Title: The Design of Web-based Management Interface for Network Processor based Content Switch
1. The Design of Web-based Management Interface for Network Processor based Content Switch
- Jayant Patil
- Department of Computer Science
- Univ. of Colorado at Colorado Springs
2. Outline of the Talk
- Overview of Content Switch, SSL, and Intel IXP12EB
- NPCS Interface Requirements
- Components of the interface: Web server, RAM-based file system, restructured rule module
- Experimental results
- Lessons Learned and Future Directions
- Conclusion
3. Content Switch (CS)
[Figure: a client sends requests to the Content Switch, which forwards each request to the appropriate server in a pool (server1 ... server9) holding content such as home.htm, uccs.jpg, Index.htm and rocky.mid]
- Routes packets based on higher-layer (Layer 5/7) headers and content.
- Examples:
  - Direct Web traffic based on patterns in URLs, host tags, and cookies.
  - Route incoming email based on the email address; connect POP/IMAP sessions based on the login.
- Web switches and the Intel XML Director/accelerator are special cases of a content switch.
4. What Services It Can Provide
- Enabling premium services for e-commerce, ISP, and Web hosting providers
- Load balancing and highly available server clusters: Web, E-commerce, Email, Computing, File, SAN
- Policy-based networking, differentiated/QoS services
- Firewall, strengthened DoS protection, cache/firewall load-balancing
- "Flash-crowd" management
5. Content Switch Operation
6. Secure Socket Layer (SSL) Protocol
- We need SSL for secure communication between client and server.
- The SSL protocol provides:
  - the exchange of certificates for authentication of the server and, optionally, of the client
  - negotiation of cipher suites and selection of session keys for encryption
7. OpenSSL
- OpenSSL is based on the SSLeay library developed by Eric A. Young and Tim J. Hudson.
- Open-source toolkit implementing the Secure Socket Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general-purpose cryptography library.
- Important libraries:
  - ssl: the OpenSSL ssl library implements the SSL v2/v3 and TLS v1 protocols.
  - crypto: the OpenSSL crypto library implements a wide range of cryptographic algorithms used in various Internet standards. Its services are used by the OpenSSL implementations of SSL and TLS, and have also been used to implement SSH, OpenPGP, and other cryptographic standards.
8. IXP12EB: IXP1200 Network Processor Ethernet Evaluation Kit
- Contains the IXP1200 Network Processor with:
  - StrongARM core
  - Six MicroEngines
  - 256 KB SRAM
  - 64 MB SDRAM
  - 2 fiber Gigabit Ethernet interfaces
  - 8 Fast Ethernet interfaces
- IXP12DE software development kit
- Allows developers to test network software at gigabit wire speed
9. NPCS: Network Processor based Content Switch
- Explores the design issues in using the Intel IXP1200 Network Processor as a content switch.
- Longhua Li ported the Linux-based Secure Content Switch developed by Ganesh Godavari to run on the IXP12EB (NPCS version 1).
- NPCS version 1 does not support:
  - a Web-based management interface
  - dynamic content switch rule set update
  - content switch status query
10. NPCS Web-based Interface Requirements
- Secure
- Efficient
- Reliable
- User-friendly, hence Web-based
- The secure Web-based interface should enable:
  - configuration of the content switch
  - dynamic update of the content switching rules
  - retrieval of network session/statistical data
11. NPCS Software Layers
12. Enhanced NPCS v2 Architecture
13. GoAhead WebServer
- Fully-featured, open-source embedded Web server by GoAhead Software, http://www.goahead.com/
- Active Server Pages
- Embedded JavaScript
- Standard CGI implementation
- GoForms (in-memory CGI processing)
- URL handlers
- Extensive API documentation
- Small footprint: about 50K RAM (critical for NPCS)
14. GoForms: In-Process CGI Processing
- Instead of spawning a separate process to execute the CGI program, GoForms calls a function that is compiled and linked with the web server. The function processes the request and returns the dynamic web content.
- For example, the following is the code that writes the uploaded file onto the RAM-based file system. The upload is always stored under the fixed name "rules" on the dosFs volume /DEV1/, so the browser-supplied filename never becomes part of the path:

    void upldForm(webs_t wp, char_t *path, char_t *query)
    {
        FILE   *fp;
        char_t *fn;
        char_t *bn = NULL;
        int     locWrite;
        int     numLeft;
        int     numWrite;
        char    fulfilename[100];

        /* filename as submitted by the form; informational only, never used to build the path */
        fn = websGetVar(wp, T("filename"), T(""));
        bn = T("rules");
        strcpy(fulfilename, "/DEV1/");
        strcat(fulfilename, bn);

15. GoForms: In-Process CGI Processing (continued)

        if ((fp = fopen((fulfilename[0] == '\0' ? "upldForm.bin" : fulfilename), "wb")) == NULL) {
            websWrite(wp, T("File open failed!<br>"));
        } else {
            websWrite(wp, T("File opened!<br>"));
            locWrite = 0;
            numLeft  = wp->lenPostData;
            /* wp->postData is written exactly as received: nothing here strips
             * multipart/form-data framing, so the rule file must arrive as a plain body */
            while (numLeft > 0) {
                numWrite = fwrite(&(wp->postData[locWrite]), sizeof(*(wp->postData)), numLeft, fp);
                if (numWrite < numLeft) {
                    websWrite(wp, T("File write failed.<br>"));
                    break;
                }
                locWrite += numWrite;
                numLeft  -= numWrite;
            }
            if (numLeft == 0) {
                if (fclose(fp) != 0) {
                    websWrite(wp, T("File close failed.<br>"));
                } else {
                    websWrite(wp, T("File Size Written %d bytes<br>"), wp->lenPostData);
                }
            } else {
                fclose(fp);   /* partial write: do not leak the descriptor */
                websWrite(wp, T("numLeft=%d locWrite=%d Size=%d bytes<br>"),
                          numLeft, locWrite, wp->lenPostData);
            }
        }
    }
16. GoForms: In-Process CGI Processing (continued)
- The following is the code we use to call the refresh function that reloads the switching ruleset.
17. Dynamic Update of the NPCS Ruleset
- The rulemodule is responsible for matching the request against the rules in the ruleset and returning the designated real server for the request.
- NPCS v1 had the rules hard-coded in the rulemodule. Thus, to change the active ruleset, it was required to:
  - shut down the current rulemodule,
  - unload the rulemodule from memory,
  - load the new rulemodule binary, and
  - start the new rulemodule.
- This is very cumbersome and time-consuming, so it was decided to redesign the rulemodule.
18. Enhanced Rulemodule
- The rulemodule is restructured into two components:
  - the rule-matching component, which matches the request header/content against the ruleset
  - the ruleset maintenance module, which loads/refreshes the ruleset on demand
19. Rule Grammar and Parser
- We modified the rule grammar and parser developed by Ganesh Godavari for the Secure Information Sharing project.
- The rules are specified according to the following grammar:
  - <rule> ::= if ( <expression> ) return <url path>
  - <expression> ::= <term> | <term> || <expression> | ( <expression> ) | ! ( <expression> )
  - <term> ::= <factor> | <factor> && <term> | ( <term> )
  - <factor> ::= <variable> <operator> <value>
  - <operator> ::= > | >= | < | <= | == | !=
- Example:
  - if ( ( url == "wbtree" ) ) return cow.csnet.uccs.edu
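Added example, not code from the talk or from the NPCS project: a C implementation of the grammar above together with the two-component split of slides 17 and 18, i.e. a rule-matching function and a ruleset that is rebuilt from rule text (such as the uploaded rule file) without recompiling or restarting anything. The connectives `&&`/`||`, exact-equality semantics for `==` on strings, the `Var`/`Ruleset` types, the function names and the sample rules are all assumptions made for this example.

```c
/* Added example (not NPCS code): a recursive-descent matcher for the rule grammar above, plus a
 * ruleset rebuilt from rule text at run time (the "ruleset maintenance" half of the rulemodule).
 * Assumed: "&&"/"||" are the term/expression connectives and "==" on strings is exact equality. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
typedef struct { const char *name, *value; } Var;                        /* one request field */
typedef struct { const char *s; const Var *vars; int nvars, err; } Parser;
typedef struct { char *rules[32]; int nrules; } Ruleset;                 /* one rule per line */
static int parse_expression(Parser *p);
static void skip_ws(Parser *p) { while (isspace((unsigned char)*p->s)) p->s++; }
static int take(Parser *p, const char *tok) {                            /* consume tok if it is next */
    size_t n = strlen(tok); skip_ws(p);
    if (strncmp(p->s, tok, n) != 0) return 0;
    p->s += n; return 1;
}
static const char *lookup(const Parser *p, const char *name, size_t n) {  /* missing field reads as "" */
    for (int i = 0; i < p->nvars; i++)
        if (strlen(p->vars[i].name) == n && !memcmp(p->vars[i].name, name, n)) return p->vars[i].value;
    return "";
}
/* <factor> ::= <variable> <operator> <value>; value is "quoted" or a bare token */
static int parse_factor(Parser *p) {
    static const char *ops[] = { "==", "!=", "<=", ">=", "<", ">" };     /* two-char ops first */
    char val[128], *e1, *e2; size_t n; int op, cmp, quoted;
    skip_ws(p); const char *name = p->s;
    while (isalnum((unsigned char)*p->s) || *p->s == '_') p->s++;
    if (p->s == name) { p->err = 1; return 0; }
    const char *lhs = lookup(p, name, (size_t)(p->s - name));
    for (op = 0; op < 6 && !take(p, ops[op]); op++) ;
    if (op == 6) { p->err = 1; return 0; }
    skip_ws(p); quoted = (*p->s == '"'); p->s += quoted;
    n = quoted ? strcspn(p->s, "\"") : strcspn(p->s, " \t\r\n)");
    if ((n == 0 && !quoted) || n >= sizeof val || (quoted && p->s[n] != '"')) { p->err = 1; return 0; }
    memcpy(val, p->s, n); val[n] = '\0'; p->s += n + quoted;
    double a = strtod(lhs, &e1), b = strtod(val, &e2);                  /* numeric only if both parse fully */
    cmp = (*lhs && *val && !*e1 && !*e2) ? (a > b) - (a < b) : strcmp(lhs, val);
    switch (op) { case 0: return cmp == 0; case 1: return cmp != 0; case 2: return cmp <= 0;
                  case 3: return cmp >= 0; case 4: return cmp < 0;  default: return cmp > 0; }
}
/* <term> ::= <factor> | <factor> && <term> | ( <expression> ) | ! ( <expression> ) */
static int parse_term(Parser *p) {
    int r, neg = take(p, "!");
    if (neg && !take(p, "(")) { p->err = 1; return 0; }
    if (neg || take(p, "(")) { r = parse_expression(p) != neg; if (!take(p, ")")) { p->err = 1; return 0; } }
    else r = parse_factor(p);                                            /* "!= neg" negates when neg is 1 */
    if (take(p, "&&")) r = parse_term(p) & r;                           /* rhs consumed even when r is 0 */
    return r;
}
static int parse_expression(Parser *p) {         /* <expression> ::= <term> | <term> || <expression> */
    int r = parse_term(p);
    return take(p, "||") ? parse_expression(p) | r : r;
}
/* <rule> ::= if ( <expression> ) return <url path>; 1 = match (target filled), 0 = no match, -1 = syntax error */
int rule_match(const char *rule, const Var *vars, int nvars, char *target, size_t tlen) {
    Parser p = { rule, vars, nvars, 0 };
    if (!take(&p, "if") || !take(&p, "(")) return -1;
    int m = parse_expression(&p);
    if (p.err || !take(&p, ")") || !take(&p, "return")) return -1;
    skip_ws(&p); size_t n = strcspn(p.s, " \t\r\n");
    if (n == 0 || n >= tlen) return -1;
    memcpy(target, p.s, n); target[n] = '\0';
    return m;
}
/* Rebuild rs from rule text (one rule per line, e.g. the uploaded rule file).  Every rule is parsed
 * before the old set is swapped out, so a bad upload never leaves the switch without a working ruleset. */
int ruleset_load(Ruleset *rs, const char *text) {                        /* returns count, or -1 (rs untouched) */
    Ruleset tmp = { {0}, 0 }; char scratch[256]; int ok = 1;
    for (const char *line = text; ok && *line; line += strcspn(line, "\n"), line += (*line == '\n')) {
        size_t len = strcspn(line, "\n");
        if (strspn(line, " \t\r") == len) continue;                      /* blank line */
        char *rule = tmp.nrules < 32 ? malloc(len + 1) : NULL;
        if (!(ok = rule != NULL)) break;
        memcpy(rule, line, len); rule[len] = '\0';
        tmp.rules[tmp.nrules++] = rule;
        ok = rule_match(rule, NULL, 0, scratch, sizeof scratch) >= 0;    /* syntax check only */
    }
    Ruleset *drop = ok ? rs : &tmp;                                      /* free whichever set loses */
    for (int i = 0; i < drop->nrules; i++) free(drop->rules[i]);
    if (ok) *rs = tmp;
    return ok ? rs->nrules : -1;
}
int select_server(const Ruleset *rs, const Var *vars, int nvars, char *target, size_t tlen) {
    for (int i = 0; i < rs->nrules; i++)                                 /* first matching rule wins */
        if (rule_match(rs->rules[i], vars, nvars, target, tlen) == 1) return i;
    return -1;
}
/* Constructed sample rule file (not from the page) and a driver: load it once, route one request. */
static const char SAMPLE_RULES[] =
    "if ( ( url == \"/wbtree/index.htm\" ) ) return cow.csnet.uccs.edu\n"
    "if ( host == \"www.uccs.edu\" && len > 1000 ) return buck.csnet.uccs.edu\n\n"
    "if ( ! ( host == \"www.uccs.edu\" ) || len < 100 ) return dilbert.uccs.edu\n";
char demo_target[128];
int demo_select(const char *url, const char *host, const char *len) {    /* returns the rule index */
    static Ruleset rs;
    if (rs.nrules == 0 && ruleset_load(&rs, SAMPLE_RULES) < 0) return -2;
    Var req[] = { { "url", url }, { "host", host }, { "len", len } };
    return select_server(&rs, req, 3, demo_target, sizeof demo_target);
}
```

`ruleset_load` parses every line before it swaps the new set in, so a malformed upload is rejected as a whole and the rules loaded earlier stay active; `select_server` uses first-match ordering, so the order of lines in the rule file is significant. Comparisons are numeric only when both sides parse fully as numbers, otherwise they are plain string comparisons.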
20. RAM-based File System
- VxWorks provides two pieces:
  - a block device driver, and
  - dosFs, an MS-DOS compatible file system.
- We created a small RAM-based file system using the block device driver and the dosFs file system provided by VxWorks.
21. Rulefile Uploading
22. Ruleset Refreshing
23. NPCS V2 Development Setup
24. NPCS V2 Test Setup
25. Hardware Configuration

Machine                  | Spec                                          | IP Address                                               | O/S                              | Web Server
IXP12EB (content switch) | 200 MHz                                       | Port 0: 128.198.60.130; PCI Ethernet card: 128.198.60.32 | VxWorks 5.4                      | GoAhead
dilbert.uccs.edu         | Dell Precision 330                            | 128.198.60.23                                            | Windows NT 4.0                   | N/A
a) buck.csnet.uccs.edu   | HP Vectra machines, 500 MHz, 256 MB RAM       | a) 128.198.61.112                                        | Fedora Core 3 (2.6.10-1.770_FC3) | Apache httpd server
b) cow.csnet.uccs.edu    | (real servers)                                | b) 128.198.61.113                                        |                                  |
26. WebBench Test Results - 1

Table 1: WebBench Summary (suite C:\WebBench\Controller\Suites\Webbench\verify_ssl_wb401.tst)

Mix Name   | Requests Per Second | Throughput (Bytes/Sec)
1_client   | 0.425               | 1345.975
4_client   | 0.425               | 1147.525
8_client   | 0.425               | 1314.850
12_client  | 0.400               | 1640.525
16_client  | 0.425               | 1606.750
20_client  | 0.400               | 1082.025
24_client  | 0.400               |  627.950
28_client  | 0.425               |  739.675
32_client  | 0.425               | 1403.250
36_client  | 0.425               |  822.175
40_client  | 0.425               |  824.225
44_client  | 0.425               | 2533.825
48_client  | 0.425               | 1323.575
52_client  | 0.425               | 1080.550
56_client  | 0.400               |  915.875
60_client  | 0.425               | 2963.300

Test Information
- Engine Types: http
- WebBench 5.0
- Start Suite: Thu Apr 28 03:26:35 2005
- Finish Suite: Thu Apr 28 03:45:59 2005
- Elapsed Time: 00:19:24
- Status: Suite completed successfully
- Comments: (none)
27. WebBench Test Results - 2
29. Lessons Learned
- Sometimes the peth0 driver initialization fails.
- Manual compilation of the VxWorks bootable image was required.
- The generally available PC WebBench only supports 40-bit encryption, so the ssl_proxy's encryption level had to be reduced to match it for the benchmark. 40-bit export ciphers are cryptographically weak, so this reduction is acceptable only for measurement, not for production use.
30. Conclusion
- A secure Web-based management interface was developed for an Intel IXP1200 based content switch.
- It is capable of:
  - dynamic update of the content switch rule sets
  - retrieving content switch status
- with reasonable management-task performance.
- The NPCS performance is still slow because the six microengines are not fully utilized.
- The size of ssl_proxy.out (the downloadable application for the IXP1200) is 9 MB, which is relatively large for an embedded system with a small memory size. It can be improved.
31. References
- Linux Virtual Server, http://www.linuxvirtualserver.org
- High Performance Cluster Computing: Architectures and Systems, Vol. 1 & 2, Rajkumar Buyya (Editor), May 21, 1999, Prentice Hall
- Gregory Yerxa and James Hutchinson, Web Content Switching, http://www.networkcomputing.com
- C. Edward Chow and Weihong Wang, Design and Implementation of a Linux-based Content Switch, to be published in Proceedings of the Second International Conference on Parallel and Distributed Computing, Applications and Techniques, http://cs.uccs.edu/chow/pub/contentsw/status/chow1.doc
- Intel IXP1200 Network Processor, http://developer.intel.com/design/network/products/npfamily/ixp1200.htm
- Intel IXA (Internet Exchange Architecture), http://developer.intel.com/design/network/ixa.htm
- WindRiver Tornado Development Tools, http://www.windriver.com/products/html/tornado2.html
- Tornado User's Guide (Windows Version) 2.0
- WindRiver VxWorks, http://www.windriver.com/products/vxworks5/index.html
- C. Edward Chow and Longhua Li, The Design and Implementation of Content Switch on IXP12EB
- Ganesh Godavari, Role Based Access Right Specification for Secure Information Sharing
- Jigsaw, W3C's Server, http://www.w3.org/Jigsaw
- Avenida, 100% pure Java-based web server, http://www.serverwatch.com/webserver-avenida.html
- GoAhead WebServer from GoAhead Software, http://www.goahead.com/
- Form-based File Upload in HTML (RFC 1867), http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1867.html