Detecting and Resolving Packet Filter Conflicts


Page 1: Detecting and Resolving Packet Filter Conflicts

Presented by Yaron Gvili

Advanced Topics in IP Networks

Adiseshu Hari, Bell Laboratories

Subhash Suri and Guru Parulkar, Washington University

Page 2: Outline

• Packet filtering concepts

• The filter conflict problem

• General algorithms for filter conflict detection and resolution

• Optimizations for specific cases

• Results and conclusions

Page 3: Packet Filtering Concepts

• Classification of packets based on their header fields

• Actions taken according to packet class

– Forwarding, QoS, VPN, Firewall

• Rules applied to millions of packets per second

Page 4: Packet Filters

• Are sets of packets

• Are defined in terms of header fields

– Source IP prefix, destination IP prefix

– Protocol type set

– Source port range, destination port range

• Compose the router state

Page 5: Example: Simple Router State

Src IP        Dst IP        Protocol   Src ports   Dst ports   Action
*             136.44.*      *          *           *           Forward to outlet #2
202.13.10.*   66.*          TCP        *           0-1023      Reject
*             250.22.1.3    UDP        *           3000        Serve at 10Mbps

Page 6: Outline

• Packet filtering concepts

• The filter conflict problem

• General algorithms for filter conflict detection and resolution

• Optimizations for specific cases

• Results and conclusions

Page 7: Problem: Filter Conflicts

• A packet may match overlapping filters with different actions

– Traffic loss, poor bandwidth utilization, security holes

• A packet may match many filters, requiring a linear filter base scan or special hardware

– Performance, cost

Page 8: The Geometric Connection

• A 1-tuple corresponds to a segment in a line; a 2-tuple to a rectangle in a plane

[Figure: a 2-tuple filter drawn as a rectangle in the plane, with both axes running from 0 to 2^32]

Page 9: Solution: Implicit Conflict Resolution

• First matching filter (FMF)

• Best matching filter (BMF)

• Highest priority field matching filter (HPFMF)

Page 10: Example: Implicit Conflict Resolution

• Consider the following rule base and packets

Rule   Src IP         Dst IP     Action
A      155.50.*       *          Allow
B      155.50.60.*    *          Reject
C      *              136.44.*   Allow

Src IP         Dst IP           FMF          BMF               HPFMF (Src IP)
155.50.1.1     140.13.22.10     Allow by A   Allow by A        Allow by A
155.50.60.81   167.76.23.90     Allow by A   Reject by B       Reject by B
155.50.60.10   136.44.101.41    Allow by A   Conflict by B,C   Reject by B
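The three implicit schemes of the previous slide, run on this rule base and these packets, as an added example in Python (not code from the presentation or the paper). The rule base and packets are transcribed from the slide; the helper names (ip_matches, fmf, bmf, hpfmf, resolve_all) are this example's own. HPFMF uses the source IP as its priority field, as the last column of the table does, and breaks ties in rule base order; BMF reports a conflict when two matches are incomparable (each more specific than the other in a different field).

```python
# Added example (not part of the presentation): FMF, BMF and HPFMF evaluated on the
# slide-10 rule base. Prefixes use the slide's dotted notation, e.g. '155.50.*'.

RULES = [  # (name, source prefix, destination prefix, action), transcribed from the slide
    ("A", "155.50.*", "*", "Allow"),
    ("B", "155.50.60.*", "*", "Reject"),
    ("C", "*", "136.44.*", "Allow"),
]

def prefix_len(prefix):
    """Number of fixed octets in a dotted prefix; '*' fixes nothing."""
    return 0 if prefix == "*" else len(prefix.rstrip(".*").split("."))

def ip_matches(prefix, addr):
    """True when the dotted address starts with the fixed octets of the prefix."""
    n = prefix_len(prefix)
    return addr.split(".")[:n] == prefix.rstrip(".*").split(".")[:n]

def matching(rules, src, dst):
    return [r for r in rules if ip_matches(r[1], src) and ip_matches(r[2], dst)]

def fmf(rules, src, dst):
    """First matching filter: rule base order decides."""
    m = matching(rules, src, dst)
    return f"{m[0][3]} by {m[0][0]}" if m else "No match"

def dominates(h, g):
    """h is at least as specific as g in both fields and strictly more specific in one."""
    hs = (prefix_len(h[1]), prefix_len(h[2]))
    gs = (prefix_len(g[1]), prefix_len(g[2]))
    return hs[0] >= gs[0] and hs[1] >= gs[1] and hs != gs

def bmf(rules, src, dst):
    """Best matching filter: the most specific match; incomparable matches stay a conflict."""
    m = matching(rules, src, dst)
    best = [g for g in m if not any(dominates(h, g) for h in m)]
    if len(best) == 1:
        return f"{best[0][3]} by {best[0][0]}"
    return "Conflict by " + ",".join(r[0] for r in best) if best else "No match"

def hpfmf(rules, src, dst, field=1):
    """Highest priority field matching filter: the longest prefix in the priority
    field (source IP by default) wins; ties go to the first rule in the rule base."""
    m = matching(rules, src, dst)
    if not m:
        return "No match"
    best = max(m, key=lambda r: prefix_len(r[field]))   # max keeps the first of equal keys
    return f"{best[3]} by {best[0]}"

def resolve_all(rules, src, dst):
    """(FMF, BMF, HPFMF) verdicts for one packet, in the order of the slide's columns."""
    return (fmf(rules, src, dst), bmf(rules, src, dst), hpfmf(rules, src, dst))

if __name__ == "__main__":
    for src, dst in [("155.50.1.1", "140.13.22.10"),
                     ("155.50.60.81", "167.76.23.90"),
                     ("155.50.60.10", "136.44.101.41")]:
        print(src, dst, resolve_all(RULES, src, dst))
```

The third packet is the one that matters for the rest of the talk: B and C both match it, neither is more specific than the other, and BMF has no answer, which is exactly the situation the resolve filters later address.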

Page 11: Implicit Conflict Resolution Shortcomings

• FMF requires careful rule base ordering

• BMF may still leave conflicts

• HPFMF is not scalable for large rule bases

• Rule bases exist for which no filter prioritization scheme achieves the desired behavior

Page 12: Example: Unresolvable Conflicts

• Consider the following rule base and desired behavior for overlapping areas

Rule   Src IP        Dst IP        Protocol   Action
A      Z.secure1.*   Z.*           TCP        Allow
B      Z.secure2.*   Z.*           TCP        Allow
C      Z.*           Z.secure1.*   TCP        Reject
D      Z.*           Z.secure2.*   TCP        Reject

Behavior   Src IP        Dst IP        Protocol   Overlap   Action
E          Z.secure1.*   Z.secure2.*   TCP        A,D       Reject
F          Z.secure2.*   Z.secure1.*   TCP        B,C       Reject
G          Z.secure1.*   Z.secure1.*   TCP        A,C       Allow
H          Z.secure2.*   Z.secure2.*   TCP        B,D       Allow

Page 13: Example: Unresolvable Conflicts

• A circular priority constraints graph is formed, for which no prioritization suits

[Figure: priority constraints graph over rules A, B, C, D, with the overlap areas E, F, G, H labelling the constraints]

Page 14: Solution: Resolve Filters

• Prefixes cannot partially overlap, hence

• Add resolve filters to the rule base to break the circular constraints graph

• Now BMF resolution is unambiguous

Rule   Src IP        Dst IP        Protocol   Action
E      Z.secure1.*   Z.secure2.*   TCP        Reject
F      Z.secure2.*   Z.secure1.*   TCP        Reject
G      Z.secure1.*   Z.secure1.*   TCP        Allow
H      Z.secure2.*   Z.secure2.*   TCP        Allow
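The argument of Pages 12 to 14 carried through in code, as an added Python example (not from the presentation or the paper): build the priority constraints graph from the desired behavior table, find the directed cycle, then add the four overlap areas as resolve filters and confirm that best-matching-filter resolution now picks exactly one rule, with the desired action, for a host inside each area. The rule base and desired behaviors are transcribed from Page 12; the function names (priority_constraints, find_cycle, best_matching, resolved_rulebase, check_overlaps) and the symbolic "Z.secure1.host" probe addresses are this example's own constructions.

```python
# Added example (not part of the presentation): the circular priority constraints
# graph of slides 12-13 and the resolve filters of slide 14.

RULES = {  # slide-12 rule base: name -> (source, destination, action)
    "A": ("Z.secure1.*", "Z.*", "Allow"),
    "B": ("Z.secure2.*", "Z.*", "Allow"),
    "C": ("Z.*", "Z.secure1.*", "Reject"),
    "D": ("Z.*", "Z.secure2.*", "Reject"),
}
DESIRED = {  # desired behavior per overlap area: name -> (source, destination, overlapping rules, action)
    "E": ("Z.secure1.*", "Z.secure2.*", ("A", "D"), "Reject"),
    "F": ("Z.secure2.*", "Z.secure1.*", ("B", "C"), "Reject"),
    "G": ("Z.secure1.*", "Z.secure1.*", ("A", "C"), "Allow"),
    "H": ("Z.secure2.*", "Z.secure2.*", ("B", "D"), "Allow"),
}

def priority_constraints(rules, desired):
    """Edges (winner, loser): winner must outrank loser so the overlap gets the desired action."""
    edges = []
    for _src, _dst, (x, y), action in desired.values():
        winner, loser = (x, y) if rules[x][2] == action else (y, x)
        edges.append((winner, loser))
    return edges

def find_cycle(edges):
    """One directed cycle as a node list (first node repeated at the end), or None if acyclic."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, [])
    state = {n: "new" for n in adj}     # new / active (on the DFS stack) / done
    stack = []

    def dfs(n):
        state[n] = "active"
        stack.append(n)
        for m in adj[n]:
            if state[m] == "active":    # back edge: the cycle is the stack from m onwards
                return stack[stack.index(m):] + [m]
            if state[m] == "new":
                found = dfs(m)
                if found:
                    return found
        stack.pop()
        state[n] = "done"
        return None

    for n in sorted(adj):
        if state[n] == "new":
            found = dfs(n)
            if found:
                return found
    return None

def specificity(prefix):
    """Number of fixed labels in a dotted prefix such as 'Z.secure1.*'."""
    labels = prefix.split(".")
    return len(labels) - 1 if labels[-1] == "*" else len(labels)

def matches(prefix, addr):
    fixed = prefix.split(".")[:specificity(prefix)]
    return addr.split(".")[:len(fixed)] == fixed

def best_matching(rulebase, src, dst):
    """BMF: the unique match that is at least as specific as every other match in both
    fields; None when the most specific matches are incomparable (a conflict)."""
    m = {n: r for n, r in rulebase.items() if matches(r[0], src) and matches(r[1], dst)}
    spec = {n: (specificity(r[0]), specificity(r[1])) for n, r in m.items()}
    best = [n for n in m if all(spec[n][0] >= s[0] and spec[n][1] >= s[1] for s in spec.values())]
    return best[0] if len(best) == 1 else None

def resolved_rulebase(rules, desired):
    """Slide 14: add each overlap area itself as a resolve filter carrying the desired action."""
    out = dict(rules)
    for name, (src, dst, _overlap, action) in desired.items():
        out[name] = (src, dst, action)
    return out

def check_overlaps(rulebase, desired):
    """For a constructed host inside each overlap area: (BMF winner, its action)."""
    result = {}
    for name, (src, dst, _overlap, _action) in desired.items():
        winner = best_matching(rulebase, src.replace("*", "host"), dst.replace("*", "host"))
        result[name] = (winner, rulebase[winner][2] if winner else None)
    return result

if __name__ == "__main__":
    print("cycle:", find_cycle(priority_constraints(RULES, DESIRED)))
    print("before:", check_overlaps(RULES, DESIRED))
    print("after:", check_overlaps(resolved_rulebase(RULES, DESIRED), DESIRED))
```

The four constraints are D over A (area E), C over B (area F), A over C (area G) and B over D (area H), which close the cycle D, A, C, B, D; no total order of the four rules satisfies all of them. After the resolve filters are added, each area has a filter that is strictly more specific than both rules it overlaps, so BMF no longer needs an order at all.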

Page 15: Resulting Theorems

• If the priority constraints graph contains a directed cycle, then the set of filters cannot be made conflict-free by filter reordering (or prioritizing) alone

• Finding the smallest number of resolve filters that will make the graph conflict-free is equivalent to the smallest feedback arc problem and is NP-complete

Page 16: Implications of Resolve Filters

• Any cycle breaking heuristic is good, though here we will add all resolve filters

• Explicit conflict resolution

• O(|B|) resolve filters for rule base B

• No need for linear rule base scan or special hardware

• O(w) time for finding the longest prefix of a bit string of length w

Page 17: Outline

• Packet filtering concepts

• The filter conflict problem

• General algorithms for filter conflict detection and resolution

• Optimizations for specific cases

• Results and conclusions

Page 18: Towards a General Algorithm

• Define a filter F=(F[1],F[2],…,F[k]) where F[i] is a prefix bit string

• Define a bit string S to match F[i], if F[i] is a prefix of S

• Define a packet P=(P[1],P[2],…,P[k]) to match F, if P[i] matches F[i] for all i.

Page 19: Relations between Prefixes

• Define prefixes F[i] and G[i] as disjoint, if no bit string S matches them both

• Define F[i] a prefix of G[i], if S matches G[i] implies S matches F[i] for all S

• Define F[i] a strict prefix of G[i], if F[i] is a prefix of G[i] and F[i] ≠ G[i]

Page 20: General Conflict Detection

• Filters F ≠ G are conflict-free iff

– F and G are disjoint, i.e. F[i] and G[i] are disjoint for some i, or

– F is a prefix of G, i.e. F[i] is a prefix of G[i] for all i, or G is a prefix of F

Filter F                   Filter G                     Relation
(167.47.*, 202.134.*)      (203.23.*, 155.69.*)         Disjoint
(132.23.*, 176.84.*)       (132.23.*, 176.52.*)         Disjoint
(144.91.*, 166.20.*)       (144.91.*, 166.20.152.*)     F is a prefix of G
(175.40.13.*, 205.42.*)    (175.40.*, 205.*)            G is a prefix of F
(145.73.*, 183.50.*)       (145.*, 183.50.41.*)         Conflict

Page 21: 2-Filter Conflict Detection

Algorithm 2FilterConflict(F,G)
(* Determine whether F and G conflict *)
1.  For i = 1 to k do
2.      If F[i] and G[i] are disjoint then return "No Conflict";
3.  Set flag = 1;
4.  For i = 1 to k do
5.      If F[i] is not a prefix of G[i] then set flag = 0;
6.  If flag = 1 then return "No Conflict";
7.  Set flag = 1;
8.  For i = 1 to k do
9.      If G[i] is not a prefix of F[i] then set flag = 0;
10. If flag = 1 then return "No Conflict";
11. Return "Conflict";
end Algorithm

Page 22: Computing the Resolve Filter

• When filters F and G conflict, the overlapping area is defined by the longer of the two prefixes for each filter field

• The resolve filter of F and G is equal to the overlapping area between them

Filter F                  Filter G                    Resolve filter
(191.50.8.*, 80.23.*)     (191.50.*, 80.23.17.*)      (191.50.8.*, 80.23.17.*)
(62.13.*, 142.50.*)       (62.*, 142.50.96.*)         (62.13.*, 142.50.96.*)
(171.4.*, 101.20.*)       (171.4.15.*, 101.*)         (171.4.15.*, 101.20.*)

Page 23: Computing the Resolve Filter

Algorithm ResolveFilter(F,G)
(* Computes the filter resolving the conflict of F and G *)
1.  For i = 1 to k do
2.      Let X[i] be the longer of the two prefixes F[i] and G[i];
3.  Return (X[1], X[2], …, X[k]);
end Algorithm

Page 24: Adding Resolve Filters

• Define C(F) the set of filters in a conflict-free rule base B={F1,F2,…,Fn} that conflict with filter F

• The resolve filters of F introduce no new conflicts (relative to F) with B, and can therefore be added safely to B

Page 25: Maintaining a Conflict-free Rule Base

Algorithm AddNewFilter(F,B)
(* Insert a new filter into B *)
1.  Initialize C(F) = {F};
2.  For i = 1 to |B| do
3.      If 2FilterConflict(F,Fi) = "Conflict" then add Fi to C(F);
4.  For each filter F' ∈ C(F) do
5.      Add ResolveFilter(F,F') to B;
end Algorithm

• Worst case running time O(|B|+|C(F)|)

Page 26: Example: Maintaining a Conflict-free Rule Base

Filter   Set    Src IP        Dst IP         Remark
F[1]     B      165.80.11.*   165.80.*
F[2]     B      182.30.*      174.35.94.*
F[3]     B      165.80.*      165.*
F               165.*         165.80.13.*    Added to B
F'[1]    C(F)   165.80.11.*   165.80.13.*    Resolving F[1] conflict
F'[2]    C(F)   165.80.*      165.80.13.*    Resolving F[3] conflict
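The general machinery of Pages 18 to 25, written out as an added Python example (not the presentation's or the paper's code) and checked against the tables on Pages 20, 22 and 26. Filters are tuples of prefix bit strings; the helpers parse and fmt convert between the slides' dotted notation ("165.80.*") or binary notation ("10*") and bit strings, and the names flt, show, relation, two_filter_conflict, resolve_filter and add_new_filter are this example's own. C(F) is initialised to {F} exactly as the slide does: ResolveFilter(F,F) is F itself, which is how F enters B.

```python
# Added example (not part of the presentation): the conflict definitions of slides 19-20
# and the algorithms 2FilterConflict, ResolveFilter and AddNewFilter of slides 21-25.

def parse(prefix):
    """Prefix in dotted or binary notation -> bit string ('*' alone is the empty prefix)."""
    if prefix == "*":
        return ""
    if "." in prefix:                                   # dotted decimal with optional '.*' tail
        octets = prefix.rstrip(".*").split(".")
        return "".join(format(int(o), "08b") for o in octets)
    return prefix.rstrip("*")                           # binary notation such as '10*'

def fmt(bits):
    """Bit string -> dotted notation when octet-aligned, else binary with a '*' tail."""
    if bits == "":
        return "*"
    if len(bits) % 8 == 0:
        dotted = ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))
        return dotted if len(bits) == 32 else dotted + ".*"
    return bits + "*"

def flt(*prefixes):
    """A filter F=(F[1],...,F[k]) as a tuple of bit-string prefixes."""
    return tuple(parse(p) for p in prefixes)

def show(F):
    return tuple(fmt(p) for p in F)

def is_prefix(a, b):
    """a is a prefix of b (slide 19): every bit string matching b also matches a."""
    return b.startswith(a)

def disjoint(a, b):
    """No bit string matches both (slide 19): neither prefix is a prefix of the other."""
    return not is_prefix(a, b) and not is_prefix(b, a)

def two_filter_conflict(F, G):
    """2FilterConflict(F, G) of slide 21, with the same three early exits."""
    k = len(F)
    if any(disjoint(F[i], G[i]) for i in range(k)):
        return "No Conflict"                            # steps 1-2: disjoint in some field
    if all(is_prefix(F[i], G[i]) for i in range(k)):
        return "No Conflict"                            # steps 3-6: F is a prefix of G
    if all(is_prefix(G[i], F[i]) for i in range(k)):
        return "No Conflict"                            # steps 7-10: G is a prefix of F
    return "Conflict"                                   # step 11

def relation(F, G):
    """The classification used in the slide-20 table."""
    if any(disjoint(f, g) for f, g in zip(F, G)):
        return "Disjoint"
    if all(is_prefix(f, g) for f, g in zip(F, G)):
        return "F is a prefix of G"
    if all(is_prefix(g, f) for f, g in zip(F, G)):
        return "G is a prefix of F"
    return "Conflict"

def resolve_filter(F, G):
    """ResolveFilter(F, G) of slide 23: per field, the longer of the two prefixes."""
    return tuple(max(f, g, key=len) for f, g in zip(F, G))

def add_new_filter(F, B):
    """AddNewFilter(F, B) of slide 25. Extends B in place and returns the filters it added.
    C(F) starts as {F}, so ResolveFilter(F, F) = F is the first filter added."""
    C = [F]
    for Fi in B:
        if two_filter_conflict(F, Fi) == "Conflict":
            C.append(Fi)
    added = [resolve_filter(F, Fp) for Fp in C]
    B.extend(added)
    return added

if __name__ == "__main__":
    # Walk-through of the slide-26 example (filters transcribed from the slide).
    B = [flt("165.80.11.*", "165.80.*"), flt("182.30.*", "174.35.94.*"), flt("165.80.*", "165.*")]
    for added in add_new_filter(flt("165.*", "165.80.13.*"), B):
        print(show(added))
```

Run stand-alone it prints F itself followed by the two resolve filters of the table, F'[1] for the conflict with F[1] and F'[2] for the conflict with F[3]; F[2] is disjoint from F in the source field and contributes nothing.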

Page 27: Outline

• Packet filtering concepts

• The filter conflict problem

• General algorithms for filter conflict detection and resolution

• Optimizations for specific cases

• Results and conclusions

Page 28: Motivations for Optimizations

• The handling of filter updates in the router control path must be fast

• Routers with large rule bases cannot afford the linear general algorithms described

• The majority of internet filters are 2- or 5-tupled

Page 29: 2-tuple Filter Conflict Detection

• Since 2-tuple filters F, G conflict iff

– G[1] prefixes F[1] and F[2] prefixes G[2], or

– F[1] prefixes G[1] and G[2] prefixes F[2]

• Then for rule base B, we construct a 2-level recursive trie for each case

– The recursive source trie S(B)

– The recursive destination trie D(B)

Page 30: Recursive Source Trie Construction

• Construct a first level trie for the source prefixes of the filters in B

• Define s(u) the associated prefix of node u in the first level trie of S(B)

• Define X(u) the set of filters in B with source prefix equal to s(u): X(u) = {F ∈ B | F[1] = s(u)}

Page 31: Recursive Source Trie Construction

• For every node u in the first level trie, construct a second level trie D(u) for the destination prefixes of X(u)

• Let u point to D(u)

• D(B) is similarly constructed

– The first level trie holds destination prefixes

– The second level tries hold source prefixes

Page 32: Example: 2-tuple Filters

• Consider the following rule base

Filter   Source   Destination
F1       10*      100*
F2       10*      011*
F3       10*      001*
F4       1*       00*
F5       1*       11*
F6       1*       10*
F7       0*       101*
F8       *        1*

Page 33: Example: The Recursive Source Trie

[Figure: the recursive source trie S(B) for the rule base above; first-level nodes a, b, c, d point to second-level destination tries holding F1…F8. Legend: Src/Dst trie node, Src/Dst trie arc, Arc to Dst trie, Filter (shown as F1)]

Page 34: Fast Conflict Detection using the Recursive Source Trie

• Find the longest matching prefix of F[1], noted u, and let v1,…,vm be the proper prefix nodes of F[1], possibly v1 = u = *

• For each destination trie D(vi) locate the longest matching prefix for F[2], noted z

• If z is a leaf there is no conflict, otherwise all descendant filters of z conflict with F

Page 35: Example: Fast Filter Conflict Detection for (10*,1*)

[Figure: the recursive source trie S(B) of the previous slide with the search path for the new filter (10*,1*) highlighted; F5 and F6 are marked as the conflicting filters. Legend: Src/Dst trie node, Src/Dst trie arc, Arc to Dst trie, Filter, Src prefix node, Src/Dst prefix arc, Arc from Src prefix node to Dst trie, Conflicting filter (shown as F1)]
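The recursive tries S(B) and D(B) of Pages 29 to 31 and the three-step search of Page 34, as an added Python example (not code from the presentation or the paper) run on the Page 32 rule base with the new filter (10*,1*) of this slide. The class and function names (Trie, build_recursive_trie, conflicts_one_way, fast_detect, brute_detect) are this example's own. Two boundary cases that the slide's wording leaves implicit are made explicit, following the conflict definition of Page 20: a first-level node whose prefix equals F[1] is skipped (its longer-destination filters are prefixed by F, so they do not conflict), and the descendants of z count only when the walk consumed all of F[2] (otherwise they are disjoint from F or prefixes of it). brute_detect applies the Page 29 condition, read with strict prefixes, to every filter as a cross-check of the trie search.

```python
# Added example (not part of the presentation): recursive tries S(B) and D(B) and the
# fast 2-tuple conflict detection of slide 34, on the slide-32 rule base.

RULES = {  # name -> (source prefix, destination prefix) as bit strings; '' stands for '*'
    "F1": ("10", "100"), "F2": ("10", "011"), "F3": ("10", "001"), "F4": ("1", "00"),
    "F5": ("1", "11"), "F6": ("1", "10"), "F7": ("0", "101"), "F8": ("", "1"),
}

class Trie:
    """Binary trie node. First-level nodes carry a second-level trie D(u); second-level
    nodes carry the names of the filters whose prefix ends exactly at that node."""
    def __init__(self, prefix=""):
        self.prefix = prefix
        self.children = {}      # '0' / '1' -> child Trie
        self.filters = []
        self.second = None

    def insert(self, bits):
        node = self
        for b in bits:
            if b not in node.children:
                node.children[b] = Trie(node.prefix + b)
            node = node.children[b]
        return node

    def walk(self, bits):
        """Nodes on the path of `bits`, root first; stops where no matching child exists."""
        node, path = self, [self]
        for b in bits:
            if b not in node.children:
                break
            node = node.children[b]
            path.append(node)
        return path

    def descendant_filters(self):
        """Filters stored strictly below this node."""
        out = []
        for child in self.children.values():
            out += child.filters + child.descendant_filters()
        return out

def build_recursive_trie(rules, first, second):
    """S(B) for (first, second) = (0, 1); D(B) for (1, 0). For each first-level node u,
    X(u) is the set of filters whose field `first` equals s(u); they populate D(u)."""
    root = Trie()
    for name, f in rules.items():
        u = root.insert(f[first])
        if u.second is None:
            u.second = Trie()
        u.second.insert(f[second]).filters.append(name)
    return root

def conflicts_one_way(root, F, first, second):
    """Filters G with G[first] a strict prefix of F[first] and F[second] a strict prefix of G[second]."""
    found = []
    for v in root.walk(F[first]):                   # v1..vm: the prefix nodes of F[first]
        if v.second is None or len(v.prefix) >= len(F[first]):
            continue                                # no filters here, or same prefix: F prefixes them
        z = v.second.walk(F[second])[-1]            # longest matching prefix of F[second] in D(v)
        if z.prefix == F[second]:                   # walk consumed F[second]: all below is longer
            found += z.descendant_filters()         # filters at z itself are prefixes of F
    return found

def fast_detect(rules, F):
    """Conflicts of F with the rule base: the S(B) case plus the symmetric D(B) case."""
    S = build_recursive_trie(rules, 0, 1)
    D = build_recursive_trie(rules, 1, 0)
    return sorted(set(conflicts_one_way(S, F, 0, 1) + conflicts_one_way(D, F, 1, 0)))

def brute_detect(rules, F):
    """Slide-29 condition, with 'prefixes' read as strict prefix, checked against every filter."""
    def strict(a, b):
        return b.startswith(a) and a != b
    return sorted(name for name, G in rules.items()
                  if (strict(G[0], F[0]) and strict(F[1], G[1]))
                  or (strict(F[0], G[0]) and strict(G[1], F[1])))

if __name__ == "__main__":
    print(fast_detect(RULES, ("10", "1")))       # the query of this slide
```

For (10*,1*) the walk in S(B) visits the root (F8's node) and the node 1* before stopping at 10*; in D(1*) the walk for 1* ends at a node whose descendants are F5 (11*) and F6 (10*), which are the two conflicts. The node 10* is skipped because F1…F3 share F's source prefix, and the D(B) side finds nothing since no filter has a destination shorter than 1*.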

Page 36: 3-tuple Filter Conflict Detection

• Restrict the protocol to be either TCP or UDP or OTHER or *

• We need 3 separate 2-tuple detection data structures

• A wildcarded protocol filter will be placed in all three data structures

Page 37: 5-tuple Filter Conflict Detection

• Restrict the protocol as in the 3-tuple case

• Restrict the source and destination port to be either stated or *, thus dividing the filters into four groups in each node

– (*,*) (si,*) (*,di) (si,di)

Page 38: Tracking Prefix Lengths While Traversing S(B)

• Define SrcPrefixLen as shorter or equal or longer, depending on the length of the new filter source prefix relative to the length of the current source trie node

• Define DstPrefixLen similarly, but depending on the destination prefix

• Track prefix lengths for D(B) similarly

Page 39: Example: 5-tuple Filter Conflict Detection

• IPs conflict and ports are joint; IPs are prefixes-of and ports are prefixed-by the node's filters (or vice versa)

[Table: conflict cases by SrcPrefixLen and DstPrefixLen; only stray comparison symbols survive in the transcript]

Page 40: 5-tuple Conflict Detection in Other Cases

• Cases are symmetric, e.g.

– Shorter/longer behaves like longer/shorter

– Shorter/equal behaves like equal/shorter

• Tables may similarly be constructed for filters of type (*,*) (*,di) and (si,di)

• The shorter/shorter case is handled with exhaustive search

Page 41: Outline

• Packet filtering concepts

• The filter conflict problem

• General algorithms for filter conflict detection and resolution

• Optimizations for specific cases

• Results and conclusions

Page 42: Result: Firewall Conflict Detection

• Filter conflicts that are potential security holes have been discovered in all 3 inspected firewalls

Page 43: Result: Conflict Detection Time

• Fast Detect quickly outperforms linear conflict detection

Page 44: Result: Conflicts per Filter

• Conflict histogram (1000 separate runs) increases by an order of magnitude when the filter DB increases from 1K to 10K

Page 45: Result: Conflict Enumeration

• Enumeration time quickly diverges relative to detection time

Page 46: Conclusions and Remarks

• General and specific 2-,3-,5-tuple filter conflict detection and resolution

– Forwarding, QoS, VPN, Firewall, signaling

• Conflict-free rule bases are desirable

– 2-tuple filter base compaction

– faster packet classification

Page 47: Conclusions and Remarks

• The tries may be reused for the router data path

• K-bit tries reduce time by a factor of K and increase memory by a factor of 2^K

• Supports port ranges and protocol sets