CHAPTER 9
Reference Applications
This chapter describes reference applications including IP Packet Forwarding and radio link protocol (RLP) applications. Topics include:
The IP packet forwarding application (ipfwd) simulates an IPv4 (Internet Protocol Version 4) forwarding operation. When a packet is received, the program performs a forwarding table search, rewrites the source and destination MAC addresses, decrements the TTL, and recalculates the IP header checksum. The packet is then sent out through a specified port. The application can either simulate an IP forwarding lookup table or perform an actual lookup against one. The goal of this application is to provide a framework for users to develop their own applications based on their own lookup algorithms.
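The per-packet work described above can be sketched in plain C. This is an illustrative sketch only, not the Netra DPS code: the header layout and the function names (forward_rewrite, ip_checksum) are assumptions, and in the real application the next-hop MAC address would come from the forwarding table lookup.

```c
/* Sketch of the ipfwd per-packet steps: rewrite MACs, decrement TTL,
   recompute the IPv4 header checksum.  Illustrative, not the real code. */
#include <stdint.h>
#include <string.h>

struct ipv4_hdr {
    uint8_t  ver_ihl, tos;
    uint16_t tot_len, id, frag_off;
    uint8_t  ttl, proto;
    uint16_t cksum;
    uint32_t saddr, daddr;
};

/* Standard 16-bit one's-complement checksum over the IP header. */
static uint16_t ip_checksum(const void *hdr, size_t len)
{
    const uint16_t *p = hdr;
    uint32_t sum = 0;
    while (len > 1) { sum += *p++; len -= 2; }
    if (len) sum += *(const uint8_t *)p;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Forwarding step: new MACs would come from the forwarding table lookup. */
static int forward_rewrite(uint8_t *eth_dst, uint8_t *eth_src,
                           const uint8_t *next_hop_mac,
                           const uint8_t *out_port_mac,
                           struct ipv4_hdr *ip)
{
    if (ip->ttl <= 1)
        return -1;                    /* TTL would expire: drop */
    memcpy(eth_dst, next_hop_mac, 6); /* rewrite destination MAC */
    memcpy(eth_src, out_port_mac, 6); /* rewrite source MAC */
    ip->ttl--;                        /* decrement TTL */
    ip->cksum = 0;                    /* recompute header checksum */
    ip->cksum = ip_checksum(ip, sizeof *ip);
    return 0;
}
```

A header whose checksum field holds the correct value sums to zero under the same routine, which gives a quick self-check after the rewrite.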
All ipfwd source files are located in the following package directory: /opt/SUNWndps/src/apps/ipfwd. The contents include:
On a system that has SUNWndps installed, go to the src/apps/ipfwd directory and use the build scripts shown in TABLE 9-1 to build the application.
Note - Copy the application files from the /opt/SUNWndps/src/apps/ipfwd directory of the package into your workspace before compiling the application.
TABLE 9-1 shows the ipfwd application build scripts.
Note - This script does not have the <cmt> option because the Netra ATCA CP3060 system is UltraSPARC T1 based only.
This argument specifies whether to build the ipfwd application to run on the UltraSPARC T1 platform or UltraSPARC T2 platform.
cmt1 - Build for CMT1 (UltraSPARC T1) architecture
cmt2 - Build for CMT2 (UltraSPARC T2) architecture
This argument is required for scripts that expect <cmt>.
This optional argument specifies whether to build the ipfwd application to run in the LDoms environment. When this flag is specified, the IPFWD LDoms reference application is compiled. If this argument is not specified, the non-LDoms application is compiled.
In /opt/SUNWndps/src/apps/ipfwd, pick the correct build script and run it. For example, to build for the Sun multithreaded 10Gb Ethernet adapter on Netra or Sun Fire T2000 systems, enter the following at your shell window.
In this example, build_10g is used to build the IP forwarding application to run on the Sun multithreaded 10Gb Ethernet. The <cmt> argument is specified as cmt1 to build the application to run on UltraSPARC T1-based Netra or Sun Fire T2000 systems.
1. Copy the binary into the /tftpboot directory of the tftpboot server.
2. On the tftpboot server, type:
3. On the target machine, type the following at the ok prompt:
Note - net is an OpenBoot PROM alias corresponding to the physical path of the network.
This section shows the default configurations:
Main files that control the system configurations:
Note - e1000g (ipge) only has one DMA channel per port.
Main files that control the application configurations:
To enable profiling, follow the instructions given in each build script that states:
To enable the Radix Forwarding Algorithm for IP forwarding, uncomment the following line from Makefile.ipge or Makefile.nxge for the e1000g 1Gb PCIe Ethernet adapter or the Sun multithreaded 10Gb and 1Gb PCIe Ethernet adapter, respectively:
To bypass the ipfwd operation (that is, receive --> transmit without the forwarding operation), uncomment the following line from Makefile.ipge or Makefile.nxge for the 1Gb PCIe Ethernet adapter or the Sun multithreaded 10Gb and 1Gb PCIe Ethernet adapter, respectively:
When the Multiple Forward Destinations option is enabled, the output destination port is determined by the output of the Forwarding Table Lookup. Otherwise, the output destination port is the same as the input port. To enable this option, uncomment the following line from Makefile.ipge or Makefile.nxge for Ophir or Sun multithreaded 10GbE Ethernet, respectively:
You can specify a policy for spreading traffic into multiple DMA flows by hardware hashing. TABLE 9-2 describes each policy:
To enable one of the above policies, add the following into the gmake line:
where policy is one of those specified in TABLE 9-2. For example, to enable hash on an IP destination and source address, add HASH_POLICY=HASH_IP_ADDR to the gmake line as shown below:
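As a hedged sketch (the exact makefile name and variable placement come from your build script, so treat this as illustrative only):

```shell
# Hypothetical gmake line; the real one is inside the build script.
gmake -f Makefile.nxge HASH_POLICY=HASH_IP_ADDR
```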
If none of the policies listed in TABLE 9-2 are specified, a default policy is given. When you use the default policy, all L2/L3/L4 header fields are used for spreading traffic.
The ipfwd_config.c file helps you map application tasks to CPU cores and hardware strands. Normally, this mapping is set in the ipfwd_map.c file in the config directory. The ipfwd_config.c file is a productivity tool: it provides a quick way to change the mapping without modifying ipfwd_map.c.
This configuration file is not a replacement for ipfwd_hwarch.c, ipfwd_swarch.c, and ipfwd_map.c. The framework exists to conduct performance analysis and measurement with different system configurations. The default (*_def) configurations assume that a minimum of 16 system threads are allocated for Netra DPS in ipfwd_map.c and that all required memory pool resources are declared in ipfwd_swarch.c. You still need to specify system resource declarations and mappings in ipfwd_hwarch.c, ipfwd_swarch.c, and ipfwd_map.c. The configuration is assigned to a pointer named ipfwd_thread_config.
Each application configuration is represented in an array of a six-element entry. Each entry (each row) represents a software task and its corresponding resources:
TROLE_ETH_NETIF_RX - This task performs the receive function.
TROLE_ETH_NETIF_TX - This task performs the transmit function.
TROLE_APP_IPFWD - This task performs the IP forwarding function.
See common.h for all definitions. If you do not want to run any software task on this hardware strand, the role field should be set to -1. By default, during initialization of the ipfwd application, the hardware strand that encounters a -1 software role is parked.
Note - A parked strand is a strand that does not consume any pipeline cycles (an inactive strand).
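The shape of such a configuration table can be sketched as follows. The six columns shown here (strand, role, port, channel, receive pool, transmit pool) are assumptions for illustration; the real field meanings, order, and role constants come from common.h and the package sources.

```c
/* Hedged sketch of an ipfwd_config.c-style entry table.
   Column meanings are assumed, not taken from the package. */
enum { TROLE_ETH_NETIF_RX, TROLE_ETH_NETIF_TX, TROLE_APP_IPFWD };
#define PARKED (-1)          /* role -1: strand runs no task and is parked */
#define NCOLS  6

static int demo_config[][NCOLS] = {
    /* strand, role,               port, chan, rxpool, txpool */
    {  0,      TROLE_ETH_NETIF_RX, 0,    0,    0,      -1 },
    {  1,      TROLE_APP_IPFWD,    0,    0,    0,       0 },
    {  2,      TROLE_ETH_NETIF_TX, 0,    0,   -1,       0 },
    {  3,      PARKED,            -1,   -1,   -1,      -1 },
};

/* Count the strands that would be parked at initialization. */
static int parked_strands(int (*cfg)[NCOLS], int rows)
{
    int i, n = 0;
    for (i = 0; i < rows; i++)
        if (cfg[i][1] == PARKED)    /* column 1 holds the software role */
            n++;
    return n;
}
```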
The Radio Link Protocol (RLP) application (rlp) simulates Radio Link Protocol operation, which is one of the protocols in the CDMA-2000 High Rate Packet Data Interfaces (HRPD-A). This application implements the forwarding direction fully, with packets flowing from PDSN --> AN --> AT (that is, Packet Data Serving Node to Access Network to Access Terminal). Reverse direction support is also implemented, but requires an AT-side application that can generate NAKs (negative acknowledgments). The application must be modified to process reverse traffic.
On a system that has SUNWndps installed, go to the src/apps/rlp directory and use the build scripts shown in TABLE 9-1 to build the application.
Note - First copy the application files from the /opt/SUNWndps/src/apps/rlp directory of the package into your workspace before compiling the application.
TABLE 9-1 shows the RLP (rlp) application build scripts.
This argument specifies whether to build the rlp application to run on the UltraSPARC T1 platform or UltraSPARC T2 platform.
cmt1 - Build for CMT1 (UltraSPARC T1) architecture
cmt2 - Build for CMT2 (UltraSPARC T2) architecture
This argument is required for scripts that expect <cmt>.
This optional argument specifies whether to build the rlp application to run in the LDoms environment. When this flag is specified, the RLP LDoms reference application is compiled. If this argument is not specified, the non-LDoms application is compiled.
In /opt/SUNWndps/src/apps/rlp, pick the correct build script and run it. For example, to build for the Sun multithreaded 10Gb PCIe Ethernet adapter on Netra or Sun Fire T2000 systems, enter the following at your shell window:
In this example, build_10g is used to build the RLP application to run on the Sun multithreaded 10Gb Ethernet. The <cmt> argument is specified as cmt1 to build the application to run on UltraSPARC T1-based Netra or Sun Fire T2000 systems.
To Run the Application
1. Copy the binary into the /tftpboot directory of the tftpboot server.
2. On the tftpboot server, type:
3. On the target machine, type the following at the ok prompt:
Note - net is an OpenBoot PROM alias corresponding to the physical path of the network.
This section shows the default configurations.
Main files that control the system configurations are:
Note - e1000g (ipge) only has one DMA channel per port.
Main files that control the application configurations are:
Follow the instructions given in each build script that states:
To bypass the rlp operation (that is, receive --> transmit without the rlp_process operation), uncomment the following line from Makefile.ipge or Makefile.nxge for the 1Gb PCIe Ethernet adapter or the Sun multithreaded 10Gb and 1Gb PCIe Ethernet adapter, respectively:
Note - This action disables only the RLP processing operation; the queues are still used. This is not the default option.
By default, the RLP application uses a single global memory pool for all the DMA channels.
1. Enable the single memory pool by using the following flag:
2. Update the rlp_swarch.c file to use individual memory pools.
By default, the RLP application is configured for two port-pairs for the ipge driver.
To run the application on eight ipge interfaces (four port-pairs), enable the following flag:
You can specify a policy for spreading traffic into multiple DMA flows by hardware hashing or the TCAM lookup table. TABLE 9-4 describes each policy:
Add the following into the gmake line:
where policy is one of the policies specified in TABLE 9-4.
For example, to enable flow on an IP destination and source address, add FLOW_POLICY=hash_ip_addr to the gmake line as shown below:
If none of the policies listed in TABLE 9-4 are specified, a default policy is given. When you use the default policy, all L2/L3/L4 header fields are used for spreading traffic.
The IPSec Gateway Reference Application implements the IP Encapsulating Security Payload (ESP) protocol using Tunnel Mode. This application allows two gateways (or a host and a gateway) to securely send packets over an insecure network with the original IP packet tunneled and encrypted (privacy service). This application also implements the optional integrity service, allowing the ESP header and tunneled IP packet to be hashed on transmit and verified on receipt.
The design calls for six Netra DPS threads in a classic architecture where four threads are dedicated to packet reception and transmission (two receivers, two senders). The remaining two threads perform the IPSec work: one encapsulates and encrypts plaintext packets, and the other de-encapsulates and decrypts ciphertext packets. The architecture is shown in FIGURE 9-1.
FIGURE 9-1 IPSec Gateway Reference Application Architecture
For testing purposes, this architecture uses four interfaces (NICs) as shown in TABLE 9-5.
Two extra packet receive threads are also used to listen on NIC 1 and NIC 3, which receive no packets in the test scenario above. The main purpose of these threads is to assist with freeing TX buffers (see the Netra Data Plane Software Suite 2.0 Reference Manual regarding the Netra DPS Ethernet API).
Refer to Request for Comments (RFC) documents for a description of IPSec and the ESP protocol:
The IPSec RFCs refer to outbound and inbound packets. These design notes use the same terms.
IPSec is a complex protocol. This application handles the following most common processing:
Contains the type of service to provide (privacy, integrity), crypto and hashing types and keys to be used for a session, among other housekeeping items. An item in the SADB is called a Security Association (SA). An SA can be unique to one connection, or shared among many.
A partial implementation that is used to contain “selectors” that designate what action should be taken on a packet based on the source and destination IP addresses, protocol, and port numbers.
A critical cache used to quickly look up the SA to use for packets coming from the plaintext side. The packet source and destination addresses and ports are hashed to find the action to take on the packet (discard, pass-through, or IPSec protect) and the SA.
A critical cache used to quickly find an SA for ESP packets entering the system from the ciphertext side. The Security Parameter Index is carried in the ESP header.
This IPSec implementation uses the ESP protocol (it does not currently handle AH, though ESP provides most of the AH functionality). Tunnel Mode is used to encapsulate (tunnel) IP packets between hosts and to interface to a peer gateway machine.
The following describes functions of outbound and inbound packet processing:
The packet encapsulation and encryption code is straight-forward once you have a pointer to the SA. The SA contains the following information:
Packet encapsulation and de-encapsulation is just a matter of determining where the new IP header goes or where the original IP header is, building the new IP header, and invoking the crypto APIs on the correct packet location and length. For this IPSec implementation, you need to find the SA to use when a packet is received (either outbound or inbound). You must use software hashing and hash table lookups for every packet. Note that when this application is ported to the Sun multithreaded 10G Ethernet on PCIe, the packet classification features speed up this hashing.
The following sections describe how the SA is obtained for each packet.
You must look at the packet selectors to determine what action to take (either DISCARD, PASS-THROUGH as is, or PROTECT). The selectors are the source and destination IP addresses, the source and destination ports, and the protocol (TCP, UDP, and so on).
The action to take is stored in the Security Policy Database (SPD). For this application, the complete SPD is not implemented. A static SPD exists that consists of rules that must be searched in order using the packet selectors.
For each selector (source IP, destination IP, source port, destination port, protocol), the rule states one of the following:
If all selectors match the rules, use the SP entry to determine what action to take. If the action is PROTECT (IPSec), the inbound and outbound Security Parameter Indexes (SPIs) identify which SA to use. This implies the following:
The last rule in the SPD should be a catch-all that says DISCARD the packet.
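The ordered rule search described above can be sketched in C. This is an illustrative sketch only: the rule encoding (0 acting as a wildcard), the field names, and the action names are assumptions, and the real structures and SPD_Search() live in spd.h and spd.c. The example ports 6666/7777 mirror the static rule discussed later in this section.

```c
/* Hedged sketch of ordered SPD rule matching with a catch-all DISCARD. */
#include <stdint.h>
#include <stddef.h>

enum spd_action { SPD_DISCARD, SPD_PASS_THROUGH, SPD_PROTECT };

struct spd_rule {
    uint32_t src_ip, dst_ip;     /* 0 = match any (assumed encoding) */
    uint16_t src_port, dst_port; /* 0 = match any */
    uint8_t  proto;              /* 0 = match any */
    enum spd_action action;
};

static int sel_match(uint32_t rule, uint32_t pkt)
{
    return rule == 0 || rule == pkt;
}

/* Rules are searched in order; the last rule should be a catch-all. */
static enum spd_action spd_search(const struct spd_rule *spd, size_t n,
                                  uint32_t sip, uint32_t dip,
                                  uint16_t sp, uint16_t dp, uint8_t proto)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (sel_match(spd[i].src_ip, sip) && sel_match(spd[i].dst_ip, dip) &&
            sel_match(spd[i].src_port, sp) && sel_match(spd[i].dst_port, dp) &&
            sel_match(spd[i].proto, proto))
            return spd[i].action;
    return SPD_DISCARD;          /* unreachable if a catch-all is present */
}
```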
The SPD structures and definitions can be found in spd.h.
The source code for the SPD can be found in spd.c.
The function used to look up a rule is SPD_Search(), which is passed the selector values from the packet.
This lookup is too expensive to perform for every packet. Because of this, a cache called the SPD-Cache (SPDC) is maintained. The first time a particular connection is looked up, you create an SPDC structure, hash the selectors, and place the SPDC in a hash table.
When a packet with the same combination of selectors comes in, you first hash it (using SPDC_HASH()) and then look it up in the SPDC hash table. If it is found, the SA is accessed immediately.
The definitions for this SPDC can be found in sadb.h. The functions can be found in sadb.c.
This application does not hash on the protocol and assumes that it is either UDP or TCP because there are source and destination ports.
The SPDC hash table is defined as:
The primary function used to lookup an SPDC entry is:
For this hash table, take the hash value, mask it with (hash table size - 1), and index into the table to get an entry. You then compare the entry for a match, and if it does not match, walk the chain until you find one.
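The hash-mask-index-walk pattern just described can be sketched as follows. The hash function, table size, and entry layout here are illustrative assumptions; the real SPDC_HASH() and structures are in sadb.h and sadb.c.

```c
/* Hedged sketch of an SPDC-style hash table with collision chains. */
#include <stdint.h>
#include <stddef.h>

#define SPDC_TABLE_SIZE 256          /* must be a power of two for masking */

struct spdc_entry {
    uint32_t sip, dip;               /* selectors */
    uint16_t sp, dp;
    void *sa;                        /* cached Security Association */
    struct spdc_entry *next;         /* collision chain */
};

static struct spdc_entry *spdc_table[SPDC_TABLE_SIZE];

static uint32_t spdc_hash(uint32_t sip, uint32_t dip, uint16_t sp, uint16_t dp)
{
    return sip ^ dip ^ ((uint32_t)sp << 16) ^ dp;   /* toy hash */
}

static struct spdc_entry *spdc_lookup(uint32_t sip, uint32_t dip,
                                      uint16_t sp, uint16_t dp)
{
    uint32_t idx = spdc_hash(sip, dip, sp, dp) & (SPDC_TABLE_SIZE - 1);
    struct spdc_entry *e = spdc_table[idx];
    while (e) {                      /* walk chain until an exact match */
        if (e->sip == sip && e->dip == dip && e->sp == sp && e->dp == dp)
            return e;
        e = e->next;
    }
    return NULL;                     /* miss: fall back to the SPD search */
}

static void spdc_insert(struct spdc_entry *e)
{
    uint32_t idx = spdc_hash(e->sip, e->dip, e->sp, e->dp)
                   & (SPDC_TABLE_SIZE - 1);
    e->next = spdc_table[idx];       /* push onto the head of the chain */
    spdc_table[idx] = e;
}
```

The same hash-and-chain shape applies to the inbound SPI table, except that the key is the single SPI value rather than the four selectors.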
Inbound IPSec packets contain an ESP header with an SPI. Take the SPI, hash it using SPI_HASH_FROM_SPI(), look it up in the SPI hash table, and access the SA pointer from there. You cannot use the same hashing as done for outbound packets since the selectors (source/destination IP address and ports) have been encapsulated and encrypted. Decryption cannot be done until the SA is looked up.
The SPI hash table is defined as:
For the purposes of the application, the test SPD and SAD are statically defined in compile-time initialized C code in the following file: sa_init_static_data.c
This rule matches any source or destination IP address and protocol (TCP or UDP), and a source port of 6666 and a destination port of 7777. The load generator is set to send UDP packets with those ports. This needs to be changed if other ports are used.
These rules are added to the SPD at init-time (init_ipsec() calls sa_init_static_data()) through the following call: SPD_Add()
Two other functions are defined but not currently used: SPD_Delete() and SPD_Flush().
The SAD is also statically defined in sa_init_static_data.c. There are currently two SA entries: one for the outbound SA and one for the inbound SA. Only the outbound SA needs to be defined as the inbound is just a copy except for the SPI.
To test out various encryption and hashing scenarios, this SA entry is where you need to make changes, as shown below:
The first element to note is the service type. If you want to test privacy (encryption) only, leave INTEGRITY commented out; no hashing is done. If you want hashing, uncomment the #define for INTEGRITY.
The next fields you might change are the encryption parameters: encr alg, encr mode, encr key len, encr IV len, encr block len, and the encr key. The IV is only used for certain modes, such as CBC for AES.
Be sure to put the proper key lengths and IV lengths in the table.
You might then need to modify the hashing algorithms in a similar manner assuming you chose INTEGRITY.
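To make the fields above concrete, an SA entry might look like the following in C. This is a hedged sketch: the field names, sizes, and the INTEGRITY toggle are assumptions modeled on the description above, and the authoritative layout is in the package's sadb.h and sa_init_static_data.c.

```c
/* Illustrative shape of an outbound SA entry; not the real layout. */
#include <stdint.h>

#define INTEGRITY   /* comment out to test privacy (encryption) only */

struct sa_entry {
    int      service;                 /* privacy, or privacy + integrity */
    int      encr_alg, encr_mode;     /* e.g. AES in CBC mode */
    uint32_t encr_key_len;            /* must match the key actually stored */
    uint32_t encr_iv_len;             /* IV only used for modes such as CBC */
    uint32_t encr_block_len;
    uint8_t  encr_key[32];            /* dummy key storage */
#ifdef INTEGRITY
    int      hash_alg;                /* hashing parameters, if enabled */
    uint32_t hash_key_len;
    uint8_t  hash_key[32];
#endif
    uint32_t spi;                     /* differs between inbound/outbound */
    uint8_t  remote_gw_mac[6];        /* peer gateway MAC */
};
```

As the text notes, the key and IV lengths recorded in the entry must agree with the key material actually placed in the table.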
Eventually, the SPD and SAD need to be integrated with a Control Plane (CP) so that the CP, rather than static data, determines the database contents. There are two scenarios for how this takes place: downloading the tables, and shared memory.
The CP uses the LDoms IPC mechanism to interface with Netra DPS to download (add) or modify the SPD and SA. Some functionality already exists to build these databases once the protocol is defined:
The CP sets up the tables in memory that is accessible from both the CP and Netra DPS and informs the Netra DPS application of updates through the LDoms IPC mechanism.
The main packet processing functions are called from the two processing threads which reside in ipsecgw.c.
The main plaintext packet processing thread is called PlaintextRcvProcessLoop() and it pulls a newly received packet off of a Netra DPS fast queue and calls:
IPSEC_Process_Plaintext_Pkt(mblk)
The main ciphertext packet processing thread is called CiphertextRcvProcessLoop() and it takes a packet off a fast queue and calls:
IPSEC_Process_Ciphertext_Pkt(mblk)
You can find the IPSEC_Process_Plaintext_Pkt() and IPSEC_Process_Ciphertext_Pkt() functions in:
The following two functions perform the hashing and invoke the actual processing code:
The message block (mblk) contains pointers to the start and end of the incoming packet (b_rptr and b_wptr). Because plaintext packets must be prepended with a new outer IP header and ESP header, the incoming packet data should not be shifted down, which would require a copy. Instead, when the Ethernet driver asks for a new receive buffer through teja_dma_alloc(), a 2-Kbyte buffer is taken from the receive buffer Netra DPS memory pool and an offset into that buffer tells the driver where to place the packet data. This offset is set to 256 (MAX_IPSEC_HEADER), which leaves enough space to prepend the IPSec header information.
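The headroom scheme just described can be sketched as follows. The mblk layout here is modeled loosely on the b_rptr/b_wptr pointers named above; the buffer size and 256-byte offset follow the text, and everything else (function names, fields) is assumed for illustration.

```c
/* Hedged sketch of receive-buffer headroom for zero-copy prepending. */
#include <stdint.h>
#include <stddef.h>

#define BUF_SIZE         2048        /* 2-Kbyte receive buffer */
#define MAX_IPSEC_HEADER 256         /* headroom reserved for IPSec headers */

struct mblk {
    uint8_t *b_rptr;                 /* start of packet data */
    uint8_t *b_wptr;                 /* end of packet data */
    uint8_t  buf[BUF_SIZE];
};

/* Driver placement: data starts MAX_IPSEC_HEADER bytes into the buffer. */
static void rx_place(struct mblk *m, size_t pkt_len)
{
    m->b_rptr = m->buf + MAX_IPSEC_HEADER;
    m->b_wptr = m->b_rptr + pkt_len;
}

/* Prepend outer headers by moving b_rptr back into the headroom,
   with no copy of the packet payload. */
static uint8_t *prepend(struct mblk *m, size_t hdr_len)
{
    if ((size_t)(m->b_rptr - m->buf) < hdr_len)
        return NULL;                 /* not enough headroom */
    m->b_rptr -= hdr_len;
    return m->b_rptr;                /* caller writes the headers here */
}
```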
This section contains notes on how to calculate the location of the various parts of the ESP packet (outbound and inbound).
The IPSec Gateway uses the Netra DPS memory pools shown in the following table. The names and sizes are defined in ipsecgw_config.h:
The two main processing threads (PlaintextRcvProcessLoop and CiphertextRcvProcessLoop) are each pipelined with an additional thread: the original thread does most of the packet encapsulation or de-encapsulation, and the new thread does the encryption or decryption and optional hashing.
An extra fast queue was inserted in each path; the pipeline for the eight threads is therefore as shown below:
The two new threads (EncryptAndHash and HashAndDecrypt) reside in ipsec_processing.c rather than ipsecgw.c where the other threads reside.
The packet processing portion of this pipeline must pass the packet to the crypto part of the pipeline. Packets are normally passed on fast queues through the mblk pointer. Other vital information also needs to be passed, such as the SA pointer. Rather than allocating a new structure to pass this data along with the mblk, the data is piggy-backed at the beginning of the receive buffer, which is otherwise unused. Refer to the cinfo structure defined in ipsec_processing.c.
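A minimal sketch of this piggy-back technique, assuming a hypothetical cinfo layout (the real one is defined in ipsec_processing.c):

```c
/* Hedged sketch: per-packet state stored in the unused start of the
   receive buffer, so only the mblk pointer travels over the fast queue. */
#include <stdint.h>

#define MAX_IPSEC_HEADER 256

struct cinfo {                       /* must fit within the headroom */
    void    *sa;                     /* Security Association for the packet */
    uint32_t flags;
};

/* The cinfo lives at the buffer base, below the packet data offset. */
static struct cinfo *buf_cinfo(uint8_t *buf_base)
{
    return (struct cinfo *)(void *)buf_base;
}
```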
The IPSec package comes with the following directories:
This directory consists of IPSec code that supports the ipge (Ophir 1G Ethernet) adapter.
This directory consists of IPSec code that supports the Sun multithreaded 10G Ethernet on PCI-E or on-chip (NIU).
This directory consists of the Crypto API that interfaces to the Crypto hardware.
This directory consists of IPSec library functions.
The file descriptions in the following tables are based on the files in the ipsec-gw-nxge directory.
TABLE 9-7 lists the build scripts.
Build for Sun multithreaded 10G Ethernet with a multiple-instance configuration.
TABLE 9-8 lists the source files.
TABLE 9-9 lists the IPSec library files.
TABLE 9-10 lists the Crypto library files.
Each UltraSPARC T2 processor CPU core has a crypto unit. This unit leverages the Modular Arithmetic Unit and the Hash and Cipher Unit inside the SPU to accelerate crypto operations. There are a total of eight crypto units in an eight-core system.
IPSec and Crypto have four reference application configurations:
This application tests the raw performance of accessing the Crypto Engine.
This application is the IPSec Gateway prototyped using the Sun multithreaded quad Gigabit Ethernet card.
This application is the IPSec Gateway prototyped using the UltraSPARC T2 on-chip NIU.
The following is an example of one instance of the IPSec Gateway Application on the Sun multithreaded 10GbE with NIU interface.
This application simulates multiple flows of IPSec encrypt and decrypt instances. It is designed to measure IPSec and Crypto overhead.
Note - This setting of the traffic generator applies to the Sun SPARC Enterprise T5120/T5220 systems. For Netra ATCA CP3260 systems, see Flow Policy for Spreading Traffic to Multiple DMA Channels.
The following is an example of multiple instances of the IPSec gateway application on the Sun multithreaded 10GbE with NIU interface.
For Sun SPARC Enterprise T5220 system (UltraSPARC T2 server) configurations:
sa_outb1 remote_gw_mac must be {{0x0,0x14,0x4f,0x9d,0x17,0x6}}
If it is port 0, do not do anything; if it is port 1, then add the following:
..., OPEN_OPEN, NXGE_10G_START_PORT+1, ...
For Netra ATCA CP3260 system (UltraSPARC T2 ATCA Blade) configurations:
Note - Select the SA IP with COUNT 255 and step = 0.0.0.1 so that the SA IP increments from 0.0.0.1 to 0.0.0.255 in steps of 0.0.0.1.
If it is port 0, do not do anything; if it is port 1, then set the following:
#define PORT_PLAINTEXT_RX 1
sa_outb1 remote_gw_mac must be {{0x0,0x14,0x4f,0x9d,0x17,0x6}}
If it is port 0, do not do anything; if it is port 1, then add the following:
..., OPEN_OPEN, NXGE_10G_START_PORT+1, ...
You can specify a policy for spreading traffic into multiple DMA flows by hardware hashing or TCAM lookup (classification). TABLE 9-11 describes flow policies:
Add the following into the gmake line:
where policy is one of the policies specified in TABLE 9-11.
For example, to enable hashing on the IP destination and source address, add FLOW_POLICY=HASH_IP_ADDR to the gmake line in the build script file build_niu_multi by removing the # in front of FLOW_POLICY=HASH_IP_ADDR:
Note - If you specify FLOW_POLICY=HASH_ALL, which is backward compatible with Sun SPARC Enterprise T5120/T5220 systems, all fields are used.
If none of the policies in TABLE 9-11 are specified (for example, if the line remains commented out as #FLOW_POLICY=HASH_IP_ADDR), a default policy is used. With the default policy, all L2/L3/L4 header fields are used for spreading traffic.
Copyright © 2008, Sun Microsystems, Inc. All Rights Reserved.