master thesis supporting ipv6 host-based multihoming ... · master thesis supporting ipv6...
TRANSCRIPT
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
Master Thesis
Supporting IPv6 host-based multihoming (shim6)in Linux Firewalls
Christoph Paasch
December 20, 2010
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
1 Theoretic overview
2 Shim6 and Firewalls: Problem statement
3 Implementation
4 Performance evaluation
5 Configuring a shim6-firewall
6 Conclusion
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
MultihomingShim6Statefull firewall
1 Theoretic overviewMultihomingShim6Statefull firewall
2 Shim6 and Firewalls: Problem statementDesign of the shim6 firewall
3 ImplementationShim6-firewall architecture
4 Performance evaluation
5 Configuring a shim6-firewall
6 Conclusion
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
MultihomingShim6Statefull firewall
Multihoming
Supporting IPv6 host-based multihoming (shim6) in Linux Firewalls
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
MultihomingShim6Statefull firewall
Multihoming
Supporting IPv6 host-based multihoming (shim6) in Linux Firewalls
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
MultihomingShim6Statefull firewall
Multihoming
Supporting IPv6 host-based multihoming (shim6) in Linux Firewalls
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
MultihomingShim6Statefull firewall
Shim6
Supporting IPv6 host-based multihoming (shim6) in Linux Firewalls
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
MultihomingShim6Statefull firewall
Shim6
Supporting IPv6 host-based multihoming (shim6) in Linux Firewalls
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
MultihomingShim6Statefull firewall
Shim6
Supporting IPv6 host-based multihoming (shim6) in Linux Firewalls
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
MultihomingShim6Statefull firewall
Shim6
Supporting IPv6 host-based multihoming (shim6) in Linux Firewalls
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
MultihomingShim6Statefull firewall
Shim6
Separate Locators from Identifiers.
Identifier Identifies a connection and is passed to the upper layerprotocols.
Locators Used inside the packet.
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
MultihomingShim6Statefull firewall
Shim6
Shim6 control messagesEstablish the shim6 sessionAssure connectivitySwitch locators
Shim6 payload messagesTransport payload-data, tagged with the context tag
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
MultihomingShim6Statefull firewall
Statefull firewall
Supporting IPv6 host-based multihoming(shim6) in Linux Firewalls
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
MultihomingShim6Statefull firewall
Statefull firewall
Supporting IPv6 host-based multihoming(shim6) in Linux Firewalls
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
MultihomingShim6Statefull firewall
Statefull firewall
Supporting IPv6 host-based multihoming(shim6) in Linux Firewalls
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
MultihomingShim6Statefull firewall
Statefull firewall
Supporting IPv6 host-based multihoming(shim6) in Linux Firewalls
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
Design of the shim6 firewall
1 Theoretic overviewMultihomingShim6Statefull firewall
2 Shim6 and Firewalls: Problem statementDesign of the shim6 firewall
3 ImplementationShim6-firewall architecture
4 Performance evaluation
5 Configuring a shim6-firewall
6 Conclusion
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
Design of the shim6 firewall
Shim6 vs. Stateful Firewalls
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
Design of the shim6 firewall
Shim6 vs. Stateful Firewalls
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
Design of the shim6 firewall
Solution
Associate the new flow to the original state
Track shim6 context establishment
Map Context Tag to the pair of identifiers
ProblemsShim6 does not allow support of each feature in stateful firewalls.Shim6 needs to be changed.
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
Shim6-firewall architecture
1 Theoretic overviewMultihomingShim6Statefull firewall
2 Shim6 and Firewalls: Problem statementDesign of the shim6 firewall
3 ImplementationShim6-firewall architecture
4 Performance evaluation
5 Configuring a shim6-firewall
6 Conclusion
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
Shim6-firewall architecture
Shim6-Firewall architecture
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
Shim6-firewall architecture
Shim6-Firewall architecture
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
1 Theoretic overviewMultihomingShim6Statefull firewall
2 Shim6 and Firewalls: Problem statementDesign of the shim6 firewall
3 ImplementationShim6-firewall architecture
4 Performance evaluation
5 Configuring a shim6-firewall
6 Conclusion
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
Test Setup
Creation of a huge number of firewall-states
Delay measured that the firewall introduces
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
Session Initiation messages
10
20
30
40
50
60
70
80
90
100
0 50000 100000 150000 200000 250000 300000
Del
ay in
mic
ro-s
econ
ds
Number of states created
Delay introduced by the firewall for shim6/TCP state initiation messages
TCP-syn on shim6-firewallI1-message on shim6-firewall
TCP-syn on clean Kernel
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
1 Theoretic overviewMultihomingShim6Statefull firewall
2 Shim6 and Firewalls: Problem statementDesign of the shim6 firewall
3 ImplementationShim6-firewall architecture
4 Performance evaluation
5 Configuring a shim6-firewall
6 Conclusion
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
Express consistent rules
Filter on identifiers rather than on locators.
Avoid locator-specific rules.
Avoid per-locators rate-limiting rules.
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
1 Theoretic overviewMultihomingShim6Statefull firewall
2 Shim6 and Firewalls: Problem statementDesign of the shim6 firewall
3 ImplementationShim6-firewall architecture
4 Performance evaluation
5 Configuring a shim6-firewall
6 Conclusion
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
Conclusion
Most parts of shim6 are supported in the Linux firewall.
Performs very well even with a huge number of states.
Configuring the firewall needs to be done carfully.
Future WorkMinor modifications to the shim6 protocol.
Adapt firewall to these changes.
Tweak the firewall to achieve best performance.
Christoph Paasch Master Thesis - Shim6-firewall
Theoretic overviewShim6 and Firewalls: Problem statement
ImplementationPerformance evaluation
Configuring a shim6-firewallConclusion
Questions?
Christoph Paasch Master Thesis - Shim6-firewall