Stateful Connection Tracking & Stateful NAT



Similar documents
Open vswitch and the Intelligent Edge

The State of Stateful Services. Joe Stringer, Jarno Rajahalme

Linux Firewall. Linux workshop #2.

Programmable Networking with Open vswitch

Netfilter s connection tracking system

Netfilter / IPtables

Fault tolerant stateful firewalling with GNU/Linux. Pablo Neira Ayuso Proyecto Netfilter University of Sevilla

TECHNICAL NOTES. Security Firewall IP Tables

Intro to Linux Kernel Firewall

Stateful Firewalls. Hank and Foo

Scalable Extraction, Aggregation, and Response to Network Intelligence

Software Defined Networking (SDN) OpenFlow and OpenStack. Vivek Dasgupta Principal Software Maintenance Engineer Red Hat

Firewall. IPTables and its use in a realistic scenario. José Bateira ei10133 Pedro Cunha ei05064 Pedro Grilo ei09137 FEUP MIEIC SSIN

Optimisacion del ancho de banda (Introduccion al Firewall de Linux)

Open Source Firewall

Availability Digest. Redundant Load Balancing for High Availability July 2013

Linux firewall. Need of firewall Single connection between network Allows restricted traffic between networks Denies un authorized users

Vuurmuur - iptables manager

Linux Firewalls (Ubuntu IPTables) II

Computer Firewalls. The term firewall was originally used with forest fires, as a means to describe the

Linux Routers and Community Networks

ZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy

An API for dynamic firewall control and its implementation for Linux Netfilter

Network security Exercise 9 How to build a wall of fire Linux Netfilter

Network Security Exercise 10 How to build a wall of fire

Secure use of iptables and connection tracking helpers

Improving DNS performance using Stateless TCP in FreeBSD 9

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)

VENKATAMOHAN, BALAJI. Automated Implementation of Stateful Firewalls in Linux. (Under the direction of Ting Yu.)

Software Datapath Acceleration for Stateless Packet Processing

Worksheet 9. Linux as a router, packet filtering, traffic shaping

NetFlow/IPFIX Various Thoughts

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

OpenFlow with Intel Voravit Tanyingyong, Markus Hidell, Peter Sjödin

Firewalls. configuring a sophisticated GNU/Linux firewall involves understanding

Network Security Management

Best Practices Guide: Vyatta Firewall. SOFTWARE-BASED NETWORKING & SECURITY FROM VYATTA February 2013

Firewalls P+S Linux Router & Firewall 2013

Introduction to Linux Virtual Server and High Availability

Customer Service Description Next Generation Network Firewall

Firewall. Vyatta System. REFERENCE GUIDE IPv4 Firewall IPv6 Firewall Zone Based Firewall VYATTA, INC.

Firewalls. Chien-Chung Shen

Carrier/WAN SDN Brocade Flow Optimizer Making SDN Consumable

Active-Active Servers and Connection Synchronisation for LVS

Bridgewalling - Using Netfilter in Bridge Mode

CS Computer and Network Security: Firewalls

Assessing the Performance of Virtualization Technologies for NFV: a Preliminary Benchmarking

FWSM introduction Intro 5/1

Ulogd2, Advanced firewall logging

Protecting and controlling Virtual LANs by Linux router-firewall

Scaling Up Your Network Monitoring: From the Garden Hose to the Fire Hose

CS Computer and Network Security: Firewalls

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

Firewall. Vyatta System. REFERENCE GUIDE IPv4 Firewall IPv6 Firewall Zone Based Firewall VYATTA, INC.

Main functions of Linux Netfilter

Module: Firewalls. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

2. Are explicit proxy connections also affected by the ARM config?

Firewalls. Pehr Söderman KTH-CSC

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

Definition of firewall

Matthew Rossmiller 11/25/03

INTRODUCTION TO FIREWALL SECURITY

How To Understand A Firewall

CIS 433/533 - Computer and Network Security Firewalls

CSC574 - Computer and Network Security Module: Firewalls

CSE543 - Computer and Network Security Module: Firewalls

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

IPv6/IPv4 Automatic Dual Authentication Technique for Campus Network

Formación en Tecnologías Avanzadas

ZEN LOAD BALANCER EE v3.02 DATASHEET The Load Balancing made easy

Telematics. 14th Tutorial - Proxies, Firewalls, P2P

DDoS protection. Using Netfilter/iptables. Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat Network-Services-Team DevConf.

ELEN 689: Topics in Network Security: Firewalls. Ellen Mitchell Computing and Information Services 20 April 2006

Bypassing firewalls Another hole in the wall ;-) Présentation pour «La nuit du hack» le 13 Juin 2009

UNIVERSITY OF BOLTON CREATIVE TECHNOLOGIES COMPUTING AND NETWORK SECURITY SEMESTER TWO EXAMINATIONS 2014/2015 NETWORK SECURITY MODULE NO: CPU6004

How to replicate the fire: HA for netfilter based firewalls

Introduction to Firewalls Open Source Security Tools for Information Technology Professionals

Chapter 7. Firewalls

TCP Session Load-balancing in Active-Active HA Cluster

Next Generation Network Firewall

OpenFlow - the key standard of Software-Defined Networks. Dmitry Orekhov, Epam Systems

Configuring Static and Dynamic NAT Translation

Load Balancing McAfee Web Gateway. Deployment Guide

FIREWALLS & CBAC. philip.heimer@hh.se

CERN Cloud Infrastructure. Cloud Networking

ClusterLoad ESX Virtual Appliance quick start guide v6.3

+ iptables. packet filtering && firewall

OpenStack: OVS Deep Dive

Netfilter. GNU/Linux Kernel version 2.4+ Setting up firewall to allow NIS and NFS traffic. January 2008

Firewalld, netfilter and nftables

Understanding Slow Start

Linux Networking: IP Packet Filter Firewalling

Implementation of Business Linux Routers

Linux Virtual Server Tutorial

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

IPv6 Security from point of view firewalls

Transcription:

Stateful Connection Tracking & Stateful NAT Justin Pettit VMware Thomas Graf Noiro Networks, Cisco

Agenda Connection Tracking NAT Integration of other stateful services

We had a performance problem With some traffic patterns, performance of OVS could be quite bad Last week, we added a post to Network Heresy describing the changes we made to improve performance and the results Focus of past two years was on performance. Now that we feel good about the performance, we're back to looking at features Any addition to OVS must consider its implication on performance

Implementing a Firewall OVS has traditionally only supported stateless matches As an example, currently, two ways to implement a firewall in OVS Match on TCP flags (Enforce policy on SYN, allow ACK RST) Pro: Fast Con: Allows non-established flow through with ACK or RST set, only TCP Use learn action to setup new flow in reverse direction Pro: More correct Con: Forces every new flow to OVS userspace, reducing flow setup by orders of magnitude Neither approach supports related flows or TCP window enforcement

Connection Tracking We are adding the ability to use the conntrack module from Linux Stateful tracking of flows Supports ALGs to punch holes for related data channels FTP, TFTP, SIP Implement a distributed firewall with enforcement at the edge Better performance Better visibility Introduce new OpenFlow extensions: Action to send to conntrack Match fields on state of connection

Netfilter Conntrack Integration Userspace Netlink API 1 4 Recirculation

Conntrack Example Conntrack example that only allows port 2 to respond to TCP traffic initiated from port 1: Match in_port(1),tcp,conn_state=-tracked in_port(2),tcp,conn_state=-tracked in_port(2),tcp,conn_state=+established in_port(2),tcp,conn_state=+new Action conntrack(zone=10),normal conntrack(zone=10,flags=recirc) output:1 drop

Connection Tracking Zones

Flow Caching Works 3 2.5 2 1.5 1 0.5 Pure Forwarding 1 FW Rule 100 FW Rules 1000 FW Rules Preliminary results are quite promising OVS+conntrack uses a nearly consistent rate regardless of number of rules Bridge+iptables uses more CPU as rule count increases 0 Open vswitch Bridge Number of gigacycles per second required to saturate a 10Gbps link with netperf TCP_STREAM. (Lower is better)

Design Goals Performance implications must be thought through Thought needs to be put into API, since OVS and OpenFlow have traditionally been flow-based and stateless While this will only be supported on Linux initially, the API shouldn t be Linux-specific New stateful features being discussed and leveraging kernel: NAT Load-balancing through IPVS DPI

Release Plan Will ship with OVS 2.4 Will include: connmark IP fragment reassembly Hide break in pipeline from userspace Available to try now: https://github.com/justinpettit/ovs/tree/conntrack

Stateful NAT Overview SNAT and DNAT Based on connection tracking work Leverages stateful NAT mechanism of Netfilter Able to do port range and address range mappings to masquerade multiple IPs Mapping Modes Persistent (across reboots) Hash based Fully random

Stateful NAT Flow

NAT Example SNAT all TCP packets on port 1 to the IP range 10.0.0.1/24 with reverse SNAT on port 2: Match in_port(1),tcp in_port(2),tcp,conn_state=-tracked in_port(2),tcp,conn_state=+established in_port(2),tcp,conn_state=+new Action conntrack(zone=10), nat(type=src, min=10.0.0.1, max=10.0.0.255, type=hash) conntrack(zone=10,flags=recirc) nat(reverse) drop

Stateful services integration: NFQUEUE action

NFQUEUE action Can reuse existing Netfilter queueing mechanism and libnfnetlink + libctnetlink Operational Modes: 1. Steal/Drop Async verdict via CT template 2. Reinjection Sync verdict via NFQA_MARK Needed netfilter modifications: Reinjection routine for NFPROTO_BRIDGE back into netif_rx() OVS modifications New nfqueue action

Q&A More Information: http://openvswitch.org/ Code: Conntrack (WIP): https://github.com/justinpettit/ovs/tree/conntrack Stateful NAT (WIP): https://github.com/tgraf/ovs/tree/nat

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information