HARDWARE BASED PACKET FILTERING USING FPGAs
(or “How hardware is better than software at judging a book by its cover”)
Timothy Whelan
Supervisor: Mr Barry Irwin
Security and Networks Research Group, Department of Computer Science, Rhodes University
Contents Overview
• Problem Description
• FPGA Pros
• FPGA Cons
• Theory of Operation
• Lessons Learned
• Future Extensions
Problem Description
• Network nodes receive a lot of packets.
• Not all packets are good.
• Some packets are better.
Wouldn’t it be nice to be able to accept/reject packets based on who the sender is and what they are sending?
And let’s try to do that as fast as possible!
Problem Description - Goals
• Be able to classify packets according to the basic 5-tuple.
  • (source/destination IP/port and transport protocol used)
  • Provides a basic context in which further decisions can be made.
• Be able to alter classification rules with relative ease.
  • Times change; classification rules will need to change too.
• Assess feasibility of using FPGAs.
  • Can they do the job?
  • Are they worth it?
FPGA Pros
• Ultimately they are circuits.
• They are also re-configurable circuits.
  • Useful for changing classification rules.
• Dedicated to the application.
  • Won’t waste time on “other stuff”.
• Xilinx support is HUGE.
  • IP cores, code generators, user guides, application notes, case studies, reference designs, step-by-step tutorials.
FPGA Cons
• Unfamiliar platform.
• Xilinx support is HUGE!
  • Too large to quickly learn how to use tools – ChipScope, CoreGenerator.
• Provide best worst-case performance.
  • A dedicated IC will always outperform an FPGA.
• Ultra low level.
  • But voltage level conversions are normally provided.
• No default I/O for debugging.
  • Have to create a form of basic I/O to use for debugging.
Theory of Operation
(Block diagram; labels: Ethernet cable, RX_clk, RX_dv, RX_data (nybble), Rule count, RS-232 interface)
Theory of Operation: Stripping fields
• Extracting packet data
• Extracting protocol number and IP address
Theory of Operation: Bit-for-bit AND
    0011001100
and 0101010101
  = 0001000100
Theory of Operation: Data output
• To get rule counts from the device the user pushes a button on the board.
• The device then reads each rule count stored in memory and transmits it over a serial RS-232 interface to a connected computer.
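As an added software reference model (not the project's HDL), the Python below mirrors the three stages described above: stripping the 5-tuple out of a received frame, matching each field by bit-for-bit AND against a masked rule, and keeping the per-rule hit counters that the board reads back out. The rule table and the sample frames are constructed for illustration.

```python
import struct

# Field order everywhere: src_ip, dst_ip, proto, src_port, dst_port.
WILD = (0, 0)  # a (value, mask) pair with mask 0 matches any field value

def ip_to_int(dotted):
    return struct.unpack("!I", bytes(int(o) for o in dotted.split(".")))[0]

def extract_5tuple(frame):
    """Strip the 5-tuple from an untagged Ethernet/IPv4 frame; None if not IPv4, ports 0 if not TCP/UDP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes, options included
    proto = ip[9]
    src_ip, dst_ip = struct.unpack("!II", ip[12:20])
    sport = dport = 0
    if proto in (6, 17) and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (src_ip, dst_ip, proto, sport, dport)

def matches(rule, t):
    """Bit-for-bit AND each field with the rule's mask, then compare with the masked rule value."""
    return all((f & mask) == (val & mask) for (val, mask), f in zip(rule, t))

def classify(frames, rules):
    """Per-rule hit counters: the values the board reads from memory and sends over RS-232."""
    counts = {name: 0 for name in rules}
    for frame in frames:
        t = extract_5tuple(frame)
        if t is None:
            continue
        for name, rule in rules.items():
            if matches(rule, t):
                counts[name] += 1
    return counts

def build_frame(src, dst, proto, sport, dport):
    """Constructed test frame: zeroed MACs, minimal 20-byte IPv4 header, 4 bytes of L4 ports."""
    ip_hdr = struct.pack("!BBHHHBBHII", 0x45, 0, 24, 0, 0, 64, proto, 0,
                         ip_to_int(src), ip_to_int(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + struct.pack("!HH", sport, dport)

# Constructed rule table: each rule is five (value, mask) pairs in field order.
RULES = {
    "ssh_to_lan": (WILD, (ip_to_int("192.168.1.0"), 0xFFFFFF00), (6, 0xFF), WILD, (22, 0xFFFF)),
    "any_udp":    (WILD, WILD, (17, 0xFF), WILD, WILD),
}
SAMPLE_FRAMES = [  # constructed sample traffic
    build_frame("10.0.0.5", "192.168.1.10", 6, 40000, 22),  # SSH into the /24: ssh_to_lan
    build_frame("10.0.0.5", "192.168.2.10", 6, 40001, 22),  # SSH, wrong subnet: no match
    build_frame("10.0.0.6", "192.168.1.1", 17, 5353, 53),   # DNS over UDP: any_udp
    build_frame("10.0.0.7", "192.168.1.1", 1, 0, 0),        # ICMP: matches neither rule
]
```

Running `classify(SAMPLE_FRAMES, RULES)` gives one hit for each rule; the same masked comparison is what the hardware does per field as the nybbles arrive.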
Lessons Learned
• Require much experience one does.
• Inference engine can destroy synchronized signals.
• FPGAs are extremely versatile.
  • Range of applications: DSP – video processing – network computing.
• RTFM
  • If you can’t figure out how it works, read the manual.
• It might actually work!
  • The full process can be simulated and synthesized without timing warnings. (And the literature says so.)
Future extensions
• Output counts over the network
  • Can monitor device from anywhere.
• Implement the RAM interface.
  • Board has a 512MB DDR2 RAM chip.
• Add functionality.
  • Provide more rule matching, e.g. TCP flags.
  • Board has an LCD screen built on it and has a VGA output.