19 research outputs found

    eBPF-based Content and Computation-aware Communication for Real-time Edge Computing

    By placing computation resources within a one-hop wireless topology, the recent edge computing paradigm is a key enabler of real-time Internet of Things (IoT) applications. In the context of IoT scenarios where the same information from a sensor is used by multiple applications at different locations, the data stream needs to be replicated. However, the transportation of parallel streams might not be feasible due to limitations in the capacity of the network transporting the data. To address this issue, a content and computation-aware communication control framework is proposed based on the Software Defined Network (SDN) paradigm. The framework supports multi-streaming using the extended Berkeley Packet Filter (eBPF), where the traffic flow and packet replication for each specific computation process is controlled by a program running inside an in-kernel Virtual Machine (VM). The proposed framework is instantiated to address a case-study scenario where video streams from multiple cameras are transmitted to the edge processor for real-time analysis. Numerical results demonstrate the advantage of the proposed framework in terms of programmability, network bandwidth and system resource savings. Comment: This article has been accepted for publication in the IEEE International Conference on Computer Communications (INFOCOM Workshops), 201

    Arbitrary Packet Matching in OpenFlow

    OpenFlow has emerged as the de facto control protocol to implement Software-Defined Networking (SDN). In its current form, the protocol specifies a set of fields on which it matches packets to perform actions, such as forwarding, discarding or modifying specific protocol header fields at a switch. The number of match fields has increased with every version of the protocol to extend matching capabilities; however, it is still not flexible enough to match on arbitrary packet fields, which limits innovation and new protocol development with OpenFlow. In this paper, we argue that a fully flexible match structure is superior to continuously extending the number of fields to match upon. We use Berkeley Packet Filters (BPF) for packet classification to provide a protocol-independent, flexible alternative to today’s OpenFlow fixed match fields. We have implemented a prototype system and evaluated the performance of the proposed match scheme, with a focus on the time it takes to execute and the memory required to store different match filter specifications. Our prototype implementation demonstrates that line-rate arbitrary packet classification can be achieved with complex BPF programs

    IPv6 Network Monitoring Tool

    IPv6 is a new version of the internetworking protocol designed to address the scalability and service shortcomings of the current standard, IPv4. Unfortunately, IPv4 and IPv6 are not directly compatible, so programs and systems designed to one standard cannot communicate with those designed to the other. Consequently, it is necessary to develop smooth transition mechanisms that enable applications to continue working while the network is being upgraded. In this paper the author presents the design and implementation of a network monitoring tool for the latest Internet Protocol, IPv6, which is designed for the Microsoft Windows platform. The development of networks has increased the need to monitor the nodes that are operating across the same network. The network monitoring tool aims to capture and analyze IP related packets (IPv6 packets) before executing report on the results found

    Using IDDs for Packet Filtering

    Firewalls are one of the key technologies used to control the traffic going in and out of a network. A central feature of the firewall is the packet filter. In this paper, we propose a complete framework for packet classification. Through two applications we demonstrate that both performance and security can be improved. We show that a traditional ordered rule set can always be expressed as a first-order logic formula on integer variables. Moreover, we emphasize that, with such specification, the packet filtering problem is known to be constant time. We propose to represent the first-order logic formula as Interval Decision Diagrams. This structure has several advantages. First, the algorithm for removing redundancy and unnecessary tests is very simple. Secondly, it allows us to handle integer variables, which makes it efficient on generic CPUs. And, finally, we introduce an extension of IDDs called Multi-Terminal Interval Decision Diagrams in order to deal with any number of policies. In matter of efficiency, we evaluate the performance of our framework through a prototype toolkit composed by a compiler and a packet filter. The results of the experiments show that this method is efficient in terms of CPU usage and has low storage requirements. Finally, we outline a tool, called Network Access Verifier. This tool demonstrates how the IDD representation can be used for verifying access properties of a network. In total, potentially improving the security of a network

    Implementation and Evaluation of Fast Packet Filters

    Packet filtering has become a necessary function for every kind of network device. High-end routers and firewalls can use hardware-based implementations. Otherwise, filters are implemented in software on general-purpose CPUs for flexibility and low cost, but in that case processing speed is a weakness. In this work we therefore apply code optimization techniques to packet filter programs, in particular software pipelining for loops that contain conditional branches, and attempt to speed them up on the Intel IA-64 Itanium 2 processor. The authors have already confirmed the speedup for the packet monitoring tool tcpdump. In this work we apply a partly modified version of that method and achieve a fourfold speedup over code optimized by a commercial C compiler and a twofold speedup over optimization without software pipelining. The fastest filter program developed here runs at the peak performance of the Itanium 2 processor.
    Packet filters are essential for most areas of recent network technologies. While high-end expensive routers and firewalls are implemented in hardware-based, flexible and cost-effective ones are usually in software-based solutions using general-purpose CPUs but have less performance. In order to solve this performance problem, we apply code optimization techniques to packet filter implementations, in particular the software pipelining techniques for a loop with conditional branches, on Intel IA-64 Itanium 2 processor. The authors have studied the method of applying the techniques to the packet monitoring tool tcpdump and reported their high effects. Using the revised method, we can obtain a software-pipelined packet filter implementation which is four times faster than a C compiler based one and two times faster than an optimized code without software pipelining. The fastest filter program developed in this research can execute at the maximum speed of Itanium 2 processo

    Enabling precise traffic filtering based on protocol encapsulation rules

    Current packet filters have a limited support for expressions based on protocol encapsulation relationships and some constraints are not supported at all, such as the value of the IP source address in the inner header of an IP-in-IP packet. This limitation may be critical for a wide range of packet filtering applications, as the number of possible encapsulations is steadily increasing and network operators cannot define exactly which packets they are interested in. This paper proposes a new formalism, called eXtended Finite State Automata with Predicates (xpFSA), that provides an efficient implementation of filtering expressions, supporting both constraints on protocol encapsulations and the composition of multiple filtering expressions. Furthermore, it defines a novel algorithm that can be used to automatically detect tunneled packets. Our algorithms are validated through a large set of tests assessing both the performance of the filtering generation process and the efficiency of the actual packet filtering code when dealing with real network packets