19 research outputs found
eBPF-based Content and Computation-aware Communication for Real-time Edge Computing
By placing computation resources within a one-hop wireless topology, the
recent edge computing paradigm is a key enabler of real-time Internet of Things
(IoT) applications. In the context of IoT scenarios where the same information
from a sensor is used by multiple applications at different locations, the data
stream needs to be replicated. However, the transportation of parallel streams
might not be feasible due to limitations in the capacity of the network
transporting the data. To address this issue, a content and computation-aware
communication control framework is proposed based on the Software Defined
Network (SDN) paradigm. The framework supports multi-streaming using the
extended Berkeley Packet Filter (eBPF), where the traffic flow and packet
replication for each specific computation process is controlled by a program
running inside an in-kernel Virtual Machine (VM). The proposed framework is
instantiated to address a case-study scenario where video streams from multiple
cameras are transmitted to the edge processor for real-time analysis. Numerical
results demonstrate the advantage of the proposed framework in terms of
programmability, network bandwidth and system resource savings.
Comment: This article has been accepted for publication in the IEEE
International Conference on Computer Communications (INFOCOM Workshops), 201
Arbitrary Packet Matching in OpenFlow
OpenFlow has emerged as the de facto control
protocol to implement Software-Defined Networking (SDN). In
its current form, the protocol specifies a set of fields on which
it matches packets to perform actions, such as forwarding,
discarding or modifying specific protocol header fields at a switch.
The number of match fields has increased with every version of
the protocol to extend matching capabilities; however, it is still
not flexible enough to match on arbitrary packet fields, which
limits innovation and new protocol development with OpenFlow.
In this paper, we argue that a fully flexible match structure
is superior to continuously extending the number of fields
to match upon. We use Berkeley Packet Filters (BPF) for
packet classification to provide a protocol-independent, flexible
alternative to today’s OpenFlow fixed match fields. We have
implemented a prototype system and evaluated the performance
of the proposed match scheme, with a focus on the time it takes
to execute and the memory required to store different match
filter specifications. Our prototype implementation demonstrates
that line-rate arbitrary packet classification can be achieved with
complex BPF programs.
IPv6 Network Monitoring Tool
IPv6 is a new version of the internetworking protocol designed to address the scalability
and service shortcomings of the current standard, IPv4. Unfortunately, IPv4 and IPv6 are
not directly compatible, so programs and systems designed to one standard cannot
communicate with those designed to the other. Consequently, it is necessary to develop
smooth transition mechanisms that enable applications to continue working while the
network is being upgraded. In this paper the author presents the design and
implementation of a network monitoring tool for the latest Internet Protocol, IPv6,
which is designed for the Microsoft Windows platform. The development of networks has
increased the need to monitor the nodes that are operating across the same network. The
network monitoring tool aims to capture and analyze IP-related packets (IPv6 packets)
before executing a report on the results found.
Using IDDs for Packet Filtering
Firewalls are one of the key technologies used to control the traffic going in and out of a network. A central feature of the firewall is the packet filter. In this paper, we propose a complete framework for packet classification. Through two applications we demonstrate that both performance and security can be improved. We show that a traditional ordered rule set can always be expressed as a first-order logic formula on integer variables. Moreover, we emphasize that, with such a specification, the packet filtering problem is known to be constant time. We propose to represent the first-order logic formula as Interval Decision Diagrams. This structure has several advantages. First, the algorithm for removing redundancy and unnecessary tests is very simple. Secondly, it allows us to handle integer variables, which makes it efficient on generic CPUs. And, finally, we introduce an extension of IDDs called Multi-Terminal Interval Decision Diagrams in order to deal with any number of policies. In terms of efficiency, we evaluate the performance of our framework through a prototype toolkit composed of a compiler and a packet filter. The results of the experiments show that this method is efficient in terms of CPU usage and has low storage requirements. Finally, we outline a tool, called Network Access Verifier. This tool demonstrates how the IDD representation can be used for verifying access properties of a network, in total potentially improving the security of a network.
Implementation and Evaluation of Fast Packet Filters
Packet filtering is becoming a required function in every kind of network device. For high-end routers and firewalls, a hardware-based implementation is possible. Otherwise, it is implemented in software on general-purpose CPUs to obtain a flexible and inexpensive solution, but in that case processing speed is a weakness. In this research we therefore apply code optimization techniques to packet filter programs, in particular software pipelining for loops that contain conditional branches, and attempt to speed them up on the Intel IA-64 Itanium 2 processor. The authors have already confirmed the speed-up effect for the packet monitoring tool tcpdump. In this research we apply that method with some modifications and achieve a fourfold speed-up over optimization by a commercial C compiler and a twofold speed-up over optimization that does not use software pipelining. The fastest filter program developed here runs at the peak performance of the Itanium 2 processor.
Packet filters are essential for most areas of recent network technologies. While high-end expensive routers and firewalls are implemented in hardware, flexible and cost-effective ones are usually software-based solutions using general-purpose CPUs but have less performance. In order to solve this performance problem, we apply code optimization techniques to packet filter implementations, in particular the software pipelining techniques for a loop with conditional branches, on the Intel IA-64 Itanium 2 processor. The authors have studied the method of applying the techniques to the packet monitoring tool tcpdump and reported their high effects. Using the revised method, we can obtain a software-pipelined packet filter implementation which is four times faster than a C compiler based one and two times faster than an optimized code without software pipelining. The fastest filter program developed in this research can execute at the maximum speed of the Itanium 2 processor.
Enabling precise traffic filtering based on protocol encapsulation rules
Current packet filters have limited support for expressions based on protocol encapsulation relationships, and some constraints are not supported at all, such as the value of the IP source address in the inner header of an IP-in-IP packet. This limitation may be critical for a wide range of packet filtering applications, as the number of possible encapsulations is steadily increasing and network operators cannot define exactly which packets they are interested in. This paper proposes a new formalism, called eXtended Finite State Automata with Predicates (xpFSA), that provides an efficient implementation of filtering expressions, supporting both constraints on protocol encapsulations and the composition of multiple filtering expressions. Furthermore, it defines a novel algorithm that can be used to automatically detect tunneled packets. Our algorithms are validated through a large set of tests assessing both the performance of the filtering generation process and the efficiency of the actual packet filtering code when dealing with real network packets.