
Detecting and Resolving Packet Filter Conflicts


Presentation Transcript


  1. Detecting and Resolving Packet Filter Conflicts Adiseshu Hari, Bell Laboratories Subhash Suri and Guru Parulkar, Washington University Advanced Topics in IP Networks Presented by Yaron Gvili

  2. Outline • Packet filtering concepts • The filter conflict problem • General algorithms for filter conflict detection and resolution • Optimizations for specific cases • Results and conclusions

  3. Packet Filtering Concepts • Classification of packets based on their header fields • Actions taken according to packet class • Forwarding, QoS, VPN, Firewall • Rules applied to millions of packets per second

  4. Packet Filters • Are sets of packets • Are defined in terms of header fields • Source IP prefix, destination IP prefix • Protocol type set • Source port range, destination port range • Compose the router state

  5. Example: Simple Router State

  6. Outline • Packet filtering concepts • The filter conflict problem • General algorithms for filter conflict detection and resolution • Optimizations for specific cases • Results and conclusions

  7. Problem: Filter Conflicts • A packet may match overlapping filters with different actions • Traffic loss, poor bandwidth utilization, security holes • A packet may match many filters, requiring a linear filter base scan or special hardware • Performance, cost

  8. The Geometric Connection • A 1-tuple corresponds to a segment in a line; a 2-tuple to a rectangle in a plane [figure: a segment and a rectangle drawn on axes running from 0 to 2^32]

  9. Solution: Implicit Conflict Resolution • First matching filter (FMF) • Best matching filter (BMF) • Highest priority field matching filter (HPFMF)

  10. Example: Implicit Conflict Resolution • Consider the following rule base and packets

  11. Implicit Conflict Resolution Shortcomings • FMF requires careful rule base ordering • BMF may still leave conflicts • HPFMF is not scalable for large rule bases • Rule bases exist for which no filter prioritization scheme achieves the desired behavior

  12. Example: Unresolvable Conflicts • Consider the following rule base and desired behavior for overlapping areas

  13. Example: Unresolvable Conflicts • A circular priority constraints graph is formed, for which no prioritization suits [figure: priority constraints graph over filters A through H containing a directed cycle]

  14. Solution: Resolve Filters • Prefixes cannot partially overlap, hence • Add resolve filters to the rule base to break the circular constraints graph • Now BMF resolution is unambiguous

  15. Resulting Theorems • If the priority constraints graph contains a directed cycle, then the set of filters cannot be made conflict-free by filter reordering (or prioritizing) alone • Finding the smallest number of resolve filters that will make the graph conflict-free is equivalent to the smallest feedback arc set problem and is NP-complete

  16. Implications of Resolve Filters • Any cycle-breaking heuristic is good, though here we will add all resolve filters • Explicit conflict resolution • O(|B|) resolve filters for rule base B • No need for a linear rule base scan or special hardware • O(w) time for finding the longest prefix of a bit string of length w

  17. Outline • Packet filtering concepts • The filter conflict problem • General algorithms for filter conflict detection and resolution • Optimizations for specific cases • Results and conclusions

  18. Towards a General Algorithm • Define a filter F=(F[1],F[2],…,F[k]) where F[i] is a prefix bit string • Define a bit string S to match F[i], if F[i] is a prefix of S • Define a packet P=(P[1],P[2],…,P[k]) to match F, if P[i] matches F[i] for all i.

  19. Relations between Prefixes • Define prefixes F[i] and G[i] as disjoint, if no bit string S matches them both • Define F[i] a prefix of G[i], if S matches G[i] implies S matches F[i] for all S • Define F[i] a strict prefix of G[i], if F[i] is a prefix of G[i] and F[i] ≠ G[i]

  20. General Conflict Detection • Filters F ≠ G are conflict-free iff • F and G are disjoint, i.e. F[i] and G[i] are disjoint for some i, or • F is a prefix of G, i.e. F[i] is a prefix of G[i] for all i, or G is a prefix of F

  21. 2 Filter Conflict Detection
Algorithm 2FilterConflict(F,G) (* Determine whether F and G conflict *)
1. For i = 1 to k do
2.   If F[i] and G[i] are disjoint then return "No Conflict";
3. Set flag = 1;
4. For i = 1 to k do
5.   If F[i] is not a prefix of G[i] then set flag = 0;
6. If flag = 1 then return "No Conflict";
7. Set flag = 1;
8. For i = 1 to k do
9.   If G[i] is not a prefix of F[i] then set flag = 0;
10. If flag = 1 then return "No Conflict";
11. Return "Conflict";
end Algorithm

  22. Computing the Resolve Filter • When filters F and G conflict, the overlapping area is defined by the longer of the two prefixes for each filter field • The resolve filter of F and G is equal to the overlapping area between them

  23. Computing the Resolve Filter
Algorithm ResolveFilter(F,G) (* Computes the filter resolving the conflict of F and G *)
1. For i = 1 to k do
2.   Let X[i] be the longer of the two prefixes F[i] and G[i];
3. Return (X[1], X[2], …, X[k]);
end Algorithm

  24. Adding Resolve Filters • Define C(F) the set of filters in a conflict-free rule base B={F1,F2,…,Fn} that conflict with filter F • The resolve filters of F introduce no new conflicts (relative to F) with B, and can therefore be added safely to B

  25. Maintaining a Conflict-free Rule Base
Algorithm AddNewFilter(F,B) (* Insert a new filter into B *)
1. Initialize C(F) = {F};
2. For i = 1 to |B| do
3.   If 2FilterConflict(F,Fi) = "Conflict" then add Fi to C(F);
4. For each filter F' ∈ C(F) do
5.   Add ResolveFilter(F,F') to B;
end Algorithm
• Worst case running time O(|B|+|C(F)|)
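The three algorithms on slides 21, 23 and 25, together with the priority-constraints graph of slides 13 to 15, as one added example that is not the paper's or the presenter's code. A filter is a k-tuple of prefix bit strings with "" standing for the wildcard *, an IPv4 CIDR prefix is turned into such a bit string by a small helper, and the function names, the 4-filter sample rule base and its desired overlap behaviour are all assumptions made for this illustration.

```python
# Added example, not the paper's code. A filter is a k-tuple of prefix bit
# strings ("" is the wildcard *); helper names and the sample rule base are
# assumptions made for this illustration.
import ipaddress
from typing import Callable, Dict, List, Set, Tuple

Filter = Tuple[str, ...]


def ip_prefix_bits(cidr: str) -> str:
    """IPv4 CIDR prefix -> the prefix bit string the algorithms operate on."""
    net = ipaddress.ip_network(cidr, strict=False)
    return format(int(net.network_address), "032b")[: net.prefixlen]


def is_prefix(a: str, b: str) -> bool:
    """a is a prefix of b: every bit string matching b also matches a."""
    return b.startswith(a)


def disjoint(a: str, b: str) -> bool:
    """No bit string matches both iff neither prefix is a prefix of the other."""
    return not is_prefix(a, b) and not is_prefix(b, a)


def two_filter_conflict(f: Filter, g: Filter) -> bool:
    """Algorithm 2FilterConflict: True iff F and G overlap without nesting."""
    pairs = list(zip(f, g))
    if any(disjoint(fi, gi) for fi, gi in pairs):
        return False            # disjoint in some field: no packet matches both
    if all(is_prefix(fi, gi) for fi, gi in pairs):
        return False            # F is a prefix of G (G nested in F)
    if all(is_prefix(gi, fi) for fi, gi in pairs):
        return False            # G is a prefix of F (F nested in G)
    return True


def resolve_filter(f: Filter, g: Filter) -> Filter:
    """Algorithm ResolveFilter: the overlap is the longer prefix in each field."""
    return tuple(fi if len(fi) >= len(gi) else gi for fi, gi in zip(f, g))


def add_new_filter(f: Filter, base: List[Filter]) -> List[Filter]:
    """Algorithm AddNewFilter. C(F) starts as {F}, so ResolveFilter(F, F) = F
    inserts F itself; every conflicting F' contributes the filter for F ∩ F'."""
    conflict_set = [f] + [b for b in base if two_filter_conflict(f, b)]
    new_base = list(base)
    for other in conflict_set:
        r = resolve_filter(f, other)
        if r not in new_base:
            new_base.append(r)
    return new_base


def conflict_free_base(filters: List[Filter]) -> List[Filter]:
    """Build a rule base by inserting the filters one at a time."""
    base: List[Filter] = []
    for f in filters:
        base = add_new_filter(f, base)
    return base


def conflicting_pairs(base: List[Filter]) -> List[Tuple[Filter, Filter]]:
    """Brute-force O(|B|^2) enumeration of conflicting pairs."""
    return [(a, b) for i, a in enumerate(base)
            for b in base[i + 1:] if two_filter_conflict(a, b)]


def unresolved_conflicts(base: List[Filter]) -> List[Tuple[Filter, Filter]]:
    """Conflicting pairs whose resolve filter is absent from B; an empty list
    means best-matching-filter lookup is unambiguous for every packet."""
    return [(a, b) for a, b in conflicting_pairs(base)
            if resolve_filter(a, b) not in base]


def winner_from(table: Dict[frozenset, Filter]) -> Callable[[Filter, Filter], Filter]:
    """Desired behaviour for an overlap, looked up regardless of pair order."""
    return lambda f, g: table[frozenset({f, g})]


def priority_graph(base: List[Filter], wins: Callable[[Filter, Filter], Filter]
                   ) -> Dict[Filter, Set[Filter]]:
    """Priority-constraints graph: edge u -> v means u must outrank v."""
    edges: Dict[Filter, Set[Filter]] = {b: set() for b in base}
    for a, b in conflicting_pairs(base):
        w = wins(a, b)
        edges[w].add(b if w == a else a)
    return edges


def has_directed_cycle(edges: Dict[Filter, Set[Filter]]) -> bool:
    """DFS colouring: reaching a node that is still on the stack is a back edge."""
    state = {n: 0 for n in edges}          # 0 new, 1 on stack, 2 finished

    def visit(n: Filter) -> bool:
        state[n] = 1
        for m in edges[n]:
            if state[m] == 1 or (state[m] == 0 and visit(m)):
                return True
        state[n] = 2
        return False

    return any(state[n] == 0 and visit(n) for n in edges)


# Constructed 2-tuple rule base (src prefix, dst prefix) whose desired
# overlap behaviour forms the 4-cycle A > B > C > D > A.
A, B, C, D = ("0", ""), ("", "1"), ("1", ""), ("", "0")
CYCLE_BASE = [A, B, C, D]
DESIRED = {frozenset({A, B}): A, frozenset({B, C}): B,
           frozenset({C, D}): C, frozenset({D, A}): D}
```

Running `has_directed_cycle(priority_graph(CYCLE_BASE, winner_from(DESIRED)))` reports the cycle, so no reordering of the four filters alone can realise the desired behaviour; `conflict_free_base(CYCLE_BASE)` inserts them with AddNewFilter and ends up with the four original filters plus the four resolve filters for their overlaps, after which `unresolved_conflicts` is empty and best-matching-filter resolution is unambiguous.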

  26. Example: Maintaining a Conflict-free Rule Base

  27. Outline • Packet filtering concepts • The filter conflict problem • General algorithms for filter conflict detection and resolution • Optimizations for specific cases • Results and conclusions

  28. Motivations for Optimizations • The handling of filter updates in the router control path must be fast • Routers with large rule bases cannot afford the linear general algorithms described • The majority of internet filters are 2- or 5-tupled

  29. 2-tuple Filter Conflict Detection • Since 2-tuple filters F, G conflict iff • G[1] prefixes F[1] and F[2] prefixes G[2], or • F[1] prefixes G[1] and G[2] prefixes F[2] • Then for rule base B, we construct a 2-level recursive trie for each case • The recursive source trie S(B) • The recursive destination trie D(B)

  30. Recursive Source Trie Construction • Construct a first level trie for the source prefixes of the filters in B • Define s(u) the associated prefix of node u in the first level trie of S(B) • Define X(u) the set of filters in B with source prefix equal to s(u): X(u) = {F ∈ B | F[1] = s(u) }

  31. Recursive Source Trie Construction • For every node u in the first level trie, construct a second level trie D(u) for the destination prefixes of X(u) • Let u point to D(u) • D(B) is similarly constructed • The first level trie holds destination prefixes • The second level tries hold source prefixes

  32. Example: 2-tuple Filters • Consider the following rule base

  33. Example: The Recursive Source Trie [figure: recursive source trie for filters F1 through F8; legend: Src/Dst trie node, Src/Dst trie arc, Arc to Dst trie, Filter]

  34. Fast Conflict Detection using the Recursive Source Trie • Find the longest matching prefix of F[1], noted u, and let v1,…,vm be the proper prefix nodes of F[1], possibly v1=u=* • For each destination trie D(vi) locate the longest matching prefix for F[2], noted z • If z is a leaf there is no conflict, otherwise all descendant filters of z conflict with F

  35. Example: Fast Filter Conflict Detection for (10*,1*) [figure: traversal of the recursive source trie of slide 33 with the conflicting filters highlighted; legend: Src/Dst trie node, Src/Dst trie arc, Arc to Dst trie, Filter, Src prefix node, Src/Dst prefix arc, Arc from Src prefix node to Dst trie, Conflicting filter]
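The recursive source and destination tries of slides 29 to 31 and the fast detection of slide 34, as an added example that is not the paper's or the presenter's code. The class and function names and the 8-filter sample rule base are assumptions made for this illustration (the sample is not the slide's F1 to F8); "" stands for the wildcard *. A linear scan is kept alongside only to cross-check the trie result.

```python
# Added example, not the paper's code: recursive tries S(B) and D(B) for
# 2-tuple filters plus the fast conflict detection that walks them. Names and
# the sample rule base are assumptions; "" is the wildcard *.
from typing import Dict, List, Optional, Tuple

Filter = Tuple[str, str]   # (source prefix bits, destination prefix bits)


class Node:
    def __init__(self) -> None:
        self.children: Dict[str, "Node"] = {}
        self.filters: List[Filter] = []     # filters whose prefix ends here
        self.sub: Optional["Trie"] = None   # second-level trie D(u) or S(u)


class Trie:
    """Binary trie over prefix bit strings."""

    def __init__(self) -> None:
        self.root = Node()

    def insert(self, prefix: str) -> Node:
        node = self.root
        for bit in prefix:
            node = node.children.setdefault(bit, Node())
        return node

    def node_at(self, prefix: str) -> Optional[Node]:
        """Exact walk; None if no node (leaf or internal) exists for prefix."""
        node: Optional[Node] = self.root
        for bit in prefix:
            node = node.children.get(bit) if node else None
        return node

    def proper_prefix_nodes(self, prefix: str) -> List[Node]:
        """Nodes v1..vm whose prefixes are strict prefixes of `prefix`, root first."""
        nodes, node = [], self.root
        for bit in prefix:              # the last bit is never consumed
            nodes.append(node)
            node = node.children.get(bit)
            if node is None:
                break
        return nodes

    @staticmethod
    def descendant_filters(node: Node) -> List[Filter]:
        """Filters strictly below `node`, i.e. with longer prefixes in its subtree."""
        found, stack = [], list(node.children.values())
        while stack:
            n = stack.pop()
            found.extend(n.filters)
            stack.extend(n.children.values())
        return found


def build_recursive_trie(base: List[Filter], outer: int) -> Trie:
    """S(B) for outer=0 (source first, destination second); D(B) for outer=1."""
    inner, trie = 1 - outer, Trie()
    for f in base:
        u = trie.insert(f[outer])       # first-level node with s(u) = f[outer]
        if u.sub is None:
            u.sub = Trie()              # holds X(u): filters with exactly that prefix
        u.sub.insert(f[inner]).filters.append(f)
    return trie


def conflicts_via(trie: Trie, f: Filter, outer: int) -> List[Filter]:
    """Filters G with G[outer] a strict prefix of F[outer] and G[inner] a strict
    extension of F[inner]: they sit below F[inner] in the second-level trie of
    each proper-prefix node of F[outer]. The node u with s(u) = F[outer] is
    skipped, since its filters nest with F in both fields."""
    inner, hits = 1 - outer, []
    for v in trie.proper_prefix_nodes(f[outer]):
        z = v.sub.node_at(f[inner]) if v.sub else None
        if z is not None:               # z is a leaf -> no descendants -> no conflict
            hits.extend(Trie.descendant_filters(z))
    return hits


def fast_conflict_detect(src_trie: Trie, dst_trie: Trie, f: Filter) -> List[Filter]:
    """Both 2-tuple conflict cases; the two result lists cannot overlap."""
    return conflicts_via(src_trie, f, 0) + conflicts_via(dst_trie, f, 1)


def brute_force_conflicts(base: List[Filter], f: Filter) -> List[Filter]:
    """Linear scan (slide 21 specialised to 2 fields) used only to cross-check."""
    def nested(a: Filter, b: Filter) -> bool:
        return all(bi.startswith(ai) for ai, bi in zip(a, b))
    def overlap(a: Filter, b: Filter) -> bool:
        return all(ai.startswith(bi) or bi.startswith(ai) for ai, bi in zip(a, b))
    return [g for g in base if overlap(f, g) and not nested(f, g) and not nested(g, f)]


# Constructed rule base (src prefix, dst prefix), not the slide's F1..F8.
RULE_BASE: List[Filter] = [
    ("", ""), ("1", "10"), ("1", "0"), ("10", ""),
    ("10", "11"), ("101", ""), ("0", "1"), ("", "11"),
]
S_B = build_recursive_trie(RULE_BASE, 0)
D_B = build_recursive_trie(RULE_BASE, 1)
```

For the query filter (10*, 1*) of slide 35, written here as `("10", "1")`, `fast_conflict_detect(S_B, D_B, ("10", "1"))` walks D("") and D("1") in S(B) and S("") in D(B) and returns the three filters that overlap the query without nesting, the same set the linear scan produces; a filter with wildcard source has no proper-prefix nodes on the source side, so that side correctly contributes nothing.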

  36. 3-tuple Filter Conflict Detection • Restrict the protocol to be either TCP or UDP or OTHER or * • We need 3 separate 2-tuple detection data structures • A wildcarded protocol filter will be placed in all three data structures

  37. 5-tuple Filter Conflict Detection • Restrict the protocol as in the 3-tuple case • Restrict the source and destination port to be either stated or *, thus dividing the filters into four groups in each node • (*,*) (si,*) (*,di) (si,di)

  38. Tracking Prefix Lengths While Traversing S(B) • Define SrcPrefixLen as shorter, equal or longer, depending on the length of the new filter's source prefix relative to the length of the current source trie node • Define DstPrefixLen similarly, but depending on the destination prefix • Track prefix lengths for D(B) similarly

  39. Example: 5-tuple Filter Conflict Detection • IPs conflict and ports are joint; IPs are prefixes-of and ports are prefixed-by the node's filters (or vice versa) [table: conflict outcome for each SrcPrefixLen/DstPrefixLen combination; cell contents not recoverable from the transcript]

  40. 5-tuple Conflict Detection in Other Cases • Cases are symmetric, e.g. • Shorter/longer behaves like longer/shorter • Shorter/equal behaves like equal/shorter • Tables may similarly be constructed for filters of type (*,*) (*,di) and (si,di) • The shorter/shorter case is handled with exhaustive search

  41. Outline • Packet filtering concepts • The filter conflict problem • General algorithms for filter conflict detection and resolution • Optimizations for specific cases • Results and conclusions

  42. Result: Firewall Conflict Detection • Filter conflicts that are potential security holes have been discovered in all 3 inspected Firewalls

  43. Result: Conflict Detection Time • Fast Detect quickly outperforms linear conflict detection

  44. Result: Conflicts per Filter • Conflict histogram (1000 separate runs) increases by an order of magnitude when filter DB increases from 1K to 10K

  45. Result: Conflict Enumeration • Enumeration time quickly diverges relative to detection time

  46. Conclusions and Remarks • General and specific 2-,3-,5-tuple filter conflict detection and resolution • Forwarding, QoS, VPN, Firewall, signaling • Conflict-free rule bases are desirable • 2-tuple filter base compaction • Faster packet classification

  47. Conclusions and Remarks • The tries may be reused for the router data path • K-bit tries reduce time by a factor of K and increase memory by a factor of 2^K • Supports port ranges and protocol sets
