nBroker

Traffic steering and filtering at 100 Gbps on Intel FM10000 (RRC).


Achieving full network visibility requires a combination of a wide range of monitoring tools for real-time activities. Fundamental activities include, but are not limited to:

  • Efficient traffic steering from the network directly to the monitoring tools;
  • Traffic filtering to perform selective analyses with the benefit of a reduced load on the CPU;
  • Traffic blocking to implement policies in inline applications.

nBroker is a framework that can be used for traffic steering and filtering at 100 Gbps on Intel FM10000 Red Rock Canyon (RRC) adapters. The FM10000 adapters have an internal switch attached to the external ports of the NIC – those that are physically connected to the cables – and to the internal ports towards the CPU – those seen by the host OS.

nBroker consists of a daemon that drives the RRC switch, and an API that can be used to configure steering and filtering rules. The communication happens over a ZMQ channel. In addition to the API, a command-line tool with auto-completion is also provided to control the adapter. For learning more please read the nBroker user’s guide.

CLI API

A CLI tool, nbroker-cli, can be used to set up a ZMQ connection to the nbroker daemon and control it. nbroker-cli establishes the connection and opens a console for the input of control commands (hint: hit tab for autocompletion).

$ nbroker-cli
 tcp://127.0.0.1:5555> help
 Commands syntax:
 default port PORT pass|drop
 set port PORT match FILTER pass|drop|steer-to [PORT]
 delete port PORT filtering|steering match FILTER
 delete port PORT filtering|steering rule ID
 clear port PORT filtering|steering
 rules port PORT filtering|steering
 gc idle-for SECONDS
 help
 quit
 FILTER is a space-separated list of:
 vlan NUM
 smac|dmac MAC
 shost|dhost IP
 shost|dhost IP/NUM
 shost|dhost IP netmask MASK
 sport|dport NUM
 proto udp|tcp
 proto NUM

C API

In addition to the command-line tool, nBroker also provides a C API that can be used to configure the RRC switch. The code snippet below passes all traffic and drops only the flows matching a specific destination port; it demonstrates how the API can be used to write custom applications that configure the RRC switch. For learning more please read the API documentation.

#include <arpa/inet.h>   /* htons() */
#include "nbroker_api.h" /* nBroker C API */
nbroker_t *broker;
nbroker_match_t match = { 0 };            /* zeroed: only the fields set below take part in the match */
u_int32_t rule_id = NBROKER_AUTO_RULE_ID; /* let the daemon assign the rule id */
nbroker_init(&broker, 0);                 /* connect to the nbroker daemon */
nbroker_set_default_policy(broker, "eth1", NBROKER_POLICY_PASS); /* pass everything by default */
match.dport.low = htons(80);              /* destination port 80, in network byte order */
nbroker_set_filtering_rule(broker, "eth1", &rule_id, &match, NBROKER_POLICY_DROP); /* ... and drop those flows */

Use Cases

IDS/IPS

An IDS/IPS is an example of inline application that can take advantage of nBroker to offload traffic forwarding. An IPS usually inspects all the traffic, and sometimes decides to whitelist (forward) or blacklist (drop) specific traffic. Such activities can be offloaded to the switch by means of steering and filtering rules.

Below is an example of whitelisting a specific source IP towards a specific destination port using nBroker.

CLI
$ nbroker-cli
 tcp://127.0.0.1:5555> default port eth1 pass
 tcp://127.0.0.1:5555> default port eth2 pass
 tcp://127.0.0.1:5555> set port eth1 match shost 10.0.0.1 dport 80 steer-to eth2
C
/* broker, match and rule_id are declared and initialised as in the C API snippet above */
nbroker_set_default_policy(broker, "eth1", NBROKER_POLICY_PASS);
nbroker_set_default_policy(broker, "eth2", NBROKER_POLICY_PASS);
match.shost.ip_version = 4;                  /* IPv4 source host ... */
match.shost.mask.v4 = 0xFFFFFFFF;            /* ... exact (/32) match ... */
match.shost.host.v4 = inet_addr("10.0.0.1"); /* ... on 10.0.0.1 (inet_addr returns network byte order) */
match.dport.low = htons(80);                 /* destination port 80 */
rule_id = NBROKER_AUTO_RULE_ID;              /* let the daemon assign the rule id */
nbroker_set_steering_rule(broker, "eth1", &rule_id, &match, "eth2"); /* steer matching flows from eth1 to eth2 */
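The CLI FILTER grammar above (shost|dhost IP, IP/NUM, IP netmask MASK) and the C snippet (host.v4 filled by inet_addr(), mask.v4 set to 0xFFFFFFFF) describe the same host match, and the mask is the part that is easy to get wrong as soon as the network is not a /32: inet_addr() returns network byte order, and 0xFFFFFFFF happens to be byte-order neutral, so a /24 mask written as 0xFFFFFF00 needs an htonl() to line up with the host. The helper below is added here as an illustration and is not part of nBroker or its API: it parses the three host forms of the FILTER grammar into a host/mask pair in network byte order (assuming, as the snippet suggests, that mask.v4 uses the same byte order as host.v4), canonicalises the host, rejects non-contiguous masks and malformed prefixes, and renders the equivalent nbroker-cli steering command. v4_match_t, parse_host_spec and format_steer_rule are my own names; the sample specs in main() are constructed.

```c
#include <arpa/inet.h>   /* inet_pton(), inet_ntop(), htonl(), ntohl() */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Host and mask in network byte order. This is my own type (not nBroker's):
 * it mirrors the host.v4 / mask.v4 pair the page's snippet fills via
 * inet_addr(), which returns network byte order. */
typedef struct {
  uint32_t host_be;
  uint32_t mask_be;
} v4_match_t;

/* Turn a prefix length (the NUM in "IP/NUM") into a network-order mask.
 * Returns 0 on success, -1 when the prefix is out of range. */
static int prefix_to_mask_be(int prefix, uint32_t *mask_be) {
  if (prefix < 0 || prefix > 32) return -1;
  /* Shifting a 32-bit value by 32 is undefined in C, so /0 is special-cased. */
  uint32_t mask_host = (prefix == 0) ? 0u : 0xFFFFFFFFu << (32 - prefix);
  *mask_be = htonl(mask_host);
  return 0;
}

/* Parse the three host forms of the nbroker-cli FILTER grammar:
 *   "IP", "IP/NUM" and "IP netmask MASK".
 * Host bits outside the mask are cleared so the rule describes the network
 * the operator meant; non-contiguous netmasks are rejected.
 * Returns 0 on success, -1 on a malformed spec. */
static int parse_host_spec(const char *spec, v4_match_t *out) {
  char buf[64];
  if (strlen(spec) >= sizeof(buf)) return -1;
  strcpy(buf, spec);

  const char *mask_str = NULL;
  int prefix = 32;                      /* a bare IP is an exact host match */
  char *slash = strchr(buf, '/');
  char *nm = strstr(buf, " netmask ");
  if (slash) {
    *slash = '\0';
    char *end;
    long p = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0') return -1;
    prefix = (int)p;
  } else if (nm) {
    *nm = '\0';
    mask_str = nm + strlen(" netmask ");
  }

  struct in_addr a;
  if (inet_pton(AF_INET, buf, &a) != 1) return -1;
  out->host_be = a.s_addr;

  if (mask_str) {
    struct in_addr m;
    if (inet_pton(AF_INET, mask_str, &m) != 1) return -1;
    /* A valid mask is a run of ones followed by zeros: its complement
     * must be of the form 2^k - 1. */
    uint32_t inv = ~ntohl(m.s_addr);
    if (inv & (inv + 1u)) return -1;
    out->mask_be = m.s_addr;
  } else if (prefix_to_mask_be(prefix, &out->mask_be) != 0) {
    return -1;
  }
  out->host_be &= out->mask_be;         /* canonical network address */
  return 0;
}

/* Render the nbroker-cli line equivalent to a steering rule that whitelists a
 * source network towards a destination port (the IDS/IPS example above).
 * Returns the number of characters written, or -1 if buf is too small. */
static int format_steer_rule(const char *in_port, const v4_match_t *m, int dport,
                             const char *out_port, char *buf, size_t len) {
  char host[INET_ADDRSTRLEN], mask[INET_ADDRSTRLEN];
  struct in_addr h = { .s_addr = m->host_be }, k = { .s_addr = m->mask_be };
  inet_ntop(AF_INET, &h, host, sizeof host);
  inet_ntop(AF_INET, &k, mask, sizeof mask);
  int n = snprintf(buf, len, "set port %s match shost %s netmask %s dport %d steer-to %s",
                   in_port, host, mask, dport, out_port);
  return (n < 0 || (size_t)n >= len) ? -1 : n;
}

int main(void) {
  /* Constructed sample specs: one per grammar form plus a malformed mask. */
  const char *specs[] = { "10.0.0.1", "10.0.0.77/24", "172.16.0.0 netmask 255.255.0.0",
                          "10.0.0.0 netmask 255.0.255.0" };
  char cmd[160];
  for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
    v4_match_t m;
    if (parse_host_spec(specs[i], &m) != 0) {
      printf("%-32s -> rejected\n", specs[i]);
      continue;
    }
    format_steer_rule("eth1", &m, 80, "eth2", cmd, sizeof cmd);
    printf("%-32s -> host.v4=0x%08x mask.v4=0x%08x (network order)\n%-32s    %s\n",
           specs[i], m.host_be, m.mask_be, "", cmd);
  }
  return 0;
}
```

The values printed as host.v4 and mask.v4 are what one would assign to the match fields of the C snippet above; for the /32 case they coincide with the page's 0xFFFFFFFF, for any other prefix they differ from the host-order constant by the byte swap.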

Traffic Steering

Another example is traffic steering from an external port to an arbitrary internal port: steering rules are not limited to external interfaces, but can divert selected traffic from one interface to any other one. This can be used, for instance, to redirect traffic to be analysed on the fly.

License

nBroker is distributed under the EULA and requires a PF_RING ZC license per interface.

Get It

PF_RING™ ZC is available from the ntop web site. If you are interested in large quantities or need a volume discount, please contact us. If instead you are looking for the software, you can download it here.