Firewall strategies using network processors

The emergence of network processors provides a broad range of new applications, particularly in the field of network security. Firewalls have become one of the basic building blocks of implementing a network\u27s security policy; however, the security of a firewall can potentially lead to a bottleneck in the network. Therefore, improving the performance of the firewall means also improving the performance of the protected network. With the ability to direcdy monitor and modify packet information at wire speeds, the network processor provides a new avenue for the pursuit of faster, more efficient firewall products. This paper describes the implementation of two simulated network processor based firewalls. The first architecture, a basic packet filtering firewall, utilizes tree-based structures for manipulating IP and transport level firewall rules while also utilizing parallelism available in the network processor during firewall rule look-ups. In the second architecture, a parallel firewall is created using a network processor based, load-balancing switch along with two network processor based firewall machines, both utilizing the basic packet filter operations of the first architecture. When added to existing routing software, these implementations demonstrate the feasibility of creating dynamic packet-filtering routers using network processor technology

Network Virtual Machine (NetVM): A New Architecture for Efficient and Portable Packet Processing Applications

A challenge facing network device designers, besides increasing the speed of network gear, is improving its programmability in order to simplify the implementation of new applications (see for example, active networks, content networking, etc). This paper presents our work on designing and implementing a virtual network processor, called NetVM, which has an instruction set optimized for packet processing applications, i.e., for handling network traffic. Similarly to a Java Virtual Machine that virtualizes a CPU, a NetVM virtualizes a network processor. The NetVM is expected to provide a compatibility layer for networking tasks (e.g., packet filtering, packet counting, string matching) performed by various packet processing applications (firewalls, network monitors, intrusion detectors) so that they can be executed on any network device, ranging from expensive routers to small appliances (e.g. smart phones). Moreover, the NetVM will provide efficient mapping of the elementary functionalities used to realize the above mentioned networking tasks upon specific hardware functional units (e.g., ASICs, FPGAs, and network processing elements) included in special purpose hardware systems possibly deployed to implement network devices

A practical approach to network-based processing

The usage of general-purpose processors externally attached to routers to play virtually the role of active coprocessors seems a safe and cost-effective approach to add active network capabilities to existing routers. This paper reviews this router-assistant way of making active nodes, addresses the benefits and limitations of this technique, and describes a new platform based on it using an enhanced commercial router. The features new to this type of architecture are transparency, IPv4 and IPv6 support, and full control over layer 3 and above. A practical experience with two applications for path characterization and a transport gateway managing multi-QoS is described.Most of this work has been funded by the IST project GCAP (Global Communication Architecture and Protocols for new QoS services over IPv6 networks) IST-1999-10 504. Further development and application to practical scenarios is being supported by IST project Opium (Open Platform for Integration of UMTS Middleware) IST-2001-36063 and the Spanish MCYT under projects TEL99-0988-C02-01 and AURAS TIC2001-1650-C02-01.Publicad

Mapping DSP algorithms to a reconfigurable architecture Adaptive Wireless Networking (AWGN)

This report will discuss the Adaptive Wireless Networking project. The vision of the Adaptive Wireless Networking project will be given. The strategy of the project will be the implementation of multiple communication systems in dynamically reconfigurable heterogeneous hardware. An overview of a wireless LAN communication system, namely HiperLAN/2, and a Bluetooth communication system will be given. Possible implementations of these systems in a dynamically reconfigurable architecture are discussed. Suggestions for future activities in the Adaptive Wireless Networking project are also given

Strengthening measurements from the edges: application-level packet loss rate estimation

Network users know much less than ISPs, Internet exchanges and content providers about what happens inside the network. Consequently users cannot either easily detect network neutrality violations or readily exercise their market power by knowledgeably switching ISPs. This paper contributes to the ongoing efforts to empower users by proposing two models to estimate -- via application-level measurements -- a key network indicator, i.e., the packet loss rate (PLR) experienced by FTP-like TCP downloads. Controlled, testbed, and large-scale experiments show that the Inverse Mathis model is simpler and more consistent across the whole PLR range, but less accurate than the more advanced Likely Rexmit model for landline connections and moderate PL

Arbitrary Packet Matching in OpenFlow

OpenFlow has emerged as the de facto control protocol to implement Software-Defined Networking (SDN). In its current form, the protocol specifies a set of fields on which it matches packets to perform actions, such as forwarding, discarding or modifying specific protocol header fields at a switch. The number of match fields has increased with every version of the protocol to extend matching capabilities, however, it is still not flexible enough to match on arbitrary packet fields which limits innovation and new protocol development with OpenFlow. In this paper, we argue that a fully flexible match structure is superior to continuously extending the number of fields to match upon. We use Berkeley Packet Filters (BPF) for packet classification to provide a protocol-independent, flexible alternative to today’s OpenFlow fixed match fields. We have implemented a prototype system and evaluated the performance of the proposed match scheme, with a focus on the time it takes to execute and the memory required to store different match filter specifications. Our prototype implementation demonstrates that line-rate arbitrary packet classification can be achieved with complex BPF programs