A Flexible Name-Based Packet Filtering Engine and System for Named Data Networking

  • Qianyu Zhang
  • Tian Song*
  • Yihan Wu

*Corresponding author for this work

Research output: Contribution to journal, Article, peer-review

1 Citation (Scopus)

Abstract

Packet filtering is a fundamental technique that provides the cornerstone building block for network management and security. Although IP packet filtering is mature, the design and benefits of packet filtering in the context of named data networking (NDN) remain largely unexplored. NDN is an information-centric networking paradigm that differs from IP in three respects: it addresses content by name instead of by IP address, it has two packet types (Interest and Data) rather than a single IP packet, and its data plane is stateful rather than stateless. NDN packet filtering therefore involves numerous design choices that must be considered carefully, as well as system-wide challenges. In this paper, for the first time, we propose a complete solution for name-based packet filtering, consisting of a flexible filtering engine that resides inside the OS kernel and a rule-based packet filtering system for users. We present three key components: ihooks, ifilters, and itables. ihooks provides fourteen hooking points for inline processing of NDN Interest and Data packets. ifilters is a rule-based packet filtering engine configured by quadruple rules built on matching operations. itables provides several tables that manage rule configuration between the kernel and userspace over Netlink sockets, which serve as a unified interface for users. Our design follows the packet-processing philosophy of modern operating systems and has been fully implemented in Linux. Experimental results show that the system performs well in rule processing (e.g., applying 50 rules across four tables takes around 1.6 μs on average). Our work provides a practical, full-scale packet filtering solution for NDN that addresses the requirements of network traffic control, content security, and access management.
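To make the rule model concrete, the following Python sketch is an added example constructed for this page; it is not the paper's kernel engine and does not model the Netlink configuration path. The abstract only says that rules are quadruples built on matching operations and that tables are attached at hook points, so the four rule fields (packet type, match operation, pattern, action), the hook names, the match operations, and first-match-wins semantics per hook are all this example's assumptions. The point it demonstrates is the part a practitioner most often gets wrong: name prefixes must be matched component-wise, so that a rule for `/corp` does not also catch `/corporate`.

```python
"""Illustrative name-based packet filter for NDN Interest and Data packets.
Constructed example; rule layout, hook names and match ops are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional


class PacketType(Enum):
    INTEREST = auto()
    DATA = auto()


class Action(Enum):
    ACCEPT = auto()
    DROP = auto()


@dataclass(frozen=True)
class Packet:
    ptype: PacketType
    name: str  # NDN name in URI form, e.g. "/example/video/seg1"


def components(name: str) -> tuple:
    """Split a URI-form NDN name into components, ignoring empty ones."""
    return tuple(c for c in name.split("/") if c)


@dataclass(frozen=True)
class Rule:
    """Assumed quadruple: (packet type, match operation, pattern, action)."""
    ptype: Optional[PacketType]  # None matches both Interest and Data
    op: str                      # "prefix", "exact" or "component"
    pattern: str
    action: Action

    def matches(self, pkt: Packet) -> bool:
        if self.ptype is not None and self.ptype != pkt.ptype:
            return False
        name = components(pkt.name)
        if self.op == "prefix":
            # Component-wise prefix: "/corp" must NOT match "/corporate".
            pat = components(self.pattern)
            return name[: len(pat)] == pat
        if self.op == "exact":
            return name == components(self.pattern)
        if self.op == "component":
            # Any single component equal to the pattern, e.g. "debug".
            return self.pattern in name
        raise ValueError(f"unknown match op {self.op!r}")


@dataclass
class Table:
    name: str
    rules: list = field(default_factory=list)

    def first_match(self, pkt: Packet) -> Optional[Rule]:
        return next((r for r in self.rules if r.matches(pkt)), None)


class FilterEngine:
    """Tables are attached to named hook points (assumed names). At a hook the
    tables are consulted in order and the first matching rule decides."""

    def __init__(self, default: Action = Action.ACCEPT):
        self.default = default
        self.hooks: dict[str, list[Table]] = {}

    def attach(self, hook: str, table: Table) -> None:
        self.hooks.setdefault(hook, []).append(table)

    def process(self, hook: str, pkt: Packet) -> tuple[Action, Optional[str]]:
        """Return (verdict, name of the deciding table or None for default)."""
        for table in self.hooks.get(hook, []):
            rule = table.first_match(pkt)
            if rule is not None:
                return rule.action, table.name
        return self.default, None


def build_demo_engine() -> FilterEngine:
    """Constructed policy: access control on inbound Interests and content
    quarantine on outbound Data. Names and prefixes are made up."""
    engine = FilterEngine()
    access = Table("access")
    access.rules += [
        Rule(PacketType.INTEREST, "prefix", "/corp/public", Action.ACCEPT),
        Rule(PacketType.INTEREST, "prefix", "/corp", Action.DROP),
    ]
    content = Table("content")
    content.rules += [
        Rule(PacketType.DATA, "prefix", "/cdn/quarantined", Action.DROP),
        Rule(None, "component", "debug", Action.DROP),
    ]
    engine.attach("interest_in", access)
    engine.attach("data_out", content)
    return engine


if __name__ == "__main__":
    eng = build_demo_engine()
    for hook, pkt in [
        ("interest_in", Packet(PacketType.INTEREST, "/corp/internal/hr")),
        ("interest_in", Packet(PacketType.INTEREST, "/corporate/site")),
        ("data_out", Packet(PacketType.DATA, "/cdn/quarantined/blob")),
    ]:
        print(hook, pkt.name, eng.process(hook, pkt))
```

Rule order matters in the same way it does in iptables: the `/corp/public` allow must precede the `/corp` deny, and a rule with `ptype=None` applies to both packet types, which is what you want for a name component such as `debug` that should never cross a boundary in either direction.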

Original language: English
Pages (from-to): 168-183
Number of pages: 16
Journal: IEEE Transactions on Networking
Volume: 34
DOIs
Publication status: Published - 2026
Externally published: Yes

Keywords

  • Named data networking
  • iptables
  • packet filtering engine
  • security
  • table management
