A Tunnel-Aware Language for Network Packet Filtering

IEEE/ACM Trans. Networking

Ciminiera

2015

Self Cite

Designing an efficient and scalable packet filter for modern computer networks becomes more challenging each day: Faster link speeds, the steady increase in the number of encapsulation rules (e.g., tunneling), and the necessity to precisely isolate a given subset of traffic cause filtering expressions to become more complex than in the past. Most current packet filtering mechanisms cannot deal with those requirements because their optimization algorithms either cannot scale with the increased size of the filtering code or exploit simple domain-specific optimizations that cannot guarantee to operate properly in case of complex filters. This paper presents pFSA, a new model that transforms packet filters into finite state automata and guarantees the optimal number of checks on the packet, also in case of multiple filters composition, hence enabling efficiency and scalability without sacrificing filtering computation time.Index Terms-Finite state automata, packet filters, pFSA.

Section: Methodsmentioning

confidence: 99%

Modeling Complex Packet Filters With Finite State Automata

Leogrande

IEEE/ACM Trans. Networking

Ciminiera

2015

Self Cite

“…The adoption of a mid-level assembly language helps making the NetVM general enough to be independent from any specific high-level language. In fact, NetIL can be an excellent target for several high-level languages, ranging from declarative (e.g., rule based such as NetPFL [9]) to imperative ones (e.g., C).…”

Section: Network Processing Elementmentioning

confidence: 99%

Creating portable and efficient packet processing applications

Morandi

Rolando

et al. 2011

Des Autom Embed Syst

Self Cite

Network processors are special-purpose programmable units deployed in many modern high-speed network devices, which combine flexibility and high performance. However, software development for these platforms is traditionally cumbersome due both to the lack of adequate programming abstractions and to the impossibility of reusing the same software on different hardware platforms.In this context, the Network Virtual Machine (NetVM) aims at defining an abstraction layer for the development of portable and efficient data-plane packet processing applications. Portability and efficiency are achieved altogether by virtualizing the hardware and by capturing in the programming model the peculiar characteristics of the application domain.This paper validates the NetVM model, demonstrating that the proposed abstraction coupled with a proper implementation of the NetVM Framework is able to provide generality (i.e., capability to support a wide range of applications), software portability across heterogeneous network processor architectures, and efficiency of the generated code, often exceeding the one obtained using state-of-the-art compilers.

“…However, the capability to follow any possible encapsulation may result into slower processing (as the filtering code is forced to check for any possible encapsulation path) and this additional cost may not always be acceptable. A possible solution to this issue is provided by the NetPFL language [2], which allows to define packet filtering rules including which encapsulation paths have to be followed (e.g., ip in vlan in ethernet), without modifying the NetPDL protocol definitions.…”

Section: Introductionmentioning

confidence: 99%

“…While the NetPFL language is very flexible, so far only a partial implementation is available [2], which does not support the explicit filtering on protocol chains; consequently the possible optimizations were not taken into consideration at all. This paper extends the initial work by presenting an algorithm that can generate efficient filtering code based on NetPFL header chains, that can select traffic based on one or more encapsulation rules specified at run-time.…”

Section: Introductionmentioning

confidence: 99%

Filtering network traffic based on protocol encapsulation rules

Cerrato

Leogrande

2013 International Conference on Computing, Networking and Communications (ICNC)

2013

Packet filtering is a technology at the foundation of many traffic analysis tasks. While languages and tools for packet filtering have been available for many years, none of them supports filters operating on the encapsulation relationships found in each packet. This represents a problem as the number of possible encapsulations used to transport traffic is steadily increasing and we cannot define exactly which packets have to be captured. This paper presents our early work on an algorithm that models protocol filtering patterns (including encapsulation constraints) as Finite State Automata and supports the composition of multiple expressions within the same filter. The resulting, optimized filter is then translated into executable code. The above filtering algorithms are available in the NetBee open source library, which provides some basic tools for handling network packets (e.g., a tcpdump-like program) and APIs to build more advanced tools.