• Tidak ada hasil yang ditemukan

Design and Performance of the OpenBSD Stateful Packet Filter (pf) pdf pdf

N/A
N/A
Info
Unduh - Bebas
Protected

Academic year: 2019

Membagikan "Design and Performance of the OpenBSD Stateful Packet Filter (pf) pdf pdf"

Copied!
33
0
0

Memuat.... (Lihat teks lengkap sekarang)

Unduh sekarang ( 33 Halaman )

Teks penuh

(1)

Design and Performance of the

OpenBSD Stateful Packet Filter (pf)

Daniel Hartmeier

dhartmei@openbsd.org

(2)

Introduction

part of a firewall, working on IP packet level (vs. application level proxies or ethernet level bridges) packet filter intercepting each IP packet that passes through the kernel (in and out on each interface), passing or blocking it

stateless inspection based on the fields of each packet

stateful filtering keeping track of connections, additional information makes filtering more

powerful (sequence number checks) and easier (replies, random client ports)

(3)

Motivation

OpenBSD included IPFilter in the default install

what appeared to be a BSD license turned out to be non-free

unlike other license problems discovered by the

ongoing license audit, this case couldn’t be resolved, IPFilter removed from the tree

existing alternatives were considered (ipfw), larger code base, kernel dependencies

(4)

Overview

Introduction Motivation

Filter rules, skip steps

State table, trees, lookups, translations (NAT, redirections)

Benchmarks Conclusions

(5)

Filter rules

linear linked list, evaluated top to bottom for each packet (unlike netfilter’s chains tree)

rules contain parameters that match/mismatch a packet

rules pass or block a packet

last matching rule wins (except for ’quick’, which aborts rule evaluation)

(6)

Skip steps

transparent optimization of rule set evaluation,

improve performance without affecting semantics

example: ten consecutive rules apply only to packets from source address X, packet has source address Y, first rule evaluated, next nine skipped

skipping is done on most parameters, in pre-defined order

parameters like direction (in, out), interface or

address family (IPv4/IPv6) partition the rule set a lot, performance increase is significant

worst case: consecutive rules have no equal parameters, every rule must be evaluated, no

(7)

State table

TCP (sequence number checks on each packet), ICMP error messages match referred to packet (simplifies rules without breaking PMTU etc.) UDP, ICMP queries/replies, other protocols, pseudo-connections with timeouts

adjustable timeouts, pseudo-connections for non-TCP protocols

binary search tree (AVL, now Red-Black), O(log n) even in worst-case

(8)

Translations (NAT, redirections)

translating source addresses: NAT/PAT to one address using proxy ports

translating destination: redirections (based on addresses/ports)

mapping stored in state table

application level proxies (ftp) in userland

(9)

State table keys

one state entry per connection, stored in two trees example: 10.1.1.1:20000 -> 62.65.145.30:50001 -> 129.128.5.191:80

outgoing packets: 10.1.1.1:20000 ->

129.128.5.191:80, replace source address/port with gateway

incoming packets: 129.128.5.191:80 -> 62.65.145.30:50001, replace destination address/port with local host

three address/port pairs of one connection: lan, gwy, ext

(10)

State table keys

two trees: tree-lan-ext (outgoing) and tree-ext-gwy (incoming), contain the same state pointers

no addition translation map (and lookup) needed

(11)

Normalization

IP normalization (scrubbing) to remove

interpretation ambiguities, like overlapping fragments (confusing IDSs)

reassembly (caching) of fragments before filtering, only complete packets are filtered

(12)

Logging

through bpf, virtual network interface pflog0

link layer header used for pf related information (rule, action)

binary log files, readable with tcpdump and other tools

(13)

Benchmarks: Setup

two (old) i386 machines with two network interface cards each, connected with two crosswire Cat5

cables, 10 mbit/s unidirectional

tester: generate TCP packets on ethernet level

through first NIC, capture incoming ethernet frames on second NIC

firewall: OpenBSD and GNU/Linux (equal

hardware), IP forwarding enabled, packet filter

(14)

Benchmarks: Packet generation

TCP packets of variable size, random source/destination addresses and ports

embedded timestamp to calculate latency,

incremental serial number to detect packet loss send packets of specified size at specified rate for several seconds, print throughput, latency and loss verify that setup can handle maximum link rate

correctly

(15)

Local, reaching link limit

receiving rate (packets/s)

sending rate (packets/s)

(16)

Local, reaching link limit

receiving rate (packets/s)

sending rate (packets/s)

812

812 1518 bytes/packet

(17)

Local, varying packet sizes

0 200000 400000 600000 800000 1e+06 1.2e+06 1.4e+06

0 2000 4000 6000 8000 10000 12000 14000 16000

throughput (bytes/s)

sending rate (packets/s) 812

(18)

Local, varying packet sizes

0 2000 4000 6000 8000 10000 12000 14000 16000

throughput (bytes/s)

sending rate (packets/s) 961

1280 bytes

(19)

Local, varying packet sizes

0 200000 400000 600000 800000 1e+06 1.2e+06 1.4e+06

0 2000 4000 6000 8000 10000 12000 14000 16000

throughput (bytes/s)

sending rate (packets/s) 1197

(20)

Local, varying packet sizes

0 2000 4000 6000 8000 10000 12000 14000 16000

throughput (bytes/s)

sending rate (packets/s) 1586

768 bytes

(21)

Local, varying packet sizes

0 200000 400000 600000 800000 1e+06 1.2e+06 1.4e+06

0 2000 4000 6000 8000 10000 12000 14000 16000

throughput (bytes/s)

sending rate (packets/s) 2349

(22)

Local, varying packet sizes

0 2000 4000 6000 8000 10000 12000 14000 16000

throughput (bytes/s)

sending rate (packets/s) 4528

256 bytes

(23)

Local, varying packet sizes

0 200000 400000 600000 800000 1e+06 1.2e+06 1.4e+06

0 2000 4000 6000 8000 10000 12000 14000 16000

throughput (bytes/s)

sending rate (packets/s) 8445

(24)

Local, varying packet sizes

0 2000 4000 6000 8000 10000 12000 14000 16000

throughput (bytes/s)

sending rate (packets/s)

14880 64 bytes

(25)

Local, varying packet sizes

0 2000 4000 6000 8000 10000 12000 14000 16000

throughput (bytes/s)

sending rate (packets/s)

(26)

Stateless, 100 rules, throughput

0 1000 2000 3000 4000 5000

throughput (packets/s)

sending rate (packets/s)

iptables

(27)

Stateless, 100 rules, throughput

0 1000 2000 3000 4000 5000

throughput (packets/s)

sending rate (packets/s)

(28)

Stateless, 100 rules, throughput

0 1000 2000 3000 4000 5000

throughput (packets/s)

sending rate (packets/s)

iptables ipf pf

(29)

Maximum throughput vs. rules

maximum throughput (packets/s)

number of rules

(30)

Maximum throughput vs. states

0 5000 10000 15000 20000

maximum throughput (packets/s)

number of states

ipf pf

(31)

Conclusions

rule set evaluation is expensive. State lookups are cheap

filtering statefully not only improves filter decision quality, it actually increases performance

memory cost: 64000 states with 64MB RAM (without tuning), increasing linearly

(32)

Production results

Duron 700MHz, 128MB RAM, 3x DEC 21143 NICs

25000-40000 concurrent states average of 5000 packets/s

fully stateful filtering (no stateless passing) CPU load doesn’t exceed 10 percent

(same box and filter policy with IPFilter was 90 percent load average)

(33)

Questions?

Referensi

Unduh sekarang ( PDF - 33 Halaman - 255.46 KB )

Dokumen terkait

S PSIPS 1205732 Bibliography

PERANAN PROGRAM ADIWIYATA DALAM MENINGKATKAN ECOLITERACY SISWA DI SMP NEGERI 48 BANDUNG Universitas Pendidikan Indonesia | repository.upi.edu | perpustakaan.upi.edu..

v15 no3 d 25 ludi 118 121

Furthermore, transgenic aquatic animals may have better growth, better metabolism, tolerance from extreme temperature, and disease resistance than the original organism..

Kemitraan Bidan dan Dukun Bayi

a) Belum ada pembagian tugas yang jelas dan kongkrit tentang kemitraan antara BDD dengan Dukun Bayi. Tetapi yang berlangsung selama ini adalah memberi bimbingan dalam

The conceptual model of the socket API

Construct a datagram packet for sending packets of length length to the socket bound to the specified port number on the specified host ; data received will be stored in the

Fungsi dan Pendekatan dan pembahasan

Bimbingan dan Konseling, pada intinya merupakan bagian daari komponen yang ada dalam sistem pendidikan di sekolah yang sangat mempunyai peranan penting

Peningkatan Produktivitas Kacang Tanah Melalui Penerapan Komponen Teknologi Kunci

Di lahan kering Tuban, perbaikan teknologi dengan pengolahan tanah lebih dalam (20 cm), pembuatan bedengan selebar 2 m, jarak tanam 40 cm x 10 cm, pemupukan 50 kg urea+75 kg TSP+50

RANCANG BANGUN SISTEM INFORMASI KATALOG BERBASIS ANDROID DI PERPUSTAKAAN UMUM DAERAH SURABAYA SKRIPSI

“RANCANG BANGUN SISTEM INFORMASI KATALOG BERBASIS ANDROID DI PERPUSTAKAAN UMUM DAERAH SURABAYA”.. Laporan Tugas Akhir (SKRIPSI) disusun sebagai syarat

BAB V PEMBAHASAN - 12.40.0033 Anna Triprasidhani Juniasri BAB V

mengerjakan tugas rumah tangga dengan baik karena tidak fokus saat. mengerjakan

Image