -one is to forward packets without mirroring
> - one is to do mirroring + forwarding.
> And, you need to switch these flows by 'in_port' match field.
>
> With the fixed topology, it might be more simple,
> but it is still difficult to calculate the flows, I think.
>
> To capture the packet at controller-switch link is not suitable for your
> purpose?
> I think filtering the packet by Wireshark is more easy way.
>
>
> Thanks,
> Iwase
>
> On 2016年05月27日 19:22, Maurizio Marrocco wrote:
>> Hi,
>> I tried to mirror PacketOut msg to port 3 and it's OK
>> But I don't know how identify this packet from controller to switch.
>> I tried to install flow when match the field inPort=ofproto.OFPP_CONTROLLER,
>> but don't work
>> Here the piece of code:
>> """Mirror all control traffic, from control port to output 3 - don't work
>> """
>> match3 = parser.OFPMatch(in_port=ofproto.OFPP_CONTROLLER)
>>
>> actions3 =[parser.OFPActionOutput(3)]
>> self.add_flow(datapath,1, match3, actions3)
>> also because with dpctl I see the flow table and this entry was matched with
>> in_port=-3 Value.
>>
>> Furthermore, I tried group action for mirroring, but don't works because
>> from OFv1.3 spec:
>> "Set-Field actions for OXM types OFPXMT_OFB_IN_PORT,
>> OXM_OF_IN_PHY_PORT and OFPXMT_OFB_METADATA are not supported, because those
>> are not header fi elds."
>> in fact, with wireshark I have ad error: OFBAC_BAD_SET_TYPE (i.e.
>> unsupported type in SET_FIELD ACTION)
>> Any other ideas?
>> I really need for my thesis to instruct my RYU program to said:
>> if(receive OFPT_PACKET_OUT)
>> mirror(port 3)
>>
>> Another thing: if run TCPDUMP to h3, i don't see the OPENFLOW packet right?
>> because OPENFLOW protocol is specified only for controller-switch
>> communication
>> Thanks for helps.
>>
>>
>> ________________________________________
>> Da: Iwase Yusuke <[email protected]>
>> Inviato: giovedì 26 maggio 2016 05.53
>> A: [email protected]
>> Cc: [email protected]
>> Oggetto: Re: [Ryu-devel] How I can identify a packet from the Ryu-controller
>> to OpenFlow v1.3 switch?
>>
>> Hi,
>>
>> You want to do the port mirroring only the packets sent by packet_out
>> messages, right?
>> I think there are some way to do this.
>> For example, please refer to the following snippet.
>> I added a output action in to packet_out message (not into flow_mod
>> messages).
>>
>> $ git diff
>> diff --git a/ryu/app/simple_switch_13.py b/ryu/app/simple_switch_13.py
>> index 3e7c598..55ff4e7 100644
>> --- a/ryu/app/simple_switch_13.py
>> +++ b/ryu/app/simple_switch_13.py
>> @@ -114,6 +114,10 @@ class SimpleSwitch13(app_manager.RyuApp):
>> if msg.buffer_id == ofproto.OFP_NO_BUFFER:
>> data = msg.data
>>
>> + # add output action for port mirroring
>> + mirror_port = 3
>> + actions.append(parser.OFPActionOutput(port=mirror_port))
>> +
>> out = parser.OFPPacketOut(datapath=datapath,
>> buffer_id=msg.buffer_id,
>> in_port=in_port, actions=actions,
>> data=data)
>> datapath.send_msg(out)
>>
>>
>> If you want to identify the packets from the controller at the switches,
>> this might be more complex, I think.
>> Maybe you need to install the specific flows for
>> in_port=ofproto.OFPP_CONTROLLER packets
>> or to use group actions for mirroring.
>>
>> Thanks,
>> Iwase
>>
>>
>> On 2016年05月25日 20:44, Maurizio Marrocco wrote:
>>> Hi, I try with in_port=ofproto.OFPP_CONTROLLER in PktOut msg but don't work.
>>> In other words, how can Mirror all control traffic (pkt_out messages), from
>>> controller to port output 3?
>>> How can match this?
>>> I post the source with attachment to this email.
>>>
>>>
>>> ________________________________________
>>> Da: Iwase Yusuke <[email protected]>
>>> Inviato: mercoledì 25 maggio 2016 03.37
>>> A: [email protected]
>>> Cc: [email protected]
>>> Oggetto: Re: [Ryu-devel] How I can identify a packet from the
>>> Ryu-controller to OpenFlow v1.3 switch?
>>>
>>> Hi,
>>>
>>> On 2016年05月25日 02:39, Maurizio Marrocco wrote:
>>>> Hi to everyone,
>>>>
>>>> I need an help for my thesis,
>>>>
>>>> I want to identify a control packet from Python RYU-controller. In other
>>>> words: How I can to do the following instruction?
>>>>
>>>> |If(I receive a OFPT_PACKET_OUT msg fromryu-controller)dosomething
>>>> (forexample all control traffic from controller must mirroring to an
>>>> output port)|
>>>>
>>>> and How can I match this rule?
>>>>
>>>> I saw in OpenFlow v1.3 specification that there is a
>>>> ofproto.OFPP_CONTROLLER reserved port: How can I use it as an ingress port?
>>>>
>>>> >From OFv1.3 spec.: "OFPP_CONTROLLER: Represents the control channel
>>>> with the OpenFlow controller. Can be used as an ingress port or as an
>>>> output port.
>>>>
>>>> When used as an output port, encapsulate the packet in a packet-in message
>>>> and send it using the OpenFlow protocol.
>>>>
>>>> When used as an ingress port, identify a packet originating from the
>>>> controller."
>>>
>>> How about setting "in_port=ofp.OFPP_CONTROLLER" in OFPPacketOut message?
>>>
>>> http://ryu.readthedocs.io/en/latest/ofproto_v1_3_ref.html#ryu.ofproto.ofproto_v1_3_parser.OFPPacketOut
>>>
>>> Thanks,
>>> Iwase
>>>
>>>>
>>>> Thanks for the help.
>>>>
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Mobile security can be enabling, not merely restricting. Employees who
>>>> bring their own devices (BYOD) to work are irked by the imposition of MDM
>>>> restrictions. Mobile Device Manager Plus allows you to control only the
>>>> apps on BYO-devices by containerizing them, leaving personal data
>>>> untouched!
>>>> https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Ryu-devel mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/ryu-devel
>>>>
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Mobile security can be enabling, not merely restricting. Employees who
>>> bring their own devices (BYOD) to work are irked by the imposition of MDM
>>> restrictions. Mobile Device Manager Plus allows you to control only the
>>> apps on BYO-devices by containerizing them, leaving personal data untouched!
>>> https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
>>>
>>>
>>>
>>> _______________________________________________
>>> Ryu-devel mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/ryu-devel
>>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
>> patterns at an interface-level. Reveals which users, apps, and protocols are
>> consuming the most bandwidth. Provides multi-vendor support for NetFlow,
>> J-Flow, sFlow and other flows. Make informed decisions using capacity
>> planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
>>
>>
>>
>> _______________________________________________
>> Ryu-devel mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/ryu-devel
>>
> ------------------------------------------------------------------------------
> What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
> patterns at an interface-level. Reveals which users, apps, and protocols are
> consuming the most bandwidth. Provides multi-vendor support for NetFlow,
> J-Flow, sFlow and other flows. Make informed decisions using capacity
> planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
> _______________________________________________
> Ryu-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/ryu-devel
>
------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity
planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
_______________________________________________
Ryu-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ryu-devel
