1
FFPF: Fairly Fast Packet Filters
Herbert Bos, Willem de Bruijn, Trung Nguyen, Mihai Cristea, Georgios Portokalidis
Vrije Universiteit Amsterdam, Universiteit Leiden
http://ffpf.sourceforge.net/
(Figure labels: uspace, kspace, nspace)
2
Why?
● Traffic characterisation
  – what % of traffic used by KaZaa, Gnutella, e-Donkey, video streams, FTP data?
  – difficult due to dynamic ports
3
Why?
● Security: worms
  – early warning: are there any worms on the loose?
  – intrusion detection
● Denial of Service attacks
(Figure: spread of CODE-RED in 24 hours)
4
Why?
● Security: worms
  – early warning: are there any worms on the loose?
  – intrusion detection
● Denial of Service attacks
difficult at high speeds
(Figure: spread of SAPPHIRE in 30 minutes)
5
Why?
● traffic engineering
● accounting
● billing
● SLA monitoring
monitoring increasingly important
hypothesis: multiple applications on single host
  – monitoring nodes (e.g., gateways)
6
Network Monitoring
● Existing solutions:
  – designed for slow networks or traffic engineering/QoS
  – not very flexible
● We’re hurting because of
  – hardware (bus, memory)
  – software
demand for solution:
  – scales to high link rates
  – scalable in no. of apps
  – flexible

  - process at lowest possible level
  - minimise copying
  - minimise context switching
  - freedom at the bottom
7
FFPF contributions
generalised concept of ‘flow’
copying and context switching are minimised
complex processing in kernel or NIC
  - reduces no. of packets that must be sent to userspace
  - language neutral
  - complex packet processing by connecting simple filters (not unlike UNIX pipes)
FPL: FFPF Packet Language
persistent storage for flow-specific state
flow groups
  - applications sharing buffers
8
reduce copying
● FFPF avoids both ‘horizontal’ and ‘vertical’ copies
● 3 buffers: PBuf, IBuf, and MBuf
  - no ‘vertical’ copies
  - no ‘horizontal’ copies within flow group
  - more than ‘just filtering’ in kernel (e.g., statistics)
(Figure labels: Application A, Application B, U, K, ‘filter’)
9
Fairly Fast Packet Filters
Flow: “a stream of packets that matches arbitrary user criteria”
(Figure labels: TCP SYN, UID 0, eth0, U, TCP, UDP, IP, HTTP, RTSP, RTP, “contains worm”)
10
Efficient
● flowgroups: sharing data
● flowgraphs: sharing computations
● reduced copying and context switches
“push filtering tasks as far down the processing hierarchy as possible”
(Figure labels: kernel, userspace, network card)
11
Extensible
✔ modular framework
✔ language agnostic
✔ plug-in filters

  (device,eth0) | (device,eth1) -> (sampler,2) -> (FPL-2,"..") | (BPF,"..") -> (bytecount)
  (device,eth0) -> (sampler,2) -> (BPF,"..") -> (packetcount)
  (device,eth0) -> (sampler,2) -> (BPF,"..") -> (strsearch)

(Figure labels: device, sampler, BPF, pktcount, strsearch)
12
Compatible
(Figure labels: uspace, kspace, nspace, MAPI, PCAP, ANY APP, processing hierarchy)
13
Buffers
● MBuf
  – unstructured array of bytes
● PBuf
  – circular buffer with N fixed-size slots
  – large enough to hold packet
● IBuf
  – circular buffer with N slots of size ‘sizeof(int)+sizeof(int*)’
  – contains classification result
writer (e.g., kernel) writes in circular buffer at write position
reader explicitly advances its read pointer (typically by >1)
(Figure: circular buffer slots with write position W and read position R)
16
Buffer management
what to do if writer catches up with slowest reader?
● slow reader preference
  – drop new packets (traditional way of dealing with this)
  – overall speed determined by slowest reader
● fast reader preference
  – overwrite existing packets
  – application responsible for keeping up
    ● can check that packets have been overwritten
    ● different drop rates for different apps
(Figure: circular buffer with reader position R1 and write position W)
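The two policies on this slide, as an added single-threaded sketch that is not FFPF's own code: one writer and two readers share a PBuf-style ring, and the structure, function names and sizes are all assumptions made for illustration. A real shared-memory version would also need memory barriers and a second overwrite check after the reader has used the slot.

```c
#include <stdint.h>
#include <string.h>
#define NSLOTS   8   /* N fixed-size slots (constructed size) */
#define SLOT_SZ  64  /* "large enough to hold packet" for this sketch */
#define NREADERS 2
enum policy { SLOW_READER_PREF, FAST_READER_PREF };
struct pbuf {
    uint8_t  slot[NSLOTS][SLOT_SZ];
    uint64_t w;              /* packets written so far; slot = w % NSLOTS */
    uint64_t r[NREADERS];    /* per-reader read position, same numbering */
    uint64_t lost[NREADERS]; /* packets a reader found overwritten */
    uint64_t dropped;        /* new packets the writer refused */
    enum policy pol;
};

/* Writer (e.g. kernel): returns 1 if stored, 0 if the packet was dropped. */
int pbuf_write(struct pbuf *b, const void *pkt, size_t len) {
    if (b->pol == SLOW_READER_PREF)
        for (int i = 0; i < NREADERS; i++)
            if (b->w - b->r[i] >= NSLOTS) { b->dropped++; return 0; }
    memcpy(b->slot[b->w++ % NSLOTS], pkt, len < SLOT_SZ ? len : SLOT_SZ);
    return 1;
}

/* Reader: next unread slot in place (no copy), or NULL if there is none.
 * A lapped reader skips to the oldest surviving packet and counts the loss. */
const uint8_t *pbuf_peek(struct pbuf *b, int id) {
    if (b->w - b->r[id] > NSLOTS) {
        b->lost[id] += b->w - NSLOTS - b->r[id];
        b->r[id] = b->w - NSLOTS;
    }
    return b->r[id] == b->w ? NULL : b->slot[b->r[id] % NSLOTS];
}

/* Reader explicitly advances its own read pointer, possibly by more than 1. */
void pbuf_advance(struct pbuf *b, int id, uint64_t n) {
    uint64_t avail = b->w - b->r[id];
    b->r[id] += n < avail ? n : avail;
}

/* Constructed run: 20 packets; reader 0 keeps up, reader 1 reads at the end. */
struct pbuf simulate(enum policy pol) {
    struct pbuf b = { .pol = pol };
    for (uint32_t seq = 0; seq < 20; seq++) {
        pbuf_write(&b, &seq, sizeof seq);
        if (pbuf_peek(&b, 0)) pbuf_advance(&b, 0, 1);
    }
    pbuf_peek(&b, 1);   /* reader 1 wakes up and checks for overwrites */
    return b;
}
```

With slow reader preference the idle reader costs every application the same 12 packets; with fast reader preference only the idle reader loses them, which is the "different drop rates for different apps" point.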
17
Languages
● FFPF is language neutral
● Currently support:
  – BPF
  – C
  – OKE Cyclone
  – FPL-1
  – FPL-2

  - simple to use
  - compiles to C and then to optimised object code
  - resource limited
  - restricted FOR loop
  - access to persistent storage (MBuf)
  - calls to external functions (e.g., fast C functions or hardware assists)
  - compiler for uspace, kspace, and nspace (ixp1200)

    IF (PKT.IP_PROTO == PROTO_TCP) THEN
        // reg.0 = hash over flow fields
        R[0] = Hash (14,12,256)
        // increment pkt counter at this
        // location in MBuf
        MEM[ R[0] ]++
    FI
18
Authorisation and third-party code
● client requests need to be approved by authd
  – may check that:
    ● X only looks at packets destined to itself
    ● Y never applies a string search
    ● string search only occurs after sampling
    ● FPL-2 filters really are what they claim they are
● FFPF allows third party code in the lowest levels
  – based on Open Kernel Environment http://www.cs.vu.nl/~herbertb/projects/oke/
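Two of the checks listed on this slide ("Y never applies a string search" and "string search only occurs after sampling"), as an added sketch over the flowgraph notation from the Extensible slide. This is not authd's code: the policy struct, verdict names and client constants are hypothetical, and only linear graphs are handled, so anything using '|' is refused.

```c
#include <string.h>

enum verdict { ALLOW, DENY_STRSEARCH, DENY_UNSAMPLED_STRSEARCH, DENY_UNSUPPORTED };
struct client_policy { int may_strsearch; };   /* hypothetical per-client rule */

/* Index of the first stage named `name`, or -1. Text inside "..." is a filter
 * expression and is skipped, so "(port 80)" in a BPF string is not a stage. */
int stage_of(const char *g, const char *name) {
    size_t n = strlen(name);
    int stage = 0, quoted = 0;
    for (; *g; g++) {
        if (*g == '"') quoted = !quoted;
        if (quoted || *g != '(') continue;
        if (!strncmp(g + 1, name, n) && (g[1 + n] == ',' || g[1 + n] == ')'))
            return stage;
        stage++;
    }
    return -1;
}

/* 1 if the graph uses '|' outside a quoted expression. */
static int has_branch(const char *g) {
    int quoted = 0;
    for (; *g; g++) {
        if (*g == '"') quoted = !quoted;
        else if (!quoted && *g == '|') return 1;
    }
    return 0;
}

/* Approve or refuse a client's requested flowgraph before it is instantiated. */
enum verdict authd_check(const struct client_policy *p, const char *graph) {
    if (has_branch(graph)) return DENY_UNSUPPORTED;   /* fail closed */
    int s = stage_of(graph, "strsearch");
    if (s < 0) return ALLOW;                          /* no string search at all */
    if (!p->may_strsearch) return DENY_STRSEARCH;
    int samp = stage_of(graph, "sampler");
    return (samp >= 0 && samp < s) ? ALLOW : DENY_UNSAMPLED_STRSEARCH;
}

/* Constructed clients: X may search strings (after sampling), Y never may. */
const struct client_policy CLIENT_X = { 1 }, CLIENT_Y = { 0 };
```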
19
Performance results
21
NIC-FIX: FFPF on IXPs
bottom of the processing hierarchy
eliminates mem & bus bottlenecks
(Figure labels: uspace, kspace, nspace)
22
Network Processors
“programmable NIC”
zero copy
copy once
on-demand copy
23
Performance
24
More Information
http://ffpf.sourceforge.net/
25
microbenchmarks