
The Packet Filter: An Efficient Mechanism for User-level Network code

Authors: Jeffrey C. Mogul (Digital Equipment Corporation, Western Research Lab.); Richard F. Rashid, Michael J. Accetta (Department of Computer Science, Carnegie-Mellon University)

Presenter: 황영덕, Wireless & Mobile Lab., [email protected]

Presentation date: 2003-05-20

Contents

1. Introduction

2. Motivation

3. User-level interface abstraction

4. Implementation

5. Uses of the packet filter

6. Performance

7. Problems and possible improvements

8. Summary

1. Introduction

Kernel-resident network code: harder to implement and maintain

User-level implementation: terrible performance

To get adequate performance from a user-level protocol implementation, the key is the demultiplexing mechanism

Demultiplexing? It can be done either in the kernel or in a user-level process. User-mode demultiplexing gives flexible control but is expensive; kernel demultiplexing is efficient, but its criteria are fixed

Demultiplexing?

When an Ethernet frame is received, demultiplexing is the process of walking up the protocol stack, examining the identifier in each header to decide the next higher layer to which the data is handed.

Figure: Demultiplexing. A received frame enters the Ethernet driver, is handed up to IP, ARP or RARP, then to TCP, UDP, ICMP or IGMP, and finally to a user process. The figure marks three demultiplexing points:

• in the Ethernet header, on the frame type

• in the IP header, on the protocol value

• in the TCP or UDP header, on the destination port number

Demultiplexing?

Figure: Demultiplexing key, message queue and well-known port. UDP uses the destination port as the demultiplexing key and delivers each datagram to the message queue of the process bound to that port: Process 1 on port 8000, Process 2 on port 8001, Process 3 on port 8002 (the figure shows a datagram with key 8002 arriving).
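As an added example (my code, not from the slides or the paper), the three demultiplexing decisions the figures draw, Ethernet frame type, then IP protocol, then UDP destination port, written out in C over a constructed frame. The port-to-process table, the MAC and IP addresses and the payload are all invented for the example; the part worth noting is that every header length is checked before a field in it is read, so a truncated or mis-sized frame is dropped instead of being read past its end.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides or the paper: Ethernet -> IP -> UDP
 * demultiplexing over a constructed frame. All addresses, the port table
 * and the payload below are invented for the example. */

enum { DEMUX_DROP = -1 };

/* Hypothetical listeners, mirroring the slide's Process 1..3 on ports 8000..8002. */
static const struct { uint16_t port; int process; } udp_table[] = {
    { 8000, 1 }, { 8001, 2 }, { 8002, 3 },
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, unsigned v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Returns the process number the frame demultiplexes to, or DEMUX_DROP.
 * Each header is bounds-checked before any field in it is read. */
int demux_frame(const uint8_t *frame, size_t len)
{
    if (len < 14) return DEMUX_DROP;                    /* short Ethernet header */
    if (be16(frame + 12) != 0x0800) return DEMUX_DROP;  /* frame type: only IPv4 here */

    const uint8_t *ip = frame + 14;
    size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) return DEMUX_DROP;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    uint16_t total = be16(ip + 2);
    if (ihl < 20 || total < ihl || total > iplen) return DEMUX_DROP; /* bogus lengths */

    if (ip[9] != 17) return DEMUX_DROP;                 /* IP protocol: only UDP here */
    const uint8_t *udp = ip + ihl;
    if (total - ihl < 8) return DEMUX_DROP;             /* short UDP header */
    uint16_t dport = be16(udp + 2);

    for (size_t i = 0; i < sizeof udp_table / sizeof udp_table[0]; i++)
        if (udp_table[i].port == dport) return udp_table[i].process;
    return DEMUX_DROP;                                  /* no listener on that port */
}

/* Builds a constructed Ethernet/IPv4/UDP frame; checksums are left zero
 * because the demultiplexer never looks at them. Returns the frame length. */
size_t build_udp_frame(uint8_t *buf, size_t cap, uint16_t dport,
                       const uint8_t *payload, size_t plen)
{
    size_t need = 14 + 20 + 8 + plen;
    if (cap < need) return 0;
    memset(buf, 0, need);
    memcpy(buf, "\x02\x00\x00\x00\x00\x02", 6);        /* dst MAC (constructed) */
    memcpy(buf + 6, "\x02\x00\x00\x00\x00\x01", 6);    /* src MAC (constructed) */
    put16(buf + 12, 0x0800);                            /* IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45;                                       /* version 4, IHL 5 */
    put16(ip + 2, (unsigned)(20 + 8 + plen));
    ip[8] = 64;                                         /* TTL */
    ip[9] = 17;                                         /* UDP */
    memcpy(ip + 12, "\x0a\x00\x00\x01", 4);             /* 10.0.0.1 */
    memcpy(ip + 16, "\x0a\x00\x00\x02", 4);             /* 10.0.0.2 */
    uint8_t *udp = ip + 20;
    put16(udp, 40000);
    put16(udp + 2, dport);
    put16(udp + 4, (unsigned)(8 + plen));
    memcpy(udp + 8, payload, plen);
    return need;
}

/* Helpers that build a frame and demultiplex it: a well-formed frame to
 * `dport`, the same frame cut to `keep` bytes, and the same frame with its
 * IP total-length field overwritten with `total`. */
int demux_to_port(uint16_t dport)
{
    uint8_t buf[128];
    size_t n = build_udp_frame(buf, sizeof buf, dport, (const uint8_t *)"ping", 4);
    return demux_frame(buf, n);
}
int demux_truncated(size_t keep)
{
    uint8_t buf[128];
    size_t n = build_udp_frame(buf, sizeof buf, 8002, (const uint8_t *)"ping", 4);
    return demux_frame(buf, keep < n ? keep : n);
}
int demux_with_ip_total(unsigned total)
{
    uint8_t buf[128];
    size_t n = build_udp_frame(buf, sizeof buf, 8002, (const uint8_t *)"ping", 4);
    put16(buf + 14 + 2, total);
    return demux_frame(buf, n);
}

int main(void)
{
    printf("port 8002 -> process %d\n", demux_to_port(8002));
    printf("port 9000 -> %d (dropped)\n", demux_to_port(9000));
    printf("30-byte fragment -> %d (dropped)\n", demux_truncated(30));
    return 0;
}
```

The three `DEMUX_DROP` paths for bad lengths are the part a kernel demultiplexer must get right: the IP total-length field is attacker-controlled data, so it is compared against the bytes actually received before the UDP header is touched.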

1. Introduction (Cont.)

Packet filter? A part of the operating system kernel that delivers packets to user processes with a minimum of system calls and context switches

Result: reasonably efficient, and an easy-to-use abstraction for developing and running network applications

2. Motivation

Software to support networking protocols has become tremendously important as a result of the use of LANs

Creating reliable, efficient code is hard; a large share of kernel source is devoted to networking:

• 30% of 4.3BSD Unix

• 25% of TOPS-20 (Version 6.1)

• 32% of the V-system

Development of network software is slow and seldom yields finished systems; debugging of the code is the problem

2. Motivation (Cont.)

Network code resides in the kernel; this makes it much harder to write and debug:

• The kernel must be recompiled and rebooted

• Bugs in kernel code are system crashes

• Kernel modules may have complex interactions over shared resources

• Kernel-code debugging cannot be done during normal time sharing

• Sophisticated debugging and monitoring facilities cannot be used on kernel code

• Kernel source code is not always available

2. Motivation (Cont.)

Context switching and inter-process communication are expensive

Figure 1: Costs of demultiplexing in a user process (Network → Kernel → Demux Process → Destination Process)

2. Motivation (Cont.)

Figure 2: Costs of demultiplexing in the kernel (Network → Kernel → Destination Process)

2. Motivation (Cont.)

Kernel-resident protocols confine the per-packet overhead to the kernel and reduce domain-crossing events (see section 3)

Figure 3: Kernel-resident protocols reduce domain-crossing (Network → Kernel → Destination Process; the arrows are labelled Data and ACK)

2.1 Historical background

The packet filter first arose in 1976, in the Xerox Alto, which shared a single address space with all processes

The first Unix implementation of the packet filter was done in 1980

3. User-level interface abstraction

Code to implement protocols lives in each process

Figure 4: Relationship between the packet filter and other system components (user processes: PUP, VMTP, Network Monitor; kernel: Packet Filter over the Device Driver; Network)

3. User-level interface abstraction (Cont.)

Protocols implemented inside the kernel

Figure 5: 4.3BSD networking model (user process; kernel: TCP and UDP over IP over the Device Driver; Network)

3. User-level interface abstraction (Cont.)

Figure 6: Packet filter coexisting with the 4.3BSD networking model (user processes: VMTP and PUP above the Packet Filter; kernel: TCP and UDP over IP, and the Packet Filter, both over the Device Driver; Network)

3. User-level interface abstraction (Cont.)

Three major components:

Packet transmission

• Simple

• write system call

• Unreliable

Packet reception

• Complicated

• Queue (a port, set up using an ioctl system call)

• Stack-based “language” (the filter language, section 3.1)

• read system call

Control and status information

Non-blocking network I/O?

3. User-level interface abstraction (Cont.)

Figure 7: Delivery without received-packet batching (Network → Kernel → Destination Process; each of three data packets costs its own read)

3. User-level interface abstraction (Cont.)

Figure 8: Delivery with received-packet batching (Network → Kernel → Destination Process; the three data packets are delivered by a single read)

Processing according to filter rules

Figure: Processing flow for filter rules. Layers shown: Application, Transport, Network, Datalink. Flowchart nodes: packet received; is the rule applicable?; next rule; last rule?; reject packet; send NACK; decide whether the packet passes; with YES/NO branches between them.

3.1 Filter language detail

Interpreter: the filter program is an array of 16-bit words; each instruction word has a stack action field and a binary operation field

First word: stack action (10 bits) and binary operator (6 bits)

Second word (used by PUSHLIT): literal constant (16 bits)

Stack Action   Effect on stack
NOPUSH         None
PUSHLIT        Following instruction word is pushed
PUSHONE        Constant one is pushed
PUSHFFFF       Constant 0xFFFF is pushed
PUSHFF00       Constant 0xFF00 is pushed
PUSH00FF       Constant 0x00FF is pushed
PUSHWORD+n     n-th word of packet is pushed

3.1 Filter language detail

Figure 10: Format of the Pup packet header on 3Mb Ethernet

3.1 Filter language detail (Cont.)

This filter accepts all Pup packets with Pup types between 1 and 100.

    /* The stack-action and operator constants (PUSHWORD, PUSHLIT, PUSH00FF,
       PUSHZERO, EQ, GT, LE, AND) come from the packet filter's header. */
    struct enfilter f = {
        10, 12,                          /* priority and length (12 words) */
        PUSHWORD+1, PUSHLIT | EQ, 2,     /* packet type == PUP */
        PUSHWORD+3, PUSH00FF | AND,      /* mask low byte */
        PUSHZERO | GT,                   /* Pup type > 0 */
        PUSHWORD+3, PUSH00FF | AND,      /* mask low byte */
        PUSHLIT | LE, 100,               /* Pup type <= 100 */
        AND,                             /* 0 < Pup type <= 100 */
        AND                              /* && packet type == PUP */
    };

Figure 11: Example filter program

3.1 Filter language detail (Cont.)

This filter accepts Pup packets with a Pup DstSocket field of 35.

    struct enfilter f = {
        10, 8,                           /* priority and length (8 words) */
        PUSHWORD+8, PUSHLIT | CAND, 35,  /* low word of socket == 35 */
        PUSHWORD+7, PUSHZERO | CAND,     /* high word of socket == 0 */
        PUSHWORD+1, PUSHLIT | EQ, 2      /* packet type == PUP */
    };

Figure 12: Example filter program using short-circuit operations
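As an added example (my code, not the paper's kernel module and not from the slides), a user-space model of the stack interpreter described in 3.1, used to run the Figure 11 and Figure 12 filter programs above against constructed Pup packets. The numeric values of the stack actions and operators are my own choice, laid out with the stack action in the low 10 bits and the operator in the high 6 bits; PUSHZERO, which both figures use but the table in 3.1 omits, is included. The packet word order (big-endian, word 0 being the 3Mb Ethernet header), the rule that a PUSHWORD past the end of the packet rejects, and the end-of-program rule (empty stack or non-zero top of stack accepts) are assumptions, not taken from the paper.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not the paper's kernel code or the slides': a user-space model of
 * the stack interpreter. Encoding is my choice: action in the low 10 bits, operator
 * in the high 6 bits. PUSHZERO is included because Figures 11 and 12 use it. */
enum { NOPUSH = 0, PUSHLIT = 1, PUSHZERO = 2, PUSHONE = 3, PUSHFFFF = 4,
       PUSHFF00 = 5, PUSH00FF = 6, PUSHWORD = 16 };          /* PUSHWORD+n */
#define OP(x) ((x) << 10)
enum { NOP = OP(0), EQ = OP(1), LT = OP(2), LE = OP(3), GT = OP(4), GE = OP(5),
       AND = OP(6), OR = OP(7), XOR = OP(8), COR = OP(9), CAND = OP(10),
       CNOR = OP(11), CNAND = OP(12), NEQ = OP(13) };

#define ENMAXFILTERS 40
struct enfilter { unsigned char priority, length; uint16_t code[ENMAXFILTERS]; };
/* value pushed by actions PUSHZERO..PUSH00FF (indices 2..6) */
static const uint16_t consts[] = { 0, 0, 0, 1, 0xffff, 0xff00, 0x00ff };

/* Big-endian word n of the packet (word 0 = data-link header), or -1 past the end. */
static int packet_word(const uint8_t *pkt, size_t len, unsigned n)
{
    if ((size_t)n * 2 + 2 > len) return -1;
    return (pkt[2 * n] << 8) | pkt[2 * n + 1];
}

/* 1 = accept, 0 = reject. Out-of-range words, stack overflow/underflow and undefined
 * codes reject (fail closed, my choice). At the end, an empty stack or non-zero top accepts. */
int run_filter(const struct enfilter *f, const uint8_t *pkt, size_t len)
{
    uint16_t stack[ENMAXFILTERS], a, b;
    int sp = 0;
    for (int pc = 0; pc < f->length; pc++) {
        unsigned action = f->code[pc] & 0x3ff, op = f->code[pc] & 0xfc00;
        if (action != NOPUSH && sp >= ENMAXFILTERS) return 0;     /* no room to push */
        if (action == NOPUSH) { /* nothing pushed */ }
        else if (action == PUSHLIT) { if (++pc >= f->length) return 0; stack[sp++] = f->code[pc]; }
        else if (action <= PUSH00FF) stack[sp++] = consts[action];
        else if (action >= PUSHWORD) { int w = packet_word(pkt, len, action - PUSHWORD);
                                       if (w < 0) return 0; stack[sp++] = (uint16_t)w; }
        else return 0;                                              /* undefined action */
        if (op == NOP) continue;
        if (sp < 2) return 0;                                       /* underflow */
        b = stack[--sp]; a = stack[--sp];                           /* a was pushed first */
        if (op == COR || op == CNOR) { if ((a == b) == (op == COR)) return 1; continue; }
        if (op == CAND || op == CNAND) { if ((a != b) == (op == CAND)) return 0; continue; }
        switch (op) {
        case EQ:  stack[sp++] = a == b; break;
        case NEQ: stack[sp++] = a != b; break;
        case LT:  stack[sp++] = a < b;  break;
        case LE:  stack[sp++] = a <= b; break;
        case GT:  stack[sp++] = a > b;  break;
        case GE:  stack[sp++] = a >= b; break;
        case AND: stack[sp++] = a & b;  break;   /* bitwise, so it doubles as the mask op */
        case OR:  stack[sp++] = a | b;  break;
        case XOR: stack[sp++] = a ^ b;  break;
        default:  return 0;                      /* undefined operator */
        }
    }
    return sp == 0 || stack[sp - 1] != 0;
}

static void put16(uint8_t *p, unsigned v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Constructed 3Mb-Ethernet Pup packet, 12 words: 0 dst/src host, 1 packet type, 2 Pup
 * length, 3 transport control | Pup type, 4-5 ID, 6 dst net/host, 7-8 dst socket
 * (high, low), 9 src net/host, 10-11 src socket. Fields the filters ignore are filler. */
size_t make_pup(uint8_t *buf, unsigned pkt_type, unsigned pup_type, uint32_t dst_socket)
{
    const unsigned w[12] = { 0x0201, pkt_type, 22, pup_type & 0xff, 0, 1, 0x0102,
                             dst_socket >> 16, dst_socket & 0xffff, 0x0101, 0, 0x30 };
    for (unsigned i = 0; i < 12; i++) put16(buf + 2 * i, w[i]);
    return 24;
}

/* The filter programs of Figures 11 and 12, word for word. */
static const struct enfilter pup_type_filter = { 10, 12, {
    PUSHWORD+1, PUSHLIT | EQ, 2, PUSHWORD+3, PUSH00FF | AND, PUSHZERO | GT,
    PUSHWORD+3, PUSH00FF | AND, PUSHLIT | LE, 100, AND, AND } };
static const struct enfilter pup_socket_filter = { 10, 8, {
    PUSHWORD+8, PUSHLIT | CAND, 35, PUSHWORD+7, PUSHZERO | CAND,
    PUSHWORD+1, PUSHLIT | EQ, 2 } };

/* 1 if the Figure `fig` (11 or 12) filter accepts a constructed Pup packet; `keep` is
 * how many of its 24 bytes are handed to the filter (less than 18 cuts off word 8). */
int accepts(int fig, unsigned pkt_type, unsigned pup_type, uint32_t dst_socket, size_t keep)
{
    uint8_t pkt[24];
    size_t n = make_pup(pkt, pkt_type, pup_type, dst_socket);
    return run_filter(fig == 11 ? &pup_type_filter : &pup_socket_filter, pkt, keep < n ? keep : n);
}

int main(void)
{
    printf("Fig. 11: Pup type 50 -> %d, 101 -> %d\n", accepts(11, 2, 50, 35, 24), accepts(11, 2, 101, 35, 24));
    printf("Fig. 12: socket 35 -> %d, 36 -> %d\n", accepts(12, 2, 50, 35, 24), accepts(12, 2, 50, 36, 24));
    return 0;
}
```

Two details are worth tracing by hand. In Figure 11 the same AND serves as the byte mask (PUSH00FF | AND) and as the logical conjunction of the three 0/1 comparison results, which works only because comparisons push exactly 0 or 1. In Figure 12 the two CAND instructions pop both operands and leave nothing behind, so the filter's result is just the final EQ; the short-circuit reject happens as soon as the low socket word mismatches, without ever fetching words 7 and 1.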

3.2 Control and status information

The user can control the packet filter’s action: the timeout duration for blocking reads, the signal sent on packet reception, and the maximum length of the queue

Information provided by the packet filter: the type of data-link layer (header length, ...), the maximum packet size, and the address for incoming packets (used for data-link layer broadcasts)

4. Implementation

Implemented in 4.3BSD Unix as a “character special device”

A character special device is called from user code through the open, close, read, write and ioctl system calls

The packet filter module is about 2000 lines of C code

The packet filter requires no modification of the Unix kernel: it is well isolated

BSD Packet Filter

Figure: BSD Packet Filter

5. Uses of the packet filter

Pup protocols

V-system protocols (a message-based distributed operating system)

RARP

Network monitoring (LANalyzer, Sniffer, Lanscan, ...)

NIT vs. BPF

6. Performance

Kernel per-packet processing time, measured over 1.3 million packets: 21% were processed by the packet filter, 69% were IP packets, 10% ARP

Packet filter

• Average of 1.57 msec processing each packet

Kernel-resident IP implementation

• An IP packet took 1.77 msec

• Processing up to TCP and UDP: 0.49 msec

6. Performance (Cont.)

Total per-packet processing time

6. Performance (Cont.)

VMTP performance

6. Performance (Cont.)

VMTP performance: bulk data transfer

6. Performance (Cont.)

Byte-stream throughput

6. Performance (Cont.)

Costs of demultiplexing outside the kernel

8. Summary

The performance of the packet filter is clearly better than that of a user-level demultiplexer, and the performance of protocol code based on the packet filter is clearly worse than that of kernel-resident protocol code.

A.1 Packet Filter

An efficient technique for interacting with the host’s device driver. Most Unix versions provide a user-level packet capture facility so that the network can be monitored. Since monitoring needs only the first few bytes of each packet, the required length is specified and statistics are gathered from the captured headers.

Network Interface Tap (NIT)

• Reduces system calls by supporting batched reads

• Stack-based structure

BSD Packet Filter (BPF)

• The most powerful packet filter known to date

• Uses registers, 20 times faster than the stack-based structure

• Non-shared buffer model

A.1 Packet Filter - BPF

When BPF is installed, an incoming packet is copied to BPF first, before it is passed up to the upper protocol stack

Packets are not read one at a time; they are collected in a buffer and read as one unit

Buffers for handling the collected packets: store buffer, hold buffer, free buffer

B. tcpdump

Introduction: collects all packets passing through a network interface that satisfy a filter expression; used for intrusion detection and traffic analysis

Download: ftp://ftp.ee.lbl.gov/libpcap.tar.Z, ftp://ftp.ee.lbl.gov/tcpdump.tar.Z

B. tcpdump - options

-a : convert network and broadcast addresses to names

-c number : exit after receiving the given number of packets

-dd : dump the packet-matching code as a fragment of a C program

-ddd : dump the packet-matching code as decimal numbers

-e : print the link-level header on each output line

-F file : use the file as input for the filter expression; any additional expression given on the command line is ignored

-i device : specify which interface to capture packets on

-n : do not convert addresses (port numbers, host addresses, etc.) to names

-N : do not print the domain qualification of host names

-p : do not put the interface into promiscuous mode

-q : print less protocol information, so output lines are shorter

B. tcpdump - primitives

dst host HOST : true if the IP destination field of the packet is HOST

src host HOST : true if the IP source field of the packet is HOST

host HOST : true if either the IP source or the IP destination of the packet is HOST

ether dst ehost : true if the Ethernet destination address is ehost

ether src ehost : true if the Ethernet source address is ehost

ether host ehost : true if either the Ethernet source or the Ethernet destination address is ehost

dst net NET : true if the IP destination address of the packet has the network number NET

src net NET : true if the IP source address of the packet has the network number NET

net NET : true if either the IP source or the IP destination address of the packet has the network number NET

net net mask mask : true if the IP address matches net with the specified netmask

net net/len : true if the IP address matches net with a netmask of len bits

B. tcpdump - packet capture

Capture size: tcpdump can set the amount of data captured per packet. It does not capture the whole datagram sent; by default the captured length is 68 bytes.

Changing the capture size: tcpdump -s length, for example tcpdump -s 1514

• (captures the 14-byte Ethernet frame header plus the 1500-byte Ethernet maximum transmission unit)

Figure: Ethernet frame layout. Frame header (14 bytes), then the IP datagram: IP header (20 bytes), protocol header (20 bytes), protocol data; the embedded packet is TCP, UDP or ICMP.

B. tcpdump - output

Sample output

05:06:35.981443 166.104.114.81.ssh > 218.49.139.135.3752: P 18704:18864(160) ack 161 win 30660 (DF) [tos 0x10]

Fields, left to right: timestamp; source host.port; destination host.port; TCP flag; starting TCP sequence number : ending TCP sequence number (data bytes); ack; window size

Table: TCP flags

TCP flag     Printed as   Meaning
SYN          “S”          Session connection request
ACK          “ack”        Acknowledgement that data was received
FIN          “F”          Normal connection termination
RESET        “R”          Abnormal, immediate connection termination
PUSH         “P”          Deliver the data to the application immediately
URGENT       “urg”        Give urgent data high priority
Placeholder  “.”          None of SYN, FIN, RESET, PUSH set
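As an added example (my code, not from the slides), a parser for the TCP output line format shown above, timestamp, src.port > dst.port: flags, optional seq:seq(len), ack and win, followed by a sanity check and a per-source count over a constructed sample log that starts with the slide's own line. The remaining sample lines, the hosts in them and the consistency rule (the byte count in parentheses must equal end minus start) are my additions; the format follows the 2003-era line on the slide, and other tcpdump versions print TCP lines differently.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides: a parser for the TCP line format shown
 * above (timestamp src.port > dst.port: flags [seq:seq(len)] [ack N] [win W] ...),
 * with a sanity check and a count over constructed sample lines. It follows
 * the 2003-era format on the slide; other tcpdump versions print differently. */

struct tcp_line {
    char ts[32], src[64], dst[64], flags[8];
    int has_seq, has_ack, has_win;
    unsigned long seq_start, seq_end, data_len, ack, win;
};

/* Returns 1 if the line has the expected shape, 0 otherwise (nothing is guessed). */
int parse_tcpdump_tcp(const char *line, struct tcp_line *out)
{
    int used = 0;
    const char *rest, *p;
    memset(out, 0, sizeof *out);
    if (sscanf(line, "%31s %63s > %63[^:]: %7s%n",
               out->ts, out->src, out->dst, out->flags, &used) != 4)
        return 0;
    rest = line + used;
    if (sscanf(rest, " %lu:%lu(%lu)", &out->seq_start, &out->seq_end, &out->data_len) == 3)
        out->has_seq = 1;
    if ((p = strstr(rest, " ack ")) && sscanf(p, " ack %lu", &out->ack) == 1)
        out->has_ack = 1;
    if ((p = strstr(rest, " win ")) && sscanf(p, " win %lu", &out->win) == 1)
        out->has_win = 1;
    return 1;
}

/* tcpdump prints host.port (or host.service); the port follows the last '.'. */
void split_hostport(const char *s, char *host, size_t hsz, char *port, size_t psz)
{
    const char *dot = strrchr(s, '.');
    size_t hl = dot ? (size_t)(dot - s) : strlen(s);
    if (hl >= hsz) hl = hsz - 1;
    memcpy(host, s, hl);
    host[hl] = '\0';
    snprintf(port, psz, "%s", dot ? dot + 1 : "");
}

/* The byte count in parentheses must equal end - start; a mismatch means the
 * line was mangled (or is not the format this parser expects). */
int seq_range_consistent(const struct tcp_line *l)
{
    return !l->has_seq || l->seq_end - l->seq_start == l->data_len;
}

/* Constructed sample log: the slide's own line first, then invented lines. */
static const char *const SAMPLE_LINES[] = {
    "05:06:35.981443 166.104.114.81.ssh > 218.49.139.135.3752: P 18704:18864(160) ack 161 win 30660 (DF) [tos 0x10]",
    "05:06:36.102331 218.49.139.135.3752 > 166.104.114.81.ssh: . ack 18864 win 64240 (DF)",
    "05:06:40.000001 10.1.2.3.40001 > 166.104.114.81.ssh: S 1000:1000(0) win 5840 <mss 1460> (DF)",
    "05:06:40.000010 10.1.2.3.40002 > 166.104.114.81.telnet: S 2000:2000(0) win 5840 (DF)",
    "not a tcpdump line at all",
};
#define NSAMPLES (sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0])

/* Number of sample lines that parse, come from `host`, and carry the S flag:
 * the count a monitor would keep per source to notice connection bursts. */
int count_syn_from(const char *host)
{
    int n = 0;
    for (size_t i = 0; i < NSAMPLES; i++) {
        struct tcp_line l;
        char h[64], p[16];
        if (!parse_tcpdump_tcp(SAMPLE_LINES[i], &l)) continue;
        split_hostport(l.src, h, sizeof h, p, sizeof p);
        if (strcmp(h, host) == 0 && strchr(l.flags, 'S')) n++;
    }
    return n;
}

int parse_ok(const char *line) { struct tcp_line l; return parse_tcpdump_tcp(line, &l); }

/* Data length and consistency of the slide's sample line (SAMPLE_LINES[0]). */
unsigned long slide_line_data_len(void)
{
    struct tcp_line l;
    return parse_tcpdump_tcp(SAMPLE_LINES[0], &l) && l.has_seq ? l.data_len : 0;
}
int slide_line_consistent(void)
{
    struct tcp_line l;
    return parse_tcpdump_tcp(SAMPLE_LINES[0], &l) && seq_range_consistent(&l);
}

int main(void)
{
    printf("slide line: %lu data bytes, consistent=%d\n", slide_line_data_len(), slide_line_consistent());
    printf("SYNs from 10.1.2.3: %d\n", count_syn_from("10.1.2.3"));
    return 0;
}
```

The parser deliberately reports a line it does not recognise as unparsed rather than filling in defaults; a monitor that silently counts malformed lines as zero-length, flagless traffic would miss exactly the records it should be looking at.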

B. tcpdump - example