1-10 Gbps IPv6 Programmable IDS/IPS - PowerPoint PPT Presentation

About This Presentation

Title: 1-10 Gbps IPv6 Programmable IDS/IPS
Slides: 19
Provided by: jstie6
Learn more at: http://www.internet2.edu

Transcript and Presenter's Notes

Title: 1-10 Gbps IPv6 Programmable IDS/IPS


1
  • 1-10 Gbps IPv6 Programmable IDS/IPS
  • Livio Ricciulli
  • livio_at_force10networks.com
  • (408) 835-5005

Rome Laboratories
Supported by the Division of Design, Manufacturing and Industrial Innovation of the National Science Foundation (Awards 0339343, 0521902) and the Air Force Rome Laboratories.
2
Brief History
  • Active Networks (DARPA Program)
  • Change behavior of network components (routers)
    dynamically (add new protocols, flow control
    algorithms, monitoring, etc..)
  • Discrete. Update network through separate
    management operations
  • Integrated. Packets cause network to update
    itself
  • Broad scope did not result in industry adoption
  • Lack of killer application
  • Lack of tight industry interaction
  • Tried to change too much too soon
  • Our bottom-up approach
  • Achieve programmability while reusing current
    infrastructure
  • Augment networks with new, non-invasive
    technology
  • Application-driven rather than design-driven
  • Work closely with users/operators
  • Revisit hardware computational model

3
1-10 Gbps IDS/IPS Hardware
  • Open architecture to leverage open source
    software
  • More robust, more flexible, promotes
    composability
  • Directly support Snort signatures
  • Abstract hardware as a network interface from OS
    prospective
  • Retain high-degree of programmability
  • New threat models (around the corner)
  • Extend to application beyond IDS/IPS
  • Line-speed/low latency to allow integration in
    production networks
  • Unanchored payload string search
  • Support analysis across packets
  • Gracefully handle state exhaustion
  • Hardware support for adaptive information
    management
  • Detailed reporting when reporting bandwidth is
    available
  • Dynamically switch to more compact
    representations when necessary
  • Support the insertion of application-specific
    analysis code in the fast path

4
Flynn's Computer Taxonomy
(Diagram; labels recovered from the slide text: the four quadrants SISD, SIMD, MISD and MIMD, each drawn as processors P0, P1, ..., Pn with their memories, instruction and data inputs; alongside them the IDS pipeline "Get packet" -> "Compare to rules" -> "Reduction Network" -> "Alert", in which packet data is compared against rules across the processors and the results are collected through a reduction network into an alert.)
5
Layer-1 Filtering
(Diagram; labels recovered from the slide text: a Monitoring System sits between the PHYs, taking RxData and RxEnable from the PHY on each side; it can independently "Block Direction 1" and "Block Direction 2".)
6
Product Architecture
(Diagram; labels recovered from the slide text: PHY in and PHY out (100Mb-10Gb) around an FPGA; RAM for block state (2-8M concurrent flows) and RAM for rules; an L-1 (layer-1) path; latency 1.3 µs; "Read Only"; packets passed to the IPS/IDS host; dynamic rules via runtime update, static rules via synthesis/firmware update.)
7
Flexible Deployment Options
Router/Switch
Inline
  • IPS application
  • Chain multiple cards inline for additional rule
    capacity
  • IDS and other passive monitoring
  • Up to 4 cards/8 ports in Force10 appliance
  • Mix of 1G and 10G
  • Extend passive capacity
  • Can hang multiple passive devices off 1 TAP or
    Mirror

(Diagrams; labels recovered from the slide text: "Inline" with IDS/IPS and CPU; "Multiple Mirrors / Passive" with IDS/IPS, CPU and a Mirror Port; "Passive Inline" with IDS/IPS, CPU and a link "To other passive device".)
8
Stateful Content Inspection Performance Comparison
9
Intuitive Management Tools
  • Interface
  • Card operates as a standard NIC
  • Reuse all existing Unix-based utilities/applications
  • Policies implemented rule by rule for block,
    forward, ignore and capture

10
IPv6 Security Hardware
  • IPv6 options provide a covert channel
  • Ex. Joe 6 pack (http://people.suug.ch/tgr/misc/j6p-1.0.tar.gz)
    uses the IPv6 Destination option for transport
  • Want to see what IPv6 options are used for (for
    example source routing)
  • Extend hardware payload match semantics to the IPv6
    header
  • Tunneling
  • Want to inspect headers of multiple tunnels

11
Technical Approach (continued)
  • Anchored and unanchored matching
  • IPv4 matching requires the following 2 offsets
  • IPv4 Header start (fixed 14 bytes from the start
    of the frame)
  • Payload start (variable due to Transmission
    Control Protocol (TCP) options)
  • IPv6 capable hardware modified to work with
    multiple variable offsets provided by the
    decoding phase
  • IPv4-IPv6 Header starts (variable due to
    tunneling)
  • Option starts (variable due to tunneling IP
    options)
  • HLP start (variable due to tunneling IP
    options)
  • Payload start (variable due to tunneling IP
    options TCP options)
  • Matching through variable offsets

12
Technical Approach
  • IPv6 decoding according to RFC 2460, plus IPv4
    decoding
  • Extract from header a set of offset pointers into
    the packet starting from the first Internet
    Protocol (IP) byte
  • The following offsets are memorized for each
    packet
  • Header start V6
  • Header start V4
  • High-Level Protocol (HLP) start
  • Payload Start
  • Hop-by-Hop
  • Routing
  • Fragment
  • Destination
  • Authentication
  • Security Payload
  • Tunneling counter from 0 to N indicating which
    tunnel level

13
Additions to IPv6 API
  • 8-bit parse value indicating which section of
    the packet is being clocked in
  • Unknown
  • IPV4 0x4
  • Payload 0xFE
  • TCP 0x6
  • ICMPV4 0x1
  • UDP 0x11
  • IPV6 41
  • Routing 43
  • Fragment 44
  • Destination 60
  • Authentication 51
  • Security Payload 50
  • ICMPv6 58
  • Hop by Hop 0
  • Counters
  • Tunnel tcnt counter
  • Length offset within section pointed to by parse

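As an added worked example (my code, not the deck's, Force10's or Metanetworks'), here is a software model of the decoding phase described on slides 11-13, together with the option inspection slide 10 asks for. It walks an Ethernet/IPv6 frame's header chain as RFC 2460 lays it out, records one offset per section relative to the first IP byte together with the tunnel level counter, lists the option types carried in Hop-by-Hop and Destination option headers, and performs anchored or unanchored matches at a section's offset. The section codes are the ones listed on slide 13; the UNKNOWN value 0xFF, the 8-byte ICMP header assumption, the max_tunnels bound and the constructed sample frame (including its made-up option type 0x3E) are my assumptions.

```python
"""Software model of the decoding phase described on slides 11-13 (added
example, not the deck's or Force10's code)."""
import struct

# Section codes as listed on slide 13 (the standard IANA protocol numbers).
# UNKNOWN = 0xFF is an assumption; the slide gives it no value.
HOPBYHOP, ICMPV4, IPV4, TCP, UDP = 0, 1, 4, 6, 17
IPV6, ROUTING, FRAGMENT, ESP, AH, ICMPV6, DESTINATION = 41, 43, 44, 50, 51, 58, 60
PAYLOAD, UNKNOWN = 0xFE, 0xFF
ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
NAMES = {0: "HopByHop", 1: "ICMPv4", 4: "IPv4", 6: "TCP", 17: "UDP", 41: "IPv6",
         43: "Routing", 44: "Fragment", 50: "ESP", 51: "AH", 58: "ICMPv6",
         60: "Destination", 0xFE: "Payload", 0xFF: "Unknown"}
IP_START = 14  # slide 11: the IP header starts a fixed 14 bytes into the frame


def decode(frame, max_tunnels=4):
    """Return [(section_code, offset, tcnt)]: offset is relative to the first IP
    byte, tcnt is the tunnel level (0 = outermost).  The walk stops at the payload,
    at ESP (its next header is encrypted), on an unknown or truncated header, or
    when tcnt exceeds max_tunnels (bounded state instead of an unbounded walk)."""
    pkt = frame[IP_START:]
    etype = struct.unpack_from("!H", frame, 12)[0]
    nxt = {ETHERTYPE_IPV6: IPV6, ETHERTYPE_IPV4: IPV4}.get(etype, UNKNOWN)
    sections, off, tcnt, ip_headers = [], 0, 0, 0
    while off < len(pkt):
        if nxt in (IPV4, IPV6):
            if ip_headers:                    # a nested IP header is one more tunnel level
                tcnt += 1
            ip_headers += 1
            if tcnt > max_tunnels:
                nxt = UNKNOWN
        sections.append((nxt, off, tcnt))
        try:
            if nxt == IPV6:
                nxt, off = pkt[off + 6], off + 40                  # fixed 40-byte header
            elif nxt == IPV4:
                ihl = (pkt[off] & 0x0F) * 4
                if ihl < 20:
                    sections.append((UNKNOWN, off, tcnt))
                    break
                nxt, off = pkt[off + 9], off + ihl
            elif nxt in (HOPBYHOP, ROUTING, DESTINATION):
                nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8   # RFC 2460 ext-len rule
            elif nxt == FRAGMENT:
                nxt, off = pkt[off], off + 8
            elif nxt == AH:
                nxt, off = pkt[off], off + (pkt[off + 1] + 2) * 4   # AH len: 32-bit words minus 2
            elif nxt == TCP:
                nxt, off = PAYLOAD, off + (pkt[off + 12] >> 4) * 4  # data offset covers TCP options
            elif nxt == UDP:
                nxt, off = PAYLOAD, off + 8
            elif nxt in (ICMPV4, ICMPV6):
                nxt, off = PAYLOAD, off + 8    # assumption: body follows an 8-byte echo-style header
            else:                              # PAYLOAD, ESP, No Next Header (59) or unknown
                break
        except IndexError:                     # header runs past the end of the frame
            sections.append((UNKNOWN, off, tcnt))
            break
    return sections


def option_types(frame, sections):
    """(section name, option type) for every non-padding option in Hop-by-Hop and
    Destination option headers, so a monitor can see what the options carry."""
    pkt, found = frame[IP_START:], []
    for code, off, _ in sections:
        if code in (HOPBYHOP, DESTINATION):
            p, end = off + 2, off + (pkt[off + 1] + 1) * 8
            while p < end:
                if pkt[p] == 0:                # Pad1 is a single byte
                    p += 1
                    continue
                if pkt[p] != 1:                # 1 = PadN; anything else is a real option
                    found.append((NAMES[code], pkt[p]))
                p += 2 + pkt[p + 1]            # type, length, data
    return found


def match(frame, sections, code, pattern, anchored=True, level=None):
    """Anchored: pattern must start exactly at the section's offset.  Unanchored:
    it may occur anywhere before the next section starts.  level picks a tunnel level."""
    pkt = frame[IP_START:]
    for i, (c, off, t) in enumerate(sections):
        if c != code or (level is not None and t != level):
            continue
        end = sections[i + 1][1] if i + 1 < len(sections) else len(pkt)
        if anchored:
            return pkt[off:off + len(pattern)] == pattern
        return pkt.find(pattern, off, end) != -1
    return False


def build_sample_frame():
    """Constructed frame, not a capture: Ethernet / IPv6 / Destination Options
    (one option of made-up type 0x3E) / IPv6 / TCP to port 80 / HTTP request."""
    payload = b"GET / HTTP/1.0\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    inner = struct.pack("!IHBB16s16s", 0x60000000, len(tcp) + len(payload),
                        TCP, 64, bytes(16), bytes(16))
    dstopts = bytes([IPV6, 0, 0x3E, 4]) + b"data"     # next = IPv6, ext len 0 -> 8 bytes
    outer = struct.pack("!IHBB16s16s", 0x60000000,
                        len(dstopts) + len(inner) + len(tcp) + len(payload),
                        DESTINATION, 64, bytes(16), bytes(16))
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV6) + outer + dstopts + inner + tcp + payload


if __name__ == "__main__":
    f = build_sample_frame()
    secs = decode(f)
    print([(NAMES[c], o, t) for c, o, t in secs], option_types(f, secs),
          match(f, secs, PAYLOAD, b"GET "))
```

On the sample frame the decoder reports the outer IPv6 header at offset 0, the Destination Options header at 40, the tunnelled IPv6 header at 48 with tunnel level 1, TCP at 88 and the payload at 108; the option walk reports the non-padding option type 0x3E inside the Destination header, which is the kind of thing slide 10 wants to make visible.
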
14
TopN destination ports
Verilog for the per-destination-port counter (operators and bit ranges were lost in extraction and are restored here):

    // memory indexed by destination port: port 1 (clk) updates the count,
    // port 2 (cnfclk/address1/valout) reads counts back out
    memory mem(.c1(clk), .a1(dstp[15:0]), .di1(newval), .do1(oldvalout),
               .w(write), .c2(cnfclk), .a2(address1[15:0]), .do2(valout));

    always @(posedge clk) begin
      if (offset == 1) begin
        proto <= data[7:0];                        // latch the IP protocol field
      end else if (offset == 2 && (proto == 6 || proto == 17)) begin
        dstp <= data[31:16];                       // TCP (6) / UDP (17) destination port
      end else if (offset == 4 && dstp != 0) begin
        newval <= oldvalout + 1;                   // read-modify-write this port's counter
        write <= 1;
      end else begin
        write <= 0;
      end
    end
15
Reuse existing Open Source
16
Available Today
  • P10 PCI Card (10 GbE interface)
  • High speed PCI card in 1U chassis
  • Wire-speed stateful deep packet inspection
    20G-in/20G-out
  • 650 static rule capacity, 65 dynamic rules
    (currently being increased)
  • 8 million concurrent flows
  • P1 PCI Card (GbE interface)
  • High speed PCI card in 1U chassis
  • Wire-speed stateful deep packet inspection
    2G-in/2G-out
  • 1000 static rule capacity, up to 200 dynamic rules
    (currently being increased)
  • 2 million concurrent flows
  • P1/P10 Appliance
  • 1U host embeds a P1 or P10 PCI card
  • Software and drivers pre-installed and
    pre-configured

17
Summary
  • Extremely low latency design enables a wide
    variety of deployment options
  • Leverage Open Source software
  • 1G and 10G available today
  • Processing paradigm lends itself to ad-hoc
    application level programmability
  • Livio Ricciulli
  • livio_at_force10networks.com
  • (408) 835-5005
  • www.metanetworks.org

18
Thank You