Deep Packet Inspection as a Service Anat Bremler-Barr IDC Herzliya Joint work with Yotam Harchol, David Hay and Yaron Koral The Hebrew University Appeared at CoNEXT 2014 www.deepness-lab.org This work was supported by European Research Council (ERC) Starting Grant no. 259085 and “Neptune” consortium


Page 1:

Deep Packet Inspection as a Service

Anat Bremler-Barr, IDC Herzliya

Joint work with Yotam Harchol, David Hay and Yaron Koral, The Hebrew University

Appeared at CoNEXT 2014

www.deepness-lab.org

This work was supported by European Research Council (ERC) Starting Grant no. 259085 and the “Neptune” consortium

Page 2:

Middlebox: Current Status

• Many middleboxes (MBs): in some cases even more than switches & routers
• Two revolutions:
  – Software Defined Networks (SDN): controlling the routing → easier to realize service chains
  – Network Function Virtualization (NFV): from HW to SW
• Rethinking MB architecture

[Figure: examples of middleboxes: DDoS protection, firewall, IDS, load balancer, ad insertion]

Page 3:

NFV: Hardware MB → Software MB

• Hardware middlebox
  – Not flexible
  – Expensive
  – Hard to manage (many vendors)
  – Not multi-tenant
  – Difficult to add new features
  – Constraining innovation: higher entry barrier
• Software middlebox
  – Performance penalty: commodity servers, VMs, no hardware accelerators

We suggest a new MB architecture that improves performance and innovation using NFV and SDN

Page 4:

Our approach: MB common modules as a service

• Break the MB architecture into common modules
  – E.g. many MBs use Deep Packet Inspection (DPI)
• Provide modules as a service
  – A single module provides a service to many different kinds of MBs
  – In a service chain scenario, packets use the service only once and not repeatedly in each MB
• DPI as an example

Page 5:

DPI-Based Middleboxes

[Figure: a DPI engine surrounded by the middleboxes that use it: Intrusion Detection System, Network Anti-Virus, L7 Firewall, L7 Load Balancer, Leakage Prevention System, Network Analytics, Traffic Shaper, Lawful Interception, Copyright Enforcement]

A MB processes the packet header or the payload; the latter uses a DPI engine.

Page 6:

DPI Engine – Complicated Challenge

• Pattern set size varies between 10^2 and 10^5 patterns
• The DPI engine is considered a system bottleneck in many of today's MBs (30%-80%) [laboratory simulations over real deployments of Snort and ClamAV]
• Hundreds of academic papers over recent years: scalability, throughput, latency, power, resiliency, updates, compression

Page 7:

Middlebox Service Chains

• Each packet is scanned multiple times, wasting computation resources
• Each MB implements its own DPI engine (higher MB costs, reduced features)

Page 8:

Our Solution: DPI as a Service

Contribution: the idea of having a centralized DPI service instead of multiple instances of it at each middlebox

Benefits:
• Innovation – lower entry barriers
• Reduced costs – cheaper MB HW/SW
• Improved performance – scan each packet once
• Rich DPI functionality – invest once for all MBs
• Enhanced data plane – potential to enhance switches

Page 9:

Agenda

• Architecture aspects of DPI as a service
  – DPI controller
  – Passing results from the DPI to the MBs
• Scalable algorithm that combines DPI patterns from different MBs
• Experimental results
• Vision & future work

Page 10:

ARCHITECTURE

Page 11:

Service chain of MBs in NFV

[Figure: MBs (L7 FW1, IDS1, IDS2, AV1, AV2, TS) running in VMs attached to switches S1–S4; traffic steering between them is programmed by the SDN controller]

Page 12:

DPI as a Service

[Figure: the same topology with a DPI instance added as another VM. Modified service chain: DPI → AV1 → TS → IDS1 → L7 FW1, with the traffic steering programmed by the SDN controller]

Page 13:

Architecture Overview

[Figure: the topology with two DPI instances (DPI1, DPI2), the SDN controller doing traffic steering, and a DPI controller]

New elements:
• DPI controller
• Multiple DPI instances

Page 14:

Details: DPI instance

• A MB sends its pattern set to the DPI controller
• A DPI instance receives an aggregated pattern set from the DPI controller
• The DPI instance scans incoming packets against the aggregated pattern set
• Each pattern & each MB has a unique ID
• Result: <MB ID> + <Pattern ID> + <Match Offset>
• Each packet may contain several pattern matches
• All pattern-match results are attached to the packet

[Figure: example results attached by a DPI instance to one packet: MB: 1, ID: 139, Offset: 90; MB: 2, ID: 14, Offset: 109; MB: 3, ID: 723, Offset: 201; MB: 4, ID: 221, Offset: 507; …]

Page 15:

Architecture Overview (SDN)

[Figure: the same topology with DPI1, DPI2, the SDN controller (traffic steering) and the DPI controller. Control messages: "hello" from the DPI instances and MBs to the DPI controller; "Register Patterns" from the MBs to the DPI controller; "Add Patterns" from the DPI controller to the DPI instances; "Update Service Chain" from the DPI controller to the SDN controller]

Page 16:

Passing Results

• Use a dedicated new header in the packet
• A common need of many network services
• Network Service Header (NSH) – IETF draft (Cisco's vPath)

Results header size:
• For security apps: mostly 0B (no match on 95% of normal traffic)
• Upon a match: 99% of packets use less than 200B

Page 17:

Question: Are the DPI algorithms scalable?

Page 18:

Are DPI Algorithms Scalable?

• Yes: each input byte requires a single lookup regardless of the number of patterns!
• But: a lookup can be 1 memory access or 1 cache access
• Increasing the number of patterns may result in a moderate performance reduction
• The DPI service has a small penalty compared to its advantages

Page 19:

String Matching: Aho-Corasick Algorithm

• Build a Deterministic Finite Automaton (basic full-table variant)
• Example: {E, BE, BD, BCD, CDBCAB, BCAA}
• The head of the tree is in the cache (fast memory)
• More patterns → fewer levels of the tree are in the cache

[Figure: full-table Aho-Corasick DFA for the example set, states s0–s14 with transitions over the alphabet {A, B, C, D, E}; the upper levels of the trie are marked as cache-resident. Scanning the input BCDBCAB visits states s0, s12, s2, s5, s6, s9, s10, s11]

Page 20:

Pattern Set Aggregation

[Figure: MB 0 contributes pattern set 0 and MB 1 contributes pattern set 1; in the aggregated DFA, states are marked as belonging to pattern set 0 only, to pattern set 1 only, or to both sets]
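As an added example (not code from the paper or the authors' prototype), the following Python puts slides 14, 16, 19 and 20 together: it builds the full-table Aho-Corasick DFA of slide 19 over the aggregated pattern sets of two MBs (slide 20), tags each pattern with the MB ID and pattern ID of slide 14, scans a payload with one table lookup per byte, and serializes the match list into a fixed-layout results header of the kind slide 16 attaches to the packet. The two pattern sets, the MB IDs, the 10-byte result record layout and the 32-bit table cells are constructed for illustration; the match offset is reported as the start offset of the match, which the slides do not specify.

```python
"""Aggregated Aho-Corasick DPI service (illustrative, not the paper's code)."""
import struct
from collections import deque

ALPHABET = 256              # byte-oriented full-table DFA: one row of 256 entries per state
STATE_BYTES = 4             # assumed 32-bit state identifier in each table cell
RESULT_FMT = "!HII"         # assumed result record: MB ID (u16), pattern ID (u32), offset (u32)
RESULT_LEN = struct.calcsize(RESULT_FMT)   # 10 bytes per match


class AggregatedDPI:
    """Full-table Aho-Corasick DFA over the union of several MBs' pattern sets."""

    def __init__(self):
        self.goto = [{}]        # trie edges per state: {byte: next state}
        self.fail = [0]         # failure link per state
        self.out = [[]]         # per state: [(mb_id, pattern_id, pattern_len)]
        self.delta = None       # full transition table, filled by build()

    def add_pattern(self, mb_id, pattern_id, pattern):
        s = 0
        for b in pattern:
            nxt = self.goto[s].get(b)
            if nxt is None:                 # new trie node
                nxt = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[s][b] = nxt
            s = nxt
        self.out[s].append((mb_id, pattern_id, len(pattern)))

    def build(self):
        order = []                          # states in BFS order (increasing depth)
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            order.append(r)
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # a match ending here also ends every pattern that is a suffix of it
                self.out[s] = self.out[s] + self.out[self.fail[s]]
        # full table: every (state, byte) resolved ahead of time, so scanning never follows fail links
        self.delta = [[0] * ALPHABET for _ in self.goto]
        for b, s in self.goto[0].items():
            self.delta[0][b] = s
        for s in order:                     # fail[s] is shallower, so its row is already complete
            row = self.delta[self.fail[s]]
            self.delta[s] = [self.goto[s].get(b, row[b]) for b in range(ALPHABET)]
        return self

    def table_bytes(self):
        """Size of the transition table: the part that must fit in cache to keep lookups fast."""
        return len(self.delta) * ALPHABET * STATE_BYTES

    def scan(self, payload):
        """One table lookup per input byte, whatever the number of patterns."""
        s = 0
        results = []
        for i, b in enumerate(payload):
            s = self.delta[s][b]
            for mb_id, pattern_id, length in self.out[s]:
                results.append((mb_id, pattern_id, i - length + 1))   # start offset of the match
        return results


def build_service(pattern_sets):
    """Aggregate {mb_id: {pattern_id: bytes}} from every MB into one DPI instance."""
    dpi = AggregatedDPI()
    for mb_id, patterns in pattern_sets.items():
        for pattern_id, pattern in patterns.items():
            dpi.add_pattern(mb_id, pattern_id, pattern)
    return dpi.build()


def encode_results(results):
    """Serialize <MB ID, pattern ID, offset> records into the results header (0 bytes if no match)."""
    return b"".join(struct.pack(RESULT_FMT, *r) for r in results)


def decode_results(header):
    return [struct.unpack_from(RESULT_FMT, header, off) for off in range(0, len(header), RESULT_LEN)]


def results_for(results, mb_id):
    """What one MB in the chain reads from the header: only the records tagged with its own ID."""
    return [(pid, off) for mb, pid, off in results if mb == mb_id]


# Constructed pattern sets (not real IDS/AV signatures): MB 1 plays an IDS, MB 2 an anti-virus.
# Their union is the example set of slide 19: {E, BE, BD, BCD, CDBCAB, BCAA}.
PATTERN_SETS = {
    1: {1: b"E", 2: b"BE", 3: b"BD"},
    2: {1: b"BCD", 2: b"CDBCAB", 3: b"BCAA"},
}

if __name__ == "__main__":
    dpi = build_service(PATTERN_SETS)
    print("states:", len(dpi.goto), "table bytes:", dpi.table_bytes())
    matches = dpi.scan(b"BCDBCAB")          # the input scanned on slide 19
    header = encode_results(matches)
    print(matches, len(header), "header bytes")
    print("AV (MB 2) sees:", results_for(decode_results(header), 2))
```

The union of the two sets produces exactly the 15 states s0–s14 of the slide's DFA, and the scan of BCDBCAB reports BCD at offset 0 and CDBCAB at offset 1, both tagged with MB 2, so the IDS (MB 1) reads nothing from the header while the anti-virus reads two records. `table_bytes()` makes the cache argument of slides 18–19 concrete: every added state costs a full 256-entry row, so a larger aggregated set pushes the lower trie levels out of cache even though the per-byte work is unchanged.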

Page 21:

Regular Expression Matching

• Are regular expression algorithms scalable? Yes.
• Solutions like a combined DFA/NFA over all expressions are not scalable with repetition operators (e.g. *)
  – May cause memory blowup / a huge performance penalty
  – Not commonly implemented in MBs today
• The current common MB approach (e.g. Snort) is scalable; it implements a two-phase approach:
  1. String matching over all the literal strings that appear in the combined set of regular expressions
  2. Running the single regular expression's DFA, only for the rules whose strings were found

[Figure: the regex <\x21DOCTYPE\s+[^>]*SYSTEM[^>]*>.*\x2EparseError and its literal strings <\x21DOCTYPE, SYSTEM, \x2EparseError; multi-regex matching is replaced by multi-string matching + single-regex matching]
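As an added example (not Snort's code or the paper's), the following Python shows the two-phase approach in miniature: phase 1 checks that every literal string of a rule occurs in the payload, phase 2 runs a rule's regular expression only for the rules that survived phase 1, and the matcher reports how many regex evaluations were needed. The two rules are constructed for illustration (the first one is the slide's regex, with its literals listed the way a Snort `content` list would); plain substring search stands in for the shared Aho-Corasick string scan that a DPI service would run once for all rules.

```python
"""Two-phase regex matching: multi-string prefilter, then one regex per candidate rule."""
import re

# Constructed rules (not real Snort signatures). Each rule lists the literal strings that any
# match of its regex must contain ("content" in Snort terms) plus the full regex ("pcre").
RULES = {
    "doctype-parseerror": {
        "content": [b"<!DOCTYPE", b"SYSTEM", b".parseError"],
        "pcre": re.compile(rb"<\x21DOCTYPE\s+[^>]*SYSTEM[^>]*>.*\x2EparseError"),
    },
    "system-passwd": {
        "content": [b"SYSTEM", b"passwd"],
        "pcre": re.compile(rb"SYSTEM[^\n]*passwd"),
    },
}


def string_phase(payload, rules):
    """Phase 1: rules whose every literal occurs somewhere in the payload.

    Plain substring search stands in for the shared Aho-Corasick scan of the DPI service,
    which finds the literals of all rules in one pass over the bytes. A rule that fails
    here cannot match, so its regex is never evaluated.
    """
    return [rid for rid, rule in rules.items()
            if all(lit in payload for lit in rule["content"])]


def match_rules(payload, rules=RULES):
    """Return (IDs of matching rules, number of regex evaluations performed)."""
    candidates = string_phase(payload, rules)
    matched = []
    for rid in candidates:                   # phase 2: one single-regex DFA per candidate
        if rules[rid]["pcre"].search(payload):
            matched.append(rid)
    return matched, len(candidates)


if __name__ == "__main__":
    # Constructed payloads: a real hit, clean traffic, and literals present in the wrong order
    for payload in (b'<!DOCTYPE html SYSTEM "x.dtd"> ... foo.parseError',
                    b"nothing here",
                    b".parseError SYSTEM <!DOCTYPE"):
        print(payload, "->", match_rules(payload))
```

The third payload is the case that shows why phase 2 is still needed: all three literals are present, so the rule is a candidate and its regex runs once, but the expression fails because the literals appear in the wrong order. Clean traffic, on the other hand, never reaches a regex at all, which is where the throughput of the two-phase design comes from.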

Page 22:

Other Middlebox Architectures

• MB consolidation – [CoMB, NSDI 2012], [xOMB, ANCS 2012], [Crossbeam, 2012], [Kekely et al., INFOCOM 2014]
  – One box to rule them all (MBs)
  – Unified management & resource sharing
  – Our DPI as a service can also be combined internally in a MB consolidation solution
• Outsourced MB (out-of-network) – [Gibb et al., HotSDN 2012], [Sherry et al., SIGCOMM 2012]
  – Latency is no longer an issue
  – DDoS mitigation – Prolexic (now part of Akamai)
  – Our DPI as a service can also be combined in an outsourced MB

[Figure: a consolidated MB: one hypervisor hosting TS, L7 FW1, IDS1 and AV1, each with its own DPI engine, versus a single shared DPI]

Page 23:

Experiments

Page 24:

Experiment: Proof of Concept

• POX SDN controller (OpenFlow 1.0)
• Static steering mechanism
• Separate machines for DPI and middleboxes
• Toy middlebox applications: Snort, ClamAV

[Figure: virtual environment with Toy Snort1, Toy Snort2 and Toy ClamAV, a DPI controller, a DPI service instance, and static steering running over the POX SDN controller]

Page 25:

Virtual DPI Performance

[Figure: throughput [Mbps] vs. number of patterns]

• Running DPI as a virtual service has minor implications on performance

Page 26:

DPI on Combined Pattern Set

[Figure: throughput [Mbps] vs. total number of patterns]

• The throughput of the combined AC DFA is comparable to the original AC DFA
• The number of patterns has a moderate effect on the throughput

Page 27:

Performance Results: Service Chain with Two DPIs

• Two separate DPIs: IDS1 with DPI1 and AV1 with DPI2, each using separate machines
• DPI as a Service: one combined DPI instance serving IDS1 and AV1

Latency, traditional: 21.5 µs/packet
Latency, DPI as a service: 13.8 µs/packet

Page 28:

Superior Performance

[Figure: two separate IDSs (IDS1 with DPI1, IDS2 with DPI2) versus combined DPI instances (DPI as a Service) feeding IDS1 and IDS2]

Page 29:

Dynamic Load Balancing

• Separate IDSs: static load balancing
• DPI as a Service: dynamic load balancing

[Figure: two separate IDSs (IDS1 with DPI1, IDS2 with DPI2) versus combined DPI instances (DPI as a Service) in front of IDS1 and IDS2]

Page 30:

Vision & Future work

Page 31:

MB Data Plane

Data plane tasks: each MB application performs more or less a set of the same MB modules (in a pipeline).

• Wire speed
• Module: software (VM) or hardware (accelerator)
• Currently:
  – In many cases, companies use home-made modules → limited innovation
  – Common modules repeat in many MBs in the service chain → reduced throughput

[Figure: pipeline of common modules: Packet Classification, Application Classification, Session Reconstruction, Decrypt/Decompress, Traffic Normalizer, DPI, Traffic Measurement]

Page 32:

Thin MB with MB Services

MB modules will be implemented as services in the network. Traffic travels between the services.

[Figure: example of DDoS protection composed from services: IP anti-spoofing, Packet Classification, DPI, Traffic Measurement]

Page 33:

The Control Tasks

• Configure the flow between MB modules
• Configure each of the MB modules
• Dynamic changes due to measurements
• Scale up and scale out of modules (orchestration)
• Service chain optimization – use the same service one time in a service chain → improved performance

[Figure: the DDoS protection example (IP anti-spoofing, Packet Classification, DPI, Traffic Measurement) with control actions: "Filter ICMP", and, once measurement shows that X is an attacker, "Filter X"]

Page 34:

Innovation Enabler

• Lower entry barriers
  – If the modules are services, one can tailor a MB by using off-the-shelf modules
  – Cheaper MB HW/SW
• Richer functionality – companies will specialize in specific MB modules
• Simple MBs would be implemented by off-the-shelf services and switches
  – Enhance the switch: use the DPI service to tag packets to drive policies in switches
  – Enhance the MB: SDN switches can perform the packet classification module

Page 35:

Related Industry Solution: Qosmos

• Application-aware classification
  – The company (Qosmos) offers an NFV service that classifies the traffic: Skype / IM / VoIP / FTP / video / social networks, …

[Figure: the Application Classification module]

Page 36:

Anat Bremler-Barr

David Hay Yotam Harchol Yaron Koral

Page 37:

Thank You!!