Timothy Whelan. Supervisor: Mr Barry Irwin. Security and Networks Research Group, Department of Computer Science, Rhodes University. Hardware based packet filtering using FPGAs (Part 2!)


Hardware based packet filtering using FPGAs (Part 2!)

What’s happened since last time?

•Started my literature review

•WORKED FOR FESTIVAL

•Finished my literature review

•(Ordered a new toy)

But first – my toy :D

Presentation plan

•The packet classification problem

•Overview of literature review

•Classification algorithms

•Deep packet inspection algorithms

•Plan of action

The packet classification problem

Most packets contain the basic 5-tuple (Source/Destination IP addresses, Source/Destination Port numbers, protocol).

The 5-tuple can determine much of packet routing and how packets should be handled (dropped, ignored, allowed etc.).

Different combinations of field values in the 5-tuple require different actions, i.e. they match different filters.

Reactions to packets can also be based on the contents of the packet’s payload, and may depend on the packet’s context/classification.

The packet classification problem aims to determine what response a packet should elicit given its header field values and payload contents.

(Packet classification, as usually defined, works on header fields only and leaves deep packet inspection aside.)

Classification Algorithms

•Linear/Parallel search

•Grid-of-tries

•Cross-producting

•Bit-vector

•Example: The BV-TCAM Architecture

Linear/Parallel search

Linear vs Parallel

Linear                  Parallel
Easy to implement       Very fast
Reliable                Very fast (and reliable)
Not very fast           Resource expensive

Parallel search – TCAM technology

Pros

•Compares the search key against every stored entry in parallel (one lookup per clock cycle)

•Addressed by content: returns the location of the entry matching the key, rather than the data stored at a given address

•Each bit can store a ternary value – 0, 1 or ‘*’ (don’t care), so prefixes and wildcards fit directly

Cons

•Expensive, inefficient (notably in power), requires extra overhead, “doesn’t scale well”
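As an added illustration (not part of the presentation or its cited designs), the Python below models a TCAM on the 5-tuple: each entry is a (value, mask) pair, every entry is compared at once, and the lowest matching index wins. The key layout, the rule set and the range-to-prefix expansion are assumptions made for this example; the expansion shows concretely why port ranges cost a TCAM extra entries, since a TCAM can only express prefixes.

```python
"""Software model of a TCAM performing 5-tuple classification.

Added example for this presentation, not the author's design. A TCAM
entry holds 0, 1 or '*' per bit, modelled here as a (value, mask) pair:
a key matches when key & mask == value & mask. Hardware compares every
entry in parallel and a priority encoder reports the lowest-index hit,
so overlapping entries must be installed most-specific first. A TCAM
matches prefixes, not arbitrary ranges, so a port range is expanded
into several prefix entries; that expansion is one concrete source of
the "extra overhead" and poor scaling noted above.
"""
import ipaddress

# Packed key layout, most significant field first (layout chosen for this example).
FIELDS = (("src", 32), ("dst", 32), ("sport", 16), ("dport", 16), ("proto", 8))


def pack(fields):
    """Pack {"src": int, "dst": int, ...} into one 104-bit integer key."""
    key = 0
    for name, width in FIELDS:
        value = fields[name]
        assert 0 <= value < (1 << width), f"{name} out of range"
        key = (key << width) | value
    return key


def range_to_prefixes(lo, hi, width):
    """Split [lo, hi] into the minimal list of aligned (value, mask) prefixes."""
    full = (1 << width) - 1
    out = []
    while lo <= hi:
        size = 1
        # Grow the block while it stays aligned at lo and inside [lo, hi].
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        out.append((lo, full & ~(size - 1)))
        lo += size
    return out


class TCAM:
    def __init__(self):
        self.entries = []  # (value, mask, action); index = priority

    def add_rule(self, src, dst, sport, dport, proto, action):
        """src/dst are CIDR strings, sport/dport are (lo, hi) ranges,
        proto is an IP protocol number or None for wildcard."""
        s = ipaddress.ip_network(src, strict=False)
        d = ipaddress.ip_network(dst, strict=False)
        proto_v, proto_m = (0, 0) if proto is None else (proto, 0xFF)
        for sp_v, sp_m in range_to_prefixes(sport[0], sport[1], 16):
            for dp_v, dp_m in range_to_prefixes(dport[0], dport[1], 16):
                value = pack({"src": int(s.network_address), "dst": int(d.network_address),
                              "sport": sp_v, "dport": dp_v, "proto": proto_v})
                mask = pack({"src": int(s.netmask), "dst": int(d.netmask),
                             "sport": sp_m, "dport": dp_m, "proto": proto_m})
                self.entries.append((value, mask, action))

    def lookup(self, src, dst, sport, dport, proto):
        """Return (entry index, action) of the highest-priority match."""
        key = pack({"src": int(ipaddress.ip_address(src)),
                    "dst": int(ipaddress.ip_address(dst)),
                    "sport": sport, "dport": dport, "proto": proto})
        # Every entry is compared at once in hardware; the priority encoder
        # then reports the lowest index that matched.
        for idx, (value, mask, action) in enumerate(self.entries):
            if key & mask == value & mask:
                return idx, action
        return None, "deny"  # nothing matched: default policy


def build_demo_tcam():
    """Constructed rule set: host-specific deny installed ahead of the subnet allow."""
    t = TCAM()
    any_port = (0, 65535)
    t.add_rule("10.0.0.5/32", "192.168.1.0/24", any_port, (22, 22), 6, "deny")
    t.add_rule("10.0.0.0/24", "192.168.1.0/24", any_port, (22, 22), 6, "allow")
    t.add_rule("0.0.0.0/0", "192.168.1.10/32", (1024, 65535), (80, 80), 6, "allow")
    t.add_rule("0.0.0.0/0", "0.0.0.0/0", any_port, any_port, None, "deny")
    return t


if __name__ == "__main__":
    t = build_demo_tcam()
    print(len(t.entries), "TCAM entries for 4 rules")  # the ephemeral-port range alone costs 6
    print(t.lookup("10.0.0.5", "192.168.1.7", 40000, 22, 6))
    print(t.lookup("172.16.0.1", "192.168.1.10", 50000, 80, 6))
    print(len(range_to_prefixes(1, 65534, 16)), "entries for ports 1-65534")
```

The order in which entries are installed is the policy: swapping the first two rules would let the subnet allow shadow the host deny, and nothing in the lookup would flag it. The four rules occupy nine entries, and a range such as 1–65534 needs 30, which is the scaling cost the slide refers to.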

Grid-of-tries

Useful for prefix ranges

Good for 2D filters, worse for >2D

Will probably use this approach for IP address filters
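Added example of the 2D structure itself, not the author's implementation: a grid-of-tries over (destination prefix, source prefix) with the stored-rule precomputation and switch pointers that let it avoid backtracking. Addresses are handled as bit strings; the rule set, costs and actions are constructed for the example.

```python
"""Grid-of-tries over (destination prefix, source prefix) rules.
Added example, not the author's implementation. A trie over destination
prefixes hangs a source trie off each node that is some rule's destination.
Searching only the longest matching destination's source trie would miss
rules filed under shorter destinations, so each source-trie node (1) stores
the cheapest rule with that exact source prefix and this or any shorter
destination, and (2) keeps a "switch pointer" for each child bit it lacks,
aimed at the same source path in the nearest ancestor destination's trie.
One pass over the destination bits plus one over the source bits then finds
the lowest-cost match with no backtracking.
"""
import ipaddress

def bits(cidr):  # '10.0.0.0/8' -> '00001010'; a bare address gives all 32 bits
    net = ipaddress.ip_network(cidr, strict=False)
    return format(int(net.network_address), "032b")[:net.prefixlen]

def better(a, b):  # lower cost wins; None means "no rule"
    present = [r for r in (a, b) if r is not None]
    return min(present, key=lambda r: r[0], default=None)

class Node:
    def __init__(self):
        self.child = {}       # '0'/'1' -> Node
        self.switch = {}      # '0'/'1' -> Node in an ancestor source trie
        self.rule = None      # (cost, action) stored at this source node
        self.src_trie = None  # destination nodes only: root of its source trie

def walk(root, path, create=False):
    """Follow a bit string from root; create missing nodes or return None."""
    node = root
    for b in path:
        if b not in node.child:
            if not create:
                return None
            node.child[b] = Node()
        node = node.child[b]
    return node

class GridOfTries:
    def __init__(self, rules):
        """rules: iterable of (dst_cidr, src_cidr, cost, action)."""
        self.dst_root = Node()
        for dst, src, cost, action in rules:
            d = walk(self.dst_root, bits(dst), create=True)
            if d.src_trie is None:
                d.src_trie = Node()
            s = walk(d.src_trie, bits(src), create=True)
            s.rule = better(s.rule, (cost, action))
        self._precompute(self.dst_root, [])

    def _precompute(self, dnode, ancestors):
        """Top-down over the destination trie: fold in rules from ancestor
        source tries and install switch pointers for missing children."""
        if dnode.src_trie is not None:
            def nearest(path):  # same source path in the nearest ancestor trie
                for anc in reversed(ancestors):
                    hit = walk(anc, path)
                    if hit is not None:
                        return hit
                return None
            stack = [(dnode.src_trie, "")]
            while stack:
                snode, path = stack.pop()
                same = nearest(path)
                if same is not None:
                    snode.rule = better(snode.rule, same.rule)
                for b in "01":
                    if b in snode.child:
                        stack.append((snode.child[b], path + b))
                    else:
                        target = nearest(path + b)
                        if target is not None:
                            snode.switch[b] = target
            ancestors = ancestors + [dnode.src_trie]
        for child in dnode.child.values():
            self._precompute(child, ancestors)

    def lookup(self, dst_ip, src_ip):
        node, start = self.dst_root, self.dst_root.src_trie
        for b in bits(dst_ip):  # pass 1: longest matching destination prefix
            node = node.child.get(b)
            if node is None:
                break
            if node.src_trie is not None:
                start = node.src_trie
        if start is None:
            return None
        best, node = start.rule, start
        for b in bits(src_ip):  # pass 2: source bits, switching tries as needed
            node = node.child.get(b) or node.switch.get(b)
            if node is None:
                break
            best = better(best, node.rule)
        return best

# Constructed rule set: (dst, src, cost, action); lower cost = higher priority.
DEMO_RULES = [
    ("192.168.1.0/24", "10.0.0.0/8", 1, "allow"),
    ("192.168.0.0/16", "10.1.0.0/16", 2, "deny"),
    ("192.168.0.0/16", "0.0.0.0/0", 3, "log"),
    ("0.0.0.0/0", "0.0.0.0/0", 9, "deny"),
]
```

The second rule is the interesting case: it sits under the shorter destination 192.168.0.0/16 but has the longer source prefix, so a lookup that starts in the /24's source trie reaches it only through a switch pointer. The same wiring is why the structure is awkward beyond two fields: every extra dimension multiplies the tries that need cross-links.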

Cross-producting

Initial field matching can be performed in parallel

Uses one more look-up in the cross-product table

Requires a large memory: the cross-product table holds an entry for every combination of per-field matches
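Added example (not the author's code) of cross-producting over three prefix/exact-match fields. The rule set is constructed; the point to watch is `len(table)`, which is the product of the distinct prefix counts per field, i.e. the memory cost above.

```python
"""Cross-producting for prefix/exact-match fields, as an added example (not
the author's code). Each field is looked up on its own against that field's
list of distinct prefixes (lookups that can run in parallel in hardware);
the tuple of per-field results then indexes one precomputed table holding
the best rule for that combination. The table has an entry for every
combination, which is the memory cost noted above.
"""
import ipaddress
import itertools


def prefix_bits(cidr):  # '10.0.0.0/8' -> '00001010'; bare address -> 32 bits
    net = ipaddress.ip_network(cidr, strict=False)
    return format(int(net.network_address), "032b")[:net.prefixlen]


def proto_bits(proto):  # None = wildcard (empty prefix), else exact 8-bit value
    return "" if proto is None else format(proto, "08b")


def longest_match(prefixes, value_bits):
    """Longest prefix in the list that value_bits starts with ('' always matches)."""
    return max((p for p in prefixes if value_bits.startswith(p)), key=len)


class CrossProduct:
    def __init__(self, rules):
        """rules: list of (src_cidr, dst_cidr, proto, cost, action); low cost wins."""
        self.rules = [(prefix_bits(s), prefix_bits(d), proto_bits(p), c, a)
                      for s, d, p, c, a in rules]
        # Distinct prefixes per field; '' (match anything) is always present.
        self.fields = [sorted({r[i] for r in self.rules} | {""}) for i in range(3)]
        self.table = {}
        for combo in itertools.product(*self.fields):
            # A rule covers the combination when each of its prefixes is a
            # prefix of that field's entry in the combination.
            hits = [r for r in self.rules if all(combo[i].startswith(r[i]) for i in range(3))]
            self.table[combo] = min(hits, key=lambda r: r[3], default=None)

    def lookup(self, src, dst, proto):
        """Best (cost, action) for a packet, or None: three independent
        longest-prefix lookups and one table read."""
        values = (prefix_bits(src), prefix_bits(dst), proto_bits(proto))
        combo = tuple(longest_match(self.fields[i], values[i]) for i in range(3))
        hit = self.table[combo]
        return None if hit is None else (hit[3], hit[4])


# Constructed rule set (src, dst, proto, cost, action); lower cost = higher priority.
DEMO_RULES = [
    ("10.0.0.5/32", "192.168.1.0/24", 6, 1, "deny"),
    ("10.0.0.0/8", "192.168.1.0/24", 6, 2, "allow"),
    ("0.0.0.0/0", "192.168.1.0/24", None, 3, "log"),
    ("0.0.0.0/0", "0.0.0.0/0", None, 9, "deny"),
]
```

Four rules already give 3 x 2 x 2 = 12 table entries; with realistic rule sets the product of per-field prefix counts is what exhausts memory, which is why the literature pairs cross-producting with caching or partitioning.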

Bit vector

A geometric approach to packet classification

1. Determine the set of applicable filters for each field

2. Intersection of filters yields applicable filters for whole packet

Also lends itself to parallelism

Example: address 10 matches the filters 10010000010 and port 7 matches 00001000110; 10010000010 AND 00001000110 -> 00000000010, so exactly one filter matches the whole packet.

(will probably also use this technique to combine results of port range matching)

The BV-TCAM architecture

•Song and Lockwood observed that in a filter set there are few unique IP addresses or address masks but varying protocols and port numbers

•Used TCAMs for IP address matching – small variety of unique addresses

•TCAM output was encoded in a bit vector

•Grid-of-tries used for protocol matching – protocol determined which set of tries to search

•Output also in the form of a bit vector

•Intersection of bit vectors yielded final set of matched filters

•Design achieved 2.5 Gbps
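Added example for the bit-vector technique above and for the BV-TCAM combination it feeds (not the cited design): each field answers with a vector of matching filters, the vectors are ANDed, and the first set bit is the highest-priority match. Port ranges use the elementary-interval projection of the bit-vector scheme; the address stage is a simple per-filter prefix compare standing in for the TCAM. The filter set is constructed, and `as_bits` prints vectors with filter 0 leftmost as on the slide.

```python
"""Bit-vector classification in the BV-TCAM style, as an added example (not
the cited design). Each field is searched on its own and answers with an
N-bit vector, one bit per filter, set when that field's value satisfies the
filter; ANDing the vectors leaves exactly the filters the whole packet
satisfies, and the first set bit is the highest-priority one. Port ranges
use the projection idea from the bit-vector scheme: every range endpoint
cuts the port axis into elementary intervals, each with a precomputed
vector, so a lookup is one binary search. The address stage here is a plain
per-filter prefix compare standing in for the TCAM.
"""
import bisect
import ipaddress

# Constructed filter set in priority order (index 0 = highest priority).
FILTERS = [
    dict(src="10.0.0.5/32", dst="192.168.1.0/24", sport=(0, 65535), dport=(22, 22), proto=6, action="deny"),
    dict(src="10.0.0.0/8", dst="192.168.1.0/24", sport=(0, 65535), dport=(22, 22), proto=6, action="allow"),
    dict(src="0.0.0.0/0", dst="192.168.1.10/32", sport=(1024, 65535), dport=(80, 80), proto=6, action="allow"),
    dict(src="0.0.0.0/0", dst="192.168.1.0/24", sport=(0, 65535), dport=(53, 53), proto=17, action="allow"),
    dict(src="0.0.0.0/0", dst="0.0.0.0/0", sport=(0, 65535), dport=(0, 65535), proto=None, action="deny"),
]


def as_bits(vector, n):
    """Render a vector with filter 0 leftmost, as written on the slide."""
    return "".join("1" if vector >> i & 1 else "0" for i in range(n))


class BitVectorClassifier:
    def __init__(self, filters):
        self.filters = filters
        self.n = len(filters)
        self.nets = {f: [ipaddress.ip_network(r[f], strict=False) for r in filters]
                     for f in ("src", "dst")}
        self.ports = {f: self._project([r[f] for r in filters]) for f in ("sport", "dport")}

    @staticmethod
    def _project(ranges):
        """Cut 0..65535 at every range endpoint; one precomputed vector per piece."""
        starts = sorted({0} | {lo for lo, _ in ranges} | {hi + 1 for _, hi in ranges if hi < 65535})
        vectors = []
        for start in starts:  # a range covers a whole piece or none of it
            v = 0
            for i, (lo, hi) in enumerate(ranges):
                if lo <= start <= hi:
                    v |= 1 << i
            vectors.append(v)
        return starts, vectors

    def port_vector(self, field, value):
        starts, vectors = self.ports[field]
        return vectors[bisect.bisect_right(starts, value) - 1]

    def addr_vector(self, field, ip):
        addr = ipaddress.ip_address(ip)
        return sum(1 << i for i, net in enumerate(self.nets[field]) if addr in net)

    def proto_vector(self, proto):
        return sum(1 << i for i, r in enumerate(self.filters) if r["proto"] in (None, proto))

    def field_vectors(self, src, dst, sport, dport, proto):
        """Per-field vectors, the intermediate result the slide's AND consumes."""
        return {"src": self.addr_vector("src", src), "dst": self.addr_vector("dst", dst),
                "sport": self.port_vector("sport", sport), "dport": self.port_vector("dport", dport),
                "proto": self.proto_vector(proto)}

    def classify(self, src, dst, sport, dport, proto):
        """(filter index, action) of the highest-priority match, or None."""
        v = (1 << self.n) - 1
        for vec in self.field_vectors(src, dst, sport, dport, proto).values():
            v &= vec
        if v == 0:
            return None
        idx = (v & -v).bit_length() - 1  # priority encoder: lowest set bit wins
        return idx, self.filters[idx]["action"]
```

Each field lookup is independent, so in hardware the five vectors arrive together and the AND plus priority encode is one stage; the vectors are as wide as the filter set, which is what bounds the number of filters such a design can hold in on-chip memory.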

Deep packet inspection

•Simple N parallel rule check

•Deterministic finite state automata

N parallel rule checks

•N comparators, one per signature string, each checked against every byte offset within the packet

•Header processing and payload inspection can be pipelined to increase throughput

•Sourdis and Pnevmatikatos achieved 10 Gbps throughput

Deterministic finite state automata

Deterministic automata were created using software tools and then mapped to FPGAs. Each DFA searched for a separate string.
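Added example (not the cited designs) modelling both payload-scanning strategies above in software: N comparators tested at every offset, and one deterministic automaton per string built with the KMP construction and driven one byte at a time. The sample request and signature strings are constructed; both scanners report the same hits, and the DFA's table dimensions show what a synthesised state machine has to hold.

```python
"""Two payload-scanning strategies from the slides, modelled in software as
an added example (not the cited designs). Both report every (offset,
pattern) hit in a constructed HTTP request.
"""

# Constructed sample: a directory-traversal request and the strings to look for.
PAYLOAD = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"
PATTERNS = [b"/etc/passwd", b"../", b"cmd.exe"]


def parallel_comparators(payload, patterns):
    """N comparators, one per pattern, each tested at every byte offset.
    Hardware runs the N compares of one offset in the same cycle; here
    the same work is serialised. Cost grows with N * len(payload)."""
    hits = []
    for offset in range(len(payload)):
        for pat in patterns:
            if payload[offset:offset + len(pat)] == pat:
                hits.append((offset, pat))
    return sorted(hits)


def build_dfa(pattern):
    """Deterministic automaton for one byte string (KMP-style construction).
    State j = 'j pattern bytes matched so far'; table[j][byte] is the next
    state, so a synthesised machine needs (len+1) states x 256 transitions
    and does one table lookup per payload byte, never re-reading input."""
    m = len(pattern)
    table = [[0] * 256 for _ in range(m + 1)]
    table[0][pattern[0]] = 1
    x = 0  # state reached by the longest proper suffix of pattern[:j]
    for j in range(1, m + 1):
        table[j] = list(table[x])           # on a mismatch, behave like state x
        if j < m:
            table[j][pattern[j]] = j + 1    # on the expected byte, advance
            x = table[x][pattern[j]]
    return table


def run_dfa(payload, pattern):
    """Offsets at which pattern occurs (overlapping occurrences included)."""
    table, m = build_dfa(pattern), len(pattern)
    state, hits = 0, []
    for i, byte in enumerate(payload):
        state = table[state][byte]
        if state == m:
            hits.append(i - m + 1)
    return hits


def dfa_scan(payload, patterns):
    """One DFA per pattern, as in the FPGA designs; all run over the same bytes."""
    return sorted((off, pat) for pat in patterns for off in run_dfa(payload, pat))
```

The comparator approach spends N multi-byte compares per input byte; the DFA spends one table lookup per input byte per pattern and handles overlapping occurrences naturally, at the cost of a 256-wide transition row per state, which is where FPGA block RAM or logic goes.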

Comments on literature

Packet classification is a well-studied problem with many solutions that exploit the well-known, fixed structure of packet headers.

Deep packet inspection is much harder to solve efficiently, because payloads have no such fixed structure (and are often obfuscated), so there is a greater need for raw processing power and parallelised implementations.

Multi-gigabit implementations of packet processors are viable options and have been proven to work on FPGA platforms.

Future project progress

•Waiting for new FPGA development board

•Browsing through Xilinx SDK to familiarise myself with Ethernet interfacing on the FPGA

•Searching the Internet for other open-source TCP/IP or Ethernet processing code segments

Still to do:

•Finish implementation of complete system

•Testing and timings of final system

•Write report