703 research outputs found

    Filtering Network Traffic Based on Protocol Encapsulation Rules

    Packet filtering is a technology at the foundation of many traffic analysis tasks. While languages and tools for packet filtering have been available for many years, none of them supports filters operating on the encapsulation relationships found in each packet. This represents a problem as the number of possible encapsulations used to transport traffic is steadily increasing and we cannot define exactly which packets have to be captured. This paper presents our early work on an algorithm that models protocol filtering patterns (including encapsulation constraints) as Finite State Automata and supports the composition of multiple expressions within the same filter. The resulting, optimized filter is then translated into executable code. The above filtering algorithms are available in the NetBee open source library, which provides some basic tools for handling network packets (e.g., a tcpdump-like program) and APIs to build more advanced tool

    GNFC: Towards Network Function Cloudification

    An increasing demand is seen from enterprises to host and dynamically manage middlebox services in public clouds in order to leverage the same benefits that network functions provide in traditional, in-house deployments. However, today's public clouds provide only a limited view and programmability for tenants that challenges flexible deployment of transparent, software-defined network functions. Moreover, current virtual network functions can't take full advantage of a virtualized cloud environment, limiting scalability and fault tolerance. In this paper we review and evaluate the current infrastructural limitations imposed by public cloud providers and present the design and implementation of GNFC, a cloud-based Network Function Virtualization (NFV) framework that gives tenants the ability to transparently attach stateless, container-based network functions to their services hosted in public clouds. We evaluate the proposed system over three public cloud providers (Amazon EC2, Microsoft Azure and Google Compute Engine) and show the effects on end-to-end latency and throughput using various instance types for NFV hosts

    A Tunnel-aware Language for Network Packet Filtering

    While in computer networks the number of possible protocol encapsulations is growing day after day, network administrators face ever increasing difficulties in selecting accurately the traffic they need to inspect. This is mainly caused by the limited number of encapsulations supported by currently available tools and the difficulty to exactly specify which packets have to be analyzed, especially in presence of tunneled traffic. This paper presents a novel packet processing language that, besides Boolean filtering predicates, introduces special constructs for handling the more complex situations of tunneled and stacked encapsulations, giving the user a finer control over the semantics of a filtering expression. Even though this language is principally focused on packet filters, it is designed to support other advanced packet processing mechanisms such as traffic classification and field extraction. I

    Throughput Performance Comparison of MPT-GRE and MPTCP in the Fast Ethernet IPv4/IPv6 Environment, Journal of Telecommunications and Information Technology, 2018, nr 2

    This paper presents the MPT-GRE software, a novel multipath communication technology founded on the Generic Routing Encapsulation (GRE) protocol in UDP tunneling RFC specification. It enables the creation of a GRE protocol-based UDP tunnel built on several communication channels. On the other hand, MPTCP is one of the most typical representatives among multipath communication technologies, basing its operation on the utilization of TCP subflows. The authors compare the path-aggregation capabilities of these two technologies using four Fast Ethernet channels. The tests were carried out with the iperf3 network bandwidth measurement tool, and while transferring data using the FTP protocol over both IPv4 and IPv6

    Hybrid IP/SDN networking: open implementation and experiment management tools

    The introduction of SDN in large-scale IP provider networks is still an open issue and different solutions have been suggested so far. In this paper we propose a hybrid approach that allows the coexistence of traditional IP routing with SDN based forwarding within the same provider domain. The solution is called OSHI - Open Source Hybrid IP/SDN networking as we have fully implemented it combining and extending Open Source software. We discuss the OSHI system architecture and the design and implementation of advanced services like Pseudo Wires and Virtual Switches. In addition, we describe a set of Open Source management tools for the emulation of the proposed solution using either the Mininet emulator or distributed physical testbeds. We refer to this suite of tools as Mantoo (Management tools). Mantoo includes an extensible web-based graphical topology designer, which provides different layered network "views" (e.g. from physical links to service relationships among nodes). The suite can validate an input topology, automatically deploy it over a Mininet emulator or a distributed SDN testbed and allows access to emulated nodes by opening consoles in the web GUI. Mantoo provides also tools to evaluate the performance of the deployed nodes. Comment: Accepted for publication in IEEE Transaction of Network and Service Management - December 2015 http://dx.doi.org/10.1109/TNSM.2015.250762

    Enabling precise traffic filtering based on protocol encapsulation rules

    Current packet filters have a limited support for expressions based on protocol encapsulation relationships and some constraints are not supported at all, such as the value of the IP source address in the inner header of an IP-in-IP packet. This limitation may be critical for a wide range of packet filtering applications, as the number of possible encapsulations is steadily increasing and network operators cannot define exactly which packets they are interested in. This paper proposes a new formalism, called eXtended Finite State Automata with Predicates (xpFSA), that provides an efficient implementation of filtering expressions, supporting both constraints on protocol encapsulations and the composition of multiple filtering expressions. Furthermore, it defines a novel algorithm that can be used to automatically detect tunneled packets. Our algorithms are validated through a large set of tests assessing both the performance of the filtering generation process and the efficiency of the actual packet filtering code when dealing with real network packets

    Monitoring of Tunneled IPv6 Traffic Using Packet Decapsulation and IPFIX

    This paper deals with tunneled IPv6 traffic monitoring and describing IPv6 transition issues. The contribution is a possibility of monitoring what is inside IPv6 tunnels. This gives network administrators a way to detect security threats which would be otherwise considered as harmless IPv4 traffic. This approach is also suitable for long term network monitoring. This is achieved by the usage of IPFIX (IP Flow Information Export) as the information carrying format. The proposed approach also allows monitoring traffic on 10 Gb/s links because it supports hardware-accelerated packet distribution to multiple processors. The article deals with monitoring tunneled IPv6 traffic by decapsulating packets and exporting the results using the IPFIX protocol. It discusses the issues of the IPv6 tunneling transition mechanisms and presents a solution that is able to monitor this traffic even on backbone links running at 10 Gb/s

    De-ossifying the Internet Transport Layer : A Survey and Future Perspectives

    ACKNOWLEDGMENT The authors would like to thank the anonymous reviewers for their useful suggestions and comments. Peer reviewed. Publisher PD