Title: Using XML for Efficient and Modular Packet Processing
1 Using XML for Efficient and Modular Packet Processing
- Mario Baldi and Fulvio Risso, Politecnico di Torino, Italy
- Contact: Fulvio Risso (fulvio.risso_at_polito.it)
2 Introduction
- Several applications need to know the format of protocol headers and do some processing on them
  - Packet Capture: capture packets whose IP source is 10.1.1.1
  - Intrusion Detection (IDS): raise an alert when a packet with TOS != 0 is encountered
  - Firewall: permit only traffic from IP source 10.0.0.0/24
  - NAT: replace the content of the IP source and IP destination fields
- All of them rely on the same header layout, e.g. the IPv4 format: Version (4 bits), Header Length (4 bits), TOS (8 bits), Total Length (16 bits), Identification (16 bits), ...
3 The problem
- Many different protocol descriptions
  - Each application has its own database
  - We need to update all applications to support a new protocol
- Each application has its own naming space
  - The same field may be ip.source, or ip source, or ip src, ...
- Protocol descriptions are embedded in the application code
  - We cannot dynamically update the database in order to support a new protocol
  - What if a new security exploit cannot be filtered because the protocol definition is missing?
4 The Solution
Figure: a layered architecture. At the top, the applications (NAT, Firewall, IDS, Traffic Monitor, L4/7 Switches, Access List, L3 forwarding, Packet Capture, Protocol Visualizers, ...). Below them, the NetBee Library of shared processing components (Packet Filter, Packet Decoder, Stream Reassembler, Traffic statistics, Packet Fields Extractor, ...), all driven by the NetPDL Protocol database. Applications and components talk through Standard Data Exchange Formats.
(1) Shared components for modular packet processing
(2) Shared protocol database
5 NetPDL
- Language for describing protocol headers
- Simple and intuitive
- XML-based
  - C structures cannot be extended
  - Simplified parsing
- Support for most of the TCP/IP protocols
  - also tough protocols (IPv6 and extension headers, etc.)
6 NetPDL example

    <protocol name="Ethernet" longname="Ethernet 802.3">
      <!-- Header format -->
      <format>
        <fields>
          <field type="fixed" name="dst" longname="MAC Dest." size="6"/>
          <field type="fixed" name="src" longname="MAC Source" size="6"/>
          <field type="fixed" name="type" longname="Ethertype" size="2"/>
        </fields>
      </format>
      <!-- Protocol encapsulation -->
      <encapsulation>
        <switch expr="type">
          <case value="0x800"> <protoref name="IP"/> </case>
          <case value="0x806"> <protoref name="ARP"/> </case>
        </switch>
      </encapsulation>
    </protocol>
7 NetPDL fields
8 Conditional Elements
- NetPDL defines mathematical and string expressions
- Several conditional elements (if-then-else, switch-case, loop, presentif)

    <protocol name="ip" longname="IPv4 (Internet Protocol version 4)">
      <format>
        <fields>
          . . .
          <loop type="size" expr="(hlen * 4) - 20">
            <switch expr="$packet[$currentoffset:1] bitwand 0x1F">
              <case value="0"> <includeblk name="EndOfOptL"/> </case>
              <case value="1"> <includeblk name="NoOperation"/> </case>
              <case value="2"> <includeblk name="SecOption"/> </case>
              <case value="3"> <includeblk name="SourceRouting"/> </case>
              <default> <includeblk name="IP_OPT_UNK"/> </default>
            </switch>
          </loop>
        </block>
        . . .
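The loop above walks the IPv4 options area one option at a time, dispatching on the low five bits of the current byte. What the slide does not show is what a decoder must check while doing so: the option length byte is attacker-controlled, so a length of zero (or one) would stop the offset from advancing and a length larger than the remaining header would read past it. The following walker is an added example written for this page, not NetBee code; it follows the slide's block names and option numbers, and its input headers are constructed inline.

```python
"""Added example (not NetBee code): the IPv4 options walk expressed by the slide's
<loop type="size"> + <switch>, written out with the bounds checks a decoder needs.
Block names and option numbers are the slide's; the headers below are constructed."""

OPTION_NAMES = {0: "EndOfOptL", 1: "NoOperation", 2: "SecOption", 3: "SourceRouting"}


class MalformedOptions(ValueError):
    """Raised when the options area is inconsistent with the header length."""


def walk_ip_options(header):
    """Return [(block_name, option_number, option_data), ...] for an IPv4 header.
    `header` is the raw header, starting at the version/IHL byte."""
    hlen = (header[0] & 0x0F) * 4                     # IHL is in 32-bit words
    if hlen < 20 or hlen > len(header):
        raise MalformedOptions("header length %d vs %d bytes available" % (hlen, len(header)))
    off, end, out = 20, hlen, []
    while off < end:                                  # loop type="size" expr="(hlen * 4) - 20"
        number = header[off] & 0x1F                   # $packet[$currentoffset:1] bitwand 0x1F
        name = OPTION_NAMES.get(number, "IP_OPT_UNK")  # the <default> case
        if number in (0, 1):                          # EOL and NOP are single-byte options
            out.append((name, number, b""))
            off += 1
            continue
        # Every other option is TLV. The length byte must be >= 2, otherwise the
        # loop would never advance, and the option must stay inside the header.
        if off + 1 >= end:
            raise MalformedOptions("option %d at offset %d has no length byte" % (number, off))
        length = header[off + 1]
        if length < 2 or off + length > end:
            raise MalformedOptions("option %d length %d at offset %d out of range"
                                   % (number, length, off))
        out.append((name, number, bytes(header[off + 2:off + length])))
        off += length
    return out


# Constructed headers with IHL = 7 (8 option bytes): NOP + LSRR of length 7; an
# option whose length byte is 0, which would hang a naive walker; and an unknown
# option (number 20, router alert) followed by EOL padding.
BASE = "4700002800010000400600000a0101010a000005"
HDR_OK = bytes.fromhex(BASE + "01" "830704" "0a000001")
HDR_ZERO_LEN = bytes.fromhex(BASE + "01" "8300" "0000000000")
HDR_UNKNOWN = bytes.fromhex(BASE + "01" "94040000" "000000")

if __name__ == "__main__":
    print(walk_ip_options(HDR_OK))
    try:
        walk_ip_options(HDR_ZERO_LEN)
    except MalformedOptions as e:
        print("rejected:", e)
```

The same two checks (length never less than 2, and never past the size the loop was given) apply to any NetPDL loop over a TLV area, not only IPv4 options; an interpreter of the description has to enforce them on behalf of every description it loads.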
9 NetPDL expressions
10 Extensibility: Visualization Extensions

    <protocol name="Ethernet" longname="Ethernet 802.3" showsumtemplate="ethernet">
      <!-- showsumtemplate refers to the <showsumtemplate> defined in <visualization> below -->
      <format>
        <fields>
          <field type="fixed" name="dst" longname="MAC Destination" size="6" showtemplate="EthMAC"/>
          <field type="fixed" name="src" longname="MAC Source" size="6" showtemplate="EthMAC"/>
          <field type="fixed" name="type" longname="Ethertype" size="2" showtemplate="FieldHex"/>
        </fields>
        ...
      <visualization>
        <showtemplate name="FieldHex" showtype="hex"/>
        <showtemplate name="EthMAC" showtype="hex" showgrp="3" showsep="-"/>
        <showsumtemplate name="ethernet">
          <section name="next"/>
          <text value="Eth "/>
          <protofield name="src" attrib="show"/>
          <text value=" > "/>
          <protofield name="dst" attrib="show"/>
        </showsumtemplate>
      </visualization>
    </protocol>
11 NetPDL: Missing pieces
- Highly structured fields (e.g. mail addresses)
- Support for stream-based protocols
  - Currently more an implementation issue
- Processing based on run-time information
  - e.g. the port of an FTP data session
- Protocol state machine
  - Out of scope
12 NetPDL and applications
- Programmers write generic code that performs its processing through the protocol database
- Processing code is no longer bound to a custom set of protocols

    /* Hard-coded offsets, IPv4 only: Ethertype at offset 12, IPv4 Protocol field at offset 23 */
    if ((packet[12] == 0x800) && (packet[23] == 6))
        /* TCP packet */
    else
        /* Non TCP packet */

    /* Database-driven: the same test, independent of which protocols sit below TCP */
    if (Packet.Contains(tcp))
        /* TCP packet */
    else
        /* Non TCP packet */

    /* Hard-coded offsets, IPv4 and IPv6 (Next Header at offset 20): every new protocol changes the code */
    if (((packet[12] == 0x800) && (packet[23] == 6)) ||
        ((packet[12] == 0x86dd) && (packet[20] == 6)))
        /* TCP packet */
    else
        /* Non TCP packet */
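To make the contrast concrete, here is an added example, written for this page and not taken from NetBee, of what "generic code driven by the protocol database" looks like: a small interpreter that reads a description in a simplified NetPDL-like XML dialect (field sizes in bits, a `sizeexpr` for variable-length fields, and the `<encapsulation><switch>` of slide 6; this dialect is an assumption of the example, not the real NetPDL grammar) and walks a frame through Ethernet, IPv4 or IPv6, and TCP. Adding IPv6 is a change to the database string, not to the decoder, and the decoder bounds-checks every field against the captured buffer so a header that lies about its length (IHL below 5, or a truncated capture) is rejected instead of read past. The frames are constructed inline.

```python
"""Added example (not NetBee code): a description-driven decoder in the spirit of
NetPDL. The XML dialect below is a simplified one invented for this example: field
sizes are in bits, variable-length fields carry a sizeexpr, and <encapsulation>
holds a <switch> as on slide 6. The frames at the bottom are constructed samples."""
import ast
import operator
import xml.etree.ElementTree as ET

PROTOCOL_DB = """<netpdl>
<protocol name="Ethernet"><format>
 <field name="dst" size="48"/><field name="src" size="48"/><field name="type" size="16"/>
</format><encapsulation><switch expr="type">
 <case value="0x800"><protoref name="IP"/></case>
 <case value="0x86dd"><protoref name="IPv6"/></case>
</switch></encapsulation></protocol>
<protocol name="IP"><format>
 <field name="ver" size="4"/><field name="hlen" size="4"/><field name="tos" size="8"/>
 <field name="tlen" size="16"/><field name="id_frag_ttl" size="40"/><field name="proto" size="8"/>
 <field name="csum" size="16"/><field name="src" size="32"/><field name="dst" size="32"/>
 <field name="options" sizeexpr="(hlen * 4 - 20) * 8"/>
</format><encapsulation><switch expr="proto">
 <case value="6"><protoref name="TCP"/></case>
</switch></encapsulation></protocol>
<protocol name="IPv6"><format>
 <field name="ver" size="4"/><field name="tclass_flow" size="28"/><field name="plen" size="16"/>
 <field name="nexthdr" size="8"/><field name="hlim" size="8"/><field name="src" size="128"/>
 <field name="dst" size="128"/>
</format><encapsulation><switch expr="nexthdr">
 <case value="6"><protoref name="TCP"/></case>
</switch></encapsulation></protocol>
<protocol name="TCP"><format>
 <field name="sport" size="16"/><field name="dport" size="16"/>
</format></protocol>
</netpdl>"""

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.BitAnd: operator.and_}


class DecodeError(ValueError):
    """The packet does not contain what the description promises."""


def eval_expr(expr, fields):
    """Evaluate a NetPDL-style arithmetic expression over already decoded fields.
    Only + - * bitwand, integer literals and field names are accepted, so a hostile
    protocol description cannot run arbitrary code (no eval())."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.Name):
            return fields[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("unsupported expression: %r" % expr)
    return walk(ast.parse(expr.replace("bitwand", "&"), mode="eval"))


def read_bits(data, bit, size):
    """Big-endian unsigned integer of `size` bits starting at bit offset `bit`."""
    if size == 0:
        return 0
    first, last = bit // 8, (bit + size - 1) // 8
    chunk = int.from_bytes(data[first:last + 1], "big")
    return (chunk >> ((last + 1) * 8 - bit - size)) & ((1 << size) - 1)


def next_proto(proto_el, fields):
    """Resolve the protocol's <encapsulation><switch>; None ends the chain."""
    sw = proto_el.find("encapsulation/switch")
    if sw is None:
        return None
    value = eval_expr(sw.get("expr"), fields)
    for case in sw.findall("case"):
        if int(case.get("value"), 0) == value:
            return case.find("protoref").get("name")
    return None


def decode(packet, db_xml=PROTOCOL_DB, first="Ethernet"):
    """Walk `packet` through the chain described by `db_xml`.
    Returns [(name, offset_bytes, size_bytes, {field: value}), ...]."""
    db = {p.get("name"): p for p in ET.fromstring(db_xml).findall("protocol")}
    total_bits, layers, proto, bit = len(packet) * 8, [], first, 0
    while proto:
        start, fields = bit, {}
        for f in db[proto].find("format"):
            size = int(f.get("size")) if f.get("size") else eval_expr(f.get("sizeexpr"), fields)
            # Bounds-check every field against the captured buffer: a negative size
            # means the header claims less than its fixed part (IHL < 5), an overrun
            # means a truncated or lying packet. Header lengths are never trusted.
            if size < 0 or bit + size > total_bits:
                raise DecodeError("%s.%s needs %d bits at bit %d, packet has %d"
                                  % (proto, f.get("name"), size, bit, total_bits))
            fields[f.get("name")] = read_bits(packet, bit, size)
            bit += size
        layers.append((proto, start // 8, (bit - start) // 8, fields))
        proto = next_proto(db[proto], fields)
    return layers


def contains(packet, name):
    """The generic Packet.Contains(tcp) test of the slide, driven by the database."""
    return any(layer[0] == name for layer in decode(packet))


def eth_frame(ethertype, payload):
    return bytes.fromhex("001122334455" "66778899aabb") + ethertype.to_bytes(2, "big") + payload


# Constructed samples: IPv4/TCP 10.1.1.1 -> 10.0.0.5 ports 80 -> 8080, the same TCP
# header over IPv6 2001:db8::1 -> 2001:db8::2, and an IPv4 header claiming IHL = 3.
IPV4_TCP = eth_frame(0x0800, bytes.fromhex("4500002800010000400600000a0101010a00000500501f90"))
IPV6_TCP = eth_frame(0x86DD, bytes.fromhex("6000000000140640" "20010db8000000000000000000000001"
                                           "20010db8000000000000000000000002" "00501f90"))
BAD_HLEN = eth_frame(0x0800, bytes.fromhex("4300002800010000400600000a0101010a00000500501f90"))

if __name__ == "__main__":
    for name, off, size, _ in decode(IPV6_TCP):    # the loop of the next slide, data-driven
        print("Protocol %s size %d, offset %d" % (name, size, off))
```

The expression evaluator is the part worth copying: a protocol database is input, and if it can come from outside the application (which is the whole point of sharing it), its expressions must be interpreted by a restricted walker, never handed to the host language's `eval`.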
13 NetPDL and applications: example

    while (1)
    {
        // Read packet from file or network
        Res = PacketSource->Read(PacketHeader, PacketData);
        if (Res == nbFAILURE)
            break;

        // Decode packet
        Decoder->DecodePacket(DataLinkCode, PacketCounter, PacketHeader, PacketData);

        // Get the current decoded packet
        PDMLReader->GetCurrentPacket(&Packet);

        // Print some global information about the packet
        printf("Total length %d\n", Packet->Length);

        // Retrieve the 1st protocol contained in the packet
        Proto = Packet->FirstProto;

        // Scan the current packet and print the most relevant data contained in each proto
        while (Proto)
        {
            printf("Protocol %s size %d, offset %d\n", Proto->LongName, Proto->Size, Proto->Position);
            Proto = Proto->NextProto;
        }
    }
14 NetPDL and performance issues
- NetPDL is a language
  - Processing speed is not determined by the language, but by the implementation of the code that uses it
- Native C code can also be generated from NetPDL descriptions
15 Questions?