Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 1-10 Gbps IPv6 Programmable IDS/IPS Livio Ricciulli (408) 835-5005 *Supported by the Division of Design Manufacturing and Industrial.

Published byNorman Patterson Modified over 9 years ago

Similar presentations

Presentation on theme: "1 1-10 Gbps IPv6 Programmable IDS/IPS Livio Ricciulli (408) 835-5005 *Supported by the Division of Design Manufacturing and Industrial."— Presentation transcript:

1 1 1-10 Gbps IPv6 Programmable IDS/IPS Livio Ricciulli livio@force10networks.com (408) 835-5005 *Supported by the Division of Design Manufacturing and Industrial Innovation of the National Science Foundation (Awards #0339343, 0521902) and the Air Force Rome Laboratories. Rome Laboratories

2 2 Active Networks (DARPA Program) –Change behavior of network components (routers) dynamically (add new protocols, flow control algorithms, monitoring, etc..) –Discrete. Update network through separate management operations –Integrated. Packets cause network to update itself –Broad scope did not result in industry adoption –Lack of “killer application” –Lack of tight industry interaction –Tried to change too much too soon Our bottom-up approach –Achieve programmability while reusing current infrastructure –Augment networks with new, non-invasive technology –Application-driven rather than design-driven –Work closely with users/operators –Revisit hardware computational model Brief History

3 3 Open architecture to leverage open source software –More robust, more flexible, promotes composability –Directly support Snort signatures –Abstract hardware as a network interface from OS prospective Retain high-degree of programmability –New threat models (around the corner) –Extend to application beyond IDS/IPS Line-speed/low latency to allow integration in production networks –Unanchored payload string search –Support analysis across packets –Gracefully handle state exhaustion Hardware support for adaptive information management –Detailed reporting when reporting bandwidth is available –Dynamically switch to more compact representations when necessary –Support the insertion of application-specific analysis code in the fast path 1-10 Gbps IDS/IPS Hardware

4 4 MemoryProcessor Memory Instructions Get packet Compare to rules Alert Data Flynn’s Computer Taxonomy Processor Memory Instructions Get packet Compare to rules Alert Data P0.. P1Pn Reduction Network Data Alert Instructions P0.. P1Pn Reduction Network Alert Data Instructions SISD MIMD MISD SIMD

5 5 Block Direction 1 Block Direction 2 Monitoring System AND PHY RxData RxEnable PHY RxEnable RxData AND Layer-1 Filtering

6 6 Product Architecture PHY FPGA L-1 RAM IPS/ IDS Synthesis + firmware update Dynamic rules PHY Static rules Runtime update Packets State Read Only Block + Latency = 1.3 μs 100Mb-10Gb 2-8M Concurrent Flows

7 7 Flexible Deployment Options CPU IDS/IPS CPU IDS/IPS Router/Switch Multiple Mirrors Inline Passive CPU IDS/IPS Mirror Port Passive Inline To other passive device –IPS application –Chain multiple cards inline for additional rule capacity –IDS and other passive monitoring –Up to 4 cards/8 ports in Force10 appliance –Mix of 1G and 10G –Extend passive capacity –Can hang multiple passive devices off 1 TAP or Mirror

8 8 Stateful Content Inspection Performance Comparison

9 9 Intuitive Management Tools Interface –Card operates as a standard NIC –Reuse all existing Unix-based utilities/applications –Policies implemented rule by rule for block, forward, ignore and capture

10 10 IPv6 Security Hardware IPv6 options provide a covert channel –Ex. Joe 6 pack (http://people.suug.ch/~tgr/misc/j6p- 1.0.tar.gz) uses IPv6 Destination option for transporthttp://people.suug.ch/~tgr/misc/j6p- 1.0.tar.gz Want to see what are IPv6 options used for (for example source routing) –Extend hardware payload match semantics to Ipv6 header Tunneling –Want to inspect headers of multiple tunnels

11 11 Technical Approach (continued) Anchored and unanchored matching –Ipv4 matching requires the following 2 offsets –IPv4 Header start (fixed 14 bytes from the start of the frame) –Payload start (variable due to Transmission Control Protocol (TCP) options) –IPv6 capable hardware modified to work with multiple variable offsets provided by the decoding phase –IPv4-IPv6 Header starts (variable due to tunneling) –Option starts (variable due to tunneling + IP options) –HLP start (variable due to tunneling + IP options) –Payload start (variable due to tunneling + IP options + TCP options) Matching through variable offsets

12 12 Technical Approach IPv6 Decoding according to RFC2460 + IPv4 Decoding –Extract from header a set of offset pointers into the packet starting from the first Internet Protocol (IP) byte –The following offsets are memorized for each packet –Header start V6 –Header start V4 –High-Level Protocol (HLP) start –Payload Start –Hop-by-Hop –Routing –Fragment –Destination –Authentication –Security Payload –Tunneling counter from 0 to N indicating which tunnel level

13 13 Additions to IPv6 API 8-bit “parse” value indicating which section of the packet is being clocked in –Unknown –IPV4 = 0x4 –Payload = 0xFE –TCP = 0x6 –ICMPV4 = 0x1 –UDP = 0x11 –IPV6 = 41 –Routing = 43 –Fragment = 44 –Destination = 60 –Authentication = 51 –Security Payload = 50 –ICMPv6 = 58 –Hop by Hop = 0 Counters –Tunnel “tcnt” counter –Length offset within section pointed to by “parse”

14 14 memory mem(.c1(clk),.a1(dstp[15:0]),.di1(newval),.do1(oldvalout),.w(write),.c2(cnfclk),.a2(address[15:0]),.do2(valout)); always@(posedge clk) begin if(offset==1) begin proto<=data[7:0]; end else if(offset==2 && (proto==06 || proto==17)) begin dstp<=data[31:16]; end else if(offset==4 && dstp!=0) begin newval<=oldvalout+1; write<=1; end else begin write<=0; end TopN destination ports

15 15 Reuse existing Opens Source

16 16 Available Today P10 PCI Card (10 GbE interface) –High speed PCI card in 1U chassis –Wire-speed stateful deep packet inspection; 20G-in/20G-out –650 static rule capacity 65 dynamic rules; (currently being increased); –8 million concurrent flows P1 PCI Card (GbE interface) –High speed PCI card in 1U chassis –Wire-speed stateful deep packet inspection; 2G-in/2G-out –1000 static rule capacity; up to 200 dynamic; (currently being increased); –2 million concurrent flows P1/P10 Appliance –1U host embeds a P1 or P10 PCI card –Software and drivers pre-installed and pre-configured

17 17 Extremely low latency design enables a wide variety of deployment options Leverage Open Source software 1G and 10G available today Processing paradigm lends itself to ad-hoc application level programmability Livio Ricciulli livio@force10networks.com (408) 835-5005 www.metanetworks.org Summary

18 18 Thank You

Download ppt "1 1-10 Gbps IPv6 Programmable IDS/IPS Livio Ricciulli (408) 835-5005 *Supported by the Division of Design Manufacturing and Industrial."

Similar presentations

IP Router Architectures. Outline Basic IP Router Functionalities IP Router Architectures.

IP Router Architectures. Outline Basic IP Router Functionalities IP Router Architectures.
P4: specifying data planes

P4: specifying data planes
ENGINEERING WORKSHOP Compute Engineering Workshop P4: specifying data planes Mihai Budiu San Jose, March 11, 2015.

ENGINEERING WORKSHOP Compute Engineering Workshop P4: specifying data planes Mihai Budiu San Jose, March 11, 2015.
CSCI 4550/8556 Computer Networks Comer, Chapter 22: The Future IP (IPv6)

CSCI 4550/8556 Computer Networks Comer, Chapter 22: The Future IP (IPv6)
Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv4 20.3 IPv6.

Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.

1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
SDN and Openflow.

SDN and Openflow.
By Aaron Thomas. Quick Network Protocol Intro. Layers 1- 3 of the 7 layer OSI Open System Interconnection Reference Model  Layer 1 Physical Transmission.

By Aaron Thomas. Quick Network Protocol Intro. Layers 1- 3 of the 7 layer OSI Open System Interconnection Reference Model  Layer 1 Physical Transmission.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) SriramGopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
t Popularity of the Internet t Provides universal interconnection between individual groups that use different hardware suited for their needs t Based.

t Popularity of the Internet t Provides universal interconnection between individual groups that use different hardware suited for their needs t Based.
Chapter 9 Classification And Forwarding. Outline.

Chapter 9 Classification And Forwarding. Outline.
IP/ICMP Translation Algorithm (IIT) Xing Li, Congxiao Bao, Fred Baker 2008-11-17.

IP/ICMP Translation Algorithm (IIT) Xing Li, Congxiao Bao, Fred Baker
WAN Technologies.

WAN Technologies.
Chapter 4 Queuing, Datagrams, and Addressing

Chapter 4 Queuing, Datagrams, and Addressing
Joint Techs 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA 95030 Voice: (408) 399-2284 Fax (408) 356-9446 Demonstration of 10 Gbps IDS/IPS.

Joint Techs 2005 Metanetworks Inc. 647 N. Santa Cruz Suite E, Los Gatos, CA Voice: (408) Fax (408) Demonstration of 10 Gbps IDS/IPS.
Semester 1 Module 8 Ethernet Switching Andres, Wen-Yuan Liao Department of Computer Science and Engineering De Lin Institute of Technology

Semester 1 Module 8 Ethernet Switching Andres, Wen-Yuan Liao Department of Computer Science and Engineering De Lin Institute of Technology
LECTURE 9 CT1303 LAN. LAN DEVICES Network: Nodes: Service units: PC Interface processing Modules: it doesn’t generate data, but just it process it and.

LECTURE 9 CT1303 LAN. LAN DEVICES Network: Nodes: Service units: PC Interface processing Modules: it doesn’t generate data, but just it process it and.
ECE 526 – Network Processing Systems Design Network Processor Architecture and Scalability Chapter 13,14: D. E. Comer.

ECE 526 – Network Processing Systems Design Network Processor Architecture and Scalability Chapter 13,14: D. E. Comer.
Advisor: Quincy Wu Speaker: Kuan-Ta Lu Date: Aug. 19, 2010

Advisor: Quincy Wu Speaker: Kuan-Ta Lu Date: Aug. 19, 2010

Similar presentations

Ads by Google