Detecting and Resolving Packet Filter Conflicts Adiseshu Hari, Bell Laboratories Subhash Suri and Guru Parulkar, Washington University Advanced Topics in IP Networks Presented by Yaron Gvili
Outline • Packet filtering concepts • The filter conflict problem • General algorithms for filter conflict detection and resolution • Optimizations for specific cases • Results and conclusions
Packet Filtering Concepts • Classification of packets based on their header fields • Actions taken according to packet class • Forwarding, QoS, VPN, Firewall • Rules applied to millions of packets per second
Packet Filters • Are sets of packets • Are defined in terms of header fields • Source IP prefix, destination IP prefix • Protocol type set • Source port range, destination port range • Compose the router state
Outline • Packet filtering concepts • The filter conflict problem • General algorithms for filter conflict detection and resolution • Optimizations for specific cases • Results and conclusions
Problem: Filter Conflicts • A packet may match overlapping filters with different actions • Traffic loss, poor bandwidth utilization, security holes • A packet may match many filters, requiring a linear filter base scan or special hardware • Performance, cost
The Geometric Connection • A 1-tuple corresponds to a segment in a line; a 2-tuple to a rectangle in a plane • (Figure: a line and a plane, each axis running from 0 to 2^32)
Solution: Implicit Conflict Resolution • First matching filter (FMF) • Best matching filter (BMF) • Highest priority field matching filter (HPFMF)
Example: Implicit Conflict Resolution • Consider the following rule base and packets
Implicit Conflict Resolution Shortcomings • FMF requires careful rule base ordering • BMF may still leave conflicts • HPFMF is not scalable for large rule bases • Rule bases exist for which no filter prioritization scheme achieves the desired behavior
Example: Unresolvable Conflicts • Consider the following rule base and desired behavior for overlapping areas
Example: Unresolvable Conflicts • A circular priority constraints graph is formed, for which no prioritization suits • (Figure: priority constraints graph over the filters A through H)
Solution: Resolve Filters • Prefixes cannot partially overlap, hence • Add resolve filters to the rule base to break the circular constraints graph • Now BMF resolution is unambiguous
Resulting Theorems • If the priority constraints graph contains a directed cycle, then the set of filters cannot be made conflict-free by filter reordering (or prioritizing) alone • Finding the smallest number of resolve filters that will make the graph conflict-free is equivalent to the smallest feedback arc problem and is NP-complete
Implications of Resolve Filters • Any cycle-breaking heuristic is good, though here we will add all resolve filters • Explicit conflict resolution • O(|B|) resolve filters for rule base B • No need for a linear rule base scan or special hardware • O(w) time for finding the longest prefix of a bit string of length w
Outline • Packet filtering concepts • The filter conflict problem • General algorithms for filter conflict detection and resolution • Optimizations for specific cases • Results and conclusions
Towards a General Algorithm • Define a filter F=(F[1],F[2],…,F[k]) where F[i] is a prefix bit string • Define a bit string S to match F[i], if F[i] is a prefix of S • Define a packet P=(P[1],P[2],…,P[k]) to match F, if P[i] matches F[i] for all i.
Relations between Prefixes • Define prefixes F[i] and G[i] as disjoint, if no bit string S matches them both • Define F[i] a prefix of G[i], if S matches G[i] implies S matches F[i] for all S • Define F[i] a strict prefix of G[i], if F[i] is a prefix of G[i] and F[i] ≠ G[i]
General Conflict Detection • Filters F and G are conflict-free iff • F and G are disjoint, i.e. F[i] and G[i] are disjoint for some i, or • F is a prefix of G, i.e. F[i] is a prefix of G[i] for all i, or G is a prefix of F
2 Filter Conflict Detection
Algorithm 2FilterConflict(F,G) (* Determine whether F and G conflict *)
1. For i = 1 to k do
2.   If F[i] and G[i] are disjoint then return “No Conflict”;
3. Set flag = 1;
4. For i = 1 to k do
5.   If F[i] is not a prefix of G[i] then set flag = 0;
6. If flag = 1 then return “No Conflict”;
7. Set flag = 1;
8. For i = 1 to k do
9.   If G[i] is not a prefix of F[i] then set flag = 0;
10. If flag = 1 then return “No Conflict”;
11. Return “Conflict”;
end Algorithm
Computing the Resolve Filter • When filters F and G conflict, the overlapping area is defined by the longer of the two prefixes for each filter field • The resolve filter of F and G is equal to the overlapping area between them
Computing the Resolve Filter
Algorithm ResolveFilter(F,G) (* Computes the filter resolving the conflict of F and G *)
1. For i = 1 to k do
2.   Let X[i] be the longer of the two prefixes F[i] and G[i];
3. Return (X[1], X[2], …, X[k]);
end Algorithm
Adding Resolve Filters • Define C(F) the set of filters in a conflict-free rule base B={F1,F2,…,Fn} that conflict with filter F • The resolve filters of F introduce no new conflicts (relative to F) with B, and can therefore be added safely to B
Maintaining a Conflict-free Rule Base
Algorithm AddNewFilter(F,B) (* Insert a new filter into B *)
1. Initialize C(F) = {F};
2. For i = 1 to |B| do
3.   If 2FilterConflict(F,Fi) = “Conflict” then add Fi to C(F);
4. For each filter F’ ∈ C(F) do
5.   Add ResolveFilter(F,F’) to B;
end Algorithm
• Worst case running time O(|B|+|C(F)|)
Outline • Packet filtering concepts • The filter conflict problem • General algorithms for filter conflict detection and resolution • Optimizations for specific cases • Results and conclusions
Motivations for Optimizations • The handling of filter updates in the router control path must be fast • Routers with large rule bases cannot afford the linear general algorithms described • The majority of Internet filters are 2- or 5-tuples
2-tuple Filter Conflict Detection • Since 2-tuple filters F, G conflict iff • G[1] prefixes F[1] and F[2] prefixes G[2], or • F[1] prefixes G[1] and G[2] prefixes F[2] • Then for rule base B, we construct a 2-level recursive trie for each case • The recursive source trie S(B) • The recursive destination trie D(B)
Recursive Source Trie Construction • Construct a first level trie for the source prefixes of the filters in B • Define s(u) the associated prefix of node u in the first level trie of S(B) • Define X(u) the set of filters in B with source prefix equal to s(u): X(u) = {F ∈ B | F[1] = s(u)}
Recursive Source Trie Construction • For every node u in the first level trie, construct a second level trie D(u) for the destination prefixes of X(u) • Let u point to D(u) • D(B) is similarly constructed • The first level trie holds destination prefixes • The second level tries hold source prefixes
Example: 2-tuple Filters • Consider the following rule base
Example: The Recursive Source Trie • (Figure: the recursive source trie S(B) for filters F1 to F8; legend: Src/Dst trie node, Src/Dst trie arc, arc to Dst trie, filter)
Fast Conflict Detection using the Recursive Source Trie • Find the longest matching prefix node u of F[1], and let v1,…,vm be the proper-prefix nodes of F[1] (possibly v1 = u = *) • For each destination trie D(vi), locate the longest matching prefix z of F[2] • If z is a leaf there is no conflict; otherwise all descendant filters of z conflict with F
Example: Fast Filter Conflict Detection for (10*,1*) • (Figure: the recursive source trie of the previous example with the source prefix nodes, Src/Dst prefix arcs, arcs from source prefix nodes to destination tries and the conflicting filters highlighted; legend: Src/Dst trie node, Src/Dst trie arc, arc to Dst trie, filter, Src prefix node, Src/Dst prefix arc, arc from Src prefix node to Dst trie, conflicting filter)
3-tuple Filter Conflict Detection • Restrict the protocol to be either TCP or UDP or OTHER or * • We need 3 separate 2-tuple detection data structures • A wildcarded protocol filter will be placed in all three data structures
5-tuple Filter Conflict Detection • Restrict the protocol as in the 3-tuple case • Restrict the source and destination port to be either stated or *, thus dividing the filters into four groups in each node • (*,*) (si,*) (*,di) (si,di)
Tracking Prefix Lengths While Traversing S(B) • Define SrcPrefixLen as shorter, equal or longer, depending on the length of the new filter's source prefix relative to the length of the current source trie node • Define DstPrefixLen similarly, but depending on the destination prefix • Track prefix lengths for D(B) similarly
Example: 5-tuple Filter Conflict Detection • IPs conflict and ports are joint; IPs are prefixes-of and ports are prefixed-by the node’s filters (or vice versa) • (Table: conflict conditions by SrcPrefixLen/DstPrefixLen case; the cell contents did not survive extraction)
5-tuple Conflict Detection in Other Cases • Cases are symmetric, e.g. • Shorter/longer behaves like longer/shorter • Shorter/equal behaves like equal/shorter • Tables may similarly be constructed for filters of type (*,*) (*,di) and (si,di) • The shorter/shorter case is handled with exhaustive search
Outline • Packet filtering concepts • The filter conflict problem • General algorithms for filter conflict detection and resolution • Optimizations for specific cases • Results and conclusions
Result: Firewall Conflict Detection • Filter conflicts that are potential security holes have been discovered in all 3 inspected Firewalls
Result: Conflict Detection Time • Fast Detect quickly outperforms linear conflict detection
Result: Conflicts per Filter • Conflict histogram (1000 separate runs) increases by an order of magnitude when filter DB increases from 1K to 10K
Result: Conflict Enumeration • Enumeration time quickly diverges relative to detection time
Conclusions and Remarks • General and specific 2-, 3-, 5-tuple filter conflict detection and resolution • Forwarding, QoS, VPN, Firewall, signaling • Conflict-free rule bases are desirable • 2-tuple filter base compaction • Faster packet classification
Conclusions and Remarks • The tries may be reused for the router data path • K-bit tries reduce time by a factor of K and increase memory by a factor of 2^K • Supports port ranges and protocol sets