[Snort-devel] further ruminations on a language-based approach
roel at ...60...
roel at ...60...
Tue Apr 10 14:23:33 EDT 2001
> 3) I think that the preprocessor/stateful-protocol/fragmentation case
> needs to be handled in a generic way. Examples of content that is
> fragmented at lower protocols and reassembled at higher protocols abounds
> throughout the stack. Aside from the obvious cases of IP fragmentation
> and TCP stream reassembly, I also came up with the killer case of ATM,
> which passes in IP packets 53 (or whatever) bytes at a time.
Time to speak up I guess: ATM is and odd duck in the pond of link/physical layer
protocols. On the wire ATM is 53 bytes 'cells' indeed. However the way software
interacts with the ATM link layer is through an ATM Adaption Layer (AAL)
The AAL takes care of the 'fragmentation' and 'reassembly' of cells into frames
and vice versa. There are different AAL's for different applications, for data
99% of the time AAL5 is used. AAL5 can take complete frames/packets, and does the
fragmentation and reassmebly completely in hardware, so at the kernel end you
get complete packets/frames. (All popular chip sets for ATM implement AAL5)
So from an IP level you're actually dealing with an interface that has
an MTU of 1500, 41something, or 9180 (Lan emulation (LANE), Multi protocol over
ATM (MPOA), and CLIP, classical IP respectively) AAL5's are protected by CRC's,
so if a cell out of an AAL5 frame gets lost, the entire frame gets dropped at
the interface level, and the IP stack never sees it. From a snort standpoint
ATM just looks like another interface, you don't have to treat ATM any
differently than say ethernet. You get complete frames from the interface, you
may have to deal with regular IP fragmentation, but you don't have to deal with
the ATM assembly/fragmentation.
In comparison to any other link/physical layer protocols ATM is odd in that it
fulfills particular network and data link layer functions that other physical
layer don't. (Normally things that are done by the IP layer for example, like
packet integrity) Due to it's connection oriented nature it also does routing
essentially. However most of these aspects are transparent to the upper layers.
(*Sordid detail: If you knew all your physical/link layer is ATM you could get
rid of quite a bit of the functionality of the IP layer.)
Maybe not the clearest of explanations, but I hope it conveys the idea.
If aspects of this aren't clear please let me know, and I'll be happy to try to
Silicon Defense: Technical Support for Snort!
More information about the Snort-devel