[Snort-devel] further ruminations on a language-based approach

roel at ...60... roel at ...60...
Tue Apr 10 14:23:33 EDT 2001


Todd,

> 3) I think that the preprocessor/stateful-protocol/fragmentation case
> needs to be handled in a generic way.  Examples of content that is
> fragmented at lower protocols and reassembled at higher protocols abounds
> throughout the stack.  Aside from the obvious cases of IP fragmentation
> and TCP stream reassembly, I also came up with the killer case of ATM,
> which passes in IP packets 53 (or whatever) bytes at a time.

Time to speak up I guess: ATM is and odd duck in the pond of link/physical layer 
protocols. On the wire ATM is 53 bytes 'cells' indeed. However the way software 
interacts with the ATM link layer is through an ATM Adaption Layer (AAL)
The AAL takes care of the 'fragmentation' and 'reassembly' of cells into frames 
and vice versa. There are different AAL's for different applications, for data
99% of the time AAL5 is used. AAL5 can take complete frames/packets, and does the
fragmentation and reassmebly completely in hardware, so at the kernel end you
get complete packets/frames. (All popular chip sets for ATM implement AAL5)
So from an IP level you're actually dealing with an interface that has
an MTU of 1500, 41something, or 9180 (Lan emulation (LANE), Multi protocol over 
ATM (MPOA), and CLIP, classical IP respectively) AAL5's are protected by CRC's,
so if a cell out of an AAL5 frame gets lost, the entire frame gets dropped at 
the interface level, and the IP stack never sees it. From a snort standpoint
ATM just looks like another interface, you don't have to treat ATM any 
differently than say ethernet. You get complete frames from the interface, you
may have to deal with regular IP fragmentation, but you don't have to deal with
the ATM assembly/fragmentation.

In comparison to any other link/physical layer protocols ATM is odd in that it
fulfills particular network and  data link layer functions that other physical
layer don't. (Normally things that are done by the IP layer for example, like
packet integrity) Due to it's connection oriented nature it also does routing
essentially. However most of these aspects are transparent to the upper layers.
(*Sordid detail: If you knew all your physical/link layer is ATM you could get
rid of quite a bit of the functionality of the IP layer.)

Maybe not the clearest of explanations, but I hope it conveys the idea.
If aspects of this aren't clear please let me know, and I'll be happy to try to
explain it.




-- 
roel
Silicon Defense: Technical Support for Snort!
http://www.SiliconDefense.com







More information about the Snort-devel mailing list