
Lower layer applications can exploit packet parallelism since processing among packets is completely independent. However, both DPI and stateful DPI applications introduce important processing requirements that can limit parallelism among packets. For the sake of readability we describe state–dependency and order–of–seniority processing. Depending on the degree of statefulness, the application maintains information of middle layers (e.g. flow) or upper layers (e.g. user). The higher the layer, the higher the probability that a particular state is shared by two or more in–flight packets; that is, two packets are more likely to belong to the same user than to the same flow.

Order–of–seniority requires a particular input of data to be processed following a certain order. In the network environment, the packets sometimes have to be processed in the order of arrival to the network node. This feature especially impacts the performance of systems that exploit packet processing parallelism. For a variety of reasons, a given packet can be processed faster by one thread than others are by theirs. That is, a thread can reach a checkpoint before other threads that are processing "older" packets. If the checkpoint needs order–of–seniority, the thread has to wait until the processing of previous packets reaches that checkpoint.

In general, checkpoints are associated with updates of the stateful data, and the consistency of the data is determined by the original order of arrival of the packets from the network. However, order–of–seniority is not a requirement in all stateful applications.

[Figure 2.2: TCP handshake between Host A and Host B (Pkt1: SYN, Pkt2: SYN + ACK, Pkt3: ACK) through a network node, and the packet processing over time of Pkt2 and Pkt3 in code sections 1 to 4.]


For example, NIDSs that detect TCP protocol based attacks need order–of–seniority to update stateful data. If the three–step TCP handshake protocol is not correctly performed, an alert is triggered. Without order–of–seniority, the system can trigger false positive alerts (i.e. a false attack is detected) and false negative detections (i.e. a real attack is not detected). Figure 2.2 depicts this scenario. On the left part of the graph, we can observe the three–step TCP handshake protocol between two hosts A and B. In the middle, there is a network node that performs stateful packet processing for security services. The right part of the graph shows the packet processing of the second and third packets. In this scenario we assume both packets are processed in parallel. Each numbered block represents a section of code for processing the packet. Section 3 requires order–of–seniority processing (e.g. updating the flow state). For different reasons, although packet 3 starts to be processed after packet 2, it can reach section 3 earlier than the other packet. The processing of packet 3 then has to be stalled until packet 2 has finished section 3.
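The stall described above, as an added example that is not part of the original thesis: a per-flow handshake tracker whose state update (section 3) is run once without and once with an arrival-order gate. The names `SeniorityGate`, `process_flow` and `TRACE`, the state names and the delays are assumptions made for illustration.

```python
import threading
import time

# Valid transitions of the three-step handshake: (state, flags) -> next state.
TRANSITIONS = {
    ("CLOSED", "SYN"): "SYN_SEEN",
    ("SYN_SEEN", "SYN+ACK"): "SYNACK_SEEN",
    ("SYNACK_SEEN", "ACK"): "ESTABLISHED",
}

class SeniorityGate:
    """Admits threads to the checkpoint strictly in packet arrival order."""
    def __init__(self):
        self.cond = threading.Condition()
        self.next_seq = 0
    def enter(self, seq):
        with self.cond:
            self.cond.wait_for(lambda: self.next_seq == seq)
    def leave(self):
        with self.cond:
            self.next_seq += 1
            self.cond.notify_all()

def process_flow(packets, ordered):
    """packets: (flags, delay) in arrival order; delay models sections 1-2."""
    flow = {"state": "CLOSED", "alerts": []}
    lock = threading.Lock()  # section 3 is mutually exclusive in both modes
    gate = SeniorityGate()
    def worker(seq, flags, delay):
        time.sleep(delay)            # sections 1-2: independent per packet
        if ordered:
            gate.enter(seq)          # stall until all older packets are done
        with lock:                   # section 3: update the flow state
            nxt = TRANSITIONS.get((flow["state"], flags))
            if nxt is None:
                flow["alerts"].append(f"pkt{seq + 1} {flags} in {flow['state']}")
            else:
                flow["state"] = nxt
        if ordered:
            gate.leave()
    threads = [threading.Thread(target=worker, args=(i, *p)) for i, p in enumerate(packets)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return flow["state"], flow["alerts"]

# Constructed trace: Pkt2 is slow in sections 1-2, so Pkt3 reaches section 3 first.
TRACE = [("SYN", 0.0), ("SYN+ACK", 0.3), ("ACK", 0.1)]
```

With `ordered=False` the benign handshake raises an alert for Pkt3 and the flow never reaches `ESTABLISHED`; with `ordered=True` Pkt3 waits at the gate for Pkt2 and the flow completes without alerts.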

To recapitulate, emerging complex network services are more likely to experience packet dependencies that can significantly reduce the exploitation of packet level parallelism, especially in stateful DPI applications on the highest network layers.


Chapter 3

Network Traffic Analysis

Representative network traffic traces are mandatory to do research in network processing. Applications present significant performance variations according to the network traffic features. Thus, it is critical to preserve key real traffic characteristics.

For reasons of confidentiality, most of the original packet data (both header and payload) is faked or suppressed in the publicly available traffic traces. For example, IP addresses are anonymized in order to avoid revealing any real IP address. The anonymization leads to the loss of some key network traffic properties, such as IP address distribution. Indeed, the network research community has demonstrated that anonymized traffic traces are not useful to do research in lower network layers, but there is no study about the impact on stateful.

The problem is stressed in stateful applications. Packet processing requires high traffic bandwidth to simulate traffic of current and future network edge–nodes as well as bidirectional traffic (i.e. source to destination traffic and vice versa) to correctly keep track of states due to statefulness. Nowadays, the sites that provide public traffic present many traces with unidirectional high bandwidth traffic and few traces with bidirectional low bandwidth traffic.

This chapter addresses the effects of the previously mentioned network features on network applications, especially stateful processing. We analyze the impact of anonymized IP addresses on the memory workload of stateful processing. We also study the impact of network traffic aggregation on the memory performance of several network applications. In order to do this study, we present a mechanism to linearly increase traffic aggregation from a particular bandwidth link to another.

3.1 Chapter Roadmap

Section 3.2 introduces key network properties that are under study in this chapter. Sections 3.3 and 3.4 show the two studies of this chapter focused on the effects of sanitized traffic processing and the impact of traffic aggregation on network processing, respectively. The former compares the data memory workload of sanitized traffic to real traffic processing. The latter shows the impact of traffic aggregation on the memory performance of several network applications, especially comparing layer 2 to stateful layer 4+ network processing.

Related work is presented in Section 3.5 and a summary of the chapter in Section 3.6.
