Kawaihiko Network


Experience at Auckland
with
SRL and NetFlowMet
Nevil Brownlee
The University of Auckland
Chicago IETF, August 1998
RTFM Architecture
(diagram: a manager loads a rule set into a meter, which observes the network; a meter reader collects flow data from the meter and passes it to an analysis application)
SRL / NetFlowMet 1
The University of Auckland
ICMP Smurf Attacks
(slides 2 and 3: graphics only, no text transcribed)
Kawaihiko Network
(diagram, August 97: member sites Waikato, Auckland, Massey, Lincoln, Canterbury and Otago, each with a router (R) and a meter (M); connections to NZIX and the Internet; a cache and a test meter; link figures of 128, 256 and 512, units not shown)
NetFlowMet Test Setup
(diagram: a router exports NetFlow data to NetFlowMet on a host labelled 'nifty', which meters the network)
SRL / NetFlowMet 5
(slide 6: graphic only, no text transcribed)
NetFlowMet Summary
• Provides access to traffic data from up to five
Cisco routers
• NetFlow sums packets and bytes - less work for the
NetFlowMet meter => higher metering capacity
• NetFlow flows are uni-directional. NetFlowMet
matches them up to give RTFM-style flow data
• Time resolution for flows is determined by
NetFlow. The algorithm used for sending out
information from the NetFlow cache is not
documented
SRL: the language
• A Language for Describing Traffic Flows and
Specifying Actions for Flow Groups
• For creating RTFM rulesets. Should also be
useful for other work involving traffic flows
• RTFM rulesets have three goals:
– Decide whether or not a flow is of interest
– Save values of requested attributes for each flow
– Specify direction for metered flows
• High-level language takes away the need
for users to understand the meter’s
Packet Matching Engine (PME)
Language Elements
• Operands: value & mask or value / width
• AND and OR expressions on operand lists
• Compound statements in braces { }
• IF-THEN-ELSE statement
• Variables and Store statements
• SAVE statements
• COUNT, IGNORE, NOMATCH statements
• SUBROUTINE statements
• Simple DEFINEs (no parameters)
Prog 1: Watch ICMP packets
if SourcePeerType == IP && SourceTransType == ICMP save, {
   if SourceTransAddress == 0               # ICMP type
      store FlowKind := 'E';                # Echo reply
   else if SourceTransAddress == 3
      store FlowKind := 'U';                # Destination unreachable
   ~ ~ ~
   else store FlowKind := '?';
   save SourceTransAddress;                 # ICMP type
   save DestTransAddress;                   # ICMP dest
   save SourcePeerAddress;
   save DestPeerAddress;
   count;
   }
else ignore;                                # Not an ICMP packet
Prog 2: Watch Kawaihiko network
define Waikato_B =
   130.217/16, 163.7/16, 166.83/16;
define Kawaihiko_B =
   Auckland_B, AIT_B, Waikato_B, Canterbury_B, Lincoln_B, Otago_B;

if SourcePeerType == IP save;
else ignore;
if DestPeerAddress == (Kawaihiko_B) nomatch;
                      # We want the Kawaihiko site as source
if SourcePeerAddress == (Auckland_B)
   save, store FlowKind := 'A';
else if SourcePeerAddress == (Otago_B)
   save, store FlowKind := 'O';
else {
   save SourcePeerAddress;
   store FlowKind := '?';
   }
save DestPeerAddress;
count;
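How NetFlowMet's pairing of uni-directional NetFlow records (NetFlowMet Summary) combined with Prog 2's direction rule could look, as an added Python example written for this page; it is not NetFlowMet's or the srl compiler's code. Assumptions: 130.216/16 stands in for Auckland_B (the slides define only Waikato_B); the record tuples are constructed here, not a real NetFlow export; the counter names ToPDUs/FromPDUs/ToOctets/FromOctets follow RFC 2720 (To = source to dest); and nomatch is modelled as the RTFM meter's retry with source and destination swapped, so a flow whose both ends are inside Kawaihiko is not counted at all.

```python
from ipaddress import ip_address, ip_network

# Site address blocks. Waikato_B is the slide's definition; using 130.216/16 as
# Auckland_B is an assumption of this example (the slides do not define it).
WAIKATO_B = [ip_network(n) for n in ("130.217.0.0/16", "163.7.0.0/16", "166.83.0.0/16")]
AUCKLAND_B = [ip_network("130.216.0.0/16")]
KAWAIHIKO_B = AUCKLAND_B + WAIKATO_B

# Constructed uni-directional records in the shape NetFlowMet gets from a
# router: (src, dst, proto, sport, dport, packets, octets). Not a real export.
RECORDS = [
    ("130.216.1.5", "203.0.113.9", 6, 40001, 80, 12, 1500),   # Auckland -> outside
    ("203.0.113.9", "130.216.1.5", 6, 80, 40001, 10, 9000),   # the reverse direction
    ("130.216.1.5", "130.217.2.2", 6, 5000, 25, 4, 400),      # Auckland -> Waikato, intra-Kawaihiko
    ("163.7.3.3", "198.51.100.7", 17, 53, 53, 1, 80),         # Waikato -> outside, one direction seen
    ("130.216.1.5", "203.0.113.9", 6, 40001, 80, 2, 300),     # continuation of the first flow
]


def in_block(addr, block):
    a = ip_address(addr)
    return any(a in net for net in block)


def orient(src, dst):
    """Prog 2's direction rule. A 'nomatch' makes the RTFM meter retry the
    packet with source and destination swapped (assumption stated above), so
    the Kawaihiko end always becomes the source. Returns (source, dest), or
    None when the flow fails in both directions (both ends inside Kawaihiko)."""
    if not in_block(dst, KAWAIHIKO_B):
        return src, dst
    if not in_block(src, KAWAIHIKO_B):
        return dst, src
    return None


def pair_flows(records):
    """Fold uni-directional records into RTFM-style bidirectional flows.

    Key: (SourcePeerAddress, DestPeerAddress, proto, source port, dest port)
    after orientation. Counters use RFC 2720 names: To* counts source->dest,
    From* counts dest->source."""
    flows = {}
    for src, dst, proto, sport, dport, pdus, octets in records:
        oriented = orient(src, dst)
        if oriented is None:
            continue
        forward = oriented == (src, dst)
        key = (src, dst, proto, sport, dport) if forward else (dst, src, proto, dport, sport)
        flow = flows.setdefault(key, {"ToPDUs": 0, "ToOctets": 0, "FromPDUs": 0, "FromOctets": 0})
        if forward:
            flow["ToPDUs"] += pdus
            flow["ToOctets"] += octets
        else:
            flow["FromPDUs"] += pdus
            flow["FromOctets"] += octets
    return flows


if __name__ == "__main__":
    for key, counters in pair_flows(RECORDS).items():
        print(key, counters)
```

The fourth record shows the case a practitioner should expect when only one router exports to the meter: if the return traffic takes another path, the From* counters of that flow stay at zero, and the flow data looks one-sided rather than being flagged as incomplete.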
Prog 3: Overlapping networks
define test_nets =
   130.216/16,
   130.216.7/24,    # overlapped
   130.216.9/20,
   130.216.7/24;    # duplicate

Nevil's SRL compiler, version 4.2b1
16:36:44 Thu 13 Aug 1998: Compiling k5.srl
k5.srl 17: if SourcePeerAddress == (test_nets) count;
WARNING >>>> 130.216.9 & 255.255.240 value has bits not covered by mask
WARNING >>>> 130.216.7 & 255.255.255 is duplicated in OR group
WARNING >>>> 130.216 & 255.255 contains 130.216.9 & 255.255.240
WARNING >>>> 130.216 & 255.255 contains 130.216.7 & 255.255.255
WARNING >>>> 130.216.9 & 255.255.240 contains 130.216.7 & 255.255.255
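The three checks behind the Prog 3 warnings (value bits outside the mask, duplicate operands, one operand containing another), as an added Python example written for this page; it is not the srl compiler's code. It takes SRL value/width operands, reproduces the value & mask notation and the warning wording from the slide, and reports every pair in the OR group; the padding of short dotted values, the decision to drop an exact duplicate before the containment pass, and the order of the warnings are this example's assumptions. An operand that can never match as written, or that is silently shadowed by a wider one, is exactly the kind of rule-set mistake that makes a meter count less than it appears to.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def parse_operand(text):
    """Parse an SRL address operand in value/width form, e.g. '130.216.7/24'.
    Short dotted values such as '130.216' are padded with zero octets
    (assumed to match SRL's shorthand). Returns (value, mask) as 32-bit ints."""
    value_text, width_text = text.strip().split("/")
    octets = value_text.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad address {value_text!r}")
    octets += ["0"] * (4 - len(octets))
    value = int(ipaddress.IPv4Address(".".join(octets)))
    width = int(width_text)
    if not 0 <= width <= 32:
        raise ValueError(f"bad width {width}")
    mask = (ALL_ONES << (32 - width)) & ALL_ONES
    return value, mask


def short_dotted(n):
    """Dotted form with trailing zero octets dropped, as the slide's output shows."""
    octets = [str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0)]
    while len(octets) > 1 and octets[-1] == "0":
        octets.pop()
    return ".".join(octets)


def show(value, mask):
    return f"{short_dotted(value)} & {short_dotted(mask)}"


def check_or_group(operands):
    """Return the warnings for one OR group of address operands."""
    warnings = []
    parsed = [parse_operand(op) for op in operands]

    # 1. Value bits outside the mask: the operand will never match what it
    #    appears to say, because only the masked bits are compared.
    for value, mask in parsed:
        if value & ~mask & ALL_ONES:
            warnings.append(f"{show(value, mask)} value has bits not covered by mask")

    # 2. Exact duplicates (same value and mask) are reported once and then
    #    dropped, so they do not also show up as containing themselves.
    distinct = []
    for value, mask in parsed:
        if (value, mask) in distinct:
            warnings.append(f"{show(value, mask)} is duplicated in OR group")
        else:
            distinct.append((value, mask))

    # 3. Containment: a shorter mask that is a prefix of a longer one, with
    #    the two values equal under the shorter mask, means the wider operand
    #    already covers the narrower one.
    for v1, m1 in distinct:
        for v2, m2 in distinct:
            if m1 != m2 and (m1 & m2) == m1 and (v1 & m1) == (v2 & m1):
                warnings.append(f"{show(v1, m1)} contains {show(v2, m2)}")
    return warnings


if __name__ == "__main__":
    # The test_nets group from Prog 3.
    for line in check_or_group(["130.216/16", "130.216.7/24", "130.216.9/20", "130.216.7/24"]):
        print("WARNING >>>>", line)
```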
SRL Summary
• The compiler has been carefully tested. SRL
programs are in production use at Auckland
• It wasn’t difficult to translate old rulesets into SRL.
The resulting SRL programs are a lot smaller and
much easier to understand
• The language seems well-suited to its immediate
goals, i.e. for writing RTFM rulesets
• Using DEFINEs is one good way to write ‘generic’
programs which can be easily converted for use in
other people’s networks
• srl (the compiler) is available with NeTraMet 4.2
. . . everyone should use it!