Slide 1: DESIGN AND IMPLEMENTATION OF CONTENT SWITCH ON IXP1200EB
Presenter: Longhua Li
Committee Members: Dr. C. Edward Chow, Dr. Jugal K. Kalita, Dr. Charles M. Shub
Dec. 3rd, 2002
NPCS    lli

Slide 2: Content-Based Switch
(figure only)

Slide 3: Content Switch Architecture (Infocom 2000, Apostolopoulos et al.)
(figure: Client -> Controller with Hash Table and pkt Modification info -> CS processor with CS Rules -> Real Server 1)
Step 1. The Controller finds there is no entry in the Hash Table and routes the request to the content switch processor.
Step 2. CS processor:
  a. Extract content / match CS rules
  b. Route the request
  c. Set up Sequence# modification on the server-side port
Step 3. At the server-side port, return pkts are modified (Sequence# / IP addr / Chksum) and routed back to the client.

Slide 4: Commercial Content Switches
- Cisco Content Engine (Arrowpoint)
- Foundry Networks' ServerIron Products
- F5's Big-IP
- Nortel Networks Alteon Web Switches
- Intel XML Director
- Phobe In-Switch

Slide 5: Content Switch Operations
(figure: Incoming Packets -> Packet Classification -> Header / Content Extraction -> Content Switching Rule Matching Algorithm -> Packet Routing (Load Balancing) -> Forward Packet To Servers; the rule matcher reads Content Switch Rules from the CS Rule Editor together with Network Path Info and Server Load Status)

Slide 6: Secure Socket Layer (SSL) Protocol
We need SSL for secure communications between client and server.
The SSL Protocol allows:
- the exchange of certificates for the authentication of the server and potentially the clients
- cipher suite negotiation and selection of session keys for encryption

Slide 7: SSL Messages (Overview of SSL Procedure)
Client                                   Server
 1. Client hello                  ----->
                                  <-----  2. Server hello
                                  <-----  3. Certificate (Optional)
                                  <-----  4. Certificate request (Optional)
                                  <-----  5. Server key exchange (Optional)
                                  <-----  6. Server hello done
 7. Certificate (Optional)        ----->
 8. Client key exchange           ----->
 9. Certificate verify (Optional) ----->
10. Change cipher spec            ----->
11. Finished                      ----->
                                  <----- 12. Change cipher spec
                                  <----- 13. Finished
14. Encrypted data                <---->  14. Encrypted data

Slide 8: OpenSSL
- An Open Source Toolkit for SSL/TLS
- Implements the Secure Sockets Layer protocol (SSL v2/v3) and the Transport Layer Security (TLS v1) protocol
- Implements cryptographic algorithms: message digest algorithms, symmetric ciphers, public key cryptography

Slide 9: Intel IXP1200 NP and IXP12EB
The IXP1200 Network Processor: highly integrated RISC architecture
The IXP12EB Evaluation Board:
- PCI form factor board based on the IXP1200 Network Processor
- eight 10/100 Mbps ports
- two Gigabit Ethernet ports
- PCI back-plane and an Ethernet Network Interface Card (NIC)

Slide 10: IXP1200 Network Processor
(figure only)

Slide 11: Development Environment
- Intel Developer Workbench (for Microengines)
- WindRiver Tornado IDE (for StrongARM)

Slide 12: Design of IXP1200-Based Secure Content Switch (NPCS)
Purpose of this design:
- Study resource constraints (memory) on content switch design.
- Learn the impact of a real-time embedded OS.
- Understand the porting issues (from Linux to VxWorks).
Assumptions:
- Security
- Certificates

Slide 13: Design of NPCS (Hardware set up)
(figure only)

Slide 14: Design of NPCS (Software layers)
(figure only)

Slide 15: Design of NPCS (Modules)
(figure only)

Slide 16: Implementation of NPCS
The implementation of NPCS is divided into three parts:
- Packet Receiving and Transmitting
- Porting OpenSSL
- Porting the Linux-based Secure Content Switch and implementing it on the IXP12EB

Slide 17: Hardware & Software Environments
Host machine: dilbert
Set up IXP12EB:
  tgtsvr.exe 128.198.60.32 -n IXP1200EB -m 15728640 -V -B Wdbrpc -redirectIO
Real Servers:
- frodo.uccs.edu (128.198.60.183)
- eca.uccs.edu (128.198.60.188)

Slide 18: The Prototype of NPCS
Packet Receiving and Transmitting:
- Microengine Reception and Transmission
- Pseudo Device Driver
Porting OpenSSL
Porting and Implementing the Secure Content Switch on IXP1200EB

Slide 19: Packet Receiving & Transmitting
(figure only)

Slide 20: Porting OpenSSL
- No public domain OpenSSL for VxWorks.
- Two major libraries: CryptoLib and SSLLib
- Makefiles
- Size of the libraries

Slide 21: Porting and Implementing the Secure Content Switch on IXP12EB
Three major tasks (two modules):
- Controller
- Request Processor
- Rule Matcher

Slide 22: The Controller
(figure only)

Slide 23: The Request Processor
(figure only)

Slide 24: The Rule Matcher
(figure only)

Slide 25: Test Results and Analysis
Three test scenarios:
- Both SSL Proxy and Rule Module running on the IXP12EB. Real servers are two Linux machines.
- SSL Proxy running on the IXP12EB with the Rule Module running on a Linux machine. Real servers are two Linux machines.
- Test response time according to different XML doc request sizes for NPCS and the Intel 7280 XML parser.

Slide 26: Test bed set up
(figure only)

Slide 27: Test Results and Analysis
(figure only)

Slide 28: Test Results and Analysis (Cont.)
(figure only)

Slide 29: Test Results and Analysis (Cont.)
(figure only)

Slide 30: Limitation of NPCS and Possible Future Works
- Communication between tasks
- Rule Module
- File store (no hard drive)
- Utilization of Microengines
- Sizes of the libraries CryptoLib and SSLLib

Slide 31: Lessons Learned
- Hardware configuration
- Memory cache size
- Building VxWorks images
- Debugging
- Building libraries
- Testing the local OpenSSL implementation on the IXP
- ssldump

Slide 32: Conclusion
This NPCS is a prototype of a secure content switch that performs the functions of a web switch at the Application Layer on the IXP1200 Network Processor Evaluation Board. The security part of this implementation currently uses the software package OpenSSL version 0.9.6b, ported onto VxWorks. Packet receiving uses the modified microengine reference design code and the PETH driver. Its performance is not satisfactory, for good reason. Based on the architecture of the IXP1200 Network Processor and the test results, there are some possible improvements that could be made in the future.

Slide 33: Demo
- Launch the IXP12EB and open a shell window
- Download ssl_proxy.out and rulemodule.out to the IXP
- At the shell window, type:
    > init
    > PethDrvInit
    > sslproxy
- Open another shell window and type:
    > rulemodule
- Go to the test page: http://archie.uccs.edu/~acsd/ixp1200/sslproxytest.html
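The three-step flow on the Content Switch Architecture slide (controller hash-table lookup, CS-processor rule matching and route setup, sequence-number rewriting on the server-side port) as an added simulation. This is example code written for this page, not the NPCS code or the reference design; the virtual IP, the initial sequence numbers the switch and servers would have picked on their respective handshakes, the URL-prefix rules, and the text-based packet format whose checksum is recomputed are all constructed here.

```python
from dataclasses import dataclass

# Constructed values for the simulation (not the deck's UCCS hosts).
VIP = "10.0.0.1"                      # virtual IP that clients connect to
SWITCH_ISN = 1000                     # ISN the switch used on the client-side handshake
SERVER_ISN = {"10.0.0.183": 5000,     # ISN each real server picks when the switch
              "10.0.0.188": 9000}     # opens the server-side connection (constructed)
CS_RULES = [("/xml/", "10.0.0.183"),  # content-switch rules: URL prefix -> real server
            ("/images/", "10.0.0.188")]
DEFAULT_SERVER = "10.0.0.183"

@dataclass
class Packet:
    src: str
    dst: str
    seq: int
    ack: int
    payload: bytes = b""
    chksum: int = 0

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (what step 3 must recompute)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def covered_bytes(p: Packet) -> bytes:
    """Fields covered by the checksum in this toy packet format (addresses, seq/ack, data)."""
    return f"{p.src}|{p.dst}|{p.seq}|{p.ack}|".encode() + p.payload

def stamp(p: Packet) -> Packet:
    p.chksum = internet_checksum(covered_bytes(p))
    return p

def checksum_ok(p: Packet) -> bool:
    return internet_checksum(covered_bytes(p)) == p.chksum

def match_rules(payload: bytes) -> str:
    """Step 2a: extract the URL from the HTTP request line and match the CS rules."""
    request_line = payload.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    parts = request_line.split()
    url = parts[1] if len(parts) >= 2 else "/"
    for prefix, server in CS_RULES:
        if url.startswith(prefix):
            return server
    return DEFAULT_SERVER

class ContentSwitch:
    def __init__(self):
        self.table = {}          # hash table: client addr -> (real server, seq delta)
        self.rule_lookups = 0    # how often the CS processor had to be invoked

    def from_client(self, pkt: Packet) -> Packet:
        """Step 1: controller checks the hash table; a miss goes to the CS processor (step 2)."""
        if pkt.src not in self.table:
            self.rule_lookups += 1
            server = match_rules(pkt.payload)            # 2a: extract content, match rules
            delta = SWITCH_ISN - SERVER_ISN[server]      # 2c: modification info for this flow
            self.table[pkt.src] = (server, delta)
        server, delta = self.table[pkt.src]
        # 2b: route to the real server. The client's ACK is in the switch's sequence
        # space and must be moved into the server's; the client's own SEQ is untouched.
        return stamp(Packet(pkt.src, server, pkt.seq, pkt.ack - delta, pkt.payload))

    def from_server(self, pkt: Packet) -> Packet:
        """Step 3: on the server-side port rewrite seq#, source IP and checksum, route to client."""
        server, delta = self.table[pkt.dst]
        if pkt.src != server:
            raise ValueError("return packet from a server this flow was not bound to")
        return stamp(Packet(VIP, pkt.dst, pkt.seq + delta, pkt.ack, pkt.payload))

def demo():
    """One request/reply exchange through the switch; returns both rewritten packets."""
    cs = ContentSwitch()
    req = stamp(Packet("192.0.2.10", VIP, 100, SWITCH_ISN + 1,
                       b"GET /xml/doc.xml HTTP/1.0\r\n\r\n"))
    to_server = cs.from_client(req)
    reply = stamp(Packet(to_server.dst, "192.0.2.10", SERVER_ISN[to_server.dst] + 1,
                         100 + len(req.payload), b"HTTP/1.0 200 OK\r\n\r\n"))
    to_client = cs.from_server(reply)
    return to_server, to_client

if __name__ == "__main__":
    s, c = demo()
    print("to server:", s.dst, "seq", s.seq, "ack", s.ack)
    print("to client:", c.src, "seq", c.seq, "ack", c.ack)
```

The hash-table entry is what makes the second and later packets of a flow cheap: only the first packet of a client connection reaches the rule matcher, after which the controller applies the stored server address and sequence delta directly, which is the point of keeping per-flow modification info next to the hash table on the slide.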