Issues on fragmentation

jigsaw

Nov 29, 2009, 5:57:08 AM11/29/09
to opendpi
Hi,

Both opendpi and ipp2p (also backed up by ipoque), IMO, lack a vital functionality of DPI, which is analysis of fragmented packets.

If the fragmentation happens at IP level, both refuse to go further. And if the payload is fragmented by TCP, chances are both fail to target the signature, if the signature happens at the edge of two consecutive packets. However, I don't believe DPI vendors would let fragmented packets go easily.

One possible solution, as far as I can tell, is using a streaming data window model, by which means every byte is involved in signature detection, regardless of fragmentation on any level. Actually there are already decent papers [1] on this topic. Most are on hardware implementation, though. A software approach could be achieved by referring to the hardware implementation. This would probably be heavily dependent on parallel programming, due to performance concerns. Thus the outcome could be totally different from opendpi, ipp2p, snort, etc.

My questions are the following.
Does the commercial relative of opendpi handle fragmentation?
If so, is it just like reassembly in TCP/IP stacks?
If not, is there any mechanism to reduce the false negative ratio caused by incomplete scanning due to fragmentation?
And last but not least, could you give some advice on the feasibility of implementing the model [1] in software?

Thanks and
Regards,
-ql

References:

[1] S. Dharmapurikar, P. Krishnamurthy, T. Sproul and J. Lockwood.
Deep Packet Inspection using Parallel Bloom Filters.
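The boundary problem raised in the post, as an added example that is not part of the original thread or of opendpi: a per-packet scan misses a signature split across two TCP segments, while a streaming matcher that carries over the last len(signature)-1 bytes checks every byte with bounded memory. The signature string and the segments are constructed sample data; in-order delivery is assumed (out-of-order segments still need TCP reassembly).

```python
# Added example, not code from the original post or from opendpi/ipp2p.
# Constructed sample signature; any byte pattern would do here.
SIGNATURE = b"BitTorrent protocol"


def per_packet_scan(segments, signature=SIGNATURE):
    """Naive DPI: each segment is inspected in isolation, so a signature
    that straddles a segment boundary is never seen as a whole."""
    return any(signature in seg for seg in segments)


class StreamingMatcher:
    """Streaming window matcher: keeps only the tail of the previous
    segment (len(signature)-1 bytes), so memory is bounded per flow and
    no full reassembly buffer is needed, yet every byte of the stream
    takes part in the match. Assumes segments arrive in order."""

    def __init__(self, signature):
        self.signature = signature
        self.carry = b""          # tail bytes kept from earlier segments
        self.offset = 0           # absolute stream offset of carry[0]
        self.matched = False
        self.match_offset = None  # where in the stream the match began

    def feed(self, segment):
        """Feed one in-order segment; return True once the signature is seen."""
        if self.matched:
            return True
        buf = self.carry + segment
        idx = buf.find(self.signature)
        if idx != -1:
            self.matched = True
            self.match_offset = self.offset + idx
            return True
        keep = len(self.signature) - 1
        # Retain only bytes that could still be a prefix of the signature.
        self.carry = buf[-keep:] if keep > 0 else b""
        self.offset += len(buf) - len(self.carry)
        return False


def stream_scan(segments, signature=SIGNATURE):
    """Run the streaming matcher over a sequence of in-order segments."""
    matcher = StreamingMatcher(signature)
    return any(matcher.feed(seg) for seg in segments)
```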