Download FFPF: Fairly Fast Packet Filters

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
Document related concepts

Multiprotocol Label Switching wikipedia , lookup

Distributed firewall wikipedia , lookup

Asynchronous Transfer Mode wikipedia , lookup

IEEE 1355 wikipedia , lookup

Network tap wikipedia , lookup

TCP congestion control wikipedia , lookup

Net bias wikipedia , lookup

RapidIO wikipedia , lookup

Real-Time Messaging Protocol wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Wake-on-LAN wikipedia , lookup

UniPro protocol stack wikipedia , lookup

Deep packet inspection wikipedia , lookup

Transcript 
FFPF: Fairly Fast Packet Filters
u
uspace
k
kspace
n
nspace
Herbert Bos
Willem de Bruijn
Trung Nguyen
Mihai Cristea
Georgios Portokalidis
Vrije Universiteit Amsterdam
Universiteit Leiden
http://ffpf.sourceforge.net/
Vrije Universiteit Amsterdam
●
Why?
Traffic characterisation
–
what % of traffic used by
KaZaa, Gnutella, e-Donkey,
video streams, FTP data?
 difficult due to dynamic ports
Why?
●
●
Security: worms
–
early warning: are there
any worms on the loose?
–
intrusion detection
Denial of Service attacks
spread of CODE-RED in 24 hours
Why?
●
●
Security: worms
–
early warning: are there
any worms on the loose?
–
intrusion detection
Denial of Service attacks
 difficult at high speeds
spread of SAPPHIRE in 30 minutes
Why?
●
●
●
●
traffic engineering
accounting
billing
SLA monitoring
 monitoring increasingly important
 hypothesis: multiple applications on single host
–
monitoring nodes (e.g., gateways)
Network Monitoring
●
Existing solutions:
–
–
●
designed for slow networks
or traffic engineering/QoS
not very flexible
We’re hurting because of
–
–
hardware (bus, memory)
software
 demand for solution:
–
–
–
scales to high link rates
scalable in no. of apps
flexible
-process at lowest possible level
-minimise copying
-minimise context switching
-freedom at the bottom
FFPF contributions
generalised concept of ‘flow’
copying and context switching are minimised
complex processing in kernel or NIC
- reduces no. of packets that must be sent to userspace
- language neutral
- complex packet processing by connecting
simple filters (not unlike UNIX pipes)
FPL: FFPF Packet Language
persistent storage for flow-specific state
flow groups
- applications sharing buffers
reduce copying
●
FFPF avoids both ‘horizontal’ and ‘vertical’ copies
●
3 buffers: PBuf, IBuf, and MBuf
Application A
Application B
U
K
- no ‘vertical’ copies
‘filter’
- no ‘horizontal’ copies
within flow group
- more than ‘just filtering’
Fairly Fast Packet Filters
Flow: “a stream of packets that matches arbitrary user criteria”
eth0
TCP SYN
HTTP
U
IP
TCP
RTSP
“contains worm”
UDP
RTP
UID 0
Efficient
userspace
?
flowgroups: sharing data
kernel
● flowgraphs: sharing computations
●
●
reduced copying and context switches
?
x
“push filtering tasks as far down the processing
hierarchy as possible”
?
?
network card
Extensible
(device,eth0) -> (sampler,2) -> (BPF,”..”) -> (packetcount)
(device,eth0) | (device,eth1) -> (sampler,2) -> (FPL-2,”..”) | (BPF,”..”) -> (bytecount)
(device,eth0) -> (sampler,2) -> (BPF,”..”) -> (packetcount)
(device,eth0) -> (sampler,2) -> (BPF,”..”) -> (strsearch)
✔
modular framework
✔
language agnostic
✔
plug-in filters
device
sampler
BPF
pktcount
strsearch
Compatible
processing hierarchy
MAPI
ANY
APP
PCAP
uspace
kspace
nspace
Buffers
R
O
●
MBuf
–
●
●
O
unstructured array of bytes
PBuf
O
O
–
circular buffer with N fixed-size slots
–
large enough to hold packet
O
O
O
W
IBuf
–
circular buffer with N slots of size ‘sizeof(int)+sizeof(int*)’
–
contains classification result
writer (e.g., kernel) writes in circular buffer at write positio
reader explicitly advances its read pointer
X
Buffers
O
●
MBuf
–
●
●
O
unstructured array of bytes
PBuf
O
O
–
circular buffer with N fixed-size slots
–
large enough to hold packet
O
O
O
R
IBuf
–
circular buffer with N slots of size ‘sizeof(int)+sizeof(int*)’
–
contains classification result
W
writer (e.g., kernel) writes in circular buffer at write positio
reader explicitly advances its read pointer
X
Buffers
X
●
MBuf
–
●
●
X
unstructured array of bytes
PBuf
X
X
–
circular buffer with N fixed-size slots
–
large enough to hold packet
X
O
O
R
IBuf
–
circular buffer with N slots of size ‘sizeof(int)+sizeof(int*)’
–
contains classification result
W
writer (e.g., kernel) writes in circular buffer at write positio
reader explicitly advances its read pointer (typically by >1
X
R1
O
Buffer management
 what to do if writer catches
up with slowest reader?
●
–
●
fast reader preference
–
application responsible for keeping up
●
●
O
O
O
O
can check that packets have been overwritten
different drop rates for different apps
O
O
overall speed determined by slowest reader
overwrite existing packets
O
O
drop new packets
(traditional way of dealing with this)
–
O
O
slow reader preference
–
O
O
O
O
O
W
R1
Languages
IF (PKT.IP_PROTO == PROTO_TCP)
THEN
// reg.0 = hash over flow fields
R[0] = Hash (14,12,256)
●
FFPF is language neutral
●
Currently support:
–
// increment pkt counter at this
// location in MBuf
MEM[ R[0] ]++
BPF
–
C
–
OKE Cyclone
–
FPL-1
–
FPL-2
FI
•simple to use
•compiles to C and then to optimised object code
•resource limited
•restricted FOR loop
•access to persistent storage (Mbuf)
•calls to external functions (e.g., fast C functions
or hardware assists)
•compiler for uspace, kspace, and nspace (ixp1200)
Authorisation and third-party code
●
client requests need to be approved by authd
–
●
may check that:
●
X only looks at packets destined to itself
●
Y never applies a string search
●
string search only occurs after sampling
●
FPL-2 filter really are what they claims they are
FFPF allows third party code in the lowest levels
–
based on Open Kernel Environment
http://www.cs.vu.nl/~herbertb/projects/oke/
Performance results
Performance results
NIC-FIX: FFPF on IXPs
bottom of the processing hierarchy
eliminates mem & bus bottlenecks
uspace
kspace
nspace
Network Processors
“programmable NIC”
zero copy
copy once
on-demand copy
Performance
Copy St rat egies
100
reference
90
d rop
accept
processed (in %)
80
70
60
50
40
30
20
10
0
r eg ular copy
copy once
zer o copy
More Information
http://ffpf.sourceforge.net/
microbenchmarks
Related documents
LOYOLA COLLEGE (AUTONOMOUS), CHENNAI – 600 034 M.Sc.
LOYOLA COLLEGE (AUTONOMOUS), CHENNAI – 600 034 M.Sc.
What Percentage of the Earth`s Surface is Water - edventure-GA
What Percentage of the Earth`s Surface is Water - edventure-GA
OPERATING SYSTEM STRUCTURES
OPERATING SYSTEM STRUCTURES
Slides - MIT Database Group
Slides - MIT Database Group
slides
slides
A Low-Power CMOS Output Buffer A low
A Low-Power CMOS Output Buffer A low
Clinical biochemistry (1) water balance
Clinical biochemistry (1) water balance
Murr Emparro Cap e
Murr Emparro Cap e
ST7LNB DiSEqCTM microcontroller family
ST7LNB DiSEqCTM microcontroller family
I/O Managment
I/O Managment
Restoration scale and stream benefits in California rangelands
Restoration scale and stream benefits in California rangelands
A Formula for Success
A Formula for Success