Design and Performance of the OpenBSD Stateful Packet Filter (pf)

Similar documents
Robust Firewalls with OpenBSD and PF

CSCI 680: Computer & Network Security

CSC 474/574 Information Systems Security

Information About NAT

Network Address Translation (NAT)

History Page. Barracuda NextGen Firewall F

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

Firewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense

IPv6 NAT. Open Source Days 9th-10th March 2013 Copenhagen, Denmark. Patrick McHardy

IP - The Internet Protocol. Based on the slides of Dr. Jorg Liebeherr, University of Virginia

Switching & ARP Week 3

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

Network Address Translation (NAT)

ICS 451: Today's plan

NAT Router Performance Evaluation

Internet Control Message Protocol (ICMP)

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Securing Grid Data Transfer Services with Active Network Portals

Lecture 2: Basic routing, ARP, and basic IP

The Network 15 Layer IPv4 and IPv6 Part 3

Computer Security Spring Firewalls. Aggelos Kiayias University of Connecticut

DEPLOYMENT GUIDE Version 1.1. DNS Traffic Management using the BIG-IP Local Traffic Manager

H

Firewalls. Content. Location of firewalls Design of firewalls. Definitions. Forwarding. Gateways, routers, firewalls.

ARP Inspection and the MAC Address Table for Transparent Firewall Mode

The Netwok 15 Layer IPv4 and IPv6 Part 3

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

IPtables and Netfilter

Each ICMP message contains three fields that define its purpose and provide a checksum. They are TYPE, CODE, and CHECKSUM fields.

Network Address Translation (NAT)

IPv4 addressing, NAT. Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley.

Configuring Advanced Firewall Settings

Università Ca Foscari Venezia

Introduction TELE 301. Routers. Firewalls. Gateways. Sample Large Network

Introduction p. 1 The Need for Security p. 2 Public Network Threats p. 2 Private Network Threats p. 4 The Role of Routers p. 5 Other Security Devices

Implementing Firewall Technologies

Cisco Cisco Certified Network Associate (CCNA)

Worksheet 8. Linux as a router, packet filtering, traffic shaping

Index. ACK flag, 31 action, 29 activating PF, 5

Configuring attack detection and prevention 1

CompTIA Exam JK0-023 CompTIA Network+ certification Version: 5.0 [ Total Questions: 1112 ]

Chapter 2 - Part 1. The TCP/IP Protocol: The Language of the Internet

Computer Networks A Simple Network Analyzer Decoding Ethernet and IP headers

Realtime Multimedia in Presence of Firewalls and Network Address Translation

Network layer: Overview. Network layer functions IP Routing and forwarding NAT ARP IPv6 Routing

Configuring attack detection and prevention 1

Realtime Multimedia in Presence of Firewalls and Network Address Translation. Knut Omang Ifi/Oracle 9 Nov, 2015

Table of Contents. Cisco How NAT Works

NAT Examples and Reference

General Firewall Configuration

Network layer: Overview. Network Layer Functions

Configure. Version: Copyright ImageStream Internet Solutions, Inc., All rights Reserved.

Linux Security & Firewall

NAT Examples and Reference

Optimizing TCP Receive Performance

CSE/EE 461 Lecture 13 Connections and Fragmentation. TCP Connection Management

H

Netfilter. Fedora Core 5 setting up firewall for NIS and NFS labs. June 2006

Lecture 18 Overview. Last Lecture. This Lecture. Next Lecture. Internet Protocol (1) Internet Protocol (2)

DHCP Dynamic Host Configuration Protocol

Digi Connect WAN / ConnectPort WAN Cellular Setup of Surelink

Computer Networks A Simple Network Analyzer PART A undergraduates and graduates PART B graduate students only

Grandstream Networks, Inc. GWN Firewall Features Advanced NAT Configuration Guide

Module: Firewalls. Professor Patrick McDaniel Fall CSE543 - Introduction to Computer and Network Security

CPSC 826 Internetworking. The Network Layer: Routing & Addressing Outline. The Network Layer

Router Architecture Overview

EEC-684/584 Computer Networks

Network Layer PREPARED BY AHMED ABDEL-RAOUF

Operation Manual IP Addressing and IP Performance H3C S5500-SI Series Ethernet Switches. Table of Contents

Information About NAT

ARP Inspection and the MAC Address Table

Computer Networks. More on Standards & Protocols Quality of Service. Week 10. College of Information Science and Engineering Ritsumeikan University

Introduction to Firewalls using IPTables

Configuring Static and Dynamic NAT Translation

Networking interview questions

Table of Contents 1 IP Addressing Configuration IP Performance Configuration 2-1

Growth. Individual departments in a university buy LANs for their own machines and eventually want to interconnect with other campus LANs.

Accelerating Load Balancing programs using HW- Based Hints in XDP

Best Practices with StarWind Replication

Networking midterm. 5. As a data unit moves up from one protocol layer to another, control headers are:

Chapter 5: Ethernet. Introduction to Networks - R&S 6.0. Cisco Networking Academy. Mind Wide Open

Internet Security: Firewall

Switching and Forwarding Reading: Chapter 3 1/30/14 1

CS475 Networks Lecture 8 Chapter 3 Internetworking. Ethernet or Wi-Fi).

Lecture 17 Overview. Last Lecture. Wide Area Networking (2) This Lecture. Internet Protocol (1) Source: chapters 2.2, 2.3,18.4, 19.1, 9.

SC/CSE 3213 Winter Sebastian Magierowski York University CSE 3213, W13 L8: TCP/IP. Outline. Forwarding over network and data link layers

Applications and Performance Analysis of Bridging with L3 Forwarding on Wireless LANs

ICS 351: Networking Protocols

Lecture 3. The Network Layer (cont d) Network Layer 1-1

CS 268: Route Lookup and Packet Classification

Network Security: Firewalls. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

To make a difference between logical address (IP address), which is used at the network layer, and physical address (MAC address),which is used at

Introduction to Cisco ASA Firewall Services

Performance Characteristics on Fast Ethernet, Gigabit and 10 Gigabits networks

CS 458 Internet Engineering Spring First Exam

Welcome to PHOENIX CONTACT Routing

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

Computer Networking. IP Packets, IPv6 & NAT. Some Slides from Internet

Load Balancing Bloxx Web Filter. Deployment Guide v Copyright Loadbalancer.org

Packet Sniffing and Spoofing

Transcription:

Usenix 2002 p.1/22 Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier dhartmei@openbsd.org Systor AG

Usenix 2002 p.2/22 Introduction part of a firewall, working on IP packet level (vs. application level proxies or ethernet level bridges) packet filter intercepting each IP packet that passes through the kernel (in and out on each interface), passing or blocking it stateless inspection based on the fields of each packet stateful filtering keeping track of connections, additional information makes filtering more powerful (sequence number checks) and easier (replies, random client ports)

Usenix 2002 p.3/22 Motivation OpenBSD included IPFilter in the default install what appeared to be a BSD license turned out to be non-free unlike other license problems discovered by the ongoing license audit, this case couldn t be resolved, IPFilter removed from the tree existing alternatives were considered (ipfw), larger code base, kernel dependencies rewrite offers additional options, integrates better with existing kernel features

Usenix 2002 p.4/22 Overview Introduction Motivation Filter rules, skip steps State table, trees, lookups, translations (NAT, redirections) Benchmarks Conclusions

Usenix 2002 p.5/22 Filter rules linear linked list, evaluated top to bottom for each packet (unlike netfilter s chains tree) rules contain parameters that match/mismatch a packet rules pass or block a packet last matching rule wins (except for quick, which aborts rule evaluation) rules can create state, further state matching packets are passed without rule set evaluation

Skip steps transparent optimization of rule set evaluation, improve performance without affecting semantics example: ten consecutive rules apply only to packets from source address X, packet has source address Y, first rule evaluated, next nine skipped skipping is done on most parameters, in pre-defined order parameters like direction (in, out), interface or address family (IPv4/IPv6) partition the rule set a lot, performance increase is significant worst case: consecutive rules have no equal parameters, every rule must be evaluated, no additional cost (linked list traversal) Usenix 2002 p.6/22

Usenix 2002 p.7/22 State table TCP (sequence number checks on each packet), ICMP error messages match referred to packet (simplifies rules without breaking PMTU etc.) UDP, ICMP queries/replies, other protocols, pseudo-connections with timeouts adjustable timeouts, pseudo-connections for non-tcp protocols binary search tree (AVL, now Red-Black), O(log n) even in worst-case key is two address/port pairs

Usenix 2002 p.8/22 Translations (NAT, redirections) translating source addresses: NAT/PAT to one address using proxy ports translating destination: redirections (based on addresses/ports) mapping stored in state table application level proxies (ftp) in userland

Usenix 2002 p.9/22 State table keys one state entry per connection, stored in two trees example: 10.1.1.1:20000 -> 62.65.145.30:50001 -> 129.128.5.191:80 outgoing packets: 10.1.1.1:20000 -> 129.128.5.191:80, replace source address/port with gateway incoming packets: 129.128.5.191:80 -> 62.65.145.30:50001, replace destination address/port with local host three address/port pairs of one connection: lan, gwy, ext without translation, two pairs are equal

Usenix 2002 p.10/22 State table keys two trees: tree-lan-ext (outgoing) and tree-ext-gwy (incoming), contain the same state pointers no addition translation map (and lookup) needed

Usenix 2002 p.11/22 Normalization IP normalization (scrubbing) to remove interpretation ambiguities, like overlapping fragments (confusing IDSs) reassembly (caching) of fragments before filtering, only complete packets are filtered sequence number modulation

Usenix 2002 p.12/22 Logging through bpf, virtual network interface pflog0 link layer header used for pf related information (rule, action) binary log files, readable with tcpdump and other tools

Usenix 2002 p.13/22 Benchmarks: Setup two (old) i386 machines with two network interface cards each, connected with two crosswire Cat5 cables, 10 mbit/s unidirectional tester: generate TCP packets on ethernet level through first NIC, capture incoming ethernet frames on second NIC firewall: OpenBSD and GNU/Linux (equal hardware), IP forwarding enabled, packet filter enabled, no other services, no other network traffic (static arp table)

Usenix 2002 p.14/22 Benchmarks: Packet generation TCP packets of variable size, random source/destination addresses and ports embedded timestamp to calculate latency, incremental serial number to detect packet loss send packets of specified size at specified rate for several seconds, print throughput, latency and loss verify that setup can handle maximum link rate correctly

Usenix 2002 p.15/22 Local, reaching link limit 900 800 1518 bytes/packet receiving rate (packets/s) 700 600 500 400 300 200 100 0 0 100 200 300 400 500 600 700 800 900 sending rate (packets/s)

Usenix 2002 p.15/22 Local, reaching link limit 900 800 812 1518 bytes/packet receiving rate (packets/s) 700 600 500 400 300 200 100 0 0 100 200 300 400 500 600 700 800 900 sending rate (packets/s) 812

Usenix 2002 p.16/22 Local, varying packet sizes 1.4e+06 1.2e+06 1518 bytes throughput (bytes/s) 1e+06 800000 600000 400000 200000 0 812 0 2000 4000 6000 8000 10000 12000 14000 16000 sending rate (packets/s)

Usenix 2002 p.16/22 Local, varying packet sizes 1.4e+06 1.2e+06 1280 bytes throughput (bytes/s) 1e+06 800000 600000 400000 200000 0 961 0 2000 4000 6000 8000 10000 12000 14000 16000 sending rate (packets/s)

Usenix 2002 p.16/22 Local, varying packet sizes 1.4e+06 1.2e+06 1024 bytes throughput (bytes/s) 1e+06 800000 600000 400000 200000 0 1197 0 2000 4000 6000 8000 10000 12000 14000 16000 sending rate (packets/s)

Usenix 2002 p.16/22 Local, varying packet sizes 1.4e+06 1.2e+06 768 bytes throughput (bytes/s) 1e+06 800000 600000 400000 200000 0 1586 0 2000 4000 6000 8000 10000 12000 14000 16000 sending rate (packets/s)

Usenix 2002 p.16/22 Local, varying packet sizes 1.4e+06 1.2e+06 512 bytes throughput (bytes/s) 1e+06 800000 600000 400000 200000 0 2349 0 2000 4000 6000 8000 10000 12000 14000 16000 sending rate (packets/s)

Usenix 2002 p.16/22 Local, varying packet sizes 1.4e+06 1.2e+06 256 bytes throughput (bytes/s) 1e+06 800000 600000 400000 200000 0 4528 0 2000 4000 6000 8000 10000 12000 14000 16000 sending rate (packets/s)

Usenix 2002 p.16/22 Local, varying packet sizes 1.4e+06 1.2e+06 128 bytes throughput (bytes/s) 1e+06 800000 600000 400000 200000 0 8445 0 2000 4000 6000 8000 10000 12000 14000 16000 sending rate (packets/s)

Usenix 2002 p.16/22 Local, varying packet sizes 1.4e+06 1.2e+06 throughput (bytes/s) 1e+06 800000 600000 400000 64 bytes 200000 0 0 2000 4000 6000 8000 10000 12000 14000 16000 sending rate (packets/s) 14880

Usenix 2002 p.16/22 Local, varying packet sizes 1.4e+06 1.2e+06 Local OpenBSD GNU/Linux throughput (bytes/s) 1e+06 800000 600000 400000 200000 0 0 2000 4000 6000 8000 10000 12000 14000 16000 sending rate (packets/s)

Usenix 2002 p.17/22 Stateless, 100 rules, throughput 5000 4500 iptables 4000 throughput (packets/s) 3500 3000 2500 2000 1500 1000 500 0 0 1000 2000 3000 4000 5000 sending rate (packets/s)

Usenix 2002 p.17/22 Stateless, 100 rules, throughput 5000 4500 iptables ipf 4000 throughput (packets/s) 3500 3000 2500 2000 1500 1000 500 0 0 1000 2000 3000 4000 5000 sending rate (packets/s)

Usenix 2002 p.17/22 Stateless, 100 rules, throughput 5000 4500 4000 iptables ipf pf throughput (packets/s) 3500 3000 2500 2000 1500 1000 500 0 0 1000 2000 3000 4000 5000 sending rate (packets/s)

Usenix 2002 p.18/22 Maximum throughput vs. rules maximum throughput (packets/s) 5000 4500 4000 3500 3000 2500 2000 1500 1000 500 0 200 400 600 800 1000 number of rules iptables ipf pf

Usenix 2002 p.19/22 Maximum throughput vs. states 7500 7000 ipf pf maximum throughput (packets/s) 6500 6000 5500 5000 4500 4000 3500 3000 0 5000 10000 15000 20000 number of states

Usenix 2002 p.20/22 Conclusions rule set evaluation is expensive. State lookups are cheap filtering statefully not only improves filter decision quality, it actually increases performance memory cost: 64000 states with 64MB RAM (without tuning), increasing linearly binary search tree for states scales with O(log n)

Usenix 2002 p.21/22 Production results Duron 700MHz, 128MB RAM, 3x DEC 21143 NICs 25000-40000 concurrent states average of 5000 packets/s fully stateful filtering (no stateless passing) CPU load doesn t exceed 10 percent (same box and filter policy with IPFilter was 90 percent load average)

Usenix 2002 p.22/22 Questions? The OpenBSD Project: http://www.openbsd.org/ Paper and slides: http://www.benzedrine.cx/pf.html dhartmei@openbsd.org

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback