Presentation is loading. Please wait.

Presentation is loading. Please wait.

Experience at Auckland with SRL and NetFlowMet Nevil Brownlee The University of Auckland Chicago IETF, August 1998.

Published byRalf Scott Modified over 9 years ago

Similar presentations

Presentation on theme: "Experience at Auckland with SRL and NetFlowMet Nevil Brownlee The University of Auckland Chicago IETF, August 1998."— Presentation transcript:

1 Experience at Auckland with SRL and NetFlowMet Nevil Brownlee The University of Auckland Chicago IETF, August 1998

2 SRL / NetFlowMet 1 The University of Auckland RTFM Architecture network meter reader * ** * * * manager meter analysis application rule set

3 SRL / NetFlowMet 2 The University of Auckland ICMP Smurf Attacks

4 SRL / NetFlowMet 3 The University of Auckland

5 M M MMM R R R M R R R M M M Auckland Massey Lincoln Canterbury Otago Waikato Cache NZIX Test Meter Kawaihiko Network August 97 128 512 256 512 Internet

6 SRL / NetFlowMet 5 The University of Auckland NetFlowMet Test Setup network nifty * ** * * * NetFlowMet router

7 SRL / NetFlowMet 6 The University of Auckland

8 SRL / NetFlowMet 7 The University of Auckland NetFlowMet Summary Provides access to traffic data from up to five Cisco routers NetFlow sums packet and bytes - less work for NetFlowMet meter => higher metering capacity NetFlow flows are uni-directional. NetFlowMet matches them up to give RTFM-style flow data Time resolution for flows is determined by NetFlow. The algorithm used for sending out information from the NetFlow cache are not documented

9 SRL / NetFlowMet 8 The University of Auckland SRL: the language A Language for Describing Traffic Flows and Specifying Actions for Flow Groups For creating RTFM rulesets. Should also be useful for other work involving traffic flows RTFM rulesets have three goals: – Decide whether or not a flow is of interest – Save values of requested attributes for flow – Specify direction for metered flows High-level language takes away the need for users to understand the meter’s Packet Matching Engine (PME)

10 SRL / NetFlowMet 9 The University of Auckland Language Elements Operands: value & mask or value / width AND and OR expressions on operand lists Compound statements in braces { } IF-THEN-ELSE statement Variables and Store statements SAVE statements COUNT, IGNORE, NOMATCH statements SUBROUTINE statements Simple DEFINEs (no parameters)

11 SRL / NetFlowMet 10 The University of Auckland Prog 1: Watch ICMP packets if SourcePeerType == IP && SourceTransType == ICMP save, { if SourceTransAddress == 0 # Echo reply store FlowKind := ’E'; else if SourceTransAddress == 3 # Destination unreachable store FlowKind := 'U'; ~ ~ ~ else store FlowKind := '?'; save SourceTransAddress; # ICMP type save DestTransAddress; # ICMP dest save SourcePeerAddress; save DestPeerAddress; count; } else ignore; # Not an ICMP packet

12 SRL / NetFlowMet 11 The University of Auckland Prog 2: Watch Kawaihiko network define Waikato_B = 130.217/16, 163.7/16, 166.83/16; define Kawaihiko_B = Auckland_B, AIT_B, Waikato_B, Canterbury_B, Lincoln_B, Otago_B; if SourcePeerType == IP save; else ignore; if DestPeerAddress == (Kawaihiko_B) nomatch; # We want the Kawaihiko site as source if SourcePeerAddress == (Auckland_B) save, store FlowKind := 'A'; else if SourcePeerAddress == (Otago_B) save, store FlowKind := 'O'; else { save SourcePeerAddress; store FlowKind := '?'; } save DestPeerAddress; count;

13 SRL / NetFlowMet 12 The University of Auckland Prog 3: Overlapping networks define test_nets = 130.216/16, 130.216.7/24, # overlapped 130.216.9/20, 130.216.7/24; # duplicate Nevil's SRL compiler, version 4.2b1 16:36:44 Thu 13 Aug 1998: Compiling k5.srl k5.srl 17: if SourcePeerAddress == (test_nets) count; WARNING >>>> 130.216.9 & 255.255.240 value has bits not covered by mask WARNING >>>> 130.216.7 & 255.255.255 is duplicated in OR group WARNING >>>> 130.216 & 255.255 contains 130.216.9 & 255.255.240 WARNING >>>> 130.216 & 255.255 contains 130.216.7 & 255.255.255 WARNING >>>> 130.216.9 & 255.255.240 contains 130.216.7 & 255.255.255

14 SRL / NetFlowMet 13 The University of Auckland SRL Summary The compiler has been carefully tested. SRL programs are in production use at Auckland It wasn’t difficult to translate old rulesets into SRL. The resulting SRL programs are a lot smaller and much easier to understand The language seems well-suited to its immediate goals, i.e. for writing RTFM rulesets Using DEFINEs is one good way to write ‘generic’ programs which can be easily converted for use in other people’s networks srl (the compiler) is available with NeTraMet 4.2... everyone should use it!

Download ppt "Experience at Auckland with SRL and NetFlowMet Nevil Brownlee The University of Auckland Chicago IETF, August 1998."

Similar presentations

Introduction to IP Routing Geoff Huston

Introduction to IP Routing Geoff Huston
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.

Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.
The Network Layer Chapter 5. The IP Protocol The IPv4 (Internet Protocol) header.

The Network Layer Chapter 5. The IP Protocol The IPv4 (Internet Protocol) header.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 10 Access Control Lists CCNA2: Module 11.

WXES2106 Network Technology Semester /2005 Chapter 10 Access Control Lists CCNA2: Module 11.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Shivkumar Kalyanaraman Rensselaer Polytechnic Institute 1 Internet Control Message Protocol (ICMP) Shivkumar Kalyanaraman Rensselaer Polytechnic Institute.

Shivkumar Kalyanaraman Rensselaer Polytechnic Institute 1 Internet Control Message Protocol (ICMP) Shivkumar Kalyanaraman Rensselaer Polytechnic Institute.
Internet Command Message Protocol (ICMP) CS-431 Dick Steflik.

Internet Command Message Protocol (ICMP) CS-431 Dick Steflik.
Chapter Overview TCP/IP Protocols IP Addressing.

Chapter Overview TCP/IP Protocols IP Addressing.
Computer Networks Layering and Routing Dina Katabi

Computer Networks Layering and Routing Dina Katabi
Connecting Networks © 2004 Cisco Systems, Inc. All rights reserved. Defining the IP Packet Delivery Process INTRO v2.0—4-1.

Connecting Networks © 2004 Cisco Systems, Inc. All rights reserved. Defining the IP Packet Delivery Process INTRO v2.0—4-1.
Access Control Lists Written by Bill Reed 03/11/05.

Access Control Lists Written by Bill Reed 03/11/05.
1 Figure 3-33: Internet Control Message Protocol (ICMP) ICMP is for Supervisory Messages at the Internet Layer ICMP and IP  An ICMP message is delivered.

1 Figure 3-33: Internet Control Message Protocol (ICMP) ICMP is for Supervisory Messages at the Internet Layer ICMP and IP  An ICMP message is delivered.
TELE202 Lecture 10 Internet Protocols (2) 1 Lecturer Dr Z. Huang Overview ¥Last Lecture »Internet Protocols (1) »Source: chapter 15 ¥This Lecture »Internet.

TELE202 Lecture 10 Internet Protocols (2) 1 Lecturer Dr Z. Huang Overview ¥Last Lecture »Internet Protocols (1) »Source: chapter 15 ¥This Lecture »Internet.
Module 4 – Learning about other Devices Testing network connections.

Module 4 – Learning about other Devices Testing network connections.
Internet Control Message Protocol ICMP. ICMP has two major purposes: –To report erroneous conditions –To diagnose network problems ICMP has two major.

Internet Control Message Protocol ICMP. ICMP has two major purposes: –To report erroneous conditions –To diagnose network problems ICMP has two major.
Guide to TCP/IP, Third Edition

Guide to TCP/IP, Third Edition
Network Redundancy Multiple paths may exist between systems. Redundancy is not a requirement of a packet switching network. Redundancy was part of the.

Network Redundancy Multiple paths may exist between systems. Redundancy is not a requirement of a packet switching network. Redundancy was part of the.
Effective Uses of Packet- Filtering Devices. Filtering Based on Source Address: The Cisco Standard ACL 1.One of the things that packet-filtering technology.

Effective Uses of Packet- Filtering Devices. Filtering Based on Source Address: The Cisco Standard ACL 1.One of the things that packet-filtering technology.

Similar presentations

Ads by Google