The Design of Web-based Management Interface for Network Processor based Content Switch


The Design of Web-based Management Interface for Network Processor based Content Switch
Jayant Patil
Department of Computer Science
Univ. of Colorado at Colorado Springs
5/23/2016
Web Interface for NPCS/J Patil
1
Outline of the Talk
• Overview of Content Switch, SSL, and Intel IXP12EB.
• NPCS Interface Requirements
• Components of interface – Web server, RAM-based file system, restructured rule module
• Experimental results
• Lessons Learned and Future Directions
• Conclusion
Content Switch (CS)
[Figure: a client requests Index.htm and uccs.jpg through the Content Switch, which sits in front of server1, server2, ..., server9]
• Route packets based on high layer (Layer 5/7) headers and content.
• Examples:
– Direct Web traffic based on pattern of URLs, host tags, cookies.
– Can route incoming email based on email address; connect POP/IMAP based on login
• Web switches and Intel XML Director/accelerator are special cases of content switch.
What Services It Can Provide
• Enabling premium services for e-commerce, ISP, and Web hosting providers
• Load Balancing and Highly Available Server Clusters: Web, E-commerce, Email, Computing, File, SAN
• Policy-based networking, differential/QoS services.
• Firewall, Strengthening DoS protection, cache/firewall load-balancing
• 'Flash-crowd' management
Content Switch Operation
Secure Socket Layer (SSL) Protocol
• We need SSL for secure communications between client and server.
• SSL Protocol allows
– the exchange of certificates for the authentication of server and potentially the clients
– cipher suites and selection of session keys for encryption
OpenSSL
• OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson.
• Open Source toolkit implementing the Secure Socket Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library
• Important Libraries
– SSL
• The OpenSSL ssl library implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols
– Crypto
• The OpenSSL crypto library implements a wide range of cryptographic algorithms used in various Internet standards. The services provided by this library are used by the OpenSSL implementations of SSL, TLS, and they have also been used to implement SSH, OpenPGP, and other cryptographic standards
IXP12EB: IXP1200 Network Processor Ethernet Evaluation Kit
• Contains IXP1200 Network Processor with
– StrongArm Core
– Six MicroEngines
• 256 KB SRAM
• 64MB SDRAM
• 2 Fiber Gigabit Ethernet Interfaces
• 8 Fast Ethernet Interfaces
• IXP12DE software development kit.
• Allows developers to test network software at gigabit wired processing speed
NPCS: Network Processor based Content Switch
• Explore the design issues in using Intel IXP1200 Network Processor as content switch.
• Longhua Li ported the Linux based Secure Content Switch developed by Ganesh Godavari to run on IXP12EB (NPCS version 1).
• NPCS version 1 does not support
– Web-based management interface
– Dynamic content switch rule set update
– Content switch status query
NPCS Web-based Interface Requirements
• Secure
• Efficient
• Reliable
• User-friendly Web-based
The secure web-based interface should enable
• Configuration of the content switch
• Dynamic update of the content switching rules
• Retrieval of the network session/statistical data
NPCS Software layers
Enhanced NPCS v2 Architecture
[Figure: block diagram. Labels: Web-based Management Interface Module; in-process CGI; GoAhead Webserver; RAM-based Filesystem; NPCS Mgmt Requests; Rulefile; Rulefile upload; Rulerefresh; Switching Stats; NPCS Cluster Requests; ssl_proxy/switching module; Rule matching; Refresh; Ruleset; VxWorks Operating System]
GoAhead Webserver
• Fully-featured, open-source embedded Web server by GoAhead Software - http://www.goahead.com/
• Active Server Pages
• Embedded JavaScript
• Standard CGI Implementation
• GoForms™ (in-memory CGI processing)
• URL Handlers
• Extensive API Documentation
• Small Footprint -- 50K RAM (critical for NPCS)
GoForms : In-Process CGI processing
Instead of spawning a separate process to execute the CGI program, GoForms calls a function that is compiled and linked with the web server. The function processes the request and returns the dynamic web content.
For example, the following code writes the uploaded file onto the RAM-based file system.
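#include <stdio.h>
#include <string.h>
#include "webs.h"   /* GoAhead WebServer API: webs_t, websGetVar(), websWrite() */

void upldForm(webs_t wp, char_t *path, char_t *query) {
    FILE   *fp;
    char_t *fn;                     /* file name sent by the client; not used for the path */
    char_t *bn = T("rules");        /* fixed base name of the rule file */
    int     locWrite;
    int     numLeft;
    int     numWrite;
    char    fulfilename[100] = "";  /* start empty so strcat() appends to a valid string */

    fn = websGetVar(wp, T("filename"), T(""));
    /* The upload is always stored as DEV1:/rules */
    strcat(fulfilename, "DEV1:/");
    strcat(fulfilename, bn);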
    /* Open the rule file for writing; any previous contents are replaced. */
    if ((fp = fopen(fulfilename, "w+b")) == NULL) {
        websWrite(wp, T("File open failed!<br>"));
    } else {
        websWrite(wp, T("File opened!<br>"));
        locWrite = 0;
        numLeft = wp->lenPostData;
        /* Write the POST body to the file until nothing is left. */
        while (numLeft > 0) {
            numWrite = fwrite(&(wp->postData[locWrite]), sizeof(*(wp->postData)),
                              numLeft, fp);
            if (numWrite < numLeft) {
                websWrite(wp, T("File write failed.<br>"));
                break;
            }
            locWrite += numWrite;
            numLeft -= numWrite;
        }
        if (numLeft == 0) {
            if (fclose(fp) != 0) {
                websWrite(wp, T("File close failed.<br>"));
            } else {
                websWrite(wp, T("File Size Written = %d bytes<br>"), wp->lenPostData);
            }
        } else {
            websWrite(wp, T("numLeft=%d locWrite=%d Size=%d bytes<br>"),
                      numLeft, locWrite, wp->lenPostData);
            fclose(fp);   /* release the file handle after a short write */
        }
    }
}
GoForms : In-Process CGI processing
(continued)
Following is the code we use to execute the refresh function to refresh the switching ruleset.
Dynamic Update of NPCS Ruleset
The rulemodule is responsible for matching the request against the rules in the ruleset and returning the designated real server for the request.
NPCS v1 had the rules coded in the rulemodule code. Thus, to change the active ruleset, it was required to
• Shut down the current rulemodule,
• Unload the rulemodule from memory,
• Load the new rulemodule binary and
• Start the new rulemodule
This is very cumbersome and consumes a lot of time. Thus it was decided to redesign the rulemodule.
Enhance Rulemodule
The rulemodule is restructured into two components:
• The rulematching component that matches request header/content with the ruleset.
• The ruleset maintenance module that loads/refreshes the ruleset on demand
Rule grammar and parser
We modify the rule grammar and parser developed by Ganesh Godavari for the Secure Information Sharing project.
The rules are specified according to the following grammar:
Rulemodule match {
if ( <expression> ) return <url path>
<expression> := <term> | <term> && <expression> | (<expression>) | ! (<expression>)
<term> := <factor> | <factor> || <term> | (<term>)
<factor> := <variable operator value>
<operator> := > | >= | < | <= | == | != | #
}
Here is an example :
if ( ( url # "*wbtree*" ) ) return cow.csnet.uccs.edu
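An added example (not code from the NPCS project): a small C evaluator for a subset of the grammar above, returning -1 for a malformed line so that an uploaded rule file can be checked before it is refreshed into the active ruleset. It assumes `#` means `*`-wildcard matching (inferred from the example rule), supports only the `url` variable with `#`, and handles parentheses and `!` at the factor level; `rule_match` and its helpers are hypothetical names.

```c
#include <string.h>
typedef struct { const char *p, *url; int err, used; } Ctx;
/* '*'-only wildcard match (assumed meaning of '#'); iterative, no recursion. */
static int glob(const char *p, const char *s) {
    const char *star = NULL, *back = NULL;
    for (;;) {
        if (*p == '*') { star = ++p; back = s; }
        else if (*s && *p == *s) { p++; s++; }
        else if (*s && star) { p = star; s = ++back; }
        else return !*p && !*s;
    }
}
/* Skip blanks, then consume token t if it comes next. */
static int eat(Ctx *c, const char *t) {
    c->p += strspn(c->p, " \t\r\n");
    if (strncmp(c->p, t, strlen(t)) != 0) return 0;
    c->p += strlen(t);
    return 1;
}
static int fail(Ctx *c) { c->err = 1; return 0; }
static int expr(Ctx *c);
/* factor: url # "pattern" | ( expr ) | ! factor; 64-factor cap bounds recursion. */
static int factor(Ctx *c) {
    char v[128] = {0};
    size_t n = 0;
    if (c->err || ++c->used > 64) return fail(c);
    if (eat(c, "(")) { int r = expr(c); return eat(c, ")") ? r : fail(c); }
    if (eat(c, "!")) return !factor(c);
    if (!eat(c, "url") || !eat(c, "#") || !eat(c, "\"")) return fail(c);
    while (*c->p && *c->p != '"' && n < sizeof v - 1) v[n++] = *c->p++;
    if (*c->p != '"') return fail(c);   /* unterminated or over-long pattern */
    c->p++;
    return glob(v, c->url);
}
/* As in the page's grammar, "||" (term) binds tighter than "&&" (expression). */
static int term(Ctx *c) { int l = factor(c); return eat(c, "||") ? (term(c) || l) : l; }
static int expr(Ctx *c) { int l = term(c); return eat(c, "&&") ? (expr(c) && l) : l; }

/* 1 = match, 0 = no match, -1 = malformed line; dst receives the server name. */
int rule_match(const char *rule, const char *url, char *dst, size_t len) {
    Ctx c = { rule, url, 0, 0 };
    int r = eat(&c, "if") && eat(&c, "(") ? expr(&c) : fail(&c);
    if (c.err || !eat(&c, ")") || !eat(&c, "return")) return -1;
    c.p += strspn(c.p, " \t\r\n");
    size_t n = strcspn(c.p, " \t\r\n");
    if (n == 0 || n >= len || c.p[n + strspn(c.p + n, " \t\r\n")]) return -1;
    memcpy(dst, c.p, n);
    dst[n] = '\0';
    return r;
}
```

Running every line of an uploaded file through `rule_match` with a dummy URL and refusing the refresh on any -1 keeps a truncated or hand-edited rule file from replacing a working ruleset.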
RAM-based File System
There are two pieces provided by VxWorks:
• Block device driver and
• dosFs – MSDOS Compatible file system.
We created a small RAM-based file system by making use of the block device driver and the dosFs file system provided by VxWorks.
Rulefile uploading
[Figure: NPCS v2 architecture block diagram (Web-based Management Interface Module, GoAhead Webserver, RAM-based Filesystem, ssl_proxy/switching module, Rule matching, Ruleset, VxWorks Operating System)]
Ruleset Refreshing
[Figure: NPCS v2 architecture block diagram (Web-based Management Interface Module, GoAhead Webserver, RAM-based Filesystem, ssl_proxy/switching module, Rule matching, Ruleset, VxWorks Operating System)]
NPCS V2 Development setup
[Figure: host dilbert and target IXP12EB, connected by an RS-232 serial link and Ethernet]
NPCS V2 Test setup
Hardware Configuration
Machine Spec | IP Address | O/S | Web Server
IXP12EB 200MHz (Content switch) | Port 0: 128.198.60.130; PCI Ethernet Card: 128.198.60.32 | VxWorks 5.4 | GoAhead
a) dilbert.uccs.edu, Dell Precision 330 | 128.198.60.23 | a) Windows NT, 4.0 | N/A
a) buck.csnet.uccs.edu, b) cow.csnet.uccs.edu; HP Vectra Machines, 500 MHz, 256MB RAM (Real Server) | 128.198.61.112, 128.198.61.113 | Fedora Core 3 (2.6.10-1.770_FC3) | Apache httpd server
Webbench test results - 1
Table 1: WebBench Summary
C:\WebBench\Controller\Suites\Webbench\verify_ssl_wb401.tst
Mix Name | Requests Per Second | Throughput (Bytes/Sec)
1_client | 0.425 | 1345.975
4_client | 0.425 | 1147.525
8_client | 0.425 | 1314.850
12_client | 0.400 | 1640.525
16_client | 0.425 | 1606.750
20_client | 0.400 | 1082.025
24_client | 0.400 | 627.950
28_client | 0.425 | 739.675
32_client | 0.425 | 1403.250
36_client | 0.425 | 822.175
40_client | 0.425 | 824.225
44_client | 0.425 | 2533.825
48_client | 0.425 | 1323.575
52_client | 0.425 | 1080.550
56_client | 0.400 | 915.875
60_client | 0.425 | 2963.300
Test Information:
Engine Types: http
WebBench 5.0
Start Suite: Thu Apr 28 03:26:35 2005
Finish Suite: Thu Apr 28 03:45:59 2005
Elapsed Time: 00:19:24
Status: Suite completed successfully
Webbench test results - 2
[Figure: Overall WebBench Requests/Second. x-axis: Mix Name (1_client to 60_client); y-axis: Requests / Second (0.000 to 0.450)]
Statistics retrieving times / Rule Refreshing Times
[Figures: "Statistics retrieving times" and "Rule Refreshing Times"; axis labels: Time, # of Rules]
Lessons Learned
• Sometimes, the peth0 driver initialization fails
• Manual compilation of VxWorks bootable image
• Generally available PC Webbench’s encryption level is 40-bit. Thus, I had to reduce the ssl_proxy’s encryption level.
Conclusion
• A Secure Web-based Management Interface was developed for an Intel IXP1200 based Content Switch.
• It is capable of
– Dynamic update of the content switch rule sets
– Retrieving content switch status
– With reasonable management task performance.
• The NPCS performance is still slow because the six microengines are not fully utilized.
• The size of ssl_proxy.out (the downloadable application for IXP1200) is 9MB. It is relatively big for an embedded system with small memory size. It can be improved.
References
• “Linux Virtual Server”, http://www.linuxvirtualserver.org
• High Performance Cluster Computing: Architectures and Systems, Vol 1&2, by Rajkumar Buyya (Editor), May 21, 1999, Prentice Hall
• Gregory Yerxa and James Hutchinson, “Web Content Switching”, http://www.networkcomputing.com
• C. Edward Chow and Weihong Wang, “Design and Implementation of a Linux-based Content Switch”, to be published in Proceedings of Second International Conference on Parallel and Distributed Computing, Applications and Techniques. http://cs.uccs.edu/~chow/pub/contentsw/status/chow1.doc
• Intel IXP1200 Network Processor http://developer.intel.com/design/network/products/npfamily/ixp1200.htm
• Intel IXA (Internet Exchange Architecture) http://developer.intel.com/design/network/ixa.htm
• WindRiver Tornado Development Tools http://www.windriver.com/products/html/tornado2.html
• Tornado User’s Guide (Windows Version) 2.0
• WindRiver VxWorks, http://www.windriver.com/products/vxworks5/index.html
• C. Edward Chow and Longhua Li, “The Design and Implementation of Content Switch on IXP12EB”
• Ganesh Godavari, “Role Based Access Right Specification for Secure Information Sharing”
• Jigsaw – W3C’s Server http://www.w3.org/Jigsaw
• Avenida – 100% pure Java-based web server http://www.serverwatch.com/webserveravenida.html
• Goahead webserver from GoAhead Software - http://www.goahead.com/
• Form-based File Upload in HTML http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1867.html