Experience at Auckland with SRL and NetFlowMet Nevil Brownlee The University of Auckland Chicago IETF, August 1998

SRL / NetFlowMet 1 The University of Auckland RTFM Architecture network meter reader * ** * * * manager meter analysis application rule set

SRL / NetFlowMet 2 The University of Auckland ICMP Smurf Attacks

SRL / NetFlowMet 3 The University of Auckland

M M MMM R R R M R R R M M M Auckland Massey Lincoln Canterbury Otago Waikato Cache NZIX Test Meter Kawaihiko Network August Internet

SRL / NetFlowMet 5 The University of Auckland NetFlowMet Test Setup network nifty * ** * * * NetFlowMet router

SRL / NetFlowMet 6 The University of Auckland

SRL / NetFlowMet 7 The University of Auckland NetFlowMet Summary Provides access to traffic data from up to five Cisco routers NetFlow sums packet and bytes - less work for NetFlowMet meter => higher metering capacity NetFlow flows are uni-directional. NetFlowMet matches them up to give RTFM-style flow data Time resolution for flows is determined by NetFlow. The algorithm used for sending out information from the NetFlow cache are not documented

SRL / NetFlowMet 8 The University of Auckland SRL: the language A Language for Describing Traffic Flows and Specifying Actions for Flow Groups For creating RTFM rulesets. Should also be useful for other work involving traffic flows RTFM rulesets have three goals: – Decide whether or not a flow is of interest – Save values of requested attributes for flow – Specify direction for metered flows High-level language takes away the need for users to understand the meter’s Packet Matching Engine (PME)

SRL / NetFlowMet 9 The University of Auckland Language Elements Operands: value & mask or value / width AND and OR expressions on operand lists Compound statements in braces { } IF-THEN-ELSE statement Variables and Store statements SAVE statements COUNT, IGNORE, NOMATCH statements SUBROUTINE statements Simple DEFINEs (no parameters)

SRL / NetFlowMet 10 The University of Auckland Prog 1: Watch ICMP packets if SourcePeerType == IP && SourceTransType == ICMP save, { if SourceTransAddress == 0 # Echo reply store FlowKind := ’E'; else if SourceTransAddress == 3 # Destination unreachable store FlowKind := 'U'; ~ ~ ~ else store FlowKind := '?'; save SourceTransAddress; # ICMP type save DestTransAddress; # ICMP dest save SourcePeerAddress; save DestPeerAddress; count; } else ignore; # Not an ICMP packet

SRL / NetFlowMet 11 The University of Auckland Prog 2: Watch Kawaihiko network define Waikato_B = /16, 163.7/16, /16; define Kawaihiko_B = Auckland_B, AIT_B, Waikato_B, Canterbury_B, Lincoln_B, Otago_B; if SourcePeerType == IP save; else ignore; if DestPeerAddress == (Kawaihiko_B) nomatch; # We want the Kawaihiko site as source if SourcePeerAddress == (Auckland_B) save, store FlowKind := 'A'; else if SourcePeerAddress == (Otago_B) save, store FlowKind := 'O'; else { save SourcePeerAddress; store FlowKind := '?'; } save DestPeerAddress; count;

SRL / NetFlowMet 12 The University of Auckland Prog 3: Overlapping networks define test_nets = /16, /24, # overlapped /20, /24; # duplicate Nevil's SRL compiler, version 4.2b1 16:36:44 Thu 13 Aug 1998: Compiling k5.srl k5.srl 17: if SourcePeerAddress == (test_nets) count; WARNING >>>> & value has bits not covered by mask WARNING >>>> & is duplicated in OR group WARNING >>>> & contains & WARNING >>>> & contains & WARNING >>>> & contains &

SRL / NetFlowMet 13 The University of Auckland SRL Summary The compiler has been carefully tested. SRL programs are in production use at Auckland It wasn’t difficult to translate old rulesets into SRL. The resulting SRL programs are a lot smaller and much easier to understand The language seems well-suited to its immediate goals, i.e. for writing RTFM rulesets Using DEFINEs is one good way to write ‘generic’ programs which can be easily converted for use in other people’s networks srl (the compiler) is available with NeTraMet everyone should use it!