1 10 Gbit Hardware Packet Filtering Using Commodity Network Adapters Luca Deri Joseph Gasparakis
2 10 Gbit Monitoring Challenges [1/2] High number of packets to be analyzed (10 times as much as 1 Gbit). CPU-based traffic analysis is not feasible at these speeds as it will result in severe packet loss. Packet filtering is very important, in particular on WANs, in order to early discard those packets that are not supposed to be analyzed.
3 10 Gbit Monitoring Challenges [2/2] Operating systems handle 10 Gbit adapters as legacy 10 Mbit adapters (use ethx for any speed). Modern computing architectures are grounded on multicore, where multiple threads of execution process data concurrently. The outcome is that basically only one core can handle incoming traffic.
4 OS Networking Limitations Capture Thread Capture Thread Capture Thread Capture Thread User space Kernel space Network Stack Single Resource Competition Merge and Split NIC Driver RX 0 RX 1 RX 2 RX 3 Sequential Polling RSS (Resource Side Scaling) 1-10 Gbit PHY
5 Hardware-based NICs FPGA-based Network Adapters Endace DAG Napatech Pros: ability to operate at wire rate Cons High cost (> 10k USD) Limited number of filtering rules (~32)
6 What about OpenFlow? Network protocol that allows to remotely control the forwarding plane in switches Traffic To Analyze Pros: Moves filtering in switches Monitor Probe Cons: OpenFlow Controller 10 Gbit OpenFlow switches are costly Complex architecture (cables & wires)
7 Why is Hw Filtering Important? It prevents unwanted traffic to reach the computer hence to waste CPU cycles. Filtering in software can lead to packet loss, thus having a negative drawback on analysis. Packet filtering is the cornerstone of efficiently dispatching incoming packets to available cores, that it s the only way to exploit modern computing architectures.
10 Intel Ethernet Controller [1/3] Latest generation of Intel 10 Gbit Ethernet Controller. Ability do define up to perfect rules per port (unlimited hashing rules). Commodity adapter (<350 USD/port). Hardware support for virtualization (i.e. in- NIC L2 Switch) and multi RX/TX queues. Limitation: OSs exploits only basic NIC capabilities.
11 Intel Ethernet Controller [2/3] In packet filtering is performed in hardware at wire rate. Filtering is necessary to decide to which RX queue a packet must be assigned. Assigning a packet to a non-existing RX queue (<= number of available CPU cores) drops the packet.
12 Intel Ethernet Controller [3/3]
13 PF_RING with Support RX Packet Match 5-tuple Filter No Match Flow Director Filter No Yes Yes RX defined by 5- tuple Filter RX defined by Flow Director Filter RSS RX Assigned RX RX RX RX RX PF_RING-aware Driver PF_RING # echo "+(1,1,1,tcp, /32,25, /16,0)" > proc/net/pf_ring/dev/eth2/rules # echo "+(2,2,tcp, ,25, ,0)" > proc/net/pf_ring/dev/eth2/rules
14 Using Filters in Real Life Signaling-based realtime multimedia (e.g. VoIP, IPTV) monitoring. Network Troubleshooting: Wireshark. Traffic Classification and Balancing. Lawful Interception of IP Traffic. 10 Gbit Firewalling.
15 10 Gbit Snorting User space Kernel space PF_RING RX 0 RX 1 RX 2 RX Packets Filtering Rules (via PF_RING DAQ) RSS (Resource Side Scaling) 1-10 Gbit PHY
16 Divide et Impera Network Monitoring Servers Selective Packet Drop on Gbit Traffic Splitter / Switch 10 Gbit Ingress Stream
17 Performance Figures [1/2] Single filtering rule matching all packets % Capture Rate vs- Packet sizes 100 % 75 % 50 % SW Filter HW Filter Note: Using multiple filters increases significantly CPU usage when SW filters are used (Butterfly Effect), whereas filter number does not affect HW filters % 0 %
18 Performance Figures [2/2] Single filtering rule dropping all packets % CPU Load 100 % 75 % 50 % SW Filter HW Filter % 0 % Note: As expected CPU is not loaded at all when HW filters are used.
19 Final Remarks Using hardware-assisted packet filtering and balancing allows network administrators to monitor and troubleshoot 10 Gbit networks using commodity hardware. Available at no cost (GNU GPL) from L. Deri, J. Gasparakis and F. Fusco Wire-Speed Hardware Assisted Traffic Filtering with Mainstream Adapters Proceedings of NEMA 2010, October 2010
Wire-Speed Hardware-Assisted Traffic Filtering with Mainstream Network Adapters Luca Deri 1, Joseph Gasparakis 2, Peter Waskiewicz Jr 3, Francesco Fusco 4 5 1 ntop, Pisa, Italy 2 Intel Corporation, Embedded
Passively Monitoring Networks at Gigabit Speeds Using Commodity Hardware and Open Source Software Luca Deri, NETikos S.p.A. Abstract Passive network monitoring is a complex activity that mainly consists
Network Monitoring on Multicores with Algorithmic Skeletons M. Danelutto, L. Deri, D. De Sensi Computer Science Department University of Pisa, Italy Abstract. Monitoring network traffic on 10 Gbit networks
Wireshark in a Multi-Core Environment Using Hardware Acceleration Presenter: Pete Sanders, Napatech Inc. Sharkfest 2009 Stanford University Napatech - Sharkfest 2009 1 Presentation Overview About Napatech
Ntop: beyond Ping and Traceroute Luca Deri 1 2 and Stefano Suin 2 The task of network management is becoming increasingly complex due to the increasing number of networked computers running different operating
Foundation for High-Performance, Open and Flexible Software and Services in the Carrier Network Sandeep Shah Director, Systems Architecture EZchip Linley Carrier Conference June 10, 2015 1 EZchip Overview
Traffic Monitoring in a Switched Environment InMon Corp. 1404 Irving St., San Francisco, CA 94122 www.inmon.com 1. SUMMARY This document provides a brief overview of some of the issues involved in monitoring
Design of an Application Programming Interface for IP Network Monitoring Michalis Polychronakis, Kostas Anagnostakis, Arne Øslebø, Evangelos P. Markatos Institute of Computer Science Foundation for Research
A Passive Network Appliance for Real-Time Network Monitoring Michael J. Schultz, Ben Wun, and Patrick Crowley email@example.com, firstname.lastname@example.org, email@example.com Washington University in Saint Louis
Annals of Telecommunications manuscript No. (will be inserted by the editor) Virtual Networks: Isolation, Performance, and Trends Natalia C. Fernandes Marcelo D. D. Moreira Igor M. Moraes Lyno Henrique
Network monitoring in high-speed links Algorithms and challenges Pere Barlet-Ros Advanced Broadband Communications Center (CCABA) Universitat Politècnica de Catalunya (UPC) http://monitoring.ccaba.upc.edu
3. MONITORING AND TESTING THE ETHERNET NETWORK 3.1 Introduction The following parameters are covered by the Ethernet performance metrics: Latency (delay) the amount of time required for a frame to travel
Network Monitoring and Analysis Techniques Using Taps and SPAN Switches Networks have evolved into complex structures supporting critical business processes and communications. As this complexity has increased,
Extensible and Scalable Network Monitoring Using OpenSAFE Jeffrey R. Ballard firstname.lastname@example.org Ian Rae email@example.com Aditya Akella firstname.lastname@example.org Abstract Administrators of today s networks are
Design and Implementation of a Consolidated Middlebox Architecture Vyas Sekar, Norbert Egi, Sylvia Ratnasamy, Michael K. Reiter, Guangyu Shi Intel Labs, UC Berkeley, UNC Chapel Hill, Huawei Abstract Network
Promiscuous Monitoring in Ethernet and Wi-Fi Networks Executive Summary This white paper examines the problems related to the deployment and usage of software-based network monitoring solutions in wired
LOAD BALANCING FOR HIGH-SPEED PARALLEL NETWORK INTRUSION DETECTION A Thesis Submitted to the Graduate School of the University of Notre Dame in Partial Fulfillment of the Requirements for the Degree of
WHITE PAPER Securing the Intelligent Network Securing the Intelligent Network New Threats Demand New Strategies The network is the door to your organization for both legitimate users and would-be attackers.
I1: Best Practices for Packet Collection, Aggregation & Distribution in the Enterprise J. Scott Haugdahl Architect, Blue Cross Blue Shield MN; email@example.com Formerly Asst. VP, Architect,
Any-to-any switching with aggregation and filtering reduces monitoring costs Summary Physical Layer Switches can filter and forward packet data to one or many monitoring devices. With intuitive graphical
UNIVERSITY OF OSLO Department of Informatics Performance Measurement of Web Services Linux Virtual Server Muhammad Ashfaq Oslo University College May 19, 2009 Performance Measurement of Web Services Linux
Windows Server 2008 R2 Hyper-V Live Migration Table of Contents Overview of Windows Server 2008 R2 Hyper-V Features... 3 Dynamic VM storage... 3 Enhanced Processor Support... 3 Enhanced Networking Support...
Network Monitoring with Software Defined Networking Towards OpenFlow network monitoring Vassil Nikolaev Gourov Master of Science Thesis Network Architectures and Services Faculty of Electrical Engineering,
xpf: Packet Filtering for Low-Cost Network Monitoring S. Ioannidis K. G. Anagnostakis J. Ioannidis A. D. Keromytis CIS Department, University of Pennsylvania anagnost,sotiris @dsl.cis.upenn.edu AT&T Labs