bpc: a language for packet classification
DESCRIPTION
BPC: A language for packet classification. Haiyong Wang [email protected]. What is classification. Classification is a mechanism that inspects incoming network packets, and based on the values found in selected header fields, determines how each to be processed. - PowerPoint PPT PresentationTRANSCRIPT
What is classification
Classification is a mechanism that inspects incoming network packets, and based on the values found in selected header fields, determines how each to be processed.
Usually, specifications are expressed as rules.
Packets satisfying the same rule are classify into one flow.
Classification: an example
ISP1
ISP2
ISP3
Router
Classifier
Flow1
Flow2
Flow3
net 202.128.201.0/24
net 202.128.202.0/24
net 202.128.203.0/24
Why Classification
Essential to QoS (admission control, resource
reservation, per-flow queuing and fair scheduling)Necessary to many advanced services
( load balancing and content-based routing)ISP ( Accounting, billing and network monitoring )Network Security
What has been done?
Networking community: extend IP lookup Focus on performance Very limited specifications, no language. Only work on Layer 3/4 header
OS community: packet demultiplexing machine-code level specification(difficult to
develop and test) Filter composition issues
My work
Based on a high-level packet filter language(BPF)
Filter compositionLook deeper and smarterKeep status
Why high-level language?
Tcp port HTTP
(((12:16 == 0x8 ) && #IP?
Shift(6 + 6 + 2)&& #skip Ethernet header
(9:8== 6)&& #TCP?
Shift(20)&& #skip IP header
(0:16 == 80)&& #src port 80
(2:16 == 80) #dst port 80
Easy to use and error-free
Short!
You can not express this in low level language!Source network ==
Destination network
Tcp port HTTP
(((12:16 == 0x8 ) && #IP?
Shift(6 + 6 + 2)&& #skip Ethernet header
(9:8== 6)&& #TCP?
Shift(20)&& #skip IP header
(0:16 == 80)&& #src port 80
(2:16 == 80) #dst port 80
Filter Composition
Syntax $1 filter expression1 $2 filter expression2 … $n filter expression n
Priority is used to resolve conflict
A Real Scenario
UserA: Online chat
UserB: Napster fan
UserC: Real player Stream
Low Delay
Low Bandwidth
Greedy Source
Constant BW
Low delay
Low Jitter ISP
BPC solution
$1 host user A and port A
$2 host user B and port B
$3 host user C and port C
Flow A: the highest priority
Flow B:the lowest priority
Flow C: reserve bandwidth
UserB: Napster fan
UserA: Online chat
UserC: Real player Stream
Look Deeper and Smarter
Why TCP/IP does not specify what to transmit Many application-layer protocols put
keywords at the beginning of the payload
How Search Regular Expression Allow User to define their own criteria
Syntax
Include “Regular String” from Len1 to Len2
Ethernet Header IP Header TCP Header Application protocol
Include “Regular String”
From Len1 to Len2
Ethernet Header IP Header TCP Header Application protocol
Invoke “user routine”
many protocols are case insensitive
Limit the range can reduce the expense
boolean user_routine( void *packet, int len)
“I love you”
I Love youI Love you
I Love you
“I love you” (con’d)
$include “I *Love*You” from 20 to 100 and port mail port
I Love you
I Love you
I Love you
Why keep status
Enable us to classify packets dynamically according to the connections
Provide uniform services to all the packets in the same connection
Resource Reservation (allocation and de-allocation)
How to do that: Syntax
trigger ( start expression ) remove ( end expression ) satisfy ( match expression ) identify by ( key words )
Keep status: an example
Example: TCP connection trigger (tcp[13]&2 = 2) #SYN packet remove tcp[13]&1 = 1 ) #FIN packet satisfy ( tcp ) identify (src host, src port, dst host, dst
port)
DDOS
Intruder
Master Master
D
Web Server
D D D D D
Packet Classifier
Is Everything all right
Analogy
luxury, spacious, but slow carriage
economy, crowded and even unsafe,
but super-fast rocketWhat’s the moral
Performance!!!
How to run fast
Replace interpreter with native codeSpecial hardware (hash table,
parallel computation)Compiler Optimization
Intra-filter Inter-filter
Inter-filter Optimization
ether.type== IP
ip.src ==host1
True False
No
No
Yes
Yes
ether.type== IP
ip.dst ==host2
True False
No
No
Yes
Yes
Ip src host1 Ip dst host2
Optimization( con’d )
Yes
ether.type== IP
ip.dst ==host2
False#1
NoNo
ip.src ==host1
Yes
#2Yes No
Summary
Work has been done Design a packet classification language
by extending BPF Implement a working system.( You are
welcomed to take a look after class )Future Work
Integrate BPC into BPF Performance issues