Gbps IPv6 Programmable IDS/IPS Livio Ricciulli (408) *Supported by the Division of Design Manufacturing and Industrial Innovation of the National Science Foundation (Awards # , ) and the Air Force Rome Laboratories. Rome Laboratories

2 Active Networks (DARPA Program) –Change behavior of network components (routers) dynamically (add new protocols, flow control algorithms, monitoring, etc..) –Discrete. Update network through separate management operations –Integrated. Packets cause network to update itself –Broad scope did not result in industry adoption –Lack of “killer application” –Lack of tight industry interaction –Tried to change too much too soon Our bottom-up approach –Achieve programmability while reusing current infrastructure –Augment networks with new, non-invasive technology –Application-driven rather than design-driven –Work closely with users/operators –Revisit hardware computational model Brief History

3 Open architecture to leverage open source software –More robust, more flexible, promotes composability –Directly support Snort signatures –Abstract hardware as a network interface from OS prospective Retain high-degree of programmability –New threat models (around the corner) –Extend to application beyond IDS/IPS Line-speed/low latency to allow integration in production networks –Unanchored payload string search –Support analysis across packets –Gracefully handle state exhaustion Hardware support for adaptive information management –Detailed reporting when reporting bandwidth is available –Dynamically switch to more compact representations when necessary –Support the insertion of application-specific analysis code in the fast path 1-10 Gbps IDS/IPS Hardware

4 MemoryProcessor Memory Instructions Get packet Compare to rules Alert Data Flynn’s Computer Taxonomy Processor Memory Instructions Get packet Compare to rules Alert Data P0.. P1Pn Reduction Network Data Alert Instructions P0.. P1Pn Reduction Network Alert Data Instructions SISD MIMD MISD SIMD

5 Block Direction 1 Block Direction 2 Monitoring System AND PHY RxData RxEnable PHY RxEnable RxData AND Layer-1 Filtering

6 Product Architecture PHY FPGA L-1 RAM IPS/ IDS Synthesis + firmware update Dynamic rules PHY Static rules Runtime update Packets State Read Only Block + Latency = 1.3 μs 100Mb-10Gb 2-8M Concurrent Flows

7 Flexible Deployment Options CPU IDS/IPS CPU IDS/IPS Router/Switch Multiple Mirrors Inline Passive CPU IDS/IPS Mirror Port Passive Inline To other passive device –IPS application –Chain multiple cards inline for additional rule capacity –IDS and other passive monitoring –Up to 4 cards/8 ports in Force10 appliance –Mix of 1G and 10G –Extend passive capacity –Can hang multiple passive devices off 1 TAP or Mirror

8 Stateful Content Inspection Performance Comparison

9 Intuitive Management Tools Interface –Card operates as a standard NIC –Reuse all existing Unix-based utilities/applications –Policies implemented rule by rule for block, forward, ignore and capture

10 IPv6 Security Hardware IPv6 options provide a covert channel –Ex. Joe 6 pack ( 1.0.tar.gz) uses IPv6 Destination option for transporthttp://people.suug.ch/~tgr/misc/j6p- 1.0.tar.gz Want to see what are IPv6 options used for (for example source routing) –Extend hardware payload match semantics to Ipv6 header Tunneling –Want to inspect headers of multiple tunnels

11 Technical Approach (continued) Anchored and unanchored matching –Ipv4 matching requires the following 2 offsets –IPv4 Header start (fixed 14 bytes from the start of the frame) –Payload start (variable due to Transmission Control Protocol (TCP) options) –IPv6 capable hardware modified to work with multiple variable offsets provided by the decoding phase –IPv4-IPv6 Header starts (variable due to tunneling) –Option starts (variable due to tunneling + IP options) –HLP start (variable due to tunneling + IP options) –Payload start (variable due to tunneling + IP options + TCP options) Matching through variable offsets

12 Technical Approach IPv6 Decoding according to RFC IPv4 Decoding –Extract from header a set of offset pointers into the packet starting from the first Internet Protocol (IP) byte –The following offsets are memorized for each packet –Header start V6 –Header start V4 –High-Level Protocol (HLP) start –Payload Start –Hop-by-Hop –Routing –Fragment –Destination –Authentication –Security Payload –Tunneling counter from 0 to N indicating which tunnel level

13 Additions to IPv6 API 8-bit “parse” value indicating which section of the packet is being clocked in –Unknown –IPV4 = 0x4 –Payload = 0xFE –TCP = 0x6 –ICMPV4 = 0x1 –UDP = 0x11 –IPV6 = 41 –Routing = 43 –Fragment = 44 –Destination = 60 –Authentication = 51 –Security Payload = 50 –ICMPv6 = 58 –Hop by Hop = 0 Counters –Tunnel “tcnt” counter –Length offset within section pointed to by “parse”

14 memory mem(.c1(clk),.a1(dstp[15:0]),.di1(newval),.do1(oldvalout),.w(write),.c2(cnfclk),.a2(address[15:0]),.do2(valout)); clk) begin if(offset==1) begin proto<=data[7:0]; end else if(offset==2 && (proto==06 || proto==17)) begin dstp<=data[31:16]; end else if(offset==4 && dstp!=0) begin newval<=oldvalout+1; write<=1; end else begin write<=0; end TopN destination ports

15 Reuse existing Opens Source

16 Available Today P10 PCI Card (10 GbE interface) –High speed PCI card in 1U chassis –Wire-speed stateful deep packet inspection; 20G-in/20G-out –650 static rule capacity 65 dynamic rules; (currently being increased); –8 million concurrent flows P1 PCI Card (GbE interface) –High speed PCI card in 1U chassis –Wire-speed stateful deep packet inspection; 2G-in/2G-out –1000 static rule capacity; up to 200 dynamic; (currently being increased); –2 million concurrent flows P1/P10 Appliance –1U host embeds a P1 or P10 PCI card –Software and drivers pre-installed and pre-configured

17 Extremely low latency design enables a wide variety of deployment options Leverage Open Source software 1G and 10G available today Processing paradigm lends itself to ad-hoc application level programmability Livio Ricciulli (408) Summary

18 Thank You