Timothy Whelan Supervisor: Mr Barry Irwin Security and Networks Research Group Department of Computer Science Rhodes University Hardware based packet filtering.

Timothy Whelan Supervisor: Mr Barry Irwin Security and Networks Research Group Department of Computer Science Rhodes University Hardware based packet filtering using FPGAs (Part 2!)

What’s happened since last time?
Started my literature review
WORKED FOR FESTIVAL
Finished my literature review
(Ordered a new toy)

But first – my toy :D

Presentation plan
The packet classification problem
Overview of literature review
Classification algorithms
Deep packet inspection algorithms
Plan of action

The packet classification problem
Most packets contain the basic 5-tuple (source/destination IP addresses, source/destination port numbers, protocol).
The 5-tuple can determine much of packet routing and how packets should be handled (dropped, ignored, allowed etc.).
Different combinations of values of fields in the 5-tuple require different actions, i.e. match different filters.
Reactions to packets can also be based on the contents of the packet’s payload; this may depend on the packet’s context/classification.
The packet classification problem aims to determine what response a packet should elicit given its field properties and payload contents.
(Packet classification tends to ignore deep packet inspection)

Classification Algorithms
Linear/Parallel search
Grid-of-tries
Cross-producting
Bit-vector
Example: The BV-TCAM Architecture

Linear/Parallel search
Linear vs Parallel
Linear                | Parallel
Easy to implement     | Very fast
Reliable              | Very fast (and reliable)
Not very fast         | Resource expensive

Parallel search – TCAM technology
Pros:
Performs parallel address look-ups
Searches for content in memory instead of locating an address
Can store a ternary value – ‘*’
Cons:
Expensive, inefficient, requires extra overhead, “doesn’t scale well”

Grid-of-tries
Useful for prefix ranges
Good for 2D filters, worse for >2D
Will probably use this approach for IP address filters

Cross-producting
Initial field matching can be performed in parallel
Uses one more look-up in the cross-product table
Requires large memory to perform cross-producting

Bit vector
A geometric approach to packet classification:
1. Determine the set of applicable filters for each field
2. Intersection of filters yields applicable filters for whole packet
Also lends itself to parallelism
Example: Address 10; port 7: yield AND >
(will probably also use this technique to combine results of port range matching)

The BV-TCAM architecture
Song and Lockwood observed that in a filter set there are few unique IP addresses or address masks but varying protocols and port numbers.
Used TCAMs for IP address matching (small variety of unique addresses); TCAM output was encoded in a bit vector.
Grid-of-tries used for protocol matching: the protocol determined which set of tries to search; output also in the form of a bit vector.
Intersection of bit vectors yielded the final set of matched filters.
Design achieved 2.5 Gbps.
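The per-field lookups and bit-vector intersection described on the bit-vector and BV-TCAM slides, as an added Python example that is not from the presentation or from Song and Lockwood's design. The five-rule filter set is constructed; the prefix lookup stands in for the TCAM stage and the range lookup for the port tries, each producing a bit vector that is then ANDed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed 5-tuple filter set (not from the slides), highest priority first.
# Addresses are prefixes, ports are inclusive ranges, proto None = any ('*').
@dataclass
class Rule:
    name: str
    src: str
    dst: str
    sport: Tuple[int, int]
    dport: Tuple[int, int]
    proto: Optional[int]   # 6 = TCP, 17 = UDP
    action: str

RULES = [
    Rule("allow-web",  "0.0.0.0/0",  "10.1.2.0/24", (0, 65535),    (80, 80),      6,    "allow"),
    Rule("allow-dns",  "10.0.0.0/8", "0.0.0.0/0",   (0, 65535),    (53, 53),      17,   "allow"),
    Rule("block-ssh",  "0.0.0.0/0",  "10.1.0.0/16", (0, 65535),    (22, 22),      6,    "drop"),
    Rule("allow-high", "10.0.0.0/8", "10.1.2.0/24", (1024, 65535), (1024, 65535), None, "allow"),
    Rule("default",    "0.0.0.0/0",  "0.0.0.0/0",   (0, 65535),    (0, 65535),    None, "drop"),
]

def prefix_vector(field: str, value: str) -> int:
    """Bit i set if rule i's prefix for `field` covers `value` (the TCAM stage in BV-TCAM)."""
    addr = ipaddress.ip_address(value)
    return sum(1 << i for i, r in enumerate(RULES)
               if addr in ipaddress.ip_network(getattr(r, field)))

def range_vector(field: str, value: int) -> int:
    """Bit i set if `value` lies in rule i's port range (the range-matching stage)."""
    return sum(1 << i for i, r in enumerate(RULES)
               if getattr(r, field)[0] <= value <= getattr(r, field)[1])

def proto_vector(proto: int) -> int:
    """Bit i set if rule i accepts this protocol (None is the ternary '*')."""
    return sum(1 << i for i, r in enumerate(RULES)
               if r.proto is None or r.proto == proto)

def classify(src: str, dst: str, sport: int, dport: int, proto: int) -> Optional[Rule]:
    """Each field lookup is independent (parallel in hardware); one AND intersects
    them and the lowest set bit is the highest-priority matching rule."""
    vec = (prefix_vector("src", src) & prefix_vector("dst", dst)
           & range_vector("sport", sport) & range_vector("dport", dport)
           & proto_vector(proto))
    if vec == 0:
        return None
    return RULES[(vec & -vec).bit_length() - 1]   # index of lowest set bit
```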

Deep packet inspection
Simple N parallel rule check
Deterministic finite state automata

N parallel rule checks
N comparators each search for a string at each offset within the packet
Header processing and payload inspection can be pipelined to increase throughput
Sourdis and Pnevmatikatos achieved 10 Gbps throughput

Deterministic finite state automata
Deterministic automata were created using software tools and then mapped to FPGAs.
Each DFA searched for a separate string.
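The one-DFA-per-string approach on this slide, as an added Python example that is not from the presentation or the papers it reviews. Each constructed signature string gets its own full transition table (one row per state, 256 columns, the form a hardware DFA stores), and all tables are stepped in lockstep over a constructed payload, one transition per byte.

```python
from typing import Dict, List

def build_dfa(pattern: bytes) -> List[List[int]]:
    """Full transition table for `pattern`: table[state][byte] -> next state.
    State k means the last k bytes seen equal pattern[:k]; state len(pattern)
    is accepting. KMP-style construction: x tracks the fallback state whose
    row is copied before the single 'advance' transition is overwritten."""
    m = len(pattern)
    table = [[0] * 256 for _ in range(m + 1)]
    table[0][pattern[0]] = 1
    x = 0
    for j in range(1, m + 1):
        table[j] = list(table[x])            # on mismatch behave like state x
        if j < m:
            table[j][pattern[j]] = j + 1     # matching byte advances
            x = table[x][pattern[j]]         # fallback for the next state
    return table

def scan(table: List[List[int]], payload: bytes) -> List[int]:
    """Step the DFA once per payload byte; return start offsets of every match
    (overlapping matches included). No backtracking, so throughput is fixed."""
    m = len(table) - 1
    state, hits = 0, []
    for i, b in enumerate(payload):
        state = table[state][b]
        if state == m:
            hits.append(i - m + 1)
    return hits

# Constructed signature strings, one DFA each (the slide's separate string per DFA).
SIGNATURES = [b"/bin/sh", b"GET /", b"aaab"]
DFAS = [(sig, build_dfa(sig)) for sig in SIGNATURES]

def inspect(payload: bytes) -> Dict[bytes, List[int]]:
    """Run all DFAs over the same byte stream (in hardware: in parallel) and
    report which signatures occurred and at which offsets."""
    report = {}
    for sig, table in DFAS:
        hits = scan(table, payload)
        if hits:
            report[sig] = hits
    return report
```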

Comments on literature
Packet classification is a well-rehearsed problem with many different solutions that leverage the well-known structure of received packets.
Deep packet inspection is a much harder problem to solve efficiently due to the obfuscated appearance of most packet payloads; hence there is a greater need for raw processing power and parallelised implementations.
Multi-gigabit implementations of packet processors are viable options and have been proven to work on FPGA platforms.

Future project progress
Waiting for new FPGA development board
Browsing through Xilinx SDK to familiarise myself with Ethernet interfacing on the FPGA
Searching the Internet for other open-source TCP/IP or Ethernet processing code segments
Still to do:
Finish implementation of complete system
Testing and timings of final system
Write report