Design and Implementation of Content Switch on IXP1200EB
NPCS lli1
DESIGN AND IMPLEMENTATION OF CONTENT SWITCH ON IXP1200EB
Presenter: Longhua Li
Committee Members:
Dr. C. Edward Chow
Dr. Jugal K. Kalita
Dr. Charles M. Shub
Dec. 3rd, 2002
Content-Based Switch
Content Switch Architecture (Infocom 2000, Apostolopoulos et al.)
[Figure labels: Client; Hash Table; CS Rules; pkt Modification info; Real Server 1]
Step 1. Controller finds there is no entry in Hash Table; route request to content switch processor.
Step 2. CS processor:
a. Extract content / match CS rules
b. Route request
c. Set up Sequence# modification on server side port
Step 3. At server side port, return pkts are modified (Sequence# / IP addr / Chksum) and routed back to client.
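Step 3 above has the server-side port rewrite the sequence number, IP address and checksum of return packets. The C code below is an added example, not code from the presentation or the NPCS project: it assumes the switch keeps a per-connection sequence offset and virtual IP (struct and function names are hypothetical, addresses are constructed) and patches the TCP checksum incrementally per RFC 1624 instead of recomputing it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed per-connection splice state (names are hypothetical). */
struct splice { uint32_t seq_delta, virtual_ip; };
/* Only the return-packet fields the slide says are rewritten (host byte order). */
struct ret_pkt { uint32_t src_ip, seq; uint16_t tcp_csum; };

static uint16_t fold(uint32_t s) {            /* one's-complement fold to 16 bits */
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}
/* RFC 1624 eqn. 3: HC' = ~(~HC + ~m + m') for one changed 16-bit word. */
static uint16_t csum_update16(uint16_t hc, uint16_t m_old, uint16_t m_new) {
    return (uint16_t)~fold((uint32_t)(uint16_t)~hc + (uint16_t)~m_old + m_new);
}
static uint16_t csum_update32(uint16_t hc, uint32_t v_old, uint32_t v_new) {
    hc = csum_update16(hc, (uint16_t)(v_old >> 16), (uint16_t)(v_new >> 16));
    return csum_update16(hc, (uint16_t)v_old, (uint16_t)v_new);
}
/* Reference: full checksum over the covered words, used only to verify. */
static uint16_t csum_full(const struct ret_pkt *p, const uint16_t *rest, size_t n) {
    uint32_t s = (p->src_ip >> 16) + (p->src_ip & 0xffff) + (p->seq >> 16) + (p->seq & 0xffff);
    for (size_t i = 0; i < n; i++) s += rest[i];
    return (uint16_t)~fold(s);
}
/* Step 3: shift the sequence number, swap the source address, patch the checksum. */
void splice_rewrite_return(const struct splice *s, struct ret_pkt *p) {
    uint32_t new_seq = p->seq + s->seq_delta;  /* unsigned add wraps mod 2^32 */
    p->tcp_csum = csum_update32(p->tcp_csum, p->seq, new_seq);
    p->tcp_csum = csum_update32(p->tcp_csum, p->src_ip, s->virtual_ip);
    p->seq = new_seq;
    p->src_ip = s->virtual_ip;
}
/* Constructed packet: returns 1 when the patched checksum equals a full recompute. */
int splice_check(uint32_t seq, uint32_t delta) {
    struct splice s = { delta, 0xC000020Au };      /* 192.0.2.10, constructed VIP */
    struct ret_pkt p = { 0xC6336407u, seq, 0 };    /* 198.51.100.7, constructed server */
    const uint16_t rest[] = { 0x0050, 0xC35A, 0x5018, 0x4854 }; /* unchanged words */
    p.tcp_csum = csum_full(&p, rest, 4);
    splice_rewrite_return(&s, &p);
    return p.seq == seq + delta && p.tcp_csum == csum_full(&p, rest, 4);
}
int main(void) {
    printf("wraparound ok: %d\n", splice_check(0xFFFFFFF0u, 0x20u));
    return 0;
}
```

The IP header checksum, which also covers the source address, would be patched with the same `csum_update32` call.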
Commercial Content Switches
Cisco Content Engine (Arrowpoint)
Foundry Networks’ ServerIron Products
F5’s Big-IP
Nortel Networks Alteon Web Switches
Intel XML Director
Phobos In-Switch
Content Switch Operations
[Figure labels: Incoming Packets; Header/Content Extraction; Packet Classification; Content Switching Rule Matching Algorithm; Content Switch Rules; CS Rule Editor; Packet Routing (Load Balancing); Network Path Info; Server Load Status; Forward Packet To Servers]
Secure Socket Layer (SSL) Protocol
We need SSL for secure communications between client and server.
SSL Protocol allows
– the exchange of certificates for the authentication of server and potentially the clients
– cipher suites and selection of session keys for encryption
Overview of SSL Procedure
SSL Messages
Client                                   Server
1. Client hello ----->
<----- 2. Server hello
<----- 3. Certificate (Optional)
<----- 4. Certificate request (Optional)
<----- 5. Server key exchange (Optional)
<----- 6. Server hello done
7. Certificate (Optional) ----->
8. Client key exchange ----->
9. Certificate verify (Optional) ----->
10. Change cipher spec ----->
11. Finished ----->
<----- 12. Change cipher spec
<----- 13. Finished
14. Encrypted data <-----> 14. Encrypted data
OpenSSL
An Open Source Toolkit for SSL/TLS
Implements the Secure Sockets Layer protocol (SSL v2/v3), the Transport Layer Security (TLS v1) protocol
Implements cryptographic algorithms:
– message digest algorithms
– symmetric ciphers
– public key cryptography
Intel IXP1200 NP and IXP12EB
The IXP1200 Network Processor: Highly integrated RISC architecture
The IXP12EB Evaluation Board:
– PCI form factor board based on IXP1200 Network Processor
– eight 10/100 Mbps ports
– two Gigabit Ethernet ports
– PCI back-plane and an Ethernet Network Interface Card (NIC)
IXP 1200 Network Processor
Development Environment
Intel Developer Workbench (for Microengines)
WindRiver Tornado IDE (for StrongARM)
Design of IXP1200-Based Secure Content Switch (NPCS)
Purpose of this design
– Study resource constraints (memory) on content switch design.
– Learn the impact of real time embedded OS.
– Understand the porting issues (from Linux to VxWorks)
Assumptions
– Security
– Certificates
Design of NPCS (Hardware set up)
Design of NPCS (Software layers)
Design of NPCS (Modules)
Implementation of NPCS
The implementation of NPCS is divided into three parts:
– Packets Receiving and Transmitting
– Porting OpenSSL
– Porting Linux-based Secure Content Switch and implementing it on IXP12EB
Hardware & Software Environments
Host machine: dilbert
Set up IXP12EB
tgtsvr.exe 128.198.60.32 -n IXP1200EB -m 15728640 -V -B Wdbrpc -redirectIO
Real Servers:
– frodo.uccs.edu (128.198.60.183)
– eca.uccs.edu (128.198.60.188)
The Prototype of NPCS
Packets Receiving and Transmitting
– Microengine Reception and Transmission
– Pseudo Device Driver
Porting OpenSSL
Porting and Implementing Secure Content Switch on IXP1200EB
Packets Receiving & Transmitting
Porting OpenSSL
No public domain OpenSSL for VxWorks.
Two major libraries: CryptoLib and SSLLib
Makefiles
Size of the libraries
Porting and Implementing Secure Content Switch on IXP12EB
Three major tasks (two modules):
– Controller
– Request Processor
– Rule Matcher
The Controller
The Request Processor
The Rule Matcher
Test Results and Analysis
Three test scenarios:
– Both SSL Proxy and Rule Module running on the IXP12EB. Real servers are two Linux machines.
– SSL Proxy running on IXP12EB with Rule Module running on a Linux machine. Real servers are two Linux machines.
– Test response time according to different XML doc request size for NPCS and Intel 7280 XML parser.
Test bed set up
Test Results and Analysis
Test Results and Analysis (Cont.)
Test Results and Analysis (Cont.)
Limitation of NPCS and Possible Future Works
Communication between tasks
Rule Module
File store (no hard drive)
Utilization of Microengines
Sizes of Libraries CryptoLib and SSLLib
Lessons Learned
Hardware configuration
Memory cache size
Building VxWorks images
Debugging
Building libraries
Testing local OpenSSL implementation on IXP
ssldump
Conclusion
This NPCS is a prototype of a secure content switch that performs the functions of a web switch at the Application Layer on the IXP1200 Network Processor Evaluation Board.
The security part of this implementation currently uses the software package OpenSSL version 0.9.6b ported onto VxWorks.
Packet receiving uses the modified microengine reference design code and the PETH driver.
Its performance is not satisfactory, for good reason.
Based on the architecture of the IXP1200 Network Processor and the test results, there are some possible improvements that could be made in the future.
Demo
Launch IXP12EB and open a shell window
Download ssl_proxy.out and rulemodule.out to IXP
At shell window, type
> init
> PethDrvInit
> sslproxy
Open another shell window, type
> rulemodule
Go to test page: http://archie.uccs.edu/~acsd/ixp1200/sslproxytest.html