Vladimír Smotlacha CESNET Full Packet Monitoring Sensors: Hardware and Software Challenges.


Vladimír Smotlacha CESNET Full Packet Monitoring Sensors: Hardware and Software Challenges

High-speed network monitoring
Scalability limited by:
- throughput of the local bus: a 10 Gb/s flow exceeds the throughput of PCI-X 64/133
- CPU performance
- data handling in RAM
- disk systems: amount of stored data, sustained write speed

Flow based monitoring
Motivation: describe the dynamics of link traffic
Elementary flow specified by:
- source and destination IP address
- transport protocol
- source and destination port (if applicable)
- start and end time (timeouts!)
Flow data aggregation:
- end point: host, network, AS
- time granularity
Example: NetFlow
- implemented in routers
- database of open flows
- statistics of each flow
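The slide describes the NetFlow model only in bullet form. The following Python is an added example, not CESNET code or any router's implementation: a toy flow table keyed by the 5-tuple, with inactive and active timeouts (the values are assumed) that decide when an open flow is closed and exported, plus aggregation of the exported records by end-point network. The packets are constructed for the example.

```python
"""Toy NetFlow-style flow table (added example): packets are keyed by the 5-tuple,
open flows are expired by inactive/active timeouts, and finished records can be
aggregated by endpoint network. Constructed sample data; not CESNET code."""
from dataclasses import dataclass
import ipaddress

INACTIVE_TIMEOUT = 30.0   # seconds since the flow's last packet (assumed value)
ACTIVE_TIMEOUT = 120.0    # maximum lifetime of an open flow (assumed value)

@dataclass
class FlowRecord:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    first: float
    last: float
    packets: int = 0
    bytes: int = 0

class FlowTable:
    def __init__(self, inactive=INACTIVE_TIMEOUT, active=ACTIVE_TIMEOUT):
        self.inactive, self.active = inactive, active
        self.open = {}       # flow key -> FlowRecord (the "database of open flows")
        self.exported = []   # finished records, i.e. what NetFlow would export

    def _expire(self, now):
        """Close flows that have been idle too long or have lived past the active timeout."""
        for key, rec in list(self.open.items()):
            if now - rec.last > self.inactive or now - rec.first > self.active:
                self.exported.append(self.open.pop(key))

    def add_packet(self, ts, src, dst, proto, sport, dport, length):
        self._expire(ts)
        key = (src, dst, proto, sport, dport)
        rec = self.open.get(key)
        if rec is None:                       # first packet of a new elementary flow
            rec = self.open[key] = FlowRecord(src, dst, proto, sport, dport, ts, ts)
        rec.last = ts
        rec.packets += 1
        rec.bytes += length

    def flush(self):
        """Export everything still open (end of capture) and return all records."""
        self.exported.extend(self.open.values())
        self.open.clear()
        return list(self.exported)

def aggregate_by_network(records, prefixlen=24):
    """Coarser end-point granularity: packets/bytes per (source net, destination net)."""
    totals = {}
    for r in records:
        key = tuple(str(ipaddress.ip_network(f"{a}/{prefixlen}", strict=False))
                    for a in (r.src, r.dst))
        p, b = totals.get(key, (0, 0))
        totals[key] = (p + r.packets, b + r.bytes)
    return totals

# Constructed packets: (timestamp s, src, dst, proto, sport, dport, length bytes).
SAMPLE_PACKETS = [
    (0.0, "10.0.0.1", "192.0.2.10", "tcp", 40000, 80, 100),
    (0.5, "10.0.0.1", "192.0.2.10", "tcp", 40000, 80, 1400),
    (1.0, "10.0.0.7", "192.0.2.53", "udp", 5000, 53, 80),
    (2.0, "10.0.0.1", "192.0.2.10", "tcp", 40000, 80, 60),
    (45.0, "10.0.0.1", "192.0.2.10", "tcp", 40000, 80, 200),  # >30 s idle: same key, new flow
]

def run_sample():
    """Feed the sample packets through the table; returns the exported flow records."""
    table = FlowTable()
    for pkt in SAMPLE_PACKETS:
        table.add_packet(*pkt)
    return table.flush()

if __name__ == "__main__":
    for rec in run_sample():
        print(rec)
    print(aggregate_by_network(run_sample()))
```

The fifth packet shares its 5-tuple with the first flow but arrives after the inactive timeout, so it opens a second record for the same key; this is why the slide flags timeouts as part of the flow definition, and why flow counts from two monitors only agree when their timeouts do.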

Packet based monitoring
Motivation: describe the dynamics of selected connections
Flow specification:
- all packets that match arbitrary criteria (e.g., "all UDP and TCP packets sent to port 456")
- a flow is handled as a generalized socket
- the filter is expressed in a special language (e.g., BPF, FPL, C library)
Example: pcap
- based on BPF
- used in tcpdump, snort, ntop, ngrep, ethereal, ...
- intuitive way of writing filters

Software optimization
Performance:
- effective filters: CPU instructions per packet
- optimal manipulation with packets: memory mapping
- parallelism in packet processing
Examples:
- FFPF: new extensible language; intensive computation pushed into the kernel; support for network processors
- nCap: handles a full 1 Gbps data flow

Monitoring API
Basic abstraction: network flow
- create & terminate the flow
- read packets from the flow
- apply functions to the flow
- read results of functions
MAPI functions:
- filtering (BPF filters)
- logging
- accounting
- sampling
- cooking (IP defragmentation & TCP reassembly)
- string search

Hardware-software codesign
Putting functionality down into the hardware
- FFPF: support for network processors
- MAPI: utilizes available functionality of DAG cards and SCAMPI cards

Intelligent hardware adapters
Goals:
- reduce the amount of data passing over the local bus
- reduce CPU load and memory requests
- perform complex classification of packets
- move computationally intensive algorithms to the adapter
- introduce new parallel algorithms
- accurate timestamps

Adapters functionality
Timestamping:
- unique, accurate timestamp for each packet
- clock synchronization required
Header based filtering:
- a rule specifies which packets pass through
Header based classification:
- one rule per class
- disjunctive rules: a packet belongs to exactly one class
- non-disjunctive rules: a packet can belong to more than one class

Adapters functionality (cont.)
Packet shrinking:
- cut unnecessary payload to reduce data
Sampling:
- reduction of the number of packets
- deterministic vs. probabilistic
Calculation of statistics:
- based on packet length or on the time interval between packets
String searching:
- packets containing the string pass through the unit

SCAMPI adapter

Packet classification
CAM:
- matching a (sub)field with a constant value (e.g., IP address, network address, protocol)
Processing unit:
- arithmetic comparison with a constant value (e.g., port, interval of port values)
Whenever possible, the comparison is done in the CAM.
Pair (C, P):
- C: CAM row (with "don't care" bits)
- P: sequence of comparison (conditional jump) instructions
Semantics:
- matching row C of the CAM points to an instruction sequence P
- instruction result: assign packet to a class & stop (packet classified); stop without assigning (not classified); continue with the next instruction
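The (C, P) scheme is easier to follow with a software model. The Python below is an added example, not the SCAMPI firmware: the header layout packed into one integer, the CAM row as a (value, mask) pair whose zero mask bits are the "don't care" bits, and P as a list of comparison instructions with the three results named on the slide. The rule set, the packets and the "first matching row wins" priority are assumptions made for the example; with that priority the resulting classes are disjunctive.

```python
"""Software model of the CAM + instruction-sequence classifier (added example, not SCAMPI
code): a CAM row with don't-care bits selects a short program P that finishes the decision."""
import ipaddress

# Header fields packed into one integer as (bit offset, width). Layout is constructed here.
FIELDS = {"src": (72, 32), "dst": (40, 32), "proto": (32, 8), "sport": (16, 16), "dport": (0, 16)}
PROTO = {"tcp": 6, "udp": 17}

def pack(src, dst, proto, sport, dport):
    vals = {"src": int(ipaddress.ip_address(src)), "dst": int(ipaddress.ip_address(dst)),
            "proto": PROTO[proto], "sport": sport, "dport": dport}
    hdr = 0
    for name, (off, width) in FIELDS.items():
        hdr |= (vals[name] & ((1 << width) - 1)) << off
    return hdr

def field(hdr, name):
    off, width = FIELDS[name]
    return (hdr >> off) & ((1 << width) - 1)

def cam_row(**want):
    """Build C = (value, mask). Bits of fields not mentioned are don't-care (mask 0);
    src/dst may be 'a.b.c.d/len' so the host part of a network address is don't-care too."""
    value = mask = 0
    for name, spec in want.items():
        off, width = FIELDS[name]
        if name in ("src", "dst"):
            net = ipaddress.ip_network(spec, strict=False)
            v, m = int(net.network_address), int(net.netmask)
        elif name == "proto":
            v, m = PROTO[spec], (1 << width) - 1
        else:
            v, m = spec, (1 << width) - 1
        value |= v << off
        mask |= m << off
    return value, mask

# The three instruction results from the slide.
ASSIGN, STOP, CONTINUE = "assign", "stop", "continue"
OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b, "gt": lambda a, b: a > b,
       "ge": lambda a, b: a >= b, "eq": lambda a, b: a == b}

def run_program(hdr, program):
    """P: list of (field, op, const, result[, class]). If the comparison holds, the result
    is applied; if it fails, execution continues with the next instruction."""
    for fld, op, const, result, *cls in program:
        if OPS[op](field(hdr, fld), const):
            if result == ASSIGN:
                return cls[0]          # classified
            if result == STOP:
                return None            # stop without assigning
    return None                        # ran off the end of P: not classified

def classify(hdr, cam):
    """cam: ordered list of (C, P); the first row whose masked bits match wins (assumed)."""
    for (value, mask), program in cam:
        if hdr & mask == value & mask:
            return run_program(hdr, program)
    return None

# Constructed rule set. Row 0: TCP to 192.0.2.0/24 with dport in 1024..2000 -> class 1.
# The port range cannot be expressed as a CAM constant, so P rejects ports outside the
# interval with STOP and assigns the rest; a conjunction becomes a chain of negated tests.
CAM = [
    (cam_row(proto="tcp", dst="192.0.2.0/24"),
     [("dport", "lt", 1024, STOP), ("dport", "gt", 2000, STOP), ("dport", "le", 65535, ASSIGN, 1)]),
    # Row 1: UDP to port 53 -> class 2. Everything is an equality, so the CAM does it all
    # and P is a single unconditional assign.
    (cam_row(proto="udp", dport=53), [("dport", "eq", 53, ASSIGN, 2)]),
]

def classify_samples():
    """Classify constructed packets; returns the class per packet (None = unclassified)."""
    samples = [
        ("10.0.0.1", "192.0.2.10", "tcp", 40000, 1500),    # row 0, port in range   -> 1
        ("10.0.0.1", "192.0.2.10", "tcp", 40000, 80),      # row 0, P stops         -> None
        ("10.0.0.7", "198.51.100.5", "udp", 5000, 53),     # row 1                  -> 2
        ("10.0.0.1", "198.51.100.5", "tcp", 40000, 1500),  # no CAM row matches     -> None
    ]
    return [classify(pack(*s), CAM) for s in samples]

if __name__ == "__main__":
    print(classify_samples())
```

Note how the second packet matches row 0 in the CAM but is still left unclassified by P: the CAM narrows the candidate set cheaply, and P carries only the comparisons the CAM cannot express.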

Filter language - FL
Primitive operation: comparison of an arbitrary header field with a constant
Filter specification: expression consisting of primitive operations, 'and', 'or', 'not' and brackets
Implementation:
- the expression is transformed to DNF
- example: "A and (C or D) and (E or F) or G and H" is equal to "ACE or ACF or ADE or ADF or GH"
- each primitive operation, or a conjunction of them, is translated to at most one pair (C, P)
- an FL expression in DNF is translated to a number of pairs (C, P)
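The DNF step is the part of the FL compiler that determines how many (C, P) pairs a filter costs. The Python below is an added example, not the SCAMPI FL compiler: a small parser for the and/or/not/bracket grammar over primitive operations written as single tokens (the letters from the slide, or tokens such as dport=80), with 'and' binding tighter than 'or' as the slide's example assumes, and a rewrite into DNF that pushes 'not' to the leaves by De Morgan and drops conjunctions that contain a literal and its negation. Each resulting conjunction is what would be handed to one (C, P) pair.

```python
"""FL-style filter front end (added example, not the SCAMPI compiler): parse an
and/or/not expression over primitive comparisons and rewrite it into DNF."""
import re

def tokenize(text):
    # Primitive operations are single tokens (e.g. A, dport=80); keywords are and/or/not.
    return re.findall(r"\(|\)|[^\s()]+", text)

class Parser:
    """Recursive descent: or_expr := and_expr ('or' and_expr)*; and binds tighter."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i].lower() if self.i < len(self.toks) else None
    def take(self):
        t = self.toks[self.i]
        self.i += 1
        return t
    def parse(self):
        node = self.parse_or()
        if self.i != len(self.toks):
            raise ValueError(f"unexpected token {self.toks[self.i]!r}")
        return node
    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node
    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_not())
        return node
    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        if self.peek() == "(":
            self.take()
            node = self.parse_or()
            if self.i >= len(self.toks) or self.take() != ")":
                raise ValueError("expected ')'")
            return node
        if self.peek() is None:
            raise ValueError("unexpected end of filter")
        return ("var", self.take())

def merge(x, y):
    """Conjunction of two terms; a literal that appears in both is kept once."""
    out = list(x)
    for lit in y:
        if lit not in out:
            out.append(lit)
    return out

def dnf(node, neg=False):
    """List of conjunctions (lists of literals) equivalent to node.
    neg=True asks for the DNF of 'not node', so negation sinks to the leaves."""
    kind = node[0]
    if kind == "var":
        return [[("not " if neg else "") + node[1]]]
    if kind == "not":
        return dnf(node[1], not neg)
    a, b = node[1], node[2]
    if (kind == "and") != neg:             # and, or a negated or: distribute
        return [merge(x, y) for x in dnf(a, neg) for y in dnf(b, neg)]
    return dnf(a, neg) + dnf(b, neg)       # or, or a negated and: just concatenate

def compile_filter(text):
    """Return the DNF terms of a filter; each term maps to at most one (C, P) pair."""
    terms = dnf(Parser(tokenize(text)).parse())
    # A term containing both X and 'not X' can never match, so it costs no pair.
    return [t for t in terms if not any(("not " + lit) in t for lit in t)]

def to_string(terms, sep=""):
    return " or ".join(sep.join(t) for t in terms)

if __name__ == "__main__":
    terms = compile_filter("A and (C or D) and (E or F) or G and H")
    print(to_string(terms), "->", len(terms), "pairs (C, P)")
```

Running the slide's own expression through compile_filter yields the five terms ACE, ACF, ADE, ADF, GH, i.e. five (C, P) pairs. The distribution step is also where the cost explodes: a filter with k conjoined disjunctions of two alternatives each yields 2^k terms, which is the same blow-up the last slide mentions for non-disjunctive classes.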

String searching
CAM with a 272-bit-wide row
Algorithm implemented in hardware:
- a 16-byte-long string is stored in 16 CAM rows, shifted by 0, 1, 2, ... bytes
- comparison with 32 bytes of payload in one CAM cycle
- in the next cycle, the payload is shifted by 16 bytes
Implementation in SCAMPI:
- search for more than 100 strings simultaneously
- designed throughput 3 Gb/s
Issues:
- finds only the first occurrence of any string
- longer strings produce many false positives -> additional software verification

Open problems
Searched string straddles the boundary between two packets
- solution: flow cooking in the adapter
Dealing with non-disjunctive classes
- solution: evaluation of all intersections -> possibly an exponential number of new pairs (C, P)
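The string-search slide and the first open problem above are both easier to reason about with a model of the CAM algorithm. The Python below is an added example, not the SCAMPI design: each string occupies 16 CAM rows shifted by 0 to 15 bytes, a 32-byte payload window is compared against every row per cycle and advances by 16 bytes, and only the first hit is reported. It models the 32-byte compare window only (the remaining bits of the 272-bit row are not modelled), truncates strings to 16 bytes to reproduce the false positives the slide mentions, adds the software verification step, and shows why a string split across two packets is missed unless the flow is cooked (reassembled) first. All patterns and payloads are constructed.

```python
"""Software model of the CAM string search (added example, not SCAMPI hardware): 16 shifted
rows per string, a 32-byte window advancing 16 bytes per cycle, first hit only."""

WINDOW, STRIDE, MAXLEN = 32, 16, 16   # compare window, advance per cycle, bytes kept per string

def build_rows(patterns):
    """One CAM row per (pattern, shift): the pattern's first 16 bytes at byte offset
    'shift' of a 32-byte row; all other bytes are don't-care (mask 0x00)."""
    rows = []
    for idx, pat in enumerate(patterns):
        if not pat:
            raise ValueError("empty pattern would match everything")
        key = pat[:MAXLEN]                 # longer strings are truncated: source of false positives
        for shift in range(STRIDE):
            value = bytes(shift) + key + bytes(WINDOW - shift - len(key))
            mask = bytes(shift) + b"\xff" * len(key) + bytes(WINDOW - shift - len(key))
            rows.append((value, mask, idx, shift, len(key)))
    return rows

def cam_search(payload, rows):
    """Return (pattern_index, offset) of the first hit, or None. Cycle c compares payload
    bytes [16c, 16c+32) against all rows; among hits in one cycle the earliest wins."""
    for start in range(0, len(payload), STRIDE):
        window = payload[start:start + WINDOW].ljust(WINDOW, b"\x00")
        hits = [(shift, idx) for value, mask, idx, shift, klen in rows
                if start + shift + klen <= len(payload)
                and all((w & m) == v for w, v, m in zip(window, value, mask))]
        if hits:
            shift, idx = min(hits)
            return idx, start + shift      # only the first occurrence is ever reported
    return None

def search_verified(payload, patterns, rows):
    """CAM candidate followed by the software verification the slide calls for: the full
    string must really be present at the reported offset, otherwise it was a false positive."""
    hit = cam_search(payload, rows)
    if hit is None:
        return None
    idx, off = hit
    return hit if payload.startswith(patterns[idx], off) else None

def search_cooked(packets, patterns, rows):
    """Flow cooking: search the reassembled payload stream of the flow instead of each
    packet, so a string straddling a packet boundary is found (offset is into the stream)."""
    return search_verified(b"".join(packets), patterns, rows)

def demo():
    """Constructed inputs: a plain hit, first-occurrence-only, the truncation false positive
    with and without verification, and a string split across two packets."""
    pats = [b"passwd", b"GET /admin"]
    rows = build_rows(pats)
    one = b"x" * 40 + b"passwd" + b"y" * 6                  # hit at 40: cycle 2, shift 8
    two = b"abcpasswd" + b"." * 11 + b"GET /admin" + b"z"   # both present, only first reported
    long_pats = [b"GET /admin/config.php"]                  # 21 bytes: CAM keeps 16
    long_rows = build_rows(long_pats)
    fp = b"GET /admin/config.htm HTTP/1.0"                  # same first 16 bytes, different string
    p1, p2 = b"a" * 26 + b"GET /ad", b"min HTTP/1.1\r\n"    # pattern 1 split across packets
    return {
        "hit": cam_search(one, rows),
        "first_only": cam_search(two, rows),
        "raw_false_positive": cam_search(fp, long_rows),
        "verified": search_verified(fp, long_pats, long_rows),
        "per_packet": [cam_search(p, rows) for p in (p1, p2)],
        "cooked": search_cooked([p1, p2], pats, rows),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The per-packet search returns nothing for either half of the split string while the cooked search finds it at stream offset 26, which is exactly the gap that moving flow cooking into the adapter is meant to close. Verification after a CAM hit is cheap because the CAM already supplies the offset; the cost the slide warns about is the number of candidates that long strings generate, not the check itself.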