1. The Design of Web-based Management Interface for Network Processor based Content Switch
Jayant Patil
Department of Computer Science
Univ. of Colorado at Colorado Springs
Welcome the committee members.
9/16/2018
Web Interface for NPCS/J Patil

2. Web Interface for NPCS/J Patil
Outline of the Talk
Overview of Content Switch, SSL, and Intel IXP12EB.
NPCS Interface Requirements
Components of interface – Web server, RAM-based file system, restructured rule module
Experimental results
Lessons Learned and Future Directions
Conclusion
First I will be briefly describing a content switch, SSL technology and Intel’s web development kit IXp12EB. Then I will present the NPCS interface requirements. I will explain the components of Web-based interface – Webserver, Ram-based filrsystem and restructured rulemodule.
Thereafter I will present the experimental results. Then will talk about the lessons learned and future directions.
9/16/2018
Web Interface for NPCS/J Patil

3. Web Interface for NPCS/J Patil
Content Switch (CS)
server1
home.htm
client
Content Switch
server2
uccs.jpg .
Index.htm .
rocky.mid
server9
Route packets based on high layer (Layer 5/7)
headers and content.
Examples:
Direct Web traffic based on pattern of URLs, host tags, cookies.
Can Route incoming based on address; Connect POP/IMAP based on login
Web switches and Intel XML Director/accelerator are special cases of content switch.
9/16/2018
Web Interface for NPCS/J Patil

4. What Services It Can Provide
Enabling premium services for e-commerce, ISP, and Web hosting providers
Load Balancing and High Available Server Clusters: Web, E-commerce, , Computing, File, SAN
Policy-based networking, differential/QoS services.
Firewall, Strengthening DoS protection, cache/firewall load-balancing
‘Flash-crowd' management
It makes more sense, to provide faster, more efficient service to larger, older customers of e-commerce company. This is only possible using content switch since the clients can be routed to faster/powerful servers based upon the request contents.
Flash crowd management also becomes simple, as just by changing switching ruleset dynamically, we can add more power more quickly to the server farm, and later remove it.
9/16/2018
Web Interface for NPCS/J Patil

5. Content Switch Operation
9/16/2018
Web Interface for NPCS/J Patil

6. Secure Socket Layer (SSL) Protocol
We need SSL for secure communications between client and server.
SSL Protocol allows
the exchange of certificates for the authentication of server and potentially the clients
cipher suites and selection of session keys for encryption
9/16/2018
Web Interface for NPCS/J Patil

7. Web Interface for NPCS/J Patil
OpenSSL
OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson.
Open Source toolkit implementing the Secure Socket Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library
Important Libraries
SSL
The OpenSSL ssl library implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols
Crypto
The OpenSSL crypto library implements a wide range of cryptographic algorithms used in various Internet standards. The services provided by this library are used by the OpenSSL implementations of SSL, TLS, and they have also been used to implement SSH, OpenPGP, and other cryptographic standards
OpenSSL combines two tools in one package: a cryptography library and an SSL toolkit.
OpenSSL supports
·        MD2, MD4, MD5, MDC2, SHA1 and RIPEMD-160 message digest algorithms;
·        Blowfish, CAST5, DES, 3DES (Triple DES), IDEA, RC2, RC4, and RC5 symmetric ciphers and most of the ciphers support different modes, including CBC, CFB, ECB and OFB;
·        Public key cryptography including Diffie-Hellman algorithm (only used for key agreement), Digital Signature Algorithm (DSA), and RSA.
9/16/2018
Web Interface for NPCS/J Patil

8. IXP12EB: IXP1200 Network Processor Ethernet Evaluation Kit
Contain IXP1200 Network Processor with
StrongArm Core
Six MicroEngines
256 KB SRAM
64MB SDRAM
2 Fiber Gigabit Ethernet Interface
8 Fast Ethernet Interface
IXP12DE software development kit.
Allow developers to test network software at gigabit wired processing speed
9/16/2018
Web Interface for NPCS/J Patil

9. NPCS: Network Processor based Content Switch
Explore the design issues in using Intel IXP1200 Network Processor as content switch.
Longhua Li ported Linux based Secure Content Switch developed by Ganesh Godavari to run on IXP12EB NPCS version 1.
NPCS version 1 does not support
Web-based management interface
Dynamic content switch rule set update
Content switch status query
9/16/2018
Web Interface for NPCS/J Patil

10. NCPS Web-based Interface Requirements
Secure
Efficient
Reliable
User-friendly Web-based
The secure web-based interface should enable
Configuration of the content switch
Dynamic update of the content switching rules
Retrieval of the network session/statistical data
9/16/2018
Web Interface for NPCS/J Patil

11. Web Interface for NPCS/J Patil
NPCS Software layers
9/16/2018
Web Interface for NPCS/J Patil

12. Enhanced NPCS v2 Architecture
In-process CGI explained later in detail.
9/16/2018
Web Interface for NPCS/J Patil

13. Web Interface for NPCS/J Patil
GoAhead Webserver
Fully-featured, open-source embedded Web server
by GoAhead Software -
Active Server Pages
Embedded JavaScript
Standard CGI Implementation
GoForms™ (in-memory CGI processing)
URL Handlers
Extensive API Documentation
Small Footprint -- 50K RAM (critical for NPCS)
Make a note here, that GoAhead software doesnot provide SSL implementation code, but only has support interface to the RSA Security’s SSL toolkit, RSA BSAFE SSL-C. We have currently implemented digest based user security.
9/16/2018
Web Interface for NPCS/J Patil

14. GoForms : In-Process CGI processing
Instead of spawning separate process to execute the CGI program, the GoForms makes call to the function that is compiled and linked with the web server. The function processes and returns the dynamic web content.
For example, following is the code that writes the uploaded file onto the RAM-based file system.
void upldForm(webs_t wp, char_t * path, char_t * query) {
FILE * fp;
char_t * fn;
char_t * bn = NULL;
int locWrite;
int numLeft;
int numWrite;
char fulfilename[100];
fn = websGetVar(wp, T("filename"), T(""));
strcat(bn,"rules");
strcat(fulfilename,”DEV1:/”);
strcat(fulfilename, bn);
What is CGI? : When web server gets a request, that is a program instead of a static webpage, it spawns separate process to execute the program. The program executes, and returns HTML page to the browser as a response.
9/16/2018
Web Interface for NPCS/J Patil

15. GoForms : In-Process CGI processing continued……..
if ((fp = fopen((fulfilename == NULL ? "upldForm.bin" : fulfilename), "w+b")) == NULL) {
websWrite(wp, T("File open failed!<br>"));
} else {
websWrite(wp, T("File opened!<br>"));
locWrite = 0;
numLeft = wp->lenPostData;
while (numLeft > 0) {
numWrite = fwrite(&(wp->postData[locWrite]), sizeof(*(wp->postData)),
numLeft, fp);
if (numWrite < numLeft) {
websWrite(wp, T("File write failed.<br>"));
break; }
locWrite += numWrite;
numLeft -= numWrite;
if (numLeft == 0) {
if (fclose(fp) != 0) {
websWrite(wp, T("File close failed.<br>"));
websWrite(wp, T("File Size Written = %d bytes<br>"), wp->lenPostData);
websWrite(wp, T("numLeft=%d locWrite=%d Size=%d bytes<br>"),
numLeft, locWrite, wp->lenPostData);
9/16/2018
Web Interface for NPCS/J Patil

16. GoForms : In-Process CGI processing continued……..
Following is the code we use to execute the refresh function to refresh switching ruleset.
What is CGI? : When web server gets a request, that is a program instead of a static webpage, it spawns separate process to execute the program. The program executes, and returns HTML page to the browser as a response.
9/16/2018
Web Interface for NPCS/J Patil

17. Dynamic Update of NPCS Ruleset
Rulemodule is responsible for matching the request with the rules in ruleset, and returning the designated real server for the request.
NPCS v1 had the rules coded in the rulemodule code. Thus, to change the active ruleset, it was required to
Shutdown the current rulemodule
Unload rulemodule from memory,
Load new rulemodule binary and
Start new rulemodule
It is very cumbersome and consumes lot of time. Thus it is decided to redesign the rulemodule.
9/16/2018
Web Interface for NPCS/J Patil

18. Web Interface for NPCS/J Patil
Enhance Rulemodule
The rulemodule is restructured into two components:
The rulematching component that matches request header/content with the ruleset.
The ruleset maintenance module that loads/refreshes the ruleset on demand
9/16/2018
Web Interface for NPCS/J Patil

19. Rule grammar and parser
We modify the rule grammar and parser developed by Ganesh Godavari for Secure Information Sharing project.
The rules are specified as per following grammar :
Rulemodule match {if ( <expression> ) return <url path>
expression := <term> | <term> && <expression> | (<expression>) | ! (<expression>)
<term> := <factor> | <factor> || <term> | (<term>)
<factor> := <variable operator value><operator> := > | >= | < | <= | == |!= | #}
Here is an example :
if ( ( url # "*wbtree*" ) ) return cow.csnet.uccs.edu
9/16/2018
Web Interface for NPCS/J Patil

20. Web Interface for NPCS/J Patil
Ram based File System
There are two pieces provided by VxWorks :
Block device driver and
dosFs – MSDOS Compatible file system.
We created a small ram memory based file system by making use of blocked device driver and dosFs filesystem provided by VxWorks.
9/16/2018
Web Interface for NPCS/J Patil

21. Web Interface for NPCS/J Patil
Rulefile uploading
9/16/2018
Web Interface for NPCS/J Patil

22. Web Interface for NPCS/J Patil
Ruleset Refreshing
9/16/2018
Web Interface for NPCS/J Patil

23. NPCS V2 Development setup
Describe the setup in detail
9/16/2018
Web Interface for NPCS/J Patil

24. Web Interface for NPCS/J Patil
NPCS V2 Test setup
9/16/2018
Web Interface for NPCS/J Patil

25. Hardware Configuration
Machine Spec
IP Address
O/S
Web Server
IXP12EB 200MHz
(Content switch)
Port 0 :
PCI Ethernet Card :
VxWorks 5.4
GoAhead
a) dilbert.uccs.edu
Dell Precision 330
a) Windows NT, 4.0
N/A
a) buck.csnet.uccs.edu
b) cow.csnet.uccs.edu
HP Vectra Machines, 500 MHz, 256MB RAM
(Real Server)
Fedora Core 3
( _FC3)
Apache httpd server
9/16/2018
Web Interface for NPCS/J Patil

26. Webbench test results - 1
Table 1: WebBench Summary
C:\WebBench\Controller\Suites\Webbench\verify_ssl_wb401.tst
Mix Name
Requests Per Second
Throughput (Bytes/Sec)
Test Information
1_client
0.425
Engine Types: http
4_client
WebBench 5.0
8_client
Start Suite: Thu Apr 28 03:26:
12_client
0.400
Finish Suite: Thu Apr 28 03:45:
16_client
Elapsed Time: 00:19:24
20_client
Status: Suite completed successfully
24_client
Comments:
28_client
32_client
36_client
40_client
44_client
48_client
52_client
56_client
60_client
9/16/2018
Web Interface for NPCS/J Patil

27. Webbench test results - 2
9/16/2018
Web Interface for NPCS/J Patil

28. Web Interface for NPCS/J Patil
9/16/2018
Web Interface for NPCS/J Patil

29. Web Interface for NPCS/J Patil
Lessons Learned
Sometimes, the peth0 driver initialization fail
Manual compilation of VxWorks bootable image
Generally available PC Webbench’s encryption level is 40bit. Thus, I had to reduce the ssl_proxy’s encryption level.
9/16/2018
Web Interface for NPCS/J Patil

30. Web Interface for NPCS/J Patil
Conclusion
A Secure Web-based Management Interface was developed for a Intel IXP1200 based Content Switch.
It is capable of
Dynamic update of the content switch rule sets
Retrieving content switch status
With reasonable management task performance.
The NPCS performance is still slow due to not fully utilized the six microengine.
The size of ssl_proxy.out (the downloadable application for IXP1200) is 9MB. It is relatively big in an embedded system with small memory size. It can be improved.
9/16/2018
Web Interface for NPCS/J Patil

31. Web Interface for NPCS/J Patil
References
“Linux Virtual Server”,
High Performance Cluster Computing:Architechures and Systems, Vol 1&2, by Rajkumar Buyya(Editor), May 21, 1999, Prentice Hall
Gregory Yerxa and James Hutchinson, “Web Content Switching”,
C. Edward Chow and Weihong Wang, “Design and Implementation of a Linux-based Content Switch”, to be published in Proceedings of Second International Conference on Parallel and Distributed Computing, Applications and Techniques.
Intel IXP1200 Network Processor
Intel IXA (Internet Exchange Architecture)
WindRiver Tornado Development Tools
Tornado User’s Guide (Wondows Version) 2.0
WindRiver VxWorks,
C. Edward Chow and Longhua Li, “The Design and Implementation of Content Switch on IXP12EB”
Ganesh Godavari, “Role Based Access Right Specification for Secure Information Sharing.
Jigsaw – W3C’s Server
Avenida – 100% pure Java-based web server
Goahead webserver from GoAhead Software -
Form-based File Upload in HTML -
9/16/2018
Web Interface for NPCS/J Patil