DESIGN AND IMPLEMENTATION OF CONTENT SWITCH ON IXP1200EB Presenter: Longhua Li Committee Members: Dr. C. Edward Chow Dr. Jugal K. Kalita Dr. Charles M. Shub Dec. 3rd, 2002 lli
Content Switch Architecture (Infocom 2000, Apostolopoulos et al.)
[Figure: Client, Content Switch (Hash Table, CS Rules, pkt Modification info), Real Server1]
Step 1. The Controller finds there is no entry in the Hash Table and routes the request to the content switch processor.
Step 2. CS processor:
 a. Extract content / match CS rules
 b. Route request
 c. Set up Sequence# modification on the server-side port
Step 3. At the server-side port, return pkts are modified (Sequence# / IP addr / Chksum) and routed back to the client.
Commercial Content Switches
• Cisco Content Engine (Arrowpoint)
• Foundry Networks’ ServerIron Products
• F5’s Big-IP
• Nortel Networks Alteon Web Switches
• Intel XML Director
• Phobe In-Switch
Content Switch Operations
[Figure: CS Rule Editor -> Content Switch Rules; Incoming Packets -> Packet Classification -> Header/Content Extraction -> Content Switching Rule Matching Algorithm -> Packet Routing (Load Balancing) -> Forward Packet To Servers; Packet Routing also takes Network Path Info and Server Load Status as inputs]
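The two slides above describe the content switch data path: a hash-table lookup for an existing binding, content extraction and rule matching on the first data packet, and then per-connection rewriting of the return packets (sequence number, IP address, checksum) so the client never sees the real server. The following Python model is an added example, not code from the thesis or the IXP1200 prototype; the rule set, the virtual IP 10.0.0.1, the client address and the initial sequence numbers are constructed, and the two real-server addresses are the ones named on the "Hardware & Software Environments" slide.

```python
import struct
from dataclasses import dataclass

VIP = "10.0.0.1"  # constructed: the virtual IP the client connects to

# Constructed rule set. Each rule is (predicate over the parsed request,
# real server IP); first match wins. The server addresses are the two real
# servers listed on the slides.
CS_RULES = [
    (lambda r: r["path"].startswith("/secure/"), "128.198.60.183"),
    (lambda r: r["path"].endswith(".xml"), "128.198.60.188"),
    (lambda r: True, "128.198.60.183"),  # default rule
]


def parse_http_request(data: bytes) -> dict:
    """Header/content extraction: request line and headers of the first data packet."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def match_rules(req: dict, rules=CS_RULES) -> str:
    """Rule matching: the real server chosen by the first matching rule."""
    for predicate, server in rules:
        if predicate(req):
            return server
    raise LookupError("no rule matched")  # unreachable with a default rule


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum, recomputed after every rewrite."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Packet:
    """Simplified server->client packet: only the fields the switch rewrites."""
    src_ip: str
    dst_ip: str
    seq: int
    ack: int
    payload: bytes

    def checksum(self) -> int:
        ips = b"".join(bytes(int(o) for o in ip.split("."))
                       for ip in (self.src_ip, self.dst_ip))
        return inet_checksum(ips + struct.pack("!II", self.seq, self.ack) + self.payload)


class ContentSwitch:
    def __init__(self, rules=CS_RULES):
        self.rules = rules
        self.table = {}  # hash table: (client ip, port) -> binding

    def handle_client_data(self, client, switch_isn, server_isn, data):
        """Steps 1-2: no table entry -> extract content, match rules, bind.
        switch_isn is the ISN the switch used toward the client; server_isn is
        the one the real server chose toward the switch (both constructed)."""
        if client in self.table:
            return self.table[client]["server"]
        server = match_rules(parse_http_request(data), self.rules)
        self.table[client] = {"server": server,
                              "seq_delta": (switch_isn - server_isn) & 0xFFFFFFFF}
        return server

    def rewrite_return(self, client, pkt: Packet):
        """Step 3: the server's packet is moved into the switch's sequence
        space, given the VIP as source and a fresh checksum, then routed back."""
        binding = self.table[client]
        out = Packet(VIP, pkt.dst_ip,
                     (pkt.seq + binding["seq_delta"]) & 0xFFFFFFFF,
                     pkt.ack, pkt.payload)
        return out, out.checksum()


if __name__ == "__main__":
    sw = ContentSwitch()
    client = ("10.0.0.9", 40000)  # constructed client address
    server = sw.handle_client_data(client, 1000, 5000,
                                   b"GET /secure/login HTTP/1.1\r\nHost: vip\r\n\r\n")
    reply = Packet(server, client[0], 5001, 1100, b"HTTP/1.1 200 OK\r\n")
    out, csum = sw.rewrite_return(client, reply)
    print(server, out.src_ip, out.seq, hex(csum))
```

The sequence delta is stored once per binding because the switch answered the client's SYN itself before it knew which server to pick (delayed binding); every later server packet is shifted by that constant, and the client-to-server direction applies the negative delta to the acknowledgement number.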
Secure Socket Layer (SSL) Protocol
• We need SSL for secure communications between client and server.
• The SSL Protocol allows
 • the exchange of certificates for the authentication of the server and potentially the clients
 • negotiation of cipher suites and selection of session keys for encryption
SSL Messages: Overview of SSL Procedure
Client                                  Server
 1. Client hello                  ---->
                                  <---- 2. Server hello
                                  <---- 3. Certificate (Optional)
                                  <---- 4. Certificate request (Optional)
                                  <---- 5. Server key exchange (Optional)
                                  <---- 6. Server hello done
 7. Certificate (Optional)        ---->
 8. Client key exchange           ---->
 9. Certificate verify (Optional) ---->
10. Change cipher spec            ---->
11. Finished                      ---->
                                  <---- 12. Change cipher spec
                                  <---- 13. Finished
14. Encrypted data                <---> 14. Encrypted data
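The message list above fixes both the direction and the order of the handshake, and marks which messages may be absent. A checker that walks a captured transcript against that flow is the kind of check a session-reconstruction tool such as ssldump (mentioned under "Lessons Learned") applies. The Python below is an added example written for this page, not code from the thesis or from OpenSSL; the message names are the slide's, the transcripts are constructed, and the two dependency rules at the end (a client Certificate only after a Certificate request, a Certificate verify only after a client Certificate) are assumptions drawn from the SSL specification rather than from the slide.

```python
# Expected flow from the slide: (message, direction, optional), in order.
HANDSHAKE_FLOW = [
    ("ClientHello", "C->S", False),
    ("ServerHello", "S->C", False),
    ("Certificate", "S->C", True),
    ("CertificateRequest", "S->C", True),
    ("ServerKeyExchange", "S->C", True),
    ("ServerHelloDone", "S->C", False),
    ("Certificate", "C->S", True),
    ("ClientKeyExchange", "C->S", False),
    ("CertificateVerify", "C->S", True),
    ("ChangeCipherSpec", "C->S", False),
    ("Finished", "C->S", False),
    ("ChangeCipherSpec", "S->C", False),
    ("Finished", "S->C", False),
]


def check_handshake(transcript):
    """Validate a list of (message, direction) pairs against HANDSHAKE_FLOW.

    Returns (ok, reason). Optional messages may be skipped; required ones must
    appear in order; nothing may follow the server's Finished.
    """
    i = 0
    seen = set()
    for msg, direction in transcript:
        # Advance past optional messages that did not appear in the capture.
        while i < len(HANDSHAKE_FLOW) and HANDSHAKE_FLOW[i][:2] != (msg, direction):
            name, d, optional = HANDSHAKE_FLOW[i]
            if not optional:
                return False, f"expected {name} {d}, got {msg} {direction}"
            i += 1
        if i == len(HANDSHAKE_FLOW):
            return False, f"unexpected {msg} {direction} after handshake complete"
        seen.add((msg, direction))
        i += 1
    # Anything left in the flow must be optional, otherwise the handshake is truncated.
    for name, d, optional in HANDSHAKE_FLOW[i:]:
        if not optional:
            return False, f"handshake incomplete: missing {name} {d}"
    # Dependencies between optional messages (assumption: taken from the SSL spec).
    if ("CertificateVerify", "C->S") in seen and ("Certificate", "C->S") not in seen:
        return False, "CertificateVerify without a client Certificate"
    if ("Certificate", "C->S") in seen and ("CertificateRequest", "S->C") not in seen:
        return False, "client Certificate without a CertificateRequest"
    return True, "ok"


# Constructed transcript: server authentication only, no client certificate.
MINIMAL_SESSION = [
    ("ClientHello", "C->S"), ("ServerHello", "S->C"), ("Certificate", "S->C"),
    ("ServerHelloDone", "S->C"), ("ClientKeyExchange", "C->S"),
    ("ChangeCipherSpec", "C->S"), ("Finished", "C->S"),
    ("ChangeCipherSpec", "S->C"), ("Finished", "S->C"),
]

if __name__ == "__main__":
    print(check_handshake(MINIMAL_SESSION))
    # Constructed bad transcript: Finished sent before ChangeCipherSpec.
    bad = MINIMAL_SESSION[:5] + [("Finished", "C->S")] + MINIMAL_SESSION[5:]
    print(check_handshake(bad))
```
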
OpenSSL
• An Open Source Toolkit for SSL/TLS
• Implements the Secure Sockets Layer protocol (SSL v2/v3) and the Transport Layer Security (TLS v1) protocol
• Implements cryptographic algorithms:
 • message digest algorithms
 • symmetric ciphers
 • public key cryptography
Intel IXP1200 NP and IXP12EB
• The IXP1200 Network Processor: highly integrated RISC architecture
• The IXP12EB Evaluation Board:
 • PCI form factor board based on the IXP1200 Network Processor
 • eight 10/100 Mbps ports
 • two Gigabit Ethernet ports
 • PCI back-plane and an Ethernet Network Interface Card (NIC)
Development Environment
• Intel Developer Workbench (for Microengines)
• WindRiver Tornado IDE (for StrongARM)
Design of IXP1200-Based Secure Content Switch (NPCS)
• Purpose of this design
 • Study resource constraints (memory) on content switch design.
 • Learn the impact of a real-time embedded OS.
 • Understand the porting issues (from Linux to VxWorks).
• Assumptions
 • Security
 • Certificates
Implementation of NPCS
• The implementation of NPCS is divided into three parts:
 • Packet Receiving and Transmitting
 • Porting OpenSSL
 • Porting the Linux-based Secure Content Switch and implementing it on the IXP12EB
Hardware & Software Environments
• Host machine: dilbert
• Set up IXP12EB:
  tgtsvr.exe 128.198.60.32 -n IXP1200EB -m 15728640 -V -B Wdbrpc -redirectIO
• Real Servers:
 • frodo.uccs.edu (128.198.60.183)
 • eca.uccs.edu (128.198.60.188)
The Prototype of NPCS
• Packet Receiving and Transmitting
 • Microengine Reception and Transmission
 • Pseudo Device Driver
• Porting OpenSSL
• Porting and Implementing Secure Content Switch on IXP1200EB
Porting OpenSSL
• No public domain OpenSSL port for VxWorks.
• Two major libraries: CryptoLib and SSLLib
• Makefiles
• Size of the libraries
Porting and Implementing Secure Content Switch on IXP12EB
• Three major tasks (two modules):
 • Controller
 • Request Processor
 • Rule Matcher
The Controller
The Rule Matcher
Test Results and Analysis
• Three test scenarios:
 • Both the SSL Proxy and the Rule Module running on the IXP12EB. Real servers are two Linux machines.
 • SSL Proxy running on the IXP12EB with the Rule Module running on a Linux machine. Real servers are two Linux machines.
 • Response time as a function of XML document request size, for NPCS and for the Intel 7280 XML parser.
Test bed set up
Limitations of NPCS and Possible Future Work
• Communication between tasks
• Rule Module
• File store (no hard drive)
• Utilization of Microengines
• Sizes of the libraries CryptoLib and SSLLib
Lessons Learned
• Hardware configuration
 • Memory cache size
• Building VxWorks images
• Debugging
• Building libraries
• Testing the local OpenSSL implementation on the IXP
 • ssldump
Conclusion
• This NPCS is a prototype of a secure content switch that performs the functions of a web switch at the Application Layer on the IXP1200 Network Processor Evaluation Board.
• The security part of this implementation currently uses the software package OpenSSL version 0.9.6b, ported onto VxWorks.
• Packet receiving uses the modified microengine reference design code and the PETH driver.
• Its performance is not satisfactory, for good reason.
• Based on the architecture of the IXP1200 Network Processor and the test results, there are some possible improvements that could be made in the future.
Demo
• Launch the IXP12EB and open a shell window
• Download ssl_proxy.out and rulemodule.out to the IXP
• At the shell window, type:
  > init
  > PethDrvInit
  > sslproxy
• Open another shell window and type:
  > rulemodule
• Go to the test page: http://archie.uccs.edu/~acsd/ixp1200/sslproxytest.html