1 / 42

The Packet Filter: An Efficient Mechanism for User-level Network code

The Packet Filter: An Efficient Mechanism for User-level Network code. 발표자 : 황영덕 Wireless & Mobile Lab. usei@ihanyang.ac.kr 발표일 : 2003-05-20. 저자 : Jeffrey C. Mogul Digital Equipment Corporation Western research lab. Richard F. Rashid Michael J. Accetta Department of Computer Science

dulcea
Download Presentation

The Packet Filter: An Efficient Mechanism for User-level Network code

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. The Packet Filter:An Efficient Mechanism for User-level Network code 발표자: 황영덕 Wireless & Mobile Lab. usei@ihanyang.ac.kr 발표일 : 2003-05-20 저자: Jeffrey C. Mogul Digital Equipment Corporation Western research lab. Richard F. Rashid Michael J. Accetta Department of Computer Science Carnegie-Mellon University

  2. Contents • Introduction • Motivation • User-level interface abstraction • Implementation • Uses of the packet filter • Performance • Problems and possible improvements • Summary

  3. 1. Introduction • Kernel-resident network code • Harder to implement and maintain • User-level implementation • Terrible performance • Get adequate performance from a user-level protocol implementation • The key : Demultiplexing mechanism • Demultiplexing ? • Can be done either in the kernel, or in a user-level • User-mode demultiplexing is flexible control, but expensive • Kernel demultiplexing is efficient, but criteria

  4. §Demultiplexing ? • Ethernet frame이 수신되면, protocol stack을 올라가며 header의 식별자를 보고 데이터를 전송할 다음 상위 계층을 결정하는 과정 … … Process Process Process User Process TCP 또는 UDP 헤더의 목적지 포트 번호를 기반으로 한 역 다중화 TCP UDP ICMP IGMP IP 헤더의 프로토콜 값을 기반으로 한 역 다중화 IP ARP RARP 이더넷 헤더의 프레임 유형을 기반으로 한 역 다중화 Ethernet Driver Received frame Figure : 역다중화(Demultiplexing)

  5. §Demultiplexing ? • Demultiplexing key • Message Queue • Well-known port Process1 Process2 Process3 Port# 8000 Port# 8001 Port# 8002 8002 UDP

  6. 1. Introduction (Cont.) • Packet filter ? • Part of the operating system kernel • Delivers packets with a system calls and context switches • Result • Reasonably efficient • Easy-to-use abstraction for developing • And running network applications

  7. 2. Motivation • Software to support networking protocols • Tremendously important as a result of use of LAN • Create reliable, efficient code • Kernel source are devoted to networking • 30% of the 4.3BSD Unix • 25% of the TOPS-20 (Version 6.1) • 32% of the V-system • Development of network software • Slow and seldom yields finished systems • Debugging of code

  8. 2. Motivation (Cont.) • Network code resides in the kernel • This makes it much harder to writer and debug • Kernel must be recompiled and rebooted • Bugs in kernel code are system crashes • Kernel modules may have complex interactions over shared resources • Kernel-code debugging cannot be done during normal time sharing • Sophisticated debugging and monitoring facilities • Kernel source code is not always available

  9. 2. Motivation (Cont.) • Context switching and inter-process communication are expensive Demux Process Destination Process Network Kernel Figure 1: Costs of demultiplexing in a user process

  10. 2. Motivation (Cont.) Destination Process Network Kernel Figure 2: Costs of demultiplexing in the kernel

  11. 2. Motivation (Cont.) • Confines these overhead packet to the kernel • Domain-crossing events (section 3) Destination Process Network Kernel Data ACK Data ACK Figure 3: Kernel-resident protocols reduce domain-crossing

  12. 2.1 Historical background • Packet filter first arose in 1976, in the Xerox Alto • Shared a single address space with all processes • First Unix implementation of the packet filter done in 1980

  13. VMTP PUP 3. User-level interface abstraction • Code to implement protocols lives in each process Network Kernel Device Driver Packet Filter Network Monitor User process Figure 4: Relationship between packet filter and other system component

  14. 3. User-level interface abstraction (Cont.) • Implemented inside the kernel Network Kernel Device Driver IP TCP UDP User process Figure 5: 4.3BSD networking model

  15. VMTP 3. User-level interface abstraction (Cont.) Network Kernel Device Driver IP Packet Filter TCP UDP PUP User process Figure 6: Packet filter coexisting with 4.3 BSD networking model

  16. 3. User-level interface abstraction (Cont.) • Three major components • Packet transmission • Simple • write systerm call • Unreliable • Packet reception • Complicated • Queue (port using an ioctl system call ) • Stack based “language” ( filter language 3.1 ) • Control and status information • read system call • non-blocking network I/O ?

  17. 3. User-level interface abstraction (Cont.) Destination Process Network Kernel Data read read read Figure 7: Delivery without received-packet batching

  18. 3. User-level interface abstraction (Cont.) Destination Process Network Kernel Data read Figure 8: Delivery with received-packet batching

  19. §Filter 규칙에 의한 처리과정 Application 패킷 수신 Transport 규칙 적용가능? YES 다음 규칙 NO Network 마지막규칙? NO Datalink YES 패킷 통과 여부 결정 패킷 거부 YES NO NACK 전송

  20. 10 Bits 6 Bits Binary Operator Stack Action First word: 16Bits Literal constant Second word: 3.1 Filter language detail • Interpreter • Array of 16-bit words • stack action field and a binary operation field Stack Action Effect on stack NOPUSH PUSHLIT PUSHONE PUSHFFFF PUSHFF00 PUSH00FF PUSHWORD+n None Following instruction word is pushed Constant one is pushed Constant 0xFFFF is pushed Constant 0xFF00 is pushed Constant 0x00FF is pushed n th word of packet is pushed

  21. 3.1 Filter language detail Figure10: Format of Pup Packet header on 3Mb Ethernet

  22. 3.1 Filter language detail (Cont.) • This filter accepts all Pup packets with Pup types between 1 and 100. struct enfilter f = { 10, 12, /* priority and length */ PUSHWORD+1, PUSHLIT | EQ, 2, /* packet type == PUP */ PUSHWORD+3, PUSH00FF | AND, /* mask low byte */ PUSHZERO | GT, /* Pup type > 0 */ PUSHWORD+3, PUSH00FF | AND, /* mask low byte */ PUSHLIT | LE, 100, /* puptype <=100 */ AND, /* 0 < Puptype <== 100 */ AND /* && PACKET TYPE == pup */ }; Figure 11: Example filter program

  23. 3.1 Filter language detail (Cont.) • This filter accepts Pup packets with a Pup DstSocket filed of 35. struct enfilter f = { 10, 8, /* priority and length */ PUSHWORD+8, PUSHLIT | CAND, 35, /* Low word of socket ==35 */ PUSHWORD+7, PUSHZERO | CAND, /* High word of socket ==0 */ PUSHWORD+1, PUSHLIT | EQ, 2 /* Packet type == pup */ }; Figure 12: Example filter programUsing short-circuit operations

  24. 3.2 Control and status information • The user can control the packet filter’s action • Timeout duration for blocking reads • The signal, packet reception, maximum length of the queue • Information provided by the packet filter • Type of data-link layer, length…, header… • Maximum packet size • Address for incoming packets • Used for data-link layer broadcasts.

  25. 4. Implementation • Implemented in 4.3 BSD Unix as a “character special device” • Character special device • Called from user code open, close, read, write and ioctl system call • The packet filter module is about 2000 lines of C code • Packet filter requires no modification of the Unix Kernel: Well-isolated

  26. §BSD Packet Filter Figure : BSD Packet Filter

  27. 5. Uses of the packet filter • Pup protocols • V-system protocols • Message-based distributed operating system • RARP • Network Monitoring • LANalyzer, sniffer, Lanscan… • NIT vs BPF

  28. 6. Performance • Kernel per-packet processing time • 1.3 million packets • 21% : processed by the packet filter • 69% : IP packet • 10% : ARP • Packet filter • average of 1.57 mSec processing each packet • Kernel-resident IP implementation • IP packet was 1.77 mSec • Prcoessing up to the TCP and UDP : 0.49 mSec

  29. 6. Performance (Cont.) • Total per-Packet processing time

  30. 6. Performance (Cont.) • VMTP Performance

  31. 6. Performance (Cont.) • VMTP Performance : bulk data transfer

  32. 6. Performance (Cont.) • Byte-stream throughput

  33. 6. Performance (Cont.) • Costs of demultiplexing outside the kernel

  34. 8. Summary • The performace of the packet filter is clearly better then that of a user-level demultiplexer, and the performance of protocol code based on the packet filter is clearly worse than that of kernel-resident protocol code.

  35. §A.1 Packet Filter • Host 의 Device driver와 상호 동작할 수 있는 효율적인 기술 • 대부분의 Unix 버전들은 사용자 수준에서 패킷수집 기능을 두어 Network 감시를 할 수 있도록 함 • Monitoring은 패킷의 처음 몇 바이트만 필요하므로 필요한 길이를 지정하여 수집되는 헤더로부터 통계량을 모은다. • Network Interface Tap (NIT) • Bactched read 지원함으로 System call을 줄임 • Stack구조 • BSD Packet Filter (BPF) • 현재까지 알려진 가장 강력한 패킷필터 • Stack구조보다 20배 빠른 register 이용 • Non-shared buffer model

  36. §A.1 Packet Filter - BPF • BPF가 설치되어 있으면 상위 protocol stack으로 올려보내기전에 BPF에게 패킷을 먼저 복사 • 패킷당 읽어들이지 않고 버퍼에서 하나의 단위로 모아서 읽어들임 • 수집된 패킷을 처리하기위한 버퍼 • Store buffer, Hold buffer, Free buffer

  37. §B. tcpdump • 소개 • 조건식을 만족하는 네트웍 인터페이스를 거치는 모든 패킷의 수집 • 침입탐지나 트래픽 분석에 사용 • Download • ftp://ftp.ee.lbl.gov/libpcap.tar.Z • ftp://ftp.ee.lbl.gov/tcpdump.tar.Z

  38. §B. tcpdump - option • -a : Network & Broadcast 주소들을 이름들로 바꾼다. • -c : Number : 제시된 수의 패킷을 받은 후 종료한다. • -dd : packet-matching code를 C program의 일부로 출력한다. • -ddd : packet-matching code를 숫자로 출력한다. • -e : 출력되는 각각의 행에 대해서 link-level 헤더를 출력한다 • -F file : filter 표현의 입력으로 파일을 받아들인다. 커맨드라인에 주어진 추가의 표현들은 모두 무시된다. • -i device : 어느 인터페이스를 경유하는 패킷들을 잡을지 지정한다. • -n : 모든 주소들을 번역하지 않는다(port,host address 등등) • -N : 호스트 이름을 출력할 때, 도메인을 찍지 않는다. • -p 인터페이스를 promiscuous mode로 두지 않는다. • -q 프로토콜에 대한 정보를 덜 출력한다. 따라서 출력되는 라인이 좀 더 짧아진다.

  39. §B. tcpdump - primitive • dst host HOSTpacket의 IP destination 항목이 HOST일때 참이 된다. • src host HOSTpacket의 IP source 항목이 HOST일때 참이 된다. • host HOSTIP source, IP destination 항목 중 어느 하나라도 HOST이면 참이다. • ether dst ehostethernet destination 주소가 ehost일 때 참이다. • ether src ehostethernet source 주소가 ehost일 때 참이다. • ether host ehostethernet source, destination 항목들 중 어느 하나라도 ehost이면 참이다. • dst net NET패킷의 IP destination 주소가 NET의 network number를 가지고 있을 때 참이 다. • src net NET패킷의 IP source 주소가 NET의 network number를 가지고 있을 때 참이다. • net NET패킷의 IP source 주소 혹은 destination 주소가 NET의 network number를 가 지고 있을 때 참이다. • net netmask maskIP 어드레스가 지정된 netmask를 통해서 net과 매칭되면 참이다. • net net/lenIP 어드레스가 netmask와 len 비트만큼 매치되면 참이다.

  40. §B. tcpdump – packet 수집 • 수집크기 • Tcpdump는 수집하는 데이터의 크기 결정가능 • Tcpdump는 보내지는 데이터그램 전체를 수집하지 않고, 일반적으로 수집된 데이터의 길이는 68바이트 • 수집 크기변경 • Tcpdump –s length • Tcpdump –s 1514 • (14바이트 이더넷 프레임 헤더와 1500바이트 이더넷을 위한 최대한의 전송단위 패킷 수집) 20 Byte 20 Byte 14 Byte 14 Byte Ethernet frame IP Datagram 내장된 패킷 TCP, UDP,ICMP

  41. §B. tcpdump – 결과 • 결과 샘플 TCP Flag Timestamp Source host Port Destination host . Port 05:06:35.981443 166.104.114.81.ssh > 218.49.139.135.3752: P 18704:18864(160) ack 161 win 30660 (DF) [tos 0x10] TCP 시작 sequence number : TCP 종료 sequence number(Data bytes) Window size Table : TCP Flag

  42. §B. tcpdump – example

More Related