Capture and Analysis towards 10Gbps / 40Gbps
James Spooner, Systems Engineer, Endace Europe Ltd. www.endace.com

Passive Network Monitoring
• Capturing a network link into an analysis device with any or all of the following:
– Data Payload
– Timing information
– Link information
– Packet information (metadata)

Capture and Analysis
"Succeed in catching or seizing [packets], and investigate the component parts of the packet and their relations in making up the packet."
• Capture
– succeed in representing or expressing something intangible; "capture the essence of Spring"; "capture an idea"
– attract; cause to be enamored; "She captured all the men's hearts"
– the act of forcibly dispossessing an owner of property
– a process whereby a star or planet holds an object in its gravitational field
– get: succeed in catching or seizing, especially after a chase; "We finally got the suspect"; "Did you catch the thief?"
– any process in which an atomic or nuclear system acquires an additional particle
– the act of taking of a person by force
– the removal of an opponent's piece from the chess board
– capture as if by hunting, snaring, or trapping; "I caught a rabbit in the trap today"
• Analysis
– an investigation of the component parts of a whole and their relations in making up the whole
– a form of literary criticism in which the structure of a piece of writing is analyzed
– the use of closed-class words instead of inflections: e.g., `the father of the bride' instead of `the bride's father'
– a branch of mathematics involving calculus and the theory of limits; sequences and series and integration and differentiation
– psychoanalysis: a set of techniques for exploring underlying motives and a method of treating various mental disorders; based on the theories of Sigmund Freud; "his physician recommended psychoanalysis"

Passive Network Monitoring
The definitions I will use are the following:
– 'End to End' System (E2E): a Host / Node running an Application
– 'Third Party Monitoring' System (MON): a Host / Node running Capture, Analysis, React and Log
[Diagram: E2E Host / Node (Application); MON Host / Node (React, Capture, Analysis, Log); E2E Host / Node (Application)]

E2E vs. MON
• Packet Loss
– E2E nodes can ask for retransmission
– MON nodes must capture all packets
• Data Rate
– E2E nodes can reduce RWIN or otherwise indicate buffer availability
– MON nodes must handle all or any rates
• External Traffic
– E2E nodes need only deal with their own traffic
– MON nodes must deal with all traffic on the monitored link

MON - Capture Challenges
• Link rates getting faster?
– Successive LAN bandwidth x10 every 5 years
  • Apparently doubling every two years(!)
– DWDM is a reprieve for optical (WAN) links (already parallel)
– … or not - several dozen 40Gbps links already deployed in the EU
• More data on these links?
– True for end customers with large pipes (last mile)
– Not true for Telcos that have large numbers of links (backhauls usually in bunches anyway)
– Grid applications tend to use large bursts (over a number of hours)
• Makes research networks harder to monitor than commercial networks

MON - Analysis Challenges
• More data is being transferred
– Better broadband access, more content, higher quality content
• Protocols are becoming more sophisticated (P2P etc).
– P2P protocols run over any TCP port and choose at random
– Their decentralized nature makes these protocols even harder to discover and analyse
• Attacks are becoming more virulent
– Worms and viruses are still evolving, doing more damage to industries that are increasingly reliant upon networked communication
– Attacks need to be detected at all layers (1-7 for those who believe in the ISO OSI)

Emerging help for E2E
• Great New Technology
– Increasingly faster and more parallel CPUs
– Higher Memory Densities
– Better Operating systems
– Bus bandwidth (PCI and Memory and Disks)

Emerging help for MON
• Great New Technology
– Increasingly faster and more parallel CPUs
– Higher Memory Densities
– Better Operating systems
– Bus bandwidth (PCI and Memory and Disks)

Differentiating E2E and MON
• E2E and MON use essentially the same hardware
• Yet MON has a harder job
• Allow me, if you will, some 'math' (the relational operators between the terms did not survive extraction; the terms, in the order shown, are):
  E2ETask   MONTask   LatestPC   LatestPC   MONAssist
  E2ETask   MONTask   MONAssist   0
  LAN (edge): MONTask   E2ETask
  WAN (core): MONTask   E2ETask

Network Monitoring Assistance
• Use resources more efficiently
– Harness Concurrent Parallelism in new PC architectures
– Remove unnecessary overhead (memory copies, OS interaction)
– Use bus efficiently
• Add additional resources
– Add dedicated hardware for particular 'hard' operations
– Add additional processor resource on capture hardware
• Minimize data to process
– Push data reducing operations (drop, truncate) into hardware

Efficient use of resources
• Have hardware write to multiple independent analysis apps (or threads)
• Bypass operating system and provide zero copy capture
• Use PCI bus efficiently by transferring large amounts of data with little overhead
[Diagram: capture hardware writing into Memory (RAM) shared by App, App, App and the OS]

Add additional resources
• Custom or Programmable logic (Silicon)
– Full custom ASICs provide the best performance
– FPGAs give speed and flexibility
• Network processor
– High speed processing core
– Multiple parallel network processing engines
– Easily programmable

Add additional resources (continued)
• Classification (packet colouring)
– VLAN
– ATM VC
– MPLS
– Flow IP Address
– UDP/TCP Flow
– Content search
• TCP Checksum Offload
• Compression
• Colour based on statistical distribution (Sampling)
• others to come… what is becoming necessary?

Data Minimization
• Hardware support for minimizing the data
– Filter on classification match
– Truncate on classification match
– Use compression in hardware when capturing to disk
– Forward directly to output port rather than passing through host

Example, Classification
4 bit inspection fields:
1010 0100 1100 1011 1010 1010 0001 1010 1010 0000 0000 0000 0000 0000 0000 0101 1001 1111 1001 0110 0101 1010 0000 1001 1001 1010 1110 1010 0101 0010 1010 1010 1110 1010 1010 0110
128 Byte search window (the same fields, labelled by the header they fall in):
1010 0100 1100  L2 Header
1011 1010 1010 0001  MPLS Tag
1010 1010 0000 0000 0000 0000 0000 0000 0101 1001 1111 1001 0110 0101 1010 0000  IP Header
1001 1001 1010 1110 1010 0101 0010 1010  TCP / UDP Payload..
1010 1110 1010 1010 0110

Example, Classification
Match Lists:
101001010101010010101001010101010101010101010101010101010100100
X010X0101X1010X10101X01010X101010X10101010XXX0101010X10101010
etc…
With Colours:
101010100101010X0XX…
X1010X101010X101010…
10101001010010101010…
• Rules with ternary match
• Colored rules
• Up to currently 16K rules

Example, Classification
[Diagram: classified packets written into Memory (RAM) and delivered to App, App, App alongside the OS]

Pieces of the puzzle
[Diagram: Capture, Search and Classify, Data Minimization, Parallelize for Efficiency, Efficient Transfer, More Detailed Monitoring, feeding a Host / Node with many parallel Analysis processes, React and Log]

The bigger picture
• Network monitoring libraries emerging based around:
– Efficiency
– Hardware offload
• See FFPF and MAPI
– Support hardware offload and multiple independent streams

The Bigger Picture (continued)
[Diagram: Monitoring Host / Node: Capture, Search and Classify, Data Minimization, Parallelize for Efficiency, Efficient Transfer, exposed through an API (FFPF for example) to React, Log and several parallel Analysis processes]

To Conclude
• End to End nodes are not always sufficient to perform monitoring alone
• Current monitoring is being designed around hardware offload
• Speed and efficiency are the key
• Improvement in PC technology doesn't solve the problem
• Need to reduce the amount of data going to the PC and present it in a manner which is able to be processed in parallel
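The "Example, Classification" and "Data Minimization" slides describe one pipeline: ternary rules (bit strings with X as a don't-care bit, up to 16K of them) colour each packet inside a 128 byte search window, and the colour then decides whether the packet is filtered, truncated or handed whole to one of several independent analysis applications. The following is an added example, not Endace code and not taken from the slides: it builds the ternary rules as (value, mask) pairs the way a TCAM evaluates them, applies first-match-wins classification over the search window, and then performs the data-minimizing action before delivery. The rule set, the `ethernet` and `ipv4` frame builders, the sample packets, the byte offsets for the ethertype (byte 12) and IPv4 protocol (byte 23), and the action names are all constructed for this illustration.

```python
# Added example (not Endace code): ternary rules with colours, then colour-driven data minimisation.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

WINDOW_BYTES = 128            # slide: 128 byte search window
WINDOW_BITS = WINDOW_BYTES * 8
MAX_RULES = 16 * 1024         # slide: "up to currently 16K rules"

class Action(Enum):
    DROP = "drop"             # filter on classification match
    TRUNCATE = "truncate"     # truncate on classification match
    FORWARD = "forward"       # whole packet goes to the analysis app

@dataclass(frozen=True)
class Rule:
    pattern: str              # one of 0/1/X per bit, anchored at the window start
    colour: int
    action: Action
    snaplen: int = WINDOW_BYTES   # bytes kept when action is TRUNCATE
    def __post_init__(self) -> None:
        if not 0 < len(self.pattern) <= WINDOW_BITS or set(self.pattern) - set("01X"):
            raise ValueError("pattern must be 1..%d bits of 0/1/X" % WINDOW_BITS)

def pattern_for(window_bytes: int, fields: List[Tuple[int, bytes]]) -> str:
    """Ternary pattern that fixes only the given (byte_offset, value) fields."""
    bits = ["X"] * (window_bytes * 8)
    for offset, value in fields:
        for i, byte in enumerate(value):
            bits[(offset + i) * 8:(offset + i + 1) * 8] = format(byte, "08b")
    return "".join(bits)

def compile_rule(pattern: str) -> Tuple[int, int, int]:
    # (value, mask, width): a match is one AND and one compare, as in a TCAM.
    value = int(pattern.replace("X", "0"), 2)
    mask = int("".join("0" if c == "X" else "1" for c in pattern), 2)
    return value, mask, len(pattern)

class Classifier:  # ordered rule table: the first matching rule colours the packet
    def __init__(self, rules: List[Rule]) -> None:
        if len(rules) > MAX_RULES:
            raise ValueError("rule table exceeds %d entries" % MAX_RULES)
        self.rules = [(r, *compile_rule(r.pattern)) for r in rules]

    def classify(self, packet: bytes) -> Optional[Rule]:
        # Only the search window is inspected; short packets are zero-padded.
        window = int.from_bytes(packet[:WINDOW_BYTES].ljust(WINDOW_BYTES, b"\0"), "big")
        for rule, value, mask, width in self.rules:
            if ((window >> (WINDOW_BITS - width)) & mask) == value:
                return rule
        return None

def minimise(packet: bytes, rule: Rule) -> Optional[bytes]:
    """Apply the colour's data-reducing action; None means dropped before the bus."""
    if rule.action is Action.DROP:
        return None
    return packet[:rule.snaplen] if rule.action is Action.TRUNCATE else packet

def run_pipeline(rules, default, packets, n_apps) -> Dict[str, object]:
    """capture -> classify -> minimise -> deliver to one of n_apps independent queues."""
    clf, queues = Classifier(rules), [[] for _ in range(n_apps)]
    colours, bytes_in, bytes_out, dropped = [], 0, 0, 0
    for packet in packets:
        rule = clf.classify(packet) or default
        kept = minimise(packet, rule)
        colours.append(rule.colour)
        bytes_in += len(packet)
        if kept is None:
            dropped += 1
        else:
            bytes_out += len(kept)
            queues[rule.colour % n_apps].append((rule.colour, kept))  # colour picks the consumer
    return {"colours": colours, "bytes_in": bytes_in, "bytes_out": bytes_out,
            "dropped": dropped, "queue_sizes": [len(q) for q in queues]}

# Constructed demo frames and rule set (ethertype sits at byte 12, IPv4 protocol at byte 23).
def ethernet(ethertype: int, payload: bytes, vlan: Optional[int] = None) -> bytes:
    hdr = bytes.fromhex("0a0000000001" "0a0000000002")              # dst MAC, src MAC
    if vlan is not None:
        hdr += b"\x81\x00" + vlan.to_bytes(2, "big")                  # 802.1Q tag
    return hdr + ethertype.to_bytes(2, "big") + payload

def ipv4(proto: int, total_len: int) -> bytes:
    # Minimal 20-byte header; checksum left zero since the matcher never checks it.
    return (bytes([0x45, 0]) + total_len.to_bytes(2, "big") +
            bytes([0, 0, 0x40, 0, 64, proto, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2]))

RULES = [  # first match wins
    Rule(pattern_for(14, [(12, b"\x81\x00")]), 2, Action.FORWARD),                      # 802.1Q: keep whole
    Rule(pattern_for(24, [(12, b"\x08\x00"), (23, b"\x06")]), 1, Action.TRUNCATE, 64),  # IPv4/TCP: headers only
    Rule(pattern_for(24, [(12, b"\x08\x00"), (23, b"\x11")]), 0, Action.DROP),          # IPv4/UDP: drop in hardware
]
DEFAULT = Rule("X", 3, Action.FORWARD)                                                   # unclassified: keep whole
PACKETS = [
    ethernet(0x0800, ipv4(6, 120) + b"A" * 100),            # 134 bytes, TCP
    ethernet(0x0800, ipv4(17, 70) + b"B" * 50),             # 84 bytes, UDP
    ethernet(0x0800, ipv4(6, 60) + b"C" * 40, vlan=100),    # 78 bytes, VLAN-tagged
    ethernet(0x0806, b"\0" * 28),                           # 42 bytes, ARP
]
```

Running `run_pipeline(RULES, DEFAULT, PACKETS, n_apps=2)` on the four constructed frames colours them 1, 0, 2 and 3; the UDP frame is dropped, the TCP frame is cut to its first 64 bytes, and 338 captured bytes shrink to 184 bytes delivered, spread over two consumer queues by colour. The point the slides make shows up directly in the numbers: every byte saved here is a byte that never crosses the bus or touches the host, and because the colour selects the consumer the analysis applications need no shared state to split the stream. The ternary patterns are kept as (value, mask) pairs so that, as in a TCAM, each rule costs one AND and one compare regardless of how many X bits it carries.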