DocumentCode :
1826510
Title :
The Netnice packet filter: bridging the structural mismatches in end-host network control
Author :
Okumura, Takashi ; Mosse, Daniel
Author_Institution :
Dept. of Comput. Sci., Pittsburgh Univ., PA, USA
Volume :
3
fYear :
2005
fDate :
13-17 March 2005
Firstpage :
2091
Abstract :
There have been increasing demands for proper monitoring and control in end-host systems, mainly for security and QoS purposes. Nevertheless, existing technologies are insufficient as primitives for end-host security. For example, the Berkeley packet filter (BPF), the most popular monitoring infrastructure for many Unix systems, is intended for packet capturing at physical interfaces and is thus not appropriate for monitoring applications, which is sometimes critical for system security. This paper presents a simple solution to the problem, utilizing the hierarchical virtual network interface (VIF) mechanism. A VIF is a new OS abstraction that can be hierarchically structured and attached to OS entities to control their network I/O. We extend VIFs to allow filtering and monitoring of their traffic, and show that the resulting mechanism has desirable properties for end-host monitoring and control of traffic. We present our prototype implementation on FreeBSD, and evaluate it qualitatively and quantitatively. Demonstrated advantages include: i) the ability to monitor terminating entities at arbitrary granularity, ii) a single consistent framework for both network security and network quality of service, iii) OS independence, iv) efficiency as a control primitive, v) compatibility with the BPF interface and its applications, and vi) flexibility for future functional expansion.
Keywords :
computer networks; information filters; network interfaces; quality of service; telecommunication control; telecommunication security; telecommunication traffic; Berkeley packet filter; Netnice packet filter; QoS; Unix systems; end-host network control; network quality of service; system security; telecommunication traffic; virtual network interface mechanism; Application software; Band pass filters; Communication system traffic control; Computerized monitoring; Control systems; Inspection; Intelligent networks; Peace technology; Quality of service; Traffic control;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
INFOCOM 2005. 24th Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings IEEE
ISSN :
0743-166X
Print_ISBN :
0-7803-8968-9
Type :
conf
DOI :
10.1109/INFCOM.2005.1498485
Filename :
1498485