design and performance of the openbsd stateful packet
play

Design and Performance of the OpenBSD Stateful Packet Filter (pf) - PowerPoint PPT Presentation

May 06, 2023 •114 likes •455 views

Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier dhartmei@openbsd.org Systor AG Usenix 2002 p.1/22 Introduction part of a firewall, working on IP packet level (vs. application level proxies or ethernet

  1. Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier dhartmei@openbsd.org Systor AG Usenix 2002 – p.1/22

  2. Introduction part of a firewall, working on IP packet level (vs. application level proxies or ethernet level bridges) packet filter intercepting each IP packet that passes through the kernel (in and out on each interface), passing or blocking it stateless inspection based on the fields of each packet stateful filtering keeping track of connections, additional information makes filtering more powerful (sequence number checks) and easier (replies, random client ports) Usenix 2002 – p.2/22

  3. Motivation OpenBSD included IPFilter in the default install what appeared to be a BSD license turned out to be non-free unlike other license problems discovered by the ongoing license audit, this case couldn’t be resolved, IPFilter removed from the tree existing alternatives were considered (ipfw), larger code base, kernel dependencies rewrite offers additional options, integrates better with existing kernel features Usenix 2002 – p.3/22

  4. Overview Introduction Motivation Filter rules, skip steps State table, trees, lookups, translations (NAT, redirections) Benchmarks Conclusions Usenix 2002 – p.4/22

  5. Filter rules linear linked list, evaluated top to bottom for each packet (unlike netfilter’s chains tree) rules contain parameters that match/mismatch a packet rules pass or block a packet last matching rule wins (except for ’quick’, which aborts rule evaluation) rules can create state, further state matching packets are passed without rule set evaluation Usenix 2002 – p.5/22

  6. Skip steps transparent optimization of rule set evaluation, improve performance without affecting semantics example: ten consecutive rules apply only to packets from source address X, packet has source address Y, first rule evaluated, next nine skipped skipping is done on most parameters, in pre-defined order parameters like direction (in, out), interface or address family (IPv4/IPv6) partition the rule set a lot, performance increase is significant worst case: consecutive rules have no equal parameters, every rule must be evaluated, no additional cost (linked list traversal) Usenix 2002 – p.6/22

  7. State table TCP (sequence number checks on each packet), ICMP error messages match referred to packet (simplifies rules without breaking PMTU etc.) UDP, ICMP queries/replies, other protocols, pseudo-connections with timeouts adjustable timeouts, pseudo-connections for non-TCP protocols binary search tree (AVL, now Red-Black), O(log n) even in worst-case key is two address/port pairs Usenix 2002 – p.7/22

  8. Translations (NAT, redirections) translating source addresses: NAT/PAT to one address using proxy ports translating destination: redirections (based on addresses/ports) mapping stored in state table application level proxies (ftp) in userland Usenix 2002 – p.8/22

  9. State table keys one state entry per connection, stored in two trees example: 10.1.1.1:20000 -> 62.65.145.30:50001 -> 129.128.5.191:80 outgoing packets: 10.1.1.1:20000 -> 129.128.5.191:80, replace source address/port with gateway incoming packets: 129.128.5.191:80 -> 62.65.145.30:50001, replace destination address/port with local host three address/port pairs of one connection: lan, gwy, ext without translation, two pairs are equal Usenix 2002 – p.9/22

  10. State table keys two trees: tree-lan-ext (outgoing) and tree-ext-gwy (incoming), contain the same state pointers no addition translation map (and lookup) needed Usenix 2002 – p.10/22

  11. Normalization IP normalization (scrubbing) to remove interpretation ambiguities, like overlapping fragments (confusing IDSs) reassembly (caching) of fragments before filtering, only complete packets are filtered sequence number modulation Usenix 2002 – p.11/22

  12. Logging through bpf, virtual network interface pflog0 link layer header used for pf related information (rule, action) binary log files, readable with tcpdump and other tools Usenix 2002 – p.12/22

  13. Benchmarks: Setup two (old) i386 machines with two network interface cards each, connected with two crosswire Cat5 cables, 10 mbit/s unidirectional tester: generate TCP packets on ethernet level through first NIC, capture incoming ethernet frames on second NIC firewall: OpenBSD and GNU/Linux (equal hardware), IP forwarding enabled, packet filter enabled, no other services, no other network traffic (static arp table) Usenix 2002 – p.13/22

  14. Benchmarks: Packet generation TCP packets of variable size, random source/destination addresses and ports embedded timestamp to calculate latency, incremental serial number to detect packet loss send packets of specified size at specified rate for several seconds, print throughput, latency and loss verify that setup can handle maximum link rate correctly Usenix 2002 – p.14/22

  15. Local, reaching link limit 900 1518 bytes/packet 800 700 receiving rate (packets/s) 600 500 400 300 200 100 0 0 100 200 300 400 500 600 700 800 900 sending rate (packets/s) Usenix 2002 – p.15/22

  16. Local, reaching link limit 900 1518 bytes/packet 812 800 700 receiving rate (packets/s) 600 500 400 300 200 100 812 0 0 100 200 300 400 500 600 700 800 900 sending rate (packets/s) Usenix 2002 – p.15/22

  17. Local, varying packet sizes 1.4e+06 1518 bytes 1.2e+06 1e+06 throughput (bytes/s) 800000 600000 400000 200000 812 0 0 2000 4000 6000 8000 10000 12000 14000 16000 sending rate (packets/s) Usenix 2002 – p.16/22

  18. Local, varying packet sizes 1.4e+06 1280 bytes 1.2e+06 1e+06 throughput (bytes/s) 800000 600000 400000 200000 961 0 0 2000 4000 6000 8000 10000 12000 14000 16000 sending rate (packets/s) Usenix 2002 – p.16/22

  19. Local, varying packet sizes 1.4e+06 1024 bytes 1.2e+06 1e+06 throughput (bytes/s) 800000 600000 400000 200000 1197 0 0 2000 4000 6000 8000 10000 12000 14000 16000 sending rate (packets/s) Usenix 2002 – p.16/22

  20. Local, varying packet sizes 1.4e+06 768 bytes 1.2e+06 1e+06 throughput (bytes/s) 800000 600000 400000 200000 1586 0 0 2000 4000 6000 8000 10000 12000 14000 16000 sending rate (packets/s) Usenix 2002 – p.16/22

  21. Local, varying packet sizes 1.4e+06 512 bytes 1.2e+06 1e+06 throughput (bytes/s) 800000 600000 400000 200000 2349 0 0 2000 4000 6000 8000 10000 12000 14000 16000 sending rate (packets/s) Usenix 2002 – p.16/22

  22. Local, varying packet sizes 1.4e+06 256 bytes 1.2e+06 1e+06 throughput (bytes/s) 800000 600000 400000 200000 4528 0 0 2000 4000 6000 8000 10000 12000 14000 16000 sending rate (packets/s) Usenix 2002 – p.16/22

  23. Local, varying packet sizes 1.4e+06 1.2e+06 128 bytes 1e+06 throughput (bytes/s) 800000 600000 400000 200000 8445 0 0 2000 4000 6000 8000 10000 12000 14000 16000 sending rate (packets/s) Usenix 2002 – p.16/22

  24. Local, varying packet sizes 1.4e+06 1.2e+06 1e+06 64 bytes throughput (bytes/s) 800000 600000 400000 200000 14880 0 0 2000 4000 6000 8000 10000 12000 14000 16000 sending rate (packets/s) Usenix 2002 – p.16/22

  25. Local, varying packet sizes 1.4e+06 Local OpenBSD GNU/Linux 1.2e+06 1e+06 throughput (bytes/s) 800000 600000 400000 200000 0 0 2000 4000 6000 8000 10000 12000 14000 16000 sending rate (packets/s) Usenix 2002 – p.16/22

  26. Stateless, 100 rules, throughput 5000 iptables 4500 4000 throughput (packets/s) 3500 3000 2500 2000 1500 1000 500 0 0 1000 2000 3000 4000 5000 sending rate (packets/s) Usenix 2002 – p.17/22

  27. Stateless, 100 rules, throughput 5000 iptables ipf 4500 4000 throughput (packets/s) 3500 3000 2500 2000 1500 1000 500 0 0 1000 2000 3000 4000 5000 sending rate (packets/s) Usenix 2002 – p.17/22

  28. Stateless, 100 rules, throughput 5000 iptables ipf 4500 pf 4000 throughput (packets/s) 3500 3000 2500 2000 1500 1000 500 0 0 1000 2000 3000 4000 5000 sending rate (packets/s) Usenix 2002 – p.17/22

  29. Maximum throughput vs. rules 5000 iptables ipf 4500 pf maximum throughput (packets/s) 4000 3500 3000 2500 2000 1500 1000 500 0 200 400 600 800 1000 number of rules Usenix 2002 – p.18/22

  30. Maximum throughput vs. states 7500 ipf pf 7000 maximum throughput (packets/s) 6500 6000 5500 5000 4500 4000 3500 3000 0 5000 10000 15000 20000 number of states Usenix 2002 – p.19/22

  31. Conclusions rule set evaluation is expensive. State lookups are cheap filtering statefully not only improves filter decision quality, it actually increases performance memory cost: 64000 states with 64MB RAM (without tuning), increasing linearly binary search tree for states scales with O(log n) Usenix 2002 – p.20/22

  32. Production results Duron 700MHz, 128MB RAM, 3x DEC 21143 NICs 25000-40000 concurrent states average of 5000 packets/s fully stateful filtering (no stateless passing) CPU load doesn’t exceed 10 percent (same box and filter policy with IPFilter was 90 percent load average) Usenix 2002 – p.21/22

  33. Questions? The OpenBSD Project: http://www.openbsd.org/ Paper and slides: http://www.benzedrine.cx/pf.html dhartmei@openbsd.org Usenix 2002 – p.22/22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

1 Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy firewalls Stateful inspection Deep packet inspection 2 Packet filter (Access Control Lists) Treats each packet in isolation

510 views • 30 slides
Dropping in 80Gbits (sort of) of Stateful Firewalling with OpenBSD (PF, OpenOSPF) UKNOF 37,

Dropping in 80Gbits (sort of) of Stateful Firewalling with OpenBSD (PF, OpenOSPF) UKNOF 37,

Dropping in 80Gbits (sort of) of Stateful Firewalling with OpenBSD (PF, OpenOSPF) UKNOF 37, Manchester Caveats I am not pushing 80Gbits yet (sorry if you were expecting Netflix levels of awesome) See: Sort of Who am I? Gareth Llewellyn

424 views • 38 slides
Porting OpenBSD Niall OHiggins <niallo@openbsd.org> Uwe Sthler <uwe@openbsd.org>

Porting OpenBSD Niall OHiggins <niallo@openbsd.org> Uwe Sthler <uwe@openbsd.org>

Porting OpenBSD Niall OHiggins <niallo@openbsd.org> Uwe Sthler <uwe@openbsd.org> OpenCON, 2005 Outline 1 Porting OpenBSD What It Takes Preparation Cross-Development The Boot Loader Building The Kernel Adapting Startup

1.59k views • 88 slides
GASPP: A GPU-Accelerated Stateful Packet Processing Framework

GASPP: A GPU-Accelerated Stateful Packet Processing Framework

GASPP: A GPU-Accelerated Stateful Packet Processing Framework Giorgos Vasiliadis, FORTH-ICS, Greece Lazaros Koromilas, FORTH-ICS, Greece Michalis Polychronakis,

949 views • 56 slides
SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery Zhongjie Wang

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery Zhongjie Wang

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery Zhongjie Wang , Shitong Zhu, Yue Cao, Zhiyun Qian, Chengyu Song, Srikanth Krishnamurthy, Kevin Chan, and Tracy Braun What is DPI (Deep Packet Inspection)?

205 views • 19 slides
SNAP: Stateful Network-Wide Abstractions for Packet Processing Mina Tahmasbi Arashloo 1 , Yaron

SNAP: Stateful Network-Wide Abstractions for Packet Processing Mina Tahmasbi Arashloo 1 , Yaron

SNAP: Stateful Network-Wide Abstractions for Packet Processing Mina Tahmasbi Arashloo 1 , Yaron Koral 1 , Michael Greenberg 2 , Jennifer Rexford 1 , and David Walker 1 1 Princeton University, 2 Pomona College Early SDN Switch Interfaces

711 views • 35 slides
How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet monitor? How to acquire the data Handling performance bottlenecks Case Study: Packet Capture Performance Analyzing the transport and

487 views • 37 slides
Measuring Performance on OpenBSD Alexander Bluhm bluhm@openbsd.org EuroBSDCon, September 2019

Measuring Performance on OpenBSD Alexander Bluhm bluhm@openbsd.org EuroBSDCon, September 2019

What did exist before? How does it work? What are the findings? What is the Conclusion? Measuring Performance on OpenBSD Alexander Bluhm bluhm@openbsd.org EuroBSDCon, September 2019 What did exist before? How does it work? What are the

491 views • 48 slides
Supporting Radio Clocks in OpenBSD Marc Balmer < mbalmer@openbsd.org > micro systems/OpenBSD

Supporting Radio Clocks in OpenBSD Marc Balmer < mbalmer@openbsd.org > micro systems/OpenBSD

Supporting Radio Clocks in OpenBSD Marc Balmer < mbalmer@openbsd.org > micro systems/OpenBSD BSDConTr, Istanbul, Turkey Agenda 1 Introduction 2 Radio Clocks 3 Architectural Overview 4 Support for GPS-Receivers 5 Support for Time Signal

745 views • 35 slides
Measuring Performance on OpenBSD Alexander Bluhm bluhm@openbsd.org BSDCan, May 2019 What did

Measuring Performance on OpenBSD Alexander Bluhm bluhm@openbsd.org BSDCan, May 2019 What did

What did exist before? How does it work? What are the findings? What is the Conclusion? Measuring Performance on OpenBSD Alexander Bluhm bluhm@openbsd.org BSDCan, May 2019 What did exist before? How does it work? What are the findings?

475 views • 43 slides
Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org

Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org

Reflections|Projections 2007 Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org Overview of OpenBSD History Berkeley Software Distribution (BSD) First freely distributable BSD was released in June

810 views • 24 slides
Mesos Go Stateful An Abstraction for frameworks running stateful workload Dhilip & Amit -

Mesos Go Stateful An Abstraction for frameworks running stateful workload Dhilip & Amit -

Mesos Go Stateful An Abstraction for frameworks running stateful workload Dhilip & Amit - PaaS Team, Huawei Contents Why Abstraction Available solution in Kubernetes Available solution in Mesos Mesos Go Stateful Design

492 views • 25 slides
Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist <anton@openbsd.org> Introduction

Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist <anton@openbsd.org> Introduction

Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist <anton@openbsd.org> Introduction Fuzzing the OpenBSD kernel using the syzkaller kernel fuzzer. Heard about first on the BSD Now podcast back in April 2018. Ongoing effort, hence 1/N in

668 views • 15 slides
Stateful packet processing with eBPF: An implementation of OpenState interface Quentin Monnet

Stateful packet processing with eBPF: An implementation of OpenState interface Quentin Monnet

FOSDEM17 Brussels, 2017-02-04 Stateful packet processing with eBPF: An implementation of OpenState interface Quentin Monnet < quentin.monnet@6wind.com > @qeole Quentin Monnet (6WIND) | BEBA OpenState and eBPF Agenda 2/34 Ill

558 views • 34 slides
Zero-Copy Socket Splicing Alexander Bluhm bluhm@openbsd.org Sunday, 29. September 2013

Zero-Copy Socket Splicing Alexander Bluhm bluhm@openbsd.org Sunday, 29. September 2013

Motivation Kernel MBuf Packet Processing Socket Splicing Interface Implementation Applications Zero-Copy Socket Splicing Alexander Bluhm bluhm@openbsd.org Sunday, 29. September 2013 Motivation Kernel MBuf Packet Processing Socket

736 views • 38 slides
Stateful Dataflow Multigraphs: A Data-Centric Model for Performance Portability on Heterogeneous

Stateful Dataflow Multigraphs: A Data-Centric Model for Performance Portability on Heterogeneous

spcl.inf.ethz.ch @spcl_eth Tal Ben-Nun , Johannes de Fine Licht, Alexandros-Nikolaos Ziogas, Timo Schneider, Torsten Hoefler Stateful Dataflow Multigraphs: A Data-Centric Model for Performance Portability on Heterogeneous Architectures This

738 views • 42 slides
New Initiatives taken for Flood Reduction and Management after Super Flood of 2014 in Chenab River

New Initiatives taken for Flood Reduction and Management after Super Flood of 2014 in Chenab River

New Initiatives taken for Flood Reduction and Management after Super Flood of 2014 in Chenab River Speaker (Day 1) Habib Ullah Bodla Chief PMIU/FRAU Aug 30, 2017 Punjab Irrigation Department, Pakistan Sequence Example With 7 Parts 07 03

941 views • 53 slides
Two-Phase Flow Numerical Modeling : Application to a Geological Nuclear Waste Disposal Sylvie

Two-Phase Flow Numerical Modeling : Application to a Geological Nuclear Waste Disposal Sylvie

Two-Phase Flow Numerical Modeling : Application to a Geological Nuclear Waste Disposal Sylvie Granet Sylvie Granet Sylvie Granet Sylvie Granet Clment Clment Chavant Clment Clment Chavant Chavant Chavant EDF

324 views • 19 slides
6. Site investigation 6. 1 st semester - 2011-2012 Manual on Subsurface Investigations Eng.

6. Site investigation 6. 1 st semester - 2011-2012 Manual on Subsurface Investigations Eng.

Engineering Geology Engineering Geology Engineering Geology is backbone of civil engineering 6. Site investigation 6. 1 st semester - 2011-2012 Manual on Subsurface Investigations Eng. Iqbal Marie by Paul W. Mayne, Barry R. Christopher, and

472 views • 25 slides
King Edward Memorial Park Foreshore Community Liaison Working Group 6 February 2019 Staff

King Edward Memorial Park Foreshore Community Liaison Working Group 6 February 2019 Staff

King Edward Memorial Park Foreshore Community Liaison Working Group 6 February 2019 Staff Tideway Jeff Alchin Project Manager Tideway Allen Summerskill Stakeholder & Consents Tideway Rebecca Major Communications Tideway CVB

484 views • 30 slides
IDS Active Response Mechanisms: Countermeasure Subsytem for Prelude IDS Krzysztof Zaraska July

IDS Active Response Mechanisms: Countermeasure Subsytem for Prelude IDS Krzysztof Zaraska July

IDS Active Response Mechanisms: Countermeasure Subsytem for Prelude IDS Krzysztof Zaraska July 9, 2002 1 Introduction The number of security vulnerabilities in popular software forces system ad- ministrators to constantly keep track of new

586 views • 19 slides
Deborah McCullough Cliff Sadof Richard Hauer Professor Professor Professor University of

Deborah McCullough Cliff Sadof Richard Hauer Professor Professor Professor University of

Second Wednesdays | 1:00 2:00 pm ET www.fs.fed.us/research/urban-webinars This meeting is being recorded. If you do not wish to be recorded, please disconnect now. USDA is an equal opportunity provider and employer. Deborah McCullough

754 views • 14 slides
Expressing Measurements and Chemical Systems for Physical Property Data Peter Linstrom National

Expressing Measurements and Chemical Systems for Physical Property Data Peter Linstrom National

Expressing Measurements and Chemical Systems for Physical Property Data Peter Linstrom National Institute of Standards and Technology Gaithersburg, MD, USA Outline Nature of physical property data Historical record or interpretation

597 views • 25 slides
Research Data Management LabTrove: A Researcher Centric Electronic Laboratory Notebook

Research Data Management LabTrove: A Researcher Centric Electronic Laboratory Notebook

Research Data Management LabTrove: A Researcher Centric Electronic Laboratory Notebook www.labtrove.org 25 Feb 2014 IDCC 2014 Methods are as important as the data Methods are as important as the data StructureGate The academics media

726 views • 23 slides

More recommend