The Packet Filter: An Efficient Mechanism for User-level Network Code
Authors: Jeffrey C. Mogul (Digital Equipment Corporation, Western Research Lab.),
Richard F. Rashid and Michael J. Accetta (Department of Computer Science, Carnegie-Mellon University)
Presenter: 황영덕, Wireless & Mobile [email protected]
Presentation date: 2003-05-20
Contents
1. Introduction
2. Motivation
3. User-level interface abstraction
4. Implementation
5. Uses of the packet filter
6. Performance
7. Problems and possible improvements
8. Summary
1. Introduction
Kernel-resident network code: harder to implement and maintain
User-level implementation: terrible performance
The key to adequate performance from a user-level protocol implementation: the demultiplexing mechanism
Demultiplexing can be done either in the kernel or in a user-level process. User-mode demultiplexing gives flexible control but is expensive; kernel demultiplexing is efficient, but its criteria are inflexible.
§Demultiplexing?
When an Ethernet frame is received, demultiplexing is the process of moving up the protocol stack, examining the identifier in each header to decide which next higher layer the data is passed to:
Demultiplexing based on the destination port number in the TCP or UDP header
Demultiplexing based on the protocol value in the IP header
Demultiplexing based on the frame type in the Ethernet header
Figure: Demultiplexing (received frame → Ethernet driver → ARP / RARP / IP → ICMP / IGMP / TCP / UDP → user processes)
§Demultiplexing?
Demultiplexing key: the well-known port; each receiving process has its own message queue
Figure: UDP demultiplexing by well-known port (Process 1: port 8000, Process 2: port 8001, Process 3: port 8002; a datagram addressed to port 8002 goes to the queue of Process 3)
1. Introduction (Cont.)
Packet filter? Part of the operating system kernel; delivers packets to user processes with few system calls and context switches
Result: reasonably efficient; an easy-to-use abstraction for developing and running network applications
2. Motivation
Software to support networking protocols has become tremendously important as a result of the use of LANs
Creating reliable, efficient code: a large share of kernel source is devoted to networking
30% of 4.3BSD Unix, 25% of TOPS-20 (Version 6.1), 32% of the V-system
Development of network software: slow and seldom yields finished systems; debugging of code
2. Motivation (Cont.)
Network code resides in the kernel. This makes it much harder to write and debug:
• The kernel must be recompiled and rebooted
• Bugs in kernel code are system crashes
• Kernel modules may have complex interactions over shared resources
• Kernel-code debugging cannot be done during normal time sharing
• Sophisticated debugging and monitoring facilities are not available for kernel code
• Kernel source code is not always available
2. Motivation (Cont.)
Context switching and inter-process communication are expensive
Figure 1: Costs of demultiplexing in a user process (Network → Kernel → Demux process → Destination process)
2. Motivation (Cont.)
Figure 2: Costs of demultiplexing in the kernel (Network → Kernel → Destination process)
2. Motivation (Cont.)
Confines these per-packet overheads to the kernel: domain-crossing events (section 3)
Figure 3: Kernel-resident protocols reduce domain-crossing (Network → Kernel → Destination process; Data and ACK messages shown)
2.1 Historical background
The packet filter first arose in 1976, in the Xerox Alto, which shared a single address space with all processes
First Unix implementation of the packet filter done in 1980
3. User-level interface abstraction
Code to implement protocols lives in each process
Figure 4: Relationship between the packet filter and other system components (Network → Device Driver → Packet Filter, in the kernel → PUP, VMTP and Network Monitor, in user processes)
3. User-level interface abstraction (Cont.)
Implemented inside the kernel
Figure 5: 4.3BSD networking model (Network → Device Driver → IP → TCP / UDP, all in the kernel → user process)
3. User-level interface abstraction (Cont.)
Figure 6: Packet filter coexisting with the 4.3BSD networking model (Device Driver → IP → TCP / UDP in the kernel, alongside Device Driver → Packet Filter → VMTP and PUP in user processes)
3. User-level interface abstraction (Cont.)
Three major components
Packet transmission
• Simple
• write system call
• Unreliable
Packet reception
• Complicated
• Queue (port, set up using an ioctl system call)
• Stack-based "language" (filter language, 3.1)
• read system call
Control and status information
• Non-blocking network I/O?
3. User-level interface abstraction (Cont.)
Figure 7: Delivery without received-packet batching (Network → Kernel → Destination process; one read system call per Data packet, three reads shown)
3. User-level interface abstraction (Cont.)
Figure 8: Delivery with received-packet batching (Network → Kernel → Destination process; several Data packets returned by a single read)
§Processing flow according to filter rules
Figure: Processing flow according to filter rules (flowchart nodes: receive packet, rule applicable?, decide whether the packet passes, last rule?, next rule, reject packet, send NACK; YES/NO branches; layers shown: Application, Transport, Network, Datalink)
3.1 Filter language detail
Interpreter: a filter is an array of 16-bit words executed on a stack; each instruction word has a stack action field and a binary operation field
First word: binary operator (6 bits, high-order) | stack action (10 bits, low-order); 16 bits in all
Second word (only for PUSHLIT): literal constant, 16 bits
Stack action   Effect on stack
NOPUSH         None
PUSHLIT        Following instruction word is pushed
PUSHONE        Constant one is pushed
PUSHFFFF       Constant 0xFFFF is pushed
PUSHFF00       Constant 0xFF00 is pushed
PUSH00FF       Constant 0x00FF is pushed
PUSHWORD+n     n-th word of packet is pushed
3.1 Filter language detail
Figure 10: Format of Pup packet header on 3Mb Ethernet
3.1 Filter language detail (Cont.)
This filter accepts all Pup packets with Pup types between 1 and 100.
    struct enfilter f = {
        10, 12,                        /* priority and length */
        PUSHWORD+1, PUSHLIT | EQ, 2,   /* packet type == PUP */
        PUSHWORD+3, PUSH00FF | AND,    /* mask low byte */
        PUSHZERO | GT,                 /* Pup type > 0 */
        PUSHWORD+3, PUSH00FF | AND,    /* mask low byte */
        PUSHLIT | LE, 100,             /* Pup type <= 100 */
        AND,                           /* 0 < Pup type <= 100 */
        AND                            /* && packet type == Pup */
    };
Figure 11: Example filter program
3.1 Filter language detail (Cont.)
This filter accepts Pup packets with a Pup DstSocket field of 35.
    struct enfilter f = {
        10, 8,                          /* priority and length */
        PUSHWORD+8, PUSHLIT | CAND, 35, /* low word of socket == 35 */
        PUSHWORD+7, PUSHZERO | CAND,    /* high word of socket == 0 */
        PUSHWORD+1, PUSHLIT | EQ, 2     /* packet type == Pup */
    };
Figure 12: Example filter program using short-circuit operations
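Added example, not code from the paper or the slides: a small C interpreter for the stack-based filter language of 3.1, run over the Figure 11 and Figure 12 filters and a constructed Pup header. The opcode numbers, the Pup header word layout, the 32-entry stack limit and the rule that an empty stack accepts are assumptions of this example.

```c
#include <stdint.h>
/* Stack action = low 10 bits, binary operator = high 6 bits; opcode numbers are chosen for this example. */
enum { NOPUSH = 0, PUSHLIT, PUSHZERO, PUSHONE, PUSHFFFF, PUSHFF00, PUSH00FF, PUSHWORD = 16 };
#define OP(x) ((x) << 10)
enum { NOP = OP(0), EQ = OP(1), NEQ = OP(2), LT = OP(3), LE = OP(4), GT = OP(5),
       GE = OP(6), AND = OP(7), OR = OP(8), XOR = OP(9), COR = OP(10),
       CAND = OP(11), CNOR = OP(12), CNAND = OP(13) };
/* Run filter[0..len) over npkt 16-bit packet words: 1 = accept, 0 = reject (malformed filters reject). */
int pf_run(const uint16_t *filter, int len, const uint16_t *pkt, int npkt) {
    uint16_t st[32]; int sp = 0;
    for (int pc = 0; pc < len; pc++) {
        int act = filter[pc] & 0x3ff, op = filter[pc] & ~0x3ff, n;
        if (sp >= 32) return 0;                          /* stack overflow */
        switch (act) {                                   /* step 1: stack action */
        case NOPUSH:   break;
        case PUSHLIT:  if (++pc >= len) return 0; st[sp++] = filter[pc]; break;
        case PUSHZERO: st[sp++] = 0;      break;  case PUSHONE:  st[sp++] = 1;      break;
        case PUSHFFFF: st[sp++] = 0xffff; break;  case PUSHFF00: st[sp++] = 0xff00; break;
        case PUSH00FF: st[sp++] = 0x00ff; break;
        default:       n = act - PUSHWORD;               /* PUSHWORD+n: n-th packet word */
                       if (n < 0 || n >= npkt) return 0; st[sp++] = pkt[n];
        }
        if (op == NOP) continue;                         /* step 2: binary operator */
        if (sp < 2) return 0;
        uint16_t b = st[--sp], a = st[--sp], r = 0;      /* a was pushed before b */
        switch (op) {
        case EQ:  r = a == b; break;  case NEQ: r = a != b; break;
        case LT:  r = a <  b; break;  case LE:  r = a <= b; break;
        case GT:  r = a >  b; break;  case GE:  r = a >= b; break;
        case AND: r = a &  b; break;  case OR:  r = a |  b; break;
        case XOR: r = a ^  b; break;
        case COR:   if (a == b) return 1; continue;      /* short-circuit accept */
        case CAND:  if (a != b) return 0; continue;      /* short-circuit reject */
        case CNOR:  if (a == b) return 0; continue;  case CNAND: if (a != b) return 1; continue;
        default:    return 0;
        }
        st[sp++] = r;
    }
    return sp == 0 || st[sp - 1] != 0;                   /* empty stack accepts */
}
/* The Figure 11 and Figure 12 filters from the slides, as instruction arrays. */
static const uint16_t f_fig11[] = { PUSHWORD+1, PUSHLIT|EQ, 2, PUSHWORD+3, PUSH00FF|AND,
    PUSHZERO|GT, PUSHWORD+3, PUSH00FF|AND, PUSHLIT|LE, 100, AND, AND };
static const uint16_t f_fig12[] = { PUSHWORD+8, PUSHLIT|CAND, 35, PUSHWORD+7,
    PUSHZERO|CAND, PUSHWORD+1, PUSHLIT|EQ, 2 };
/* Both filters over a constructed Pup header (word 1 = type 2, word 3 low byte = Pup type, words 7-8 = DstSocket); bit 0: Fig. 11 accepts, bit 1: Fig. 12 accepts. */
int demo(uint16_t puptype, uint16_t socket_lo) {
    uint16_t pkt[9] = { 0x0102, 2, 24, puptype, 0, 1, 0x0203, 0, socket_lo };
    return pf_run(f_fig11, 12, pkt, 9) | (pf_run(f_fig12, 8, pkt, 9) << 1);
}
```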
3.2 Control and status information
The user can control the packet filter's actions: the timeout duration for blocking reads, the signal sent on packet reception, and the maximum length of the queue
Information provided by the packet filter: type of data-link layer (length…, header…), maximum packet size, address for incoming packets, address used for data-link layer broadcasts
4. Implementation
Implemented in 4.3BSD Unix as a "character special device"
Character special device: called from user code through the open, close, read, write and ioctl system calls
The packet filter module is about 2000 lines of C code
The packet filter requires no modification of the Unix kernel: it is well isolated
5. Uses of the packet filter
Pup protocols
V-system protocols (message-based distributed operating system)
RARP
Network monitoring (LANalyzer, Sniffer, Lanscan, …)
NIT vs. BPF
6. Performance
Kernel per-packet processing time, measured over 1.3 million packets: 21% processed by the packet filter, 69% IP packets, 10% ARP
Packet filter
• average of 1.57 mSec processing each packet
Kernel-resident IP implementation
• IP packet was 1.77 mSec
• processing up to TCP and UDP: 0.49 mSec
8. Summary
The performance of the packet filter is clearly better than that of a user-level demultiplexer, and the performance of protocol code based on the packet filter is clearly worse than that of kernel-resident protocol code.
§A.1 Packet Filter
An efficient technique for interacting with the host's device driver. Most Unix versions provide a user-level packet capture facility so that the network can be monitored. Since monitoring needs only the first few bytes of each packet, the required length is specified and statistics are gathered from the captured headers.
Network Interface Tap (NIT): supports batched reads, which reduce system calls; stack-based structure
BSD Packet Filter (BPF): the most powerful packet filter known to date; uses registers, 20 times faster than the stack-based structure; non-shared buffer model
§A.1 Packet Filter - BPF
When BPF is installed, each packet is first copied to BPF before being passed up to the higher protocol stack
Packets are not read one at a time; they are collected in a buffer and read as one unit
Buffers for processing captured packets: store buffer, hold buffer, free buffer
§B. tcpdump
Introduction: captures all packets passing through a network interface that satisfy a conditional expression; used for intrusion detection and traffic analysis
Download: ftp://ftp.ee.lbl.gov/libpcap.tar.Z, ftp://ftp.ee.lbl.gov/tcpdump.tar.Z
§B. tcpdump – options
-a: convert network and broadcast addresses to names
-c Number: exit after receiving the given number of packets
-dd: print the packet-matching code as a fragment of a C program
-ddd: print the packet-matching code as decimal numbers
-e: print the link-level header on each output line
-F file: read the filter expression from the file; any additional expressions given on the command line are ignored
-i device: specify which interface to capture packets on
-n: do not convert addresses (port, host address, etc.) to names
-N: do not print the domain part when printing host names
-p: do not put the interface into promiscuous mode
-q: print less protocol information, so output lines are shorter
§B. tcpdump – primitives
dst host HOST: true if the IP destination field of the packet is HOST
src host HOST: true if the IP source field of the packet is HOST
host HOST: true if either the IP source or the IP destination field of the packet is HOST
ether dst ehost: true if the Ethernet destination address is ehost
ether src ehost: true if the Ethernet source address is ehost
ether host ehost: true if either the Ethernet source or the Ethernet destination address is ehost
dst net NET: true if the IP destination address of the packet has the network number NET
src net NET: true if the IP source address of the packet has the network number NET
net NET: true if either the IP source or the IP destination address of the packet has the network number NET
net NET mask MASK: true if the IP address matches NET under the given netmask
net NET/len: true if the IP address matches NET with a netmask of len bits
§B. tcpdump – packet capture
Capture size: tcpdump lets you choose how much of each packet it captures. It does not capture the whole datagram being sent; by default the captured length is 68 bytes
Changing the capture size: tcpdump -s length, for example tcpdump -s 1514
• (captures the 14-byte Ethernet frame header plus a packet of the 1500-byte Ethernet maximum transmission unit)
Figure: Ethernet frame layout (Frame Header 14 bytes | IP Header 20 bytes | Protocol Header 20 bytes | Protocol Data; the Ethernet frame carries the IP datagram, which carries the embedded TCP, UDP or ICMP packet)
§B. tcpdump – output
Sample output:
05:06:35.981443 166.104.114.81.ssh > 218.49.139.135.3752: P 18704:18864(160) ack 161 win 30660 (DF) [tos 0x10]
Fields, left to right: timestamp; source host.port > destination host.port; TCP flag; TCP start sequence number : TCP end sequence number (data bytes); ack; window size
Table: TCP flags
TCP flag      Notation   Meaning
SYN           "S"        Session connection request
ACK           "ack"      Acknowledgement that data was received
FIN           "F"        Normal connection close
RESET         "R"        Abnormal, immediate connection close
PUSH          "P"        Deliver the data to the application immediately
URGENT        "urg"      Give urgent data higher priority
Placeholder   "."        None of SYN, FIN, RESET, PUSH
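Added example, not from the slides or from tcpdump itself: a C parser that turns an old-style tcpdump TCP summary line of the form shown above into its fields and maps the flag column to the meanings in the table. The field names, buffer sizes and the embedded sample line (the one above, used as constructed test input) are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fields recovered from one old-style tcpdump TCP summary line.  Example code, not part of tcpdump. */
struct tcpline {
    char ts[16], src_host[64], src_port[16], dst_host[64], dst_port[16], flag[8];
    unsigned long seq, seq_end, bytes, ack, win;
    int df;
};
/* "166.104.114.81.ssh" -> host "166.104.114.81", port "ssh": tcpdump joins them with the last dot. */
static void split_hostport(const char *s, char *host, size_t hn, char *port, size_t pn) {
    const char *dot = strrchr(s, '.');
    size_t n = dot ? (size_t)(dot - s) : strlen(s);
    if (n >= hn) n = hn - 1;
    memcpy(host, s, n); host[n] = '\0';
    snprintf(port, pn, "%s", dot ? dot + 1 : "");
}
/* Returns 1 if the line parsed, 0 otherwise.  "seq:end(bytes)", "ack N", "win N" and "(DF)"
 * are optional and stay zero when absent. */
int parse_tcpdump_line(const char *line, struct tcpline *t) {
    char src[80], dst[80], rest[256] = "";
    const char *p;
    memset(t, 0, sizeof *t);
    if (sscanf(line, "%15s %79s > %79[^:]: %7s %255[^\n]", t->ts, src, dst, t->flag, rest) < 4)
        return 0;
    split_hostport(src, t->src_host, sizeof t->src_host, t->src_port, sizeof t->src_port);
    split_hostport(dst, t->dst_host, sizeof t->dst_host, t->dst_port, sizeof t->dst_port);
    sscanf(rest, "%lu:%lu(%lu)", &t->seq, &t->seq_end, &t->bytes);
    if ((p = strstr(rest, "ack "))) t->ack = strtoul(p + 4, NULL, 10);
    if ((p = strstr(rest, "win "))) t->win = strtoul(p + 4, NULL, 10);
    t->df = strstr(rest, "(DF)") != NULL;
    return 1;
}
/* Meaning of the flag column, following the table above. */
const char *flag_meaning(const char *flag) {
    switch (flag[0]) {
    case 'S': return "SYN: session connection request";   case 'F': return "FIN: normal close";
    case 'R': return "RST: abnormal immediate close";     case 'P': return "PSH: deliver data to the application now";
    case '.': return "none of SYN, FIN, RST, PSH";         default:  return "unknown";
    }
}
/* Constructed sample line (the one shown above) parsed into a global so callers can inspect it. */
struct tcpline sample;
int parse_sample(void) {
    return parse_tcpdump_line("05:06:35.981443 166.104.114.81.ssh > 218.49.139.135.3752: "
                              "P 18704:18864(160) ack 161 win 30660 (DF) [tos 0x10]", &sample);
}
```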