
The Packet Filter: An Efficient Mechanism for User-level Network Code
Authors: Jeffrey C. Mogul (Digital Equipment Corporation, Western Research Laboratory); Richard F. Rashid and Michael J. Accetta (Department of Computer Science, Carnegie-Mellon University)
Presenter: 황영덕, Wireless & Mobile Lab.
Date:

Contents
1. Introduction
2. Motivation
3. User-level interface abstraction
4. Implementation
5. Uses of the packet filter
6. Performance
7. Problems and possible improvements
8. Summary

1. Introduction
- Kernel-resident network code: harder to implement and maintain
- User-level implementation: terrible performance
- Goal: get adequate performance from a user-level protocol implementation
- The key: the demultiplexing mechanism
- Demultiplexing can be done either in the kernel or in a user-level process
  - User-mode demultiplexing gives flexible control, but is expensive
  - Kernel demultiplexing is efficient, but the demultiplexing criteria are fixed in the kernel

Demultiplexing?
- When an Ethernet frame is received, the process of walking up the protocol stack, inspecting the identifier in each header to decide which upper layer the data goes to next
Figure: Demultiplexing process. The Ethernet driver demultiplexes to IP, ARP or RARP by the frame type in the Ethernet header; IP demultiplexes to TCP, UDP, ICMP or IGMP by the protocol field in the IP header; TCP or UDP demultiplexes to the user process by the destination port number in the TCP or UDP header.

Demultiplexing?
- Demultiplexing key
- Message queue
- Well-known port
Figure: UDP demultiplexing by destination port (Process 1 on port 8000, Process 3 on port 8002, Process 2 on a port not shown in the transcript)

1. Introduction (cont.)
- Packet filter?
  - Part of the operating system kernel
  - Delivers packets to user-level protocol code with few system calls and context switches
- Result
  - Reasonably efficient
  - An easy-to-use abstraction for developing and running network applications

2. Motivation
- Software to support networking protocols has become tremendously important as a result of the use of LANs
- Creating reliable, efficient code is hard; a large fraction of kernel source is devoted to networking:
  - 30% of 4.3BSD Unix
  - 25% of TOPS-20 (version 6.1)
  - 32% of the V-system
- Development of network software is slow and seldom yields finished systems
- Debugging the code is difficult

2. Motivation (cont.)
- Network code resides in the kernel, which makes it much harder to write and debug:
  - The kernel must be recompiled and rebooted
  - Bugs in kernel code are system crashes
  - Kernel modules may have complex interactions over shared resources
  - Kernel-code debugging cannot be done during normal time sharing
  - The sophisticated debugging and monitoring facilities available to user code cannot be used on the kernel
  - Kernel source code is not always available

2. Motivation (cont.)
- Context switching and inter-process communication are expensive
Figure 1: Costs of demultiplexing in a user process (network -> kernel -> demultiplexing process -> kernel -> destination process)

2. Motivation (cont.)
Figure 2: Costs of demultiplexing in the kernel (network -> kernel -> destination process)

2. Motivation (cont.)
- Kernel-resident protocols confine this per-packet overhead to the kernel
- Domain-crossing events (see section 3)
Figure 3: Kernel-resident protocols reduce domain crossing (the ACK for incoming data is generated inside the kernel; only the data crosses into the destination process)

Historical background
- The packet filter first arose in 1976, in the Xerox Alto
  - The Alto shared a single address space among all processes
- The first Unix implementation of the packet filter was done in 1980

3. User-level interface abstraction
- The code that implements each protocol lives in the user process that uses it
Figure 4: Relationship between the packet filter and other system components (user processes: Pup, VMTP, network monitor; kernel: packet filter on top of the device driver; network below)

3. User-level interface abstraction (cont.)
- The 4.3BSD protocols are implemented inside the kernel
Figure 5: 4.3BSD networking model (TCP and UDP over IP over the device driver, all in the kernel; user processes above)

3. User-level interface abstraction (cont.)
Figure 6: Packet filter coexisting with the 4.3BSD networking model (IP, TCP and UDP remain in the kernel; the packet filter sits beside IP above the device driver and feeds VMTP and Pup implemented in user processes)

3. User-level interface abstraction (cont.)
- Three major components
  - Packet transmission: a simple write system call; unreliable
  - Packet reception: more complicated; a queue (port) is created with an ioctl system call, a stack-based filter "language" selects which packets reach it (filter language, section 3.1), and packets are collected with the read system call
  - Control and status information
- Non-blocking network I/O?

3. User-level interface abstraction (cont.)
Figure 7: Delivery without received-packet batching (one read per packet: network -> kernel -> destination process for each data packet)

3. User-level interface abstraction (cont.)
Figure 8: Delivery with received-packet batching (several data packets are queued in the kernel and returned by a single read)

Processing by filter rules
Figure: Flowchart of rule processing across the data-link, network, transport and application layers. Packet received -> is the rule applicable? (no: next rule; yes: last rule?) -> decide whether the packet passes -> packet accepted, or packet rejected and a NACK sent.

Filter language detail
- Filters are run by an interpreter in the kernel
- A filter program is an array of 16-bit words
- Each instruction word has a stack action field (low 10 bits) and a binary operation field (high 6 bits); when the stack action is PUSHLIT, the literal constant occupies the following 16-bit word
Instruction format. First word: binary operator (6 bits) | stack action (10 bits). Second word: literal constant (16 bits).

Stack action    Effect on stack
NOPUSH          None
PUSHLIT         The following instruction word is pushed
PUSHZERO        The constant zero is pushed
PUSHONE         The constant one is pushed
PUSHFFFF        The constant 0xFFFF is pushed
PUSHFF00        The constant 0xFF00 is pushed
PUSH00FF        The constant 0x00FF is pushed
PUSHWORD+n      The n-th 16-bit word of the packet is pushed

Filter language detail (cont.)
Figure 10: Format of the Pup packet header on the 3Mb Ethernet

Filter language detail (cont.)
- This filter accepts all Pup packets with Pup types between 1 and 100. The length field counts the 12 code words, literals included.

    struct enfilter f = {
        10, 12,                          /* priority and length */
        PUSHWORD+1, PUSHLIT | EQ, 2,     /* packet type == PUP */
        PUSHWORD+3, PUSH00FF | AND,      /* mask low byte */
        PUSHZERO | GT,                   /* Pup type > 0 */
        PUSHWORD+3, PUSH00FF | AND,      /* mask low byte */
        PUSHLIT | LE, 100,               /* Pup type <= 100 */
        AND,                             /* 0 < Pup type <= 100 */
        AND                              /* && packet type == PUP */
    };

Figure 11: Example filter program

Filter language detail (cont.)
- This filter accepts Pup packets with a Pup DstSocket field of 35. The short-circuit CAND rejects the packet as soon as one comparison fails, so the remaining words are never examined.

    struct enfilter f = {
        10, 8,                           /* priority and length */
        PUSHWORD+8, PUSHLIT | CAND, 35,  /* low word of socket == 35 */
        PUSHWORD+7, PUSHZERO | CAND,     /* high word of socket == 0 */
        PUSHWORD+1, PUSHLIT | EQ, 2      /* packet type == PUP */
    };

Figure 12: Example filter program using short-circuit operations
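The interpreter that the two filters above assume, written out as an added example in C; this is not code from the paper or from 4.3BSD. It plays the kernel's demultiplexing role from the "Demultiplexing?" slides by running a filter program over the 16-bit words of a packet and returning accept or reject. Assumptions made here: the bit layout (stack action in the low 10 bits, binary operator in the high 6 bits), a fixed stack depth, the fail-closed treatment of malformed filters and of references past the end of the packet, and the constructed Pup and IP packets it is tested against.

```c
/* Added example, not code from the paper or from 4.3BSD: a user-space
 * interpreter for the stack-based filter language, run on the two example
 * filters against constructed Pup packets. The bit layout (stack action in
 * the low 10 bits, binary operator in the high 6 bits), the stack depth and
 * the fail-closed handling of malformed filters are this example's assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* stack actions (low 10 bits of an instruction word); PUSHWORD+n pushes packet word n */
enum { NOPUSH = 0, PUSHLIT = 1, PUSHZERO = 2, PUSHONE = 3, PUSHFFFF = 4, PUSHFF00 = 5,
       PUSH00FF = 6, PUSHWORD = 16 };
/* binary operators (high 6 bits); the C* forms short-circuit the whole filter */
enum { NOP = 0 << 10, EQ = 1 << 10, LT = 2 << 10, LE = 3 << 10, GT = 4 << 10, GE = 5 << 10,
       AND = 6 << 10, OR = 7 << 10, XOR = 8 << 10, COR = 9 << 10, CAND = 10 << 10,
       CNOR = 11 << 10, CNAND = 12 << 10, NEQ = 13 << 10 };

#define MAXFILT    40
#define STACKDEPTH 16
struct enfilter { uint16_t priority, length, code[MAXFILT]; };

/* Returns 1 if the filter accepts the packet (given as 16-bit words), 0 if it
 * rejects it. A bad opcode, a stack over/underflow or a reference past the end
 * of the packet rejects the packet instead of reading out of bounds (assumed). */
int enf_eval(const struct enfilter *f, const uint16_t *pkt, size_t nwords)
{
    uint16_t stack[STACKDEPTH];
    int sp = 0;
    for (int pc = 0; pc < f->length; pc++) {
        uint16_t action = f->code[pc] & 0x3ff, op = f->code[pc] & 0xfc00;
        uint16_t v = 0, a, b, r = 0;
        int pushed = 1;
        switch (action) {                               /* 1. stack action */
        case NOPUSH:   pushed = 0; break;
        case PUSHLIT:  if (++pc >= f->length) return 0; v = f->code[pc]; break;
        case PUSHZERO: v = 0; break;
        case PUSHONE:  v = 1; break;
        case PUSHFFFF: v = 0xffff; break;
        case PUSHFF00: v = 0xff00; break;
        case PUSH00FF: v = 0x00ff; break;
        default:
            if (action < PUSHWORD || (size_t)(action - PUSHWORD) >= nwords) return 0;
            v = pkt[action - PUSHWORD];
        }
        if (pushed) { if (sp >= STACKDEPTH) return 0; stack[sp++] = v; }
        if (op == NOP) continue;                        /* 2. binary operator */
        if (sp < 2) return 0;
        b = stack[--sp]; a = stack[--sp];               /* a is the older element */
        switch (op) {
        case EQ:  r = a == b; break;
        case NEQ: r = a != b; break;
        case LT:  r = a <  b; break;
        case LE:  r = a <= b; break;
        case GT:  r = a >  b; break;
        case GE:  r = a >= b; break;
        case AND: r = a &  b; break;
        case OR:  r = a |  b; break;
        case XOR: r = a ^  b; break;
        case COR:   if (a == b) return 1; continue;     /* equal: accept right away */
        case CAND:  if (a != b) return 0; continue;     /* differ: reject right away */
        case CNOR:  if (a == b) return 0; continue;
        case CNAND: if (a != b) return 1; continue;
        default: return 0;
        }
        stack[sp++] = r;
    }
    return sp == 0 || stack[sp - 1] != 0;               /* empty stack or non-zero top accepts */
}

/* The filters of Figures 11 and 12: Pup type in 1..100, and Pup DstSocket == 35. */
const struct enfilter pup_type_filter = { 10, 12, {
    PUSHWORD+1, PUSHLIT | EQ, 2, PUSHWORD+3, PUSH00FF | AND, PUSHZERO | GT,
    PUSHWORD+3, PUSH00FF | AND, PUSHLIT | LE, 100, AND, AND } };
const struct enfilter pup_socket_filter = { 10, 8, {
    PUSHWORD+8, PUSHLIT | CAND, 35, PUSHWORD+7, PUSHZERO | CAND,
    PUSHWORD+1, PUSHLIT | EQ, 2 } };

/* Constructed packets as 16-bit words, laid out as in Figure 10: word 1 is the
 * Ethernet type (2 = Pup), word 3 is transport control | Pup type, words 7-8
 * are the destination socket (high word, low word). */
const uint16_t pup_type50_sock35[12]  = { 0x0102, 2, 24, 0x0032, 0, 1, 0x0103, 0, 35, 0, 0, 0 };
const uint16_t pup_type200_sock35[12] = { 0x0102, 2, 24, 0x00c8, 0, 1, 0x0103, 0, 35, 0, 0, 0 };
const uint16_t ip_packet[12]          = { 0x0102, 0x0800, 24, 0x0032, 0, 1, 0x0103, 0, 0, 0, 0, 0 };

int main(void)
{
    const uint16_t *pkts[3] = { pup_type50_sock35, pup_type200_sock35, ip_packet };
    for (int i = 0; i < 3; i++)
        printf("packet %d: type filter %d, socket filter %d\n", i,
               enf_eval(&pup_type_filter, pkts[i], 12), enf_eval(&pup_socket_filter, pkts[i], 12));
    return 0;
}
```

The bounds checks are the part a kernel implementer cannot skip: the filter program comes from an unprivileged process, so a PUSHWORD past the end of a short packet or a filter that pops an empty stack must fail closed rather than read kernel memory. The Figure 12 filter on a 4-word packet is rejected for exactly that reason.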

Control and status information
- The user can control the packet filter's actions:
  - Timeout duration for blocking reads
  - The signal sent on packet reception
  - Maximum length of the queue
- Information provided by the packet filter:
  - Type of data-link layer, header length, and so on
  - Maximum packet size
  - Address for incoming packets
  - Address used for data-link layer broadcasts

4. Implementation
- Implemented in 4.3BSD Unix as a "character special device"
- Character special device: called from user code through the open, close, read, write and ioctl system calls
- The packet filter module is about 2000 lines of C code
- The packet filter requires no modification of the rest of the Unix kernel: it is well isolated

BSD Packet Filter
Figure: BSD Packet Filter (architecture diagram)

5. Uses of the packet filter
- Pup protocols
- V-system protocols (a message-based distributed operating system)
- RARP
- Network monitoring (LANalyzer, Sniffer, LANscan, ...)
- NIT vs. BPF

6. Performance
- Kernel per-packet processing time, measured over 1.3 million packets
  - 21% processed by the packet filter
  - 69% IP packets
  - 10% ARP
- The packet filter spent an average of 1.57 ms processing each packet
- The kernel-resident IP implementation spent 1.77 ms per IP packet (processing up through TCP and UDP: 0.49 ms)

6. Performance (cont.)
- Total per-packet processing time
- VMTP performance
- VMTP performance: bulk data transfer
- Byte-stream throughput
- Costs of demultiplexing outside the kernel
(each of these slides shows a table or figure whose contents are not in the transcript)

8. Summary
- The performance of the packet filter is clearly better than that of a user-level demultiplexer, and the performance of protocol code based on the packet filter is clearly worse than that of kernel-resident protocol code.

A.1 Packet filter
- An efficient mechanism for interacting with the host's device driver
- Most Unix versions provide a user-level packet capture facility so that the network can be monitored
- Monitoring needs only the first few bytes of each packet, so a capture length is specified and statistics are gathered from the captured headers
- Network Interface Tap (NIT)
  - Supports batched reads, reducing the number of system calls
  - Stack-based filter machine
- BSD Packet Filter (BPF)
  - The most powerful packet filter known so far
  - Uses a register-based filter machine, up to 20 times faster than the stack-based one
  - Non-shared buffer model

A.1 Packet filter: BPF
- When BPF is installed, a copy of each packet is handed to BPF before the packet is passed up the protocol stack
- Packets are not read one at a time; they are accumulated in a buffer and read as one unit
- Buffers used to process captured packets: store buffer, hold buffer, free buffer
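The received-packet batching of Figure 8 (section 3) and the BPF store / hold / free buffer model above, as an added example in C; this is not code from BPF, NIT or the paper. The tap appends each accepted packet to the store buffer, a full store buffer is rotated into the hold buffer, and one read returns the whole hold buffer. Assumptions made here: a 256-byte buffer, a 4-byte length header per record, 60-byte packets, copying in place of the pointer swap a real driver does, dropping (never blocking) when the hold buffer is still owned by the reader, and a final flush standing in for BPF's read timeout.

```c
/* Added example, not BPF's or NIT's own code: a simulation of the store /
 * hold / free buffer rotation described above, showing how batching turns
 * one read per packet into one read per buffer. Buffer size, the 4-byte
 * per-record length header and the final flush are this example's assumptions;
 * copying stands in for the pointer swap a real implementation would do. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BPF_BUFSIZE 256

struct bpf_d {
    unsigned char store[BPF_BUFSIZE]; int slen;  /* being filled by the tap */
    unsigned char hold[BPF_BUFSIZE];  int hlen;  /* complete batch awaiting read() */
    int hold_full;                               /* hold stays occupied until read */
    unsigned long rcount, dcount, rotations;     /* received, dropped, rotations */
};
struct sim_result { int reads, delivered; unsigned long dropped; };

/* Rotate: the full store buffer becomes the hold buffer and the free buffer
 * becomes the new store. Fails (returns 0) while the reader still owns hold. */
int bpf_rotate(struct bpf_d *d)
{
    if (d->hold_full) return 0;
    memcpy(d->hold, d->store, (size_t)d->slen);
    d->hlen = d->slen; d->hold_full = 1; d->slen = 0; d->rotations++;
    return 1;
}

/* Called at interrupt level for every packet that passed the filter: append
 * it to the store buffer behind a length header. Never blocks; drops instead. */
void bpf_tap(struct bpf_d *d, const void *pkt, int len)
{
    uint32_t hdr = (uint32_t)len;
    int need = (int)sizeof hdr + len;
    d->rcount++;
    if (need > BPF_BUFSIZE) { d->dcount++; return; }       /* oversized record */
    if (d->slen + need > BPF_BUFSIZE && !bpf_rotate(d)) {  /* store full, hold busy */
        d->dcount++; return;                               /* reader too slow: drop */
    }
    memcpy(d->store + d->slen, &hdr, sizeof hdr);
    memcpy(d->store + d->slen + sizeof hdr, pkt, (size_t)len);
    d->slen += need;
}

/* read(2): hand the whole hold buffer to the process in one system call. */
int bpf_read(struct bpf_d *d, unsigned char *out, int outsz)
{
    if (!d->hold_full || d->hlen > outsz) return -1;
    memcpy(out, d->hold, (size_t)d->hlen);
    d->hold_full = 0;                                      /* hold is free again */
    return d->hlen;
}

/* Walk the length-prefixed records in a batch returned by bpf_read. */
int bpf_count_records(const unsigned char *buf, int len)
{
    int n = 0, off = 0;
    while (off + (int)sizeof(uint32_t) <= len) {
        uint32_t l; memcpy(&l, buf + off, sizeof l);
        off += (int)sizeof l + (int)l; n++;
    }
    return n;
}

/* Tap npkts packets of pktlen bytes. With a reader present, drain the hold
 * buffer after each tap and flush the last partial store buffer at the end
 * (what the read timeout does in BPF); without one, count the drops. */
struct sim_result bpf_simulate(int npkts, int pktlen, int with_reader)
{
    struct bpf_d d; struct sim_result r = { 0, 0, 0 };
    unsigned char pkt[BPF_BUFSIZE] = { 0 }, out[BPF_BUFSIZE];
    memset(&d, 0, sizeof d);
    for (int i = 0; i <= npkts; i++) {
        if (i < npkts) bpf_tap(&d, pkt, pktlen);
        else if (!with_reader || d.slen == 0 || !bpf_rotate(&d)) break;  /* final flush */
        if (with_reader && d.hold_full) {
            r.reads++;
            r.delivered += bpf_count_records(out, bpf_read(&d, out, sizeof out));
        }
    }
    r.dropped = d.dcount;
    return r;
}

int main(void)
{
    struct sim_result a = bpf_simulate(20, 60, 1), b = bpf_simulate(20, 60, 0);
    printf("reader present: %d reads deliver %d packets, %lu dropped\n", a.reads, a.delivered, a.dropped);
    printf("no reader:      %d reads, %lu dropped once store and hold are both full\n", b.reads, b.dropped);
    return 0;
}
```

With a 256-byte buffer and 64-byte records, 20 packets reach the process in 5 reads instead of 20. The same run without a reader shows the cost of the non-blocking tap: once both the store and hold buffers are full, the 9th and every later packet is dropped, which is the drop counter a monitoring tool has to watch if its capture is to be trusted.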

B. tcpdump
- Introduction
  - Captures every packet passing through a network interface that satisfies a condition expression
  - Used for intrusion detection and traffic analysis
- Download:

B. tcpdump: options
- -a: convert network and broadcast addresses to names
- -c number: exit after receiving the given number of packets
- -dd: dump the packet-matching code as a C program fragment
- -ddd: dump the packet-matching code as decimal numbers
- -e: print the link-level header on each output line
- -F file: read the filter expression from file; any additional expression given on the command line is ignored
- -i device: capture the packets passing through the given interface
- -n: do not convert addresses (host addresses, port numbers, etc.) to names
- -N: do not print the domain qualification of host names
- -p: do not put the interface into promiscuous mode
- -q: quick (quiet) output; print less protocol information, so output lines are shorter

B. tcpdump: primitives
- dst host HOST: true if the IP destination field of the packet is HOST
- src host HOST: true if the IP source field of the packet is HOST
- host HOST: true if either the IP source or the IP destination of the packet is HOST
- ether dst ehost: true if the Ethernet destination address is ehost
- ether src ehost: true if the Ethernet source address is ehost
- ether host ehost: true if either the Ethernet source or the Ethernet destination address is ehost
- dst net NET: true if the IP destination address of the packet has a network number of NET
- src net NET: true if the IP source address of the packet has a network number of NET
- net NET: true if either the IP source or the IP destination address of the packet has a network number of NET
- net net mask mask: true if the IP address matches net under the given netmask
- net net/len: true if the IP address matches net under a netmask len bits wide

B. tcpdump: packet capture
- Capture size
  - tcpdump lets you decide how much of each packet is captured
  - It does not capture the whole datagram by default; older tcpdump versions capture only the first 68 bytes (current versions capture the full packet by default)
- Changing the capture size
  - tcpdump -s length
  - tcpdump -s 1514 (captures the 14-byte Ethernet frame header plus a full 1500-byte Ethernet MTU)
Figure: Ethernet frame layout. Frame header (14 bytes) | IP header (20 bytes) | protocol header (TCP, UDP or ICMP) | protocol data; the IP datagram is the packet embedded after the 14-byte frame header.

B. tcpdump: output
- Sample output:
    05:06: ssh > : P 18704:18864(160) ack 161 win (DF) [tos 0x10]
- Fields: timestamp, source host.port, destination host.port, TCP flag, starting TCP sequence number:ending TCP sequence number (data bytes), acknowledgement number, window size

Table: TCP flags as printed by tcpdump
Flag         Printed as   Meaning
SYN          S            Request to open a session
ACK          ack          Acknowledgement that data was received
FIN          F            Normal connection termination
RESET        R            Abnormal, immediate connection termination
PUSH         P            Deliver the data to the application immediately
URGENT       urg          Urgent data given high priority
Placeholder  .            None of SYN, FIN, RESET or PUSH is set

B. tcpdump: example
Figure: tcpdump example output (screenshot not in the transcript)
