Fulvio Risso, Politecnico di Torino – ICNC 2013

Filtering Network Traffic Based on Protocol Encapsulation Rules Fulvio Risso, Politecnico di Torino, Italy http://fulvio.frisso.net

1/15

Evolution of the protocol stack

• Number of application-layer protocols decreases
• Surprisingly, more complexity at the lower end of the protocol stack

[Figure: Ethernet frame headers by standard and year (slide adapted from Gary Berger, 2012). 802.3 (around 1980): Dst address, Src address, Ethertype 0x0800, Payload. 802.1Q (1998): adds a C-Tag (TPID=0x8100). 802.1ad QinQ (2005): adds an S-Tag (TPID=0x88a8) outside the C-Tag. 802.1ah MACinMAC (2008): B-Dst address, B-Src address, B-Tag (TPID=0x88a8), I-SID and flags (TPID=0x88e7) around the customer frame (C-Dst address, C-Src address, C-Tag, Ethertype, Payload). TRILL (2011): TRILL header (flags, ingress/egress nicknames) around the customer frame. VXLAN (2012): outer IP Src/Dst address, UDP (VXLAN) with flags and VNI, then the customer frame.]

2/15

Two problems in packet filtering

• How can I filter my traffic independently from the encapsulations used?
  Solution: (1) the NetPDL language, (2) dynamic creation of the actual packet filtering code [ICC08 paper]

• How can I select exactly the encapsulations I want for filtering my traffic?
  Solution: (1) the NetPDL language, (2) the NetPFL language, (3) dynamic creation of the actual packet filtering code [Globecom10 paper + this paper]

3/15

The overall filter compilation process

Inputs: the NetPDL language (protocol definitions) and the NetPFL language (filtering string), e.g.

    tcp in ip* in ethernet

Some (very complex) magic...

Output: the packet filtering code, e.g. the check that the Ethertype field (offset 12) equals 0x0800 (IP):

    ; Packet buffer base in ecx
    001 mov ax,word ptr [ecx+0Ch]   ; load 2 bytes from packet buffer at offset 12
    002 xchg ah,al                  ; swap byte-order (packet is BE, x86 is LE)
    003 cmp ax,800h                 ; compare the 2 values
    004 je 006                      ; if equal, jump to 006 and continue
    005 ret                         ; if not equal, return 0
    ...

4/15

The idea

• Let's model the protocol encapsulation graph with a directed, potentially cyclic graph
  [Figure: encapsulation graph with nodes startproto, ethernet, ip, ipv6, tcp, udp, http, dns]

• Let's model the filtering string with an automaton, e.g. for

    tcp in ip* in ipv6 in ethernet

  [Figure: automaton with states Q0, Q1, Q2, Q3, Q4 and transitions labelled "in ethernet", "in ipv6", "in ip*" (loop), ε and "tcp"]

• Let's put the two together and create a new automaton that models our filter
  [Figure: automaton with states S0 [start], S1 [eth], S2 [ipv6], S3 [ip], S4 [tcp]; symbols {start-eth}, {eth-ipv6}, {ipv6-ip}, {ip-ip} (loop on S3, from the *), {ipv6-tcp}, {ip-tcp}]

5/15

Why is it so difficult?

• Isn't it enough to take the protocol encapsulation graph, prune the transitions/protocols that are not needed, and transform it into an FSA?

Unfortunately no...

• For instance, what if we want to have TCP encapsulated in exactly two IP headers?

    tcp in ip in ip

  [Figure: encapsulation graph (startproto, ethernet, ip, ipv6, tcp, udp, http, dns) beside the filter chain [anything] → ip → ip → tcp] Here we can have any protocol, not necessarily Ethernet and Startproto.

6/15

Challenges

• Model the NetPFL filter with a FSA [simple]

• Create a new FSA that models the actual filtering code
  – Define the FSA alphabet: each encapsulation relationship is a symbol [simple]
  – Associate each state to a protocol [not so simple]
    • Transform states that may be associated to multiple protocols into a set of states, each one associated to a single protocol
  – Determine which symbols can be received in each state and simplify the FSA accordingly [not so simple]
    • E.g., the symbol that represents the IP->UDP transition cannot be received if we're inspecting the Ethernet header

• Use classical algorithms to transform the FSA into a DFA and allow FSA composition (union, etc.) [simple, but only in theory]

7/15
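The construction of slides 5 to 7, worked through as an added Python example (this is not code from the slides or from the NetBee project). The encapsulation graph below is a constructed one modelled on the protocols named on slide 5; the filter syntax handled is an assumed subset of NetPFL ("p in p in ...", read right to left, with the quantifiers "*" and "+" and the wildcard "any"), and the matching semantics are likewise an assumption: the sequence must appear contiguously somewhere in the packet's protocol chain and is anchored at the outermost layer only when "startproto" is named. The alphabet of the built automaton is the set of encapsulation edges, every state carries the protocol under inspection so that only the edges leaving that protocol are receivable, and dead states (no path to acceptance) are reported as the "simplify the FSA" step.

```python
"""Toy model of the filter automaton on slides 5-7 (added example; not code
from the slides or the NetBee project). All graph edges, filter syntax and
match semantics below are assumptions chosen to illustrate the idea."""

# Constructed encapsulation graph: (lower protocol, protocol carried inside it)
ENCAP_EDGES = {
    ("startproto", "ethernet"),
    ("ethernet", "ip"), ("ethernet", "ipv6"),
    ("ip", "ip"), ("ip", "ipv6"), ("ip", "tcp"), ("ip", "udp"),
    ("ipv6", "ip"), ("ipv6", "tcp"), ("ipv6", "udp"),
    ("tcp", "http"), ("udp", "dns"),
}
PROTOCOLS = {p for edge in ENCAP_EDGES for p in edge}


def parse_filter(text):
    """Return filter elements outermost-first as (protocol, quantifier) pairs.
    Quantifier '1' = exactly one header, '*' = zero or more; 'x+' is expanded
    into 'x' followed by 'x*'. 'any' matches every protocol."""
    elems = []
    for tok in reversed([t.strip() for t in text.split(" in ")]):
        quant = "1"
        if tok and tok[-1] in "*+":
            quant, tok = tok[-1], tok[:-1]
        if tok != "any" and tok not in PROTOCOLS:
            raise ValueError(f"unknown protocol {tok!r}")
        if quant == "+":
            elems += [(tok, "1"), (tok, "*")]
        else:
            elems.append((tok, quant))
    return elems


def _closure(positions, elems):
    """Epsilon closure over filter positions: a '*' element may be skipped."""
    out, stack = set(positions), list(positions)
    while stack:
        i = stack.pop()
        if i < len(elems) and elems[i][1] == "*" and i + 1 not in out:
            out.add(i + 1)
            stack.append(i + 1)
    return out


def build_filter_automaton(elems):
    """Subset construction of the product of the filter automaton with the
    encapsulation graph. A state is (frozenset of filter positions, protocol
    under inspection); the only symbols receivable in a state are the edges
    leaving its protocol (an ip->udp symbol cannot arrive while in ethernet).
    Returns (transitions, start state, accepting states)."""
    n = len(elems)

    def advance(positions, proto):
        nxt = {0}                       # unanchored: the pattern may restart here
        for j in positions:
            if j == n:                  # already matched: stay matched
                nxt.add(n)
            elif elems[j][0] in (proto, "any"):
                nxt.add(j if elems[j][1] == "*" else j + 1)
        return frozenset(_closure(nxt, elems))

    start = (advance(_closure({0}, elems), "startproto"), "startproto")
    trans, seen, todo = {}, {start}, [start]
    while todo:
        state = todo.pop()
        positions, proto = state
        trans[state] = {}
        for lower, upper in ENCAP_EDGES:
            if lower != proto:          # symbol not receivable in this state
                continue
            target = (advance(positions, upper), upper)
            trans[state][(lower, upper)] = target
            if target not in seen:
                seen.add(target)
                todo.append(target)
    accept = {s for s in seen if n in s[0]}
    return trans, start, accept


def dead_states(automaton):
    """States from which no accepting state is reachable; the FSA can drop
    them (the 'simplify the FSA accordingly' step of slide 7)."""
    trans, _, accept = automaton
    live, changed = set(accept), True
    while changed:
        changed = False
        for state, out in trans.items():
            if state not in live and any(t in live for t in out.values()):
                live.add(state)
                changed = True
    return set(trans) - live


def matches(automaton, chain):
    """Run the automaton over a packet's protocol chain (outermost first,
    'startproto' implicit). An encapsulation missing from the graph rejects."""
    trans, state, accept = automaton
    for proto in chain:
        state = trans[state].get((state[1], proto))
        if state is None:
            return False
    return state in accept


if __name__ == "__main__":
    fsa = build_filter_automaton(parse_filter("tcp in ip* in ipv6 in ethernet"))
    for chain in (["ethernet", "ipv6", "tcp"],
                  ["ethernet", "ipv6", "ip", "ip", "tcp", "http"],
                  ["ethernet", "ip", "tcp"]):
        print("-".join(chain), "->", matches(fsa, chain))
    print(len(fsa[0]), "states,", len(dead_states(fsa)), "dead")
```

The "exactly two IP headers" case of slide 6 shows up as the filter "tcp in ip in ip": the automaton built here rejects ethernet-ip-tcp and accepts ethernet-ip-ip-tcp, and states such as the one reached after a plain ethernet-ip-tcp-http packet come out dead because nothing below HTTP can still complete the pattern.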

Details of the algorithm in the paper

8/15

Results: NetPFL filters and NetPDL database

NetPFL filters:

    #   NetPFL filter
    1   tcp in ip
    2   tcp in ip in ethernet
    3   tcp in ip in ethernet in startproto
    4   tcp in any+ in ethernet
    5   http notin {tcp,udp}
    6   tcp

NetPDL database (protocols in the encapsulation graph): startproto, ethernet, ip, ipv6, gre, ppp, tcp, udp, http, dns

9/15

Results: filter creation time

[Figure: bar chart, log scale, average time [ms] for filters #1–#6, two series (Automaton, Total); values shown on the chart: 949.6, 978.2, 844.0, 70.4, 68.2, 7.3, 3.5, 3.2, 2.6, 2.4, 2.3, 1.1]

10/15

Results: filtering performance at run time

[Figure: bar chart, average time [CPU ticks] for filters #1–#6 on two packets, ethernet-ip-tcp-http and ethernet-ip-gre-ppp-ip-tcp-http, each bar marked (a) or (r); values shown on the chart: 129, 119, 49, 45, 21, 20, 20, 19, 19, 18, 9, 9]

11/15

Conclusions (the sad news)

• The method looks promising but...
  – It operates only on protocols, not on conditions based on protocol fields
    • E.g., tcp in ip.src==10.1.1.1
  – The algorithm is not very efficient when a specific instance of a protocol is required
    • E.g., tcp in ip%4 in ipv6
  – It does not support optimization in case of filter/action pairs
    • E.g., tcp in ip%2 extractfields(ip%2.src,ip%2.dst)

• The implementation should be improved
  – Huge filter computation time in case of complex filters

12/15

Conclusions (the good news)

• Almost all those problems are now solved
  – A more sophisticated algorithm has been defined
  – A much more efficient implementation is on the way

• We can filter traffic and select the encapsulations we want
  – Very powerful filtering language

• The generated filter is optimal
  – Interesting in case of very complex filters or multiple filters merged together

• We also support actions such as the capability to extract the value of specific fields

    http in any in ip extractfields(ip.src, ip.dst)

13/15

For further information

Code, samples, tools: http://www.nbee.org

14/15


Questions?

15/15
