Deep Packet Inspection as a Service Yaron Koral
- Slides: 29
Deep Packet Inspection as a Service Yaron Koral† Joint work with Anat Bremler-Barr‡, Yotam Harchol† and David Hay† †The Hebrew University, Israel ‡IDC Herzliya, Israel This work was supported by European Research Council (ERC) Starting Grant no. 259085
NFV and Innovation • NFV enables virtualizing network building blocks such as: FW, NAT, IDS, Monitoring, LB, Network AV, WAN Optimizer, etc. … • Increases network deployment flexibility, and also product introduction times. • Opens market for new vendors for network functions (Middleboxes) • About 400 SDN-NFV listed companies 2
Middleboxes Policy Chains SDN allows building policy chain via traffic steering 3
DPI Based Middleboxes Intrusion Detection System Network Anti-Virus L 7 Firewall Network Analytic Traffic Shaper A MB processes packet header or payload Lawful Copyright Enforcement Interception L 7 Load Balancer Leakage Prevention System The latter uses DPI engine 4
DPI Pattern Examples Snort (NIDS/NIPS) – Intrusion Detection Microsoft XML Core Services cross-site information disclosure attempt <x 21 DOCTYPEs+[^>]*SYSTEM[^>]*>. *x 2 Eparse. Error Clam. AV (Anti Virus) – Virus Detection Cabir. A computer worm signature 886 f 1 f 10123 a 001019040010 e 5 f 79547 e 6 ad 0100 bd 006 f 0064007500630074 004900440054003200200052005300330041005300789 c (binary) Bro (NIDS) - Application Classification MS Office 2007 XML documents x 50x 4 Bx 03x 04x 14x 00x 06x 00 5
DPI Engine – Complicated Challenge • Hundreds of academic papers over recent years scalability resiliency throughput fast updates latency low power compression • Pattern set size varies between 102 -105 patterns per MB • DPI Engine is considered a system bottleneck in many of todays MBs (30%-80%) [*Laboratory simulations over real deployments of Snort and Clam. AV] 6
Middleboxes Policy Chains DPI • Each MB implements its own DPI engine (higher MB costs, reduced features) • Each packet is scanned multiple times causing waste of computation resources 7
Our Solution: DPI as a Service DPI Contribution: The idea of having a centralized DPI service instead of multiple instances of it at each Middlebox • • Innovation – Lower entry barriers Rich Functionality – Invest once for all MB Reduced Costs – Cheaper MB HW/SW Improved performance - Scan each packet once 8
ARCHITECTURE 9
Architecture Overview (SDN) Register DPI Controller Traffic Steering Update Policy Chain Add Patterns Rules SDN Controller AV 1 TS DPI 1 hello DPI 2 S 1 S 4 hello S 3 hello IDS 1 L 7 FW 1 AV 2 IDS 2 10
Architecture: Data Plane • DPI Service Instance Scans incoming packets against an aggregated pattern set • Each pattern has a unique ID • Result: <Pattern ID> + <Match Offset> • Each packet may contain several pattern matches • All pattern-match results are attached to the packet ID: ID: … 139; Offset: 90 14; Offset: 109 723; Offset: 201 221; Offset: 507 DPI Service Instance 11
Passing Results • Match results header: usually 0 B; up to 200 B (99%) hello • Using existing tag-fields (i. e. VLAN / MPLS) does not suffice 12
Passing Results Alternative 1 • Network Service Header (NSH) – Supports a header per network service – Not limited in size – Resize MTU hello 13
Passing Results Alternative 2 • Separate result-packet – Mark original packet upon match (set ECN) – Delay packet until result-packet arrives hello 14
Middle. Box Support Payload MB with internal DPI engine Result structure Packet Decode (≈100 lines) MB with external DPI service 15
QUESTION: ARE THE DPI ALGORITHMS SCALABLE? 16
Are DPI Algorithms Scalable? • Short Answer: YES! • What are the DPI Algorithms? String Matching 886 f 1 f 10123 a 001019040010 e 5 f 79547 e 6 ad 0100 bd 006 f 00640075006300740049004400540032002000520053 00330041005300789 c Regex Matching <x 21 DOCTYPEs+[^>]*SYSTEM[^>]*>. *x 2 Eparse. Error 17
String Matching: Aho-Corasick Algorithm • Build a Deterministic Finite Automaton (basic full-table variant) E E • Each input byte requires single lookup regardless the number of patterns!! BE • $ Cost Function: 1 Mem. access per input byte E B • More patterns may results in a marginal performance reduction (cache) B D C s 4 s 13 A s 14 B C D B D D s 6 C BCDBCAB C s 8 C B D B C E E • Example: {E, BD, BCD, CDBCAB, BCAA} C s 7 s 5 A E C B s 2 s 3 B C B B s 1 E E s 0 E E B s 9 C s 10 A C s 11 B C s 12 18
Pattern Set Aggregation Pattern set 1 Pattern set 2 Pattern Set 1 Pattern Set 2 Both sets 19
Regular Expressions Matching • Repetition operators (e. g. Kleen star) may cause memory blowout Multi Regex Matching Multi String Matching + Single Regex Matching • Common approach: string matching w/global DFA >> single regex DFA <x 21 DOCTYPEs+[^>]*SYSTEM[^>]*>. *x 2 Eparse. Error <x 21 DOCTYPE SYSTEM x 2 Eparse. Error 20
DPI is Scalable, not Trivial… Encode DFA in TCAM Compact. DFA, To. N 2014 ACCH, To. N 2012 Resilient Multi-Core DPI over Compressed Traffic MCA 2, ANCS 2012 21
DPI AS A SERVICE & DIFFERENT MIDDLEBOXES LAYOUTS 22
Related Network-Functions Layouts • SDN + NFV VM TS ETSI. Network functions virtualization Gember et al. , Hot. Nets 2012 Rajagopalan et al. , NSDI 2013 • MB Consolidation Comb, NSDI 2012 x. OMB, ANCS 2012 Crossbeam, 2012 Kekely et al. , Infocom 2014 AV 1 IDS 1 L 7 FW 1 TS Hypervisor • Outsource MB (out-of-network) Gibb et al. , Hot. SDN 2012 Sherry et al. , SIGCOMM 2012 23
EXPERIMENTAL RESULTS 24
Experimental Environment • POX SDN Controller (Open. Flow 1. 0) • • Static steering mechanism DPI Service and Middlebox using separate machines Toy middlebox applications: Snort, Clam. AV Functionality: Tested in virtual environments DPI Controller Runs over POX SDN Controller Static Steering (Mininet, VMWare) • Performance: no Mininet (overhead) Toy Snort 1 DPI Service Instance Toy Clam. AV Toy Snort 2 Virtual 25 Environment
Performance Results Policy Chain with Two DPIs : IDS 1 AV 1 DPI as a Service Each using separate machines Two sep Combined DPI instances (DPI as a Service): arate DP Is DPI 1 IDS 1 DPI 2 AV 1 Patterns Space Throughput Latency Snort 4356 71. 18 MB 807. 7 Mbps 9. 69 us/p Clam. AV 31827 1. 87 GB 668. 4 Mbps 11. 91 us/p DPI 1 36183 1. 94 GB 563. 3 Mbps 13. 82 us/p DPI 2 36183 1. 94 GB 563. 3 Mbps 13. 82 us/p Overall Throughput Overall Latency 668. 4 Mbps 21. 5 us/p 1126 Mbps 26 13. 8 us/p
Future Work • Potential tasks to be “outsourced” as a service: – Payload Processing (Decryption/Decompression) • Retrieve raw data – Session reconstruction (Connection Tracking) • For session processing rather than packet processing – Header/protocol analysis • For protocol aware network functions • Use the DPI to extend Open. Flow based switches – Use the tags created by the DPI service to drive policies in conventional switches. 28
Conclusions • DPI is a common service used by today’s MB • Thanks to its scalability it may be easily exported as a stand-alone network service • DPI as a Service provides: – Innovation (Lower entry barriers) – Network scalability – Lower costs (Cheaper MB Hardware) 29
Thank You!!
- Applesauce with raspberry puree mre
- Deep packet inspection definition
- Deep packet inspection architecture
- Deep packet inspection encrypted traffic
- Deep packet inspection wireshark
- Deep packet inspection architecture
- Graves hastalığı
- Kanp koral
- Yaron shohat
- Yaron ernst
- Stateless packet filtering definition
- Deep packet injection
- Deep pocket inspection
- Deep asleep deep asleep it lies
- Deep forest towards an alternative to deep neural networks
- 深哉深哉
- Food safety and inspection service definition
- In service inspection
- Itil service transition definition
- Itil lifecycle phases
- Continual service improvement 7 steps
- Factors that influence desired service
- Evolution of soa
- Mpls class of service
- New service development process cycle
- Service owner vs service manager
- Help desk improvement plan
- Adp self pay
- The label side of the dental film packet
- Reed yorke umd