
Introduction to Packet Processing Prof. Chu-Sing Yang December, 10, 2014 Aaron Liao


1 Introduction to Packet Processing Prof. Chu-Sing Yang December, 10, 2014 Aaron Liao (aaron@netdpi.net)

2 Introduction to TCP/IP - Layering (slide footer: ITlab.ee.ncku.edu.tw)


5 OSI Model

6 A private internet

7 Communication at the physical layer

8 Communication at the data link layer - ARP

9 Communication at the network layer – IPv4/IPv6

10 A connectionless packet-switched network – IPv4/IPv6

11 Forwarding process in a connectionless network

12 Delay in a connectionless network – e.g. firewall, DPI, etc.

13 Communication at the transport layer – TCP/UDP/DCCP/SCTP

14 Communication at the application layer – HTTP/TELNET/FTP …

15 Introduction to TCP/IP - Address

16 Physical addresses – fake MAC address? Example: 07:01:02:01:2C:4B, a 6-byte (12 hexadecimal digits) physical address

17 Logical addresses - IP

18 Port numbers – why do we need them? Example: 753, a 16-bit port address represented as one single number

19 Introduction to TCP/IP - ARP

20 ARP operation – how does an ARP spoofing attack work?

21 Note: An ARP request is broadcast; an ARP reply is unicast.

22 Encapsulation of an ARP packet

23 ARP Example 1

24 Proxy ARP - transparent

25 ARP components

26 Introduction to TCP/IP - Internet

27 An imaginary part of the Internet

28 Services provided at the source computer

29 Processing at each router

30 Processing at the destination computer

31 Introduction to TCP/IP - IPv4

32 Position of IP in the TCP/IP protocol suite

33 IP header

34 Multiplexing

35 Fragmentation: A datagram can travel through different networks. Each router decapsulates the IP datagram from the frame it receives, processes it, and then encapsulates it in another frame. The format and size of the received frame depend on the protocol used by the physical network through which the frame has just traveled. The format and size of the sent frame depend on the protocol used by the physical network through which the frame is going to travel.

36 MTU – each router has a different MTU

37 Flags field in the IP header

38 Fragmentation example

39 Detailed fragmentation example
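Added worked example for slides 35-39 (written for this transcript; it is not code from the slides, from ITlab or from the NetDPI system): a C routine that fragments a datagram the way a router on a smaller-MTU link does, producing the fragment offset (in 8-byte units) and the MF flag for each piece, followed by the receiver-side consistency check that a reassembly path needs so that overlapping or oversized fragment sets are rejected rather than reassembled. It assumes a 20-byte IPv4 header without options; the 4000-byte datagram and the 1500-byte MTU are constructed inputs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IPV4_HDR_LEN 20      /* header without options (assumed for this example) */
#define IPV4_MAX_LEN 65535   /* 16-bit total length field */

/* One fragment as a router would emit it: the header carries the offset in
 * 8-byte units plus the MF ("more fragments") flag from the Flags field. */
struct frag {
    uint16_t offset;   /* fragment offset, in units of 8 bytes */
    uint16_t payload;  /* bytes of data carried by this fragment */
    bool more;         /* MF flag: true on every fragment except the last */
};

/* Split a datagram carrying data_len bytes of data for a link whose MTU is mtu.
 * Every non-last fragment carries the largest multiple of 8 bytes that fits in
 * (mtu - header). Returns the fragment count, or -1 when the datagram cannot be
 * fragmented (DF set, MTU too small, out[] too small). */
int fragment(uint32_t data_len, uint16_t mtu, bool df, struct frag *out, int max_out)
{
    if (mtu <= IPV4_HDR_LEN || max_out < 1)
        return -1;
    if (data_len + IPV4_HDR_LEN <= mtu) {          /* fits: forward unfragmented */
        out[0].offset = 0;
        out[0].payload = (uint16_t)data_len;
        out[0].more = false;
        return 1;
    }
    if (df)                                         /* DF set: drop, ICMP "fragmentation needed" */
        return -1;
    uint32_t max_payload = (uint32_t)(mtu - IPV4_HDR_LEN) & ~7u;
    uint32_t sent = 0;
    int n = 0;
    while (sent < data_len) {
        if (n >= max_out)
            return -1;
        uint32_t chunk = data_len - sent;
        if (chunk > max_payload)
            chunk = max_payload;
        out[n].offset = (uint16_t)(sent / 8);
        out[n].payload = (uint16_t)chunk;
        out[n].more = (sent + chunk) < data_len;
        sent += chunk;
        n++;
    }
    return n;
}

/* Receiver-side sanity check on a fragment set sorted by offset: the fragments
 * must tile the original datagram with no gaps and no overlaps, MF must be set
 * on all but the last, and the reassembled size must fit the 16-bit total
 * length. Reassembly code that skips these checks is what overlapping-fragment
 * evasion and oversized-datagram bugs rely on, so this is the check to keep. */
bool fragments_consistent(const struct frag *f, int n)
{
    uint32_t expect = 0;
    if (n <= 0)
        return false;
    for (int i = 0; i < n; i++) {
        uint32_t start = (uint32_t)f[i].offset * 8;
        bool last = (i == n - 1);
        if (start != expect)                      /* gap (start > expect) or overlap (start < expect) */
            return false;
        if (!last && f[i].payload % 8 != 0)       /* only the last fragment may be unaligned */
            return false;
        if (f[i].more == last)                    /* MF must be set exactly on the non-last fragments */
            return false;
        expect = start + f[i].payload;
        if (expect + IPV4_HDR_LEN > IPV4_MAX_LEN)
            return false;
    }
    return true;
}

int main(void)
{
    struct frag f[8];
    /* constructed input: 4000 data bytes leaving on a 1500-byte MTU link */
    int n = fragment(4000, 1500, false, f, 8);
    for (int i = 0; i < n; i++)
        printf("fragment %d: offset=%u (byte %u) payload=%u MF=%d\n", i,
               (unsigned)f[i].offset, (unsigned)f[i].offset * 8u,
               (unsigned)f[i].payload, (int)f[i].more);
    printf("consistent: %s\n", fragments_consistent(f, n) ? "yes" : "no");
    return 0;
}
```

With the constructed input the routine yields three fragments (offsets 0, 185 and 370 in 8-byte units, carrying 1480, 1480 and 1040 bytes), which is the arithmetic the fragmentation slides walk through; flipping one offset makes the consistency check fail, which is the behaviour a firewall or DPI reassembler should have before it inspects anything.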

40 IP components – the Linux kernel is similar

41 Introduction to TCP/IP - NAT (Network Address Translation)

42 NAT – IP sharing box, Linux

43 Address resolution

44 Translation

45 NAT table with IP address & port # (1) – must be unique

46 NAT table with IP address & port # (2)

47 Introduction to TCP/IP - DHCP

48 Client and server on the same network

49 DHCP packet format – could iptables filter this?

50 Introduction to TCP/IP - DNS

51 Purpose of DNS – many attacks, for example?

52 Introduction to TCP/IP - TCP

53 TCP/IP protocol suite

54 Stream delivery

55 Port numbers

56 IP addresses versus port numbers

57 Multiplexing and demultiplexing

58 Introduction to TCP/IP - UDP

59 Position of UDP in the TCP/IP protocol suite

60 User datagram format

62 Encapsulation and decapsulation

63 Introduction to TCP/IP - SCTP

64 TCP/IP protocol suite

65 Introduction
- Stream Control Transmission Protocol (SCTP)
  - Multi-streaming
  - Multi-homing
  - Heartbeat
- Chunk type (payload)
  - Control chunk
  - Data chunk
- Sequence number
  - TSN, Transmission Sequence Number
  - SSN, Stream Sequence Number
- SACK

66 Motivation
- Issues of TCP
  - Strict ordered delivery and a single stream
    - Head of Line Blocking (HoLB)
  - DoS attack
  - No support for multi-homing

67 Related work (1/11)
- Initiation of the TCP connection and the SCTP association
- TCP SYN flooding

68 Related work (2/11)
- SCTP packet

69 Related work (3/11)
[Figure: SCTP multi-streaming diagram]

70 Related work (4/11)
- Multi-streaming
  - Meixner and Grinnemo
    - HoL blocking
    - Use more streams to reduce the HoLB delay.
  - Natarajan
    - Use multi-streaming to increase the throughput of file transfer with FTP.

71 Related work (5/11)
- Multi-homing
[Figure: SCTP multi-homing path diagram]

72 Related work (6/11)
- Unordered delivery
  - How the receiver node and the sender node handle the SSN field of a data chunk
  - How to handle a fragmented segment
  - Set the U bit to 1 for unordered mode.
  - Grinnemo
    - They found that the unordered delivery mode could reduce the HoLB delay by 0~18 %.
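Added worked example for slides 66, 70 and 72 (written for this transcript; not code from the slides, from ITlab or from any SCTP implementation): a small C receiver model that contrasts a TCP-like single strict sequence with SCTP's per-stream ordering and U-bit unordered delivery. The chunk arrival trace is constructed: the sender interleaved two streams, the first chunk (TSN 1, stream 0, SSN 0) was lost, and the last chunk was sent unordered. The point it shows is that one lost chunk stalls everything behind it in the single-sequence model, but only its own stream in the multi-stream model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_STREAMS 4
#define MAX_CHUNKS  64

/* A received DATA chunk reduced to the fields that decide delivery order. */
struct chunk {
    uint32_t tsn;     /* transmission sequence number, association-wide */
    uint16_t sid;     /* stream identifier */
    uint16_t ssn;     /* stream sequence number, per stream */
    bool unordered;   /* U bit set: deliver as soon as it arrives, SSN ignored */
};

/* Constructed arrival trace: TSN 1 (stream 0, SSN 0) was lost in transit,
 * the rest arrived in order, and TSN 7 carries the U bit. */
const struct chunk ARRIVALS[] = {
    { 2, 1, 0, false },
    { 3, 0, 1, false },
    { 4, 1, 1, false },
    { 5, 0, 2, false },
    { 6, 1, 2, false },
    { 7, 0, 3, true  },
};
const int ARRIVALS_N = (int)(sizeof ARRIVALS / sizeof ARRIVALS[0]);

/* TCP-like receiver: one strict sequence. Data is handed up only while the
 * sequence is contiguous from next_tsn, so one missing TSN blocks everything
 * received after it (head-of-line blocking). Returns chunks deliverable now. */
int deliver_single_stream(const struct chunk *c, int n, uint32_t next_tsn)
{
    int delivered = 0;
    for (;;) {
        bool found = false;
        for (int i = 0; i < n; i++) {
            if (c[i].tsn == next_tsn) { found = true; break; }
        }
        if (!found) break;
        delivered++;
        next_tsn++;
    }
    return delivered;
}

/* SCTP multi-stream receiver: each stream keeps its own expected SSN, so a
 * loss on one stream only holds back that stream, and unordered (U bit)
 * chunks are delivered immediately. Returns chunks deliverable now, or -1
 * if the trace is larger than this model supports. */
int deliver_multi_stream(const struct chunk *c, int n, const uint16_t next_ssn_in[MAX_STREAMS])
{
    uint16_t next_ssn[MAX_STREAMS];
    bool delivered[MAX_CHUNKS] = { false };
    int count = 0;
    bool progress = true;

    if (n > MAX_CHUNKS) return -1;
    memcpy(next_ssn, next_ssn_in, sizeof next_ssn);
    while (progress) {                 /* repeat until no further chunk becomes deliverable */
        progress = false;
        for (int i = 0; i < n; i++) {
            if (delivered[i] || c[i].sid >= MAX_STREAMS) continue;
            if (c[i].unordered) {
                delivered[i] = true; count++; progress = true;
            } else if (c[i].ssn == next_ssn[c[i].sid]) {
                next_ssn[c[i].sid]++;
                delivered[i] = true; count++; progress = true;
            }
        }
    }
    return count;
}

int main(void)
{
    const uint16_t fresh[MAX_STREAMS] = { 0 };
    printf("single sequence (TCP-like): %d of %d chunks deliverable\n",
           deliver_single_stream(ARRIVALS, ARRIVALS_N, 1), ARRIVALS_N);
    printf("multi-stream (SCTP):        %d of %d chunks deliverable\n",
           deliver_multi_stream(ARRIVALS, ARRIVALS_N, fresh), ARRIVALS_N);
    return 0;
}
```

On the constructed trace the single-sequence receiver delivers nothing (it is still waiting for TSN 1), while the multi-stream receiver delivers all three stream-1 chunks plus the unordered chunk and holds back only stream 0's SSN 1 and 2; once TSN 1 is retransmitted both models drain completely.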

73 Related work (7/11)
- Path MTU Discovery

74 Related work (8/11)
- SCTP API - performance
[Figures: LKSCTP stack architecture diagram; SCTPLIB stack architecture diagram]

75 Related work (9/11) – Comparison of the TCP and SCTP protocols

  Protocol                | TCP                  | SCTP
  ------------------------+----------------------+--------------------------
  Initialize a connection | Three-way handshake  | Four-way handshake
  Close a connection      | Four-way handshake   | Three-way handshake
  Ordered delivery        | Strict ordered       | Ordered within the stream
  Unordered delivery      | NO                   | YES
  Multi-homing            | NO                   | YES
  Multi-streaming         | NO                   | YES
  SACK                    | Custom               | Default
  Keep-alive heartbeat    | Option               | MUST

76 Related work (10/11)
- SCTPGate
[Figure: SCTPGate network stack diagram]

77 Related work (11/11)
- TCP/SCTP translator
  1. TCP/SCTP translator network stack diagram
  2. Kernel space
  3. Hard to implement

78 Deep Packet Inspection

79 Motivation
- DPI is applied to these topics:
  - Network service control
    - Intercept the payload
  - Traffic classification
    - Rate limiting for bandwidth
  - Network security
    - Defense against network threats
- Disadvantage

80 Terminology (1/6)
- Deep Packet Inspection
  - View the payload of the packet
  - Classify the network traffic
- Implementation technology
  - Software
    - Kernel space (Linux kernel Netfilter framework)
    - User space (Snort)
  - Hardware
    - FPGA
    - CAM (Content Addressable Memory)

81 Terminology (2/6)
- Snaplen
  - 95% of network traffic is classified within the first 300 bytes of a payload
  - 99% of network traffic is classified within the first 600 bytes of a payload

82 Terminology (3/6)
- Pattern
  - A pattern is also called a signature
  - DPI technology uses signatures to classify the type of a packet

83 Terminology (4/6)
- Netfilter
  - The core of the Linux firewall
  - Implemented in the Linux kernel
  - Able to:
    - Filter packets
    - Modify packets
    - NAT (Network Address Translation)

84 Terminology (5/6)
- Port mirror (offline mode)

85 Terminology (6/6)
- Online mode

86 NetDPI System

87 System Architecture

88 Type of Patterns

89 Type of Patterns
- Fixed offset pattern
  - The pattern is located at a fixed offset
  - Zero offset pattern (a case of fixed offset pattern whose offset is zero)
- Variable offset pattern
  - The location of the pattern is not fixed
- Arithmetic pattern

90 Sample of an Arithmetic Pattern
- Arithmetic pattern for eDonkey:

    if ("Size" equals "Edonkey message length") {
        return PatternMatched;
    }
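Added worked example for slides 81, 89 and 90 (written for this transcript; not code from the slides, from ITlab or from NetDPI): the three pattern kinds as C check functions over the inspected bytes of a payload. The eDonkey framing it assumes (marker byte 0xE3 or 0xC5 at offset 0, then a 4-byte little-endian length covering the opcode and body) is my assumption and is not stated on the slides; the sample payload is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATTERN_MATCHED      1
#define PATTERN_NOT_MATCHED  0

/* Assumed eDonkey TCP framing (assumption, not from the slides):
 *   byte 0     protocol marker, 0xE3 (eDonkey) or 0xC5 (eMule extension)
 *   bytes 1-4  little-endian length of everything after this field
 *   byte 5     opcode, followed by the message body                    */
#define EDONKEY_PROTO    0xE3
#define EMULE_PROTO      0xC5
#define EDONKEY_HDR_LEN  5

/* Zero-offset pattern: a fixed byte value at offset 0 of the payload. */
bool zero_offset_pattern(const uint8_t *p, size_t len)
{
    return len >= 1 && (p[0] == EDONKEY_PROTO || p[0] == EMULE_PROTO);
}

/* Arithmetic pattern (slide 90): the declared length must equal the number of
 * payload bytes that follow the header, i.e. "Size" == "Edonkey message
 * length". The marker byte alone is one byte of evidence; the length
 * arithmetic is what keeps random payloads that start with 0xE3 out of the
 * eDonkey class. */
int arithmetic_pattern_edonkey(const uint8_t *p, size_t len)
{
    if (len < EDONKEY_HDR_LEN || !zero_offset_pattern(p, len))
        return PATTERN_NOT_MATCHED;
    uint32_t declared = (uint32_t)p[1] | ((uint32_t)p[2] << 8) |
                        ((uint32_t)p[3] << 16) | ((uint32_t)p[4] << 24);
    return declared == (uint32_t)(len - EDONKEY_HDR_LEN) ? PATTERN_MATCHED
                                                         : PATTERN_NOT_MATCHED;
}

/* Variable-offset pattern: the signature may sit anywhere in the inspected
 * bytes (in practice the first snaplen bytes, slide 81). Returns the offset
 * at which it was found, or -1. */
long variable_offset_pattern(const uint8_t *p, size_t len,
                             const uint8_t *sig, size_t siglen)
{
    if (siglen == 0 || len < siglen)
        return -1;
    for (size_t i = 0; i + siglen <= len; i++)
        if (memcmp(p + i, sig, siglen) == 0)
            return (long)i;
    return -1;
}

/* Constructed sample: marker 0xE3, length 6 = opcode (1) + body "hello" (5). */
const uint8_t SAMPLE_EDONKEY[] = { 0xE3, 0x06, 0x00, 0x00, 0x00, 0x01, 'h', 'e', 'l', 'l', 'o' };
const size_t SAMPLE_EDONKEY_LEN = sizeof SAMPLE_EDONKEY;

int main(void)
{
    uint8_t bogus[sizeof SAMPLE_EDONKEY];
    memcpy(bogus, SAMPLE_EDONKEY, sizeof bogus);
    bogus[1] = 0x07;   /* declared length no longer matches the real size */
    printf("sample: %d\n", arithmetic_pattern_edonkey(SAMPLE_EDONKEY, SAMPLE_EDONKEY_LEN));
    printf("bogus:  %d\n", arithmetic_pattern_edonkey(bogus, sizeof bogus));
    printf("\"hello\" found at offset %ld\n",
           variable_offset_pattern(SAMPLE_EDONKEY, SAMPLE_EDONKEY_LEN,
                                   (const uint8_t *)"hello", 5));
    return 0;
}
```

The bogus payload still passes the zero-offset check (its first byte is 0xE3) but fails the arithmetic one, which is the reason the slides treat arithmetic patterns as a separate, stronger class than a byte at a fixed offset.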

91 Flow chart of getting the service type

92 Trie-based pattern table

93 Trie-based pattern matching

94 Role of rule matching

95 Rule Matching Algorithm
- if (value >= pattern num of R) return (matched rule id);
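Added worked example for slides 92-95 (written for this transcript; not code from the slides, from ITlab or from NetDPI, whose pattern table layout is not shown): a byte-keyed trie as the pattern table, a zero-offset trie walk that reports every pattern passed on the way, and the rule-matching step from slide 95, which returns rule R's id as soon as the count of its matched patterns reaches the pattern number of R. The pattern and rule tables (SSH and HTTP prefixes, ids 1-3 and 100-102) and the sample payloads are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NODES    256
#define MAX_RULE_PAT 4
#define MAX_MATCHES  16
#define NO_PATTERN   (-1)
#define NO_RULE      (-1)

/* Trie node: one child slot per byte value; pattern_id marks a terminal node.
 * Node 0 is the root, so a child index of 0 means "no child". */
struct trie_node { int child[256]; int pattern_id; };
struct trie { struct trie_node nodes[MAX_NODES]; int used; };

/* A rule names the patterns it needs and fires once that many have matched. */
struct rule { int rule_id; int pattern_num; int patterns[MAX_RULE_PAT]; };

void trie_init(struct trie *t)
{
    memset(t, 0, sizeof *t);
    t->nodes[0].pattern_id = NO_PATTERN;
    t->used = 1;
}

int trie_insert(struct trie *t, const uint8_t *pat, size_t len, int pattern_id)
{
    int cur = 0;
    for (size_t i = 0; i < len; i++) {
        int next = t->nodes[cur].child[pat[i]];
        if (next == 0) {
            if (t->used >= MAX_NODES) return -1;       /* table full */
            next = t->used++;
            memset(t->nodes[next].child, 0, sizeof t->nodes[next].child);
            t->nodes[next].pattern_id = NO_PATTERN;
            t->nodes[cur].child[pat[i]] = next;
        }
        cur = next;
    }
    t->nodes[cur].pattern_id = pattern_id;
    return 0;
}

/* Zero-offset trie walk (slide 93): follow payload bytes from the root and
 * collect the id of every terminal node passed, so a payload that matches both
 * "SSH-" and "SSH-2.0-" reports both. Stops at the first byte with no child. */
int trie_match(const struct trie *t, const uint8_t *data, size_t len, int *out, int max_out)
{
    int cur = 0, n = 0;
    for (size_t i = 0; i < len; i++) {
        int next = t->nodes[cur].child[data[i]];
        if (next == 0) break;
        cur = next;
        if (t->nodes[cur].pattern_id != NO_PATTERN && n < max_out)
            out[n++] = t->nodes[cur].pattern_id;
    }
    return n;
}

/* Rule matching (slide 95): count how many of rule R's patterns matched and
 * return R's id as soon as value >= pattern num of R. Rules are checked in
 * table order, so the more specific rule has to come first. */
int rule_match(const struct rule *rules, int nrules, const int *matched, int nmatched)
{
    for (int r = 0; r < nrules; r++) {
        int value = 0;
        for (int p = 0; p < rules[r].pattern_num; p++)
            for (int m = 0; m < nmatched; m++)
                if (matched[m] == rules[r].patterns[p]) { value++; break; }
        if (value >= rules[r].pattern_num)
            return rules[r].rule_id;
    }
    return NO_RULE;
}

/* Constructed pattern table (ids 1-3) and rule table (ids 100-102). */
static struct trie g_trie;
static const struct rule g_rules[] = {
    { 100, 2, { 1, 2 } },   /* SSH version 2: needs "SSH-" and "SSH-2.0-" */
    { 101, 1, { 1 } },      /* SSH, any version */
    { 102, 1, { 3 } },      /* HTTP GET */
};

int build_sample_table(void)
{
    trie_init(&g_trie);
    if (trie_insert(&g_trie, (const uint8_t *)"SSH-", 4, 1)) return -1;
    if (trie_insert(&g_trie, (const uint8_t *)"SSH-2.0-", 8, 2)) return -1;
    if (trie_insert(&g_trie, (const uint8_t *)"GET ", 4, 3)) return -1;
    return 0;
}

/* Service type for one payload: trie walk, then rule matching (slide 91). */
int demo_classify(const char *payload)
{
    int matched[MAX_MATCHES];
    int n = trie_match(&g_trie, (const uint8_t *)payload, strlen(payload), matched, MAX_MATCHES);
    return rule_match(g_rules, (int)(sizeof g_rules / sizeof g_rules[0]), matched, n);
}

int main(void)
{
    const char *samples[] = { "SSH-2.0-OpenSSH_9.6", "SSH-1.99-legacy", "GET / HTTP/1.1\r\n", "hello" };
    build_sample_table();
    for (size_t i = 0; i < 4; i++)
        printf("%-22s -> rule %d\n", samples[i], demo_classify(samples[i]));
    return 0;
}
```

Because the walk starts at offset 0, this trie only serves zero-offset patterns; variable-offset signatures need a separate search, and rule order matters since the first rule whose count reaches its pattern number wins.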

96 References
- TCP/IP Protocol Suite, 4th ed.

