Ns3 Projects for B.E/B.Tech M.E/M.Tech PhD Scholars.  Phone-Number:9790238391   E-mail: ns3simulation@gmail.com

How to Implement Network Micro segmentation in ns3

To implement the network micro segmentation in ns3, within the virtual network environment we have to enhance the security and management by creating a fine-grained segments of network. This is commonly done by configuring routing, access control lists (ACLs), and traffic policies to ensure that traffic is only allowed between designated segments.

Step-by-Step Guide to Implement Network Micro-Segmentation in ns3

Step 1: Setup ns3 Environment

Make certain, you have installed ns3 in your computer.

Step 2: Include Necessary Modules

The necessary ns3 module has to be included in the script. Below, we provided the sample:

cpp

Copy code

#include “ns3/core-module.h”

#include “ns3/network-module.h”

#include “ns3/internet-module.h”

#include “ns3/point-to-point-module.h”

#include “ns3/applications-module.h”

#include “ns3/traffic-control-module.h”

#include “ns3/flow-monitor-module.h”

Step 3: Create the Simulation Script

  1. Setup Nodes and Network:

using namespace ns3;

NS_LOG_COMPONENT_DEFINE (“NetworkMicroSegmentationExample”);

int main (int argc, char *argv[])

{

CommandLine cmd;

cmd.Parse (argc, argv);

// Create nodes

NodeContainer nodes;

nodes.Create (8);

// Create point-to-point links

PointToPointHelper pointToPoint;

pointToPoint.SetDeviceAttribute (“DataRate”, StringValue (“10Mbps”));

pointToPoint.SetChannelAttribute (“Delay”, StringValue (“2ms”));

// Create network topology

NetDeviceContainer devices;

devices = pointToPoint.Install (NodeContainer (nodes.Get (0), nodes.Get (1))));

devices.Add (pointToPoint.Install (NodeContainer (nodes.Get (1), nodes.Get (2))));

devices.Add (pointToPoint.Install (NodeContainer (nodes.Get (2), nodes.Get (3))));

devices.Add (pointToPoint.Install (NodeContainer (nodes.Get (4), nodes.Get (5))));

devices.Add (pointToPoint.Install (NodeContainer (nodes.Get (5), nodes.Get (6))));

devices.Add (pointToPoint.Install (NodeContainer (nodes.Get (6), nodes.Get (7))));

devices.Add (pointToPoint.Install (NodeContainer (nodes.Get (3), nodes.Get (4))));

// Install Internet stack

InternetStackHelper stack;

stack.Install (nodes);

// Assign IP addresses

Ipv4AddressHelper address;

address.SetBase (“10.1.1.0”, “255.255.255.0”);

Ipv4InterfaceContainer interfaces = address.Assign (devices);

// Set up routing

Ipv4GlobalRoutingHelper::PopulateRoutingTables ();

// Create ACLs for micro-segmentation

Ptr<Ipv4> ipv4;

Ipv4StaticRoutingHelper ipv4RoutingHelper;

Ptr<Ipv4StaticRouting> staticRouting;

// Allow traffic within segment 1 (nodes 0-3)

for (uint32_t i = 0; i < 4; ++i)

{

ipv4 = nodes.Get (i)->GetObject<Ipv4> ();

staticRouting = ipv4RoutingHelper.GetStaticRouting (ipv4);

for (uint32_t j = 0; j < 4; ++j)

{

if (i != j)

{

staticRouting->AddNetworkRouteTo (Ipv4Address (“10.1.1.0”), Ipv4Mask (“255.255.255.0”), 1);

}

}

}

// Allow traffic within segment 2 (nodes 4-7)

for (uint32_t i = 4; i < 8; ++i)

{

ipv4 = nodes.Get (i)->GetObject<Ipv4> ();

staticRouting = ipv4RoutingHelper.GetStaticRouting (ipv4);

for (uint32_t j = 4; j < 8; ++j)

{

if (i != j)

{

staticRouting->AddNetworkRouteTo (Ipv4Address (“10.1.1.0”), Ipv4Mask (“255.255.255.0”), 1);

}

}

}

// Block traffic between segments 1 and 2

// This can be done by not adding any routes between the segments or by using traffic control mechanisms

// Set up applications for segment 1

uint16_t port1 = 9;  // Discard port (RFC 863)

Address serverAddress1 (InetSocketAddress (Ipv4Address::GetAny (), port1));

PacketSinkHelper packetSinkHelper1 (“ns3::UdpSocketFactory”, serverAddress1);

ApplicationContainer sinkApps1 = packetSinkHelper1.Install (nodes.Get (3));

sinkApps1.Start (Seconds (1.0));

sinkApps1.Stop (Seconds (20.0));

OnOffHelper onoff1 (“ns3::UdpSocketFactory”, Address (InetSocketAddress (interfaces.GetAddress (3), port1)));

onoff1.SetConstantRate (DataRate (“1Mbps”));

ApplicationContainer apps1 = onoff1.Install (nodes.Get (0));

apps1.Start (Seconds (2.0));

apps1.Stop (Seconds (20.0));

// Set up applications for segment 2

uint16_t port2 = 10;

Address serverAddress2 (InetSocketAddress (Ipv4Address::GetAny (), port2));

PacketSinkHelper packetSinkHelper2 (“ns3::UdpSocketFactory”, serverAddress2);

ApplicationContainer sinkApps2 = packetSinkHelper2.Install (nodes.Get (7));

sinkApps2.Start (Seconds (1.0));

sinkApps2.Stop (Seconds (20.0));

OnOffHelper onoff2 (“ns3::UdpSocketFactory”, Address (InetSocketAddress (interfaces.GetAddress (7), port2)));

onoff2.SetConstantRate (DataRate (“2Mbps”));

ApplicationContainer apps2 = onoff2.Install (nodes.Get (4));

apps2.Start (Seconds (2.0));

apps2.Stop (Seconds (20.0));

// Enable pcap tracing for packet capture

pointToPoint.EnablePcapAll (“network-micro-segmentation”);

// Enable traffic control for segment 1

TrafficControlHelper tch1;

tch1.SetRootQueueDisc (“ns3::RedQueueDisc”);

tch1.Install (devices.Get (0));

tch1.Install (devices.Get (1));

tch1.Install (devices.Get (2));

tch1.Install (devices.Get (3));

// Enable traffic control for segment 2

TrafficControlHelper tch2;

tch2.SetRootQueueDisc (“ns3::PfifoFastQueueDisc”);

tch2.Install (devices.Get (4));

tch2.Install (devices.Get (5));

tch2.Install (devices.Get (6));

tch2.Install (devices.Get (7));

// Enable flow monitor

FlowMonitorHelper flowmon;

Ptr<FlowMonitor> monitor = flowmon.InstallAll ();

Simulator::Stop (Seconds (20.0));

Simulator::Run ();

// Print per-flow statistics

monitor->CheckForLostPackets ();

Ptr<Ipv4FlowClassifier> classifier = DynamicCast<Ipv4FlowClassifier> (flowmon.GetClassifier ());

std::map<FlowId, FlowMonitor::FlowStats> stats = monitor->GetFlowStats ();

for (std::map<FlowId, FlowMonitor::FlowStats>::const_iterator i = stats.begin (); i != stats.end (); ++i)

{

Ipv4FlowClassifier::FiveTuple t = classifier->FindFlow (i->first);

std::cout << “Flow ” << i->first << ” (” << t.sourceAddress << ” -> ” << t.destinationAddress << “)\n”;

std::cout << ”  Tx Bytes:   ” << i->second.txBytes << “\n”;

std::cout << ”  Rx Bytes:   ” << i->second.rxBytes << “\n”;

std::cout << ”  Tx Packets: ” << i->second.txPackets << “\n”;

std::cout << ”  Rx Packets: ” << i->second.rxPackets << “\n”;

std::cout << ”  Throughput: ” << i->second.rxBytes * 8.0 / (i->second.timeLastRxPacket.GetSeconds() – i->second.timeFirstTxPacket.GetSeconds()) / 1024 / 1024 << ” Mbps\n”;

}

Simulator::Destroy ();

return 0;

}

Explanation

  • Node Creation: Create nodes representing diverse devices in the network.
  • Point-to-Point Links: Construct point-to-point links between nodes with specified data rates and delays.
  • Internet Stack: Install the Internet stack on all nodes.
  • IP Configuration: Dispense IP addresses to the interfaces.
  • Routing: We have to make sure that the packets can travel inside the segments by setting up the static routing.
  • ACLs for Micro-Segmentation: Create access control lists (ACLs) to allow traffic inside segments and block traffic among the segments.
  • Applications for Segments: Set up various applications for each segment with diverse data rates and ports.
  • Traffic Control: Apply different traffic control mechanisms for each segment.  In this sample script, Segment 1 uses RedQueueDisc and segment 2 uses PfifoFastQueueDisc.
  • Packet Tracing: To seize the packets we have to enable pcap tracing.
  • Flow Monitor: Use the FlowMonitor module to collect and print statistics about the traffic flows.

Step 4: Run the Simulation

Compile and run your simulation script:

sh

./waf configure

./waf build

./waf –run NetworkMicroSegmentationExample

Advanced Micro-Segmentation Techniques

  1. Dynamic ACLs:

During runtime, we have to fine-tune the access control by executing dynamic ACLs.

Simulator::Schedule (Seconds (10.0), &Ipv4StaticRouting::AddNetworkRouteTo, staticRouting, Ipv4Address (“10.1.2.0”), Ipv4Mask (“255.255.255.0”), Ipv4Address (“10.1.1.2”), 1);

  1. QoS Policies:

Apply dissimilar QoS policies to segments to make certain guaranteed bandwidth, latency, or jitter.

tch1.SetRootQueueDisc (“ns3::FqCoDelQueueDisc”);

tch1.Install (devices.Get (0));

  1. Traffic Isolation:

Ensure traffic isolation between segments to preclude interference.

tch1.SetRootQueueDisc (“ns3::TbfQueueDisc”, “Rate”, DataRateValue (DataRate (“5Mbps”)));

tch1.Install (devices.Get (0));

  1. Monitoring and Analytics:

Analyze the performance of all segments by using advanced monitoring and analytics tools.

monitor->SerializeToXmlFile (“network-micro-segmentation-flowmon-results.xml”, true, true);

This script makes you completely understand the installation and implementation of network micro segmentation in the ns3 tool. We will offer any other details on this topic if needed.

We have successfully implemented Network Microsegmentation in the ns3 program, where we handle the configuration of routing, access control lists (ACLs), and traffic policies tailored to your projects.