
Experience at Auckland with SRL and NetFlowMet

Nevil Brownlee, The University of Auckland. Chicago IETF, August 1998.


Presentation Transcript


  1. Experience at Auckland with SRL and NetFlowMet. Nevil Brownlee, The University of Auckland. Chicago IETF, August 1998

  2. RTFM Architecture [diagram; labels: manager, meter, rule set, meter reader, network, analysis application]

  3. ICMP Smurf Attacks

  4. The University of Auckland

  5. Kawaihiko Network, August 97 [network diagram; labels: Test Meter, Internet, Cache, NZIX, Waikato, Auckland, Massey, Otago, Canterbury, Lincoln; numeric labels 512, 128, 256, 512, 128; nodes marked M and R]

  6. NetFlowMet Test Setup [diagram; labels: NetFlowMet, router, nifty, network]

  7. The University of Auckland

  8. NetFlowMet Summary
      • Provides access to traffic data from up to five Cisco routers
      • NetFlow sums packets and bytes - less work for NetFlowMet meter => higher metering capacity
      • NetFlow flows are uni-directional. NetFlowMet matches them up to give RTFM-style flow data
      • Time resolution for flows is determined by NetFlow. The algorithm used for sending out information from the NetFlow cache is not documented

  9. SRL: the language
      • A Language for Describing Traffic Flows and Specifying Actions for Flow Groups
      • For creating RTFM rulesets. Should also be useful for other work involving traffic flows
      • RTFM rulesets have three goals:
          • Decide whether or not a flow is of interest
          • Save values of requested attributes for flow
          • Specify direction for metered flows
      • High-level language takes away the need for users to understand the meter’s Packet Matching Engine (PME)

  10. Language Elements
      • Operands: value & mask or value / width
      • AND and OR expressions on operand lists
      • Compound statements in braces { }
      • IF-THEN-ELSE statement
      • Variables and Store statements
      • SAVE statements
      • COUNT, IGNORE, NOMATCH statements
      • SUBROUTINE statements
      • Simple DEFINEs (no parameters)

  11. Prog 1: Watch ICMP packets

      ```
      if SourcePeerType == IP && SourceTransType == ICMP save, {
         if SourceTransAddress == 0        # Echo reply
            store FlowKind := 'E';
         else if SourceTransAddress == 3   # Destination unreachable
            store FlowKind := 'U';
         ~ ~ ~
         else store FlowKind := '?';
         save SourceTransAddress;   # ICMP type
         save DestTransAddress;     # ICMP dest
         save SourcePeerAddress;
         save DestPeerAddress;
         count;
         }
      else ignore;  # Not an ICMP packet
      ```

  12. Prog 2: Watch Kawaihiko network

      ```
      define Waikato_B = 130.217/16, 163.7/16, 166.83/16;
      define Kawaihiko_B = Auckland_B, AIT_B, Waikato_B,
         Canterbury_B, Lincoln_B, Otago_B;

      if SourcePeerType == IP save;
      else ignore;
      if DestPeerAddress == (Kawaihiko_B) nomatch;
         # We want the Kawaihiko site as source
      if SourcePeerAddress == (Auckland_B)
         save, store FlowKind := 'A';
      else if SourcePeerAddress == (Otago_B)
         save, store FlowKind := 'O';
      else {
         save SourcePeerAddress;
         store FlowKind := '?';
         }
      save DestPeerAddress;
      count;
      ```

  13. Prog 3: Overlapping networks

      ```
      define test_nets =
         130.216/16, 130.216.7/24,     # overlapped
         130.216.9/20, 130.216.7/24;   # duplicate
      ```

      Compiler output:

      ```
      Nevil's SRL compiler, version 4.2b1
      16:36:44 Thu 13 Aug 1998: Compiling k5.srl
      k5.srl 17: if SourcePeerAddress == (test_nets) count;
      WARNING >>>> 130.216.9 & 255.255.240 value has bits not covered by mask
      WARNING >>>> 130.216.7 & 255.255.255 is duplicated in OR group
      WARNING >>>> 130.216 & 255.255 contains 130.216.9 & 255.255.240
      WARNING >>>> 130.216 & 255.255 contains 130.216.7 & 255.255.255
      WARNING >>>> 130.216.9 & 255.255.240 contains 130.216.7 & 255.255.255
      ```
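
An added example, not from the slides and not the srl compiler's own code: a Python sketch of the three checks behind the warnings above (value bits outside the mask, duplicate operands, one operand containing another), run over the `test_nets` operands from Prog 3. The function names and finding labels are hypothetical, and the operand syntax is assumed to be the `value / width` form with trailing zero octets omitted, as written on the slide.

```python
# Added illustration: overlap checks for an SRL OR group of value/width operands.
# Function names and finding labels are hypothetical, not taken from the srl compiler.

def parse_operand(text):
    """Turn 'value/width' (e.g. '130.216.9/20') into a 32-bit (value, mask) pair."""
    addr, width = text.split("/")
    octets = [int(o) for o in addr.split(".")]
    width = int(width)
    if not 1 <= len(octets) <= 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad address in {text!r}")
    if not 0 <= width <= 32:
        raise ValueError(f"bad width in {text!r}")
    octets += [0] * (4 - len(octets))    # the slide omits trailing zero octets
    value = int.from_bytes(bytes(octets), "big")
    mask = (0xFFFFFFFF << (32 - width)) & 0xFFFFFFFF
    return value, mask

def check_or_group(operands):
    """Return (kind, operand, other) findings for one OR group of address operands."""
    findings, unique = [], {}
    for text in operands:
        value, mask = parse_operand(text)
        if value & ~mask & 0xFFFFFFFF:   # host bits set: value is wider than its mask
            findings.append(("uncovered-bits", text, None))
        key = (value & mask, mask)       # compare operands after masking
        if key in unique:
            findings.append(("duplicate", text, None))
        else:
            unique[key] = text
    for (net_a, mask_a), text_a in unique.items():
        for (net_b, mask_b), text_b in unique.items():
            # a contains b: a's mask is strictly shorter and b's network falls inside a
            if mask_a != mask_b and mask_a & mask_b == mask_a and net_b & mask_a == net_a:
                findings.append(("contains", text_a, text_b))
    return findings

# Operands copied from the Prog 3 slide's test_nets define.
TEST_NETS = ["130.216/16", "130.216.7/24", "130.216.9/20", "130.216.7/24"]

if __name__ == "__main__":
    for kind, operand, other in check_or_group(TEST_NETS):
        print(kind, operand, other or "")
```

Run on `TEST_NETS`, it reports the same five conditions as the compiler output on the slide, though not necessarily in the same order.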

  14. SRL Summary
      • The compiler has been carefully tested. SRL programs are in production use at Auckland
      • It wasn’t difficult to translate old rulesets into SRL. The resulting SRL programs are a lot smaller and much easier to understand
      • The language seems well-suited to its immediate goals, i.e. for writing RTFM rulesets
      • Using DEFINEs is one good way to write ‘generic’ programs which can be easily converted for use in other people’s networks
      • srl (the compiler) is available with NeTraMet 4.2 ... everyone should use it!
