Packet Filtering Module For PFQ Packet Capturing Engine.
The evolution of commodity hardware is pushing parallelism forward as the key factor that can allow software to attain hardware-class performance while still retaining its advantages. On one side, commodity CPUs are providing more and more cores (the next-generation Intel Xeon E 7500 CPUs will soon make 10-core processors a commodity product), with a complex cache hierarchy which makes aware data placement crucial to good performance. On the other side, server NICs are adapting to these new trends by increasing their own level of parallelism. While traditional 1Gbps NICs exchanged data with the CPU through a single ring of shared memory buffers, modern 10Gbps cards support multiple queues: multiple cores can therefore receive and transmit packets in parallel. In particular, incoming packets can be de-multiplexed across CPUs based on a hash function (the so-called RSS technology) or on the MAC address (the VMD-q technology, designed for servers hosting multiple virtual machines). The Linux kernel has recently begun to support these new technologies. Though there is a lot of network monitoring software, most of it has not yet been designed with high parallelism in mind. Therefore a novel packet capturing engine, named PFQ, was designed that allows efficient capturing and in-kernel aggregation, as well as connection-aware load balancing. Such an engine is based on a novel lockless queue and allows parallel packet capturing to let the user-space application arbitrarily define its degree of parallelism. Therefore, both legacy applications and natively parallel ones can benefit from such a capturing engine. In addition, PFQ outperforms its competitors both in terms of captured packets and CPU consumption.
In this thesis, a new packet filtering block is designed, implemented, and added to the existing PFQ capture engine. It helps in dropping unnecessary packets before they are copied into the kernel space, thus improving the overall performance of the engine considerably. Because network monitors often want only a small subset of network traffic, a dramatic performance gain is realized by filtering out unwanted packets in interrupt context.
Firewall strategies using network processors
The emergence of network processors provides a broad range of new applications, particularly in the field of network security. Firewalls have become one of the basic building blocks of implementing a network's security policy; however, the security of a firewall can potentially lead to a bottleneck in the network. Therefore, improving the performance of the firewall means also improving the performance of the protected network. With the ability to directly monitor and modify packet information at wire speeds, the network processor provides a new avenue for the pursuit of faster, more efficient firewall products. This paper describes the implementation of two simulated network processor based firewalls. The first architecture, a basic packet filtering firewall, utilizes tree-based structures for manipulating IP and transport level firewall rules while also utilizing parallelism available in the network processor during firewall rule look-ups. In the second architecture, a parallel firewall is created using a network processor based, load-balancing switch along with two network processor based firewall machines, both utilizing the basic packet filter operations of the first architecture. When added to existing routing software, these implementations demonstrate the feasibility of creating dynamic packet-filtering routers using network processor technology.
OSCAR: A Collaborative Bandwidth Aggregation System
The exponential increase in mobile data demand, coupled with growing user
expectation to be connected in all places at all times, has introduced novel
challenges for researchers to address. Fortunately, the widespread deployment
of various network technologies and the increased adoption of multi-interface
enabled devices have enabled researchers to develop solutions for those
challenges. Such solutions aim to exploit available interfaces on such devices
in both solitary and collaborative forms. These solutions, however, have faced
a steep deployment barrier.
In this paper, we present OSCAR, a multi-objective, incentive-based,
collaborative, and deployable bandwidth aggregation system. We present the
OSCAR architecture that does not introduce any intermediate hardware nor
require changes to current applications or legacy servers. The OSCAR
architecture is designed to automatically estimate the system's context,
dynamically schedule various connections and/or packets to different
interfaces, be backwards compatible with the current Internet architecture, and
provide the user with incentives for collaboration. We also formulate the OSCAR
scheduler as a multi-objective, multi-modal scheduler that maximizes system
throughput while minimizing energy consumption or financial cost. We evaluate
OSCAR via implementation on Linux, as well as via simulation, and compare our
results to the current optimal achievable throughput, cost, and energy
consumption. Our evaluation shows that, in the throughput maximization mode, we
provide up to 150% enhancement in throughput compared to current operating
systems, without any changes to legacy servers. Moreover, this performance gain
further increases with the availability of connection resume-supporting, or
OSCAR-enabled servers, reaching the maximum achievable upper-bound throughput
- …