
1 DESIGN AND IMPLEMENTATION OF CONTENT SWITCH ON IXP1200EB
Presenter: Longhua Li
Committee Members: Dr. C. Edward Chow, Dr. Jugal K. Kalita, Dr. Charles M. Shub
Dec. 3rd, 2002

2 Content-Based Switch

3 Content Switch Architecture (Infocom 2000, Apostolopoulos et al)
Step 1. Controller finds there is no entry in the Hash Table and routes the request to the content switch processor.
Step 2. CS processor:
a. Extract content / match CS rules
b. Route request
c. Set up Sequence# modification on server side port
Step 3. At the server side port, return pkts are modified (Sequence#/IP addr/Chksum) and routed back to the client.
Diagram labels: Client, Hash Table, Real Server 1, CS Rules, pkt Modification info
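
The Step 3 rewrite as an added example (not code from the presentation or from NPCS): the sequence number and source address of a server-to-client segment are changed and the TCP checksum is patched incrementally per RFC 1624 instead of being recomputed. The function names, addresses and sample packet are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Full Internet checksum (RFC 1071) over an even-length buffer. */
static uint16_t csum_full(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += rd16(p + i);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* RFC 1624 eqn. 3: HC' = ~(~HC + ~m + m') for one changed 16-bit word. */
static uint16_t csum_update16(uint16_t hc, uint16_t m_old, uint16_t m_new) {
    uint32_t sum = (uint32_t)(uint16_t)~hc + (uint32_t)(uint16_t)~m_old + m_new;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Hypothetical Step 3 helper: shift seq by seq_delta and replace the source IP.
   src_ip is the address as covered by the TCP pseudo-header; the IP header
   checksum needs the same per-word update for the address change. */
static void splice_rewrite(uint8_t *src_ip, uint8_t *tcp, uint32_t seq_delta,
                           const uint8_t new_src[4]) {
    uint16_t hc = rd16(tcp + 16);
    uint32_t nseq = (((uint32_t)rd16(tcp + 4) << 16) | rd16(tcp + 6)) + seq_delta; /* mod 2^32 */
    uint8_t nb[4] = { (uint8_t)(nseq >> 24), (uint8_t)(nseq >> 16), (uint8_t)(nseq >> 8), (uint8_t)nseq };
    for (int i = 0; i < 4; i += 2) {
        hc = csum_update16(hc, rd16(tcp + 4 + i), rd16(nb + i));
        hc = csum_update16(hc, rd16(src_ip + i), rd16(new_src + i));
    }
    memcpy(tcp + 4, nb, 4);
    memcpy(src_ip, new_src, 4);
    tcp[16] = (uint8_t)(hc >> 8); tcp[17] = (uint8_t)hc;
}

/* Constructed sample: 12-byte pseudo-header + 20-byte TCP header + 4-byte payload. */
int demo_rewrite_ok(void) {
    uint8_t pkt[36] = {
        10,0,0,5, 192,0,2,10, 0,6, 0,24,                /* src, dst, zero, proto 6, TCP len */
        0,80, 0xc0,0x01, 0xff,0xff,0xff,0xf0, 0,0,0,1,  /* ports, seq near wrap, ack */
        0x50,0x18, 0x20,0x00, 0,0, 0,0,                 /* offset/flags, window, csum, urg */
        'H','T','T','P' };
    const uint8_t vip[4] = { 192,0,2,1 };               /* address the client expects */
    uint16_t c = csum_full(pkt, sizeof pkt);
    pkt[28] = (uint8_t)(c >> 8); pkt[29] = (uint8_t)c;  /* checksum field: 12 + 16 */
    splice_rewrite(pkt, pkt + 12, 0x20, vip);
    return csum_full(pkt, sizeof pkt) == 0 && rd16(pkt + 16) == 0 && rd16(pkt + 18) == 0x0010 && pkt[3] == 1;
}

int main(void) { return demo_rewrite_ok() ? 0 : 1; }
```

A receiver validates a segment by summing it with its checksum field in place, so `csum_full` returning 0 after the rewrite shows the patched checksum matches a full recomputation.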

4 Commercial Content Switches
– Cisco Content Engine (Arrowpoint)
– Foundry Networks’ ServerIron Products
– F5’s Big-IP
– Nortel Networks Alteon Web Switches
– Intel XML Director
– Phobos In-Switch

5 Content Switch Operations
Diagram labels: Incoming Packets; Content Switching Rule Matching Algorithm; Header Content Extraction; Packet Classification; Content Switch Rules; Packet Routing (Load Balancing); CS Rule Editor; Forward Packet To Servers; Network Path Info; Server Load Status

6 Secure Socket Layer (SSL) Protocol
We need SSL for secure communications between client and server.
The SSL protocol allows:
– the exchange of certificates for the authentication of the server and potentially the clients
– negotiation of cipher suites and selection of session keys for encryption

7 Overview of SSL Procedure
SSL Messages (Client on the left, Server on the right)
1. Client hello ----->
<----- 2. Server hello
<----- 3. Certificate (Optional)
<----- 4. Certificate request (Optional)
<----- 5. Server key exchange (Optional)
<----- 6. Server hello done
7. Certificate (Optional) ----->
8. Client key exchange ----->
9. Certificate verify (Optional) ----->
10. Change cipher spec ----->
11. Finished ----->
<----- 12. Change cipher spec
<----- 13. Finished
14. Encrypted data <----- 14. Encrypted data

8 OpenSSL
An Open Source Toolkit for SSL/TLS
– Implements the Secure Sockets Layer protocol (SSL v2/v3) and the Transport Layer Security (TLS v1) protocol
– Implements cryptographic algorithms: message digest algorithms, symmetric ciphers, public key cryptography

9 Intel IXP1200 NP and IXP12EB
The IXP1200 Network Processor: highly integrated RISC architecture
The IXP12EB Evaluation Board:
– PCI form factor board based on IXP1200 Network Processor
– eight 10/100 Mbps ports
– two Gigabit Ethernet ports
– PCI back-plane and an Ethernet Network Interface Card (NIC)

10 IXP 1200 Network Processor

11 Development Environment
– Intel Developer Workbench (for Microengines)
– WindRiver Tornado IDE (for StrongARM)

12 Design of IXP1200-Based Secure Content Switch (NPCS)
Purpose of this design
– Study resource constraints (memory) on content switch design.
– Learn the impact of a real-time embedded OS.
– Understand the porting issues (from Linux to VxWorks).
Assumptions
– Security
– Certificates

13 Design of NPCS (Hardware set up)

14 Design of NPCS (Software layers)

15 Design of NPCS (Modules)

16 Implementation of NPCS
The implementation of NPCS is divided into three parts:
– Packets Receiving and Transmitting
– Porting OpenSSL
– Porting Linux-based Secure Content Switch and Implementing it on IXP12EB

17 Hardware & Software Environments
Host machine: dilbert
Set up IXP12EB:
tgtsvr.exe 128.198.60.32 -n IXP1200EB -m 15728640 -V -B Wdbrpc -redirectIO
Real Servers:
– frodo.uccs.edu (128.198.60.183)
– eca.uccs.edu (128.198.60.188)

18 The Prototype of NPCS
Packets Receiving and Transmitting
– Microengine Reception and Transmission
– Pseudo Device Driver
Porting OpenSSL
Porting and Implementing Secure Content Switch on IXP1200EB

19 Packets Receiving & Transmitting

20 Porting OpenSSL
– No public domain OpenSSL for VxWorks.
– Two major libraries: CryptoLib and SSLLib
– Makefiles
– Size of the libraries

21 Porting and Implementing Secure Content Switch on IXP12EB
Three major tasks (two modules):
– Controller
– Request Processor
– Rule Matcher

22 The Controller

23 The Request Processor

24 The Rule Matcher

25 Test Results and Analysis
Three test scenarios:
– Both SSL Proxy and Rule Module running on the IXP12EB. Real servers are two Linux machines.
– SSL Proxy running on IXP12EB with Rule Module running on a Linux machine. Real servers are two Linux machines.
– Response time measured for different XML document request sizes, for NPCS and the Intel 7280 XML parser.

26 Test bed set up

27 Test Results and Analysis

28 Test Results and Analysis (Cont.)

29 Test Results and Analysis (Cont.)

30 Limitation of NPCS and Possible Future Works
Communication between tasks Rule Module File store (no hard drive) Utilization of Microengines Sizes of Libraries CryptoLib and SSLLib

31 Lessons Learned
Hardware configuration Memory cache size Building VxWorks images Debugging Building libraries Testing local OpenSSL implementation on IXP ssldump

32 Conclusion
This NPCS is a prototype of a secure content switch that performs the functions of a web switch at the Application Layer on the IXP1200 Network Processor Evaluation Board. The security part of this implementation currently uses the software package OpenSSL version 0.9.6b ported onto VxWorks. Packet reception uses the modified microengine reference design code and the PETH driver. Its performance is not satisfactory, for good reason. Based on the architecture of the IXP1200 Network Processor and the test results, there are some possible improvements that could be made in the future.

33 Demo
Launch IXP12EB and open a shell window.
Download ssl_proxy.out and rulemodule.out to IXP.
At shell window, type:
> init
> PethDrvInit
> sslproxy
Open another shell window, type:
> rulemodule
Go to test page: http://archie.uccs.edu/~acsd/ixp1200/sslproxytest.html