A Full Bandwidth ATM Firewall
Olivier Paul, Maryline Laurent, Sylvain Gombault
ENST de Bretagne
in collaboration with
France Telecom R&D
Introduction
ATM (Asynchronous Transfer Mode):
– Specified to transport various kinds of flows.
– Allows applications to request Quality of Service.
– Connection oriented.
– Data transported through small packets (cells).
– High speed (155 Mb/s to 2.4 Gb/s).
– Usage:
  Directly: some native ATM applications (ANS, VoD).
  Indirectly: IP over ATM (IPOA, LANE, MPOA, MPLS): most common use.
Which problems?
(Diagram: a Firewall placed between the Public Network and the Private Network.)
– Protect the private network from the outside.
– Control actions of private network users.
– Protect the public network from customers.
Which problems?
(Diagram: classical firewall between Inside and Outside, with the ATM, IP and TCP/UDP layers, a packet filter and an application proxy. The access control process is made of a reassembly buffer, classification, a buffer and fragmentation.)
– The classification process usually requires a lot of power.
– The classification process is not aware of QoS requirements.
– The whole architecture has to be able to deal with high throughputs.
CARAT - Goals
Security level similar to a stateless packet filter.
Improving access control on ATM signalling.
High speed.
– Worst case throughput = 620 Mb/s.
QoS preservation.
– Delay has to be small and bounded.
Architecture
Located between public and private networks.
Made of three modules:
– Manager.
– Signalling Filter.
– Cell-Level Filter.
Integrates to an existing switch:
– Signalling flows are directed to the signalling filter.
– User flows are directed to the cell-level filter.
(Diagram: a SUN station running the Signalling Filter and the Manager, a Solaris PC running the IFT driver and demon with the IFT cards, and the ATM switch with its controller, between the Internal Network and the External Network.)
Access Control Policy Description
Example: authorize the workstation with the 192.165.203.5 address to use external WWW servers:
1 : IF (IP SRC ADDRESS = 192.165.203.5) AND (IP DST ADDRESS > 0.0.0.0) AND (TCP SRC PORT > 1023) AND (TCP DST PORT = 80) THEN PERMIT.
2 : IF (IP SRC ADDRESS > 0.0.0.0) AND (IP DST ADDRESS = 192.165.203.5) AND (TCP SRC PORT = 80) AND (TCP DST PORT > 1023) AND (TCP FLAG = SYN) THEN DENY.
3 : IF (IP SRC ADDRESS > 0.0.0.0) AND (IP DST ADDRESS = 192.165.203.5) AND (TCP SRC PORT = 80) AND (TCP DST PORT > 1023) THEN PERMIT.
(Diagram: the ATM level access control policy and the TCP/IP level access control policy.)
Splitting the Access Control Policy
(Diagram: the Security Officer defines the policy at the Manager; the Signalling Filter holds the Sig. A.C. Policy and the Cell-Level Filter holds the TCP/IP static policy.)
The Signalling Filter
GOAL: improve signalling access control parameters.
– Addressing information.
– QoS descriptors.
– Service descriptors.
Based on a SUN ATM signalling protocol stack.
Modifications on the protocol stack:
– Filter (UNI 3.1 IEs filtering capability).
(Diagram: SUN workstation with ATM Interface 0 and ATM Interface 1; in kernel space the SSCOP module, the Q93B module and the Filter; in user space the signalling messages parsing module and the signalling messages construction module.)
Cell-level filter
IFT (Internet Fast Translator) NICs:
– Designed and manufactured by France Telecom R&D.
– Mono-directional.
– Made of two parts: an OC 12 (620 Mb/s) physical connector and a filtering process.
– On-the-fly configuration modification.
IFT driver.
RPC demon.
(Diagram: Solaris PC running the IFT driver and the RPC demon, with two IFT cards, each made of an OC 12 physical connector and a filtering process.)
Filtering Process
Cells extraction process:
– Extracts the 1st cell of the AAL5 frames.
– Propagates the A.C. decision to the relevant ATM cells.
(Diagram: the filtering process is made of the interface to the IFT driver, the trie memory with its static part and dynamic part, the analysis automaton and the 1st cell extraction process, which passes the 1st cell to the automaton.)
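A software model of the 1st cell extraction step described above, added here as an illustration (it is not the IFT hardware or the authors' code). Only the first cell of each AAL5 frame on a VC is classified; the decision is then propagated to the frame's remaining cells, identified by the same VPI/VCI, until the cell carrying the AAL5 end-of-frame indication. The cell layout, the classify callback and the sample cells are constructed for this model.

```python
# Added example (software model, not the IFT hardware): classify the 1st cell of each AAL5 frame
# on a VC and propagate its permit/deny decision to the following cells of the same frame.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class Cell:
    vpi: int
    vci: int
    last: bool        # AAL5 end-of-frame indication (the SDU-type bit of the cell's PTI field)
    payload: bytes    # 48-byte cell payload

class FirstCellFilter:
    def __init__(self, classify: Callable[[int, int, bytes], bool]):
        self.classify = classify                        # (vpi, vci, 1st-cell payload) -> permit?
        self.pending: Dict[Tuple[int, int], bool] = {}  # VCs with a frame in progress -> decision

    def filter(self, cells: List[Cell]) -> List[Tuple[Cell, bool]]:
        out = []
        for c in cells:
            vc = (c.vpi, c.vci)
            if vc not in self.pending:                  # 1st cell of a new AAL5 frame on this VC
                self.pending[vc] = self.classify(c.vpi, c.vci, c.payload)
            decision = self.pending[vc]                 # the A.C. decision follows the whole frame
            out.append((c, decision))
            if c.last:                                  # frame complete: next cell is a new 1st cell
                del self.pending[vc]
        return out

def tcp_dst_port(payload: bytes) -> int:
    """LLC/SNAP (8 bytes) + IPv4 header without options (20 bytes): TCP dst port at offset 30."""
    return int.from_bytes(payload[30:32], "big")

def make_first_payload(dport: int) -> bytes:
    """Constructed 48-byte 1st-cell payload: LLC/SNAP, minimal IPv4 header, TCP header."""
    snap = bytes.fromhex("aaaa03000000" "0800")         # LLC/SNAP header, EtherType IPv4
    ipv4 = bytes([0x45, 0]) + bytes(18)                 # version 4, IHL 5, other fields zeroed
    tcp = bytes(2) + dport.to_bytes(2, "big") + bytes(16)
    return snap + ipv4 + tcp

def run_demo() -> List[bool]:
    """Two interleaved frames (VC 0/32 to port 80, VC 0/33 to port 23), then a 1-cell frame."""
    f = FirstCellFilter(lambda vpi, vci, p: tcp_dst_port(p) == 80)   # permit WWW only
    cells = [Cell(0, 32, False, make_first_payload(80)), Cell(0, 33, False, make_first_payload(23)),
             Cell(0, 32, True, bytes(48)), Cell(0, 33, True, bytes(48)),
             Cell(0, 33, True, make_first_payload(80))]
    return [decision for _, decision in f.filter(cells)]
```

Note that the continuation cells carry no header at all: the decision for them comes only from the per-VC state set by the frame's first cell.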
What's inside the 1st cell?
(Diagram: the successive encapsulations carried by the 53-byte 1st ATM cell: ATM header, AAL5, SNAP/LLC, IP header and TCP/UDP/ICMP header; the case of an IP header with options or IPv6 is also shown.)
Protocols used over ATM
(Diagram: TCP/UDP/ICMP over IP, carried over SNAP/LLC or NULL encapsulation, LANE or MPOA, over AAL5 and ATM; native ATM applications and services directly over ATM.)
Where can we find the useful ?
Linking ATM Connections to TCP/IP Access Control Policy
Connection establishment:
(Diagram: the Security Officer, the Manager holding the A.C. Policy, the Signalling Filter with the Sig. A.C. Policy and the Cell-Level Filter with the TCP/IP static policy; the Signalling Filter reports "New connection (encaps, vpi, vci)" to the Manager, which sends the "Dynamic Part of the A.C. Policy (encaps, vpi, vci)" to the Cell-Level Filter.)
Connection shutdown:
(Diagram: the Signalling Filter reports "Connection shutdown (vpi, vci)" to the Manager, which sends "Clearing (vpi, vci)" to the Cell-Level Filter.)
Filtering Process
(Diagram: the 1st cell extraction process hands the 1st cell to the analysis automaton, which returns the A.C. decision; the trie memory has a static part and a dynamic part; interface to the IFT driver.)
Analysis automaton:
– Driven by the trie memory content.
Trie memory: 2 parts:
– Dynamic, small: VPI/VCI, encaps.
– Static, big: all other fields.
– Memory size: 4 Mbytes.
Classification Algorithm
Classification algorithm = content of the trie memory.
Existing deterministic classification algorithms:
Algorithms for static policies:
– Fast.
– Take advantage of access control policy redundancies.
– Unbounded temporal & spatial complexities.
– Generation & update of the classification structure are slow.
Algorithms for dynamic policies:
– Comparatively slow.
– Bounded temporal & spatial complexities.
– Bounded complexities for generation & update of the classification structure.
Trie Memory Configuration
Static part:
– Complexities of the classification algorithm <=> height and size of the classification structure stored in trie memory.
We have developed algorithms that are able to build a classification structure with:
– Temporal complexity: O(d). Good, independent from the number of rules.
– Max. spatial complexity: O((2n+1)^d). Unusable for d = 4 and n = 50.
– d: number of fields to analyse, n: number of rules in the policy.
HOWEVER!
In practice we succeed in implementing large policies by taking advantage of:
– The redundancy in the expression of A.C. policies.
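The complexity figures above, and the three-rule policy from the Access Control Policy Description slide, worked through in a software model added here (it is not the authors' algorithm or the IFT trie memory format). Each field's range is cut at the rule boundaries into at most 2n+1 elementary intervals, so a lookup descends one level per field, O(d), while an unshared structure would have O((2n+1)^d) nodes; identical subtrees are shared, which is where the policy redundancy pays off. The integer encoding of addresses and of the SYN flag as a 0/1 field is an assumption of this model.

```python
# Added example (model only, not the paper's trie memory format): d-level decision trie.
from bisect import bisect_right
from typing import Dict, List, Tuple
Rule = Tuple[List[Tuple[int, int]], bool]   # ([(lo, hi) per field], permit?)

def cut_points(rules: List[Rule], d: int) -> List[List[int]]:
    """Per field: sorted starts of the elementary intervals (lo and hi+1 of each rule): <= 2n+1."""
    pts = [{0} for _ in range(d)]
    for ranges, _ in rules:
        for i, (lo, hi) in enumerate(ranges):
            pts[i].update((lo, hi + 1))
    return [sorted(p) for p in pts]

class Trie:
    def __init__(self, rules: List[Rule], d: int, default: bool = False):
        self.points = cut_points(rules, d)
        self.ids: Dict[tuple, int] = {}          # hash-consing: identical subtree -> one node id
        self.children: List[List[int]] = []      # node id -> child id per interval ([] for leaves)
        self.leaf: Dict[int, bool] = {}          # leaf id -> permit?
        self.root = self._build(rules, 0, default)

    def _build(self, rules: List[Rule], level: int, default: bool) -> int:
        if level == len(self.points):            # leaf: first matching rule wins, else default
            key = ("leaf", rules[0][1] if rules else default)
        else:                                    # a rule covers an interval iff it covers its start
            kids = tuple(self._build([r for r in rules if r[0][level][0] <= s <= r[0][level][1]],
                                     level + 1, default) for s in self.points[level])
            key = ("node", kids)
        if key not in self.ids:                  # redundancy: reuse an identical subtree
            self.ids[key] = len(self.children)
            self.children.append(list(key[1]) if key[0] == "node" else [])
            if key[0] == "leaf":
                self.leaf[self.ids[key]] = key[1]
        return self.ids[key]

    def classify(self, values: List[int]) -> bool:
        node = self.root
        for lvl, v in enumerate(values):         # one table lookup per field: O(d)
            node = self.children[node][bisect_right(self.points[lvl], v) - 1]
        return self.leaf[node]

def ip(a: str) -> int:
    return int.from_bytes(bytes(map(int, a.split("."))), "big")

WS = (ip("192.165.203.5"),) * 2                  # the page's workstation, as a one-address range
ANY, HIGH, WWW = (1, 2**32 - 1), (1024, 65535), (80, 80)
RULES: List[Rule] = [                            # fields: src, dst, sport, dport, SYN-only flag
    ([WS, ANY, HIGH, WWW, (0, 1)], True),        # rule 1: PERMIT outbound to WWW servers
    ([ANY, WS, WWW, HIGH, (1, 1)], False),       # rule 2: DENY inbound SYN from port 80
    ([ANY, WS, WWW, HIGH, (0, 1)], True),        # rule 3: PERMIT other inbound from port 80
]
POLICY = Trie(RULES, d=5)
```

With these five fields the unshared structure would need 5 x 5 x 5 x 5 x 3 leaves, while `len(POLICY.children)` shows how few nodes the shared trie actually occupies.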
Trie Memory Configuration
Practical examples, analysis of 9 fields, using a 15 ns analysis cycle.
Type of policy    Number of rules   Classification capabilities   Memory required
[Che94], [Cha95]  40                1.31 Mc/s                     17 Kbytes
                  750               1.31 Mc/s                     1.2 Mbytes
French ISP        7900              1.31 Mc/s                     3.4 Mbytes
Standing the load?
Min. classification capability: 1.31 Mc/s (min. classification capacity) * 53 bytes (cell size) * 8 = 555 Mb/s
Max. throughput to classify: 620 Mb/s (OC 12 physical throughput) * 26/27 (physical layer overhead) = 599 Mb/s
555 Mb/s < 599 Mb/s
Buffering (8192 bytes).
Conclusion
Security:
– Similar to a stateless packet filter.
Good performance:
– High speed (577 Mb/s) and small delay (< 120 µs).
– Throughput and delay don't depend on policy and packet sizes.
Improved ATM signalling access control:
– Almost all the information provided by signalling IEs can be used.
Easy to manage:
– Single access control policy definition language.
However some problems remain to be solved:
Future
Possible evolutions for our prototype:
– Tests in real networks.
– Translators for popular router filtering languages.
– Classification algorithm improvements.
Possible evolutions for the IFTs:
– IP version (without ATM support).
– New physical connector (1 Gb/s).
– In-depth analysis (255 bytes).
– New tools to improve classification algorithms.
QUESTION: Can we still take advantage of rule redundancy with application level policies?