FFPF: Fairly Fast Packet Filters u uspace k kspace n nspace Herbert Bos Willem de Bruijn Trung Nguyen Mihai Cristea Georgios Portokalidis Vrije Universiteit Amsterdam Universiteit Leiden http://ffpf.sourceforge.net/ Vrije Universiteit Amsterdam Network Monitoring ● Increasingly important – ● traffic characterisation, security traffic engineering, SLAs, billing, etc. Existing solutions: – designed for slow networks or traffic engineering/QoS – not very flexible We’re hurting because of spread of SAPPHIRE in 30 minutes ● – hardware (bus, memory) – software (copies, context switches) demand for solution: - scales to high link rates - scales in no. of apps - flexible -process at lowest possible level -minimise copying -minimise context switching -freedom at the bottom generalised notion of flow Flow: “a stream of packets that match arbitrary user criteria” TCP SYN UDP with CodeRed bytecount eth0 HTTP U IP TCP RTSP “contains worm” UDP RTP Flowgraph UID 0 efficient userspace ? reduced copying and context switches kernel ● sharing data ● ● flowgraphs: sharing computations ? x “push filtering tasks as far down the processing hierarchy as possible” ? ? network card reduce copying ● FFPF avoids both ‘horizontal’ and ‘vertical’ copies Application A Application B U K ‘filter’ - no ‘vertical’ copies - no ‘horizontal’ copies within flow group - more than ‘just filtering’ in kernel (e.g.,statistics) Extensible (device,eth0) | (device,eth1) -> (sampler,2) -> (FPL-2,”..”) | (BPF,”..”) -> (bytecount) (device,eth0) -> (sampler,2) -> (BPF,”..”) -> (packetcount) ✔ modular framework ✔ language agnostic ✔ plug-in filters Buffers R O O ● ● PacketBuf – circular buffer with N fixed-size slots – large enough to hold packet O O IndexBuf – circular buffer with N slots – contains classification result + pointer O O O W Buffers O O ● ● PacketBuf – circular buffer with N fixed-size slots – large enough to hold packet O O IndexBuf – circular buffer with N slots – contains classification result + pointer O R O O W Buffers X X ● ● PacketBuf – circular buffer with N fixed-size slots – large enough to hold packet X X IndexBuf – circular buffer with N slots – contains classification result + pointer X O R O W R1 O Buffer management what to do if writer catches up with slowest reader? ● – ● fast reader preference – application responsible for keeping up ● ● O O O O can check that packets have been overwritten different drop rates for different apps O O overall speed determined by slowest reader overwrite existing packets O O drop new packets (traditional way of dealing with this) – O O slow reader preference – O O O O O W R1 Languages IF (PKT.IP_PROTO == PROTO_TCP) THEN // reg.0 = hash over flow fields R[0] = Hash (14,12,1024) ● FFPF is language neutral ● Currently we support: – BPF – C – OKE Cyclone – FPL // increment pkt counter at this // location in MBuf MEM[ R[0] ]++ FI • simple to use • compiles to optimised native code • resource limited (e.g., restricted FOR loop) • access to persistent storage (scratch memory) • calls to external functions (e.g., fast C functions or hardware assists) • compiler for uspace, kspace, and nspace (ixp1200) packet sources ● currently three kinds implemented -netfilter -net_if_rx() -IXP1200 uspace ● kspace implementation on IXPs: NIC-FIX -bottom of the processing hierarchy -eliminates mem & bus bottlenecks nspace Network Processors “programmable NIC” zero copy copy once on-demand copy Performance results pkt loss: FFPF: < 0.5% LSF: 2-3% Performance results pkt loss: LSF:64-75% FFPF: 10-15% Performance Copy St rat egies 100 reference d rop accept 90 processed (in %) 80 70 60 50 40 30 20 10 0 r eg ular copy copy once zer o copy Summary concept of ‘flow’ generalised copying and context switching minimised processing in kernel/NIC complex programs + ‘pipes’ FPL: FFPF Packet Languages fast + flexible persistent storage flow-specific state authorisation + third-party code any user flow groups applications sharing packet buffers More Information http://ffpf.sourceforge.net/ microbenchmarks