Toward an ebpf-based clone of iptables
|
|
- Blaise Shields
- 5 years ago
- Views:
Transcription
1 Toward an ebpf-based clone of iptables Matteo Bertrone, Sebastiano Miano, Jianwen Pi, Fulvio Risso, Massimo Tumolo Netdev 0x12, Montréal (Canada), July 12th, 2018
2 Objective Started in Nov 2017, with a (applied) research mindset Objective: create a complex network software with ebpf, to assess strengths and weaknesses of the above technology Earlier and, in some sense, orthogonal to bpfilter Create a (partial) clone of iptables, exploiting the ebpf technology Understand the challenges Provide hints about the feasibility of this project Characterize performance of the prototype Possibly use vanilla Linux kernels (no extensions) Identify possible future improvements/directions in ebpf/linux kernel 2
3 TURIN POLYTECHNIC Part I
4 Key objective #1: Preserving iptables semantic Local processes iptables netfilter hooks PREROUTING INPUT FORWARD OUTPUT POSTROUTING TC hooks FILTER Routing Decision XDP hooks NAT ebpf code Routing Decision FILTER FILTER ebpf code NAT netfilter Routing Decision NAT netdev (e.g., eth0) 4 netdev (e.g., eth1)
5 Key objective #1: Preserving iptables semantic We need to support existing services (e.g., security orchestrators) that are based on iptables, which is a different approach compared to bpfilter Two (TC_INGRESS/XDP_INGRESS and TC_EGRESS) hooks, which must emulate three chains No hooks available in ebpf to easily intercept locally terminated/generated traffic The ebpf code has to process only the packets that would hit each specific chain (INPUT, FORWARD, OUTPUT) We have to guess very early which chain will be hit XDP alone is not enough (no support for egress traffic) ebpf code PREROUTING INPUT FORWARD OUTPUT POSTROUTING iptables netfilter hooks TC hooks XDP hooks FILTER Routing Decision Local processes FILTER Routing Decision NAT FILTER ebpf code NAT netfilter Routing Decision NAT netdev (e.g., eth0) 5 netdev (e.g., eth1)
6 bpf-iptables filtering architecture To Linux Stack From Linux Stack TC/XDP Ingress hook TC Egress hook Netfilter Netfilter Ingress Chain Selector [local dst] INGRESS CHAIN Egress Chain Selector [local src] OUTPUT CHAIN FORWARD CHAIN [remote src] From netdev (e.g., eth0) Selects the right chain based on the IP dst/src address in the incoming packet (path prediction). Selection logic is dynamically configured with all IP addresses visible from the root namespace (intercepts NETLINK messages). 6 To netdev (e.g., eth1)
7 Key objective #2: Fast matching algorithm iptables uses a linear search Constraints for the selection of the algorithm: Feasible with available ebpf data structures (maps) Possibility to rearrange the code in multiple ebpf programs to overcome the limitation of the maximum number of instructions per program Chosen Linear Bit Vector Search [1] [1] T. Lakshman and D.Stidialis. High speed policy-based packet forwarding using efficient multi-dimensional range matching. In Proc. ACM Sigcomm 98, Sept
8 Linear Bit Vector Search: Overview Rule #1: iptables A INPUT Rule #2: iptables A INPUT Rule #3: iptables A INPUT Rule #4: iptables A INPUT Rule #5: iptables A INPUT d /8 p tcp --dport 80 j ACCEPT --dport 80 j ACCEPT p udp --dport 53 j ACCEPT p tcp --dport 53 j ACCEPT j ACCEPT Input packet: ip.dst= ip.proto= TCP tcp.dport= Values Dest. IP Protocol Dest. port Matched rules 0/ / Value Matched rules * TCP UDP Value Matched rules * & & = Rule #1 8
9 tail call tail call Linear Bit Vector Search: implementation LBVS is implemented with a chain of ebpf programs, connected through tail calls. Each ebpf program is injected only if there are rules operating on that field. FILTERING (INPUT/OUTPUT/FORWARD) CHAIN percpu_array shared across the entire program chain Packet header offsets Each ebpf program can exploit a different matching algorithm (e.g., exact match, longest prefix match, etc). ebpf program #1 ebpf program #2 ebpf program #3 ebpf program #N Map keeping the action for each rule Headers parsing Header parsing is done once and results are kept in a shared map for performance reasons. ip.dst lookup ip1 bitv1 ip2 bitv2 ip3 bitv3 ip.proto lookup Bitwise AND bitvectors * bitv1 udp bitv2 tcp bitv3 Search first matching rule Update counters ACTION (drop / accept) rule1 act1 rule2 act2 rule3 act3 rule1 cnt1 rule2 cnt2 Packet From ebpf hook The loop required to perform the bitwise-and is unrolled; currently supported ~8K rules ( bit words). Bitvector with temporary result percpu_array shared across the entire program chain [Packet] To ebpf hook 9
10 Implementation details Currently supported fields: IP src/dst: Longest Prefix Match (LPM TRIE MAPS) E.g. s /8 d /32 L4 protocol: Exact Match (HASH MAPS) E.g. proto tcp; proto 0x02; proto icmp TCP/UDP ports src/dst: Exact match (HASH MAPS) E.g. sport 80 dport 8080 TCP flags: Set, NotSet and Wildcard (ARRAY MAP, with all combinations) E.g. tcp-flags SYN,ACK SYN Conntrack state (more later) More fields can be added (e.g., netdev where traffic comes from/goes to) Possible future work: dynamically select the best algorithm per each field 10
11 Linear Bit Vector Search: Comments Good Good overall performance, particularly when an high number of rules is involved Feasible with current vanilla ebpf Bad Rule update time could be critical, as it may require second(s) Still linear in the number of rules (timed the number of fields), although executed with x64 parallelism Future steps Among the many options (e.g., HiCuts, Efficuts, etc.) Tuple Merge[1] could be an interesting algorithm to look at Fast online rule update time Should be doable with ebpf In our opinion this is not the most critical point right now. [1] James Daly and Eric Torng. TupleMerge: Building Online Packet Classifiers by Omitting Bits. Proceedings of the 26th International Conference on Computer Communication and Networks (ICCCN). IEEE,
12 Key objective #3: Connection tracking Enable rules operating on connection state E.g., -A INPUT m conntrack ctstate=established j ACCEPT E.g., -A INPUT -s /16 m conntrack ctstate=new j ACCEPT Prototypal ebpf-based implementation, with basic support for TCP/UDP/ICMP 12
13 Filtering architecture with conntrack TC/XDP Ingress hook Netfilter To Linux Stack From Linux Stack Netfilter TC Egress hook Connection tracking Ingress Chain Selector [local dst] Update session Label Packet INGRESS CHAIN Store session Update session Label Packet FORWARD CHAIN Store session Egress Chain Selector [local src] Update session Label Packet OUTPUT CHAIN Store session [remote src] From netdev (e.g., eth0) 13 To netdev (e.g., eth1)
14 Pro and con Limitations No support for the massive validation checks (e.g. on TCP window) performed by Linux conntrack, as well as IP de-fragmentation, which could not be straightforward in ebpf No support for (application-layer) RELATED connections RELATED : the packet belongs to a new connection, but is associated to an existing connection (e.g., FTP data transfer, a VoIP RTP stream) Access to L7 fields and handle upper layer protocols with ebpf could not be doable at the time maing Instead, ICMP errors are recognized and handled Advantages Available also when the ebpf program is attached to XDP hooks 14
15 Key objective #4: Preserving iptables syntax iptables A INPUT p tcp \ --dport 53 j ACCEPT bpf-iptables A INPUT p tcp \ --dport 53 j ACCEPT iptables (vanilla) libiptc (vanilla) bpf-iptables (almost vanilla) libiptc (modified) Rule interceptor and translator shell script netlink netlink ebpf system calls bpf-iptablesd (REST-based daemon) Kernel (netfilter) Kernel (netfilter) Kernel (ebpf) 15
16 iptables vs. bpf-iptables Allow both executables to coexist on the same machine User can choose the one he likes based on a different executable name, all supporting the same command line bpf-iptables supports a subset of the iptables commands Examples of unsupported cases: Negation: -proto tcp sport!80 Range: -proto tcp dport An unsupported command triggers an error on the command line Probably does not make sense to support all the features of iptables 16
17 PRELIMINARY PERFORMANCE EVALUATION Part II
18 UDP throughput (Mpps) Throughput (packets per second) 1,6 1,4 iptables bpf-iptables 1,2 1 0,8 0,6 0,4 Testing conditions Two Intel i servers, 32GB RAM Two direct 10GbE links (A B A) Server 1: pktgen-dpdk traffic generator (UDP traffic, 64B Ethernet frames) Traffic measured when losses < 1% Server 2: iptables + IP forwarding enabled 0, Number of filtering rules 18
19 # connections per second # connections per second Throughput (TCP connections per second) Page size: 87bytes baseline iptables Testing conditions Number of concurrent connections (apache benchmark) Page size: 11Kbytes bpf-iptables baseline iptables bpf-iptables Two Intel i servers, 32GB RAM One bidirectional direct 10GbE link (A B) 1000 filtering rules active Server 1: traffic generator (ab, different degrees of parallelism) Server 2: iptables + apache web server (iptables forced to run on a single CPU core by configuring interrupt affinity) Number of concurrent connections (apache benchmark) 19
20 Latency (ms) Processing latency (ms) 1,6 1,4 1,2 1,0 0,8 0,6 0,4 0,2 0,0 iptables bpf-iptables Number of filtering rules Testing conditions Two Intel i servers, 32GB RAM Two direct 10GbE links (A B A) Server 1: traffic generator (ping, one ICMP echo req. per second) Server 2: iptables + IP forwarding enabled 20
21 FUTURE WORK Part III
22 #1. Integration with NAT iptables netfilter hooks iptables nat hooks Local processes PREROUTING INPUT FORWARD OUTPUT POSTROUTING TC hooks FILTER Routing Decision XDP hooks NAT ebpf code Routing Decision FILTER FILTER ebpf code NAT netfilter Routing Decision NAT netdev (e.g., eth0) 22 netdev (e.g., eth1)
23 #1. Integration with NAT Netfilter NAT is no longer semantically equivalent when filtering is done with ebpf E.g., in INPUT packets would cross filter and then NAT, while in vanilla Linux they do the opposite We do not have any hook to get packets after the netfilter NAT Hence, we have to implement both NAT and filtering in ebpf Integration for PREROUTING and POSTROUTING is simple, just put a NAT module in front of the ebpf filtering chain OUTPUT NAT is rarely used (as far as we now), so we re not investigating that part Should we really need to add NAT as well? It depends, but even simple apps (e.g., Docker) make use of NAT 23
24 #2. Integration with bpfilter bpfilter has two main objectives Provides a way to intercept iptables command when being injected in the kernel Defines a mechanism that can evaluate some policy rules as early as possible bpfilter does not have a way to preserve the semantic of iptables rules Our work is largely orthogonal to bpfilter We can easily get rid of our code that intercepts policy rules and move to the mechanism provided by bpfilter Possible nice direction to explore: moving the evaluation of some rules as early as possible (while preserving the iptables semantic) 24
25 #3. Improving time for updating rules Rather high compared to other solutions (~1s) Two reasons We should optimize our control plane algorithms ebpf code injection time is not that small, particularly when an high number of programs and maps need to de changed 25
26 LESSONS LEARNED (OR IDEAS FOR DISCUSSION) Part IV
27 #1. ebpf vs. Netfilter: Cooperation or Competition? Local processes iptables netfilter hooks TC hooks XDP hooks Future hooks PREROUTING INPUT FORWARD OUTPUT POSTROUTING FILTER Routing Decision NAT ebpf code Routing Decision FILTER FILTER ebpf code NAT netfilter Routing Decision NAT netdev (e.g., eth0) 27 netdev (e.g., eth1)
28 #1. ebpf vs. Netfilter: Cooperation or Competition? Difficult to enhance netfilter by adding individual components based on ebpf E.g., cannot replace filtering while using the netfilter NAT Adding more hooks around would simplify the integration and coexistence of both technologies From competition Cannot have both technologies at the same time... to cooperation Use the best of both worlds Local processes PREROUTING INPUT FORWARD OUTPUT POSTROUTING E.g., an ebpf hook to intercept local traffic would remove the necessity of the Chain Selector block ebpf code iptables netfilter hooks TC hooks XDP hooks FILTER Routing Decision FILTER Routing Decision NAT FILTER ebpf code NAT netfilter Routing Decision NAT netdev (e.g., eth0) 28 netdev (e.g., eth1)
29 #2. A way for the perfect matching algorithm Hard to find a one size fits all algorithm We chose LBVS because of its run-time performance Other people need an algorithm supporting high frequency rule updates And more ebpf can enable different people to implement the matching algorithm that is the best fits for their objectives Difficult to achieve with other technologies (e.g., current iptables) 29
30 #3. Replacing or offloading iptables? Our work so far has been in the direction of replacing iptables A (almost) fully compatible clone People in our group are even working on NAT Is this the right way to go? What about offloading some iptables rules, e.g., in a dedicated BPF program executed in XDP? E.g., rules that filter traffic coming from a huge set of malicious hosts Preserving the iptables semantic is definitely a must 30
31 #4. Need more work on Connection Tracking We implemented our own minimal conntrack Other people did the same, e.g., Cilium folks But no advanced features, e.g., IP reassembly, related connections, etc, which are currently not feasible in ebpf Is it the right choice to have conntrack as ebpf? Difficult to have all the features of the existing (native) connection tracking We probably need to investigate more 31
32 CONCLUDING REMARKS Part V
33 Conclusions 100% compatible version of iptables does not look a good idea What about ip6tables, arptables and ebtables? A reduced (and faster) version looks more appealing Enables best of both words (command line compatibility, features, performance) Performance characterization Excellent results when an high number of rules are configured Below iptables with a few rules (or none) Rule update not so fast (~ 10 seconds for a database of 1000 rules) Under investigation if new ebpf hooks/helpers could improve the performance For sure, it may enable a better cooperation between the ebpf world and netfilter 33
34 34
A 10 years journey in Linux firewalling Pass the Salt, summer 2018 Lille, France Pablo Neira Ayuso
A 10 years journey in Linux firewalling Pass the Salt, summer 2018 Lille, France Pablo Neira Ayuso What is Netfilter? Not just iptables Image from Wikipedia (J. Engelhardt, 2018)
More informationWorksheet 8. Linux as a router, packet filtering, traffic shaping
Worksheet 8 Linux as a router, packet filtering, traffic shaping Linux as a router Capable of acting as a router, firewall, traffic shaper (so are most other modern operating systems) Tools: netfilter/iptables
More informationIPtables and Netfilter
in tables rely on IPtables and Netfilter Comp Sci 3600 Security Outline in tables rely on 1 2 in tables rely on 3 Linux firewall: IPtables in tables rely on Iptables is the userspace module, the bit that
More informationnetfilters connection tracking subsystem
netfilters connection tracking subsystem Florian Westphal 4096R/AD5FF600 fw@strlen.de 80A9 20C5 B203 E069 F586 AE9F 7091 A8D9 AD5F F600 Red Hat netdev 2.1, Montreal, April 2017 connection tracking flow
More informationCertification. Securing Networks
Certification Securing Networks UNIT 9 Securing Networks 1 Objectives Explain packet filtering architecture Explain primary filtering command syntax Explain Network Address Translation Provide examples
More informationLinux Network Programming with P4. Linux Plumbers 2018 Fabian Ruffy, William Tu, Mihai Budiu VMware Inc. and University of British Columbia
Linux Network Programming with P4 Linux Plumbers 2018 Fabian Ruffy, William Tu, Mihai Budiu VMware Inc. and University of British Columbia Outline Introduction to P4 XDP and the P4 Compiler Testing Example
More informationNetfilter updates since last NetDev. NetDev 2.2, Seoul, Korea (Nov 2017) Pablo Neira Ayuso
Netfilter updates since last NetDev NetDev 2.2, Seoul, Korea (Nov 2017) Pablo Neira Ayuso What does this cover? Not a tutorial Incremental updates already upstream Ongoing development
More informationNetfilter updates since last NetDev. NetDev 2.2, Seoul, Korea (Nov 2017) Pablo Neira Ayuso
Netfilter updates since last NetDev NetDev 2.2, Seoul, Korea (Nov 2017) Pablo Neira Ayuso What does this cover? Not a tutorial Incremental updates already upstream Ongoing development
More informationNetfilter. Fedora Core 5 setting up firewall for NIS and NFS labs. June 2006
Netfilter Fedora Core 5 setting up firewall for NIS and NFS labs June 2006 Netfilter Features Address Translation S NAT, D NAT IP Accounting and Mangling IP Packet filtering (Firewall) Stateful packet
More informationBringing the Power of ebpf to Open vswitch. Linux Plumber 2018 William Tu, Joe Stringer, Yifeng Sun, Yi-Hung Wei VMware Inc. and Cilium.
Bringing the Power of ebpf to Open vswitch Linux Plumber 2018 William Tu, Joe Stringer, Yifeng Sun, Yi-Hung Wei VMware Inc. and Cilium.io 1 Outline Introduction and Motivation OVS-eBPF Project OVS-AF_XDP
More informationLinux. Sirindhorn International Institute of Technology Thammasat University. Linux. Firewalls with iptables. Concepts. Examples
Linux Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 14 October 2013 Common/Reports/-introduction.tex, r715 1/14 Contents 2/14 Linux, netfilter and netfilter:
More informationiptables and ip6tables An introduction to LINUX firewall
7 19-22 November, 2017 Dhaka, Bangladesh iptables and ip6tables An introduction to LINUX firewall Imtiaz Rahman SBAC Bank Ltd AGENDA iptables and ip6tables Structure Policy (DROP/ACCEPT) Syntax Hands on
More informationAccelerating Load Balancing programs using HW- Based Hints in XDP
Accelerating Load Balancing programs using HW- Based Hints in XDP PJ Waskiewicz, Network Software Engineer Neerav Parikh, Software Architect Intel Corp. Agenda Overview express Data path (XDP) Software
More informationFirewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense
FIREWALLS 3 Firewalls Firewall means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense administered network public Internet firewall
More informationIPv6 NAT. Open Source Days 9th-10th March 2013 Copenhagen, Denmark. Patrick McHardy
IPv6 NAT Open Source Days 9th-10th March 2013 Copenhagen, Denmark Patrick McHardy Netfilter and IPv6 NAT historically http://lists.netfilter.org/pipermail/netfilter/2005-march/059463.html
More informationThe Challenges of XDP Hardware Offload
FOSDEM 18 Brussels, 2018-02-03 The Challenges of XDP Hardware Offload Quentin Monnet @qeole ebpf and XDP Q. Monnet XDP Hardware Offload 2/29 ebpf, extended Berkeley Packet
More informationThis is Google's cache of http://www.rigacci.org/wiki/lib/exe/fetch.php/doc/appunti/linux/sa/iptables/conntrack.html. It is a snapshot of the page as it appeared on 24 Oct 2012 08:53:12 GMT. The current
More informationComputer Security Spring Firewalls. Aggelos Kiayias University of Connecticut
Computer Security Spring 2008 Firewalls Aggelos Kiayias University of Connecticut Idea: Monitor inbound/ outbound traffic at a communication point Firewall firewall Internet LAN A firewall can run on any
More informationThis material is based on work supported by the National Science Foundation under Grant No
Source: http://en.wikipedia.org/wiki/file:firewall.png This material is based on work supported by the National Science Foundation under Grant No. 0802551 Any opinions, findings, and conclusions or recommendations
More informationFirewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng
Firewalls IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Internet Security Mechanisms Prevent: Firewall, IPsec, SSL Detect: Intrusion Detection Survive/ Response: Recovery, Forensics
More informationNAT Router Performance Evaluation
University of Aizu, Graduation Thesis. Mar, 22 17173 1 NAT Performance Evaluation HAYASHI yu-ichi 17173 Supervised by Atsushi Kara Abstract This thesis describes a quantitative analysis of NAT routers
More informationCS Computer and Network Security: Firewalls
CS 5410 - Computer and Network Security: Firewalls Professor Patrick Traynor Fall 2017 Reminders Monday: Change of Plans Recording lecture - turn in your rules. Friday: Project Abstract The hardest paragraph
More informationCS 5114 Network Programming Languages Data Plane. Nate Foster Cornell University Spring 2013
CS 5114 Network Programming Languages Data Plane http://www.flickr.com/photos/rofi/2097239111/ Nate Foster Cornell University Spring 2013 Based on lecture notes by Jennifer Rexford and Michael Freedman
More informationRFC 4301 Populate From Packet (PFP) in Linux
RFC 4301 Populate From Packet (PFP) in Linux Sowmini Varadhan (sowmini.varadhan@oracle.com) Linux IPsec workshop, March 2018, Dresden Germany Agenda Problem description: what is this and why do we need
More informationLinux Firewalls. Frank Kuse, AfNOG / 30
Linux Firewalls Frank Kuse, AfNOG 2017 1 / 30 About this presentation Based on a previous talk by Kevin Chege and Chris Wilson, with thanks! You can access this presentation at: Online: http://afnog.github.io/sse/firewalls/
More informationNDN iptables match extension
NDN iptables match extension L. Bracciale, A. Detti, P. Loreti, G. Rossi, N. Blefari Melazzi May 3, 2017 This module implements a match extension for netfilter 1 to match only certain NDN packets according
More informationDesign and Performance of the OpenBSD Stateful Packet Filter (pf)
Usenix 2002 p.1/22 Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier dhartmei@openbsd.org Systor AG Usenix 2002 p.2/22 Introduction part of a firewall, working on IP packet
More informationReliably Scalable Name Prefix Lookup! Haowei Yuan and Patrick Crowley! Washington University in St. Louis!! ANCS 2015! 5/8/2015!
Reliably Scalable Name Prefix Lookup! Haowei Yuan and Patrick Crowley! Washington University in St. Louis!! ANCS 2015! 5/8/2015! ! My Topic for Today! Goal: a reliable longest name prefix lookup performance
More informationsottotitolo A.A. 2016/17 Federico Reghenzani, Alessandro Barenghi
Titolo presentazione Piattaforme Software per la Rete sottotitolo Firewall and NAT Milano, XX mese 20XX A.A. 2016/17, Alessandro Barenghi Outline 1) Packet Filtering 2) Firewall management 3) NAT review
More informationUniversità Ca Foscari Venezia
Firewalls Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Networks are complex (image from https://netcube.ru) 2 Example: traversal control Three subnetworks:
More informationOVS Acceleration using Network Flow Processors
Acceleration using Network Processors Johann Tönsing 2014-11-18 1 Agenda Background: on Network Processors Network device types => features required => acceleration concerns Acceleration Options (or )
More informationContainers Do Not Need Network Stacks
s Do Not Need Network Stacks Ryo Nakamura iijlab seminar 2018/10/16 Based on Ryo Nakamura, Yuji Sekiya, and Hajime Tazaki. 2018. Grafting Sockets for Fast Networking. In ANCS 18: Symposium on Architectures
More informationDefinition of firewall
Internet Firewalls Definitions: firewall, policy, router, gateway, proxy NAT: Network Address Translation Source NAT, Destination NAT, Port forwarding NAT firewall compromise via UPnP/IGD Packet filtering
More informationNetwork Security: Firewalls. Tuomas Aura T Network security Aalto University, Nov-Dec 2013
Network Security: Firewalls Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2013 2 Firewalls: Stateless packet filter Firewall Perimeter defence: Divide the world into the good/safe inside
More informationFirewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.
Firews and NAT 1 Firews By conventional definition, a firew is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another. firew isolates organization
More informationEvaluation of virtualization and traffic filtering methods for container networks
Evaluation of virtualization and traffic filtering methods for container networks Łukasz Makowski Cees de Laat Paola Grosso makowski@uva.nl delaat@uva.nl pgrosso@uva.nl Our goal: Improving on scientific
More informationBe Fast, Cheap and in Control with SwitchKV. Xiaozhou Li
Be Fast, Cheap and in Control with SwitchKV Xiaozhou Li Goal: fast and cost-efficient key-value store Store, retrieve, manage key-value objects Get(key)/Put(key,value)/Delete(key) Target: cluster-level
More informationXDP: 1.5 years in production. Evolution and lessons learned. Nikita V. Shirokov
XDP: 1.5 years in production. Evolution and lessons learned. Nikita V. Shirokov Facebook Traffic team Goals of this talk: Show how bpf infrastructure (maps/helpers) could be used for building networking
More informationModule: Firewalls. Professor Patrick McDaniel Fall CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Firewalls Professor Patrick McDaniel Fall 2008 1 Midterm results!"#$%&'()*'+,)*-./('-!* +" *" )" (" '" &" %" $" #"!" #!!,*!"-./0" )+,)("-.,0"
More informationSuricata IDPS and Nftables: The Mixed Mode
Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 1 / 60 1 Netfilter Nftables
More informationFundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,
Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin, ydlin@cs.nctu.edu.tw Chapter 1: Introduction 1. How does Internet scale to billions of hosts? (Describe what structure
More informationFirewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A
Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y 2 01 6 / 2 017 P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A Slides are based on slides by Dr Lawrie Brown (UNSW@ADFA) for Computer
More informationNetwork security Exercise 9 How to build a wall of fire Linux Netfilter
Network security Exercise 9 How to build a wall of fire Linux Netfilter Tobias Limmer Computer Networks and Communication Systems Dept. of Computer Sciences, University of Erlangen-Nuremberg, Germany 2.2.
More informationECE 435 Network Engineering Lecture 23
ECE 435 Network Engineering Lecture 23 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 4 December 2018 Announcements HW#9 graded Don t forget projects next week Presentation schedule
More informationHost Dataplane Acceleration: SmartNIC Deployment Models
Host Dataplane Acceleration: SmartNIC Deployment Models Simon Horman 20 August 2018 2018 NETRONOME SYSTEMS, INC. Agenda Introduction Hardware and Software Switching SDN Programmability Host Datapath Acceleration
More informationSmartNIC Programming Models
SmartNIC Programming Models Johann Tönsing 206--09 206 Open-NFP Agenda SmartNIC hardware Pre-programmed vs. custom (C and/or P4) firmware Programming models / offload models Switching on NIC, with SR-IOV
More informationOpenFlow Software Switch & Intel DPDK. performance analysis
OpenFlow Software Switch & Intel DPDK performance analysis Agenda Background Intel DPDK OpenFlow 1.3 implementation sketch Prototype design and setup Results Future work, optimization ideas OF 1.3 prototype
More informationMonitoring the Update Time of Virtual Firewalls in the Cloud. Abstract
Monitoring the Update Time of Virtual Firewalls in the Cloud Hyunwook Baek, Eric Eide, Robert Ricci and Jacobus Van der Merwe UUCS-18-005 School of Computing University of Utah Salt Lake City, UT 84112
More informationHistory Page. Barracuda NextGen Firewall F
The Firewall > History page is very useful for troubleshooting. It provides information for all traffic that has passed through the Barracuda NG Firewall. It also provides messages that state why traffic
More informationSmartNIC Programming Models
SmartNIC Programming Models Johann Tönsing 207-06-07 207 Open-NFP Agenda SmartNIC hardware Pre-programmed vs. custom (C and/or P4) firmware Programming models / offload models Switching on NIC, with SR-IOV
More informationDecision Forest: A Scalable Architecture for Flexible Flow Matching on FPGA
Decision Forest: A Scalable Architecture for Flexible Flow Matching on FPGA Weirong Jiang, Viktor K. Prasanna University of Southern California Norio Yamagaki NEC Corporation September 1, 2010 Outline
More informationECE 435 Network Engineering Lecture 23
ECE 435 Network Engineering Lecture 23 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 30 November 2017 HW#11 will be posted Announcements Don t forget projects next week Presentation
More informationSlicing a Network. Software-Defined Network (SDN) FlowVisor. Advanced! Computer Networks. Centralized Network Control (NC)
Slicing a Network Advanced! Computer Networks Sherwood, R., et al., Can the Production Network Be the Testbed? Proc. of the 9 th USENIX Symposium on OSDI, 2010 Reference: [C+07] Cascado et al., Ethane:
More informationCSCI 680: Computer & Network Security
CSCI 680: Computer & Network Security Lecture 21 Prof. Adwait Nadkarni Fall 2017 Derived from slides by William Enck, Micah Sherr and Patrick McDaniel 1 Filtering: Firewalls Filtering traffic based on
More informationFulvio Risso, Matteo Bertrone, Mauricio Vasquez Bernal
Fulvio Risso, Matteo Bertrone, Mauricio Vasquez Bernal Politecnico di Torino, Italy COUPLING THE FLEXIBILITY OF OVN WITH THE EFFICIENCY OF IOVISOR: ARCHITECTURE AND DEMO 1 Datacenter Networking Datacenter
More informationpython-iptables Documentation
python-iptables Documentation Release 0.4.0-dev Vilmos Nebehaj Oct 05, 2017 Contents 1 Introduction 3 1.1 About python-iptables.......................................... 3 1.2 Installing via pip.............................................
More informationIntroduction to Firewalls using IPTables
Introduction to Firewalls using IPTables The goal of this lab is to implement a firewall solution using IPTables, and to write and to customize new rules to achieve security. You will need to turn in your
More informationMichael Rash DEFCON 12 07/31/2004
Advanced Netfilter: Content Replacement (ala Snort_inline) and Combining Port Knocking with p0f Michael Rash DEFCON 12 07/31/2004 http://www.enterasys.com http://www.cipherdyne.org Introduction Port knocking
More informationSuper Fast Packet Filtering with ebpf and XDP Helen Tabunshchyk, Systems Engineer, Cloudflare
Super Fast Packet Filtering with ebpf and XDP Helen Tabunshchyk, Systems Engineer, Cloudflare @advance_lunge Agenda 1. Background. 2. A tiny bit of theory about routing. 3. Problems that have to be solved.
More informationAssignment 3 Firewalls
LEIC/MEIC - IST Alameda LEIC/MEIC IST Taguspark Network and Computer Security 2013/2014 Assignment 3 Firewalls Goal: Configure a firewall using iptables and fwbuilder. 1 Introduction This lab assignment
More informationPVPP: A Programmable Vector Packet Processor. Sean Choi, Xiang Long, Muhammad Shahbaz, Skip Booth, Andy Keep, John Marshall, Changhoon Kim
PVPP: A Programmable Vector Packet Processor Sean Choi, Xiang Long, Muhammad Shahbaz, Skip Booth, Andy Keep, John Marshall, Changhoon Kim Fixed Set of Protocols Fixed-Function Switch Chip TCP IPv4 IPv6
More informationKernel Korner. Analysis of the HTB Queuing Discipline. Yaron Benita. Abstract
1 of 9 6/18/2006 7:41 PM Kernel Korner Analysis of the HTB Queuing Discipline Yaron Benita Abstract Can Linux do Quality of Service in a way that both offers high throughput and does not exceed the defined
More informationERSPAN in Linux. A short history and review. Presenters: William Tu and Greg Rose
ERSPAN in Linux A short history and review. Presenters: William Tu and Greg Rose 1 What is Port Mirroring? Port mirroring is one of the most common network troubleshooting techniques. SPAN - Switch Port
More informationAccelerating VM networking through XDP. Jason Wang Red Hat
Accelerating VM networking through XDP Jason Wang Red Hat Agenda Kernel VS userspace Introduction to XDP XDP for VM Use cases Benchmark and TODO Q&A Kernel Networking datapath TAP A driver to transmit
More informationIX: A Protected Dataplane Operating System for High Throughput and Low Latency
IX: A Protected Dataplane Operating System for High Throughput and Low Latency Belay, A. et al. Proc. of the 11th USENIX Symp. on OSDI, pp. 49-65, 2014. Reviewed by Chun-Yu and Xinghao Li Summary In this
More informationDevoFlow: Scaling Flow Management for High Performance Networks
DevoFlow: Scaling Flow Management for High Performance Networks SDN Seminar David Sidler 08.04.2016 1 Smart, handles everything Controller Control plane Data plane Dump, forward based on rules Existing
More informationDisclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme
NET1343BU NSX Performance Samuel Kommu #VMworld #NET1343BU Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no
More informationAdvanced Computer Networks. End Host Optimization
Oriana Riva, Department of Computer Science ETH Zürich 263 3501 00 End Host Optimization Patrick Stuedi Spring Semester 2017 1 Today End-host optimizations: NUMA-aware networking Kernel-bypass Remote Direct
More informationUNIVERSITY OF BOLTON SCHOOL OF CREATIVE TECHNOLOGIES COMPUTER NETWORKS AND SECURITY SEMESTER TWO EXAMINATIONS 2017/2018 NETWORK SECURITY
[CRT11] UNIVERSITY OF BOLTON SCHOOL OF CREATIVE TECHNOLOGIES COMPUTER NETWORKS AND SECURITY SEMESTER TWO EXAMINATIONS 2017/2018 NETWORK SECURITY MODULE NO: CPU6004 Date: Tuesday 22 nd May 2018 Time: 14:00
More informationHow to use IP Tables
How to use IP Tables ******************************************************************* *** IPTABLES TUTORIAL I. Definitions and similarities to ipchains II. Chain types and options III. Command line
More informationCSC 4900 Computer Networks: Network Layer
CSC 4900 Computer Networks: Network Layer Professor Henry Carter Fall 2017 Chapter 4: Network Layer 4. 1 Introduction 4.2 What s inside a router 4.3 IP: Internet Protocol Datagram format 4.4 Generalized
More informationSoftware Datapath Acceleration for Stateless Packet Processing
June 22, 2010 Software Datapath Acceleration for Stateless Packet Processing FTF-NET-F0817 Ravi Malhotra Software Architect Reg. U.S. Pat. & Tm. Off. BeeKit, BeeStack, CoreNet, the Energy Efficient Solutions
More informationA practical introduction to XDP
A practical introduction to XDP Jesper Dangaard Brouer (Red Hat) Andy Gospodarek (Broadcom) Linux Plumbers Conference (LPC) Vancouver, Nov 2018 1 What will you learn? Introduction to XDP and relationship
More informationBringing the Power of ebpf to Open vswitch
Bringing the Power of ebpf to Open vswitch William Tu 1 Joe Stringer 2 Yifeng Sun 1 Yi-Hung Wei 1 u9012063@gmail.com joe@cilium.io pkusunyifeng@gmail.com yihung.wei@gmail.com 1 VMware Inc. 2 Cilium.io
More informationInternet Protocol and Transmission Control Protocol
Internet Protocol and Transmission Control Protocol CMSC 414 November 13, 2017 Internet Protcol Recall: 4-bit version 4-bit hdr len 8-bit type of service 16-bit total length (bytes) 8-bit TTL 16-bit identification
More informationPacket Sniffing and Spoofing
Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du Packet Sniffing and Spoofing Chester Rebeiro IIT Madras Shared Networks Every network packet reaches every
More informationTCP Tuning for the Web
TCP Tuning for the Web Jason Cook - @macros - jason@fastly.com Me Co-founder and Operations at Fastly Former Operations Engineer at Wikia Lots of Sysadmin and Linux consulting The Goal Make the best use
More informationUsing NAT in Overlapping Networks
Using NAT in Overlapping Networks Document ID: 13774 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram Configurations Verify Troubleshoot Related Information
More informationLinux System Administration, level 2
Linux System Administration, level 2 IP Tables: the Linux firewall 2004 Ken Barber Some Rights Reserved This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License. To
More informationDatagram. Source IP address. Destination IP address. Options. Data
Datagram Version H. len Service Datagram length Datagram identifier FR-FR FR-FR-FR-FR Time-to-live Transp. prot. H. Checksum Source IP address Destination IP address Options Data Each line represents a
More informationIP Packet. Deny-everything-by-default-policy
IP Packet Deny-everything-by-default-policy IP Packet Accept-everything-by-default-policy iptables syntax iptables -I INPUT -i eth0 -p tcp -s 192.168.56.1 --sport 1024:65535 -d 192.168.56.2 --dport 22
More informationANIC Host CPU Offload Features Overview An Overview of Features and Functions Available with ANIC Adapters
ANIC Host CPU Offload Features Overview An Overview of Features and Functions Available with ANIC Adapters ANIC Adapters Accolade s ANIC line of FPGA-based adapters/nics help accelerate security and networking
More informationNetronome 25GbE SmartNICs with Open vswitch Hardware Offload Drive Unmatched Cloud and Data Center Infrastructure Performance
WHITE PAPER Netronome 25GbE SmartNICs with Open vswitch Hardware Offload Drive Unmatched Cloud and NETRONOME AGILIO CX 25GBE SMARTNICS SIGNIFICANTLY OUTPERFORM MELLANOX CONNECTX-5 25GBE NICS UNDER HIGH-STRESS
More informationGateware Defined Networking (GDN) for Ultra Low Latency Trading and Compliance
Gateware Defined Networking (GDN) for Ultra Low Latency Trading and Compliance STAC Summit: Panel: FPGA for trading today: December 2015 John W. Lockwood, PhD, CEO Algo-Logic Systems, Inc. JWLockwd@algo-logic.com
More informationAgilio CX 2x40GbE with OVS-TC
PERFORMANCE REPORT Agilio CX 2x4GbE with OVS-TC OVS-TC WITH AN AGILIO CX SMARTNIC CAN IMPROVE A SIMPLE L2 FORWARDING USE CASE AT LEAST 2X. WHEN SCALED TO REAL LIFE USE CASES WITH COMPLEX RULES TUNNELING
More informationSome of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras
Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du Firewalls Chester Rebeiro IIT Madras Firewall Block unauthorized traffic flowing from one network to another
More informationCOMP211 Chapter 4 Network Layer: The Data Plane
COMP211 Chapter 4 Network Layer: The Data Plane All material copyright 1996-2016 J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking: A Top Down Approach 7 th edition Jim Kurose, Keith Ross
More informationHybrid Information-Centric Networking
Hybrid Information-Centric Networking ICN inside the Internet Protocol Luca Muscariello, Principal Engineer Giovanna Carofiglio, Distinguished Engineer Jordan Augé, Michele Papalini, Mauro Sardara, Alberto
More informationA Study on Intrusion Detection Techniques in a TCP/IP Environment
A Study on Intrusion Detection Techniques in a TCP/IP Environment C. A. Voglis and S. A. Paschos Department of Computer Science University of Ioannina GREECE Abstract: The TCP/IP protocol suite is the
More informationSupporting Fine-Grained Network Functions through Intel DPDK
Supporting Fine-Grained Network Functions through Intel DPDK Ivano Cerrato, Mauro Annarumma, Fulvio Risso - Politecnico di Torino, Italy EWSDN 2014, September 1st 2014 This project is co-funded by the
More informationFast packet processing in the cloud. Dániel Géhberger Ericsson Research
Fast packet processing in the cloud Dániel Géhberger Ericsson Research Outline Motivation Service chains Hardware related topics, acceleration Virtualization basics Software performance and acceleration
More informationLaboratory 2 Dynamic routing using RIP. Iptables. Part1. Dynamic Routing
Introduction Laboratory 2 Dynamic routing using RIP. Iptables. Part1. Dynamic Routing Static routing has the advantage that it is simple, requires no computing power in router for determining routes (this
More informationWritten by Muhammad Kamran Azeem Wednesday, 02 July :48 - Last Updated Saturday, 25 December :45
Assalam-u-alaikum, I have been receiving many mails for few years now to provide with a firewall script. Lately I received one such mail and I decided to publish, what I replied him with. The names and
More informationSirindhorn International Institute of Technology Thammasat University
Name.............................. ID............... Section...... Seat No...... Sirindhorn International Institute of Technology Thammasat University Course Title: IT Security Instructor: Steven Gordon
More informationENG. WORKSHOP: PRES. Linux Networking Greatness (part II). Roopa Prabhu/Director Engineering Linux Software/Cumulus Networks.
ENG. WORKSHOP: PRES. Linux Networking Greatness (part II). Roopa Prabhu/Director Engineering Linux Software/Cumulus Networks. 3 4 Disaggregation Native Linux networking (= server/host networking) Linux
More informationMedianet Metadata. Finding Feature Information. Restrictions for Medianet Metadata
This module provides an overview of medianet metadata. It also describes how metadata is used by different components of a network to make policy decisions. Finding Feature Information, page 1 Restrictions
More informationInternet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.
Internet Layers Application Application Transport Transport Network Network Network Network Link Link Link Link Ethernet Fiber Optics Physical Layer Wi-Fi ARP requests and responses IP: 192.168.1.1 MAC:
More informationCSC 401 Data and Computer Communications Networks
CSC 401 Data and Computer Communications Networks Network Layer ICMP (5.6), Network Management(5.7) & SDN (5.1, 5.5, 4.4) Prof. Lina Battestilli Fall 2017 Outline 5.6 ICMP: The Internet Control Message
More informationSuricata Performance with a S like Security
Suricata Performance with a S like Security É. Leblond Stamus Networks July. 03, 2018 É. Leblond (Stamus Networks) Suricata Performance with a S like Security July. 03, 2018 1 / 31 1 Introduction Features
More informationOpen-NFP Summer Webinar Series: Session 4: P4, EBPF And Linux TC Offload
Open-NFP Summer Webinar Series: Session 4: P4, EBPF And Linux TC Offload Dinan Gunawardena & Jakub Kicinski - Netronome August 24, 2016 1 Open-NFP www.open-nfp.org Support and grow reusable research in
More information