Open Packet Monitoring on FLAME: Safety, Performance, and Applications
Packet monitoring arguably needs the flexibility of open architectures and active networking. In earlier work we implemented FLAME, an open monitoring system that balanced flexibility and safety while attempting to achieve high performance by combining the use of a type-safe language, lightweight run-time checks, and fine-grained policy restrictions.
We seek to understand the range of applications, workloads, and traffic for which a safe, open, traffic monitoring architecture is practical. To that end, we investigated a number of applications built on top of FLAME. We use measurement data and analysis to predict the workload at which our system cannot keep up with incoming traffic. We report on our experience with these applications, and make several observations on the current state of open architecture applications.
Keywords: Network Interface Card, Packet Rate, Trajectory Sampling, Worm Detection, Open Monitoring System