
Application-Based Routing


This talk shows how to implement application-based routing on a common Linux distribution. We use nDPI to perform deep packet inspection and classify each packet first, use the Linux kernel's built-in packet mark (fwmark) to pass that result from user space back into the kernel, and then let the policy routing system use the mark to send the packet to a different destination or out a different interface.

Published in: Technology


  1. SDN X CLOUD NATIVE MEETUP #10
  2. APPLICATION-BASED ROUTING. Hung-Wei Chiu (hwchiu), hwchiu@thundertoken.tw
  3. WHO AM I: Hung-Wei Chiu (hwchiu), https://blog.hwchiu.com. DevOps Engineer @ ThunderToken. Interested in networking/DevOps/Kubernetes/SDN/programming.
  4. Software Defined Wide Area Network (SD-WAN)
  5. SD-WAN: create a virtual overlay that abstracts the underlying private/public WAN connections (LTE, MPLS, Wi-Fi, fiber) and routes WAN traffic along the best route (latency, QoS).
  6. SD-WAN: managed by a centralized controller. Edge devices are programmed remotely, which cuts provisioning time and minimizes the need to configure network devices by hand. Security: IPsec, firewall.
  7. SD-WAN: traffic performance improves by combining WAN connections, with fail-over between them. Simplifies the network: deployment, configuration, operations.
  8. (Diagram: three sites, each with DSL, MPLS and LTE links, reaching a controller across the Internet.)
  9. Application-Based Routing
  10. APPLICATION-BASED ROUTING: assume there are multiple WAN connections with different latencies. Route traffic by application priority (games, VoIP, etc.).
  11. (Diagram: the public Internet reached over links with latencies of 10 s, 2 s, 3 s and 500 ms.)
  12. (Same diagram, with a file transfer and web browsing placed on different links.)
  13. How can we implement it on a Linux host?
  14. CHALLENGES: which application is this traffic? How do we policy-route it?
  15. DPI (Deep Packet Inspection): the well-known L3 + L4 tuple, e.g. TCP/UDP ports 53/67/80/443.
  16. DPI: identifying the L7 application. Protocols with a structured format are parsed; otherwise guess by pattern. Encrypted traffic requires SSL termination, which puts the DPI device in the TLS path, so users must import its CA as trusted.
  17. nDPI: open source software, written in C, supporting 185+ protocols.
  18. nDPI: can process packets captured with pcap. Decision tree example (Skype).
  19. (Diagram: packets flow into the nDPI engine, which tracks connections and reports results such as "packet = Skype", "packet = QUIC", "packet = Facebook".)
  20. APPROACHES: with the Linux kernel, or without it (Open vSwitch/OpenFlow).
  21. SOURCE (WITH KERNEL): either capture packets from a specific interface with pcap, or have iptables hand them to a daemon we implement.
  22. PCAP APPROACH: implement a daemon; capture packets with libpcap; feed them to the nDPI engine to learn their type.
  23. (Diagram: the application with its nDPI engine in user space reads packets via libpcap from enp0s1, enp0s2 and wlan1, each through a BPF filter in kernel space.)
  24. IPTABLES APPROACH: implement a daemon; receive packets through the iptables NFQUEUE target; feed them to the nDPI engine to learn their type.
  25. (Diagram: packets traverse the kernel network stack and netfilter, are queued by nfqueue, and are read by the application's nDPI engine through libnetfilter_queue.)
  26. IPTABLES APPROACH: netlink carries packets from the kernel to user space and back. More flexible than the pcap approach, because iptables rules choose exactly which packets are queued.
  27. (Same as slide 26.)
  28. Queue rules:
      iptables -A INPUT -j NFQUEUE --queue-num 0
      iptables -A FORWARD -j NFQUEUE --queue-num 0
      iptables -A FORWARD -i br0 -j NFQUEUE --queue-num 0
  29. Next challenge: how do we route a packet by its nDPI result?
  30. ROUTE: tag the packets and route by tag. (Open a raw socket and retransmit the packet ourselves?)
  31. NFQUEUE: we can send packets back to the Linux kernel via netlink; what the kernel queues to us is the packet's sk_buff.
  32. NFQUEUE: we can use the packet mark to carry the application ID, and then match that mark in iptables to accept or drop the packet.
  33. http://lt.netfilter.org/projects/libnetfilter_queue/doxygen/group__Queue.html
  34. (Diagram: as slide 25, with the daemon annotated "receive packets, detect, mark the packet and send it back to the kernel" and the kernel side annotated "accept/drop by mark; route ??".)
  35. Accept or drop by mark:
      iptables -A FORWARD -m mark --mark 0x0003 -j DROP
      iptables -A FORWARD -m mark --mark 0x0003 -j ACCEPT
  36. But how do we use that mark to route through different interfaces?
  37. LINUX ROUTING TABLE: by default packets are routed by destination IP address only. Policy routing can also select a table by source IP address, L3/L4 protocol, or ToS/mark.
  38. LINUX ROUTING TABLE: there are multiple routing tables. Built-in: local (255), main (254), default (253); custom tables can be added. Rule priorities run from 0 to 32767 and are evaluated in ascending order (0 first); the default rules are 0 -> local, 32766 -> main, 32767 -> default.
  39. LINUX ROUTING TABLE: name a custom table, then use ip rule to control the lookup order:
      echo "201 hwchiu.test" >> /etc/iproute2/rt_tables
      ip rule add fwmark 10 table 201
      ip rule add from 140.113.235.234 fwmark 25 table 202
      ip rule show
  40. LINUX ROUTING TABLE: use ip route add to put routes into the custom table:
      ip route add default via 10.0.2.2 dev enp0s3 table 201
  41. (Diagram: as slide 34, with the kernel's routing step now consulting the policy routing database (PRDB) across the local, main, default and custom tables.)
  42. (Diagram: a packet from the enp0s1 driver enters the netfilter system, is queued to the user-space nfqueue thread, which calls nDPI and returns a verdict via nfqueue_verdict; the packet then continues through netfilter to the enp0s2 driver.)
  43. How about performance?
  44. PERFORMANCE: all packets with the same L3/L4 tuple belong to the same connection (mostly), so we don't need to inspect every packet to know its application. Only packets of still-unknown connections are passed to the nDPI engine.
  45. PERFORMANCE: use CONNMARK to copy the packet mark from the sk_buff onto the connection-tracking entry, so later packets of the same connection can get it back (-j CONNMARK --restore-mark) before they reach the NFQUEUE rule and never need to be queued:
      iptables -t mangle -j CONNMARK --save-mark
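The daemon side of slides 30-32 and 44-45, as an added example that is not code from the talk or from nDPI: a Python model of the NFQUEUE callback's decision logic, with libnetfilter_queue and nDPI replaced by in-process stand-ins so it runs offline. Packet, FlowState, Classifier, fake_dpi, the mark values and the sample traffic are all constructed for this example; in a real daemon the verdict and mark returned here would go to nfq_set_verdict2(), and the APP_MARK values must match the `ip rule add fwmark N table T` entries on the routing side.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NF_ACCEPT = 1               # libnetfilter_queue verdict: let the packet continue

MARK_UNKNOWN = 0            # fwmark 0 means "no decision yet"; never used in an ip rule
MARK_DEFAULT = 1            # DPI gave up: let the packet fall through to the main table
APP_MARK = {"voip": 2, "web": 3, "filetransfer": 4}   # must match `ip rule add fwmark N`
MAX_PKTS_PER_FLOW = 8       # stop queuing a flow after this many inspected packets


@dataclass(frozen=True)
class Packet:               # constructed stand-in for what nfq hands the callback
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def flow_key(p: Packet) -> tuple:
    """Direction-independent 5-tuple so both directions of a connection share state."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


@dataclass
class FlowState:
    packets_seen: int = 0
    mark: int = MARK_UNKNOWN
    payloads: List[bytes] = field(default_factory=list)


def fake_dpi(proto: str, payloads: List[bytes]) -> Optional[str]:
    """Toy stand-in for ndpi_detection_process_packet(): it answers only once
    it has seen enough of the flow, and may never answer."""
    first = payloads[0]
    is_http = first.startswith((b"GET ", b"POST ")) and b" HTTP/1." in first
    is_tls = first[:2] == b"\x16\x03"          # TLS handshake record header
    if proto == "tcp" and (is_http or is_tls):
        return "web"
    if proto == "udp" and len(payloads) >= 3 and all(
            0 < len(x) < 200 and x[0] & 0xC0 == 0x80 for x in payloads):  # RTP v2 shape
        return "voip"
    return None


class Classifier:
    """What the nfq callback does for each queued packet."""

    def __init__(self) -> None:
        self.flows: Dict[tuple, FlowState] = {}
        self.dpi_calls = 0

    def verdict(self, p: Packet) -> Tuple[int, int]:
        """Return (verdict, mark); mark 0 leaves the packet unmarked."""
        st = self.flows.setdefault(flow_key(p), FlowState())
        if st.mark != MARK_UNKNOWN:
            # Already decided. With CONNMARK --restore-mark in place such
            # packets never reach the queue, but handle them anyway.
            return NF_ACCEPT, st.mark
        st.packets_seen += 1
        st.payloads.append(p.payload)
        self.dpi_calls += 1
        app = fake_dpi(p.proto, st.payloads)
        if app is not None:
            st.mark = APP_MARK[app]
        elif st.packets_seen >= MAX_PKTS_PER_FLOW:
            st.mark = MARK_DEFAULT          # give up so this flow stops being queued
        return NF_ACCEPT, st.mark


def run_sample() -> dict:
    """Constructed traffic: an HTTP exchange, an RTP-like stream and an opaque flow."""
    def rtp(seq: int) -> bytes:
        return bytes([0x80, 0x60, 0, seq]) + b"\x00" * 40

    web = [Packet("tcp", "10.0.0.5", 51000, "93.184.216.34", 80,
                  b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
           Packet("tcp", "93.184.216.34", 80, "10.0.0.5", 51000,
                  b"HTTP/1.1 200 OK\r\n\r\n")]        # reply direction, same flow
    voip = [Packet("udp", "10.0.0.7", 40000, "203.0.113.9", 5004, rtp(i)) for i in range(5)]
    opaque = [Packet("tcp", "10.0.0.9", 55000, "198.51.100.1", 9999, bytes([i, 0xFF, 0xAA]))
              for i in range(10)]

    c = Classifier()
    for p in web + voip + opaque:
        c.verdict(p)
    return {
        "web": c.flows[flow_key(web[0])].mark,
        "voip": c.flows[flow_key(voip[0])].mark,
        "opaque": c.flows[flow_key(opaque[0])].mark,
        "dpi_calls": c.dpi_calls,            # 12 of the 17 packets actually hit DPI
        "packets": len(web) + len(voip) + len(opaque),
    }


if __name__ == "__main__":
    print(run_sample())
```

Two things the model makes explicit that slides 44-45 only imply: the flow key is direction-normalised so the server's reply shares state with the client's request, and a flow the engine never recognises is still given a mark after MAX_PKTS_PER_FLOW packets; without that cap every packet of an opaque, long-lived connection would keep being copied to user space.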
  46. (Diagram: same as slide 42.)
  47. PERFORMANCE: you can also push those connection tuples (L3/L4) down to hardware for higher throughput. Remember, only a few packets per connection need to be inspected.
  48. Thanks!
