Presentation is loading. Please wait.

Presentation is loading. Please wait.

Timothy Whelan Supervisor: Mr Barry Irwin Security and Networks Research Group Department of Computer Science Rhodes University Hardware based packet filtering.

Published byAmbrose Ferguson Modified over 9 years ago

Similar presentations

Presentation on theme: "Timothy Whelan Supervisor: Mr Barry Irwin Security and Networks Research Group Department of Computer Science Rhodes University Hardware based packet filtering."— Presentation transcript:

1 Timothy Whelan Supervisor: Mr Barry Irwin Security and Networks Research Group Department of Computer Science Rhodes University Hardware based packet filtering using FPGA’s (Part 2!)

2 What’s happened since last time? Started my literature review WORKED FOR FESTIVAL Finished my literature review (Ordered a new toy)

3 But first – my toy :D

4 Presentation plan The packet classification problem Overview of literature review Classification algorithms Deep packet inspection algorithms Plan of action

5 The packet classification problem Most packets contain the basic 5-tuple (Source/Destination IP addresses, Source/Destination Port numbers, protocol). The 5-tuple can determine much of packet routing and how packets should be handled (dropped, ignored, allowed etc.). Different combinations of values of fields in the 5-tuple require different actions i.e. match different filters. Reactions to packets can also be based on the contents of the packet’s payload; may depend on packet’s context/classification. The packet classification problem aims to determine what response a packet should elicit given its field properties and payload contents. (Packet classification tends to ignore deep packet inspection)

6 Classification Algorithms Linear/Parallel search Grid-of-tries Cross-producting Bit-vector Example: The BV-TCAM Architecture

7 Linear/Parallel search LinearvsParallel Easy to implementVery fast ReliableVery fast (and reliable) Not very fastResource expensive

8 Parallel search – TCAM technology Pros Performs parallel address look-ups Searches for content in memory instead of locating an address Can store a ternary value – ‘*’ Cons Expensive, inefficient, requires extra over-head, “doesn’t scale well”

9 Grid-of-tries Useful for prefix ranges Good for 2D filters, worse for >2D Will probably use this approach for IP address filters

10 Cross-producting Initial field matching can be performed in parallel Uses one more look-up in the cross-product table Requires large memory to perform cross-producting

11 Bit vector A geometric approach to packet classification 1.Determine the set of applicable filters for each field 2.Intersection of filters yields applicable filters for whole packet Also lends itself to parallelism Address 10; port 7: yield 10010000010 AND 00001000110 -> 00000000010 (will probably also use this technique to combine results of port range matching)

12 The BV-TCAM architecture Song and Lockwood observed that in a filter set there are few unique IP addresses or address masks but varying protocols and port numbers Used TCAM’s for IP address matching – small variety of unique addresses TCAM output was encoded in a bit vector Grid-of-tries used for protocol matching – protocol determined which set of tries to search Output also in the form of a bit vector Intersection of bit vectors yielded final set of matched filters Designed achieved 2.5 Gbps

13 Deep packet inspection Simple N parallel rule check Deterministic finite state automata

14 N parallel rule checks N comparators each search for a string at each offset within the packet Header processing and payload inspection can be pipelined to increase throughput Sourdis and Pnevmatikatos achieved 10Gbps throughput

15 Deterministic finite state automata Deterministic automata were created using software tools and then mapped to FPGAs. Each DFA searched for a separate string.

16 Comments on literature Packet classification is a well rehearsed problem with many different solutions that leverage the well known structure of received packets. Deep packet inspection is a much harder problem to solve efficiently due to the obfuscated appearance of most packet payloads hence there is a greater need for raw processing power and parallelized implementations. Multi-gigabit implementations of packet processors are viable options and have been proven to work on FPGA platforms.

17 Future project progress Waiting for new FPGA development board Browsing through Xilinx SDK to familiarise myself with Ethernet interfacing on the FPGA Searching the Internet for other open-source TCP/IP or Ethernet processing code segments Still to do: Finish implementation of complete system Testing and timings of final system Write report

Download ppt "Timothy Whelan Supervisor: Mr Barry Irwin Security and Networks Research Group Department of Computer Science Rhodes University Hardware based packet filtering."

Similar presentations

IP Router Architectures. Outline Basic IP Router Functionalities IP Router Architectures.

IP Router Architectures. Outline Basic IP Router Functionalities IP Router Architectures.
A Search Memory Substrate for High Throughput and Low Power Packet Processing Sangyeun Cho, Michel Hanna and Rami Melhem Dept. of Computer Science University.

A Search Memory Substrate for High Throughput and Low Power Packet Processing Sangyeun Cho, Michel Hanna and Rami Melhem Dept. of Computer Science University.
Multi-dimensional Packet Classification on FPGA: 100Gbps and Beyond

Multi-dimensional Packet Classification on FPGA: 100Gbps and Beyond
A Scalable and Reconfigurable Search Memory Substrate for High Throughput Packet Processing Sangyeun Cho and Rami Melhem Dept. of Computer Science University.

A Scalable and Reconfigurable Search Memory Substrate for High Throughput Packet Processing Sangyeun Cho and Rami Melhem Dept. of Computer Science University.
Bio Michel Hanna M.S. in E.E., Cairo University, Egypt B.S. in E.E., Cairo University at Fayoum, Egypt Currently is a Ph.D. Student in Computer Engineering.

Bio Michel Hanna M.S. in E.E., Cairo University, Egypt B.S. in E.E., Cairo University at Fayoum, Egypt Currently is a Ph.D. Student in Computer Engineering.
1 Fast Routing Table Lookup Based on Deterministic Multi- hashing Zhuo Huang, David Lin, Jih-Kwon Peir, Shigang Chen, S. M. Iftekharul Alam Department.

1 Fast Routing Table Lookup Based on Deterministic Multi- hashing Zhuo Huang, David Lin, Jih-Kwon Peir, Shigang Chen, S. M. Iftekharul Alam Department.
CSCI 4550/8556 Computer Networks Comer, Chapter 18: IP: Internet Protocol Addresses.

CSCI 4550/8556 Computer Networks Comer, Chapter 18: IP: Internet Protocol Addresses.
A Memory-Efficient Reconfigurable Aho-Corasick FSM Implementation for Intrusion Detection Systems Authors: Seongwook Youn and Dennis McLeod Presenter:

A Memory-Efficient Reconfigurable Aho-Corasick FSM Implementation for Intrusion Detection Systems Authors: Seongwook Youn and Dennis McLeod Presenter:
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
CSIE NCKU High-performance router architecture 高效能路由器的架構與設計.

CSIE NCKU High-performance router architecture 高效能路由器的架構與設計.
Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.

Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.
CS 268: Lectures 13/14 (Route Lookup and Packet Classification) Ion Stoica April 1/3, 2002.

CS 268: Lectures 13/14 (Route Lookup and Packet Classification) Ion Stoica April 1/3, 2002.
Two stage packet classification using most specific filter matching and transport level sharing Authors: M.E. Kounavis *,A. Kumar,R. Yavatkar,H. Vin Presenter:

Two stage packet classification using most specific filter matching and transport level sharing Authors: M.E. Kounavis *,A. Kumar,R. Yavatkar,H. Vin Presenter:
SSA: A Power and Memory Efficient Scheme to Multi-Match Packet Classification Fang Yu 1 T. V. Lakshman 2 Martin Austin Motoyama 1 Randy H. Katz 1 1 EECS.

SSA: A Power and Memory Efficient Scheme to Multi-Match Packet Classification Fang Yu 1 T. V. Lakshman 2 Martin Austin Motoyama 1 Randy H. Katz 1 1 EECS.
Packet Classification George Varghese. Original Motivation: Firewalls Firewalls use packet filtering to block say ssh and force access to web and mail.

Packet Classification George Varghese. Original Motivation: Firewalls Firewalls use packet filtering to block say ssh and force access to web and mail.
Algorithms for Advanced Packet Classification with TCAMs Karthik Lakshminarayanan UC Berkeley Joint work with Anand Rangarajan and Srinivasan Venkatachary.

Algorithms for Advanced Packet Classification with TCAMs Karthik Lakshminarayanan UC Berkeley Joint work with Anand Rangarajan and Srinivasan Venkatachary.
Chapter 19 Binding Protocol Addresses (ARP) Chapter 20 IP Datagrams and Datagram Forwarding.

Chapter 19 Binding Protocol Addresses (ARP) Chapter 20 IP Datagrams and Datagram Forwarding.
Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.

Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.
March 1, 2004 1 Packet Classification and Filtering for Network Processors JC Ho.

March 1, Packet Classification and Filtering for Network Processors JC Ho.
Chapter 9 Classification And Forwarding. Outline.

Chapter 9 Classification And Forwarding. Outline.

Similar presentations

Ads by Google