BPC: A language for packet classification
Haiyong Wang
hw6h@cs.virginia.edu
What is classification
Classification is a mechanism that inspects incoming network packets and, based on the values found in selected header fields, determines how each is to be processed.
Usually, the specifications are expressed as rules.
Packets satisfying the same rule are classified into one flow.
Classification: an example (figure)
A router sits between ISP1, ISP2, ISP3 and the nets 202.128.201.0/24, 202.128.202.0/24 and 202.128.203.0/24; its classifier divides the traffic into Flow1, Flow2 and Flow3.
Why Classification
Essential to QoS (admission control, resource reservation, per-flow queuing and fair scheduling)
Necessary to many advanced services (load balancing and content-based routing)
ISP (accounting, billing and network monitoring)
Network Security
What has been done?
Networking community: extend IP lookup
  Focus on performance
  Very limited specifications, no language
  Only works on Layer 3/4 headers
OS community: packet demultiplexing
  Machine-code level specification (difficult to develop and test)
  Filter composition issues
My work
Based on a high-level packet filter language (BPF)
Filter composition
Look deeper and smarter
Keep status
Why high-level language?
Short!
High-level: tcp port HTTP
The same filter written as low-level offset:width tests (as on the slide):
  (((12:16 == 0x8) &&      #IP?
  Shift(6+6+2) &&          #skip Ethernet header
  (9:8 == 6) &&            #TCP?
  Shift(20) &&             #skip IP header
  (0:16 == 80) &&          #src port 80
  (2:16 == 80)))           #dst port 80
Easy to use and error-free
You can not express this in a low-level language!
  Source network == Destination network
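To make the contrast concrete, here is an added example (not code from the slides or from BPC) that evaluates "tcp port HTTP" both ways over a constructed Ethernet/IPv4/TCP frame: once as the slide's chain of offset:width tests and Shift() moves, once by naming decoded fields. It also implements "source network == destination network", which compares one field against another rather than against a constant. Assumptions: the full EtherType value 0x0800 is used where the slide abbreviates it to 0x8, "tcp port HTTP" matches either endpoint, and the IP header carries no options.

```python
import struct
from ipaddress import ip_address, ip_network

ETHERTYPE_IP = 0x0800   # full EtherType value (the slide abbreviates it as 0x8)
IPPROTO_TCP = 6
ETH_LEN = 6 + 6 + 2     # the slide's Shift(6+6+2): dst MAC, src MAC, EtherType


def build_frame(src_ip, dst_ip, src_port, dst_port, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for the demo (checksums left at zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, IPPROTO_TCP, 0,
                     ip_address(src_ip).packed, ip_address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return eth + ip + tcp + payload


class Cursor:
    """The slide's low-level view: 'offset:width == value' tests plus Shift(n),
    all relative to a byte cursor that is moved past each header."""
    def __init__(self, pkt):
        self.pkt, self.base = pkt, 0

    def field(self, offset, width_bits):
        start = self.base + offset
        return int.from_bytes(self.pkt[start:start + width_bits // 8], "big")

    def shift(self, n):
        self.base += n
        return True       # truthy so it can sit inside an && chain as on the slide


def low_level_tcp_port_http(pkt):
    """Hand-written equivalent of 'tcp port HTTP', step for step as on the slide."""
    c = Cursor(pkt)
    return (c.field(12, 16) == ETHERTYPE_IP      # IP?
            and c.shift(ETH_LEN)                 # skip Ethernet header
            and c.field(9, 8) == IPPROTO_TCP     # TCP?
            and c.shift(20)                      # skip IP header (assumes no IP options)
            and (c.field(0, 16) == 80            # src port 80
                 or c.field(2, 16) == 80))       # dst port 80


def parse(pkt):
    """Decode the named fields a high-level filter refers to (demo helper, not BPC's parser)."""
    if struct.unpack_from("!H", pkt, 12)[0] != ETHERTYPE_IP:
        return None
    ihl = (pkt[ETH_LEN] & 0x0F) * 4
    fields = {"ip.proto": pkt[ETH_LEN + 9],
              "ip.src": ip_address(pkt[ETH_LEN + 12:ETH_LEN + 16]),
              "ip.dst": ip_address(pkt[ETH_LEN + 16:ETH_LEN + 20])}
    if fields["ip.proto"] == IPPROTO_TCP:
        fields["tcp.sport"], fields["tcp.dport"] = struct.unpack_from("!HH", pkt, ETH_LEN + ihl)
    return fields


def tcp_port(pkt, port):
    """High-level 'tcp port <port>': names fields instead of byte offsets."""
    f = parse(pkt)
    return bool(f) and f["ip.proto"] == IPPROTO_TCP and port in (f["tcp.sport"], f["tcp.dport"])


def same_network(pkt, prefix_len):
    """'Source network == destination network': compares one field against another,
    which a chain of constant offset:width tests cannot express."""
    f = parse(pkt)
    if not f:
        return False
    src_net = ip_network(f"{f['ip.src']}/{prefix_len}", strict=False)
    dst_net = ip_network(f"{f['ip.dst']}/{prefix_len}", strict=False)
    return src_net == dst_net
```

The low-level version hard-codes every header length, so it silently misreads a frame with IP options or a VLAN tag; the high-level version decodes the IHL field and could be extended without touching any filter that uses it.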
Filter Composition
Syntax
$1 filter expression1
$2 filter expression2
…
$n filter expression n
Priority is used to resolve conflicts
A Real Scenario (figure): three users behind one ISP link
UserA: Online chat (low delay, low bandwidth)
UserB: Napster fan (greedy source, constant BW)
UserC: RealPlayer stream (low delay, low jitter)
BPC solution
$1 host user A and port A -> Flow A: the highest priority (UserA: Online chat)
$2 host user B and port B -> Flow B: the lowest priority (UserB: Napster fan)
$3 host user C and port C -> Flow C: reserve bandwidth (UserC: RealPlayer stream)
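The composition syntax ($1 ... $n with priority to resolve conflicts) and the ISP scenario above, as an added example that is not part of the slides or of the BPC implementation. Filter expressions are stood in for by Python predicates over already-decoded header fields; the hosts, ports and priority numbers are constructed, and a fourth catch-all rule is added so that a packet can match more than one rule and the priority resolution is exercised.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]    # decoded header fields, e.g. {"ip.src": "192.0.2.10", "tcp.dport": 80}


@dataclass(frozen=True)
class Rule:
    number: int                       # the $n of the composed filter list
    expr: Callable[[Packet], bool]    # stands in for the BPC filter expression
    flow: str                         # the flow a matching packet is classified into
    priority: int                     # higher wins when several rules match one packet


def host_and_port(host: str, port: int) -> Callable[[Packet], bool]:
    """'host H and port P' in either direction, as a predicate over decoded fields."""
    return lambda p: (host in (p.get("ip.src"), p.get("ip.dst"))
                      and port in (p.get("tcp.sport"), p.get("tcp.dport")))


def is_tcp(p: Packet) -> bool:
    return p.get("ip.proto") == 6


class Classifier:
    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.number)

    def classify(self, p: Packet) -> Optional[str]:
        """Every rule is evaluated; a conflict (several matches) is settled by priority.
        Two matching rules of equal priority are a specification error, not a tie to guess at."""
        matches = [r for r in self.rules if r.expr(p)]
        if not matches:
            return None
        best = max(matches, key=lambda r: r.priority)
        tied = [r.number for r in matches if r.priority == best.priority]
        if len(tied) > 1:
            raise ValueError("rules " + ", ".join(f"${n}" for n in tied) + " match with equal priority")
        return best.flow


# The ISP scenario from the slides; hosts, ports and priority numbers are constructed.
USER_A, USER_B, USER_C = "192.0.2.10", "192.0.2.20", "192.0.2.30"
PORT_A, PORT_B, PORT_C = 5190, 6699, 7070
SCENARIO = Classifier([
    Rule(1, host_and_port(USER_A, PORT_A), "Flow A (chat: highest priority)", priority=3),
    Rule(2, host_and_port(USER_B, PORT_B), "Flow B (Napster: lowest priority)", priority=1),
    Rule(3, host_and_port(USER_C, PORT_C), "Flow C (stream: reserved bandwidth)", priority=2),
    Rule(4, is_tcp, "best effort", priority=0),   # catch-all that overlaps $1..$3
])


def classify_scenario(src: str, sport: int, dst: str, dport: int) -> Optional[str]:
    """Classify one TCP packet of the scenario, given as decoded fields."""
    pkt: Packet = {"ip.proto": 6, "ip.src": src, "ip.dst": dst, "tcp.sport": sport, "tcp.dport": dport}
    return SCENARIO.classify(pkt)
```

Because every rule is evaluated, the result does not depend on the order in which $1..$n were written, only on the declared priorities; the catch-all at priority 0 never shadows a user's flow.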
Look Deeper and Smarter
Why
TCP/IP does not specify what to transmit
Many application-layer protocols put
keywords at the beginning of the payload
How
Search Regular Expression
Allow users to define their own criteria
Syntax
Include “Regular String”
Include “Regular String” from Len1 to Len2
Packet layout (figure): Ethernet header | IP header | TCP header | application protocol; "from Len1 to Len2" bounds the byte range that is searched
Many protocols are case insensitive
Limiting the range reduces the expense
Invoke "user routine"
boolean user_routine( void *packet, int len)
"I love you" example: a message carrying the text "I Love you" is caught by the filter
$include "I *Love*You" from 20 to 100 and port mail port
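The payload search and the user-routine hook, as an added example (not code from the slides or from BPC). Assumptions: the Len1..Len2 window is taken relative to the application payload, BPC's "*" is treated as a regex-style wildcard so the slide's pattern is written as `I.*Love.*You` in Python `re` syntax, matching is case insensitive by default as the slide recommends, and the mail-like payload is constructed.

```python
import re
from typing import Callable, Optional


def include(pattern: str, payload: bytes, len1: int = 0, len2: Optional[int] = None,
            ignore_case: bool = True) -> bool:
    """'include "pattern" from len1 to len2': search the regular expression only inside
    payload[len1:len2].  The window is a slice, so bytes beyond len2 are never scanned,
    which is what keeps the cost bounded on large payloads."""
    window = payload[len1:len2]
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern.encode("latin-1"), window, flags) is not None


def invoke(user_routine: Callable[[bytes, int], bool], packet: bytes) -> bool:
    """'invoke "user routine"': hand the packet and its length to user-supplied code,
    mirroring boolean user_routine(void *packet, int len)."""
    return bool(user_routine(packet, len(packet)))


# Constructed mail-like payload.  "i LOVE you" starts at byte 33 (after the 24-byte HELO
# line and the 9-byte "Subject: " prefix), inside the slide's "from 20 to 100" window.
MAIL_PAYLOAD = (b"HELO mail.example.test\r\n"
                b"Subject: i LOVE you\r\n"
                b"body text follows here\r\n")

# The slide's filter pattern written in Python re syntax (assumption about BPC's dialect).
LOVE_PATTERN = r"I.*Love.*You"


def many_recipients(packet: bytes, length: int) -> bool:
    """Example user routine: flag a message with more than three RCPT TO lines."""
    return packet[:length].count(b"RCPT TO:") > 3
```

Narrowing the window also changes semantics, not just cost: the same pattern that matches in 20..100 is missed if the window ends at byte 30, so the range should be chosen from where the protocol actually puts its keywords.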
Why keep status
Enable us to classify packets dynamically
according to the connections
Provide uniform services to all the packets
in the same connection
Resource Reservation (allocation and deallocation)
How to do that: Syntax
trigger ( start expression )
remove ( end expression )
satisfy ( match expression )
identify by ( key words )
Keep status: an example
Example: TCP connection
trigger (tcp[13]&2 = 2) #SYN packet
remove ( tcp[13]&1 = 1 ) #FIN packet
satisfy ( tcp )
identify (src host, src port, dst host, dst port)
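The trigger/remove/satisfy/identify mechanism and the TCP-connection example above, as an added example that is not code from the slides or from BPC. Packets are given as already-decoded fields with `tcp.flags` standing for tcp[13]; the start and end expressions, the connection table and the sample endpoints are constructed. Besides the slide's one-directional four-tuple key, it includes a direction-independent key, because the literal (src host, src port, dst host, dst port) key does not recognise reply packets of the same connection.

```python
from typing import Dict, Hashable

Packet = Dict[str, object]      # decoded fields, e.g. {"tcp.flags": 0x02, "ip.src": "192.0.2.10"}

TCP_FIN, TCP_SYN = 0x01, 0x02   # bits of tcp[13], the TCP flags byte


class StatefulFilter:
    """The slide's keep-status syntax: 'trigger' opens a connection entry, 'remove' closes it,
    and packets accepted by 'satisfy' are classified only while the entry exists."""

    def __init__(self, trigger, remove, satisfy, identify):
        self.trigger, self.remove, self.satisfy, self.identify = trigger, remove, satisfy, identify
        self.table: Dict[Hashable, int] = {}   # key -> packets seen on that connection

    def classify(self, p: Packet) -> bool:
        if not self.satisfy(p):           # match expression: e.g. 'tcp'
            return False
        key = self.identify(p)
        if self.trigger(p):               # start expression: allocate state
            self.table[key] = 0
        if key not in self.table:         # no live connection: packet is not in the flow
            return False
        self.table[key] += 1
        if self.remove(p):                # end expression: release state
            del self.table[key]
        return True


def four_tuple(p: Packet):
    """identify (src host, src port, dst host, dst port), exactly as on the slide: one direction."""
    return (p["ip.src"], p["tcp.sport"], p["ip.dst"], p["tcp.dport"])


def both_directions(p: Packet):
    """Caveat fix: ordering the two endpoints gives the same key for packets in either direction."""
    return tuple(sorted([(p["ip.src"], p["tcp.sport"]), (p["ip.dst"], p["tcp.dport"])]))


def tcp_connection(identify=four_tuple) -> StatefulFilter:
    """The slide's example: a TCP connection is opened by SYN and closed by FIN."""
    return StatefulFilter(
        trigger=lambda p: bool(p["tcp.flags"] & TCP_SYN),   # tcp[13]&2 = 2
        remove=lambda p: bool(p["tcp.flags"] & TCP_FIN),    # tcp[13]&1 = 1
        satisfy=lambda p: p.get("ip.proto") == 6,           # tcp
        identify=identify,
    )


def tcp_packet(src, sport, dst, dport, flags) -> Packet:
    """Constructed decoded packet; 'tcp.flags' is the value of tcp[13]."""
    return {"ip.proto": 6, "ip.src": src, "tcp.sport": sport,
            "ip.dst": dst, "tcp.dport": dport, "tcp.flags": flags}
```

Note that with the one-directional key only the client's packets are ever classified, and a data packet arriving after the FIN is rejected because its state has already been released; both behaviours are what a resource-reservation flow wants, and both are visible in the table.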
DDOS (figure): an intruder controls masters, each driving several daemons (D); their traffic reaches the web server through the packet classifier.
Is everything all right?
Analogy
luxury, spacious, but slow carriage
economy, crowded and even unsafe,
but super-fast rocket
What’s the moral
Performance!!!
How to run fast
Replace interpreter with native code
Special hardware (hash table, parallel
computation)
Compiler Optimization
Intra-filter
Inter-filter
Inter-filter Optimization (figure): two filters evaluated separately
Filter #1: ip src host1
  ether.type == IP?  No -> False
  Yes -> ip.src == host1?  No -> False;  Yes -> True
Filter #2: ip dst host2
  ether.type == IP?  No -> False
  Yes -> ip.dst == host2?  No -> False;  Yes -> True
Optimization (con'd) (figure): the two filters merged into one decision tree
  ether.type == IP?  No -> False
  Yes -> ip.src == host1?  Yes -> #1
  No -> ip.dst == host2?  Yes -> #2;  No -> False
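The inter-filter optimization in the two diagrams above, as an added example (not code from the slides or from BPC): each filter is a conjunction of field tests, and the merged form is built by sharing common prefix tests in a trie so that ether.type == IP is evaluated once for both filters. A counter records how many tests run so the two strategies can be compared; the packets and the host1/host2 values are constructed. It generalises the slide's two filters to any number of filters with a shared prefix.

```python
from typing import Dict, List, Optional, Tuple

Packet = Dict[str, object]
Test = Tuple[str, object]     # (field name, expected value), e.g. ("ether.type", "IP")


class Counter:
    """Counts how many field tests run, so the two evaluation strategies can be compared."""
    def __init__(self):
        self.tests = 0

    def check(self, p: Packet, test: Test) -> bool:
        self.tests += 1
        field, value = test
        return p.get(field) == value


FILTERS: Dict[int, List[Test]] = {          # each filter is a conjunction of tests
    1: [("ether.type", "IP"), ("ip.src", "host1")],    # ip src host1
    2: [("ether.type", "IP"), ("ip.dst", "host2")],    # ip dst host2
}


def evaluate_separately(p: Packet, counter: Counter) -> List[int]:
    """One decision chain per filter (first diagram): the shared test runs once per filter."""
    return [n for n, tests in FILTERS.items() if all(counter.check(p, t) for t in tests)]


class Node:
    """A node of the merged decision tree: outgoing tests and the filters satisfied here."""
    def __init__(self):
        self.children: Dict[Test, "Node"] = {}
        self.accept: List[int] = []


def build_tree(filters: Dict[int, List[Test]]) -> Node:
    """Merge filters into a trie keyed by their tests, so a common prefix is stored once."""
    root = Node()
    for n, tests in filters.items():
        node = root
        for t in tests:
            node = node.children.setdefault(t, Node())
        node.accept.append(n)
    return root


TREE = build_tree(FILTERS)


def evaluate_shared(p: Packet, counter: Counter, node: Optional[Node] = None) -> List[int]:
    """The merged tree (second diagram): a shared prefix test is evaluated once, and only
    the subtrees whose test passed are visited."""
    node = TREE if node is None else node
    matched = list(node.accept)
    for test, child in node.children.items():
        if counter.check(p, test):
            matched += evaluate_shared(p, counter, child)
    return sorted(matched)
```

The saving grows with the number of filters that share a prefix: with k filters on IP, the separate form runs k ether.type tests per packet and the merged form runs one, and for non-IP traffic the merged form rejects all k filters with that single test.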
Summary
Work has been done
Design a packet classification language by
extending BPF
Implemented a working system (you are welcome to take a look after class)
Future Work
Integrate BPC into BPF
Performance issues