Published by Amy Henderson. Modified over 8 years ago.

Real-time Flow Management 2 BOF: Remote Packet Capture Extensions

Jürgen Quittek
NEC Europe Ltd, Heidelberg, Germany
quittek@ccrle.nec.de

Georg Carle
GMD FOKUS, Berlin, Germany
carle@fokus.gmd.de
http://www.fokus.gmd.de/usr/carle

14 Dec 2000 IETF49, RTFM2 BOF: draft-quittek-pcap-ext-00.txt

Overview
1. Motivation and Objective
2. Packet Merging
   Fragment Merge (FM), TCP Socket merge (TS), UDP Socket merge (US), Peer Pair merge (PP), Source Merge (SM), Destination Merge (DM), Source Peer merge (SP), Destination Peer merge (DP)
3. Packet Filtering
4. Extended Captured Packet Encapsulation Header
   Actions bit field, Number of merged packets, Total length of packets, Time Stamp (last), Filter Identifier
5. Packet Capturing Configuration Record
6. Security Issues
7. Summary

Distributed Metering
[Figure labels: RTFM Meter, RMON Probe, etc.; Router; rpcap; Measurement Application; Accounting, QoS Auditing, Testing, ...; config]

Motivation
- Traffic metering requires some kind of packet capturing
- Experiences with existing metering technologies:
  - problems with high-speed links: packet loss
- Several interface cards / packet capturing devices have (unused) filtering and merging capabilities
- Exploiting these capabilities:
  - simplified meter
  - increased performance: splitting functionality between capturing (fast path) and more complex (software) RTFM processing

Extended Remote Packet Capturing
- Draft for remote packet capturing by Carter Bullard: draft-bullard-pcap-00.txt
- Proposed extensions:
  - additional fields in captured packet encapsulation header
    - functions for merging of headers with common properties
  - configuration of packet capturing devices using a configuration record
- Rationale: Review of draft-bullard-pcap-00.txt
  - captured packet encapsulation header for transporting parts of captured packet (IP header, transport header, and parts of application layer)
  - each packet portion transported separately

Goal: Versatile Remote Packet Capturing
(1) Allow for packet header pre-processing:
  - merging of packets
  - filtering of packets
  - generation of information on packet aggregation (e.g. aggregated data volume)
    - defining additional parameter: flow idle time
    - defining extended captured packet encapsulation header for additional information
(2) Support automated remote configuration
  - Define messages for remote configuration of packet capturing devices: packet capturing configuration record

Packet Merging Actions
- Fragment Merge (FM): merge all fragments of same original IP packet
- TCP Socket merge (TS): merge all packets belonging to same TCP socket
- UDP Socket merge (US): merge all packets belonging to same UDP socket
- Peer Pair merge (PP): merge all packets between same pair of IP addresses
- Source Merge (SM): merge all packets with same source IP address and port number
- Destination Merge (DM): merge all packets with same destination IP address and port number
- Source Peer merge (SP): merge all packets with same source IP address
- Destination Peer merge (DP): merge all packets with same destination IP address

Packet Filtering
- Possible requirement:
  - capture only subset of packets
    - support filtering functionality
  - Filtering mechanisms will be provided in packet capturing devices (probably rather simple ones)
- Different filter specification techniques exist, e.g.:
  - Meter MIB [RFC2720]
  - RMON MIB [RFC2819]
  - DiffServ MIB [draft-ietf-diffserv-mib-05.txt]
- Goal:
  - Reporting what filter was applied in capturing a packet
  - Filter spec might be too complex to include in captured packet encapsulation header
    - include only filter identifier

Extended Captured Packet Encapsulation Header
- Extending captured packet encapsulation header of draft-bullard-pcap-00.txt
  - additional fields
- Approach:
  - set bits to indicate aggregation or filtering actions
  - further fields specify details of applied actions

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Identifier                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            ifIndex            |        Interface Type         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Status             |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Time Stamp (sec)                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Time Stamp (nsec)                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|F B T U P S D S D F|         Number of merged packets          |
|M D S S P M M P P A|                                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                  Total length of all packets                  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Time Stamp (last) (sec)                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                   Time Stamp (last) (nsec)                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Filter Identifier                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     Captured Packet Data                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Extended Captured Packet Encapsulation Header

New Fields
- Actions Bit Field (16 bit field): specifies applied merge and applied filter actions
  - FM flag: Fragment Merge
  - TS, US, SM, DM, SP and DP flags accordingly
  - Bi-Directional (BD) bit: bi-directional mode for TS, US, and PP (otherwise: uni-directional mode)
  - FA flag: Filter Applied
- Number of merged packets (16 bit field)
- Total length of all packets (32 bit field)
- Time Stamp (two 32 bit fields)
  - first and last merged packet
- Filter Identifier (32 bit field)
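
A receiver-side parser for the extended header, given here as an added example (it is not code from the draft or the presentation). It shows the consistency checks a collector can apply before trusting a record from a remote capturing device. Assumptions: network byte order, a 16/16 split of the ifIndex/Interface Type and Status/Length words, flags in the top ten bits of the actions field in the order drawn, the six remaining bits zero, and the rejection rules themselves.

```python
import struct

# Assumed wire layout for this added example: eleven 32-bit words in network
# byte order; the ifIndex/Interface Type and Status/Length words split 16/16.
HEADER = struct.Struct("!IHHHHIIIHHIIII")
# Flag order as drawn in the header diagram, bit 0 being the most significant.
FLAGS = ("FM", "BD", "TS", "US", "PP", "SM", "DM", "SP", "DP", "FA")
NSEC = 1_000_000_000


class HeaderError(ValueError):
    """Raised when a captured-packet header fails validation."""


def parse_header(buf: bytes) -> dict:
    if len(buf) < HEADER.size:
        raise HeaderError("truncated header")
    (src, ifindex, iftype, status, length, seq, first_s, first_ns,
     actions, merged, total_len, last_s, last_ns, filter_id) = HEADER.unpack_from(buf)
    if actions & 0x003F:  # assumption: the six undrawn bits must be zero
        raise HeaderError("unassigned action bits set")
    flags = {name for i, name in enumerate(FLAGS) if actions & (0x8000 >> i)}
    merges = flags - {"BD", "FA"}
    # BD only qualifies TS, US and PP, so on its own it is meaningless.
    if "BD" in flags and not merges & {"TS", "US", "PP"}:
        raise HeaderError("BD set without TS, US or PP")
    if first_ns >= NSEC or last_ns >= NSEC:
        raise HeaderError("nanosecond field out of range")
    if merges and merged < 1:
        raise HeaderError("merge flagged but no packets counted")
    if merges and (last_s, last_ns) < (first_s, first_ns):
        raise HeaderError("last timestamp precedes first")
    return {"source": src, "ifindex": ifindex, "sequence": seq, "flags": flags,
            "merged": merged, "total_length": total_len,
            # The filter identifier is only meaningful when FA is set.
            "filter_id": filter_id if "FA" in flags else None,
            "data": bytes(buf[HEADER.size:])}


def build_sample(actions: int, merged: int = 12) -> bytes:
    """Constructed sample record (not captured traffic) with 4 data bytes."""
    return HEADER.pack(7, 2, 6, 0, 48, 1001, 976800000, 500, actions, merged,
                       9000, 976800003, 250, 0) + b"\x45\x00\x00\x28"


if __name__ == "__main__":
    print(parse_header(build_sample(0x6000)))  # BD + TS
```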

Packet Capturing Configuration Record
- specify functions for merging and filtering
- specify parameters
  - flow idle timeouts for specific flows
- specify transport of captured packets:
  - transport with IP encapsulation
  - transport with UDP encapsulation
  - transport with TCP

Packet Capturing Configuration Record

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|F B T U P S D S D  |        Number of filters specified        |
|M D S S P M M P P  |                                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              Filter Identifier 1              |   transport   |
|                                               |    type 1     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Source IP address 1                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                   Destination IP address 1                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Source port 1         |      Destination port 1       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source address| Dest. address | Source address| Dest. address |
|    mask 1          mask 1          mask 1          mask 1     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              Filter Identifier 2              |   transport   |
|                                               |    type 2     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Security Issues
- Security threats: Unauthorized access, modification or disclosure of remotely captured packets
  - Protecting privacy of captured data being transmitted
    - protection via IPsec possible
  - Protecting privacy of captured data against unauthorized initiators of capturing instructions
    - policy control (authorisation needed to perform remote packet capturing)

Security Issues
- Authorization control:
  - Intra-domain scenarios
    - authorization using SNMPv3 suitable
  - Inter-domain scenarios
    - services such as third party measurement, or accounting services
    - inter-domain authorization control needed
    - solution with AAA protocol and servers suitable
  - Authorization schemes
    - Simple authorization: distinguishing authorized and non-authorized users
    - Complex authorization schemes: policy-based authorization control
      - e.g. specify which user is allowed to capture which part of the packet (which attributes) depending on flow specifications
      - e.g. unprivileged users may capture remotely only packets with own source or destination address
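
The last policy above (unprivileged users may capture only packets with their own source or destination address), sketched as an authorization check on a requested configuration record. This is an added example, not part of the draft: the CaptureFilter class, the authorize function and the reading of the record's mask fields as prefix lengths are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class CaptureFilter:
    """One requested filter entry; prefix lengths stand in for the mask fields."""
    src: str
    src_prefix: int
    dst: str
    dst_prefix: int


def _is_exactly(addr: str, prefix: int, own) -> bool:
    # A mask that is shorter than a host mask also matches other hosts'
    # traffic, even when the requester's own address lies inside it.
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return net.num_addresses == 1 and net.network_address == own


def authorize(privileged: bool, own_addr: str, filters: Sequence[CaptureFilter]) -> bool:
    """Decide whether a capture request may be installed on the device."""
    if privileged:
        return True
    if not filters:
        return False  # no filter means "capture everything"
    try:
        own = ipaddress.ip_address(own_addr)
        # Every entry must pin source or destination to the requester's address.
        return all(_is_exactly(f.src, f.src_prefix, own)
                   or _is_exactly(f.dst, f.dst_prefix, own) for f in filters)
    except ValueError:
        return False  # malformed address or prefix: deny rather than guess


if __name__ == "__main__":
    own = "192.0.2.10"  # constructed sample addresses (documentation range)
    print(authorize(False, own, [CaptureFilter(own, 32, "0.0.0.0", 0)]))
    print(authorize(False, own, [CaptureFilter("192.0.2.0", 24, "0.0.0.0", 0)]))
```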

Summary
- Remote packet capturing: key building block for distributed high performance metering
- Need for standardized, versatile remote packet capturing with functional extensions for merging, filtering etc.
- draft-quittek-pcap-ext-00.txt proposes such extension based on remote packet capturing by Carter Bullard (draft-bullard-pcap-00.txt)
- Proposed extensions:
  - additional information fields in captured packet encapsulation header
    - functions for merging of headers with common properties
  - configuration of packet capturing devices using a configuration record

Direction of Future Work
- Additional work should include
  - Evaluate structuring of merging functionality: Options for specifying L4 merging, app. specific merging
  - Distinguish simple and enhanced instantiations of remote packet capturing.
  - Develop details for security
  - Develop usage scenarios:
    - Traffic engineering usage scenario
    - Accounting and QoS validation usage scenario
- We hope that RTFM2 WG will be chartered, because we see the need for versatile, configurable, high-performance metering
  - We believe our requirements can be addressed adequately by enhancements to the RTFM Traffic Measurement Architecture

Thank You!
Let's discuss and work together in the RTFM-2 Working Group