A Full Bandwidth ATM Firewall
Olivier Paul, Maryline Laurent, Sylvain Gombault
ENST de Bretagne, in collaboration with DRET and France Telecom R&D
Introduction
• ATM (Asynchronous Transfer Mode):
  • Specified to transport various kinds of flows.
  • Allows applications to request Quality of Service.
  • Connection oriented.
  • Data transported in small packets (cells).
  • High speed (155 Mb/s to 2.4 Gb/s).
• Usage:
  • Directly: some native ATM applications (ANS, VoD).
  • Indirectly: IP over ATM (IPOA, LANE, MPOA, MPLS), the most common use.
Which problems?
• Control the actions of private network users.
• Protect the public network from customers.
• Protect the private network from the outside.
(Diagram: the Firewall sits between the Private Network and the Public Network.)
Classification
(Diagram: inside the firewall, packets flow through Reassembly, Classification, Buffer, Access Control Process, Buffer and Fragmentation; classification takes the policy and the content of the packet and yields an action.)

Problems with this classical architecture:
• The classification process usually requires a lot of computing power: poor performance.
• The classification process is not aware of QoS requirements: QoS may not be respected.
• The whole architecture has to be able to deal with high throughputs; the PC architecture is currently not well suited to this task.
CARAT: Goals
• Security level similar to a stateless packet filter.
• Improved access control on ATM signalling.
• High speed: worst-case throughput = 620 Mb/s.
• QoS preservation: delay has to be small and bounded.
• Easy to manage.
Architecture
• Located between the public and private networks.
• Made of three modules:
  • Manager.
  • Signalling Filter.
  • Cell-Level Filter.
• Integrates with an existing switch:
  • Signalling flows are directed to the signalling filter.
  • User flows are directed to the cell-level filter.
Access Control Policy Description
• ATM-level access control policy.
• TCP/IP-level access control policy.
Example: authorize the workstation with address 220.127.116.11 to use external WWW servers:
1 : IF (IP SRC ADDRESS = 18.104.22.168) AND (IP DST ADDRESS > 0.0.0.0) AND (TCP SRC PORT > 1023) AND (TCP DST PORT = 80) THEN PERMIT.
2 : IF (IP SRC ADDRESS > 0.0.0.0) AND (IP DST ADDRESS = 22.214.171.124) AND (TCP SRC PORT = 80) AND (TCP DST PORT > 1023) AND (TCP FLAG = SYN) THEN DENY.
3 : IF (IP SRC ADDRESS > 0.0.0.0) AND (IP DST ADDRESS = 126.96.36.199) AND (TCP SRC PORT = 80) AND (TCP DST PORT > 1023) THEN PERMIT.
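The following is an added example, not code from the CARAT prototype: a small parser for the rule syntax used on the slide ("IF (FIELD op VALUE) AND ... THEN PERMIT/DENY") together with a first-match evaluator that applies the three rules to a packet the way a stateless packet filter would. The rule text is re-stated with one constructed workstation address (192.0.2.10) so that all three rules refer to the same host; the field names, operators and actions are the slide's. The `TCP FLAG = SYN` test is read as "the flag set is exactly SYN", i.e. a connection request, which is what lets rule 2 refuse inbound connection attempts from port 80 while rule 3 still admits the server's return traffic.

```python
# Added example (not from the CARAT slides): parse and evaluate the slide's rule language.
import re
from ipaddress import IPv4Address

# The slide's three rules, with a constructed workstation address (192.0.2.10).
RULE_TEXT = [
    "1 : IF (IP SRC ADDRESS = 192.0.2.10) AND (IP DST ADDRESS > 0.0.0.0) AND (TCP SRC PORT > 1023) AND (TCP DST PORT = 80) THEN PERMIT.",
    "2 : IF (IP SRC ADDRESS > 0.0.0.0) AND (IP DST ADDRESS = 192.0.2.10) AND (TCP SRC PORT = 80) AND (TCP DST PORT > 1023) AND (TCP FLAG = SYN) THEN DENY.",
    "3 : IF (IP SRC ADDRESS > 0.0.0.0) AND (IP DST ADDRESS = 192.0.2.10) AND (TCP SRC PORT = 80) AND (TCP DST PORT > 1023) THEN PERMIT.",
]

RULE_RE = re.compile(r"^\s*(\d+)\s*:\s*IF\s+(.*?)\s+THEN\s+(PERMIT|DENY)\.?\s*$", re.I)
COND_RE = re.compile(r"\(\s*([A-Za-z ]+?)\s*(=|>|<)\s*([^)\s]+)\s*\)")

# Slide field names -> packet attribute names used below.
FIELDS = {"IP SRC ADDRESS": "src", "IP DST ADDRESS": "dst",
          "TCP SRC PORT": "sport", "TCP DST PORT": "dport", "TCP FLAG": "flags"}

def _value(field, text):
    """Turn the textual operand into the type the packet attribute carries."""
    if field in ("src", "dst"):
        return IPv4Address(text)          # orderable, so "> 0.0.0.0" means "any address"
    if field == "flags":
        return text.upper()               # flag set written as "SYN" or "SYN,ACK"
    return int(text)

def parse_rule(line):
    """Return (number, [(field, op, value), ...], action) or raise ValueError."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    number, body, action = int(m.group(1)), m.group(2), m.group(3).upper()
    conds = []
    for part in re.split(r"\s+AND\s+", body):  # only AND is allowed between conditions
        c = COND_RE.fullmatch(part.strip())
        if not c:
            raise ValueError(f"unparsable condition: {part!r}")
        field = FIELDS[c.group(1).strip().upper()]
        conds.append((field, c.group(2), _value(field, c.group(3))))
    return number, conds, action

OPS = {"=": lambda a, b: a == b, ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def matches(conds, packet):
    return all(OPS[op](packet[field], value) for field, op, value in conds)

def classify(policy, packet, default="DENY"):
    """First matching rule wins; packets matching no rule get the default action."""
    for number, conds, action in policy:
        if matches(conds, packet):
            return number, action
    return None, default

def pkt(src, dst, sport, dport, flags):
    """Constructed packet summary: only the header fields the policy looks at."""
    return {"src": IPv4Address(src), "dst": IPv4Address(dst),
            "sport": sport, "dport": dport, "flags": flags}

POLICY = [parse_rule(line) for line in RULE_TEXT]
```

Because the filter is stateless, rule 3 has to admit every packet from port 80 that is not a bare SYN; that is exactly the security level the slides claim (a stateless packet filter), not a connection-tracking one.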
Splitting the Access Control Policy
(Diagram: the Security Officer writes a single A.C. Policy; the Manager splits it into a signalling A.C. policy for the Signalling Filter and a static TCP/IP policy for the Cell-Level Filter.)
The Signalling Filter
• Goal: improve the signalling access control parameters:
  • Addressing information.
  • QoS descriptors.
  • Service descriptors.
• Based on a SUN ATM signalling protocol stack.
• Modifications to the protocol stack.
• Filter (UNI 3.1 IE filtering capability).
Cell-Level Filter
• IFT (Internet Fast Translator) NICs:
  • Designed and manufactured by France Telecom R&D.
  • Mono-directional.
  • Made of two parts: an OC-12 (620 Mb/s) physical connector and a filtering process.
  • On-the-fly configuration modification.
• IFT driver.
• RPC daemon: remote configuration.
(Diagram: a Solaris PC hosting the IFT driver, the RPC daemon and two IFTs, each with its OC-12 physical connector and its filtering process.)
The Filtering Process
(Diagram: AAL5 frames enter the 1st Cell Extraction Process, which hands the first cell to the Analysis Automaton driven by the Trie Memory (static part and dynamic part); the decision returns through the interface to the IFT driver.)
• Cell extraction process: extracts the 1st cell of each AAL5 frame and propagates the A.C. decision to the relevant ATM cells.
What's inside the 1st cell?
(Diagram: an ATM cell is 53 bytes; its AAL5 payload carries, depending on the encapsulation, a SNAP/LLC header, then the IP header (possibly with options, or IPv6), then the TCP/UDP/ICMP header.)

Where can we find the useful information in ATM cells?
(Diagram: protocols used over ATM: native ATM applications and services, or TCP/UDP/ICMP over IP carried by LANE, MPOA, SNAP/LLC or NULL encapsulation over AAL5.)
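To make the two slides above concrete, here is an added example (not code from the CARAT prototype) that extracts the classification fields from the first 53-byte cell of an AAL5 frame and reports which of them physically fit inside it. It recognises the RFC 2684 LLC/SNAP encapsulation by its 8-byte prefix and otherwise assumes NULL (VC-multiplexed) encapsulation; the cell and header builders are constructed for the example, with HEC and checksums left at zero since only header fields are classified. The arithmetic is the point: 8 bytes of LLC/SNAP plus a 20-byte IPv4 header leave exactly 20 bytes of TCP header in the 48-byte payload, but IP options push the TCP flags into the second cell, and a 40-byte IPv6 header behind LLC/SNAP leaves no transport field at all, which is the "IP options and IPv6" problem the conclusion names.

```python
# Added example (not from the CARAT slides): which classification fields fit in the first cell?
import struct
from ipaddress import IPv4Address, IPv6Address

LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")   # RFC 2684 LLC/SNAP, EtherType 0x0800
LLC_SNAP_IPV6 = bytes.fromhex("aaaa0300000086dd")   # RFC 2684 LLC/SNAP, EtherType 0x86dd

def first_cell(vpi, vci, payload, last=False):
    """Constructed UNI cell: GFC=0, VPI(8), VCI(16), PTI bit 0 = last cell of the AAL5 frame,
    CLP=0, HEC left at zero.  Only the first 48 payload bytes of the frame fit."""
    hdr = (vpi << 20) | (vci << 4) | ((1 if last else 0) << 1)
    return struct.pack("!IB", hdr, 0) + payload[:48].ljust(48, b"\x00")

def parse_first_cell(cell):
    if len(cell) != 53:
        raise ValueError("an ATM cell is exactly 53 bytes")
    hdr = int.from_bytes(cell[:4], "big")
    info = {"vpi": (hdr >> 20) & 0xFF, "vci": (hdr >> 4) & 0xFFFF,
            "last_cell": bool((hdr >> 1) & 1)}
    payload = cell[5:]
    if payload[:8] in (LLC_SNAP_IPV4, LLC_SNAP_IPV6):
        info["encaps"], ip = "LLC/SNAP", payload[8:]
    else:
        info["encaps"], ip = "NULL", payload        # VC-multiplexed: IP header at payload byte 0
    version = ip[0] >> 4
    if version == 4:
        l4_offset = (ip[0] & 0x0F) * 4              # IHL: 20 bytes without options, up to 60 with
        info.update(ip_version=4, proto=ip[9],
                    src=str(IPv4Address(ip[12:16])), dst=str(IPv4Address(ip[16:20])))
    elif version == 6:
        l4_offset = 40                              # fixed IPv6 header; extension headers ignored here
        info.update(ip_version=6, proto=ip[6],
                    src=str(IPv6Address(ip[8:24])), dst=str(IPv6Address(ip[24:40])))
    else:
        info["status"] = "unknown IP version"
        return info
    l4 = ip[l4_offset:]                             # whatever of the transport header is in this cell
    if len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    if info["proto"] == 6 and len(l4) >= 14:
        info["tcp_flags"] = l4[13]                  # needed for the "TCP FLAG = SYN" rules
    needed = ["sport", "dport"] + (["tcp_flags"] if info["proto"] == 6 else [])
    info["status"] = "complete" if all(f in info for f in needed) else "transport fields beyond the first cell"
    return info

def ipv4_tcp(src, dst, sport, dport, flags, options=b""):
    """Constructed IPv4 + TCP headers (checksums zero: only header fields are classified)."""
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 40 + len(options), 0, 0x4000, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed) + options
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

def ipv6_tcp(src, dst, sport, dport, flags):
    """Constructed IPv6 + TCP headers."""
    ip = struct.pack("!IHBB16s16s", 6 << 28, 20, 6, 64,
                     IPv6Address(src).packed, IPv6Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

SYN = 0x02
```

A defender sizing such a filter can use the `status` field directly: any frame whose decisive fields are not in the first cell cannot be classified by a first-cell automaton and needs either a deeper analysis window (the 255-byte analysis mentioned under Future) or a conservative default.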
Linking ATM Connections to the TCP/IP Access Control Policy
• Connection establishment: the Signalling Filter reports the new connection (encaps, vpi, vci) to the Manager, which adds the (encaps, vpi, vci) entry to the dynamic part of the A.C. policy in the Cell-Level Filter.
• Connection shutdown: the Signalling Filter reports the shutdown (vpi, vci) to the Manager, which clears the (vpi, vci) entry in the Cell-Level Filter.
The Filtering Process (details)
• 1st Cell Extraction Process: extracts the 1st cell of the AAL5 frames; propagates the A.C. decision to the relevant ATM cells.
• Analysis Automaton: driven by the Trie Memory content.
• Trie Memory, two parts:
  • Dynamic, small: VPI/VCI, encapsulation.
  • Static, big: all other fields.
  • Memory size: 4 MB.
• Interface to the IFT driver.
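The two mechanisms described on the last three slides, the dynamic (vpi, vci) to encapsulation table maintained by the Manager and the propagation of the first-cell decision to every cell of the same AAL5 frame, are modelled in the following added example (not code from the CARAT prototype). Cells on a VC that was never signalled are dropped; the first cell of a frame on a known VC is classified once, and the resulting decision is applied to the following cells until the PTI end-of-frame bit clears it. The sample classifier `permit_www_only` is a stand-in for the analysis automaton: a fixed-offset check that assumes LLC/SNAP plus an IPv4 header without options, and the cell builders are constructed for the example.

```python
# Added example (not from the CARAT slides): cell-level filter with a dynamic VC table
# and per-frame propagation of the first-cell decision.
import struct

class CellLevelFilter:
    def __init__(self, classify_first_cell):
        self.classify = classify_first_cell     # (encaps, 48-byte payload) -> "PERMIT" | "DENY"
        self.connections = {}                   # dynamic part: (vpi, vci) -> encapsulation
        self.in_frame = {}                      # (vpi, vci) -> decision in force for the current frame

    # Manager side: driven by what the signalling filter reports.
    def connection_established(self, vpi, vci, encaps):
        self.connections[(vpi, vci)] = encaps
        self.in_frame.pop((vpi, vci), None)     # a fresh VC starts with no pending frame

    def connection_cleared(self, vpi, vci):
        self.connections.pop((vpi, vci), None)
        self.in_frame.pop((vpi, vci), None)

    # Data side: one call per cell, in arrival order, frames of different VCs may interleave.
    def filter_cell(self, cell):
        hdr = int.from_bytes(cell[:4], "big")
        key = ((hdr >> 20) & 0xFF, (hdr >> 4) & 0xFFFF)
        last = bool((hdr >> 1) & 1)             # PTI bit 0: last cell of the AAL5 frame
        encaps = self.connections.get(key)
        if encaps is None:
            return "DENY"                       # no signalled connection on this VC
        if key not in self.in_frame:            # first cell of a frame: classify it once
            self.in_frame[key] = self.classify(encaps, cell[5:])
        decision = self.in_frame[key]
        if last:
            del self.in_frame[key]              # the next cell on this VC starts a new frame
        return decision

def permit_www_only(encaps, payload):
    """Stand-in for the analysis automaton: with LLC/SNAP (8 bytes) and an option-less IPv4
    header (20 bytes), the TCP destination port sits at payload bytes 30..31."""
    if encaps != "LLC/SNAP":
        return "DENY"
    dport = struct.unpack("!H", payload[30:32])[0]
    return "PERMIT" if dport == 80 else "DENY"

def make_cell(vpi, vci, payload=b"", last=False):
    """Constructed 53-byte UNI cell (GFC=0, CLP=0, HEC left at zero)."""
    hdr = (vpi << 20) | (vci << 4) | ((1 if last else 0) << 1)
    return struct.pack("!IB", hdr, 0) + payload[:48].ljust(48, b"\x00")

def first_cell_payload(dport, sport=40000):
    """Constructed first-cell payload: LLC/SNAP + minimal IPv4 header (proto 6) + TCP ports."""
    ipv4 = bytes([0x45]) + bytes(8) + bytes([6]) + bytes(10)
    return bytes.fromhex("aaaa030000000800") + ipv4 + struct.pack("!HH", sport, dport)
```

The per-VC `in_frame` state is what keeps the decision consistent when frames from several VCs are interleaved on the link, and clearing it on connection shutdown avoids applying a stale decision to a VC that is later re-assigned by signalling.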
Classification Algorithm
• Classification algorithm = content of the Trie Memory: it has to run on the Trie Memory.
• Existing deterministic classification algorithms:
  • Algorithms for static policies:
    • Fast.
    • Take advantage of access control policy redundancies.
    • Unbounded temporal and spatial complexities.
    • Generation and update of the classification structure are slow.
  • Algorithms for dynamic policies:
    • Comparatively slow.
    • Bounded temporal and spatial complexities.
    • Bounded complexities for generation and update of the classification structure.
Trie Memory Configuration: Static Part
• Complexities of the classification algorithm <=> height and size of the classification structure stored in the trie memory.
• We have developed algorithms able to build a classification structure with:
  • Temporal complexity: O(d). Good: independent of the number of rules.
  • Max. spatial complexity: O((2n+1)^d). Unusable for d = 4 and n = 50.
  • d: number of fields to analyse; n: number of rules in the policy.
• HOWEVER! In practice we succeed in implementing large policies by taking advantage of:
  • The redundancy in the expression of A.C. policies.
  • The ability of the Trie Memory to use this redundancy to minimise the memory needed to store the policy.
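The complexity figures on this slide follow from one construction, shown here as an added example that is not the CARAT algorithm itself: for each field in turn, cut the field's value space at every rule boundary (n rules give at most 2n+2 cut points, so at most 2n+1 elementary intervals), attach a child per interval that is built from the rules still covering that interval, and decide at the last level by the first remaining rule. A lookup then visits one node per field, O(d), while the unshared tree has up to (2n+1)^d nodes. Identical subtrees are stored once, which is how the redundancy in a policy (many rules sharing "any address", the same port range, and so on) shrinks the stored structure. The rules are the slide's three rules as closed ranges over (src, dst, sport, dport, SYN-only flag), with a constructed workstation address; `linear_first_match` is only a cross-check.

```python
# Added example (not from the CARAT slides): decision trie over elementary intervals.
import bisect
from ipaddress import IPv4Address

def ip(s):
    return int(IPv4Address(s))

# Field order: src address, dst address, src port, dst port, SYN-only flag (0/1).
BOUNDS = [(0, 2**32 - 1), (0, 2**32 - 1), (0, 65535), (0, 65535), (0, 1)]
ANY_ADDR, ANY_PORT, ANY_FLAG = (0, 2**32 - 1), (0, 65535), (0, 1)
WS = ip("192.0.2.10")        # constructed workstation address standing in for the slide's

# The slide's three rules, first match wins; every field is a closed [lo, hi] range.
RULES = [
    (((WS, WS), ANY_ADDR, (1024, 65535), (80, 80), ANY_FLAG), "PERMIT"),
    ((ANY_ADDR, (WS, WS), (80, 80), (1024, 65535), (1, 1)), "DENY"),
    ((ANY_ADDR, (WS, WS), (80, 80), (1024, 65535), ANY_FLAG), "PERMIT"),
]

class TrieClassifier:
    def __init__(self, rules, bounds, default="DENY"):
        self.bounds, self.default = bounds, default
        self.nodes = []      # node id -> (cut points, child ids) or ("leaf", action)
        self.memo = {}       # structural key -> node id: identical subtrees are stored once
        self.built = 0       # nodes the tree would have without sharing
        self.root = self._build(0, rules)

    def _intern(self, key, node):
        self.built += 1
        if key not in self.memo:
            self.memo[key] = len(self.nodes)
            self.nodes.append(node)
        return self.memo[key]

    def _build(self, k, rules):
        if k == len(self.bounds):                        # all fields consumed: first remaining rule decides
            action = rules[0][1] if rules else self.default
            return self._intern(("leaf", action), ("leaf", action))
        lo_b, hi_b = self.bounds[k]
        # Elementary intervals of field k: cut at every rule boundary (at most 2n+1 intervals).
        pts = sorted({lo_b, hi_b + 1} | {r[0][k][0] for r in rules} | {r[0][k][1] + 1 for r in rules})
        children = []
        for lo, nxt in zip(pts, pts[1:]):                # interval [lo, nxt - 1]
            covering = [r for r in rules if r[0][k][0] <= lo and nxt - 1 <= r[0][k][1]]
            children.append(self._build(k + 1, covering))
        cuts = pts[1:-1]
        return self._intern((k, tuple(cuts), tuple(children)), (cuts, children))

    def classify(self, values):
        """One node per field: O(d) steps, whatever the number of rules."""
        node = self.root
        for v in values:
            cuts, children = self.nodes[node]
            node = children[bisect.bisect_right(cuts, v)]
        return self.nodes[node][1]

def linear_first_match(rules, values, default="DENY"):
    """Reference evaluator used to cross-check the trie."""
    for ranges, action in rules:
        if all(lo <= v <= hi for (lo, hi), v in zip(ranges, values)):
            return action
    return default
```

Comparing `built` with `len(nodes)` on a real policy gives a quick measure of how much the redundancy argument on the slide buys for that policy; the hardware trie memory plays the role of the shared node store here.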
Trie Memory Configuration: Standing the Load?
• Practical example: analysis of 9 fields, using a 15 ns analysis cycle.
• Min. classification capability: 1.31 Mcells/s x 53 bytes x 8 bits = 555 Mb/s.
• Max. throughput to classify: OC-12 physical throughput minus physical-layer overhead (26/27): 620 x 26/27 = 599 Mb/s.
• Min. classification capability < max. throughput to classify, so a buffer (8192 bytes) absorbs the difference; max. delay = 120 µs.
Conclusion
• Security: similar to a stateless packet filter.
• Good performance:
  • High speed (577 Mb/s) and small delay (< 120 µs).
  • Throughput and delay do not depend on the policy or on packet sizes.
• Improved ATM signalling access control: almost all the information provided by signalling IEs can be used.
• Easy to manage: single access control policy definition language.
• However, some problems remain to be solved: IP options and IPv6.
Future
• Possible evolutions for our prototype:
  • Tests in real networks.
  • Translators for popular router filtering languages.
  • Classification algorithm improvements.
• Possible evolutions for the IFTs:
  • IP version (without ATM support).
  • New physical connector (1 Gb/s).
  • In-depth analysis (255 bytes).
  • New tools to improve classification algorithms.
• Question: can we still take advantage of rule redundancy with application-level policies?