FFPF: Fairly Fast Packet Filters

FFPF: Fairly Fast Packet Filters

uspace

kspace

nspace

Vrije Universiteit Amsterdam

Herbert Bos Willem de BruijnTrung NguyenMihai Cristea Georgios Portokalidis

Universiteit Leiden

Vrije Universiteit Amsterdamu

k

n

http://ffpf.sourceforge.net/

Why?

● Traffic characterisation– what % of traffic used by

KaZaa, Gnutella, e-Donkey,video streams, FTP data?

difficult due to dynamic ports

Why?

● Security: worms– early warning: are there

any worms on the loose?– intrusion detection

● Denial of Service attacksspread of CODE-RED in 24 hours

Why?

● Security: worms– early warning: are there

any worms on the loose?– intrusion detection

● Denial of Service attacks

difficult at high speeds

spread of SAPPHIRE in 30 minutes

Why?

● traffic engineering● accounting● billing● SLA monitoring

monitoring increasingly important

hypothesis: multiple applications on single host– monitoring nodes (e.g., gateways)

Network Monitoring

● Existing solutions:– designed for slow networks

or traffic engineering/QoS– not very flexible

● We’re hurting because of– hardware (bus, memory)– software

demand for solution: – scales to high link rates– scalable in no. of apps– flexible

-process at lowest possible level-minimise copying -minimise context switching-freedom at the bottom

FFPF contributionsgeneralised concept of ‘flow’

copying and context switching are minimised

complex processing in kernel or NIC

- reduces no. of packets that must be sent to userspace- language neutral- complex packet processing by connecting simple filters (not unlike UNIX pipes)

FPL: FFPF Packet Language

persistent storage for flow-specific state

flow groups

- applications sharing buffers

Application B

reduce copying● FFPF avoids both ‘horizontal’ and ‘vertical’

copies● 3 buffers: PBuf, IBuf, and MBuf

Application A

U

K

‘filter’- no ‘vertical’

copies

- no ‘horizontal’ copies

within flow group

- more than ‘just filtering’

in kernel (e.g.,statistics)

Fairly Fast Packet Filters

Flow: “a stream of packets that matches arbitrary user criteria”

TCP SYN

UID 0

eth0

U TCP

UDP

IP

HTTP RTSP

RTP

“contains worm”

?

x

?

?

?

kernel

userspace

network card

Efficient

● flowgroups: sharing data● flowgraphs: sharing computations● reduced copying and context switches

“push filtering tasks as far down the processing hierarchy as possible”

(device,eth0) | (device,eth1) -> (sampler,2) -> (FPL-2,”..”) | (BPF,”..”) -> (bytecount)

(device,eth0) -> (sampler,2) -> (BPF,”..”) -> (packetcount)

Extensible

✔ modular framework✔ language agnostic✔ plug-in filters

(device,eth0) -> (sampler,2) -> (BPF,”..”) -> (packetcount)

(device,eth0) -> (sampler,2) -> (BPF,”..”) -> (strsearch)

device sampler BPF pktcount

strsearch

uspace

kspace

nspace

MAPI

PCAP

ANYAPP

Compatibleprocessing hierarchy

Buffers● MBuf

– unstructured array of bytes● PBuf

– circular buffer with N fixed-size slots– large enough to hold packet

● IBuf– circular buffer with N slots of size ‘sizeof(int)+sizeof(int*)’– contains classification result

writer (e.g., kernel) writes in circular buffer at write position

reader explicitly advances its read pointerX

O

O

O

O

OO O

W

R

Buffers● MBuf

– unstructured array of bytes● PBuf

– circular buffer with N fixed-size slots– large enough to hold packet

● IBuf– circular buffer with N slots of size ‘sizeof(int)+sizeof(int*)’– contains classification result

writer (e.g., kernel) writes in circular buffer at write position

reader explicitly advances its read pointerX

O

O

O

O

OO O

WR

● MBuf– unstructured array of bytes

● PBuf – circular buffer with N fixed-size slots– large enough to hold packet

● IBuf– circular buffer with N slots of size ‘sizeof(int)+sizeof(int*)’– contains classification result

writer (e.g., kernel) writes in circular buffer at write position

reader explicitly advances its read pointer (typically by >1) X

X

X

X

X

XO O

WR

Buffers

Buffer management what to do if writer catches

up with slowest reader?● slow reader preference

– drop new packets (traditional way of dealing with this)

– overall speed determined by slowest reader● fast reader preference

– overwrite existing packets– application responsible for keeping up

● can check that packets have been overwritten● different drop rates for different apps

O

O

O

O

OO O

R1

OO O

O

O

O

O

O

O

W

R1

Languages

● FFPF is language neutral● Currently support:

– BPF– C– OKE Cyclone– FPL-1– FPL-2

•simple to use•compiles to C and then to optimised object code•resource limited•restricted FOR loop•access to persistent storage (Mbuf)•calls to external functions (e.g., fast C functions or hardware assists)•compiler for uspace, kspace, and nspace (ixp1200)

IF (PKT.IP_PROTO == PROTO_TCP)THEN // reg.0 = hash over flow fields R[0] = Hash (14,12,256)

// increment pkt counter at this // location in MBuf MEM[ R[0] ]++FI

Authorisation and third-party code

● client requests need to be approved by authd– may check that:

● X only looks at packets destined to itself● Y never applies a string search● string search only occurs after sampling● FPL-2 filter really are what they claims they are

● FFPF allows third party code in the lowest levels– based on Open Kernel Environment

http://www.cs.vu.nl/~herbertb/projects/oke/

Performance results

Performance results

NIC-FIX: FFPF on IXPs

uspace

kspace

nspace

bottom of the processing hierarchy

eliminates mem & bus bottlenecks

Network Processors

“programmable NIC”

zero copy

copy once

on-demand copy

regular copy copy once zero copy0

10

20

30

40

50

60

70

80

90

100

Copy Strategiesreference

drop

accept

pro

cess

ed (in

%)

Performance

More Information

http://ffpf.sourceforge.net/

microbenchmarks