enable deep packet inspection and policy control with the qoriq … · 2016-03-21 · deploy deep...
TMFreescale, the Freescale logo are trademarks of Freescale Semiconductor, Inc., Reg. U.S. Pat. & Tm. Off. CoreNet and QorIQ are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. The Power Architecture and Power.org word marks and the Power and Power.org logos and related marks are trademarks and service marks licensed by Power.org. © 2010 Freescale Semiconductor, Inc.
June 2010
Sam Siu, Systems and Applications Engineer
Enable Deep Packet Inspection and Policy Control with the QorIQ P4080 Processor
FTF-NET-F0424
Agenda
►Policy Control and Deep Packet Inspection
►QorIQ Data Path Acceleration Architecture (DPAA) accelerates Policy Control and Deep Packet Inspection
Policy Control and Deep Packet Inspection
What is Policy Control?
►Policy control and management tools, including Deep Packet Inspection (DPI), enable mobile network operators to:
• Provision the network
• Charge based on usage and service level
►Policy control is vital for mobile operators to successfully harness next-generation networks and deliver services that meet the growing needs of subscribers and applications
• Must be able to handle and prioritize all traffic types: Voice, VoIP, Video, IPTV, Web surfing, Email, Instant Messenger
►Architectures like 3GPP Evolved Packet Core imply a new role for policy and DPI tools that will place them right at the heart of the wireless network
►Policy Control requires a Policy Management Server and a Policy Enforcement Server
• Optionally, one can implement a Charging Server to track bandwidth consumption
Why Policy Control and Deep Packet Inspection?
►You cannot manage what you do not measure
►It's all about choice and delivery of the choice
• Apply per subscriber
• Apply per application
►There is nothing new in Policy Control
►DPI is a policy enforcement point, nothing more
Deploy Deep Packet Inspection and Policy Control
► DPI enables companies to:
• Understand the network traffic and patterns
• Gather business intelligence
• Identify trends and adapt to those trends
► Policy Control enables:
• A smarter pipe, which requires fine-tuned network controls
• Control and management of growing usage
• Fair usage for all network users
[Figure: packet path Smart Phone -> RNC -> 3G SGSN -> PDN GW -> DPI Inspection -> Web. DPI looks at the five tuple (protocol TCP or UDP, source and destination port, source and destination IP address), at the application protocol (http, BT, VoIP, IPTV) and at the IP and MAC addresses, across the OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical). Sample flows shown: 192.168.1.1:80 TCP 10.10.10.100:16734; 192.168.1.1:25 TCP 10.10.10.100:17784; 192.168.1.1:1863 TCP 10.10.10.100:16855.]
Controversy Over Policy Control
►Pros
• Delivery of desirable services
• Improved user experience
• Compliance
• Statistics collection
• Application awareness
• Intelligence built into the network
911 must go through the network
►Cons
• How is information being used?
• Distrust of Service Providers or Mobile Carriers
Adoption of Policy Control
►3GPP
• 3GPP PCC (Policy and Charging Control)
• Policy Charging Rules Function (PCRF)
• Policy Charging Enforcement Function (PCEF)
►LTE
• IP Multimedia Subsystem (IMS)
• PCRF, PCEF
►WiMAX
• IP Multimedia Subsystem (IMS)
• AAA (Authentication, Authorization and Accounting)
►Unified Communication (UC)
Policy and Charging Controls (PCC)
►3GPP PCC Architecture
• Based on the flow-based control (FBC) structure defined in 3GPP R6
• The policy and charging control (PCC) structure is defined in 3GPP R7 and adopts the session-based local policy (SBLP) function
• PCRF defines a set of operator-created business rules and the charging schedule
• In this case, integration of the QoS policy and charging control is achieved
[Figure: DPI sits in the GGSN/PGW/PDSN, with the PCRF alongside and SBLP added.]
Deploy Deep Packet Inspection
►A pre-defined policy that controls network use is based on application types and bandwidth usage
• First, it needs to identify the applications running on the network
• Second, it must be able to rate limit the bandwidth for the pre-defined application
► Identify Applications using Snort multimedia.rules
• # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MULTIMEDIA Windows Media download"; flow:from_server,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/smi"; classtype:policy-violation; sid:1437; rev:8;)
• Flow from External Network to Internal Network
• Multiple Signatures: Content-Type:\s*(video/x-ms-(w[vm]x|asf)) OR Content-Type:\s*(audio/x-ms-w(m[av]|ax)) OR Content-Type:\s*(application/x-ms-wm[zd])
►Signatures vs. fingerprint
• Fingerprint is the behaviour of the application
• May include multiple signatures and flow behaviour
QorIQ Data Path Acceleration Architecture (DPAA) Accelerates Policy Control and Deep Packet Inspection
QorIQ Data Path Acceleration Architecture
[Block diagram: QorIQ P4080 processor. Power Architecture e500-mc cores (32 KB I-cache, 32 KB D-cache, 128 KB backside L2 cache) on the CoreNet coherency fabric, with two 1024 KB frontside L3 caches and two 64-bit DDR-2/3 memory controllers; PAMUs (Peripheral Access Management Units) in front of the peripherals; DPAA blocks: two Frame Managers (each 4x 1GE and 1x 10GE), Queue Manager, Buffer Manager, SEC 4.0, PME 2; I/O: 18-lane 5 GHz SerDes carrying PCIe and SRIO, RapidIO Message Unit (RMU), 2x DMA, eLBC, 2x USB 2.0/ULPI, SD/MMC, 2x DUART, 4x I2C, SPI, GPIO; system: eOpenPIC, power management, clocks/reset, pre-boot loader, security monitor, internal boot ROM, CCSR; debug: watchpoint cross trigger, performance monitor, CoreNet trace, Aurora, real-time debug, test port/SAP.]
DPAA - Maximizing Acceleration
►Data path resources are effectively virtualized with software drivers
►Minimal SW overhead for any packet
• Queue Manager supports the logical passage of frames between data path functional blocks; provides queue-related functionality such as congestion management (tail drop, RED/WRED); prioritizes scheduling of data from queues
• Buffer Manager manages pools of buffers for storing frame data; managed on behalf of software; used by hardware
• Pattern Matching Engine searches input data against patterns; up to 32K patterns; up to 128B matched length; 9.6 Gbps raw scanning throughput
Policy Control: QoS with QMAN
►Queue Manager's (QMan) Frame Queues enable:
• Prioritized queuing of descriptors between cores, network I/O and accelerators
• Active queue management (WRED)
• Delivery of per-queue accelerator-specific commands and context information to offload accelerators along with dequeued descriptors
►Policy Control Use Case
• VoIP traffic is assigned to a FQ in Low Priority Weighted Interleaved Round Robin (WIRR) WQ7
• Web traffic is assigned to a FQ in Low Priority WIRR WQ7
• High priority "911" call is assigned to a FQ in Strict Priority WQ1
[Figure: QMan data structures. A channel has work queues WQ0, WQ1, ... WQ7; frame queues (FQ) hang off the work queues; frame descriptors (FD) on the FQs point into user memory buffers, directly or through a scatter/gather table (SGT); software reaches QMan through a portal carrying the FD and context.]
Policy Control: DPI with Pattern Matcher
►Regex support plus significant extensions:
• Patterns can be split into 256 sets, each of which can contain 16 subsets
• 32K patterns of up to 128B length
• 9.6 Gbps raw performance
►Combined hash/NFA technology
• No "explosion" in number of patterns due to wildcards
• Low system memory utilization
• Fast pattern database compiles and incremental updates
►Stateful rules operate on a per session basis
• User-defined logic reacts to pattern matches detected by the DXE
• Can be used to further qualify the pattern match
• Protocol state tracking (e.g. track the "normal" transitions of SMTP)
[Figure: Pattern Matching Engine components: Pattern Matcher Frame Agent (PMFA), Data Examination Engine (DXE), Stateful Rule Engine (SRE) and Key Element Scanning Engine (KES), each with a cache; hash tables; on-chip system bus interface; access to pattern descriptors and state; user-definable reports; connected to CoreNet, BMan and QMan.]
Policy Control with Stateful Rule Engine
► Condition operands are: ==, !=, >, >=, <, <=, "IF (CONCLUSIVE)"
► If/else
if (<condition>) {
    <action_1>
    <action_2>
    ...
} else {
    <action_1>
    ...
}
► While loop
• Keywords: break
while (<condition>) {
    action
}
If the rule reaction needs to distinguish between conclusive or inconclusive matches, you must specify the compiler option - allow_inconclusive. Otherwise, the compiler assumes that only conclusive matches are desired.
Example:
STATEFUL_RULE: HTTP_Recognizer
RESET_STATE:
    EVENT "http_request"
        next_state AWAIT_response
STATE AWAIT_response:
    EVENT "http_response"
        report {0x00000001}
        next_state RESET_STATE
    EVENT "end_of_flow"
        exit

http_request /^(get|post)\s.*?http\/1\.\d$/
http_response /^http\/1\.\d\s200\sOK$/
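An added illustration, not Freescale's SRE or its rule compiler: a small Python model of the HTTP_Recognizer rule above, in which the two signatures are run over each packet payload to produce events and the state table drives the report and exit actions. The flows are constructed and use bare "\n" line endings, because the deck's signatures anchor on `$`.

```python
import re
from typing import Dict, List, Optional, Tuple

# The two HTTP_Recognizer signatures, compiled with s/m/i semantics
# (dot spans lines, ^/$ at line bounds, case-insensitive), as written above.
SIGNATURES = {
    "http_request":  re.compile(r"^(get|post)\s.*?http\/1\.\d$", re.S | re.M | re.I),
    "http_response": re.compile(r"^http\/1\.\d\s200\sOK$", re.S | re.M | re.I),
}

# Rule table transcribed from the deck's HTTP_Recognizer:
#   (current state, event) -> (report value or None, next state or "exit")
# An event with no entry for the current state is ignored.
RULE: Dict[Tuple[str, str], Tuple[Optional[int], str]] = {
    ("RESET_STATE", "http_request"):     (None, "AWAIT_response"),
    ("AWAIT_response", "http_response"): (0x00000001, "RESET_STATE"),
    ("AWAIT_response", "end_of_flow"):   (None, "exit"),
}

def scan_events(payload: bytes) -> List[str]:
    """DXE-style scan of one scan unit (one packet payload): return the
    names of the signatures that hit, ordered by match position."""
    text = payload.decode("latin-1")            # byte-transparent decode
    hits = [(m.start(), name)
            for name, rx in SIGNATURES.items()
            for m in rx.finditer(text)]
    return [name for _, name in sorted(hits)]

def run_http_recognizer(flow: List[bytes]) -> List[int]:
    """Drive the rule with the events of a whole flow plus the synthetic
    end_of_flow event; return the report values emitted."""
    state, reports = "RESET_STATE", []
    events = [ev for unit in flow for ev in scan_events(unit)] + ["end_of_flow"]
    for ev in events:
        action = RULE.get((state, ev))
        if action is None:
            continue                            # not handled in this state
        report, nxt = action
        if report is not None:
            reports.append(report)
        if nxt == "exit":
            break
        state = nxt
    return reports

# Constructed flows (not captures). Bare "\n" line endings: the deck's
# signatures end in "$", which does not match before the "\r" of a CRLF.
FLOW_OK = [b"GET /clip.wmv HTTP/1.1\nHost: media.example.test\n\n",
           b"HTTP/1.1 200 OK\nContent-Type: video/x-ms-wmv\n\n"]
FLOW_404 = [b"GET /missing HTTP/1.1\nHost: media.example.test\n\n",
            b"HTTP/1.1 404 Not Found\n\n"]
FLOW_RESPONSE_ONLY = [b"HTTP/1.1 200 OK\n\n"]   # response without a request

if __name__ == "__main__":
    print(run_http_recognizer(FLOW_OK))         # [1]
    print(run_http_recognizer(FLOW_404))        # []
```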
Policy Control: Identify Video Traffic
►Sample Snort rule from multimedia.rules:
• # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MULTIMEDIA Windows Media download"; flow:from_server,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/smi"; classtype:policy-violation; sid:1437; rev:8;)
• The PCRE is scanning for: Content-Type:\s*(video/x-ms-(w[vm]x|asf)) OR Content-Type:\s*(audio/x-ms-w(m[av]|ax)) OR Content-Type:\s*(application/x-ms-wm[zd])
►PME Equivalent Signatures:
• /^Content-Type\x3a\s*(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/smi
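As an added example (not from the Freescale deck), the sid:1437 PCRE shown above, unchanged, compiled with the same s/m/i flags and run over constructed HTTP responses; the content:"Content-Type|3A|" nocase check is modelled as the literal prefilter Snort applies before the PCRE.

```python
import re
from typing import Optional

# The PCRE of Snort sid:1437 as written in the rule, with the s/m/i flags
# (dot spans lines, ^ at every line start, case-insensitive).
SID_1437_PCRE = re.compile(
    r"^Content-Type\x3a\s*(?=[av])"
    r"(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))",
    re.S | re.M | re.I,
)

def snort_1437_matches(payload: bytes) -> Optional[str]:
    """Return the Windows Media Content-Type the rule matched, or None.
    Snort only evaluates the PCRE after the cheap content:"Content-Type|3A|"
    (nocase) literal check hits, so that prefilter is modelled first. The
    flow:from_server,established qualifier is stream state, not payload,
    and is assumed to be checked by the caller."""
    text = payload.decode("latin-1")                 # byte-transparent
    if "content-type:" not in text.lower():          # content + nocase prefilter
        return None
    m = SID_1437_PCRE.search(text)
    return m.group(1) if m else None

# Constructed server responses (not captures).
SAMPLE_RESPONSES = {
    "asf":  b"HTTP/1.1 200 OK\r\nContent-Type: video/x-ms-asf\r\n\r\n",
    "wma":  b"HTTP/1.1 200 OK\r\nContent-Type:audio/x-ms-wma\r\n\r\n",
    "wmz":  b"HTTP/1.1 200 OK\r\ncontent-type: application/x-ms-wmz\r\n\r\n",
    "html": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "mp4":  b"HTTP/1.1 200 OK\r\nContent-Type: video/mp4\r\n\r\n",
    # The "m" flag anchors ^ at any line start, so a header-shaped line in
    # the body also fires; the Snort rule puts no depth limit on this pcre.
    "body": b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nContent-Type: video/x-ms-asf\r\n",
}

if __name__ == "__main__":
    for name, resp in SAMPLE_RESPONSES.items():
        print(name, snort_1437_matches(resp))
```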
Use SRE for Flow Base with Multiple Fingerprints
►Tracking P2P Video session and state of activities
►Sample Snort rule from multimedia.rules:
• alert tcp $HOME_NET any -> $EXTERNAL_NET 16800:17000 (msg:"POLICY P2PTv TVAnts TCP tracker connect traffic detected"; flow:to_server,established; flowbits:isnotset,tvant.session; content:"|04 00 07 00|"; depth:4; content:"TVANTS SHARE"; depth:12; offset:8; flowbits:set,tvant.session; classtype:policy-violation; sid:12210; rev:1;)
10.10.1.1:16800 <- TVAnts request <- 10.10.1.100:16734
10.10.1.1:16800 -> TVAnts reply -> 10.10.1.100:16734
PME Equivalent Signatures:
s12210_1 /\x04\x00\x07\x00/ tag=0x2fb2 noreport
s12210_2 /TVANTS SHARE/ tag=0x2fb2 noreport
SRE Configurable
►Stateful Rule for multiple fingerprints with distance restriction
STATEFUL_RULE: rule_12210
RESET_STATE:
    EVENT "snort_12210_1"
        # Depth check
        if ($M <= 4) { next_state GOT_snort_12210_1 }
        else { next_state RESET_STATE }
STATE GOT_snort_12210_1:
    EVENT "snort_12210_2"
        if ($M <= 12) {                  # Depth check
            SRV[1:4] = $P - $NL          # Offset check
            if (SRV[1:4] > 8) {          # Simple match report
                SRV[5] = 0; SRV[5] = $I & 0x7
                SRV[5] = SRV[5] << 4; SRV[5] = SRV[5] | 0x01
                write SRV[5]:1; write $N:1; write $SI:6; write $M:4; write $T:4
            }
        }
        else { next_state RESET_STATE }
STATE FAIL:
    EVENT END_OF_SUI
        next_state RESET_STATE
10.10.1.1:16800 <- TVAnts request <- 10.10.1.100:16734
10.10.1.1:16800 -> TVAnts reply -> 10.10.1.100:16734
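Added example, not Freescale code: a Python model of how the SRE qualifies the two raw PME hits of rule_12210 by position. The depth and offset semantics are taken from the Snort sid:12210 modifiers (content 1 inside the first 4 bytes, content 2 at offset 8 inside depth 12) rather than from the $M/$P/$NL registers, and the flowbits session flag is modelled per flow; all packets are constructed.

```python
import re
from typing import List, NamedTuple

class Match(NamedTuple):
    sig: str
    tag: int
    start: int    # offset of the first matched byte
    end: int      # offset one past the last matched byte

# The two PME signatures from the deck: same tag, both "noreport", so the raw
# hits go to the SRE only and are never reported to software directly.
PME_SIGNATURES = {
    "s12210_1": (0x2FB2, re.compile(rb"\x04\x00\x07\x00")),
    "s12210_2": (0x2FB2, re.compile(rb"TVANTS SHARE")),
}

def pme_scan(payload: bytes) -> List[Match]:
    """Model of the raw DXE scan: every occurrence of every pattern with its
    position. No positional limits are applied here; that is the SRE's job."""
    hits = [Match(sig, tag, m.start(), m.end())
            for sig, (tag, rx) in PME_SIGNATURES.items()
            for m in rx.finditer(payload)]
    return sorted(hits, key=lambda h: h.start)

def rule_12210_qualifies(payload: bytes) -> bool:
    """SRE-side qualification of the raw hits with the Snort modifiers of
    sid:12210 (assumed semantics): content 1 inside depth 4, i.e. the match
    ends by byte 4; content 2 at offset 8 inside depth 12, i.e. bytes 8..20."""
    hits = pme_scan(payload)
    first = any(h.sig == "s12210_1" and h.end <= 4 for h in hits)
    second = any(h.sig == "s12210_2" and 8 <= h.start and h.end <= 20 for h in hits)
    return first and second

class Packet(NamedTuple):
    to_server: bool     # direction, for the flow:to_server qualifier
    payload: bytes

def tvants_flow_alerts(flow: List[Packet]) -> List[int]:
    """Walk one TCP flow and return the indexes of packets that alert.
    flowbits:isnotset/set on tvant.session means only the first qualifying
    client-to-server packet of a flow alerts."""
    session_set, alerts = False, []
    for idx, pkt in enumerate(flow):
        if not pkt.to_server or session_set:
            continue
        if rule_12210_qualifies(pkt.payload):
            session_set = True                 # flowbits:set,tvant.session
            alerts.append(idx)
    return alerts

# Constructed payloads, not real TVAnts captures.
TVANTS_HANDSHAKE = b"\x04\x00\x07\x00" + b"\x00" * 4 + b"TVANTS SHARE" + b"\x00" * 4
TVANTS_SHIFTED = b"\x00" + b"\x04\x00\x07\x00" + b"\x00" * 3 + b"TVANTS SHARE"  # first hit at byte 1: fails depth 4
TVANTS_LATE = b"\x04\x00\x07\x00" + b"\x00" * 5 + b"TVANTS SHARE"              # second hit at byte 9: fails depth 12 from offset 8
SAMPLE_FLOW = [Packet(True, TVANTS_HANDSHAKE), Packet(False, b"\x00" * 16),
               Packet(True, TVANTS_HANDSHAKE)]   # repeat handshake: session already set
```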
Conclusion
►Wireless service providers need to gather application-level intelligence for network planning and provisioning
►QorIQ DPAA accelerates Deep Packet Inspection and offloads policy control decisions from the host processor