The Design of Web-based Management Interface for Network Processor based Content Switch - PowerPoint PPT Presentation

Slides: 32
Provided by: jayant2
Learn more at: http://cs.uccs.edu
Transcript and Presenter's Notes

1
The Design of Web-based Management Interface
for Network Processor based Content Switch
  • Jayant Patil
  • Department of Computer Science
  • Univ. of Colorado at Colorado Springs

2
Outline of the Talk
  • Overview of Content Switch, SSL, and Intel
    IXP12EB.
  • NPCS Interface Requirements
  • Components of interface: Web server, RAM-based
    file system, restructured rule module
  • Experimental results
  • Lessons Learned and Future Directions
  • Conclusion

3
Content Switch (CS)
[Figure: a client reaches server1 ... server9 through the content switch; example content on the servers: home.htm, uccs.jpg, Index.htm, rocky.mid]
  • Route packets based on high layer (Layer 5/7)
    headers and content.
  • Examples:
  • Direct Web traffic based on pattern of URLs, host
    tags, cookies.
  • Route incoming email based on email address.
  • Connect POP/IMAP based on login.
  • Web switches and Intel XML Director/accelerator
    are special cases of content switch.

4
What Services It Can Provide
  • Enabling premium services for e-commerce, ISP,
    and Web hosting providers
  • Load Balancing and High Available Server
    Clusters: Web, E-commerce, Email, Computing,
    File, SAN
  • Policy-based networking, differential/QoS
    services.
  • Firewall, Strengthening DoS protection,
    cache/firewall load-balancing
  • Flash-crowd management

5
Content Switch Operation
6
Secure Socket Layer (SSL) Protocol
  • We need SSL for secure communications between
    client and server.
  • SSL Protocol allows
  • the exchange of certificates for the
    authentication of server and potentially the
    clients
  • cipher suites and selection of session keys for
    encryption

7
OpenSSL
  • OpenSSL is based on the excellent SSLeay library
    developed by Eric A. Young and Tim J. Hudson.
  • Open Source toolkit implementing the Secure
    Socket Layer (SSL v2/v3) and Transport Layer
    Security (TLS v1) protocols as well as a
    full-strength general purpose cryptography
    library
  • Important Libraries
  • SSL
  • The OpenSSL ssl library implements the Secure
    Sockets Layer (SSL v2/v3) and Transport Layer
    Security (TLS v1) protocols
  • Crypto
  • The OpenSSL crypto library implements a wide
    range of cryptographic algorithms used in various
    Internet standards. The services provided by this
    library are used by the OpenSSL implementations
    of SSL, TLS, and they have also been used to
    implement SSH, OpenPGP, and other cryptographic
    standards

8
IXP12EB: IXP1200 Network Processor Ethernet
Evaluation Kit
  • Contains IXP1200 Network Processor with:
  • StrongArm Core
  • Six MicroEngines
  • 256 KB SRAM
  • 64MB SDRAM
  • 2 Fiber Gigabit Ethernet Interface
  • 8 Fast Ethernet Interface
  • IXP12DE software development kit.
  • Allows developers to test network software at
    gigabit wired processing speed

9
NPCS: Network Processor based Content Switch
  • Explore the design issues in using Intel IXP1200
    Network Processor as content switch.
  • Longhua Li ported Linux based Secure Content
    Switch developed by Ganesh Godavari to run on
    IXP12EB (NPCS version 1).
  • NPCS version 1 does not support:
  • Web-based management interface
  • Dynamic content switch rule set update
  • Content switch status query

10
NPCS Web-based Interface Requirements
  • Secure
  • Efficient
  • Reliable
  • User-friendly (Web-based)
  • The secure web-based interface should enable:
  • Configuration of the content switch
  • Dynamic update of the content switching rules
  • Retrieval of the network session/statistical data

11
NPCS Software layers
12
Enhanced NPCS v2 Architecture
13
GoAhead Webserver
  • Fully-featured, open-source embedded Web server
    by GoAhead Software - http://www.goahead.com/
  • Active Server Pages
  • Embedded JavaScript
  • Standard CGI Implementation
  • GoForms (in-memory CGI processing)
  • URL Handlers
  • Extensive API Documentation
  • Small Footprint -- 50K RAM (critical for NPCS)

14
GoForms In-Process CGI processing
  • Instead of spawning a separate process to execute
    the CGI program, GoForms makes a call to a
    function that is compiled and linked with the web
    server. The function processes and returns the
    dynamic web content.
  • For example, following is the code that writes
    the uploaded file onto the RAM-based file system.

void upldForm(webs_t wp, char_t *path, char_t *query)
{
    FILE   *fp;
    char_t *fn;
    char_t *bn = NULL;
    int     locWrite;
    int     numLeft;
    int     numWrite;
    char    fulfilename[100] = "";   /* start empty so strcat() is defined */

    /* The client-supplied name is read but not used to build the path:
       the upload always lands in the fixed rules file on the RAM disk. */
    fn = websGetVar(wp, T("filename"), T(""));
    bn = "rules";
    strcat(fulfilename, "DEV1:/");
    strcat(fulfilename, bn);

15
GoForms In-Process CGI processing (continued)

    if ((fp = fopen((fulfilename[0] == '\0' ?
                     "upldForm.bin" : fulfilename), "wb")) == NULL) {
        websWrite(wp, T("File open failed!<br>"));
    } else {
        websWrite(wp, T("File opened!<br>"));
        locWrite = 0;
        numLeft = wp->lenPostData;
        while (numLeft > 0) {
            numWrite = fwrite(&(wp->postData[locWrite]),
                              sizeof(*(wp->postData)),
                              numLeft, fp);
            if (numWrite < numLeft) {
                websWrite(wp, T("File write failed.<br>"));
                break;
            }
            locWrite += numWrite;
            numLeft -= numWrite;
        }
        if (numLeft == 0) {
            if (fclose(fp) != 0)
                websWrite(wp, T("File close failed.<br>"));
            else
                websWrite(wp, T("File Size Written = %d bytes<br>"),
                          wp->lenPostData);
        } else {
            fclose(fp);   /* do not leak the handle after a failed write */
            websWrite(wp,
                      T("numLeft=%d locWrite=%d Size=%d bytes<br>"),
                      numLeft,
                      locWrite, wp->lenPostData);
        }
    }
}
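
A hardened variant of the write step above, as an added example that is not part of the original presentation: it caps the upload size, writes to a temporary file and renames it over the live rules file only after a complete write, so a failed upload cannot leave a truncated ruleset for the next refresh. The function name, the 64 KB cap, the rules.tmp name and POSIX rename() replacing its target are assumptions; check how the target file system behaves before relying on the rename.

```c
#include <stdio.h>
#include <string.h>

#define RULES_MAX_BYTES 65536   /* assumed cap; size it to the RAM disk */

/* Hypothetical helper: store an uploaded ruleset as <dir>/rules.
 * Returns 0 on success, -1 if the upload is rejected or I/O fails. */
int save_ruleset(const char *dir, const char *data, size_t len)
{
    char tmp[128], live[128];
    size_t off = 0;
    FILE *fp;
    int n;

    if (dir == NULL || data == NULL || len == 0 || len > RULES_MAX_BYTES)
        return -1;                        /* empty or oversized upload */
    if (memchr(data, '\0', len) != NULL)
        return -1;                        /* rules are text, not binary */
    n = snprintf(tmp, sizeof tmp, "%s/rules.tmp", dir);
    if (n < 0 || n >= (int)sizeof tmp)
        return -1;                        /* path would be truncated */
    snprintf(live, sizeof live, "%s/rules", dir);   /* shorter than tmp */

    if ((fp = fopen(tmp, "wb")) == NULL)
        return -1;
    while (off < len) {
        size_t w = fwrite(data + off, 1, len - off, fp);
        if (w == 0)
            break;                        /* disk full or device error */
        off += w;
    }
    /* fclose() flushes buffered data, so its result matters as well. */
    if (fclose(fp) != 0 || off != len) {
        remove(tmp);
        return -1;
    }
    if (rename(tmp, live) != 0) {         /* swap in only a complete file */
        remove(tmp);
        return -1;
    }
    return 0;
}

int main(void)
{
    const char rules[] = "constructed sample ruleset line\n";
    int rc = save_ruleset("/tmp", rules, sizeof rules - 1);
    printf("save_ruleset -> %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```
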
16
GoForms In-Process CGI processing (continued)
  • Following is the code we use to execute the
    refresh function to refresh switching ruleset.

17
Dynamic Update of NPCS Ruleset
  • Rulemodule is responsible for matching the
    request with the rules in ruleset, and returning
    the designated real server for the request.
  • NPCS v1 had the rules coded in the rulemodule
    code. Thus, to change the active ruleset, it was
    required to:
  • Shutdown the current rulemodule
  • Unload rulemodule from memory,
  • Load new rulemodule binary and
  • Start new rulemodule
  • It is very cumbersome and consumes a lot of time.
    Thus it was decided to redesign the rulemodule.

18
Enhance Rulemodule
  • The rulemodule is restructured into two
    components
  • The rulematching component that matches request
    header/content with the ruleset.
  • The ruleset maintenance module that
    loads/refreshes the ruleset on demand

19
Rule grammar and parser
  • We modify the rule grammar and parser developed
    by Ganesh Godavari for Secure Information Sharing
    project.
  • The rules are specified as per following grammar
  • Rulemodule match if ( <expression> ) return
    <url path>
  • expression <term> <term> <expression>
    (<expression>) ! (<expression>)
  • <term> <factor> <factor> <term>
    (<term>)
  • <factor> <variable operator value>
  • <operator> > > < < !
  • Here is an example
  • if ( ( url "wbtree" ) ) return
    cow.csnet.uccs.edu

20
Ram based File System
  • There are two pieces provided by VxWorks
  • Block device driver and
  • dosFs MSDOS Compatible file system.
  • We created a small RAM-based file system
    by making use of the block device driver and dosFs
    file system provided by VxWorks.

21
Rulefile uploading
22
Ruleset Refreshing
23
NPCS V2 Development setup
24
NPCS V2 Test setup
25
Hardware Configuration
Machine | Spec | IP Address | O/S | Web Server
IXP12EB | 200MHz (Content switch) | Port 0: 128.198.60.130; PCI Ethernet Card: 128.198.60.32 | VxWorks 5.4 | GoAhead
dilbert.uccs.edu | Dell Precision 330 | 128.198.60.23 | Windows NT 4.0 | N/A
a) buck.csnet.uccs.edu b) cow.csnet.uccs.edu | HP Vectra Machines, 500 MHz, 256MB RAM (Real Server) | a) 128.198.61.112 b) 128.198.61.113 | Fedora Core 3 (2.6.10-1.770_FC3) | Apache httpd server
26
Webbench test results - 1
Table 1 WebBench Summary
C:\WebBench\Controller\Suites\Webbench\verify_ssl_wb401.tst

Mix Name | Requests Per Second | Throughput (Bytes/Sec)
1_client | 0.425 | 1345.975
4_client | 0.425 | 1147.525
8_client | 0.425 | 1314.850
12_client | 0.400 | 1640.525
16_client | 0.425 | 1606.750
20_client | 0.400 | 1082.025
24_client | 0.400 | 627.950
28_client | 0.425 | 739.675
32_client | 0.425 | 1403.250
36_client | 0.425 | 822.175
40_client | 0.425 | 824.225
44_client | 0.425 | 2533.825
48_client | 0.425 | 1323.575
52_client | 0.425 | 1080.550
56_client | 0.400 | 915.875
60_client | 0.425 | 2963.300

Test Information
Engine Types: http
WebBench 5.0
Start Suite: Thu Apr 28 03:26:35 2005
Finish Suite: Thu Apr 28 03:45:59 2005
Elapsed Time: 00:19:24
Status: Suite completed successfully
Comments:
27
Webbench test results - 2
28
(No Transcript)
29
Lessons Learned
  • Sometimes, the peth0 driver initialization fails
  • Manual compilation of VxWorks bootable image
  • Generally available PC WebBench's encryption
    level is 40-bit. Thus, I had to reduce the
    ssl_proxy's encryption level.

30
Conclusion
  • A Secure Web-based Management Interface was
    developed for an Intel IXP1200 based Content
    Switch.
  • It is capable of
  • Dynamic update of the content switch rule sets
  • Retrieving content switch status
  • With reasonable management task performance.
  • The NPCS performance is still slow because the
    six microengines are not fully utilized.
  • The size of ssl_proxy.out (the downloadable
    application for IXP1200) is 9MB. It is relatively
    big in an embedded system with small memory size.
    It can be improved.

31
References
  • Linux Virtual Server, http://www.linuxvirtualserver.org
  • High Performance Cluster Computing: Architectures
    and Systems, Vol 12, by Rajkumar Buyya (Editor),
    May 21, 1999, Prentice Hall
  • Gregory Yerxa and James Hutchinson, Web Content
    Switching, http://www.networkcomputing.com
  • C. Edward Chow and Weihong Wang, Design and
    Implementation of a Linux-based Content Switch,
    to be published in Proceedings of Second
    International Conference on Parallel and
    Distributed Computing, Applications and
    Techniques. http://cs.uccs.edu/chow/pub/contentsw/status/chow1.doc
  • Intel IXP1200 Network Processor,
    http://developer.intel.com/design/network/products/npfamily/ixp1200.htm
  • Intel IXA (Internet Exchange Architecture),
    http://developer.intel.com/design/network/ixa.htm
  • WindRiver Tornado Development Tools,
    http://www.windriver.com/products/html/tornado2.html
  • Tornado User's Guide (Windows Version) 2.0
  • WindRiver VxWorks, http://www.windriver.com/products/vxworks5/index.html
  • C. Edward Chow and Longhua Li, The Design and
    Implementation of Content Switch on IXP12EB
  • Ganesh Godavari, Role Based Access Right
    Specification for Secure Information Sharing.
  • Jigsaw, W3C's Server, http://www.w3.org/Jigsaw
  • Avenida 100 pure Java-based web server,
    http://www.serverwatch.com/webserver-avenida.html
  • GoAhead webserver from GoAhead Software -
    http://www.goahead.com/
  • Form-based File Upload in HTML -
    http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1867.html