Introduction to Packet Processing
Prof. Chu-Sing Yang, Aaron Liao
December 10, 2014
ITlab.ee.ncku.edu.tw

Introduction to TCP/IP - Layering
OSI Model
A private internet
Communication at the physical layer
Communication at the data link layer - ARP
Communication at the network layer - IPv4/IPv6
A connectionless packet-switched network - IPv4/IPv6
Forwarding process in a connectionless network
Delay in a connectionless network - e.g. firewall, DPI, etc.
Communication at the transport layer - TCP/UDP/DCCP/SCTP
Communication at the application layer - HTTP/TELNET/FTP ...

Introduction to TCP/IP - Address
Physical addresses - a fake MAC address?
  07:01:02:01:2C:4B is a 6-byte (12 hexadecimal digits) physical address
Logical addresses - IP
Port numbers - why do we need them?
  A 16-bit port address represented as one single number

Introduction to TCP/IP - ARP
ARP operation - how does an ARP spoofing attack work?
Note: an ARP request is broadcast; an ARP reply is unicast.
Encapsulation of ARP packet
ARP Example 1
Proxy ARP - transparent
ARP components

Introduction to TCP/IP - Internet
An imaginary part of the Internet
Services provided at the source computer
Processing at each router
Processing at the destination computer

Introduction to TCP/IP - IPv4
Position of IP in the TCP/IP protocol suite
IP header
Multiplexing
Fragmentation
  A datagram can travel through different networks. Each router decapsulates the IP datagram from the frame it receives, processes it, and then encapsulates it in another frame. The format and size of the received frame depend on the protocol used by the physical network through which the frame has just traveled; the format and size of the sent frame depend on the protocol used by the physical network through which the frame is about to travel.
MTU - each router may have a different MTU
Flags field in IP header
Fragmentation example
Detailed fragmentation example
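The per-hop fragmentation the slides describe, worked as an added example (not code from the lecture): a router splits a datagram for its outgoing link's MTU, a later router with a smaller MTU re-fragments the pieces, and a receiver (or a firewall/DPI box) checks that the fragments are gap-free before reassembling. It assumes a 20-byte IPv4 header at every hop; the sizes used in the checks below are constructed.

```python
# Added example (not from the lecture slides): IPv4 fragmentation as a router
# performs it per hop, with offsets carried in 8-byte units, plus the
# contiguity check a receiver (or a firewall/DPI box) needs before reassembly.
IP_HDR = 20  # assumed: IPv4 header without options, at every hop

def fragment(payload_len, mtu, base_offset=0, header_len=IP_HDR):
    """Split a payload into (offset_in_8_byte_units, payload_bytes, MF) tuples.

    base_offset keeps offsets relative to the original datagram when a later
    router with a smaller MTU re-fragments an existing fragment.
    """
    if mtu < header_len + 8:
        raise ValueError("MTU too small to carry a fragment")
    if payload_len + header_len <= mtu:
        return [(base_offset, payload_len, False)]
    max_payload = (mtu - header_len) // 8 * 8  # all but the last: multiple of 8
    frags, done = [], 0
    while done < payload_len:
        size = min(max_payload, payload_len - done)
        more = done + size < payload_len
        frags.append((base_offset + done // 8, size, more))
        done += size
    return frags

def refragment(frags, mtu):
    """Apply a smaller next-hop MTU to every fragment of the previous hop."""
    out = []
    for off, size, more in frags:
        # the final piece of a middle fragment is still followed by others
        out.extend((o, s, m or more)
                   for o, s, m in fragment(size, mtu, base_offset=off))
    return out

def reassemble_ok(frags, payload_len):
    """True if fragments are gap-free, non-overlapping and only the last has MF=0."""
    frags = sorted(frags)
    expected = 0
    for i, (off, size, more) in enumerate(frags):
        if off * 8 != expected:
            return False                      # hole or overlap
        expected += size
        if more == (i == len(frags) - 1):     # wrong MF flag for this position
            return False
    return expected == payload_len
```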
IP components - the Linux kernel is similar

Introduction to TCP/IP - NAT (Network Address Translation)
NAT - IP sharing box, Linux
Address resolution
Translation
NAT table with IP address & port # (1) - must be unique
NAT table with IP address & port # (2)

Introduction to TCP/IP - DHCP
Client and server on the same network
DHCP packet format - could iptables filter this?

Introduction to TCP/IP - DNS
Purpose of DNS - many attacks, for example?

Introduction to TCP/IP - TCP
TCP/IP protocol suite
Stream delivery
Port numbers
IP addresses versus port numbers
Multiplexing and demultiplexing

Introduction to TCP/IP - UDP
Position of UDP in the TCP/IP protocol suite
User datagram format
Encapsulation and decapsulation

Introduction to TCP/IP - SCTP
TCP/IP protocol suite
Introduction
  Stream Control Transmission Protocol (SCTP)
  Multi-streaming
  Multi-homing
  Heartbeat
  Chunk type (payload): control chunk, data chunk
  Sequence numbers: TSN (Transmission Sequence Number), SSN (Stream Sequence Number)
  SACK
Motivation - issues of TCP
  Strict ordered delivery and a single stream
  Head-of-line blocking (HoLB)
  DoS attack
  No support for multi-homing
Related work (1/11) - Initiation of the TCP connection and the SCTP association
  TCP SYN flooding
Related work (2/11) - SCTP packet
Related work (3/11) - SCTP multi-streaming diagram
Related work (4/11) - Multi-streaming
  Meixner and Grinnemo: HoL blocking; use more streams to reduce the delay caused by HoLB.
  Natarajan: use multi-streaming to increase the throughput of file transfer with FTP.
Related work (5/11) - Multi-homing
  SCTP multi-homing path diagram
Related work (6/11) - Unordered delivery
  How the receiver node and the sender node handle the SSN field of the data chunk
  How to handle a fragmented segment
  Set the U bit to 1 for unordered mode.
  Grinnemo: found that unordered delivery mode could reduce the delay from HoLB by 0-18%.
Related work (7/11) - Path MTU Discovery
Related work (8/11) - SCTP API performance
  LKSCTP stack architecture diagram
  SCTPLIB stack architecture diagram
Related work (9/11) - Comparison of the TCP and SCTP protocols
  Protocol                 TCP                  SCTP
  Initialize a connection  Three-way handshake  Four-way handshake
  Close a connection       Four-way handshake   Three-way handshake
  Ordered delivery         Strictly ordered     Ordered within the stream
  Unordered delivery       NO                   YES
  Multi-homing             NO                   YES
  Multi-streaming          NO                   YES
  SACK                     Custom               Default
  Keep-alive heartbeat     Option               MUST
Related work (10/11) - SCTPGate
  SCTPGate network stack diagram
Related work (11/11) - TCP/SCTP translator
  1. TCP/SCTP translator network stack diagram
  2. Kernel space
  3. Hard to implement

Deep Packet Inspection
Motivation - DPI is applied on these topics
  Network service control: intercept the payload, traffic classification, rate limiting for bandwidth
  Network security: defense against network threats
  Disadvantage
Terminology (1/6) - Deep Packet Inspection
  View the payload of the packet
  Classify the network traffic
  Implementation technology
    Software: kernel space (Linux kernel Netfilter framework), user space (Snort)
    Hardware: FPGA, CAM (Content Addressable Memory)
Terminology (2/6) - Snaplen
  95% of network traffic is classified within the first 300 bytes of a payload
  99% of network traffic is classified within the first 600 bytes of a payload
Terminology (3/6) - Pattern
  A pattern is also called a signature
  DPI technology uses signatures to classify the type of a packet
Terminology (4/6) - Netfilter
  The core of the Linux firewall
  Implemented in the Linux kernel
  Able to filter packets, modify packets, and perform NAT (Network Address Translation)
Terminology (5/6) - Port mirror (offline mode)
Terminology (6/6) - Online mode

NetDPI System
System Architecture
Type of Patterns
Type of patterns
  Fixed offset pattern: the pattern is located at a fixed offset
  Zero offset pattern: a case of fixed offset pattern whose offset is zero
  Variable offset pattern: the location of the pattern is not fixed
  Arithmetic pattern
Sample of an arithmetic pattern - arithmetic pattern for eDonkey
  if ("Size" equals "Edonkey message length") { return PatternMatched; }
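The pattern kinds listed above and the eDonkey arithmetic pattern, as an added example (not NetDPI's code): each kind becomes a predicate over a payload prefix, and the eDonkey length check assumes the message layout noted in the docstring (0xE3 marker byte, then a 4-byte little-endian length field); the sample payloads are constructed, not captured traffic.

```python
# Added example (not the NetDPI code): the pattern kinds from the slides as
# small predicates over a payload prefix, including an arithmetic pattern that
# checks the eDonkey length field the way the slide's pseudocode does.
import struct

def fixed_offset(offset, needle):
    """Fixed offset pattern: 'needle' must sit exactly at 'offset'."""
    return lambda p: p[offset:offset + len(needle)] == needle

def zero_offset(needle):
    """Zero offset pattern: the fixed offset case with offset 0."""
    return fixed_offset(0, needle)

def variable_offset(needle, snaplen=600):
    """Variable offset pattern: 'needle' anywhere within the snaplen window."""
    return lambda p: needle in p[:snaplen]

def edonkey_length_ok(p):
    """Arithmetic pattern: the Size field must equal the real message length.

    Assumed layout (eDonkey over TCP): marker byte 0xE3, 4-byte little-endian
    length, then the message body; the length field counts the body only.
    """
    if len(p) < 5 or p[0] != 0xE3:
        return False
    (size,) = struct.unpack_from("<I", p, 1)
    return size == len(p) - 5

PATTERNS = {
    "http": [zero_offset(b"GET "), variable_offset(b"HTTP/1.")],
    "edonkey": [zero_offset(b"\xe3"), edonkey_length_ok],
}

def classify(payload):
    """Return the first service whose patterns all match, else 'unknown'."""
    for service, checks in PATTERNS.items():
        if all(check(payload) for check in checks):
            return service
    return "unknown"

# constructed sample payloads (not captured traffic)
HTTP_REQ = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
ED2K_OK = b"\xe3" + struct.pack("<I", 3) + b"\x01\x02\x03"   # body is 3 bytes
ED2K_BAD = b"\xe3" + struct.pack("<I", 99) + b"\x01\x02\x03"  # length field lies
```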
Flow chart of getting the service type
Trie-based pattern table
Trie-based pattern matching
Role of rule matching
Rule matching algorithm
  if (value >= pattern number of R) return (matched rule id);
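The trie-based pattern table and the counting rule matcher from the slides above, as an added example (not the NetDPI implementation): patterns are stored in a byte trie, a scan over the snaplen window collects the ids of every pattern seen, and a rule is reported when the number of its patterns seen (the slide's "value") reaches the rule's pattern number. The pattern table and rules at the bottom are constructed, not NetDPI's signatures.

```python
# Added example (not the NetDPI implementation): a trie-based pattern table
# and the counting rule matcher from the slides. Each trie node maps the next
# byte to a child node; a node that ends a pattern stores that pattern's id.

def build_trie(patterns):
    """patterns: {pattern_id: bytes}. Returns the root node of the trie."""
    root = {}
    for pid, pat in patterns.items():
        node = root
        for b in pat:
            node = node.setdefault(b, {})
        node.setdefault("ids", []).append(pid)  # a pattern ends at this node
    return root

def trie_scan(root, payload, snaplen=600):
    """Ids of all patterns found in the first snaplen bytes (any offset)."""
    found = set()
    window = payload[:snaplen]
    for start in range(len(window)):       # start=0 only -> zero-offset scan
        node = root
        for b in window[start:]:
            node = node.get(b)
            if node is None:
                break
            found.update(node.get("ids", ()))
    return found

def match_rules(rules, found):
    """rules: {rule_id: [pattern ids]}. A rule is matched when the count of its
    patterns seen ('value') reaches the pattern number of that rule."""
    matched = []
    for rid, pids in rules.items():
        value = sum(1 for p in pids if p in found)
        if value >= len(pids):
            matched.append(rid)
    return matched

# constructed pattern table and rules (not NetDPI's signature set)
PATTERNS = {1: b"GET ", 2: b"HTTP/1.", 3: b"Host: ", 4: b"BitTorrent protocol"}
RULES = {"http": [1, 2, 3], "bittorrent": [4]}
ROOT = build_trie(PATTERNS)

def service_type(payload):
    """Flow from the slides: trie scan first, then the rule matcher."""
    hits = match_rules(RULES, trie_scan(ROOT, payload))
    return hits[0] if hits else "unknown"
```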
References
  TCP/IP Protocol Suite, 4th ed.