DESIGN AND IMPLEMENTATION OF CONTENT SWITCH ON IXP1200EB
NPCS lli1
DESIGN AND IMPLEMENTATION OF CONTENT SWITCH ON IXP1200EB
Presenter: Longhua Li
Committee Members:
Dr. C. Edward Chow
Dr. Jugal K. Kalita
Dr. Charles M. Shub
Dec. 3rd, 2002
Content-Based Switch
Content Switch Architecture (Infocom 2000, Apostolopoulos et al.)
Components in the figure: Client, Hash Table, Controller, Content Switch (CS) processor, CS Rules, packet modification info, Real Server 1
Step 1. Controller finds there is no entry in the Hash Table; routes the request to the content switch processor.
Step 2. CS processor:
  a. Extract content / match CS rules
  b. Route request
  c. Set up sequence # modification on the server side port
Step 3. At the server side port, return packets are modified (sequence #, IP addr, checksum) and routed back to the client.
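The bookkeeping behind steps 2c and 3 in C, as an added example that is not from the slides or from the NPCS code: once the switch has completed its own handshake with the client and a second handshake with the chosen server, it records for that spliced connection the VIP plus two sequence-space offsets derived from the four ISNs, and applies them to every server-to-client packet before recomputing the IP and TCP checksums. Header layouts follow RFC 791/793 and the checksum RFC 1071; the packet bytes, addresses and ISNs are constructed here, and a production switch would patch the checksums incrementally (RFC 1624) rather than recompute them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_HLEN 20
#define TCP_HLEN 20

/* Big-endian field access into the packet buffer. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* Internet checksum (RFC 1071): accumulate 16-bit words, then fold and invert. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2) sum += ((uint32_t)p[0] << 8) | p[1];
    if (len) sum += (uint32_t)p[0] << 8;
    return sum;
}
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* TCP checksum covers the IPv4 pseudo-header (src, dst, zero, proto, length)
 * plus TCP header and payload. Evaluates to 0 when the stored checksum is valid. */
static uint16_t tcp_checksum(const uint8_t *ip, const uint8_t *tcp, size_t tcp_len)
{
    uint8_t pseudo[12];
    memcpy(pseudo, ip + 12, 8);
    pseudo[8] = 0; pseudo[9] = 6;
    wr16(pseudo + 10, (uint16_t)tcp_len);
    return csum_fold(csum_add(csum_add(0, pseudo, sizeof pseudo), tcp, tcp_len));
}

/* Per-connection "pkt modification info" recorded in step 2c (assumed layout). */
struct splice_info {
    uint32_t vip;        /* address the client connected to; replaces the server's source IP */
    uint32_t seq_delta;  /* added to the server's SEQ to land in the switch->client sequence space */
    uint32_t ack_delta;  /* added to the server's ACK to land in the client->switch sequence space */
};

/* Derive the offsets from the ISNs of the two half-connections.
 * Unsigned arithmetic wraps modulo 2^32, exactly as TCP sequence numbers do. */
struct splice_info make_splice(uint32_t vip, uint32_t client_isn, uint32_t switch_isn_to_client,
                               uint32_t switch_isn_to_server, uint32_t server_isn)
{
    struct splice_info si;
    si.vip = vip;
    si.seq_delta = switch_isn_to_client - server_isn;
    si.ack_delta = client_isn - switch_isn_to_server;
    return si;
}

/* Build a minimal IPv4/TCP packet (no options) with valid checksums; returns its length. */
size_t build_packet(uint8_t *buf, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport,
                    uint32_t seq, uint32_t ack, const uint8_t *payload, size_t plen)
{
    size_t total = IP_HLEN + TCP_HLEN + plen;
    uint8_t *ip = buf, *tcp = buf + IP_HLEN;
    memset(buf, 0, total);
    ip[0] = 0x45; wr16(ip + 2, (uint16_t)total); ip[8] = 64; ip[9] = 6;   /* v4, IHL 5, TTL, TCP */
    wr32(ip + 12, src); wr32(ip + 16, dst);
    wr16(ip + 10, csum_fold(csum_add(0, ip, IP_HLEN)));
    wr16(tcp, sport); wr16(tcp + 2, dport); wr32(tcp + 4, seq); wr32(tcp + 8, ack);
    tcp[12] = 0x50; tcp[13] = 0x18; wr16(tcp + 14, 65535);                  /* offset 5, PSH|ACK, window */
    memcpy(tcp + TCP_HLEN, payload, plen);
    wr16(tcp + 16, tcp_checksum(ip, tcp, TCP_HLEN + plen));
    return total;
}

/* Step 3: rewrite one server->client packet in place. Returns 0 and leaves the
 * buffer untouched if it is not a plain IPv4/TCP packet of the claimed length. */
int rewrite_return_packet(uint8_t *pkt, size_t len, const struct splice_info *si)
{
    if (len < IP_HLEN + TCP_HLEN || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4, total = rd16(pkt + 2);
    if (ihl < IP_HLEN || pkt[9] != 6 || total > len || total < ihl + TCP_HLEN) return 0;
    uint8_t *ip = pkt, *tcp = pkt + ihl;
    wr32(ip + 12, si->vip);                                 /* source IP -> VIP */
    wr32(tcp + 4, rd32(tcp + 4) + si->seq_delta);           /* SEQ shift */
    wr32(tcp + 8, rd32(tcp + 8) + si->ack_delta);           /* ACK shift */
    wr16(ip + 10, 0); wr16(ip + 10, csum_fold(csum_add(0, ip, ihl)));
    wr16(tcp + 16, 0); wr16(tcp + 16, tcp_checksum(ip, tcp, total - ihl));
    return 1;
}

/* 1 if both the IP header checksum and the TCP checksum verify. */
int checksums_ok(const uint8_t *pkt, size_t len)
{
    if (len < IP_HLEN + TCP_HLEN) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4, total = rd16(pkt + 2);
    if (ihl < IP_HLEN || total > len || total < ihl + TCP_HLEN) return 0;
    return csum_fold(csum_add(0, pkt, ihl)) == 0 && tcp_checksum(pkt, pkt + ihl, total - ihl) == 0;
}

int main(void)
{
    uint8_t pkt[128];
    const char *payload = "HTTP/1.0 200 OK\r\n";
    /* Constructed addresses and ISNs; a real switch takes them from the two handshakes. */
    size_t n = build_packet(pkt, 0xC0A80A0Bu, 0x0A000005u, 80, 40000, 1000, 5000,
                            (const uint8_t *)payload, strlen(payload));
    struct splice_info si = make_splice(0xC0A80A64u, 4000, 9000, 7000, 500);
    printf("before: seq=%u ack=%u ok=%d\n", rd32(pkt + 24), rd32(pkt + 28), checksums_ok(pkt, n));
    rewrite_return_packet(pkt, n, &si);
    printf("after:  seq=%u ack=%u ok=%d\n", rd32(pkt + 24), rd32(pkt + 28), checksums_ok(pkt, n));
    return 0;
}
```

The two deltas are all the per-packet state the server side port needs once the request has been bound to a server: the client never sees the server's ISN or address, and a packet that fails the length or protocol checks is left alone rather than half-rewritten.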
Commercial Content Switches
– Cisco Content Engine (Arrowpoint)
– Foundry Networks’ ServerIron Products
– F5’s Big-IP
– Nortel Networks Alteon Web Switches
– Intel XML Director
– Phobe In-Switch
Content Switch Operations
Processing pipeline (figure):
– Incoming packets
– Header/Content Extraction
– Packet Classification: Content Switching Rule Matching Algorithm, using the Content Switch Rules (maintained with the CS Rule Editor)
– Packet Routing (Load Balancing), using Network Path Info and Server Load Status
– Forward packet to servers
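The extraction, classification and routing stages of the figure in C, as an added example that is not code from the slides or from NPCS. The rule fields (method, URL prefix, required body substring), the pool assignment of the two real servers named later in the talk, and the sample requests are all assumed; rules are first-match in table order, and routing picks the least-loaded server in the matched pool, which stands in for the Server Load Status input.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_SERVERS 4

/* Server pool plus per-server active-connection counts (constructed values). */
struct pool {
    const char *name;
    const char *servers[MAX_SERVERS];
    int nservers;
    int load[MAX_SERVERS];
};

/* One content-switch rule. An empty string field matches anything. */
struct cs_rule {
    const char *method;
    const char *url_prefix;
    const char *body_contains;   /* e.g. an XML tag the request body must carry */
    struct pool *target;
};

/* Assumed rule table: XML orders go to one server, static files are spread, rest is catch-all. */
static struct pool xml_pool     = { "xml",     { "eca.uccs.edu" }, 1, { 0 } };
static struct pool static_pool  = { "static",  { "frodo.uccs.edu", "eca.uccs.edu" }, 2, { 0 } };
static struct pool default_pool = { "default", { "frodo.uccs.edu", "eca.uccs.edu" }, 2, { 0 } };
static struct cs_rule rules[] = {
    { "POST", "/",        "<order>", &xml_pool },
    { "GET",  "/images/", "",        &static_pool },
    { "",     "",         "",        &default_pool },
};
#define NRULES (sizeof rules / sizeof rules[0])

/* Header/content extraction: method and URL from the request line, body after the
 * blank line. Returns 0 when the request line is malformed or a field is too long. */
static int extract(const char *req, char *method, size_t mlen, char *url, size_t ulen, const char **body)
{
    const char *sp1 = strchr(req, ' ');
    if (!sp1 || (size_t)(sp1 - req) >= mlen) return 0;
    memcpy(method, req, (size_t)(sp1 - req)); method[sp1 - req] = '\0';
    const char *sp2 = strchr(sp1 + 1, ' ');
    if (!sp2 || (size_t)(sp2 - sp1 - 1) >= ulen) return 0;
    memcpy(url, sp1 + 1, (size_t)(sp2 - sp1 - 1)); url[sp2 - sp1 - 1] = '\0';
    const char *b = strstr(req, "\r\n\r\n");
    *body = b ? b + 4 : "";
    return 1;
}

/* Packet classification: first rule whose non-empty fields all match. */
static const struct cs_rule *classify(const char *method, const char *url, const char *body)
{
    for (size_t i = 0; i < NRULES; i++) {
        const struct cs_rule *r = &rules[i];
        if (r->method[0] && strcmp(r->method, method) != 0) continue;
        if (r->url_prefix[0] && strncmp(r->url_prefix, url, strlen(r->url_prefix)) != 0) continue;
        if (r->body_contains[0] && strstr(body, r->body_contains) == NULL) continue;
        return r;
    }
    return NULL;
}

/* Packet routing: least-loaded server in the pool; the count is bumped so the
 * next decision sees this connection. Returns the server index or -1. */
static int route(struct pool *p)
{
    int best = -1;
    for (int i = 0; i < p->nservers; i++)
        if (best < 0 || p->load[i] < p->load[best]) best = i;
    if (best >= 0) p->load[best]++;
    return best;
}

/* Whole pipeline for one request: the chosen server name, or NULL if unparsable. */
const char *cs_switch(const char *req)
{
    char method[16], url[256];
    const char *body;
    if (!extract(req, method, sizeof method, url, sizeof url, &body)) return NULL;
    const struct cs_rule *r = classify(method, url, body);
    if (!r) return NULL;   /* unreachable while the catch-all rule is present */
    int idx = route(r->target);
    return idx < 0 ? NULL : r->target->servers[idx];
}

/* Reset the load counters so a decision sequence can be replayed. */
void cs_reset(void)
{
    memset(xml_pool.load, 0, sizeof xml_pool.load);
    memset(static_pool.load, 0, sizeof static_pool.load);
    memset(default_pool.load, 0, sizeof default_pool.load);
}

int main(void)
{
    /* Constructed requests; the third carries the XML tag that rule 1 keys on. */
    const char *reqs[] = {
        "GET /images/logo.png HTTP/1.0\r\nHost: h\r\n\r\n",
        "GET /images/bg.png HTTP/1.0\r\nHost: h\r\n\r\n",
        "POST /order HTTP/1.0\r\nContent-Type: text/xml\r\n\r\n<order><item>42</item></order>",
        "POST /quote HTTP/1.0\r\n\r\n<quote/>",
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        const char *s = cs_switch(reqs[i]);
        printf("%-22.22s -> %s\n", reqs[i], s ? s : "(no route)");
    }
    return 0;
}
```

Matching on body content is what distinguishes a content switch from a layer-4 load balancer, and it is also why the switch must hold the whole request before binding it to a server; the length checks in extract are there because this stage sees attacker-controlled bytes before any server does.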
Secure Socket Layer (SSL) Protocol
We need SSL for secure communications between client and server.
SSL Protocol allows
– the exchange of certificates for the authentication of the server and potentially the clients
– cipher suites and selection of session keys for encryption
Overview of SSL Procedure
SSL Messages
Client                                     Server
1. Client hello                  ----->
                                 <-----    2. Server hello
                                 <-----    3. Certificate (Optional)
                                 <-----    4. Certificate request (Optional)
                                 <-----    5. Server key exchange (Optional)
                                 <-----    6. Server hello done
7. Certificate (Optional)        ----->
8. Client key exchange           ----->
9. Certificate verify (Optional) ----->
10. Change cipher spec           ----->
11. Finished                     ----->
                                 <-----    12. Change cipher spec
                                 <-----    13. Finished
14. Encrypted data               <----->   14. Encrypted data
OpenSSL
An Open Source Toolkit for SSL/TLS
– Implements the Secure Sockets Layer protocol (SSL v2/v3) and the Transport Layer Security (TLS v1) protocol
– Implements cryptographic algorithms: message digest algorithms, symmetric ciphers, public key cryptography
Intel IXP1200 NP and IXP12EB
The IXP1200 Network Processor: Highly integrated RISC architecture
The IXP12EB Evaluation Board:
– PCI form factor board based on IXP1200 Network Processor
– eight 10/100 Mbps ports
– two Gigabit Ethernet ports
– PCI back-plane and an Ethernet Network Interface Card (NIC)
IXP 1200 Network Processor
NPCSlli11
Development Environment
Intel Developer Workbench (for Microengines)
WindRiver Tornado IDE (for StrongARM)
Design of IXP1200-Based Secure Content Switch (NPCS)
Purpose of this design
– Study resource constraints (memory) on content switch design.
– Learn the impact of a real time embedded OS.
– Understand the porting issues (from Linux to VxWorks).
Assumptions
– Security
– Certificates
Design of NPCS (Hardware set up)
Design of NPCS (Software layers)
Design of NPCS (Modules)
Implementation of NPCS
The implementation of NPCS is divided into three parts:
– Packet Receiving and Transmitting
– Porting OpenSSL
– Porting the Linux-based Secure Content Switch and implementing it on IXP12EB
Hardware & Software Environments
Host machine: dilbert
Set up IXP12EB:
tgtsvr.exe 128.198.60.32 -n IXP1200EB -m 15728640 -V -B Wdbrpc -redirectIO
Real Servers:
– frodo.uccs.edu (128.198.60.183)
– eca.uccs.edu (128.198.60.188)
The Prototype of NPCS
Packet Receiving and Transmitting
– Microengine Reception and Transmission
– Pseudo Device Driver
Porting OpenSSL
Porting and Implementing Secure Content Switch on IXP1200EB
Packets Receiving & Transmitting
NPCSlli20
Porting OpenSSL
– No public domain OpenSSL for VxWorks.
– Two major libraries: CryptoLib and SSLLib
– Makefiles
– Size of the libraries
Porting and Implementing Secure Content Switch on IXP12EB
Three major tasks (two modules):
– Controller
– Request Processor
– Rule Matcher
The Controller
NPCSlli23
The Request Processor
NPCSlli24
The Rule Matcher
NPCSlli25
Test Results and Analysis
Three test scenarios:
– Both SSL Proxy and Rule Module running on the IXP12EB. Real servers are two Linux machines.
– SSL Proxy running on IXP12EB with Rule Module running on a Linux machine. Real servers are two Linux machines.
– Test response time according to different XML document request sizes for NPCS and the Intel 7280 XML parser.
Test bed set up
NPCSlli27
Test Results and Analysis
NPCSlli28
Test Results and Analysis (Cont.)
NPCSlli29
Test Results and Analysis (Cont.)
NPCSlli30
Limitation of NPCS and Possible Future Works
– Communication between tasks
– Rule Module
– File store (no hard drive)
– Utilization of Microengines
– Sizes of libraries CryptoLib and SSLLib
Lessons Learned
– Hardware configuration
– Memory cache size
– Building VxWorks images
– Debugging
– Building libraries
– Testing local OpenSSL implementation on IXP
– ssldump
Conclusion
This NPCS is a prototype of a secure content switch that performs the functions of a web switch at the Application Layer on the IXP1200 Network Processor Evaluation Board.
The security part of this implementation currently uses the software package OpenSSL version 0.9.6b ported onto VxWorks.
Packet receiving uses the modified microengine reference design code and the PETH driver.
Its performance is not satisfactory, for good reason. Based on the architecture of the IXP1200 Network Processor and the test results, there are some possible improvements that could be made in the future.
Demo
1. Launch IXP12EB and open a shell window.
2. Download ssl_proxy.out and rulemodule.out to the IXP.
3. At the shell window, type:
   > init
   > PethDrvInit
   > sslproxy
4. Open another shell window and type:
   > rulemodule
5. Go to the test page: http://archie.uccs.edu/~acsd/ixp1200/sslproxytest.html