20060208-highspipv6-ricciulli

Transcript 20060208-highspipv6-ricciulli

1-10 Gbps IPv6 Programmable IDS/IPS
Livio Ricciulli
[email protected]
(408) 835-5005
Rome Laboratories

*Supported by the Division of Design Manufacturing and Industrial Innovation of the National Science Foundation (Awards #0339343, 0521902) and the Air Force Rome Laboratories.
Brief History

Active Networks (DARPA Program)
– Change behavior of network components (routers) dynamically (add new protocols, flow control algorithms, monitoring, etc.)
– Discrete: update network through separate management operations
– Integrated: packets cause network to update itself
– Broad scope did not result in industry adoption
– Lack of “killer application”
– Lack of tight industry interaction
– Tried to change too much too soon

Our bottom-up approach
– Achieve programmability while reusing current infrastructure
– Augment networks with new, non-invasive technology
– Application-driven rather than design-driven
– Work closely with users/operators
– Revisit hardware computational model
1-10 Gbps IDS/IPS Hardware

Open architecture to leverage open source software
– More robust, more flexible, promotes composability
– Directly support Snort signatures
– Abstract hardware as a network interface from the OS perspective

Retain high degree of programmability
– New threat models (around the corner)
– Extend to applications beyond IDS/IPS

Hardware support for adaptive information management
– Detailed reporting when reporting bandwidth is available
– Dynamically switch to more compact representations when necessary
– Gracefully handle state exhaustion

Line-speed/low latency to allow integration in production networks
– Unanchored payload string search
– Support analysis across packets
– Support the insertion of application-specific analysis code in the fast path
Flynn’s Computer Taxonomy

[Figure: Flynn’s taxonomy (SISD, SIMD, MISD, MIMD) drawn as processors P0 ... Pn with their instruction and data streams and memories, mapped onto the IDS pipeline “Get packet” → “Compare to rules” → “Alert”, with a reduction network collecting the alerts.]
Layer-1 Filtering

[Figure: the monitoring system sits between two PHYs; the RxData and RxEnable signals of each direction pass through an AND gate, so the system can block direction 1 or direction 2 at layer 1.]
Product Architecture

[Figure: 100Mb-10Gb data path PHY → FPGA → PHY. The FPGA holds L-1 block state in RAM, a read-only RAM of static rules loaded by synthesis + firmware update, and dynamic IPS/IDS rules loaded by runtime update.]
Flexible Deployment Options

[Figure: three placements: Inline IDS/IPS between router/switch ports; Passive IDS/IPS fed by multiple mirrors; Passive Inline IDS/IPS on a mirror port, forwarding to other passive devices.]

Inline
– IPS application
– Chain multiple cards inline for additional rule capacity

Passive (multiple mirrors)
– IDS and other passive monitoring
– Up to 4 cards/8 ports in Force10 appliance
– Mix of 1G and 10G

Passive inline (mirror port)
– Extend passive capacity
– Can hang multiple passive devices off 1 TAP or mirror
Stateful Content Inspection Performance Comparison

[Figure: percentage of alert loss (-20% to 100%) versus offered load in Mbps (0 to 3000) for the darpa, web1 and web2 traces, each with and without MTP.]
Intuitive Management Tools

Interface
– Card operates as a standard NIC
– Reuse all existing Unix-based utilities/applications
– Policies implemented rule by rule for block, forward, ignore and capture
IPv6 Security Hardware

IPv6 options provide a covert channel
– Ex. Joe 6 pack (http://people.suug.ch/~tgr/misc/j6p1.0.tar.gz) uses the IPv6 Destination option for transport

Want to see what IPv6 options are used for (for example source routing)
– Extend hardware payload match semantics to the IPv6 header

Tunneling
– Want to inspect headers of multiple tunnels
Technical Approach (continued)

Anchored and unanchored matching
– IPv4 matching requires the following 2 offsets
  – IPv4 header start (fixed 14 bytes from the start of the frame)
  – Payload start (variable due to Transmission Control Protocol (TCP) options)
– IPv6-capable hardware modified to work with multiple variable offsets provided by the decoding phase
  – IPv4-IPv6 header starts (variable due to tunneling)
  – Option starts (variable due to tunneling + IP options)
  – HLP start (variable due to tunneling + IP options)
  – Payload start (variable due to tunneling + IP options + TCP options)

Matching through variable offsets
Technical Approach

IPv6 Decoding according to RFC2460 + IPv4 Decoding
– Extract from the header a set of offset pointers into the packet, starting from the first Internet Protocol (IP) byte
– The following offsets are memorized for each packet
  – Header start V6
  – Header start V4
  – High-Level Protocol (HLP) start
  – Payload start
  – Hop-by-Hop
  – Routing
  – Fragment
  – Destination
  – Authentication
  – Security Payload
– Tunneling counter from 0 to N indicating which tunnel level
Additions to IPv6 API

8-bit “parse” value indicating which section of the packet is being clocked in
– Unknown
– IPV4 = 0x4
– Payload = 0xFE
– TCP = 0x6
– ICMPV4 = 0x1
– UDP = 0x11
– IPV6 = 41
– Routing = 43
– Fragment = 44
– Destination = 60
– Authentication = 51
– Security Payload = 50
– ICMPv6 = 58
– Hop by Hop = 0

Counters
– Tunnel “tcnt” counter
– Length offset within section pointed to by “parse”
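A software model of the decoding phase described on the two Technical Approach slides and the parse codes above, written for this transcript as an added example (not the deck's own hardware or API): it walks the IPv6/IPv4 next-header chain per RFC 2460, records the start offset and length of each section from the first IP byte, counts the tunnel level (tcnt) and labels sections with the slide's parse values. The sample packet is constructed here; the AH/ESP length rules follow RFC 4302/4303, which the slides do not spell out.

```python
import struct

# "parse" codes from the slide (next-header numbers; 0xFE = payload sentinel, None = Unknown)
PARSE = {"IPV4": 0x4, "PAYLOAD": 0xFE, "TCP": 0x6, "ICMPV4": 0x1, "UDP": 0x11,
         "IPV6": 41, "ROUTING": 43, "FRAGMENT": 44, "DESTINATION": 60,
         "AUTHENTICATION": 51, "SECURITY_PAYLOAD": 50, "ICMPV6": 58, "HOP_BY_HOP": 0}
EXT_LEN8 = {0, 43, 60}          # ext headers whose Hdr Ext Len counts 8-octet units (minus first 8)

def decode(pkt):
    """Walk the header chain; return ([(parse_code, offset, length), ...], tcnt)."""
    # offsets count from the first IP byte, as on the slide; tcnt = tunnel level (0 = outer header)
    sections, tcnt, off = [], 0, 0
    nh = 41 if pkt[0] >> 4 == 6 else 0x4        # version nibble of the first byte
    while True:
        if nh == 41:                             # IPv6 fixed header: 40 bytes, next header at byte 6
            sections.append((41, off, 40)); nh, off = pkt[off + 6], off + 40
        elif nh == 0x4:                          # IPv4 header: IHL*4 bytes, protocol at byte 9
            ln = (pkt[off] & 0xF) * 4
            sections.append((0x4, off, ln)); nh, off = pkt[off + 9], off + ln
        elif nh in EXT_LEN8:                     # Hop-by-Hop / Routing / Destination options
            ln = (pkt[off + 1] + 1) * 8
            sections.append((nh, off, ln)); nh, off = pkt[off], off + ln
        elif nh == 44:                           # Fragment header: fixed 8 bytes
            sections.append((44, off, 8)); nh, off = pkt[off], off + 8
        elif nh == 51:                           # AH (RFC 4302): Payload Len in 4-octet units, minus 2
            ln = (pkt[off + 1] + 2) * 4
            sections.append((51, off, ln)); nh, off = pkt[off], off + ln
        elif nh == 50:                           # ESP: the rest is encrypted, stop here
            sections.append((50, off, len(pkt) - off)); return sections, tcnt
        elif nh in (0x6, 0x11, 0x1, 58):         # HLP start, then payload start
            hl = (pkt[off + 12] >> 4) * 4 if nh == 0x6 else (8 if nh == 0x11 else 4)
            sections.append((nh, off, hl))
            sections.append((0xFE, off + hl, len(pkt) - off - hl)); return sections, tcnt
        else:                                    # "Unknown": record the rest and stop decoding
            sections.append((None, off, len(pkt) - off)); return sections, tcnt
        if nh in (41, 0x4):                      # an IP header inside IP: one more tunnel level
            tcnt += 1

def build_sample():
    """Constructed packet: IPv6 + Hop-by-Hop + Destination opt + IPv6-in-IPv6 + TCP + 4 payload bytes."""
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, 0x02, 0, 0, 0) + b"GET "
    inner = struct.pack("!IHBB", 0x60000000, len(tcp), 6, 64) + bytes(32) + tcp
    dst_opt = bytes([41, 0, 1, 4, 0, 0, 0, 0])   # next=IPv6(41), len 0 (8 bytes), PadN option
    hbh = bytes([60, 0, 1, 4, 0, 0, 0, 0])       # next=Destination(60), PadN option
    body = hbh + dst_opt + inner
    return struct.pack("!IHBB", 0x60000000, len(body), 0, 64) + bytes(32) + body
```

Running decode(build_sample()) yields the section table the slide describes (outer V6 at 0, Hop-by-Hop at 40, Destination at 48, inner V6 at 56, HLP at 96, payload at 116) with tcnt = 1.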
TopN destination ports

// Dual-port memory: port 1 is indexed by the destination port (read the old count, write the new one);
// port 2 is read by the management side on the configuration clock
memory mem(.c1(clk), .a1(dstp[15:0]), .di1(newval), .do1(oldvalout), .w(write),
           .c2(cnfclk), .a2(address[15:0]), .do2(valout));

always @(posedge clk)
begin
    if (offset == 1) begin
        // offset 1 within the current section: capture the protocol byte
        proto <= data[7:0];
    end else if (offset == 2 && (proto == 6 || proto == 17)) begin
        // offset 2, TCP (6) or UDP (17): capture the destination port
        dstp <= data[31:16];
    end else if (offset == 4 && dstp != 0) begin
        // offset 4: the old count for dstp has been read out; write back count + 1
        newval <= oldvalout + 1;
        write <= 1;
    end else begin
        write <= 0;
    end
end
Reuse existing Open Source
Available Today

P10 PCI Card (10 GbE interface)
– High speed PCI card in 1U chassis
– Wire-speed stateful deep packet inspection; 20G-in/20G-out
– 650 static rule capacity; 65 dynamic rules (currently being increased)
– 8 million concurrent flows

P1 PCI Card (GbE interface)
– High speed PCI card in 1U chassis
– Wire-speed stateful deep packet inspection; 2G-in/2G-out
– 1000 static rule capacity; up to 200 dynamic (currently being increased)
– 2 million concurrent flows

P1/P10 Appliance
– 1U host embeds a P1 or P10 PCI card
– Software and drivers pre-installed and pre-configured
Summary

– Extremely low latency design enables a wide variety of deployment options
– Leverage Open Source software
– 1G and 10G available today
– Processing paradigm lends itself to ad-hoc application level programmability

Livio Ricciulli
[email protected]
(408) 835-5005
www.metanetworks.org

Thank You