Packet Filters: Proposed Solutions and Current Trends, Lecture notes of Network Technologies and TCP/IP

These lecture notes cover packet filters, their importance, and the solutions proposed over time: the CMU/Stanford Packet Filter, the BSD Packet Filter, the Mach Packet Filter, Dynamic Packet Filters, the BSD Packet Filter+, and the xPacket Filter. They also explain the motivation behind user-level protocol implementations and kernel-level packet demultiplexing. The notes are authored by Vasileios P. Kemerlis of the Network Security Lab at Columbia University.

Typology: Lecture notes

2019/2020

Uploaded on 05/11/2023

Packet Filters
Proposed solutions and current trends

Vasileios P. Kemerlis
Network Security Lab
Computer Science Department
Columbia University
New York, NY
04/14/2010
vpk@cs.columbia.edu

Columbia University - COMS W6998
Outline

1 Introduction
  Overview
  Why bother?

2 Packet Filters
  CMU/Stanford Packet Filter (CSPF)
  The BSD Packet Filter (BPF)
  The Mach Packet Filter (MPF)
  Dynamic Packet Filters (DPF)
  The BSD Packet Filter+ (BPF+)
  xPacket Filter (xPF)

Packet Filter

What is it anyway?

- Kernel-level mechanism (typically, but not always)
- Allows direct access to the packets (frames?) received from the network interface controller (NIC) – “tap” NICs
- Integral part of every modern operating system (OS)

CSPF

Status in the early 80’s

- Historically, the first user-level “packet filter” appeared on the Xerox Alto [1]
- Special-purpose process (demux) for deciding where each packet should go
- Multiple context switches and three system calls per received packet

[1] Butler W. Lampson and Robert F. Sproull. An open operating system for a single-user machine. In Proceedings of the 7th ACM Symposium on Operating Systems Principles (SOSP), pages 98–105, Pacific Grove, CA, USA, December 1979.

CSPF

Motivation

- User-space packet demultiplexing is expensive
- TCP/IP has yet to become the de-facto standard; experimental network protocols are flourishing
- User-level protocol implementations are necessary to allow experimentation without kernel hacking (tedious, error-prone, overwhelming) – no fancy kernel-level debugging facilities!

CSPF

Kernel-level packet demultiplexing

- Kernel facility that offers packet demultiplexing services to user-level network implementations
- Avoids the “dashed” part illustrated in Figure 1
- Flexible, protocol-independent mechanism for “selecting” packets

    struct enfilter f = {
        10, 12,                        /* priority and length */
        PUSHWORD+1, PUSHLIT | EQ, 2,   /* packet type == PUP */
        PUSHWORD+3, PUSH00FF | AND,    /* mask low byte */
        PUSHZERO | GT,                 /* PupType > 0 */
        PUSHWORD+3, PUSH00FF | AND,    /* mask low byte */
        PUSHLIT | LE, 100,             /* PupType <= 100 */
        AND,                           /* 0 < PupType <= 100 */
        AND                            /* && packet type == PUP */
    };

Figure: Example of a filter program for the Pup protocol
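To show how such a stack-based filter is evaluated, here is a small interpreter for the program in the figure, run over a constructed Pup packet. This is an added example, not code from the slides or from the CSPF implementation; the instruction encoding, the opcode values and the packet contents are assumptions made for this example, and only the filter program itself follows the figure.

```c
#include <stdint.h>
#include <stddef.h>
/* Instruction encoding assumed for this example (not the real CSPF word layout):
 * bits 12-15 = stack op, bits 8-11 = binary op, bits 0-7 = operand (packet word index). */
enum { PUSHWORD = 0x1000, PUSHLIT = 0x2000, PUSHZERO = 0x3000, PUSH00FF = 0x4000 };
enum { EQ = 0x100, LE = 0x200, GT = 0x300, AND = 0x400 };
/* The Pup filter from the figure: accept packets of type PUP with 0 < PupType <= 100. */
static const uint16_t pup_filter[] = {
    PUSHWORD+1, PUSHLIT | EQ, 2,   /* packet type == PUP */
    PUSHWORD+3, PUSH00FF | AND,    /* mask low byte */
    PUSHZERO | GT,                 /* PupType > 0 */
    PUSHWORD+3, PUSH00FF | AND,    /* mask low byte */
    PUSHLIT | LE, 100,             /* PupType <= 100 */
    AND,                           /* 0 < PupType <= 100 */
    AND                            /* && packet type == PUP */
};
/* Run a stack-machine filter over a packet of 16-bit words: each instruction may push one value
 * and then apply a binary op to the top two. Returns 1 to accept the packet, 0 to reject it; a
 * word reference past the end of the packet, a stack fault or an unknown op also rejects. */
int cspf_run(const uint16_t *prog, size_t len, const uint16_t *pkt, size_t npkt)
{
    uint16_t stack[16]; size_t sp = 0;
    for (size_t pc = 0; pc < len; pc++) {
        uint16_t ins = prog[pc], sop = ins & 0xF000, bop = ins & 0x0F00, arg = ins & 0x00FF, v = 0;
        if (sop == PUSHWORD) { if (arg >= npkt) return 0; v = pkt[arg]; }   /* bounds-checked load */
        else if (sop == PUSHLIT) { if (++pc >= len) return 0; v = prog[pc]; } /* literal follows */
        else if (sop == PUSHZERO) v = 0;
        else if (sop == PUSH00FF) v = 0x00FF;
        else if (sop) return 0;
        if (sop) { if (sp >= 16) return 0; stack[sp++] = v; }
        if (bop) {
            if (sp < 2) return 0;
            uint16_t b = stack[--sp], a = stack[--sp];
            switch (bop) {
            case EQ:  stack[sp++] = (a == b); break;
            case LE:  stack[sp++] = (a <= b); break;
            case GT:  stack[sp++] = (a >  b); break;
            case AND: stack[sp++] = (a &  b); break;
            default:  return 0;
            }
        }
    }
    return sp > 0 && stack[sp - 1] != 0;   /* non-zero top of stack => accept */
}
/* Constructed 12-word packet: word 1 is EtherType (2 = PUP), word 3 is HopCount:PupType. */
int pup_accepted(uint16_t ethertype, uint8_t puptype)
{
    uint16_t pkt[12] = { 0x0102, ethertype, 40, (uint16_t)((3 << 8) | puptype) };
    return cspf_run(pup_filter, sizeof pup_filter / sizeof pup_filter[0], pkt, 12);
}
```

Note that the kernel-side interpreter, not the user, is responsible for rejecting a filter that reads beyond the packet; here such a reference simply drops the packet.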

CSPF

User-level packet demultiplexing

Figure: The Pup protocol header (inside an Ethernet frame). The header spans 12 words of 16 bits each: the Ethernet header (EtherDst, EtherSrc, EtherType), followed by PupLength, HopCount and PupType, PupIdentifier, DstNet and DstHost, DstSocket, SrcNet and SrcHost, SrcSocket, and then the Data.

BPF

State of affairs in the early 90’s

- 4.3BSD UNIX brought a new TCP/IP implementation
- Quickly became the authoritative reference, inherited by many other free/commercial Unixes
- User-level protocol implementation declined
- Packet filtering facilities were mostly utilized for monitoring purposes

BPF

Motivation

- CSPF was designed around the ISA of old DEC machines
- Worked well on a 64K PDP-11, but performed sub-optimally on RISC-based architectures

Why?

- The stack-based VM requires multiple memory references for the execution of a single filter
- Memory references result in hundreds of wasted CPU cycles (divergence between CPU clock speed and memory speed)

BPF

Design & architecture

- BPF uses a new register-based VM and a redefined language
- Maintains the flexibility and generality of CSPF
- Performs better on modern RISC machines
- Two main components:
  1 the network tap
  2 packet filter