This talk provides an overview of the design and implementation of a web-based management interface for a network processor based content switch. It discusses the requirements, components, experimental results, lessons learned, and future directions for the interface.
The Design of Web-based Management Interface for Network Processor based Content Switch
Jayant Patil
Department of Computer Science
Univ. of Colorado at Colorado Springs
Web Interface for NPCS/J Patil

Outline of the Talk
• Overview of Content Switch, SSL, and Intel IXP12EB
• NPCS Interface Requirements
• Components of interface – Web server, RAM-based file system, restructured rule module
• Experimental results
• Lessons Learned and Future Directions
• Conclusion

Content Switch (CS)
• Route packets based on high layer (Layer 5/7) headers and content.
• Examples:
  • Direct Web traffic based on pattern of URLs, host tags, cookies.
  • Can route incoming email based on email address; connect POP/IMAP based on login.
• Web switches and Intel XML Director/accelerator are special cases of content switch.
[Figure: a client reaches server1 through server9 via the content switch; the servers hold files such as home.htm, uccs.jpg, Index.htm and rocky.mid]

What Services It Can Provide
• Enabling premium services for e-commerce, ISP, and Web hosting providers
• Load Balancing and High Available Server Clusters: Web, E-commerce, Email, Computing, File, SAN
• Policy-based networking, differential/QoS services
• Firewall, strengthening DoS protection, cache/firewall load-balancing
• 'Flash-crowd' management

Content Switch Operation

Secure Socket Layer (SSL) Protocol
• We need SSL for secure communications between client and server.
• SSL Protocol allows
  • the exchange of certificates for the authentication of server and potentially the clients
  • cipher suites and selection of session keys for encryption

OpenSSL
• OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson.
• Open Source toolkit implementing the Secure Socket Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library
• Important Libraries
  • SSL: The OpenSSL ssl library implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols.
  • Crypto: The OpenSSL crypto library implements a wide range of cryptographic algorithms used in various Internet standards. The services provided by this library are used by the OpenSSL implementations of SSL and TLS, and they have also been used to implement SSH, OpenPGP, and other cryptographic standards.

IXP12EB: IXP1200 Network Processor Ethernet Evaluation Kit
• Contains IXP1200 Network Processor with
  • StrongArm Core
  • Six MicroEngines
  • 256 KB SRAM
  • 64 MB SDRAM
  • 2 Fiber Gigabit Ethernet Interfaces
  • 8 Fast Ethernet Interfaces
• IXP12DE software development kit
• Allows developers to test network software at gigabit wired processing speed

NPCS: Network Processor based Content Switch
• Explore the design issues in using Intel IXP1200 Network Processor as content switch.
• Longhua Li ported the Linux-based Secure Content Switch developed by Ganesh Godavari to run on IXP12EB: NPCS version 1.
• NPCS version 1 does not support
  • Web-based management interface
  • Dynamic content switch rule set update
  • Content switch status query

NPCS Web-based Interface Requirements
• Secure
• Efficient
• Reliable
• User-friendly Web-based
The secure web-based interface should enable
• Configuration of the content switch
• Dynamic update of the content switching rules
• Retrieval of the network session/statistical data

NPCS Software layers

Enhanced NPCS v2 Architecture

GoAhead Webserver
• Fully-featured, open-source embedded Web server by GoAhead Software - http://www.goahead.com/
• Active Server Pages
• Embedded JavaScript
• Standard CGI Implementation
• GoForms™ (in-memory CGI processing)
• URL Handlers
• Extensive API Documentation
• Small Footprint -- 50K RAM (critical for NPCS)

GoForms: In-Process CGI processing
Instead of spawning a separate process to execute the CGI program, GoForms calls a function that is compiled and linked with the web server. The function processes the request and returns the dynamic web content. For example, the following code writes the uploaded file onto the RAM-based file system.

    void upldForm(webs_t wp, char_t *path, char_t *query)
    {
        FILE *fp;
        char_t *fn;
        char_t *bn = T("rules");      /* fixed name of the rule file */
        int locWrite;
        int numLeft;
        int numWrite;
        char fulfilename[100];

        /* Client-supplied file name; it is not used to build the path. */
        fn = websGetVar(wp, T("filename"), T(""));

        /* The upload always goes to DEV1:/rules on the RAM-based file system. */
        strcpy(fulfilename, "DEV1:/");
        strcat(fulfilename, bn);

        if ((fp = fopen(fulfilename, "w+b")) == NULL) {
            websWrite(wp, T("File open failed!<br>"));
        } else {
            websWrite(wp, T("File opened!<br>"));
            locWrite = 0;
            numLeft = wp->lenPostData;
            /* Write the POST body until it is all on disk or a write falls short. */
            while (numLeft > 0) {
                numWrite = fwrite(&(wp->postData[locWrite]), sizeof(*(wp->postData)), numLeft, fp);
                if (numWrite < numLeft) {
                    websWrite(wp, T("File write failed.<br>"));
                    break;
                }
                locWrite += numWrite;
                numLeft -= numWrite;
            }
            if (numLeft == 0) {
                if (fclose(fp) != 0) {
                    websWrite(wp, T("File close failed.<br>"));
                } else {
                    websWrite(wp, T("File Size Written = %d bytes<br>"), wp->lenPostData);
                }
            } else {
                websWrite(wp, T("numLeft=%d locWrite=%d Size=%d bytes<br>"), numLeft, locWrite, wp->lenPostData);
            }
        }
        websDone(wp, 200);            /* complete the HTTP response */
    }

GoForms: In-Process CGI processing (continued)
Following is the code we use to execute the refresh function to refresh switching ruleset.

Dynamic Update of NPCS Ruleset
The rulemodule is responsible for matching the request with the rules in the ruleset and returning the designated real server for the request. NPCS v1 had the rules coded in the rulemodule code. Thus, to change the active ruleset, it was required to
• Shut down the current rulemodule
• Unload the rulemodule from memory
• Load the new rulemodule binary
• Start the new rulemodule
This is very cumbersome and consumes a lot of time, so it was decided to redesign the rulemodule.

Enhance Rulemodule
The rulemodule is restructured into two components:
• The rulematching component that matches request header/content with the ruleset.
• The ruleset maintenance module that loads/refreshes the ruleset on demand.

Rule grammar and parser
We modified the rule grammar and parser developed by Ganesh Godavari for the Secure Information Sharing project. The rules are specified as per the following grammar:

    Rulemodule match {
        if ( <expression> ) return <url path>
        <expression> := <term> | <term> && <expression> | (<expression>) | ! (<expression>)
        <term> := <factor> | <factor> || <term> | (<term>)
        <factor> := <variable> <operator> <value>
        <operator> := > | >= | < | <= | == | != | #
    }

Here is an example:

    if ( ( url # "*wbtree*" ) ) return cow.csnet.uccs.edu
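
A syntax check for the rule grammar above that could run on each line of an uploaded rule file before the ruleset is refreshed, so a malformed upload never replaces the active rules. This is an added example, not code from NPCS: the function name rule_is_valid, the characters allowed in bare tokens and the nesting limit of 32 are assumptions, and it accepts a parenthesised group wherever the grammar allows (<expression>) or (<term>).

```c
#include <ctype.h>
#include <string.h>
static const char *p;   /* parse cursor (single-threaded use assumed) */

static void ws(void) { while (isspace((unsigned char)*p)) p++; }

static int eat(const char *s) {          /* consume literal s if it is next */
    size_t n = strlen(s);
    ws();
    if (strncmp(p, s, n) != 0) return 0;
    p += n;
    return 1;
}

static int word(int allow_quoted) {      /* bare token or "quoted value" */
    ws();
    const char *s = p;
    if (*p == '"' && allow_quoted) {
        for (p++; *p && *p != '"'; p++) ;
        return *p == '"' ? (p++, 1) : 0; /* reject an unterminated quote */
    }
    while (*p && (isalnum((unsigned char)*p) || strchr("._-/:*", *p))) p++;
    return p > s;
}

static int oper(void) {                  /* two-character operators first */
    static const char *ops[] = { ">=", "<=", "==", "!=", ">", "<", "#" };
    for (size_t i = 0; i < sizeof ops / sizeof *ops; i++)
        if (eat(ops[i])) return 1;
    return 0;
}
static int expr(int depth);

static int unit(int depth) {             /* factor, (group) or !(group) */
    if (depth > 32) return 0;            /* bound nesting on hostile input */
    int neg = eat("!");
    if (eat("(")) return expr(depth + 1) && eat(")");
    return !neg && word(0) && oper() && word(1);
}

static int term(int d) { do { if (!unit(d)) return 0; } while (eat("||")); return 1; }
static int expr(int d) { do { if (!term(d)) return 0; } while (eat("&&")); return 1; }

int rule_is_valid(const char *line) {    /* 1 if the whole line is one rule */
    p = line;
    if (!eat("if") || !eat("(") || !expr(0) || !eat(")")) return 0;
    if (!eat("return") || !isspace((unsigned char)*p) || !word(0)) return 0;
    ws();
    return *p == '\0';                   /* no trailing text after the target */
}
```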

RAM-based File System
There are two pieces provided by VxWorks:
• Block device driver
• dosFs – MS-DOS compatible file system
We created a small RAM-based file system by making use of the block device driver and the dosFs file system provided by VxWorks.

Rulefile uploading

Ruleset Refreshing

NPCS V2 Development setup

NPCS V2 Test setup

Hardware Configuration

Webbench test results - 1

Webbench test results - 2

Lessons Learned
• Sometimes, the peth0 driver initialization fails
• Manual compilation of VxWorks bootable image
• Generally available PC Webbench's encryption level is 40-bit. Thus, I had to reduce the ssl_proxy's encryption level.

Conclusion
• A Secure Web-based Management Interface was developed for an Intel IXP1200 based Content Switch.
• It is capable of
  • Dynamic update of the content switch rule sets
  • Retrieving content switch status
  • With reasonable management task performance.
• The NPCS performance is still slow because the six microengines are not fully utilized.
• The size of ssl_proxy.out (the downloadable application for IXP1200) is 9 MB. It is relatively big for an embedded system with small memory size. It can be improved.

References
• "Linux Virtual Server", http://www.linuxvirtualserver.org
• High Performance Cluster Computing: Architectures and Systems, Vol 1&2, by Rajkumar Buyya (Editor), May 21, 1999, Prentice Hall
• Gregory Yerxa and James Hutchinson, "Web Content Switching", http://www.networkcomputing.com
• C. Edward Chow and Weihong Wang, "Design and Implementation of a Linux-based Content Switch", to be published in Proceedings of Second International Conference on Parallel and Distributed Computing, Applications and Techniques. http://cs.uccs.edu/~chow/pub/contentsw/status/chow1.doc
• Intel IXP1200 Network Processor, http://developer.intel.com/design/network/products/npfamily/ixp1200.htm
• Intel IXA (Internet Exchange Architecture), http://developer.intel.com/design/network/ixa.htm
• WindRiver Tornado Development Tools, http://www.windriver.com/products/html/tornado2.html
• Tornado User's Guide (Windows Version) 2.0
• WindRiver VxWorks, http://www.windriver.com/products/vxworks5/index.html
• C. Edward Chow and Longhua Li, "The Design and Implementation of Content Switch on IXP12EB"
• Ganesh Godavari, "Role Based Access Right Specification for Secure Information Sharing"
• Jigsaw – W3C's Server, http://www.w3.org/Jigsaw
• Avenida – 100% pure Java-based web server, http://www.serverwatch.com/webserver-avenida.html
• GoAhead webserver from GoAhead Software, http://www.goahead.com/
• Form-based File Upload in HTML, http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1867.html