Fulvio Risso, Politecnico di Torino – ICNC 2013

Filtering Network Traffic Based on Protocol Encapsulation Rules
Fulvio Risso, Politecnico di Torino, Italy
http://fulvio.frisso.net


Evolution of the protocol stack

• The number of application-layer protocols decreases
• Surprisingly, there is more complexity at the lower end of the protocol stack

[Figure: frame layouts as Ethernet encapsulation evolved; slide adapted from Gary Berger, 2012]

802.3 (around 1980): Dst address, Src address, Ethertype (0x0800 = IP), Payload
802.1Q (1998): Dst address, Src address, C-Tag (TPID=0x8100), Ethertype, Payload
802.1ad QinQ (2005): Dst address, Src address, S-Tag (TPID=0x88a8), C-Tag (TPID=0x8100), Ethertype, Payload
802.1ah MACinMAC (2008): B-Dst address, B-Src address, B-Tag (TPID=0x88a8), I-SID and flags (TPID=0x88e7), C-Dst address, C-Src address, C-Tag (TPID=0x8100), Ethertype, Payload
TRILL (2011): B-Dst address, B-Src address, B-Tag (TPID=0x8100), TRILL header (flags, ingress/egress nicknames; TPID=TRILL), C-Dst address, C-Src address, C-Tag (TPID=0x8100), Ethertype, Payload
VXLAN (2012): B-Dst address, B-Src address, B-Tag (TPID=0x8100), Ethertype, Outer IP Src address, Outer IP Dst address, UDP (VXLAN), VXLAN header (flags, VNI), C-Dst address, C-Src address, C-Tag (TPID=0x8100), Ethertype, Payload

Two problems in packet filtering

• How can I filter my traffic independently of the encapsulations used?
  – Solved by (1) the NetPDL language and (2) dynamic creation of the actual packet filtering code [ICC08 paper]

• How can I select exactly the encapsulations I want when filtering my traffic?
  – Solved by (1) the NetPDL language, (2) the NetPFL language and (3) dynamic creation of the actual packet filtering code [Globecom10 paper + this paper]

The overall filter compilation process

• The NetPDL language (protocol definitions)
• The NetPFL language (filtering string), e.g.

    tcp in ip* in ethernet

• Some (very complex) magic...
• The generated packet filtering code (x86 assembly; packet buffer base in ecx):

    001 mov ax,word ptr [ecx+0Ch]   ; load 2 bytes from the packet buffer at offset 12
    002 xchg ah,al                  ; swap byte order (packet is big-endian, x86 is little-endian)
    003 cmp ax,800h                 ; compare the two values (Ethertype 0x0800 = IP)
    004 je 006                      ; if equal, jump to 6 and continue
    005 ret                         ; if not equal, return 0
    ...
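As an added example (not code from the talk or from the NetBee project), the Python below does what the generated code above does, but driven by a small protocol table in the spirit of NetPDL: each protocol states how long its header is and which field selects the next protocol. `fixed_offset_tcp_in_ip_in_ethernet` mirrors the assembly with offsets frozen at compile time (two bytes at offset 12, byte-swapped, compared with 0x0800, then the IP protocol byte at offset 23); `walk` derives the offsets from the headers it meets and also returns the comparisons it performed. The protocol table (including modelling the 802.1Q tag as a 4-byte `vlan` header after the TPID), the two frames and the destination-port-only mapping to `http` are constructed for this illustration and are not the NetPDL database.

```python
"""Added example: a NetPDL-style header walk next to a fixed-offset filter.

Not code from the talk or from NetBee; protocol table and frames are constructed.
"""
import struct

# Constructed protocol table: (minimum header length, header length from the header
# bytes, offset and size of the field selecting the next protocol, value -> next).
PROTOCOLS = {
    "ethernet": (14, lambda h: 14, 12, 2, {0x0800: "ip", 0x86DD: "ipv6", 0x8100: "vlan"}),
    "vlan":     (4, lambda h: 4, 2, 2, {0x0800: "ip", 0x86DD: "ipv6", 0x8100: "vlan"}),
    "ip":       (20, lambda h: (h[0] & 0x0F) * 4, 9, 1, {6: "tcp", 17: "udp", 47: "gre"}),
    "tcp":      (20, lambda h: (h[12] >> 4) * 4, 2, 2, {80: "http"}),  # dst port only
    "http":     (0, lambda h: len(h), None, None, {}),                 # leaf protocol
}


def walk(packet, first="ethernet"):
    """Return (chain, checks): the encapsulation chain found in `packet` and the
    (offset, size, value) comparisons made to find it, as the generated code would."""
    chain, checks, off, proto = [], [], 0, first
    while proto in PROTOCOLS:
        minlen, hlen, fpos, fsize, table = PROTOCOLS[proto]
        hdr = packet[off:]
        if len(hdr) < minlen:
            break                      # truncated header: never read past the buffer
        n = hlen(hdr)
        if n < minlen or off + n > len(packet):
            break                      # malformed length field (e.g. IHL < 5)
        chain.append(proto)
        if fpos is None:
            break
        # Big-endian read of the field: the "xchg ah,al" of the generated x86 code.
        value = int.from_bytes(packet[off + fpos:off + fpos + fsize], "big")
        checks.append((off + fpos, fsize, value))
        proto = table.get(value, "unknown")
        off += n
    return chain, checks


def fixed_offset_tcp_in_ip_in_ethernet(packet):
    """The slide's compiled filter with offsets fixed at compile time:
    Ethertype at 12..13 == 0x0800 and IP protocol at 23 == 6 (TCP).
    Only valid for untagged Ethernet carrying a 20-byte IP header."""
    return (len(packet) > 23
            and int.from_bytes(packet[12:14], "big") == 0x0800
            and packet[23] == 6)


# --- constructed test frames -----------------------------------------------
def _ethernet(payload, ethertype, vlan_id=None):
    hdr = bytes.fromhex("020000000001" "020000000002")   # dst MAC, src MAC
    if vlan_id is not None:
        hdr += struct.pack("!HH", 0x8100, vlan_id)        # 802.1Q C-Tag
    return hdr + struct.pack("!H", ethertype) + payload


def _ipv4(payload, proto, options=b""):
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0, 0,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + payload


def _tcp(payload, dport=80):
    # data offset 5 (20-byte header), SYN flag, checksum left at zero
    return struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload


PLAIN = _ethernet(_ipv4(_tcp(b"GET / HTTP/1.0\r\n"), 6), 0x0800)
TAGGED = _ethernet(_ipv4(_tcp(b"GET / HTTP/1.0\r\n"), 6, options=b"\x01" * 4),
                   0x0800, vlan_id=100)   # VLAN tag plus 4 bytes of IP NOP options

if __name__ == "__main__":
    for name, frame in (("plain", PLAIN), ("tagged", TAGGED)):
        chain, checks = walk(frame)
        print(name, "-".join(chain), checks,
              "fixed-offset filter:", fixed_offset_tcp_in_ip_in_ethernet(frame))
```

The tagged frame carries TCP in IP just like the plain one, but the fixed-offset code reads the TPID 0x8100 where it expects 0x0800 and rejects it, while the table-driven walk finds `ethernet-vlan-ip-tcp-http` at offsets 12, 16, 27 and 44. This is the practical reason the talk compiles offsets from protocol definitions instead of hard-coding them: any new tag or tunnel in the stack of slide 2 shifts every inner field.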

The idea

• Let's model the protocol encapsulation graph with a directed, potentially cyclic graph

    [Figure: encapsulation graph with nodes startproto, ethernet, ip, ipv6, tcp, udp, http, dns; edges used below: start-eth, eth-ipv6, ipv6-ip, ip-ip, ip-tcp, ipv6-tcp]

• Let's model the filtering string with an automaton

    tcp in ip* in ipv6 in ethernet

    Q0 -(in ethernet)-> Q1 -(in ipv6)-> Q2; Q2 -(in ip*)-> Q2; Q2 -(ε)-> Q3 -(tcp)-> Q4

• Let's put the two together and create a new automaton that models our filter (each state is bound to one protocol, each transition is an encapsulation relationship)

    S0 [start] -{start-eth}-> S1 [eth] -{eth-ipv6}-> S2 [ipv6] -{ipv6-ip}-> S3 [ip]
    S3 [ip] -{ip-ip}-> S3 [ip]
    S3 [ip] -{ip-tcp}-> S4 [tcp]
    S2 [ipv6] -{ipv6-tcp}-> S4 [tcp]

Why is it so difficult?

• Isn't it enough to take the protocol encapsulation graph, prune the unnecessary transitions/protocols, and transform it into an FSA?
• Unfortunately no...
• For instance, what if we want TCP encapsulated in exactly two IP headers?

    tcp in ip in ip

    [Figure: the pruned encapsulation graph (startproto, ethernet, ip, ipv6, tcp, udp, http, dns) still contains the ip → ip loop, so it cannot count IP headers; the filter instead corresponds to the chain [anything] → ip → ip → tcp]

• Here [anything] can be any protocol, not necessarily Ethernet and startproto

Challenges

• Model the NetPFL filter with an FSA [simple]
• Create a new FSA that models the actual filtering code
  – Define the FSA alphabet: each encapsulation relationship is a symbol [simple]
  – Associate each state to a protocol [not so simple]
    • Transform states that may be associated to multiple protocols into a set of states, each one associated to a single protocol
  – Determine which symbols can be received in each state and simplify the FSA accordingly [not so simple]
    • E.g., the symbol that represents the IP → UDP transition cannot be received if we are inspecting the Ethernet header
• Use classical algorithms to transform the FSA into a DFA and allow FSA composition (union, etc.) [simple, but only in theory]
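As an added example (not the paper's algorithm and not NetBee code), the Python below reconstructs the steps listed above in simplified form. A NetPFL-style filter string is compiled into a small NFA over protocol names (`in` = direct encapsulation, `*` and `+` quantifiers, `any`, `notin {...}`, and `startproto` anchoring the outer end; otherwise an implicit `any*` precedes the filter). The NFA is run over a packet's protocol chain, and its product with the encapsulation graph is built by subset construction so that every product state is bound to exactly one protocol and keeps only the encapsulation edges that can still lead to a match: the IP → UDP edge never appears in an Ethernet state, and a filter with two consecutive `ip` layers really requires two IP headers, which a pruned graph with an ip → ip loop cannot express. The encapsulation graph, the filter semantics, the function names and the sample chains (the two packets of the run-time experiment) are constructed for this illustration; the real NetPFL grammar and the paper's FSA construction are more elaborate.

```python
"""Added example: NetPFL-like encapsulation filter as an NFA, plus its product
with the encapsulation graph. Not the paper's algorithm; semantics simplified."""
import re
from collections import deque

# Constructed encapsulation graph (a subset of the NetPDL database of the talk).
ENCAP = {
    "startproto": {"ethernet"},
    "ethernet": {"ip", "ipv6"},
    "ip": {"tcp", "udp", "gre", "ip"},
    "ipv6": {"tcp", "udp", "ip"},
    "gre": {"ppp", "ip"},
    "ppp": {"ip"},
    "tcp": {"http"},
    "udp": {"dns"},
    "http": set(),
    "dns": set(),
}


def ANY(proto):
    return True


def compile_filter(expr):
    """Turn 'tcp in ip* in ethernet' into NFA layers, outermost first.
    A layer is (predicate, quantifier, name): '1' consumes exactly one protocol,
    '*' zero or more ('x+' is expanded into 'x x*'). Unless the outermost layer
    is startproto, an implicit any* is prepended (outer end unanchored)."""
    layers = []  # innermost first while parsing
    for tok in re.findall(r"notin\s*\{[^}]*\}|\bin\b|\w+[*+]?", expr):
        if tok == "in":
            continue
        m = re.fullmatch(r"notin\s*\{([^}]*)\}", tok)
        if m:   # 'x notin {a,b}': the protocol carrying x is none of a, b
            banned = {p.strip() for p in m.group(1).split(",")}
            layers.append((lambda p, b=banned: p not in b, "1", tok))
            continue
        name, q = re.fullmatch(r"(\w+)([*+]?)", tok).groups()
        pred = ANY if name == "any" else (lambda p, n=name: p == n)
        if q == "*":
            layers.append((pred, "*", name))
        else:
            layers.append((pred, "1", name))
            if q == "+":
                layers.append((pred, "*", name))
    layers.reverse()
    if layers[0][2] != "startproto":
        layers.insert(0, (ANY, "*", "any"))
    return layers


def _closure(layers, states):
    """Epsilon closure: a '*' layer may be skipped."""
    out = set(states)
    for i in states:
        while i < len(layers) and layers[i][1] == "*":
            i += 1
            out.add(i)
    return frozenset(out)


def _step(layers, states, proto):
    """Consume one protocol. State len(layers) is accepting and absorbs whatever
    is encapsulated below the innermost filter protocol."""
    out = set()
    for i in states:
        if i == len(layers):
            out.add(i)
        else:
            pred, q, _ = layers[i]
            if pred(proto):
                out.add(i if q == "*" else i + 1)
    return _closure(layers, out)


def matches(layers, chain):
    """Run the NFA over a protocol chain listed outermost first."""
    states = _closure(layers, {0})
    for proto in chain:
        states = _step(layers, states, proto)
    return len(layers) in states


def build_product(layers, encap=ENCAP, root="startproto"):
    """Subset construction over (protocol, NFA state set) pairs. Each product
    state is bound to one protocol and lists only the encapsulation edges that
    can still lead to a match; an edge leading to the empty set needs no code."""
    start = (root, _step(layers, _closure(layers, {0}), root))
    trans, todo = {}, deque([start])
    while todo:
        node, st = todo.popleft()
        if (node, st) in trans:
            continue
        trans[(node, st)] = {}
        if len(layers) in st:          # accepting: generated code returns 1 here
            continue
        for nxt in sorted(encap[node]):
            st2 = _step(layers, st, nxt)
            if st2:                    # empty set: this symbol can never match
                trans[(node, st)][nxt] = (nxt, st2)
                todo.append((nxt, st2))
    return start, trans


FILTERS = ["tcp in ip", "tcp in ip in ethernet", "tcp in ip in ethernet in startproto",
           "tcp in any+ in ethernet", "http notin {tcp,udp}", "tcp"]
PACKETS = {  # constructed chains for the two packets of the run-time experiment
    "ethernet-ip-tcp-http": ["startproto", "ethernet", "ip", "tcp", "http"],
    "ethernet-ip-gre-ppp-ip-tcp-http":
        ["startproto", "ethernet", "ip", "gre", "ppp", "ip", "tcp", "http"],
}


def evaluate(filters=FILTERS, packets=PACKETS):
    """Which filter matches which packet: {filter: {packet: bool}}."""
    return {f: {p: matches(compile_filter(f), c) for p, c in packets.items()}
            for f in filters}


if __name__ == "__main__":
    for f, res in evaluate().items():
        print(f"{f:40s}", res)
    _, trans = build_product(compile_filter("tcp in ipv6 in ethernet in startproto"))
    for (node, st), edges in trans.items():
        print(node, sorted(st), "->", sorted(edges))
```

Running it prints, for the anchored filter `tcp in ipv6 in ethernet in startproto`, four product states in which the Ethernet state tests only the eth-ipv6 symbol (eth-ip is dead) and the IPv6 state tests only ipv6-tcp. The `*` quantifier is what makes `tcp in ip* in ipv6` accept any number of IP headers, while `tcp in ip in ip in ethernet` accepts exactly two, which is the distinction the previous slide says a pruned encapsulation graph loses.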

Details of the algorithm in the paper

Results: NetPFL filters and NetPDL database

NetPFL filters used in the experiments:

    #1  tcp in ip
    #2  tcp in ip in ethernet
    #3  tcp in ip in ethernet in startproto
    #4  tcp in any+ in ethernet
    #5  http notin {tcp,udp}
    #6  tcp

NetPDL database (protocols in the encapsulation graph): startproto, ethernet, ip, ipv6, gre, ppp, tcp, udp, http, dns

Results: filter creation time

[Chart: average creation time in ms (log scale, 1 to 1000) for filters #1 to #6, two series: Automaton and Total. Values printed on the chart: 1.1, 2.3, 2.4, 2.6, 3.2, 3.5, 7.3, 68.2, 70.4, 844.0, 949.6 and 978.2 ms; the per-filter assignment was lost in extraction]

Results: filtering performance at run time

[Chart: average time in CPU ticks (0 to 140) for filters #1 to #6 on two packets, ethernet-ip-tcp-http and ethernet-ip-gre-ppp-ip-tcp-http, with two bars per filter labelled (a) and (r). Values printed on the chart: 129, 119, 49, 45, 21, 20, 20, 19, 19, 18, 9, 9 ticks; the per-bar assignment was lost in extraction]

Conclusions (the sad news)

• The method looks promising, but...
  – It operates only on protocols, not on conditions based on protocol fields
    • E.g., tcp in ip.src==10.1.1.1
  – The algorithm is not very efficient when a specific instance of a protocol is required
    • E.g., tcp in ip%4 in ipv6
  – It does not support optimization of filter/action pairs
    • E.g., tcp in ip%2 extractfields(ip%2.src,ip%2.dst)
• The implementation should be improved
  – Huge filter computation time in case of complex filters

Conclusions (the good news)

• Almost all those problems are now solved
  – A more sophisticated algorithm has been defined
  – A much more efficient implementation is on the way
• We can filter traffic and select the encapsulations we want
  – Very powerful filtering language
• The generated filter is optimal
  – Interesting in case of very complex filters or multiple filters merged together
• We also support actions, such as extracting the value of specific fields:

    http in any in ip extractfields(ip.src, ip.dst)

For further information

Code, samples, tools: http://www.nbee.org

Questions?
