Deep Packet Inspection as a Service
Anat Bremler-Barr, IDC Herzliya
Joint work with Yotam Harchol, David Hay and Yaron Koral, The Hebrew University
Appeared at CoNEXT 2014
www.deepness-lab.org
This work was supported by European Research Council (ERC) Starting Grant no. 259085 and the “Neptune” consortium
Middlebox: Current Status
• Many Middleboxes (MB): in some cases even more than switches & routers
• Two revolutions:
  – Software Defined Networks (SDN): controlling the routing
    • Easier to realize Service Chains
  – Network Function Virtualization (NFV): from HW to SW
• Rethinking MB architecture
[Figure: examples of middleboxes: DDoS protection, Firewall, IDS, Load balancer, Ad insertion]
NFV: Hardware MB → Software MB
• Hardware Middlebox
  – Not flexible
  – Expensive
  – Hard to manage (many vendors)
  – Not multi-tenant
  – Difficult to add new features
  – Constraining innovation: higher entry barrier
• Software Middlebox
  – Performance penalty
    • Commodity servers
    • VMs
    • No hardware accelerators
We suggest a new MB architecture that improves performance and innovation using NFV and SDN
Our approach: MB common modules as a service
• Break the MB architecture into common modules
  – E.g. many MBs use Deep Packet Inspection (DPI)
• Provide modules as a service
  – A single module provides a service to many different kinds of MBs
  – In a service chain scenario: packets use the service only once and not repeatedly in each MB
• DPI as an example
DPI-Based Middleboxes
[Figure: one DPI engine shared by DPI-based middleboxes: Intrusion Detection System, Network Anti-Virus, L7 Firewall, L7 Load Balancer, Leakage Prevention System, Network Analytics, Traffic Shaper, Lawful Interception, Copyright Enforcement]
A MB processes the packet header or the payload; the latter uses a DPI engine.
DPI Engine – Complicated Challenge
• Pattern set size varies between 10^2 and 10^5 patterns
• The DPI engine is considered a system bottleneck in many of today's MBs (30%-80%) [Laboratory simulations over real deployments of Snort and ClamAV]
• Hundreds of academic papers over recent years: scalability, throughput, latency, power, resiliency, updates, compression
Middlebox Service Chains
• Each packet is scanned multiple times, wasting computation resources
• Each MB implements its own DPI engine (higher MB costs, reduced features)
Our Solution: DPI as a Service
Contribution: the idea of having a centralized DPI service instead of multiple instances of it at each Middlebox
Benefits:
• Innovation – lower entry barriers
• Reduced costs – cheaper MB HW/SW
• Improved performance – scan each packet once
• Rich DPI functionality – invest once for all MBs
• Enhanced data-plane – potential to enhance switches
Agenda
• Architecture aspects of DPI as a service
  – DPI controller
  – Passing results from the DPI to the MBs
• Scalable algorithm that combines DPI patterns from different MBs
• Experimental Results
• Vision & Future Work
ARCHITECTURE
Service chain of MBs in NFV
[Figure: SDN Controller with Traffic Steering over switches S1–S4; the middleboxes L7 FW1, IDS1, IDS2, AV1, AV2 and TS each run in their own VM]
DPI as a Service
[Figure: the same topology with a DPI instance added in front of the middleboxes L7 FW1, IDS1, IDS2, AV1, AV2, TS]
Modified Service Chain: DPI, then AV1, TS, IDS1, L7 FW1
Architecture Overview
[Figure: topology with two DPI instances, DPI1 and DPI2, and a DPI Controller next to the SDN Controller and Traffic Steering; middleboxes L7 FW1, IDS1, IDS2, AV1, AV2, TS over switches S1–S4]
New elements:
• DPI controller
• Multiple DPI instances
Details: DPI instance
• MB sends its pattern set to the DPI controller
• DPI instance receives an aggregated pattern set from the DPI controller
• DPI instance scans incoming packets against the aggregated pattern set
• Each pattern & each MB has a unique ID
• Result: <MB ID> + <Pattern ID> + <Match Offset>
• Each packet may contain several pattern matches
• All pattern-match results are attached to the packet
[Figure: DPI instance output attached to a packet, e.g. MB: 1 ID: 139; Offset: 90 / MB: 2 ID: 14; Offset: 109 / MB: 3 ID: 723; Offset: 201 / MB: 4 ID: 221; Offset: 507 …]
Architecture Overview (SDN)
[Figure: the same topology showing the control messages: "hello" from each MB, Register Patterns (MB to DPI Controller), Add Patterns (DPI Controller to DPI instances DPI1/DPI2), Update Service Chain (DPI Controller to the SDN Controller's Traffic Steering)]
Passing Results
• Use a dedicated new header in the packet
• A common need of many network services
• Network Service Header (NSH) – IETF draft (Cisco's vPath)
Results header size:
• For security apps: mostly 0B (95% normal traffic)
• Upon match: 99% use less than 200B
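As an added example (my code, not the authors'), here is one way the <MB ID> + <Pattern ID> + <Match Offset> results described above could be serialised into a dedicated per-packet header and parsed again by the receiving middlebox. The byte layout is an assumption made for this example, not the NSH draft's actual format, and the sample match list mirrors the one shown on the slide. The encoder emits nothing when there is no match, which is the 0B case for the bulk of normal traffic.

```python
import struct

# Assumed wire layout, constructed for this example (NOT the NSH draft's TLVs):
# a 2-byte match count followed by one fixed-size entry per match:
# u16 MB ID, u32 pattern ID, u32 match offset (network byte order).
COUNT = struct.Struct("!H")
ENTRY = struct.Struct("!HII")  # 10 bytes per match

# Constructed sample mirroring the result list on the slide:
# (MB ID, pattern ID, match offset)
SAMPLE_MATCHES = [(1, 139, 90), (2, 14, 109), (3, 723, 201), (4, 221, 507)]


def encode_results(matches):
    """Serialise the DPI instance's results. No match means no header at all,
    which is what keeps the cost at 0 bytes for most normal traffic."""
    if not matches:
        return b""
    return COUNT.pack(len(matches)) + b"".join(ENTRY.pack(*m) for m in matches)


def decode_results(blob):
    """Parse the header a middlebox receives. A length that does not agree with
    the declared count is rejected instead of being read past the buffer."""
    if not blob:
        return []
    if len(blob) < COUNT.size:
        raise ValueError("truncated results header")
    (count,) = COUNT.unpack_from(blob, 0)
    if len(blob) != COUNT.size + count * ENTRY.size:
        raise ValueError("results header length does not match declared count")
    return [ENTRY.unpack_from(blob, COUNT.size + i * ENTRY.size)
            for i in range(count)]


def results_for(matches, mb_id):
    """Each MB in the chain keeps only the entries tagged with its own MB ID."""
    return [(pattern_id, offset) for m, pattern_id, offset in matches if m == mb_id]


if __name__ == "__main__":
    blob = encode_results(SAMPLE_MATCHES)
    print(len(blob), "bytes;", "MB 3 sees:", results_for(decode_results(blob), 3))
```

With 10 bytes per entry the 200B budget quoted on the slide corresponds to roughly 19 matches per packet; the exact figure depends on the layout chosen.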
Question: Are the DPI algorithms scalable?
Are DPI Algorithms Scalable?
• Yes, each input byte requires a single lookup regardless of the number of patterns!
• But: a lookup can be 1 memory access or 1 cache access
• Increasing the number of patterns may result in a moderate performance reduction
• The DPI service has a small penalty as compared to its advantages.
String Matching: Aho-Corasick Algorithm
• Build a Deterministic Finite Automaton (basic full-table variant)
• Example: {E, BE, BD, BCD, CDBCAB, BCAA}
• The head of the tree is in the cache (fast memory).
• More patterns – fewer levels of the tree are in the cache.
[Figure: Aho-Corasick DFA for the example pattern set, states s0–s14 with transitions labelled A, B, C, D, E; the upper levels of the tree are marked as residing in the cache]
Input: BCDBCAB
[Figure: states visited for the input BCDBCAB: s0, s12, s2, s5, s6, s9, s10, s11]
Pattern Set Aggregation
[Figure: MB 0 with Pattern Set 0 and MB 1 with Pattern Set 1 aggregated into one DFA; states are marked as belonging to pattern set 0, pattern set 1, or both sets]
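The following added example (mine, not the authors' implementation) ties together the DPI-instance slide, the Aho-Corasick slide and the aggregation shown above. The slide's pattern set {E, BE, BD, BCD, CDBCAB, BCAA} is split across two middleboxes with constructed MB and pattern IDs, merged into one full-table Aho-Corasick automaton the way a DPI controller would, and a single scan of the payload reports <MB ID> + <Pattern ID> + <Match Offset> for every pattern of every MB. The class and function names are my own; the offset reported is the position where the match starts.

```python
from collections import deque

# Constructed sample: the slide's pattern set split across two middleboxes.
# Pattern IDs are local to each MB; the DPI controller tags every pattern with
# (MB ID, pattern ID) when it aggregates the sets.
MB_PATTERN_SETS = {
    1: {1: b"E", 2: b"BE", 3: b"BD"},             # e.g. an IDS rule set
    2: {10: b"BCD", 11: b"CDBCAB", 12: b"BCAA"},  # e.g. an anti-virus set
}


class DpiInstance:
    """Aho-Corasick automaton in the basic full-table variant: after build()
    every state has a complete 256-entry transition row, so scanning costs
    exactly one table lookup per input byte regardless of the pattern count."""

    def __init__(self):
        self._trie = [{}]    # state -> {byte: child state} (goto edges only)
        self._out = [[]]     # state -> [(mb_id, pattern_id, pattern_length)]
        self._table = None   # filled by build(): state -> 256 next states

    def add_pattern(self, mb_id, pattern_id, pattern):
        if self._table is not None:
            raise RuntimeError("pattern set is frozen once build() has run")
        state = 0
        for byte in pattern:
            nxt = self._trie[state].get(byte)
            if nxt is None:
                nxt = len(self._trie)
                self._trie.append({})
                self._out.append([])
                self._trie[state][byte] = nxt
            state = nxt
        self._out[state].append((mb_id, pattern_id, len(pattern)))

    def build(self):
        """Compute failure links breadth-first and resolve them into the full
        transition table. Outputs along a state's failure chain are merged in,
        so a pattern that ends as the suffix of another is still reported."""
        n = len(self._trie)
        fail = [0] * n
        self._table = [[0] * 256 for _ in range(n)]
        queue = deque()
        for byte, child in self._trie[0].items():
            self._table[0][byte] = child
            queue.append(child)
        while queue:
            state = queue.popleft()
            self._out[state] = self._out[state] + self._out[fail[state]]
            for byte in range(256):
                child = self._trie[state].get(byte)
                if child is None:
                    self._table[state][byte] = self._table[fail[state]][byte]
                else:
                    fail[child] = self._table[fail[state]][byte]
                    self._table[state][byte] = child
                    queue.append(child)
        return n

    def num_states(self):
        return len(self._trie)

    def scan(self, payload):
        """Return [(mb_id, pattern_id, match_offset)] for every pattern of every
        MB found in payload, in the order the matches end."""
        if self._table is None:
            raise RuntimeError("call build() first")
        state, results = 0, []
        for end, byte in enumerate(payload):
            state = self._table[state][byte]   # the single lookup per byte
            for mb_id, pattern_id, length in self._out[state]:
                results.append((mb_id, pattern_id, end - length + 1))
        return results


def build_service(pattern_sets):
    """What the DPI controller does: merge every MB's set into one instance."""
    dpi = DpiInstance()
    for mb_id, patterns in pattern_sets.items():
        for pattern_id, pattern in patterns.items():
            dpi.add_pattern(mb_id, pattern_id, pattern)
    dpi.build()
    return dpi


if __name__ == "__main__":
    dpi = build_service(MB_PATTERN_SETS)
    print(dpi.num_states(), "states;", dpi.scan(b"BCDBCAB"))
```

The aggregated automaton has the same 15 states (s0–s14) as the slide's drawing of this pattern set, and the input BCDBCAB yields two matches, both belonging to MB 2; MB 1 simply ignores results that carry another MB's ID. Adding patterns grows the table (and pushes deeper levels out of the cache), but the per-byte work in scan() does not change.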
Regular Expressions Matching
• Are regular expression algorithms scalable? Yes.
• Solutions like DFA/NFA are not scalable with repetition operators (e.g. *)
  – May cause memory blowup / huge performance penalty
  – Not commonly implemented in MBs today
• The current common MB approach (e.g. Snort) is scalable. It implements a two-phase approach:
  1. String matching over all strings that appear in the combined set of regular expressions
  2. Running a single regular expression DFA
[Figure: example regular expression <\x21DOCTYPE\s+[^>]*SYSTEM[^>]*>.*\x2EparseError and the strings extracted from it: <\x21DOCTYPE, SYSTEM, \x2EparseError. Multi Regex Matching is replaced by Multi String Matching + Single Regex Matching]
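As an added example (mine, not Snort's or the authors' code), the two-phase approach from the previous slide applied to the regular expression shown in the figure: phase 1 is a multi-string scan for the literals that every match must contain, and phase 2 runs a rule's regular expression only when all of its literals were found. The literals are supplied by hand for each rule, which is an assumption of this example; the second rule and the sample payloads are constructed.

```python
import re

# Constructed rule set. Each regular expression is paired with the literal
# strings any match must contain (in Snort terms, the rule's content strings).
# Here the literals are listed by hand rather than extracted automatically.
RULES = [
    ("xml-doctype-system",
     rb"<\x21DOCTYPE\s+[^>]*SYSTEM[^>]*>.*\x2EparseError",
     [b"<!DOCTYPE", b"SYSTEM", b".parseError"]),
    ("ua-bot",                                   # constructed second rule
     rb"User-Agent:\s*Evil\w*Bot",
     [b"User-Agent:", b"Evil", b"Bot"]),
]


class TwoPhaseRegexMatcher:
    def __init__(self, rules):
        self._rules = [(name, re.compile(rx, re.DOTALL), anchors)
                       for name, rx, anchors in rules]
        # Phase-1 dictionary: the union of all literals over all rules.
        self._literals = sorted({lit for _, _, anchors in rules for lit in anchors})

    def match(self, payload):
        """Return (hits, regex_runs): hits is [(rule_name, match_start)] and
        regex_runs counts how many per-rule regular expressions had to run."""
        # Phase 1: multi-string matching over the payload. A DPI service would
        # use its Aho-Corasick engine here; plain substring search stands in
        # for it so that this example is self-contained.
        present = {lit for lit in self._literals if lit in payload}
        # Phase 2: a rule's regex runs only if all of its literals were seen.
        # Seeing the literals is necessary but not sufficient, so the regex
        # still decides.
        hits, regex_runs = [], 0
        for name, rx, anchors in self._rules:
            if not all(lit in present for lit in anchors):
                continue
            regex_runs += 1
            m = rx.search(payload)
            if m:
                hits.append((name, m.start()))
        return hits, regex_runs


if __name__ == "__main__":
    matcher = TwoPhaseRegexMatcher(RULES)
    print(matcher.match(b'<!DOCTYPE html SYSTEM "a.dtd">x.parseError'))
    print(matcher.match(b"GET / HTTP/1.1\r\n"))
```

For ordinary traffic that contains none of the literals no regular expression runs at all; a payload that contains the literals but not in the required shape (for example `<!DOCTYPE SYSTEM .parseError` without the closing `>`) costs one regex run and produces no hit.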
Other Middlebox Architectures
• MB Consolidation
  – [CoMb, NSDI 2012], [xOMB, ANCS 2012], [Crossbeam, 2012], [Kekely et al., Infocom 2014]
  – One box to rule them all (MBs)
  – Unified management & resource sharing
  – Our DPI as a service can also be combined inside an MB consolidation solution
• Outsourced MB (out-of-network)
  – [Gibb et al., HotSDN 2012], [Sherry et al., SIGCOMM 2012]
  – Latency is no longer an issue
  – DDoS mitigation – Prolexic (now part of Akamai)
  – Our DPI as a service can also be combined in an outsourced MB
[Figure: consolidated MBs (TS, L7 FW1, IDS1, AV1) on one hypervisor, each currently carrying its own DPI engine, versus a single shared DPI]
Experiments
Experiment: Proof of Concept
• POX SDN Controller (OpenFlow 1.0)
• Static steering mechanism
• Separate machines for DPI and Middlebox
• Toy middlebox applications: Snort, ClamAV
[Figure: virtual environment with Toy Snort1, Toy Snort2 and Toy ClamAV, a DPI Service Instance, and a DPI Controller with Static Steering running over the POX SDN Controller]
Virtual DPI Performance
[Figure: throughput [Mbps] vs. number of patterns]
• Running DPI as a virtual service has minor implications on performance
DPI on Combined Pattern Set
[Figure: throughput [Mbps] vs. total number of patterns]
• The throughput of the combined AC DFA is comparable to the original AC DFA
• The number of patterns has a moderate effect on the throughput
Performance Results
Service Chain with Two DPIs:
[Figure: two separate DPIs (IDS1 with DPI1 and AV1 with DPI2) versus DPI as a Service with combined DPI instances serving IDS1 and AV1, each using separate machines]
Latency traditional: 21.5us/p; latency DPI as a service: 13.8us/p
Superior Performance
[Figure: two separate IDSs (IDS1 with DPI1, IDS2 with DPI2) versus combined DPI instances (DPI as a Service) serving IDS1 and IDS2]
Dynamic Load Balancing
• Separate IDSs: static load balancing
• DPI as a Service: dynamic load balancing
[Figure: the same comparison, two separate IDSs (IDS1 with DPI1, IDS2 with DPI2) versus combined DPI instances (DPI as a Service)]
Vision & Future Work
MB Data Plane
Data plane tasks: each MB application performs more or less the same set of MB modules (in a pipeline).
• Wire speed
• Module: software (VM) or hardware (accelerator)
• Currently:
  – In many cases, companies use home-made modules → limited innovation
  – Common modules repeat in many MBs in the service chain → reduced throughput
[Figure: MB module pipeline: Packet Classification, Application Classification, Session Reconstruction, Decrypt/Decompress, Traffic Normalizer, DPI, Traffic Measurement]
Thin MB with MB Services
MB modules will be implemented as services in the network. Traffic travels between the services.
Example: DDoS protection, built from IP anti-spoofing, Packet Classification, DPI and Traffic Measurement
The control tasks:
• Configure the flow between MB modules
• Configure each of the MB modules
• Dynamic changes due to measurements
• Scale up and scale out of modules (orchestration)
[Figure: DDoS protection chain of IP anti-spoofing, Packet Classification, DPI, Traffic Measurement, with control actions "Filter ICMP", "X is an attacker", "Filter X"]
• Service chain optimization – use the same service one time in a service chain → improved performance
Innovation Enabler
• Lower entry barriers
  – If the modules are services, one can tailor a MB by using off-the-shelf modules
  – Cheaper MB HW/SW
• Richer functionality – companies will specialize in specific MB modules
• Simple MBs would be implemented by off-the-shelf services and switches
  – Enhance switch: use the DPI service to tag packets to drive policies in switches
  – Enhance MB: SDN switches can perform the packet classification module
Related Industry Solution: Qosmos
• Application-aware classification
  – The company (Qosmos) suggests an NFV service that classifies the traffic
    • Skype/IM/VoIP/FTP/Video/Social Networks…
[Figure: Application Classification module]
Anat Bremler-Barr, David Hay, Yotam Harchol, Yaron Koral
Thank You!!