DESIGN AND IMPLEMENTATION OF CONTENT SWITCH ON IXP1200EB

Presenter: Longhua Li
Committee Members:
Dr. C. Edward Chow
Dr. Jugal K. Kalita
Dr. Charles M. Shub
Dec. 3rd, 2002
NPCS
lli
Content-Based Switch
Content Switch Architecture
(Infocom 2000, Apostolopoulos et al)

Step 1. Controller finds there is no entry in Hash Table; routes request to content switch processor.
Step 2. CS processor
  a. Extract content / Match CS rules
  b. Route request
  c. Setup Sequence# modification on server side port
Step 3. At server side port, return pkts are modified (Sequence# / IP addr / Chksum) and routed back to client.

[Figure: Client, Controller (Hash Table, pkt modification info), CS processor (CS Rules), Real Server]
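One way to model the three steps on this slide in code, as an added example that is not code from the thesis: the controller's hash-table lookup, the CS processor's content extraction and rule match, and the return-path rewrite of sequence number, source address and checksum. The VIP, the CS rules, the ISNs and the toy checksum are constructed; the real-server addresses are the ones listed on the Hardware & Software Environments slide. Only the return direction is rewritten, as the slide describes.

```python
# Added example, not the thesis's code: toy model of steps 1-3 on the Content
# Switch Architecture slide.  VIP, CS rules, ISNs and the checksum are constructed;
# the real-server addresses are from the Hardware & Software Environments slide.
VIP = "10.0.0.1"                                    # constructed virtual IP
REAL_SERVERS = {"frodo": "128.198.60.183", "eca": "128.198.60.188"}
CS_RULES = [("/xml/", "eca"), ("/", "frodo")]       # constructed: URL prefix -> server

def checksum16(data: bytes) -> int:
    """16-bit one's-complement sum, the form IP and TCP checksums use."""
    if len(data) % 2:
        data += b"\0"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def make_packet(src: str, dst: str, seq: int, payload: bytes) -> dict:
    """Toy packet whose checksum covers the fields the switch rewrites."""
    csum = checksum16(f"{src}|{dst}|{seq}|".encode() + payload)
    return {"src": src, "dst": dst, "seq": seq, "payload": payload, "csum": csum}

def match_rules(payload: bytes) -> str:
    """Step 2a: extract the URL from the HTTP request line and match CS rules."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    url = parts[1].decode("ascii", "replace") if len(parts) >= 2 else "/"
    for prefix, server in CS_RULES:
        if url.startswith(prefix):
            return server
    raise LookupError("no CS rule matched " + url)

class ContentSwitch:
    def __init__(self, vip: str = VIP):
        self.vip = vip
        self.table = {}   # hash table: client (ip, port) -> (server_ip, seq_delta)

    def from_client(self, client, pkt, switch_isn, server_isn):
        """Steps 1-2: on a hash-table miss the CS processor matches the request,
        binds the flow to a real server and records the ISN delta (step 2c)."""
        if client not in self.table:
            server_ip = REAL_SERVERS[match_rules(pkt["payload"])]
            self.table[client] = (server_ip, server_isn - switch_isn)
        server_ip, _ = self.table[client]
        return make_packet(client[0], server_ip, pkt["seq"], pkt["payload"])

    def from_server(self, client, pkt):
        """Step 3: rewrite seq#, source IP and checksum for the return path."""
        server_ip, delta = self.table[client]
        assert pkt["src"] == server_ip, "packet not from the bound server"
        return make_packet(self.vip, client[0], pkt["seq"] - delta, pkt["payload"])
```

In the real switch the two ISNs come from the client-side handshake the switch completes itself and the server-side handshake it opens after the rule match; here they are passed in.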
Commercial Content Switches
- Cisco Content Engine (Arrowpoint)
- Foundry Networks’ ServerIron Products
- F5’s Big-IP
- Nortel Networks Alteon Web Switches
- Intel XML Director
- Phobe In-Switch
Content Switch Operations

[Figure: Incoming Packets -> Packet Classification (Header, Content Extraction) -> Content Switching (Rule Matching Algorithm; inputs: Content Switch Rules from the CS Rule Editor, Network Path Info, Server Load Status) -> Packet Routing (Load Balancing) -> Forward Packet To Servers]
Secure Socket Layer (SSL) Protocol
- We need SSL for secure communications between client and server.
- SSL Protocol allows
  – the exchange of certificates for the authentication of the server and potentially the clients
  – cipher suites and selection of session keys for encryption
SSL Messages: Overview of SSL Procedure

Client                                     Server
1. Client hello                    ----->
                                   <-----  2. Server hello
                                   <-----  3. Certificate (Optional)
                                   <-----  4. Certificate request (Optional)
                                   <-----  5. Server key exchange (Optional)
                                   <-----  6. Server hello done
7. Certificate (Optional)          ----->
8. Client key exchange             ----->
9. Certificate verify (Optional)   ----->
10. Change cipher spec             ----->
11. Finished                       ----->
                                   <-----  12. Change cipher spec
                                   <-----  13. Finished
14. Encrypted data                 <---->  14. Encrypted data
OpenSSL
- An Open Source Toolkit for SSL/TLS
- Implements the Secure Sockets Layer protocol (SSL v2/v3) and the Transport Layer Security (TLS v1) protocol
- Implements cryptographic algorithms:
  – message digest algorithms
  – symmetric ciphers
  – public key cryptography
Intel IXP1200 NP and IXP12EB
- The IXP1200 Network Processor: highly integrated RISC architecture
- The IXP12EB Evaluation Board:
  – PCI form factor board based on IXP1200 Network Processor
  – eight 10/100 Mbps ports
  – two Gigabit Ethernet ports
  – PCI back-plane and an Ethernet Network Interface Card (NIC)
IXP 1200 Network Processor
Development Environment
- Intel Developer Workbench (for Microengines)
- WindRiver Tornado IDE (for StrongARM)
Design of IXP1200-Based Secure Content Switch (NPCS)
- Purpose of this design
  – Study resource constraints (memory) on content switch design.
  – Learn the impact of real time embedded OS.
  – Understand the porting issues (from Linux to VxWorks)
- Assumptions
  – Security
  – Certificates
Design of NPCS (Hardware set up)
Design of NPCS (Software layers)
Design of NPCS (Modules)
Implementation of NPCS
- The implementation of NPCS is divided into three parts:
  – Packets Receiving and Transmitting
  – Porting OpenSSL
  – Porting Linux-based Secure Content Switch and Implementing it on IXP12EB
Hardware & Software Environments
- Host machine: dilbert
- Set up IXP12EB:
  tgtsvr.exe 128.198.60.32 -n IXP1200EB -m 15728640 -V -B Wdbrpc -redirectIO
- Real Servers:
  – frodo.uccs.edu (128.198.60.183)
  – eca.uccs.edu (128.198.60.188)
The Prototype of NPCS
- Packets Receiving and Transmitting
  – Microengine Reception and Transmission
  – Pseudo Device Driver
- Porting OpenSSL
- Porting and Implementing Secure Content Switch on IXP1200EB
Packets Receiving & Transmitting
Porting OpenSSL
- No public domain OpenSSL for VxWorks.
- Two major libraries: CryptoLib and SSLLib
- Makefiles
- Size of the libraries
Porting and Implementing Secure Content Switch on IXP12EB
- Three major tasks (two modules):
  – Controller
  – Request Processor
  – Rule Matcher
The Controller
The Request Processor
The Rule Matcher
Test Results and Analysis
- Three test scenarios:
  – Both SSL Proxy and Rule Module running on the IXP12EB. Real servers are two Linux machines.
  – SSL Proxy running on IXP12EB with Rule Module running on a Linux machine. Real servers are two Linux machines.
  – Test response time according to different XML document request sizes for NPCS and Intel 7280 XML parser.
Test bed set up
Test Results and Analysis
Test Results and Analysis (Cont.)
Test Results and Analysis (Cont.)
Limitation of NPCS and Possible Future Works
- Communication between tasks
- Rule Module
- File store (no hard drive)
- Utilization of Microengines
- Sizes of Libraries CryptoLib and SSLLib
Lessons Learned
- Hardware configuration
- Memory cache size
- Building VxWorks images
- Debugging
- Building libraries
- Testing local OpenSSL implementation on IXP
- ssldump
Conclusion
- This NPCS is a prototype of a secure content switch that performs the functions of a web switch at the Application Layer on the IXP1200 Network Processor Evaluation Board.
- The security part of this implementation currently uses the software package OpenSSL version 0.9.6b ported onto VxWorks.
- Packet receiving uses the modified microengine reference design code and the PETH driver.
- Its performance is not satisfactory, for good reason.
- Based on the architecture of the IXP1200 Network Processor and the test results, there are some possible improvements that could be made in the future.
Demo
- Launch IXP12EB and open a shell window
- Download ssl_proxy.out and rulemodule.out to IXP
- At shell window, type
  > init
  > PethDrvInit
  > sslproxy
- Open another shell window, type
  > rulemodule
- Go to test page: http://archie.uccs.edu/~acsd/ixp1200/sslproxytest.html