Service Function Chaining (SFC) allows the delivery of advanced end-to-end services composed of one or more network functions. IPv6 Segment Routing (SRv6) is a network architecture based on source routing, in which a list of segments is attached to packets to enforce a path different from the shortest one. SRv6 supports SFC by assigning each network function a segment and combining these segments into a segment list. In order to fully leverage the SRv6 network programming capabilities, network functions are required to be SR-aware. In this paper, we present our implementation of SR-Snort, an SR-aware intrusion detection system (IDS) and intrusion prevention system (IPS). We extended the open-source implementation of Snort so that it can apply the configured rules to the inner packet of SR traffic. SR-Snort can handle both inner IPv4 and inner IPv6 traffic, and it can work in either IDS or IPS mode.
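As an added illustration (not code from SR-Snort or Snort), the following Python shows the core of what an SR-aware IDS has to do: walk the outer IPv6 header and the Segment Routing Header, locate the encapsulated packet, and apply a rule to that inner packet rather than to the SRv6 envelope, for both inner IPv4 and inner IPv6. The sample packets, segment list and rule are constructed for the example, and the SRH layout follows RFC 8754.

```python
import struct
import ipaddress

A4, A6 = ipaddress.IPv4Address, ipaddress.IPv6Address
IPV4, TCP, UDP, IPV6, ROUTING, SRH_TYPE = 4, 6, 17, 41, 43, 4  # IANA protocol numbers and the SRH routing type
def skip_srh(pkt):
    """Return (next_header, offset, segments in traversal order) past the outer IPv6 header and its SRH."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("outer packet is not IPv6")
    nh, off, segs = pkt[6], 40, []
    if nh == ROUTING:  # SRH fixed part (RFC 8754): NH, Hdr Ext Len, Type, Segments Left, Last Entry, Flags, Tag
        nh, ext_len, rtype, _left, last, _flags, _tag = struct.unpack_from("!BBBBBBH", pkt, off)
        if rtype != SRH_TYPE:
            raise ValueError("routing header is not an SRH")
        area = pkt[off + 8:off + 8 + 16 * (last + 1)]  # the segment list is stored last-segment-first
        segs = [str(A6(area[i:i + 16])) for i in range(0, len(area), 16)][::-1]
        off += 8 * (ext_len + 1)
    return nh, off, segs

def inner_tuple(pkt):
    """Decode the encapsulated IPv4 or IPv6 packet into (proto, src, dst, sport, dport)."""
    nh, off, _ = skip_srh(pkt)
    if nh == IPV4:
        proto, hlen = pkt[off + 9], (pkt[off] & 0x0F) * 4
        src, dst = A4(pkt[off + 12:off + 16]), A4(pkt[off + 16:off + 20])
    elif nh == IPV6:
        proto, hlen = pkt[off + 6], 40
        src, dst = A6(pkt[off + 8:off + 24]), A6(pkt[off + 24:off + 40])
    else:
        raise ValueError("no encapsulated IP packet after the SRH")
    ports = struct.unpack_from("!HH", pkt, off + hlen) if proto in (TCP, UDP) else (None, None)
    return (proto, str(src), str(dst)) + ports

def rule_matches(rule, pkt):  # minimal Snort-style rule: transport protocol + destination port, on the inner packet
    proto, _src, _dst, _sport, dport = inner_tuple(pkt)
    return proto == rule["proto"] and dport == rule["dport"]

def srv6_encap(inner, inner_nh, segs):
    """Wrap `inner` in outer IPv6 + SRH; `segs` is in traversal order and segs[0] becomes the active DA."""
    srh = struct.pack("!BBBBBBH", inner_nh, 2 * len(segs), SRH_TYPE, len(segs) - 1, len(segs) - 1, 0, 0)
    srh += b"".join(A6(s).packed for s in reversed(segs))
    outer = struct.pack("!IHBB", 0x60000000, len(srh) + len(inner), ROUTING, 64) + A6("2001:db8::1").packed
    return outer + A6(segs[0]).packed + srh + inner

INNER_V4 = (struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, TCP, 0, A4("10.0.0.1").packed, A4("10.0.0.2").packed)
            + struct.pack("!HHIIBBHHH", 40000, 23, 0, 0, 5 << 4, 0x02, 8192, 0, 0))  # constructed TCP SYN to port 23
INNER_V6 = (struct.pack("!IHBB16s16s", 0x60000000, 8, UDP, 64, A6("2001:db8:1::1").packed, A6("2001:db8:2::1").packed)
            + struct.pack("!HHHH", 5353, 53, 8, 0))  # constructed UDP datagram to port 53 (checksums left at zero)
SEGS, TELNET_RULE = ["fc00::a", "fc00::b"], {"proto": TCP, "dport": 23}  # constructed SR policy and one rule
PKT_V4, PKT_V6 = srv6_encap(INNER_V4, IPV4, SEGS), srv6_encap(INNER_V6, IPV6, SEGS)
```

A rule engine that only looked at the outer header would see IPv6 with a routing header and no transport ports on both packets; the telnet rule matches only after the inner packet has been located.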