Here, we explain how the FA interacts with the stateful firewall. To detect that a rule has become unnecessary, CODO uses Netfilter's user-space packet-processing mechanism. Netfilter allows user processes to specify various conditions and to handle the packets that satisfy those conditions. To allow a connection from a client to a server, the FA adds a Netfilter rule that allows initial packets [4] (first SYN packets, for example) from the client to the server. In addition, it adds other rules to catch non-initial packets sent from the client to the server, or vice versa, that would otherwise be allowed by the firewall. Note that those non-initial packets are denied by the firewall, and therefore not caught by the FA, until the necessary state has been created at the firewall, because the first rule only allows initial packets. When such a packet is caught, the FA deletes the rule that allows initial packets and the rules that catch non-initial packets.

[4] The initial packet may be sent multiple times because of the retry mechanism of reliable protocols such as TCP.

7. Performance measurement

To measure the performance, we set up two private networks. Each network has two private nodes behind a Linux NAT box (headnode) with two network interfaces. Nodes within each private network are connected via 100Mbps Ethernet. The two networks are connected via a department network (100Mbps). Neither inbound nor outbound connections are allowed through the NATs. Every machine has two 2.4 GHz CPUs with 512K cache and 2G RAM, with about 1.7G free. Using a test suite that we wrote, we measured connection setup and data transfer times. In our test suite, a client makes a connection to a server and then sends 100 messages, each 10K bytes long, back-to-back. The server echoes each message back to the client. When every message has been echoed, the client tears down the connection. We inserted a random delay between connections; the actual delay was determined using a Poisson process with a mean (λ) of 3 seconds.

Table 1: TCP connection and transfer. Numbers are in microseconds; those in parentheses are standard deviations.

          Inter                          Intra
          Conn           Data            Conn          Data
CODO      27320 (1330)   279945 (6921)   4958 (142)    141853 (5370)
Reg.      543 (77)       278187 (7022)   221 (58)      141494 (5366)

Table 1 shows the average time to make a connection and the average total time for 100 messages to be echoed. To indicate the overhead of CODO, the table also gives numbers for regular sockets with the NATs manually configured to allow traffic between the two networks. For private-to-private measurements ('Inter' columns), we used a client in one network and a server in the other. For intra-network communication ('Intra' columns), we used a client and a server in the same private network. We used X.509 (RSA) public keys for authentication and session key establishment. SHA-1 and 3DES were used for integrity and encryption of CODO commands, respectively.
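The FA/firewall interaction described in the previous section, as an added simulation that is not CODO's code: a toy stateful firewall holds established flows, the FA's "allow initial" and "catch non-initial" rules are modelled as one entry per (client, server) pair, and the trace shows that a non-initial packet is dropped before state exists, an initial packet creates the state (retries included), and the first caught non-initial packet removes the FA's rules. The packet shape, verdict strings and the hypothetical `handshake_trace` helper are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    initial: bool  # True for the first SYN of a connection (may be retried)

@dataclass
class FirewallWithFA:
    """Toy stateful firewall plus the FA's Netfilter rules (constructed model)."""
    state: set = field(default_factory=set)      # established (client, server) flows
    fa_rules: set = field(default_factory=set)   # (client, server) pairs the FA opened
    caught: list = field(default_factory=list)   # non-initial packets handed to the FA

    def fa_open(self, client, server):
        # FA adds one rule allowing initial packets client->server plus
        # catch rules for non-initial packets in both directions
        self.fa_rules.add((client, server))

    def process(self, pkt):
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        # Stateful firewall: packets of an established flow pass in both directions
        flow = fwd if fwd in self.state else rev if rev in self.state else None
        if flow is not None:
            if not pkt.initial and flow in self.fa_rules:
                # catch rule fires: state exists, so the FA's rules are now unnecessary
                self.caught.append(pkt)
                self.fa_rules.discard(flow)  # delete the allow rule and the catch rules
            return "ACCEPT"
        # No state yet: only an initial packet matching the FA's allow rule passes,
        # and accepting it creates the state the firewall uses from now on
        if pkt.initial and fwd in self.fa_rules:
            self.state.add(fwd)
            return "ACCEPT"
        # Non-initial packets arriving before state exists are denied here
        # and never reach the FA's catch rules
        return "DROP"

def handshake_trace(fw, client, server):
    """Run the sequence from the text and return the firewall verdicts in order."""
    fw.fa_open(client, server)
    return [
        fw.process(Packet(client, server, initial=False)),  # early non-initial: DROP
        fw.process(Packet(client, server, initial=True)),   # SYN: ACCEPT, state created
        fw.process(Packet(client, server, initial=True)),   # SYN retry (footnote 4): ACCEPT
        fw.process(Packet(server, client, initial=False)),  # SYN-ACK: ACCEPT, caught, rules deleted
        fw.process(Packet(client, server, initial=False)),  # data: ACCEPT via state alone
    ]
```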