Enable Deep Packet Inspection and Policy Control with the QorIQ P4080 Processor
FTF-NET-F0424

Sam Siu, Systems and Applications Engineer
June, 2010

Freescale, the Freescale logo are trademarks of Freescale Semiconductor, Inc., Reg. U.S. Pat. & Tm. Off. CoreNet and QorIQ are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. The Power Architecture and Power.org word marks and the Power and Power.org logos and related marks are trademarks and service marks licensed by Power.org. © 2010 Freescale Semiconductor, Inc.



Agenda

►Policy Control and Deep Packet Inspection

►QorIQ Data Path Acceleration Architecture (DPAA) accelerates Policy Control and Deep Packet Inspection


Policy Control and Deep Packet Inspection


What is Policy Control?

►Policy control and management tools, including Deep Packet Inspection (DPI), enable mobile network operators to:

• Provision the network
• Charge based on usage and service level

►Policy control is vital for mobile operators to successfully harness next-generation networks and deliver services that meet the growing needs of subscribers and applications

• Must be able to handle and prioritize all traffic types: Voice, VoIP, Video, IPTV, Web surfing, Email, Instant Messenger

►Architectures like 3GPP Evolved Packet Core imply a new role for policy and DPI tools that will place them right at the heart of the wireless network

►Policy Control requires a Policy Management Server and a Policy Enforcement server

• Optionally, one can implement a Charging Server to track bandwidth consumption

Presenter notes:
Source: http://finance.yahoo.com/news/Verizon-Wireless-Deploys-iw-1413547196.html?x=0&.v=1

"Policy control is vital for us to successfully harness LTE and deliver services that meet the growing needs of our subscribers and their applications," said Tony Melone, chief technical officer for Verizon Wireless. "Every day, Camiant is demonstrating their policy control capabilities, and we look forward to having them play an important role in realizing our vision of the nation's best 4G LTE network."

"Verizon Wireless is making the promise of LTE a reality," said Susie Kim Riley, Camiant founder and chief technical officer. "We are honored that Verizon Wireless has selected Camiant as a key vendor partner in the building of an unparalleled mobile infrastructure for the delivery of next generation services and applications."

Verizon Wireless' LTE rollout plan positions the company to be a global leader in 4G LTE deployment, and it is on track to deliver the nation's first 4G LTE network to customers in 25 to 30 markets, covering roughly 100 million people by year's end.


Why Policy Control and Deep Packet Inspection?

►You cannot manage what you do not measure

►It’s all about choice and delivery of the choice

• Apply per subscriber
• Apply per application

►There is nothing new in Policy Control

►DPI is a policy enforcement point, nothing more


Deploy Deep Packet Inspection and Policy Control

► DPI enables companies to:
• Understand the network traffic and pattern
• Gather business intelligence
• Identify trends and adapt to those trends

► Policy Control enables:
• A smarter pipe requires fine-tuned network controls
• Control and manage growing usage
• Fair usage to all network users


[Figure: DPI inspection point in the mobile data path (image not reproduced). Chain shown: Smart Phone, RNC (3G), SGSN, PDN GW, DPI Inspection, Web. Classification information shown against the OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical): Packet Network five tuple (protocol TCP or UDP, source and destination port, source and destination IP address); Application Protocol (http, BT, VoIP, IPTV); IP address and MAC address. Example flows inspected: 192.168.1.1:80 TCP 10.10.10.100:16734; 192.168.1.1:25 TCP 10.10.10.100:17784; 192.168.1.1:1863 TCP 10.10.10.100:16855.]

Presenter notes:
Source: http://theucguy.wordpress.com/2008/10/13/ocs-2007-audiovideo-bandwidth-calculation/

Medium                               Minimum quality   High quality
Data                                 56 kbps           56 kbps
Voice                                50 kbps           80 kbps
Video                                50 kbps           350 kbps
RoundTable (conference video phone)  50 kbps           350 kbps

"Note that the requirements are cumulative – Data + Voice + Video = 56 + 50 + 50 = 156kbps (Minimum Quality) or 56 + 80 + 250 = 386kbps (High Quality)"

Source: Wikipedia
One hour of video encoded at 300 kbit/s (this is a typical broadband video in 2005 and it is usually encoded in a 320×240 pixels window size) will be: (3,600 s × 300,000 bit/s) / (8×1024×1024) give around 128 MiB of storage. If the file is stored on a server for on-demand streaming and this stream is viewed by 1,000 people at the same time using a Unicast protocol, the requirement is: 300 kbit/s × 1,000 = 300,000 kbit/s = 300 Mbit/s of bandwidth. This is equivalent to around 135 GB per hour.


Controversy Over Policy Control

►Pros
• Delivery of desirable services
• Improved user experience
• Compliance
• Statistic collection
• Application awareness
• Intelligence built into the network

911 must go thru the network

►Cons
• How is information being used?
• Distrust of Service Provider or Mobile Carriers


Adoption of Policy Control

►3GPP
• 3GPP PCC (Policy and Charging Control)
• Policy Charging Rules Function (PCRF)
• Policy Charging Enforcement Function (PCEF)

►LTE
• IP Multimedia Subsystem (IMS)
• PCRF, PCEF

►WiMAX
• IP Multimedia Subsystem (IMS)
• AAA (Authentication, Authorization and Accounting)

►Unified Communication (UC)

Presenter notes:
Source: http://www.wimax.com/commentary/spotlight/evolution-of-qos-and-charging-framework-in-wimax/?searchterm=policy%20control

3. POLICY FUNCTION IN 3G (PCC)

The Policy Function was introduced as the Policy Decision Function (PDF) in 3GPP Release 5. Initially, the PDF was limited to determining static charging rules, which were then utilized for postpaid applications. However, today, there are services such as online gaming, which require specialized charging models. However, the Release 5 PDF specification was limited to static charging rules.

3GPP Release 7 evolved the Policy and Charging Control (PCC) architecture for determining and enforcing dynamic QoS and charging policies to all the network infrastructure elements involved in providing a specific requested service. The Policy and Charging Rules Function (PCRF) is the node designated in real-time for the determination of the policy rules. For example, a set of policy rules can be activated to verify access permission, checking and debiting credit balance etc., all in real-time. The PCRF enforces these policy rules through its interaction with 3GPP Release 7 Policy and Charging Enforcement Function (PCEF), which handles the transport plane.


Policy and Charging Controls (PCC)

►3GPP PCC Architecture
• Based on the flow-based control (FBC) structure defined in 3GPP R6
• The policy and charging control (PCC) structure is defined in 3GPP R7 and adopts the session-based local policy (SBLP) function
• PCRF defines a set of operator-created business rules and a charge schedule
• In this case, integration of the QoS policy and charging control is achieved

[Figure: PCC deployment (image not reproduced). Blocks shown: DPI; GGSN/PGW/PDSN; PCRF + SBLP.]

Presenter notes:
Policy Charging and Rules Function (PCRF): the PCRF does not operate in the data plane. It is solely a control plane function.


Deploy Deep Packet Inspection

►A pre-defined policy that controls the network use is based on application types and bandwidth usage
• First, it needs to identify the applications running on the network
• Second, it must be able to rate limit the bandwidth for the pre-defined application

► Identify Applications using Snort multimedia.rules
• # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MULTIMEDIA Windows Media download"; flow:from_server,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/smi"; classtype:policy-violation; sid:1437; rev:8;)

• Flow from External Network to Internal Network
• Multiple Signatures:
Content-Type:\s*(video/x-ms-(w[vm]x|asf)) OR
Content-Type:\s*(audio/x-ms-w(m[av]|ax)) OR
Content-Type:\s*(application/x-ms-wm[zd])

►Signatures vs. fingerprint
• Fingerprint is the behaviour of the application
• May include multiple signatures and flow behaviour


QorIQ Data Path Acceleration Architecture (DPAA) Accelerates Policy Control and Deep Packet Inspection


QorIQ Data Path Acceleration Architecture

[Figure: QorIQ P4080 processor block diagram (image not reproduced). Blocks shown: Power Architecture e500-mc core with 32 KB D-Cache, 32 KB I-Cache and 128 KB backside L2 cache; CoreNet coherency fabric; 1024 KB frontside L3 cache with 64-bit DDR-2/3 memory controller (two instances); PAMU (Peripheral Access Management Unit) instances on the fabric; DPAA blocks: Frame Manager with 4x 1GE and 10GE (two instances), Queue Manager, Buffer Manager, SEC 4.0, PME 2; I/O: RapidIO Message Unit (RMU), 2x DMA, PCIe, SRIO, 18-lane 5 GHz SerDes, eLBC, 2x USB 2.0/ULPI, SD/MMC, 2x DUART, 4x I2C, SPI, GPIO; system: eOpenPIC, Power Mgmt, Clocks/Reset, PreBoot Loader, Security Monitor, Internal BootROM, CCSR; debug: Watchpoint Cross Trigger, Perf Monitor, CoreNet Trace, Aurora, Real Time Debug, Test Port/SAP.]


DPAA - Maximizing Acceleration

►Data path resources are effectively virtualized with software drivers

►Minimal SW overhead for any packet
• Queue Manager supports the logical passage of frames between data path functioning blocks
  - Provides various queue-related functionality such as congestion management (tail drop, RED/WRED)
  - Prioritizes scheduling of data from queues
• Buffer Manager manages pools of buffers for storing frame data
  - Managed on behalf of software
  - Used by hardware
• Pattern Matching Engine searches input data against patterns
  - Up to 32K patterns
  - Up to 128B matched length
  - 9.6 Gbps raw scanning throughput


Policy Control: QoS with QMAN

►Queue Manager’s (QMan) Frame Queues enable:
• Prioritized queuing of descriptors between cores, network I/O and accelerators
• Active queue management (WRED)
• Delivery of per-queue accelerator-specific commands and context information to offload accelerators along with dequeued descriptors

►Policy Control Use Case
• VoIP traffic is assigned to a FQ in the Low Priority Weighted Interleaved Round Robin (WIRR) WQ7
• Web traffic is assigned to a FQ in the Low Priority WIRR WQ7
• A high priority “911” call is assigned to a FQ in the Strict Priority WQ1

[Figure: QMan data structures (image not reproduced). Two channels, each with work queues WQ0, WQ1 and WQ7; frame queues (FQ) scheduled on the work queues; each FQ holds frame descriptors (FD), and an FD may point through a scatter/gather table (SGT) to buffers in user memory; a portal carries dequeued FDs and their context to the consumer. The figure separates QMan data structures from user memory.]
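To make the use case above concrete, here is an added Python model of the channel scheduling it describes. It is example code written for this page, not Freescale's QMan driver or hardware logic; the split between strict-priority work queues (modelled as WQ0 to WQ3) and the WIRR group (WQ4 to WQ7), and round-robin service among the frame queues scheduled on one work queue, are assumptions made for the model.

```python
from collections import deque


class FrameQueue:
    """A frame queue (FQ): an ordered list of frame descriptors for one class of traffic."""

    def __init__(self, name):
        self.name = name
        self.frames = deque()

    def enqueue(self, frame):
        self.frames.append(frame)


class Channel:
    """Toy model of one QMan channel with work queues WQ0..WQ7 (WQ0 = highest priority).
    Assumption for this model: the WQs listed in `strict_wqs` are served strict-priority;
    the remaining WQs share leftover bandwidth by weighted interleaved round robin (WIRR),
    one dequeue per WQ per visit while that WQ still has credit in the current round."""

    def __init__(self, strict_wqs=(0, 1, 2, 3), weights=None):
        self.wqs = [deque() for _ in range(8)]      # FQs currently scheduled on each WQ
        self.strict = sorted(strict_wqs)
        self.wirr = [i for i in range(8) if i not in self.strict]
        self.weights = {wq: (weights or {}).get(wq, 1) for wq in self.wirr}
        self.credits = dict(self.weights)
        self.ptr = 0

    def schedule(self, fq, wq):
        if fq not in self.wqs[wq]:
            self.wqs[wq].append(fq)

    def _take(self, wq):
        """Round-robin among the FQs on one WQ; an FQ that runs empty is descheduled."""
        q = self.wqs[wq]
        while q:
            fq = q.popleft()
            if fq.frames:
                frame = fq.frames.popleft()
                if fq.frames:
                    q.append(fq)
                return frame
        return None

    def dequeue(self):
        for wq in self.strict:                       # strict priority first
            frame = self._take(wq)
            if frame is not None:
                return frame
        n = len(self.wirr)
        for _ in range(2 * n + 1):                   # WIRR over the remaining WQs
            if all(c == 0 for c in self.credits.values()):
                self.credits = dict(self.weights)    # new round: refill credits
            wq = self.wirr[self.ptr]
            self.ptr = (self.ptr + 1) % n
            if self.credits[wq] > 0:
                frame = self._take(wq)
                if frame is not None:
                    self.credits[wq] -= 1
                    return frame
                self.credits[wq] = 0                 # nothing to send: forfeit this round
        return None


def policy_control_use_case():
    """The slide's use case: VoIP and Web on WIRR WQ7, a 911 call on strict-priority WQ1."""
    ch = Channel()
    voip, web, e911 = FrameQueue("voip"), FrameQueue("web"), FrameQueue("911")
    for i in range(2):
        voip.enqueue(f"voip-{i}")
        web.enqueue(f"web-{i}")
    ch.schedule(voip, 7)
    ch.schedule(web, 7)
    e911.enqueue("911-0")        # the call arrives after bulk traffic is already queued
    e911.enqueue("911-1")
    ch.schedule(e911, 1)
    order = []
    while True:
        frame = ch.dequeue()
        if frame is None:
            return order
        order.append(frame)


def wirr_demo():
    """WIRR share with weights 2:1 between WQ6 and WQ7 and no strict-priority traffic."""
    ch = Channel(weights={6: 2, 7: 1})
    a, b = FrameQueue("a"), FrameQueue("b")
    for i in range(4):
        a.enqueue(f"a-{i}")
        b.enqueue(f"b-{i}")
    ch.schedule(a, 6)
    ch.schedule(b, 7)
    return [ch.dequeue() for _ in range(6)]


if __name__ == "__main__":
    print(policy_control_use_case())   # 911 frames first, then VoIP and Web alternate
    print(wirr_demo())
```

The 911 frames leave the channel before any VoIP or Web frame even though they were enqueued last, which is the point of placing them on a strict-priority work queue; the two WQ7 frame queues then alternate because they share one work queue.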


Policy Control: DPI with Pattern Matcher

►Regex support plus significant extensions:
• Patterns can be split into 256 sets, each of which can contain 16 subsets
• 32K patterns of up to 128B length
• 9.6 Gbps raw performance

►Combined hash/NFA technology
• No “explosion” in number of patterns due to wildcards
• Low system memory utilization
• Fast pattern database compiles and incremental updates

►Stateful rules operate on a per session basis
• User-defined logic reacts to pattern matches detected by the DXE
• Can be used to further qualify the pattern match
• Protocol state tracking (e.g. track the “normal” transitions of SMTP)

[Figure: Pattern Matching Engine components (image not reproduced). Blocks shown: On-Chip System Bus Interface; Pattern Matcher Frame Agent (PMFA); Data Examination Engine (DXE); Stateful Rule Engine (SRE); Key Element Scanning Engine (KES); Hash Tables; caches; access to pattern descriptors and state; user definable reports; connections to CoreNet, QMan and BMan.]


Policy Control with Stateful Rule Engine

► Condition operands are: ==, !=, >, >=, <, <=, “IF (CONCLUSIVE)”

► If/else
if (<condition>) {
    <action_1>
    <action_2>
    ...
} else {
    <action_1>
    ...
}

► While loop
• Keywords: break
while (<condition>) {
    <action>
}

If the rule reaction needs to distinguish between conclusive and inconclusive matches, you must specify the compiler option -allow_inconclusive. Otherwise, the compiler assumes that only conclusive matches are desired.

Example:
STATEFUL_RULE: HTTP_Recognizer
RESET_STATE:
    EVENT “http_request”
        next_state AWAIT_response
STATE AWAIT_response:
    EVENT “http_response”
        report {0x00000001}
        next_state RESET_STATE
    EVENT “end_of_flow”
        exit

Patterns referenced by the rule:
http_request  /^(get|post)\s.*?http\/1\.\d$/
http_response /^http\/1\.\d\s200\sOK$/
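As an added example (not part of the slide deck and not output of the PME compiler), the following Python code emulates the HTTP_Recognizer rule above in software: the two patterns fire events on each data unit of a flow, and a small state machine reacts exactly as the rule's EVENT clauses describe. Applying Snort-style /smi matching to the patterns, the newline-terminated constructed flow, and the names dxe_events, run_flow and summarize are my assumptions.

```python
import re

# Patterns from the slide's example rule. The flags mirror Snort-style /smi handling,
# an assumption since the slide does not show the modifiers the PME compiler would use.
FLAGS = re.DOTALL | re.MULTILINE | re.IGNORECASE
PATTERNS = {
    "http_request":  re.compile(r"^(get|post)\s.*?http\/1\.\d$", FLAGS),
    "http_response": re.compile(r"^http\/1\.\d\s200\sOK$", FLAGS),
}


class HttpRecognizer:
    """Software model of the HTTP_Recognizer stateful rule on the slide."""

    def __init__(self):
        self.state = "RESET_STATE"
        self.reports = []      # values emitted by `report {...}`
        self.exited = False    # set by `exit`

    def on_event(self, event):
        if self.exited:
            return
        if self.state == "RESET_STATE":
            if event == "http_request":
                self.state = "AWAIT_response"        # next_state AWAIT_response
        elif self.state == "AWAIT_response":
            if event == "http_response":
                self.reports.append(0x00000001)      # report {0x00000001}
                self.state = "RESET_STATE"           # next_state RESET_STATE
            elif event == "end_of_flow":
                self.exited = True                   # exit: stop evaluating this flow
        # an event with no EVENT clause in the current state is ignored


def dxe_events(data_unit):
    """Emulate the DXE: names of every pattern matching this data unit, in table order."""
    return [name for name, rx in PATTERNS.items() if rx.search(data_unit)]


def run_flow(data_units):
    """Scan one flow's data units in order and drive the SRE rule with the events."""
    rule = HttpRecognizer()
    for unit in data_units:
        for event in dxe_events(unit):
            rule.on_event(event)
    rule.on_event("end_of_flow")
    return rule


# Constructed flow (not captured traffic); newline-terminated so `$` anchors at line ends.
FLOW = [
    "GET /index.html HTTP/1.1\nHost: example.test\n\n",
    "HTTP/1.1 200 OK\nContent-Type: text/html\n\n<html></html>",
    "HTTP/1.1 200 OK\nContent-Type: text/html\n\n",   # response with no request: ignored
    "POST /login HTTP/1.0\nHost: example.test\n\n",
    "HTTP/1.0 404 Not Found\n\n",                      # not "200 OK": no event, rule keeps waiting
]


def summarize(data_units):
    """(number of reports, final state, whether the rule exited) for a flow."""
    rule = run_flow(data_units)
    return len(rule.reports), rule.state, rule.exited


if __name__ == "__main__":
    print(summarize(FLOW))   # one report; the 404 leaves the rule in AWAIT_response at end of flow
```

Two details the emulation makes visible: a response seen while the rule is in RESET_STATE produces nothing, because only a request-then-200 pair is reported, and the `exit` on end_of_flow only exists in AWAIT_response, so a flow that ends cleanly after a report never sets the exited flag.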


Policy Control: Identify Video Traffic

►Sample Snort rule from multimedia.rules:
• # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MULTIMEDIA Windows Media download"; flow:from_server,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/smi"; classtype:policy-violation; sid:1437; rev:8;)

• The PCRE is scanning for:
Content-Type:\s*(video/x-ms-(w[vm]x|asf)) OR
Content-Type:\s*(audio/x-ms-w(m[av]|ax)) OR
Content-Type:\s*(application/x-ms-wm[zd])

►PME Equivalent Signatures:
• /^Content-Type\x3a\s*(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/smi

Presenter notes:
The (?=[av]) is an "extended construct" called a lookahead that the PME does not support natively. The lookahead helps a software-based regex engine run more efficiently, but it does not change the accuracy of the pattern, because every branch of the alternation that follows already begins with "v" or "a". The PME does not need this software-based lookahead, and removing it affects neither performance nor the matching result.
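An added check of the claim in these notes, written for this page rather than taken from the slides or from Snort: both the original PCRE (with the lookahead) and the PME-equivalent signature are run over constructed Content-Type header lines and one constructed HTTP response to confirm that they match the same set, and that the signature gives the verdict a practitioner would expect (note that w[vm]x matches wvx and wmx but not wmv). The sample inputs and the function names are constructed for the example.

```python
import re

# Snort sid:1437 PCRE exactly as printed on the slide, including the (?=[av]) lookahead.
SNORT_PCRE = (r"^Content-Type\x3a\s*(?=[av])"
              r"(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))")

# The slide's PME-equivalent signature: the same pattern with the lookahead dropped.
PME_SIGNATURE = (r"^Content-Type\x3a\s*"
                 r"(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))")

# Snort's /smi modifiers map onto these Python flags.
FLAGS = re.DOTALL | re.MULTILINE | re.IGNORECASE

# Constructed sample header lines (not captured traffic) with the verdict we expect.
SAMPLES = [
    ("Content-Type: video/x-ms-wvx", True),
    ("Content-Type: video/x-ms-asf", True),
    ("content-type:audio/x-ms-wma", True),          # case-insensitive, no space after the colon
    ("Content-Type: audio/x-ms-wax", True),
    ("Content-Type: application/x-ms-wmz", True),
    ("Content-Type: application/x-ms-wmd", True),
    ("Content-Type: video/x-ms-wmv", False),        # w[vm]x covers wvx and wmx only, not wmv
    ("Content-Type: text/html", False),
    ("Content-Type: application/octet-stream", False),
    ("X-Content-Type: video/x-ms-wvx", False),       # ^ anchors at the start of a line
]

# Constructed multi-line HTTP response, to show the signature working on a header block.
RESPONSE = ("HTTP/1.1 200 OK\r\n"
            "Server: constructed-example\r\n"
            "Content-Type: video/x-ms-asf\r\n"
            "Content-Length: 1234\r\n"
            "\r\n")


def windows_media_type(data, pattern=PME_SIGNATURE):
    """Return the matched Windows Media content type, or None if the signature does not fire."""
    m = re.search(pattern, data, FLAGS)
    return m.group(1) if m else None


def check_samples(pattern=PME_SIGNATURE):
    """True if the pattern gives the expected verdict on every constructed sample."""
    return all((windows_media_type(h, pattern) is not None) == want for h, want in SAMPLES)


def lookahead_is_redundant(inputs):
    """True if the Snort PCRE and the PME signature agree on every input."""
    return all(windows_media_type(s, SNORT_PCRE) == windows_media_type(s, PME_SIGNATURE)
               for s in inputs)


if __name__ == "__main__":
    inputs = [h for h, _ in SAMPLES] + [RESPONSE]
    print("PME signature correct on samples:", check_samples())
    print("lookahead redundant on these inputs:", lookahead_is_redundant(inputs))
    print("response classified as:", windows_media_type(RESPONSE))
```

Agreement on a sample set is evidence, not proof; the argument that settles it is the one in the notes: the lookahead only asserts what the first character of each alternation branch already requires, so no input can satisfy one pattern and not the other.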

Use SRE for Flow Base with Multiple Fingerprints

►Tracking P2P Video session and state of activities

►Sample Snort rule from multimedia.rules:
• alert tcp $HOME_NET any -> $EXTERNAL_NET 16800:17000 (msg:"POLICY P2PTv TVAnts TCP tracker connect traffic detected"; flow:to_server,established; flowbits:isnotset,tvant.session; content:"|04 00 07 00|"; depth:4; content:"TVANTS SHARE"; depth:12; offset:8; flowbits:set,tvant.session; classtype:policy-violation; sid:12210; rev:1;)

10.10.1.1:16800 <- TVAnts request <- 10.10.1.100:16734
10.10.1.1:16800 -> TVAnts reply -> 10.10.1.100:16734

►PME Equivalent Signatures:
s12210_1 /\x04\x00\x07\x00/ tag=0x2fb2 noreport
s12210_2 /TVANTS SHARE/ tag=0x2fb2 noreport

Presenter notes:
TVAnts uses TCP and UDP to communicate, by default on ports 16600 and 16800.

SRE Configurable

►Stateful Rule for multiple fingerprints with distance restriction

STATEFUL_RULE: rule_12210
RESET_STATE:
    EVENT "snort_12210_1"
        # Depth check
        if ($M <= 4) { next_state GOT_snort_12210_1 }
        else { next_state RESET_STATE }

STATE GOT_snort_12210_1:
    EVENT "snort_12210_2"
        if ($M <= 12) {                     # Depth check
            SRV[1:4] = $P - $NL             # Offset check
            if (SRV[1:4] > 8) {             # Simple match report
                SRV[5] = 0; SRV[5] = $I & 0x7
                SRV[5] = SRV[5] << 4; SRV[5] = SRV[5] | 0x01
                write SRV[5]:1; write $N:1; write $SI:6; write $M:4; write $T:4
            }
        }
        else { next_state RESET_STATE }

STATE FAIL:
    EVENT END_OF_SUI
        next_state RESET_STATE

10.10.1.1:16800 <- TVAnts request <- 10.10.1.100:16734
10.10.1.1:16800 -> TVAnts reply -> 10.10.1.100:16734
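The depth and offset checks that the two rules above express (Snort's content modifiers and the SRE's $M and $P arithmetic) are easy to misread, so here is an added Python model, written for this page and taken from neither Snort nor the PME, that applies the sid:12210 rule to constructed client-to-tracker segments using Snort's content semantics: depth:4 confines the first fingerprint to the first four bytes, offset:8 with depth:12 confines the second to bytes 8 through 19, and a per-flow session flag plays the role of flowbits so only the first matching segment of a session is reported. The segment bytes beyond the two fingerprints and any flow endpoints other than those on the slide are constructed.

```python
# Snort sid:12210 header and payload options, taken from the slide.
PORT_RANGE = (16800, 17000)                 # $EXTERNAL_NET 16800:17000, flow:to_server
CONTENT_1 = b"\x04\x00\x07\x00"             # content:"|04 00 07 00|"; depth:4
CONTENT_2 = b"TVANTS SHARE"                 # content:"TVANTS SHARE"; depth:12; offset:8
RULE_MSG = "POLICY P2PTv TVAnts TCP tracker connect traffic detected"


def content_in_window(payload, content, offset=0, depth=None):
    """Snort-style content test: the search begins at `offset`; with `depth`, only `depth`
    bytes from that point are examined, so the content must lie entirely inside the window."""
    end = None if depth is None else offset + depth
    return payload[offset:end].find(content) != -1


class TvantsTracker:
    """Per-flow state standing in for flowbits tvant.session (set once per session)."""

    def __init__(self):
        self.sessions = set()
        self.alerts = []

    def inspect(self, flow, payload):
        """flow = (src_ip, src_port, dst_ip, dst_port) of a client -> server TCP segment.
        Returns True when the rule would alert on this segment."""
        dst_port = flow[3]
        if not PORT_RANGE[0] <= dst_port <= PORT_RANGE[1]:
            return False
        if flow in self.sessions:                    # flowbits:isnotset,tvant.session
            return False
        if not content_in_window(payload, CONTENT_1, depth=4):
            return False
        if not content_in_window(payload, CONTENT_2, offset=8, depth=12):
            return False
        self.sessions.add(flow)                      # flowbits:set,tvant.session
        self.alerts.append((flow, RULE_MSG))
        return True


# Constructed segments (not captured traffic). Endpoints follow the slide's flow diagram.
FLOW = ("10.10.1.100", 16734, "10.10.1.1", 16800)
GOOD = CONTENT_1 + b"\x00\x00\x00\x00" + CONTENT_2 + b"\x00" * 8
SHIFTED = b"\x00" + GOOD                               # both fingerprints one byte late
WRONG_OFFSET = CONTENT_1 + b"\x00" * 5 + CONTENT_2     # second fingerprint at byte 9, outside [8, 20)


def demo():
    """Verdicts for a sequence of constructed segments; see the comments for the reason."""
    t = TvantsTracker()
    return [
        t.inspect(FLOW, GOOD),          # True: first matching segment of the session alerts
        t.inspect(FLOW, GOOD),          # False: session bit already set, no repeat alert
        t.inspect(FLOW, SHIFTED),       # False: "|04 00 07 00|" not within the first 4 bytes
        t.inspect(("10.10.1.100", 16735, "10.10.1.1", 16800), WRONG_OFFSET),  # False: offset check
        t.inspect(("10.10.1.100", 16736, "10.10.1.1", 16600), GOOD),          # False: port outside range
    ]


if __name__ == "__main__":
    print(demo())   # [True, False, False, False, False]
```

The window arithmetic is where translations between rule languages go wrong: without the offset restriction, the second fingerprint would be found anywhere in the segment, which is why the SRE rule on the slide carries an explicit offset check in addition to the depth check.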


Conclusion

►Wireless service providers need to gather application-level intelligence for network planning and provisioning

►QorIQ DPAA accelerates Deep Packet Inspection and offloads policy control decisions from the host processor
