stateful packet processing with ebpf an implementation of
play

Stateful packet processing with eBPF: An implementation of OpenState - PowerPoint PPT Presentation

Feb 03, 2023 •213 likes •558 views

FOSDEM17 Brussels, 2017-02-04 Stateful packet processing with eBPF: An implementation of OpenState interface Quentin Monnet < quentin.monnet@6wind.com > @qeole Quentin Monnet (6WIND) | BEBA OpenState and eBPF Agenda 2/34 Ill

  1. FOSDEM’17 Brussels, 2017-02-04 Stateful packet processing with eBPF: An implementation of OpenState interface Quentin Monnet < quentin.monnet@6wind.com > @qeole

  2. Quentin Monnet (6WIND) | BEBA — OpenState and eBPF Agenda 2/34 I’ll speak at FOSDEM Will talk about: ⋅ OpenState, 40% ⋅ eBPF, 60% Me

  3. Quentin Monnet (6WIND) | BEBA — OpenState and eBPF Agenda 3/34 Coming too! I’ll speak at FOSDEM I’ll have a talk Will talk about: on eBPF! ⋅ OpenState, 40% ⋅ eBPF, 60% Daniel B. Me

  4. Quentin Monnet (6WIND) | BEBA — OpenState and eBPF Agenda 4/34 Coming too! I’ll speak at FOSDEM I’ll have a talk Will talk about: on eBPF! ⋅ OpenState, 40% 70% ⋅ eBPF, 60% 30% Daniel B. Me

  5. Quentin Monnet (6WIND) | BEBA — OpenState and eBPF SDN: hosts, VMs, programmable switches, controllers… 5/34 Controller Internet Switch Router Hypervisor

  6.  Most packets goes through the “shortcut” dataplane Two paths for dataplane  Some packets are sent as exceptions—this generally includes stateful processing Quentin Monnet (6WIND) | BEBA — OpenState and eBPF 6/34 SDN controller Switch Standard path Shortcut

  7.  Can we make the switch “smarter”, without loosing SDN benefits? What about: bringing back some control into the switch?  How could we abstract stateful packet processing, in such a way the controller can easily set up the switches? Quentin Monnet (6WIND) | BEBA — OpenState and eBPF 7/34 SDN controller Switch Standard path OpenState path

  8. Objectives:  Wire-speed-reactive control/processing tasks inside the switches  Centralized control  Scalability  Platform-independent From January 2015 to March 2017 (27 months) Quentin Monnet (6WIND) | BEBA — OpenState and eBPF 8/34 Horizon 2020 More info at http://www.beba-project.eu/

  9. BEBA: Who? Quentin Monnet (6WIND) | BEBA — OpenState and eBPF 9/34

  10. BEBA switch Quentin Monnet (6WIND) | BEBA — OpenState and eBPF 10/34 Open Packet Processor BEBA (registers and boolean conditions) switch OpenState InSP (stateful processing) (packet generation)

  11. OpenState: stateful packet processing Forwarding depends on traffic previously observed 1 Lookup for flow state 2 Lookup for action associated to flow state, perform action 3 Update state to new value So we need two tables: a state table and a table for actions: XFSM table (eXtended Finite State Machine) Quentin Monnet (6WIND) | BEBA — OpenState and eBPF 11/34 State update Packet pattern State Action State table XFSM table

  12. Case study: port knocking  Clients see port 22 of the server as closed  To access port 22, they first have to send a secret packet sequence to that port Our example secret sequence: UDP packet on port 1111, 2222, 3333 then 4444 Quentin Monnet (6WIND) | BEBA — OpenState and eBPF 12/34 10.2.2.2 10.1.1.1 Clients Switch Server 10.3.3.3

  13. Case study: port knocking Quentin Monnet (6WIND) | BEBA — OpenState and eBPF 13/34 Initial state Any other packet; UDP or timeout packet on port 1111 Step 1 Step 2 Step 3 UDP UDP packet packet on port 2222 on port 3333 UDP packet on port 4444 All TCP packets to Connection on port 22 are forwarded. TCP port 22 Packets to other is open ports are dropped.

  14. State table  Tracks current state for each flow Quentin Monnet (6WIND) | BEBA — OpenState and eBPF 14/34 Flow matching pattern State … … IP src = any DEFAULT Packet pattern State State table

  15. XFSM table  To state and “event” pattern, associates action and “next state” Quentin Monnet (6WIND) | BEBA — OpenState and eBPF  “Next state” is used to update the entry for this flow in the state table 15/34 Flow matching pattern Actions State Event Action Next state … … … … DEFAULT UDP dst port = 1111 Drop STEP_1 STEP_1 UDP dst port = 2222 Drop STEP_2 STEP_2 UDP dst port = 3333 Drop STEP_3 STEP_3 UDP dst port = 4444 Drop OPEN OPEN TCP dst port 22 Forward OPEN OPEN Port = * Drop OPEN … … … … * Port = * Drop DEFAULT State Action XFSM table

  16. State table update  The state of the flow is updated for each packet, thus unrolling the Quentin Monnet (6WIND) | BEBA — OpenState and eBPF 16/34 port knocking sequence Flow matching pattern State … … IP src = 10.3.3.3, IP dst = 10.1.1.1 STEP_1 … … IP src = any DEFAULT State update State table XFSM table

  17. Can we implement that with eBPF? Quentin Monnet (6WIND) | BEBA — OpenState and eBPF 17/34

  18. eBPF ~ extended Berkeley Packet Filter  Assembly-like language, based on cBPF (packet filtering) Quentin Monnet (6WIND) | BEBA — OpenState and eBPF 18/34  Programs come from user space, run in the kernel C source code ELF-compiled BPF bpf_prog.c bpf_prog.o tc LLVM/clang User program Userspace bpf() syscall Kernel cls_bpf Maps JIT Network stack Packets tc ingress tc egress Net device Net device

  19. Stateful eBPF  Default behavior: program is run to process a packet, no state preserved on exit  However: eBPF Maps (kernel 3.18+): helpers → Let’s use hash maps for OpenState tables! ( https://github.com/qmonnet/pkpoc-bpf ) Quentin Monnet (6WIND) | BEBA — OpenState and eBPF 19/34 • Memory area accessible from eBPF program through specific kernel • Arrays, hash maps (and several other kinds) • Persistent across multiple runs of an eBPF program • Can be shared with other eBPF programs • Can be shared with userspace applications

  20. openstate.h state; Quentin Monnet (6WIND) | BEBA — OpenState and eBPF }; int32_t next_state; int32_t action; struct XFSMTableVal { }; uint16_t dst_port; uint16_t src_port; l4_proto; uint8_t int32_t /* State table */ struct XFSMTableKey { /* XFSM table */ }; int32_t state; struct StateTableVal { }; uint32_t ip_dst; uint32_t ip_src; uint16_t ether_type; struct StateTableKey { 20/34

  21. portknocking.c : State table lookup if (state_val) { Quentin Monnet (6WIND) | BEBA — OpenState and eBPF goto end_of_program; } goto xfsmlookup; */ * for current event. /* If we found a state, go on and search XFSM table for this state and current_state = state_val->state; struct StateTableVal *state_val = map_lookup_elem(&state_table, &state_idx); /* [Truncated] /* State table lookup */ state_idx.ip_dst = ntohl(ip->dst); state_idx.ip_src = ntohl(ip->src); struct StateTableKey state_idx; state_idx.ether_type = ntohs(ethernet->type); */ * ports. * addresses; since we will need it at next step, also extract UDP src and dst * Parse headers and make sure we have an IP packet, extract src and dst 21/34

  22. portknocking.c : XFSM table lookup, state table update, action /* Return action code */ Quentin Monnet (6WIND) | BEBA — OpenState and eBPF } } return TC_ACT_UNSPEC; default : return TC_ACT_OK; case ACTION_FORWARD: return TC_ACT_SHOT; case ACTION_DROP: switch (xfsm_val->action) { map_update_elem(&state_table, &state_idx, &new_state, BPF_ANY); /* Set up the key */ struct StateTableVal new_state = { xfsm_val->next_state }; /* Update state table entry with new state value */ if (xfsm_val) { struct XFSMTableVal *xfsm_val = map_lookup_elem(&xfsm_table, &xfsm_idx); /* Lookup */ xfsm_idx.dst_port = dst_port; xfsm_idx.l4_proto = ip->next_protocol; = current_state; xfsm_idx.state 22/34 xfsm_idx.src_port = 0;

  23. Compile and run  One would compile the complete program into eBPF with: $ clang -O2 -emit-llvm -c openstate.c -o - | \ llc -march=bpf -filetype=obj -o openstate.o  … and attach it with, for example: # tc qdisc add dev eth0 clsact # tc filter add dev eth0 ingress bpf da obj openstate.o  One more thing: initialize the maps (user-space program with bpf() syscall)  Alternative method: bcc’s Python wrappers provide an easier way to initialize maps, to compile and to inject programs Quentin Monnet (6WIND) | BEBA — OpenState and eBPF 23/34

  24. Result Quentin Monnet (6WIND) | BEBA — OpenState and eBPF 24/34

  25. Second case study: token bucket Quentin Monnet (6WIND) | BEBA — OpenState and eBPF 25/34

  26. Token bucket algorithm Quentin Monnet (6WIND) | BEBA — OpenState and eBPF 26/34 Bucket capacity: 4 tokens Packet Token generation: 1/Q Q W T0 Case 1 (normal traf fi c) time Forward Tmin Tmax W_next Packet W Case 2 (light traf fi c) time Forward Tmin Tmax W_next Packet W Case 3 (heavy load) time Drop Tmin Tmax W_next

  27. Model side: Open Packet Processor  Extension of OpenState: Quentin Monnet (6WIND) | BEBA — OpenState and eBPF ( https://github.com/qmonnet/tbpoc-bpf ) → Case 3 → Case 1 cond2 = (t ≤ Tmax) conditions:  For token bucket: registers for Tmin and Tmax , then evaluate 27/34 • With global and per-flow registers • Registers evaluated with a set of conditions • XFSM table lookup must also match on conditions • cond1 = (t ≥ Tmin); • cond1 == true && cond2 == true • cond1 == true && cond2 == false → Case 2 • cond1 == false

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

GASPP: A GPU-Accelerated Stateful Packet Processing Framework

GASPP: A GPU-Accelerated Stateful Packet Processing Framework

GASPP: A GPU-Accelerated Stateful Packet Processing Framework Giorgos Vasiliadis, FORTH-ICS, Greece Lazaros Koromilas, FORTH-ICS, Greece Michalis Polychronakis,

949 views • 56 slides
eBPF Offload to Hardware: cls_bpf and XDP Motivation - Avoiding Whack-a-mole Motivation - Why

eBPF Offload to Hardware: cls_bpf and XDP Motivation - Avoiding Whack-a-mole Motivation - Why

eBPF Offload to Hardware: cls_bpf and XDP Motivation - Avoiding Whack-a-mole Motivation - Why eBPF? Target architecture (NFP based NIC) RX Path Flow of eBPF Packet The Flow Processing Core (Fully Programmable) Mapping eBPF -&gt; NFP

668 views • 24 slides
SNAP: Stateful Network-Wide Abstractions for Packet Processing Mina Tahmasbi Arashloo 1 , Yaron

SNAP: Stateful Network-Wide Abstractions for Packet Processing Mina Tahmasbi Arashloo 1 , Yaron

SNAP: Stateful Network-Wide Abstractions for Packet Processing Mina Tahmasbi Arashloo 1 , Yaron Koral 1 , Michael Greenberg 2 , Jennifer Rexford 1 , and David Walker 1 1 Princeton University, 2 Pomona College Early SDN Switch Interfaces

711 views • 35 slides
Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

1 Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy firewalls Stateful inspection Deep packet inspection 2 Packet filter (Access Control Lists) Treats each packet in isolation

510 views • 30 slides
Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier

Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier

Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier dhartmei@openbsd.org Systor AG Usenix 2002 p.1/22 Introduction part of a firewall, working on IP packet level (vs. application level proxies or ethernet

455 views • 33 slides
SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery Zhongjie Wang

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery Zhongjie Wang

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery Zhongjie Wang , Shitong Zhu, Yue Cao, Zhiyun Qian, Chengyu Song, Srikanth Krishnamurthy, Kevin Chan, and Tracy Braun What is DPI (Deep Packet Inspection)?

205 views • 19 slides
Performance Implications of Packet Filtering with Linux eBPF Dominik Scholz , Daniel Raumer, Paul

Performance Implications of Packet Filtering with Linux eBPF Dominik Scholz , Daniel Raumer, Paul

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Performance Implications of Packet Filtering with Linux eBPF Dominik Scholz , Daniel Raumer, Paul Emmerich, Alexander Kurtz, Krzysztof Lesiak

721 views • 29 slides
Security Monitoring with eBPF ALEX MAESTRETTI - MANAGER, SIRT BRENDAN GREGG - Sr ARCHITECT,

Security Monitoring with eBPF ALEX MAESTRETTI - MANAGER, SIRT BRENDAN GREGG - Sr ARCHITECT,

Security Monitoring with eBPF ALEX MAESTRETTI - MANAGER, SIRT BRENDAN GREGG - Sr ARCHITECT, PERFORMANCE The Brief. Extended Berkley Packet Filter (eBPF) is a new Linux feature which allows safe and efficient monitoring of kernel functions.

593 views • 27 slides
PACKET PROCESSING ON GPU Elena Agostini SW Engineer, Nvidia Chetan Tekur - Solution

PACKET PROCESSING ON GPU Elena Agostini SW Engineer, Nvidia Chetan Tekur - Solution

PACKET PROCESSING ON GPU Elena Agostini SW Engineer, Nvidia Chetan Tekur - Solution Architect, Nvidia 03/21/2019 TELEMETRY DATA ANALYSIS 2 RESEARCH PAPERS APUNet: Revitalizing GPU as Packet Processing Accelerator Zero-copy packet

591 views • 34 slides
Endless Network Programming An Update from eBPF Land Quentin Monnet @qeole Outline Q.

Endless Network Programming An Update from eBPF Land Quentin Monnet @qeole Outline Q.

FOSDEM20 Brussels, 2020-02-01 Endless Network Programming An Update from eBPF Land Quentin Monnet @qeole Outline Q. Monnet eBPF Update 2/18 eBPF Basics New Features eBPF Universe eBPF Basics Q. Monnet

531 views • 18 slides
DRFQ : Multi-Resource Fair Queueing for Packet Processing Ali Ghodsi 1,3 , Vyas Sekar 2 , Matei

DRFQ : Multi-Resource Fair Queueing for Packet Processing Ali Ghodsi 1,3 , Vyas Sekar 2 , Matei

DRFQ : Multi-Resource Fair Queueing for Packet Processing Ali Ghodsi 1,3 , Vyas Sekar 2 , Matei Zaharia 1 , Ion Stoica 1 1 UC Berkeley, 2 Intel ISTC/Stony Brook, 3 KTH 1 Increasing Network Complexity Packet processing becoming evermore

659 views • 38 slides
Analyzing DPDK applications with eBPF Sharpening the toolset Stephen Hemminger Fosdem, February

Analyzing DPDK applications with eBPF Sharpening the toolset Stephen Hemminger Fosdem, February

Analyzing DPDK applications with eBPF Sharpening the toolset Stephen Hemminger Fosdem, February 1, 2020 Microsoft 1 Table of Contents Introduction Packet Capture Tracing Lttng Bpftrace Performance Conclusion 2 Introduction Ancient

875 views • 60 slides
Hybrid cache architecture for high-speed packet processing Z. Liu, K. Zheng and B. Liu Abstract:

Hybrid cache architecture for high-speed packet processing Z. Liu, K. Zheng and B. Liu Abstract:

Hybrid cache architecture for high-speed packet processing Z. Liu, K. Zheng and B. Liu Abstract: The exposed memory hierarchies employed in many network processors (NPs) are expensive in terms of meeting the worst-case processing requirement.

427 views • 8 slides
ECE 697J Advanced Topics Advanced Topics ECE 697J in Computer Networks in Computer

ECE 697J Advanced Topics Advanced Topics ECE 697J in Computer Networks in Computer

ECE 697J Advanced Topics Advanced Topics ECE 697J in Computer Networks in Computer Networks Packet Processing Algorithms and Data Structures 9/16/03 Tilman Wolf 1 Packet Processing Packet Processing Software processing of

525 views • 11 slides
Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship Zhongjie Wang , Yue

Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship Zhongjie Wang , Yue

Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship Zhongjie Wang , Yue Cao, Zhiyun Qian, Chengyu Song, Srikanth V Krishnamurthy University of California, Riverside 1 Internet Censorship Key technology: Deep Packet

528 views • 33 slides
eBPF and XDP walkthrough and recent updates Daniel Borkmann &lt;daniel@iogearbox.net&gt; cilium

eBPF and XDP walkthrough and recent updates Daniel Borkmann &lt;daniel@iogearbox.net&gt; cilium

eBPF and XDP walkthrough and recent updates Daniel Borkmann &lt;daniel@iogearbox.net&gt; cilium project fosdem17, February 4, 2017 Daniel Borkmann eBPF in tcs cls bpf and XDP February 4, 2017 1 / 11 Big Picture: eBPF and Networking eBPF:

476 views • 11 slides
Scheduling Algorithm and Analysis Model and Cyclic Scheduling (Module 27) Yann-Hang Lee Arizona

Scheduling Algorithm and Analysis Model and Cyclic Scheduling (Module 27) Yann-Hang Lee Arizona

Scheduling Algorithm and Analysis Model and Cyclic Scheduling (Module 27) Yann-Hang Lee Arizona State University yhlee@asu.edu (480) 727-7507 Summer 2014 Real-time Systems Lab, Computer Science and Engineering, ASU Task Scheduling

501 views • 8 slides
Jet Vertex Resolution Study What is the ZVertex Algorithm used to pick the Jet Vertex ?

Jet Vertex Resolution Study What is the ZVertex Algorithm used to pick the Jet Vertex ?

Jet Vertex Resolution Study What is the ZVertex Algorithm used to pick the Jet Vertex ? Pros and Cons with respect to Double Parton Analysis. Resolution of the COT Only,SVX Only and COT+SVX Tracks in the Jets Calculating the Jet

326 views • 4 slides
Constituency Parsing CMSC 723 / LING 723 / INST 725 M ARINE C ARPUAT marine@cs.umd.edu T

Constituency Parsing CMSC 723 / LING 723 / INST 725 M ARINE C ARPUAT marine@cs.umd.edu T

Constituency Parsing CMSC 723 / LING 723 / INST 725 M ARINE C ARPUAT marine@cs.umd.edu T odays Agenda Grammar-based parsing with CFGs CKY algorithm Dealing with ambiguity Probabilistic CFGs Strategies for improvement

1.05k views • 68 slides
Principles of Programming Languages h&quot;p://www.di.unipi.it/~andrea/Dida2ca/PLP-15/ Prof.

Principles of Programming Languages h&quot;p://www.di.unipi.it/~andrea/Dida2ca/PLP-15/ Prof.

Principles of Programming Languages h&quot;p://www.di.unipi.it/~andrea/Dida2ca/PLP-15/ Prof. Andrea Corradini Department of Computer Science, Pisa Lesson 7 From DSA to Regular Expression Top-down parsing MoBvaBons: exercise 7(b)

809 views • 42 slides
Making L T X Slides A E Albert.Ornstein@Colorado.EDU 15 July 1998 You can put

Making L T X Slides A E Albert.Ornstein@Colorado.EDU 15 July 1998 You can put

Making L T X Slides A E Albert.Ornstein@Colorado.EDU 15 July 1998 You can put figures and tables into slides, using the picture and epsfig and tabular environments, but you cant use the figure and table environ- ments; L T

195 views • 7 slides
Module Interface Documentation - Using The Trace Function Method Outline (TFM) Review of basic

Module Interface Documentation - Using The Trace Function Method Outline (TFM) Review of basic

Middle Road Software Middle Road Software Module Interface Documentation - Using The Trace Function Method Outline (TFM) Review of basic software documentation principles David Lorge Parnas Modules and how they communicate Marius Dragomiroiu

491 views • 12 slides
DOCUMENT DIGITIZATION Rethinking it with Machine Learning Nischal Harohalli Padmanabha QConAI

DOCUMENT DIGITIZATION Rethinking it with Machine Learning Nischal Harohalli Padmanabha QConAI

DOCUMENT DIGITIZATION Rethinking it with Machine Learning Nischal Harohalli Padmanabha QConAI SFO 2019 The brain sure as hell doesnt work by somebody programming in rule. - Geoffrey Hinton @nischalhp | Document Digitization | QconAI

2.53k views • 34 slides
1/33 David Parnas 2006 August 08 12:15 slides Software Quality Research Laboratory -

1/33 David Parnas 2006 August 08 12:15 slides Software Quality Research Laboratory -

Software Quality Research Laboratory - University of Limerick - Ireland Module Interface Documentation - Using the Trace Function Method (TFM) David Lorge Parnas and Marius Dragomiroiu Software Quality Research Laboratory Faculty of Informatics

495 views • 33 slides

More recommend