DESIGN AND IMPLEMENTATION OF CONTENT SWITCH ON IXP1200EB


Page 1: DESIGN AND IMPLEMENTATION OF CONTENT SWITCH ON IXP1200EB

DESIGN AND IMPLEMENTATION OF CONTENT SWITCH ON IXP1200EB

Presenter: Longhua Li

Committee Members:

Dr. C. Edward Chow

Dr. Jugal K. Kalita

Dr. Charles M. Shub

Dec. 3rd, 2002

Page 2

Content-Based Switch

Page 3

Content Switch Architecture (Infocom 2000, Apostolopoulos et al.)

Diagram components: Client, Hash Table, CS Rules, pkt Modification info, Real Server 1.

Step 1. Controller finds there is no entry in the Hash Table; route the request to the content switch processor.

Step 2. CS processor:
a. Extract content / match CS rules
b. Route request
c. Set up Sequence# modification on the server side port

Step 3. At the server side port, return pkts are modified (Sequence# / IP addr / Chksum) and routed back to the client.

Page 4

Commercial Content Switches

– Cisco Content Engine (ArrowPoint)
– Foundry Networks' ServerIron products
– F5's BIG-IP
– Nortel Networks Alteon Web Switches
– Intel XML Director
– Phobos In-Switch

Page 5

Content Switch Operations

Incoming packets pass through the following stages:

– Header/Content Extraction
– Packet Classification, driven by the Content Switching Rule Matching Algorithm and the Content Switch Rules (maintained through the CS Rule Editor)
– Packet Routing (Load Balancing), using Network Path Info and Server Load Status
– Forward Packet to Servers
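The following is an added model (not the thesis' code) of the data path described on slides 3 and 5: a per-connection hash table, header/content extraction, rule matching to pick a real server, and the sequence-number/IP/checksum rewrite on the return path. The rule set, packet dicts and the checksum function are constructed stand-ins; the real-server addresses reused in the usage below come from slide 17.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    """A content-switch rule: predicate over extracted content -> real servers."""
    predicate: object   # callable(url, headers) -> bool
    servers: list       # candidate real-server IPs for this rule

def extract_content(payload):          # Header/Content Extraction (slide 5)
    lines = payload.split("\r\n")
    url = lines[0].split(" ", 2)[1]    # request line: METHOD URL VERSION
    return url, dict(l.split(": ", 1) for l in lines[1:] if ": " in l)

def checksum(pkt):   # constructed stand-in for the real IP/TCP checksum
    return sum(map(ord, f'{pkt["src"]}{pkt["dst"]}{pkt["seq"]}')) & 0xFFFF

class ContentSwitch:
    def __init__(self, rules, vip, switch_isn):
        self.rules, self.vip, self.isn = rules, vip, switch_isn
        self.table = {}   # hash table: (client ip, client port) -> pkt modification info
        self.rr = 0       # round-robin position used for load balancing

    def match_rules(self, url, headers):
        """Rule matching: the first rule whose predicate holds picks the server pool."""
        for rule in self.rules:
            if rule.predicate(url, headers):
                self.rr = (self.rr + 1) % len(rule.servers)
                return rule.servers[self.rr]
        return None

    def client_to_server(self, pkt, server_isn):
        # Steps 1-2: classify on a hash-table miss, then route to the chosen real server.
        key = (pkt["src"], pkt["sport"])
        if key not in self.table:
            url, headers = extract_content(pkt["payload"])
            server = self.match_rules(url, headers)
            if server is None:
                return None
            # delta between the ISN the switch gave the client and the server's own ISN
            self.table[key] = {"server": server, "delta": self.isn - server_isn}
        out = dict(pkt, dst=self.table[key]["server"])
        out["checksum"] = checksum(out)
        return out
    def server_to_client(self, pkt):
        # Step 3: rewrite source IP, sequence number and checksum on the way back.
        info = self.table[(pkt["dst"], pkt["dport"])]
        out = dict(pkt, src=self.vip, seq=(pkt["seq"] + info["delta"]) & 0xFFFFFFFF)
        out["checksum"] = checksum(out)
        return out
```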

Page 6

Secure Socket Layer (SSL) Protocol

We need SSL for secure communication between client and server.

The SSL protocol allows:
– the exchange of certificates for the authentication of the server and potentially the clients
– the negotiation of cipher suites and the selection of session keys for encryption

Page 7

Overview of SSL Procedure

SSL Messages

Client                                    Server
1. Client hello                   ----->
                                  <-----  2. Server hello
                                  <-----  3. Certificate (Optional)
                                  <-----  4. Certificate request (Optional)
                                  <-----  5. Server key exchange (Optional)
                                  <-----  6. Server hello done
7. Certificate (Optional)         ----->
8. Client key exchange            ----->
9. Certificate verify (Optional)  ----->
10. Change cipher spec            ----->
11. Finished                      ----->
                                  <-----  12. Change cipher spec
                                  <-----  13. Finished
14. Encrypted data                <---->  14. Encrypted data

Page 8

OpenSSL

An open source toolkit for SSL/TLS:
– Implements the Secure Sockets Layer protocol (SSL v2/v3) and the Transport Layer Security (TLS v1) protocol
– Implements cryptographic algorithms: message digest algorithms, symmetric ciphers, public key cryptography

Page 9

Intel IXP1200 NP and IXP12EB

The IXP1200 Network Processor: highly integrated RISC architecture

The IXP12EB Evaluation Board:
– PCI form factor board based on the IXP1200 Network Processor
– eight 10/100 Mbps ports
– two Gigabit Ethernet ports
– PCI back-plane and an Ethernet Network Interface Card (NIC)

Page 10

IXP 1200 Network Processor

Page 11

Development Environment

– Intel Developer Workbench (for Microengines)
– Wind River Tornado IDE (for StrongARM)

Page 12

Design of IXP1200-Based Secure Content Switch (NPCS)

Purpose of this design:
– Study resource constraints (memory) on content switch design.
– Learn the impact of a real-time embedded OS.
– Understand the porting issues (from Linux to VxWorks).

Assumptions:
– Security
– Certificates

Page 13

Design of NPCS (Hardware set up)

Page 14

Design of NPCS (Software layers)

Page 15

Design of NPCS (Modules)

Page 16

Implementation of NPCS

The implementation of NPCS is divided into three parts:
– Packet Receiving and Transmitting
– Porting OpenSSL
– Porting the Linux-based Secure Content Switch and implementing it on the IXP12EB

Page 17

Hardware & Software Environments

Host machine: dilbert

Set up IXP12EB:

tgtsvr.exe 128.198.60.32 -n IXP1200EB -m 15728640 -V -B wdbrpc -redirectIO

Real Servers:
– frodo.uccs.edu (128.198.60.183)
– eca.uccs.edu (128.198.60.188)

Page 18

The Prototype of NPCS

Packet Receiving and Transmitting
– Microengine Reception and Transmission
– Pseudo Device Driver

Porting OpenSSL

Porting and Implementing Secure Content Switch on IXP1200EB

Page 19

Packets Receiving & Transmitting

Page 20

Porting OpenSSL

– No public domain OpenSSL port for VxWorks
– Two major libraries: CryptoLib and SSLLib
– Makefiles
– Size of the libraries

Page 21

Porting and Implementing Secure Content Switch on IXP12EB

Three major tasks (two modules):
– Controller
– Request Processor
– Rule Matcher

Page 22

The Controller

Page 23

The Request Processor

Page 24

The Rule Matcher

Page 25

Test Results and Analysis

Three test scenarios:
– Both the SSL Proxy and the Rule Module running on the IXP12EB. Real servers are two Linux machines.
– SSL Proxy running on the IXP12EB with the Rule Module running on a Linux machine. Real servers are two Linux machines.
– Test response time against different XML document request sizes for NPCS and the Intel 7280 XML parser.

Page 26

Test bed set up

Page 27

Test Results and Analysis

Page 28

Test Results and Analysis (Cont.)

Page 29

Test Results and Analysis (Cont.)

Page 30

Limitation of NPCS and Possible Future Works

– Communication between tasks
– Rule Module
– File store (no hard drive)
– Utilization of Microengines
– Sizes of the libraries CryptoLib and SSLLib

Page 31

Lessons Learned

– Hardware configuration
– Memory cache size
– Building VxWorks images
– Debugging
– Building libraries
– Testing the local OpenSSL implementation on the IXP
– ssldump

Page 32

Conclusion

This NPCS is a prototype of a secure content switch that performs the functions of a web switch at the Application Layer on the IXP1200 Network Processor Evaluation Board.

The security part of this implementation currently uses the software package OpenSSL version 0.9.6b, ported onto VxWorks.

Packet receiving uses the modified microengine reference design code and the PETH driver.

Its performance is not satisfactory, for understandable reasons. Based on the architecture of the IXP1200 Network Processor and the test results, there are some possible improvements that could be made in the future.

Page 33

Demo

Launch the IXP12EB and open a shell window. Download ssl_proxy.out and rulemodule.out to the IXP. At the shell window, type:

> init
> PethDrvInit
> sslproxy

Open another shell window and type:

> rulemodule

Go to the test page: http://archie.uccs.edu/~acsd/ixp1200/sslproxytest.html