
DESIGN AND IMPLEMENTATION OF CONTENT SWITCH ON IXP1200EB

Presenter: Longhua Li. Committee Members: Dr. C. Edward Chow, Dr. Jugal K. Kalita, Dr. Charles M. Shub. Dec. 3rd, 2002.


Presentation Transcript


  1. DESIGN AND IMPLEMENTATION OF CONTENT SWITCH ON IXP1200EB
     Presenter: Longhua Li
     Committee Members: Dr. C. Edward Chow, Dr. Jugal K. Kalita, Dr. Charles M. Shub
     Dec. 3rd, 2002

  2. Content-Based Switch

  3. Content Switch Architecture (Infocom 2000, Apostolopoulos et al.)
     Diagram components: Client, Content Switch (CS Rules, Hash Table, CS processor), pkt Modification info, Real Server1
     Step 1. Controller finds there is no entry in the Hash Table; route the request to the content switch processor.
     Step 2. CS processor: a. Extract content / match CS rules; b. Route request; c. Set up Sequence# modification on the server side port.
     Step 3. At the server side port, return pkts are modified (Sequence# / IP addr / Chksum) and routed back to the client.

  4. Commercial Content Switches
     • Cisco Content Engine (Arrowpoint)
     • Foundry Networks’ ServerIron Products
     • F5’s Big-IP
     • Nortel Networks Alteon Web Switches
     • Intel XML Director
     • Phobe In-Switch

  5. Content Switch Rules / Content Switch Operations (diagram)
     Incoming Packets -> Packet Classification -> Header / Content Extraction -> Content Switching Rule Matching Algorithm (rules supplied by the CS Rule Editor) -> Packet Routing (Load Balancing, using Network Path Info and Server Load Status) -> Forward Packet To Servers
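The architecture slide (hash-table lookup, rule matching, sequence-number and checksum rewriting of return packets) and the operations slide (classification, content extraction, rule matching, routing) describe one data path. The following is an added example written for this page, not the thesis's NPCS code: a small Python model of that data path with a real IPv4/TCP packet builder and RFC 1071 checksum so the rewriting step can be checked. The real-server addresses and the IXP12EB address come from the test-bed slide; the rule table, the client address, the initial sequence numbers, and the assumption that the switch terminates the client handshake itself and reuses the client's sequence numbers toward the server (so only the server's sequence numbers, the source address and the checksums of return packets need rewriting) are constructed for the demo.

```python
"""Content switch data path: flow-table lookup, rule matching, return-packet rewriting.

Added example for this page; it is not the NPCS code from the thesis. It models
the three steps on the architecture slide with a small IPv4/TCP packet builder.
Assumptions: the switch terminates the client's TCP handshake itself (delayed
binding) and connects to the chosen server reusing the client's sequence numbers,
so only the server's sequence numbers, the source address and the checksums of
return packets have to be rewritten; the rule format is invented for the demo.
"""
import socket
import struct

VIP = "128.198.60.32"                                   # IXP12EB address (page test bed)
SERVERS = {"frodo": "128.198.60.183", "eca": "128.198.60.188"}  # real servers (page)

# Rule table (constructed): the first predicate that matches the requested URL wins.
CS_RULES = [
    (lambda url: url.endswith(".xml"), SERVERS["eca"]),
    (lambda url: url.startswith("/secure/"), SERVERS["frodo"]),
    (lambda url: True, SERVERS["frodo"]),                # default rule
]


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum of data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                   # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, sport, dport, seq, ack, payload: bytes) -> bytes:
    """IPv4 + TCP (PSH/ACK, no options) packet with both checksums filled in."""
    tcp_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    return ip + tcp + payload


def parse(pkt: bytes):
    """Return (src, dst, sport, dport, seq, ack, payload) of an options-free packet."""
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport, seq, ack = struct.unpack("!HHII", pkt[20:32])
    return src, dst, sport, dport, seq, ack, pkt[40:]


def verify(pkt: bytes) -> bool:
    """True only if the IPv4 header checksum and the TCP checksum both validate."""
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(pkt) - 20)
    return checksum(pkt[:20]) == 0 and checksum(pseudo + pkt[20:]) == 0


class ContentSwitch:
    def __init__(self):
        self.flows = {}          # hash table: (client ip, client port) -> splice state

    def handle_client_request(self, pkt: bytes, server_isn: int) -> str:
        """Steps 1-2: on a flow-table miss, extract the URL, match rules, bind a server."""
        src, _dst, sport, _dport, _seq, ack, payload = parse(pkt)
        key = (src, sport)
        if key in self.flows:                             # fast path: already bound
            return self.flows[key]["server"]
        url = payload.split(b" ", 2)[1].decode()          # "GET /path HTTP/1.0"
        server = next(s for pred, s in CS_RULES if pred(url))
        # The client acked switch_isn + 1 during its handshake with the switch, but the
        # real server numbers its bytes from server_isn: every return packet needs
        # seq += switch_isn - server_isn (mod 2^32).
        delta = (ack - 1 - server_isn) & 0xFFFFFFFF
        self.flows[key] = {"server": server, "seq_delta": delta}
        return server

    def rewrite_return_packet(self, pkt: bytes) -> bytes:
        """Step 3: server -> client packet gets a new seq#, source IP = VIP, fresh checksums."""
        _src, dst, sport, dport, seq, ack, payload = parse(pkt)
        flow = self.flows[(dst, dport)]
        new_seq = (seq + flow["seq_delta"]) & 0xFFFFFFFF
        return build_packet(VIP, dst, sport, dport, new_seq, ack, payload)


def demo():
    """Walk one request through the switch; returns (server, rewritten header, checksums ok)."""
    cs = ContentSwitch()
    client = "128.198.60.50"                              # constructed client address
    # Client's first data segment after the handshake (switch ISN 1000 -> client acks 1001).
    req = build_packet(client, VIP, 40000, 80, 5001, 1001,
                       b"GET /catalog/item.xml HTTP/1.0\r\n\r\n")
    server = cs.handle_client_request(req, server_isn=777000)
    # Server's first data segment carries its own ISN + 1 and acks the 34-byte request.
    resp = build_packet(server, client, 80, 40000, 777001, 5035, b"HTTP/1.0 200 OK\r\n\r\n")
    out = cs.rewrite_return_packet(resp)
    return server, parse(out), verify(out)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` binds the `.xml` request to eca, and the server's first segment (seq 777001) leaves the switch with seq 1001, the number the client is waiting for, and with valid checksums. The same flow-table key serves the fast path for every later packet of the connection, which is why the slides put the rule matching in a separate processor and keep only the hash table on the packet path.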

  6. Secure Socket Layer (SSL) Protocol
     • We need SSL for secure communications between client and server.
     • SSL Protocol allows
       • the exchange of certificates for the authentication of the server and potentially the clients
       • cipher suites and selection of session keys for encryption

  7. SSL Messages (Overview of SSL Procedure)
     Client                               Server
     1. Client hello                ---->
                                    <----  2. Server hello
                                    <----  3. Certificate (Optional)
                                    <----  4. Certificate request (Optional)
                                    <----  5. Server key exchange (Optional)
                                    <----  6. Server hello done
     7. Certificate (Optional)      ---->
     8. Client key exchange         ---->
     9. Certificate verify (Optional) ---->
     10. Change cipher spec         ---->
     11. Finished                   ---->
                                    <----  12. Change cipher spec
                                    <----  13. Finished
     14. Encrypted data             <---->  14. Encrypted data

  8. OpenSSL
     • An Open Source Toolkit for SSL/TLS
     • Implements the Secure Sockets Layer protocol (SSL v2/v3) and the Transport Layer Security (TLS v1) protocol
     • Implements cryptographic algorithms:
       • message digest algorithms
       • symmetric ciphers
       • public key cryptography

  9. Intel IXP1200 NP and IXP12EB
     • The IXP1200 Network Processor: highly integrated RISC architecture
     • The IXP12EB Evaluation Board:
       • PCI form factor board based on the IXP1200 Network Processor
       • eight 10/100 Mbps ports
       • two Gigabit Ethernet ports
       • PCI back-plane and an Ethernet Network Interface Card (NIC)

  10. IXP1200 Network Processor

  11. Development Environment
     • Intel Developer Workbench (for Microengines)
     • WindRiver Tornado IDE (for StrongARM)

  12. Design of IXP1200-Based Secure Content Switch (NPCS)
     • Purpose of this design
       • Study resource constraints (memory) on content switch design.
       • Learn the impact of a real-time embedded OS.
       • Understand the porting issues (from Linux to VxWorks).
     • Assumptions
       • Security
       • Certificates

  13. Design of NPCS (Hardware set up)

  14. Design of NPCS (Software layers)

  15. Design of NPCS (Modules)

  16. Implementation of NPCS
     • The implementation of NPCS is divided into three parts:
       • Packet Receiving and Transmitting
       • Porting OpenSSL
       • Porting the Linux-based Secure Content Switch and implementing it on IXP12EB

  17. Hardware & Software Environments
     • Host machine: dilbert
     • Set up IXP12EB:
       tgtsvr.exe 128.198.60.32 -n IXP1200EB -m 15728640 -V -B Wdbrpc -redirectIO
     • Real Servers:
       • frodo.uccs.edu (128.198.60.183)
       • eca.uccs.edu (128.198.60.188)

  18. The Prototype of NPCS
     • Packet Receiving and Transmitting
       • Microengine Reception and Transmission
       • Pseudo Device Driver
     • Porting OpenSSL
     • Porting and Implementing Secure Content Switch on IXP1200EB

  19. Packets Receiving & Transmitting

  20. Porting OpenSSL
     • No public domain OpenSSL for VxWorks.
     • Two major libraries: CryptoLib and SSLLib
     • Makefiles
     • Size of the libraries

  21. Porting and Implementing Secure Content Switch on IXP12EB
     • Three major tasks (two modules):
       • Controller
       • Request Processor
       • Rule Matcher

  22. The Controller

  23. The Request Processor

  24. The Rule Matcher

  25. Test Results and Analysis
     • Three test scenarios:
       • Both SSL Proxy and Rule Module running on the IXP12EB. Real servers are two Linux machines.
       • SSL Proxy running on IXP12EB with Rule Module running on a Linux machine. Real servers are two Linux machines.
       • Test response time for different XML document request sizes, for NPCS and the Intel 7280 XML parser.

  26. Test bed set up

  27. Test Results and Analysis

  28. Test Results and Analysis (Cont.)

  29. Test Results and Analysis (Cont.)

  30. Limitations of NPCS and Possible Future Work
     • Communication between tasks
     • Rule Module
     • File store (no hard drive)
     • Utilization of Microengines
     • Sizes of libraries CryptoLib and SSLLib

  31. Lessons Learned
     • Hardware configuration
       • Memory cache size
     • Building VxWorks images
     • Debugging
     • Building libraries
     • Testing local OpenSSL implementation on IXP
       • ssldump

  32. Conclusion
     • This NPCS is a prototype of a secure content switch that performs the functions of a web switch at the Application Layer on the IXP1200 Network Processor Evaluation Board.
     • The security part of this implementation currently uses the software package OpenSSL version 0.9.6b, ported onto VxWorks.
     • Packet receiving uses the modified microengine reference design code and the PETH driver.
     • Its performance is not satisfactory, for good reason.
     • Based on the architecture of the IXP1200 Network Processor and the test results, there are some possible improvements that could be made in the future.

  33. Demo
     • Launch IXP12EB and open a shell window
     • Download ssl_proxy.out and rulemodule.out to the IXP
     • At the shell window, type:
       > init
       > PethDrvInit
       > sslproxy
     • Open another shell window and type:
       > rulemodule
     • Go to the test page: http://archie.uccs.edu/~acsd/ixp1200/sslproxytest.html
