NetFlow probe on NetFPGA



Similar documents
Autonomous NetFlow Probe

A low-cost, connection aware, load-balancing solution for distributing Gigabit Ethernet traffic between two intrusion detection systems

Open Flow Controller and Switch Datasheet

Configuring Flexible NetFlow

ACHILLES CERTIFICATION. SIS Module SLS 1508

Monitoring of Tunneled IPv6 Traffic Using Packet Decapsulation and IPFIX

NetFlow Aggregation. Feature Overview. Aggregation Cache Schemes

Appendix A Remote Network Monitoring

Cisco IOS NetFlow Version 9 Flow-Record Format

基 於 SDN 與 可 程 式 化 硬 體 架 構 之 雲 端 網 路 系 統 交 換 器

Introduction to Cisco IOS Flexible NetFlow

Using IPM to Measure Network Performance

Data Center Quantized Congestion Notification (QCN): Implementation and Evaluation on NetFPGA June 14th

C-GEP 100 Monitoring application user manual

CS 78 Computer Networks. Internet Protocol (IP) our focus. The Network Layer. Interplay between routing and forwarding

Configuring NetFlow. Information About NetFlow. Send document comments to CHAPTER

UltraFlow -Cisco Netflow tools-

Integrated Traffic Monitoring

NetFlow/IPFIX Various Thoughts

Cisco IOS Flexible NetFlow Command Reference

Transport Layer Protocols

A Review of the Measuring Platform

10/100/1000Mbps Ethernet MAC with Protocol Acceleration MAC-NET Core with Avalon Interface

Router Architectures

Technical Bulletin. Enabling Arista Advanced Monitoring. Overview

Integrated Traffic Monitoring

Network Layer: Network Layer and IP Protocol

Enabling NetFlow on Virtual Switches ESX Server 3.5

Configuring NetFlow Switching

8. 網路流量管理 Network Traffic Management

A VoIP Traffic Monitoring System based on NetFlow v9

Cisco NetFlow TM Briefing Paper. Release 2.2 Monday, 02 August 2004

HANIC 100G: Hardware accelerator for 100 Gbps network traffic monitoring

Introduction to Routing and Packet Forwarding. Routing Protocols and Concepts Chapter 1

PANDORA FMS NETWORK DEVICE MONITORING

Cisco IOS NetFlow Version 9 Flow-Record Format

Network layer: Overview. Network layer functions IP Routing and forwarding

Configuring NetFlow. Information About NetFlow. NetFlow Overview. Send document comments to CHAPTER

Communications and Computer Networks

Exam 1 Review Questions

Lecture 2-ter. 2. A communication example Managing a HTTP v1.0 connection. G.Bianchi, G.Neglia, V.Mancuso

How-To Configure NetFlow v5 & v9 on Cisco Routers

Procedure: You can find the problem sheet on Drive D: of the lab PCs. Part 1: Router & Switch

Monitoring of Tunneled IPv6 Traffic Using Packet Decapsulation and IPFIX

Based on Computer Networking, 4 th Edition by Kurose and Ross

MPLS Environment. To allow more complex routing capabilities, MPLS permits attaching a

Flow Analysis Versus Packet Analysis. What Should You Choose?

Configuring NetFlow. Information About NetFlow. NetFlow Overview. Send document comments to CHAPTER

ESSENTIALS. Understanding Ethernet Switches and Routers. April 2011 VOLUME 3 ISSUE 1 A TECHNICAL SUPPLEMENT TO CONTROL NETWORK

Exploiting Stateful Inspection of Network Security in Reconfigurable Hardware

Von der Hardware zur Software in FPGAs mit Embedded Prozessoren. Alexander Hahn Senior Field Application Engineer Lattice Semiconductor

NetFlow-Lite offers network administrators and engineers the following capabilities:

Wireshark in a Multi-Core Environment Using Hardware Acceleration Presenter: Pete Sanders, Napatech Inc. Sharkfest 2009 Stanford University

NfSen Plugin Supporting The Virtual Network Monitoring

J-Flow on J Series Services Routers and Branch SRX Series Services Gateways

What is LOG Storm and what is it useful for?

Stateful Firewalls. Hank and Foo

Internet on Chip. Dr. Johannes Wolkerstorfer Gigabit Ethernet and Programmable Hardware. x Face. Realraum Graz, January 26th 2010

Voice over IP. Demonstration 1: VoIP Protocols. Network Environment

Virtual Fragmentation Reassembly

Understanding TCP/IP. Introduction. What is an Architectural Model? APPENDIX

Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data

Software Defined Networking (SDN) - Open Flow

Data Communication Networks and Converged Networks

Software Defined Networking and the design of OpenFlow switches

Cisco Configuring Commonly Used IP ACLs

Cisco IOS Flexible NetFlow Technology

ECE 358: Computer Networks. Solutions to Homework #4. Chapter 4 - The Network Layer

The BSN Hardware and Software Platform: Enabling Easy Development of Body Sensor Network Applications

Internet Control Protocols Reading: Chapter 3

The Lagopus SDN Software Switch. 3.1 SDN and OpenFlow. 3. Cloud Computing Technology

Catalyst 6500/6000 Switches NetFlow Configuration and Troubleshooting

04 Internet Protocol (IP)

Accurate and Flexible Flow-Based Monitoring for High-Speed Networks

Introduction to Netflow

Sample Configuration Using the ip nat outside source static

Instructor Notes for Lab 3

Agenda. sflow intro. sflow architecture. sflow config example. Summary

Network Management & Monitoring

Cloud Networking Disruption with Software Defined Network Virtualization. Ali Khayam

The internetworking solution of the Internet. Single networks. The Internet approach to internetworking. Protocol stacks in the Internet

Network Defense Tools

- Nishad Nerurkar. - Aniket Mhatre

OpenFlow and Software Defined Networking presented by Greg Ferro. OpenFlow Functions and Flow Tables

Chapter 9. IP Secure

CISCO IOS NETFLOW AND SECURITY

VegaStream Information Note Considerations for a VoIP installation

and reporting Slavko Gajin

UPPER LAYER SWITCHING

PANDORA FMS NETWORK DEVICES MONITORING

CHAPTER 3 STATIC ROUTING

An overview of traffic analysis using NetFlow

How To Monitor And Test An Ethernet Network On A Computer Or Network Card

Internet Packets. Forwarding Datagrams

Netflow Overview. PacNOG 6 Nadi, Fiji

Spirent TestCenter PACKET GENERATOR AND ANALYZER BASE PACKAGE

Network Traffic Monitoring an architecture using associative processing.

Subnetting,Supernetting, VLSM & CIDR

Internetworking and IP Address

Transcription:

Verze #1.00, 2008-12-12 NetFlow probe on NetFPGA Introduction With ever-growing volume of data being transferred over the Internet, the need for reliable monitoring becomes more urgent. Monitoring devices should be able to provide accurate information such as traffic patterns, statistics and various anomalies. This technical report describes an implementation of a network flow monitoring system using a dedicated hardware platform cooperating with the host PC. By exploiting the hardware-software codesign principle, we implemented time-critical functions in hardware and the rest in software. This way, the NetFlow probe offers good performance at low cost. NetFlow as a protocol for flow monitoring, first implemented in Cisco routers, is the most widely used measurement solution in a form of NetFlow v5. Statistics on IP traffic flows provide information about who communicates with whom, how long, how often, using what protocol and service and also how much data was transfered. Following part of this report describes the implementation of NetFlow v5 probe firmware itself. System Architecture Hardware of NetFlow probe consits of host computer and NetFPGA network card. The measurement process is completely implemented on the NetFPGA whereas control, configuration and collecting process are implemented as a user software running in the host computer. The main parameters of the probe are as follows: Measurement of four 1 Gbps interfaces at the line rate Memory for up to 60000 concurrent flows Indexing of flow records using hash and 8 additional parallel lookups Export of flowrecords using NetFlow v5 export protocol Application Firmware The firmware part of NetFlow probe is composed of several units chained in a pipeline (see Fig. 1). The pipeline is instantiated as a user data path module into NetFPGA firmware. Each unit in the pipeline has its specific task which usually consists of processing of arriving data and adding the result in the output data. The interconnection of units is provided by netfpga interconnection protocol, i.e., data bus, control bus, write and ready signals. in(0) in(1)... Input Arbiter L3L4 Extract Time Stamp Gen Flow LookUp Flow Proc Record Wrapper in(7) Figure 1: Processing pipeline of NetFlow firmware CESNET, z.s.p.o. 1

L3L4 Header Parser Parser extracts significant fields of the packet header for monitoring which forms a so called Packet Record (later referred to as PR). Rest of the packet payload is discarded. The and outpu of unit is dipslayed on Fig. 2. The unit identifies the type of packet encapsulated in the frame and extract information to create the Packet Record. Supported packets are: TCP/IPv4 UDP/IPv4 ICMP Other packets are discarded as not relevant to NetFlow measurement. The unit consists of two independent processes, one is to parse the packet header and the second one is to create correct output stream. CTRL DATA L3L4extract 0xff InputPort PktByteLen Identify 0x00 Ethernet Frame without preamble and FCS LABEL remainder Drop LABEL Extract Figure 2: Extracting L3 and L4 information from the packet Table 1: Address space of L3l4extract module. NFLOW L3L4EXTRACT TOTAL PACKETS REG R Total number of seen packets NFLOW L3L4EXTRACT ACCEPTED PACKETS REG R Packets that were accepted for NetFlow measurement Unit unit inserts current timestamp value from the timestamp counter into the packet record. The timestamp represents SysUpTime time from the start of the NetFlow monitoring. The timestamp is held in milliseconds. The timestamp counter is 32 bit and overflows after 49 days and 17 hours. The timestamp is inserted in the packet record, see Fig. 3. The speed of counter is adjusted by the increment value. The increment value represents the number of clock cycles in one millisecond, i.e., the length of one millisecond. This value can be set by software in order to speed up or slow down the counter which allows to synchronize time domain of the firmware with the time domain of local host. TIMESTAMP COUNTER INCREMENT Figure 3: unit CESNET, z.s.p.o. 2

Table 2: Address space of module. NFLOW TIMESTAMP INCREMENT REG RW The length of millisecond in number of clock cycles NFLOW TIMESTAMP TIMESTAMP REG R Current value of the timestamp, i.e., SysUp- Time NFLOW TIMESTAMP FRACTIMESTAMP REG R Fraction of current timestamp in number of clock cycles Generator Generator computes a -bit hash value (CRC-) and inserts it into the packet record, Fig 4. The hash value is computed only from following fields: Input Input Interface Protocol Figure 4: Unit The probability that two different flows share the same hash result (supposing the uniform distribution of hash) is: m! p collision (n) = 1 m n (m n)! 1 n e 2 2 m (1) where in our case c = 2 48 (only 48 bits of CRC-) which is the number of possible CRC- values and n = 4000 is number of active flows. The probability of collision is very low, p collision = 10 13. Table 3: Address space of Gen module. NFLOW HASHGEN INITSEED0 REG RW Low 32 bits of hash init seed. NFLOW HASHGEN INITSEED1 REG RW High 32 bits of hash init seed. CESNET, z.s.p.o. 3

FlowLookUp Unit FlowLookUp splits the hash value into two parts. First part is used to address a line which contains 8 hash values of 8 different flow records (8 fingerprints). These fingerprints are compared to the second part of the splitted hash. If there is a match with one of the hash values in the line then the flow record is already in the flow memory. Its address is acquired as the join of first part of the hash and the rank of the matched fingerprint. If there is no match and number of flow records in the set is lower than 8 then the free space is used to enter new fingerprint. If there is no match and no space then an arbitrary flowrecord in the set is expired and replaced with new one. from FlowProc FlowLookUp to FlowProc CMD Address HASH(11:0) MEMORY MODULE CMD Address from HASH HASH MEMORY MODULE MEMORY MODULE DECODER CMD & ADDR Pkt Length SINGLE LINE OF MEMORY Pkt Length Figure 5: Flow Lookup Unit When a flow record is about to be expired the FlowLookUp receives command from FlowProc unit to delete the corresponding fingerprint from the hash table. Immidiately after this command is executed it is send back to a FlowProc unit. Table 4: Address space of FlowLookUp module. NFLOW FLOWLOOKUP DEBUG REG RW Debug register with arbitrary information. Flow Processing Unit Flow processing unit controls initialization of new flow records, updates of existing flow records, and expiration of inactive flow records. The expiration process runs in parallel with create/update process, it is displayed on Fig. 6. The mutual exclusion is not necesary as it is implicitly quaranteed by following protocol. 1. When the expiration process identifies inactive flow record then it sends a delete command to the FlowLookUp unit. 2. The FlowLookUp unit deletes the index of the flow record and sends the delete command back to the FlowProc unit. 3. The FlowProc unit retrieves and deteles correspoding flow record from its memory and send the expired flow record to its output. FlowProc Cmd Address CMD Start End ADDRESS PACKET RECORD Flow ALU dpkts Pkt Length MEM A B MEM A B... Control Process Cmd Address Figure 6: Flow Processing Unit CESNET, z.s.p.o. 4

The computation of values in flow record depends on the previous values of the flow record and command issued by the FlowLookUp process. Following commands are specified: Create (Init) flow record Update flow record Delete flow record no operation is performed upon values The FlowALU implements following operations to support Init and Update commands: fr.start = init? pr.timestamp : fr.start ; fr.end = pr.timestamp; fr. = init? pr.pktbytelen : ( fr. + pr.pktbytelen ) ; fr.dpkts = init? 1 : ( fr.dpkts + 1 ) ; fr.ttl = pr.ttl; fr.tcpflags = init? pr.tcpflags : ( fr.tcpflags pr.tcpflags ) ; fr.srcipaddr = pr.srcipaddr; fr.dstipaddr = pr.dstipaddr; fr.srcport = pr.srcport; fr.dstport = pr.dstport; fr. = pr.; fr.proto = pr.proto; fr.tos = pr.tos; Table 5: Address space of FlowProc module. NFLOW FLOWPROC CNT ITEMS REG R Number of flow records in memory. NFLOW FLOWPROC CNT NEW REG R Number of received commands to create a flow record. NFLOW FLOWPROC CNT UPDATE REG R Number of received commands to update a flow record. NFLOW FLOWPROC CNT DELETE REG R Number of received commands to delete a flow record. NFLOW FLOWPROC ACTIVE TIMEOUT REG RW Active timeout in milliseconds. NFLOW FLOWPROC INACTIVE TIMEOUT REG RW Inactive timeout in milliseconds. Record Wrapper The released flow records are temporarily stored in a Record Wrapper module. As soon as the following conditions are met the stored flow records are reformated to NetFlow v5 format and wrapped into NetFlow v5 protocola and and written into output queue module of NetFPGA platform. 15 records arrived in the buffer The first record in the buffer is more than 20 ms old The NetFlow v5 datagram is sent to the output interface specified by software register. There could be more output interfaces specified as the output interface is one-hot encoded. CESNET, z.s.p.o. 5

Table 6: Address space of RecordWrapper module. NFLOW RECORDWRAPPER SRC IP REG RW Souce IP address of NetFlow probe. NFLOW RECORDWRAPPER DST IP REG RW Destination IP address of collector. NFLOW RECORDWRAPPER SRCDST PORT REG RW Source and destination ports. NFLOW RECORDWRAPPER EPOCH SECONDS REG RW Number of seconds between the epoch and the time when UDP packet was sent. NFLOW RECORDWRAPPER OUTPUT PORT REG RW One-hot encoded output interface. Application Software The application software of NetFlow probe consists primarily of configuration and statistical interface and a simple collector. The concept is displayed on Fig. 7. Java gui Collector control path Java libraries NetFPGA driver Perl libraries NetFlow v5 NetFPGA card Network traffic NetFlow v5 Figure 7: Architecture of Software Conclusion The goal of NetFPGA NetFlow probe is to show a potential of network FPGA cards to gather NetFlow data. It allows further improvement for example increasing the memory (using SSRAM or DRAM modules). Next the timestamp could be enhanced to bits or the indexing scheme could be modified. CESNET, z.s.p.o. 6

References CESNET, z.s.p.o. 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information