Research on Implementation of Security Gateway Based on IXP2400

Abstract: This paper discusses a solution that implements a security gateway by applying IPSec on the IXP2400, which can provide strong security for the traffic passing through it. IPSec is a communication security mechanism at the IP layer; it is currently the only protocol that can provide security for any form of communication, so a gateway with IPSec functionality can secure IP-layer communication. However, using IPSec to authenticate and encrypt/decrypt packets is a relatively resource-intensive task and easily creates a bottleneck in gateway devices with IPSec functions. At the same time, developing new products with such complex functions on ASICs is more difficult. Traditional network solutions are therefore challenged in both processing speed and flexibility. The emergence of programmable network processors, which combine the flexibility of a general-purpose CPU with the execution speed of an ASIC, provides a new way to apply the IPSec mechanism in line-speed gateway equipment.

Its main functional components are as follows [1]: the Receive Microblock and Transmit Microblock receive and send packets; the Transmit Queues manage and schedule packets; the IP forwarding microblock (Forwarding Microblock) performs simple forwarding of ordinary IP packets (including routing announcements and the like); the core components are the slow-channel processing parts of the corresponding micro-function blocks, handling exceptions and similar work; XScale also runs the embedded OS, the various protocols and the high-level processing programs.
Keywords: network processor; IXP2400; micro-engine; IPSec
This paper introduces the characteristics, structure and IPSec architecture of Intel's IXP2400 network processor, and discusses a solution that implements a security gateway with IPSec on the IXP2400.
1 IXP2400 architecture
A network processor (Network Processor) is a special-purpose device for processing packet structures. The IXP2400 is one of Intel's second-generation high-performance network processors. Building on the first generation, it implements a high-performance parallel processing structure that can execute complex algorithms, inspect packet contents in depth, and manage traffic and forward packets at line speed (2.4 Gb/s). It is also the first to use Intel's hyper-task pipeline technology, which allows one packet-processing task to be decomposed into multiple easily connected, ordered subtasks while guaranteeing low latency for communication between micro-engines. In terms of architecture, it has the following characteristics:
(1) Multi-processing unit structure, each unit runs independently, and implements multi-thread technology in hardware, without any switching overhead between threads.
(2) Assign tasks to each processing unit in the form of software pipeline, and each processing unit can operate in parallel.
(3) ALU uses optimized instructions, which are dedicated to data packet processing, and one instruction can be completed in one clock cycle.
(4) There are some hardware units that complete special functions, such as CRC check, Hash calculation, and even encryption / decryption arithmetic units, which are used to accelerate special processing.
The architecture of IXP2400 is shown in Figure 1.
(1) XScale: 32-bit RISC high-performance general-purpose processor, used to initialize and manage the entire chip, and can perform high-level network processing tasks, such as complex algorithm processing and routing table maintenance.
(2) Micro-engine (MEv2): 8 mutually independent 32-bit programmable micro-engines, which do the main data processing and communicate with each other through registers. Each micro-engine mainly includes: a control store holding the micro-engine's program, eight hardware-supported threads, data paths and control/status registers, an ALU and a CRC unit.
(3) Memory controller: controls access to off-chip RAM, including SRAM and DRAM. SRAM mainly stores various control information, such as routing tables; DRAM is mainly used as a buffer for the data being processed.
(4) Scratch: 16 KB general-purpose memory on-chip, storing all kinds of data that need to be quickly searched.
(5) Hash: Hash operation can be performed on 48 bit, 64 bit or 128 bit data, and an index can be generated.
In addition, IXP2400 also uses some technologies such as hardware queues to improve the processing speed of the ALU.
2 Working Principle of IPSec
IPSec's security services are provided by applying a combination of cryptographic algorithms and security protocols to all data streams at the IP layer, which secures application communication. It can be applied to gateway devices such as firewalls and routers, and is transparent to upper-layer applications.
IPSec uses two communication security protocols [2]: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). It also includes protocol components such as the Internet Key Exchange (IKE) [2] and the corresponding authentication/encryption algorithms for key exchange and management. AH and ESP can protect a complete IP packet or only the upper-layer data inside an IP packet, and they can be combined to achieve different levels of protection. AH and ESP each have two working modes [3]: transport mode and tunnel mode.
Since the design of the IPSec system is independent of any particular algorithm, different security algorithms can be chosen for different communication peers. To maintain these dynamically existing security policies, an IPSec implementation must define a corresponding security policy database (SPD), in which each record is one security policy.
To correctly handle IP packets with IPSec, the IPSec communication peers need to combine the security protocol, working mode, encryption/authentication algorithm, key and other information negotiated for the established link, so that different data streams receive different security protection. This is done by establishing a security association (SA) between the IPSec communication peers. An SA is an agreement negotiated between communication peers for secure communication. An SA is uniquely identified by a triple, written <security parameter index (SPI), destination IP, security protocol identifier>.
To maintain the parameters of all active SAs, an IPSec implementation must define a corresponding SA database (SAD). The main function of IKE is to dynamically negotiate communication parameters between IPSec communication peers [4] and to provide authenticated key material, so as to establish an SA and then maintain and manage it.
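As an added example (not code from the paper), the following Python model shows the SPD and SAD described above: each SPD entry is a selector plus an action (discard, bypass or apply) and, for apply, the <SPI, destination IP, protocol> triple under which the SA is stored in the SAD. The class names, the policy contents, addresses and keys are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not the paper's code: a minimal SPD/SAD model. Policies,
# addresses, keys and names are constructed for illustration.

DISCARD, BYPASS, APPLY = "discard", "bypass", "apply"
AH, ESP = 51, 50          # IP protocol numbers of the two IPsec protocols


@dataclass
class Selector:
    """Traffic selector an SPD entry is matched against (prefixes and protocol)."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None     # None means any upper-layer protocol

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt["proto"]))


@dataclass
class Policy:
    selector: Selector
    action: str
    sa_triple: Optional[Tuple[int, str, int]] = None   # (SPI, dst IP, AH/ESP) for APPLY


@dataclass
class SA:
    spi: int
    dst: str
    proto: int                 # AH or ESP
    mode: str                  # "transport" or "tunnel"
    auth_key: bytes
    enc_key: bytes = b""

    def triple(self):
        return (self.spi, self.dst, self.proto)


class SPD:
    """Ordered policy list; the first matching entry decides."""
    def __init__(self, policies):
        self.policies = list(policies)

    def lookup(self, pkt):
        for p in self.policies:
            if p.selector.matches(pkt):
                return p
        return None                 # no policy: step (2) of the paper discards


class SAD:
    """Active SAs keyed by the <SPI, destination IP, protocol> triple."""
    def __init__(self):
        self.table = {}

    def add(self, sa: SA):
        self.table[sa.triple()] = sa

    def lookup(self, triple):
        return self.table.get(triple)


def classify(spd: SPD, sad: SAD, pkt: dict):
    """Return (action, sa). For APPLY, sa is None when no SA exists yet,
    which is the case where the gateway must ask IKE to negotiate one."""
    policy = spd.lookup(pkt)
    if policy is None or policy.action == DISCARD:
        return DISCARD, None
    if policy.action == BYPASS:
        return BYPASS, None
    return APPLY, sad.lookup(policy.sa_triple)


def build_demo():
    """Constructed SPD/SAD: two protected subnet pairs, ICMP bypassed, default deny."""
    spd = SPD([
        Policy(Selector("10.1.0.0/16", "10.2.0.0/16"), APPLY, (0x1001, "203.0.113.2", ESP)),
        Policy(Selector("10.1.0.0/16", "10.3.0.0/16"), APPLY, (0x2002, "203.0.113.3", ESP)),
        Policy(Selector(proto=1), BYPASS),     # ICMP passes unprotected
        Policy(Selector(), DISCARD),           # everything else is dropped
    ])
    sad = SAD()
    sad.add(SA(0x1001, "203.0.113.2", ESP, "tunnel", b"a" * 32, b"e" * 16))
    # no SA for SPI 0x2002 yet: classify() reports APPLY with sa None
    return spd, sad
```

The SPD is searched in order and the first match wins, so the default-deny entry must be last; a packet that matches no entry at all is also discarded, which is the behaviour step (2) in section 3.3 calls for.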
3 Implementation of IPSec in IXP2400
3.1 Programming
In network applications, the processing of network information is usually divided into the following two logical planes [5]:
(1) Data plane: responsible for high-speed processing and forwarding of packets. Because every packet to be processed passes through this plane, its performance directly determines the performance of the whole program.
(2) Control plane: mainly handles protocol information, and is responsible for creating, configuring and updating the various tables and data sets that the data plane searches. For example, it processes RIP and OSPF packets carrying routing information and then updates the IPv4 forwarding table used by the data plane.
The network processor must implement the functions of both planes.
In the IXP2400, the data plane is divided into a fast channel and a slow channel. The fast channel consists mainly of the micro-engines and performs the normal processing of most packets, such as IP packet forwarding; the slow channel consists mainly of XScale and handles the few packets that need complex processing, such as exception packets and packet fragmentation. Because of the processing-speed requirement, the processing tasks in the fast channel are usually distributed over multiple micro-engines in the form of a software pipeline, and each micro-engine implements its assigned task in software. When a micro-engine completes its task, it passes the packet to the next micro-engine, until the whole task is finished. The pipeline of each micro-engine can itself consist of several pipeline stages, which execute sequentially. Since each micro-engine has 8 threads executing the same task concurrently (and several micro-engines may execute it in parallel), the synchronization of each thread's access to the critical code must be considered in order to process packets in the correct order. To use as few instructions as possible and still meet the line-speed requirement, one processing method is as follows: the threads of a micro-engine execute in turn, and each thread executes all pipeline stages in sequence. If a pipeline stage has no packet to process when a thread reaches it, the thread must enter a wait, and it executes the next pipeline stage when it next gets to run; if several micro-engines execute the same task in parallel, the order of execution between the micro-engines must also be considered. It can be seen that handing the complex processing required by a few packets to XScale effectively reduces unnecessary waiting time in the micro-engines and speeds up data processing.
For the control plane, the information to be processed is complex and extensive and the range of instructions involved is wide, so it is hard to handle in the fast channel of the data plane and should be implemented in XScale [5].
Generally, the fast-channel processing task is logically divided into several functional blocks; in a programmable micro-engine each such block is called a micro-function block (microblock). The slow-channel processing part corresponding to a microblock, which runs in XScale, is called the core component; it configures, initializes and maintains the corresponding microblock and handles the exception packets or messages the microblock sends up. In addition, the various routing protocols also run in XScale to process protocol information. In this way the data plane and the control plane are separated, and standard APIs can be used for communication between the two planes.
Putting all tasks on one IXP2400 may not meet the line-speed requirement, so the task is usually distributed over two IXP2400s. In this way, micro-function blocks that need more instructions can be assigned multiple micro-engines running in parallel, which appropriately increases the execution time available to each micro-engine.
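To make the thread-ordering rule of this section concrete, here is an added Python model (not the paper's code) of one micro-engine: each worker stands for one hardware context, runs every pipeline stage on its own packet, and may enter stage i only after the packet ahead of it has left stage i, so packets keep their arrival order at every stage while different stages overlap across contexts. The stage bodies (ESP sequence-number assignment and a mock encryption step with jittered timing) and the eight-context limit are constructed for illustration; they show why the ordering matters for IPSec, since the outbound sequence numbers must come out monotonic in arrival order.

```python
import random
import threading
import time

# Added example, not the paper's code: a model of the thread-ordering scheme of
# section 3.1. One worker stands for one micro-engine context; it runs every
# pipeline stage on its own packet, but may enter stage i only when the packet
# ahead of it has left stage i. Stage bodies and the context limit are constructed.


class OrderedPipeline:
    def __init__(self, stages, n_contexts=8):
        self.stages = stages
        self.n = n_contexts
        self.cv = threading.Condition()
        self.next_seq = [0] * len(stages)   # per stage: the packet whose turn it is
        self.in_flight = 0                  # packets currently holding a context

    def _worker(self, seq, pkt, out):
        for i, stage in enumerate(self.stages):
            with self.cv:
                # not our turn (or, at stage 0, no free context): enter a wait
                while self.next_seq[i] != seq or (i == 0 and self.in_flight >= self.n):
                    self.cv.wait()
                if i == 0:
                    self.in_flight += 1
            pkt = stage(pkt)                # runs outside the lock, so stages overlap
            with self.cv:
                self.next_seq[i] += 1       # hand stage i to the next packet
                self.cv.notify_all()
        with self.cv:
            self.in_flight -= 1             # release the context
            self.cv.notify_all()
        out[seq] = pkt

    def run(self, packets):
        out = [None] * len(packets)
        threads = [threading.Thread(target=self._worker, args=(seq, pkt, out))
                   for seq, pkt in enumerate(packets)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        return out


def run_demo(n_packets=20, n_contexts=8):
    """Two stages: assign the ESP sequence number from the SA's counter, then a
    mock encryption step with jittered timing. Returns the processed packets and
    the order in which each stage was entered."""
    sa = {"out_seq": 0}          # constructed SA state shared by all contexts
    entry_log = []

    def assign_esp_seq(pkt):
        entry_log.append(("seq", pkt["id"]))
        sa["out_seq"] += 1
        return {**pkt, "esp_seq": sa["out_seq"]}

    def encrypt(pkt):
        entry_log.append(("enc", pkt["id"]))
        time.sleep(random.uniform(0, 0.002))   # jitter: later packets could overtake here
        return {**pkt, "body": b"ct-%d" % pkt["id"]}

    out = OrderedPipeline([assign_esp_seq, encrypt], n_contexts).run(
        [{"id": i} for i in range(n_packets)])
    return out, entry_log
```

Admission to stage 0 is itself in packet order and capped at the context count, so the lowest packet still in flight never waits on a packet that has no context, which is what keeps the scheme free of deadlock; the stage bodies run outside the lock, so one context can be in the encryption stage while the next is assigning its sequence number.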
3.2 System functions
In summary, the system block diagram of the implementation scheme is shown in Figure 2.
The IPSec Processing Microblock is the main part of the system and includes the following main functions: the protocol core, the AH/ESP processing modules, the SPD and the SAD. The AH/ESP processing programs process packets according to the AH/ESP protocols and the security services defined in the SA; the SPD and SAD are stored in off-chip SRAM in a suitable lookup-table structure, each with its own fast access interface for querying data (XScale also has interfaces to access these two databases so that it can maintain their contents); the protocol core mainly coordinates the work of the above parts and interprets the IP packets it receives.
3.3 Data processing process
The IPSec module is the core of the entire IPSec system. Packets are processed as follows:
(1) A thread takes an IP packet and checks whether it is fragmented. If it is, the thread enters a waiting state and the next thread starts to run; after all fragments have arrived and been reassembled, processing continues with the next step.
(2) Search the SPD with the packet's selector. If the search fails, discard the packet; if the returned action is "discard", discard the packet. For a packet without an IPSec header: if the action is "bypass", hand the packet to the IP forwarding module (if the destination IP is the local machine, it is handed to XScale and processed by the corresponding program, otherwise it is forwarded to the next node); if the action is "apply", go to step (4). For a packet with an IPSec header: if the action is "apply" and the packet's destination is the local machine, go to step (3); if the destination is not the local machine, go to step (4).
(3) Search the SAD with the triple returned by the SPD lookup. If there is no matching SA, discard the packet; otherwise process it according to the definition in the SA, which mainly includes:
① Replay check: use the sequence number, the overflow flag and the replay window size to check whether the packet is valid.
② Packet verification: verify the packet with the specified authentication algorithm and key. If ESP without authentication was selected, this step is skipped.
③ Decryption: for an ESP packet, decrypt the packet with the specified encryption algorithm and key.
If any of the above steps fails, the packet is discarded; if the reconstructed packet still contains an IPSec header, build a new selector and repeat (2) and (3).
④ The reconstructed IP packet is handed to the IP forwarding module.
(4) Search the SAD with the triple returned by the SPD. If there is no matching SA, the thread sends an IKE service request to XScale; the IKE service program negotiates with the communication peer to establish the corresponding SA and records it in the SAD. Once the SA is available, proceed in order as follows:
① According to the security protocol and working mode specified in the SA, call the corresponding processing module to generate the protocol header for the packet.
② In transport mode, simply change the protocol type in the original IP header to the protocol used in the previous step; in tunnel mode, generate a new IP header using the tunnel endpoints as source and destination IP and the protocol used in the previous step, and encapsulate the original IP packet in it.
③ For ESP, encrypt the corresponding part of the packet with the encryption algorithm and key specified in the SA.
④ Authenticate the corresponding part of the packet with the authentication algorithm specified in the SA.
⑤ Modify the relevant fields and recalculate the checksum; if fragmentation is required, hand the packet to XScale for processing.
(5) After the above processing, the packet is placed in the queue of the corresponding port; after scheduling, the transmit module re-adds the MAC frame header and sends the packet.
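As an added Python example (not the paper's code), the following implements steps (3) and (4) above for a single ESP SA: the outbound side builds the ESP header, encapsulates in transport or tunnel mode, encrypts and then authenticates; the inbound side does the replay check, verifies the integrity check value, decrypts and rebuilds the IP packet. The packet layout, the toy IP serialization, the HMAC-based keystream standing in for the SA's negotiated cipher, the class and function names, and all keys and addresses are assumptions of this example.

```python
import hmac
import hashlib
import ipaddress
import struct

# Added example, not the paper's code: ESP-style inbound and outbound processing
# for one SA, following steps (3) and (4) of section 3.3. The packet layout, the
# keystream stand-in for the negotiated cipher and all keys/addresses are assumptions.

ESP = 50                  # IP protocol number of ESP
ICV_LEN = 16              # truncated HMAC-SHA256 tag
REPLAY_WINDOW = 64        # anti-replay window size in sequence numbers


class EspSA:
    def __init__(self, spi, mode, auth_key, enc_key, tunnel_src=None, tunnel_dst=None):
        self.spi, self.mode = spi, mode                  # mode: "transport" or "tunnel"
        self.auth_key, self.enc_key = auth_key, enc_key
        self.tunnel_src, self.tunnel_dst = tunnel_src, tunnel_dst
        self.out_seq = 0          # outbound sequence counter
        self.last_seq = 0         # inbound: highest sequence number accepted
        self.bitmap = 0           # inbound: bit i set => last_seq - i already seen


def pack_ip(pkt):
    """Toy IP serialization (assumption): src(4) | dst(4) | proto(1) | payload."""
    return (ipaddress.ip_address(pkt["src"]).packed
            + ipaddress.ip_address(pkt["dst"]).packed
            + bytes([pkt["proto"]]) + pkt["payload"])


def unpack_ip(raw):
    return {"src": str(ipaddress.ip_address(raw[:4])),
            "dst": str(ipaddress.ip_address(raw[4:8])),
            "proto": raw[8], "payload": raw[9:]}


def keystream_xor(key, spi, seq, data):
    """Stand-in cipher (assumption): HMAC-SHA256 as a PRF in counter mode,
    keyed per SA and nonced by SPI and sequence number, XORed over the data."""
    out = bytearray()
    for blk in range((len(data) + 31) // 32):
        ks = hmac.new(key, struct.pack(">IIQ", spi, seq, blk), hashlib.sha256).digest()
        chunk = data[blk * 32:(blk + 1) * 32]
        out += bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def icv(sa, body):
    """Integrity check value over SPI | SEQ | ciphertext."""
    return hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]


def replay_ok(sa, seq):
    """Step (3) ①: sliding-window check. Does not update the window."""
    if seq == 0:
        return False
    if seq > sa.last_seq:
        return True
    diff = sa.last_seq - seq
    return diff < REPLAY_WINDOW and not (sa.bitmap >> diff) & 1


def replay_update(sa, seq):
    """Advance the window only after the ICV verified, so a forged sequence number cannot move it."""
    if seq > sa.last_seq:
        shift = seq - sa.last_seq
        sa.bitmap = ((sa.bitmap << shift) & ((1 << REPLAY_WINDOW) - 1)) | 1
        sa.last_seq = seq
    else:
        sa.bitmap |= 1 << (sa.last_seq - seq)


def outbound(sa, pkt):
    """Step (4): ESP header, encapsulation by mode, encrypt, then authenticate."""
    sa.out_seq += 1
    if sa.mode == "tunnel":
        plaintext = pack_ip(pkt)                               # whole original packet
        outer = {"src": sa.tunnel_src, "dst": sa.tunnel_dst}  # new header with tunnel ends
    else:
        plaintext = bytes([pkt["proto"]]) + pkt["payload"]     # upper-layer data only
        outer = {"src": pkt["src"], "dst": pkt["dst"]}         # original header, proto -> ESP
    body = struct.pack(">II", sa.spi, sa.out_seq) + keystream_xor(sa.enc_key, sa.spi, sa.out_seq, plaintext)
    return {**outer, "proto": ESP, "payload": body + icv(sa, body)}


def inbound(sa, pkt):
    """Step (3): replay check, verify, decrypt, rebuild. Returns None when the packet is discarded."""
    esp = pkt["payload"]
    if pkt["proto"] != ESP or len(esp) < 8 + ICV_LEN:
        return None
    body, tag = esp[:-ICV_LEN], esp[-ICV_LEN:]
    spi, seq = struct.unpack(">II", body[:8])
    if spi != sa.spi or not replay_ok(sa, seq):
        return None
    if not hmac.compare_digest(tag, icv(sa, body)):
        return None
    replay_update(sa, seq)
    plaintext = keystream_xor(sa.enc_key, spi, seq, body[8:])
    if sa.mode == "tunnel":
        return unpack_ip(plaintext)
    return {"src": pkt["src"], "dst": pkt["dst"], "proto": plaintext[0], "payload": plaintext[1:]}
```

One point the step order leaves implicit is handled explicitly here: the replay window is only advanced after the ICV verifies, so a packet carrying a forged high sequence number cannot slide the window and cause genuine packets that arrive slightly later to be discarded.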
It is worth mentioning that, because the above process is multi-threaded, when one thread in a micro-engine enters the waiting state another thread runs immediately; this is controlled by the programmer. The following program segment is the main control part of the data processing process:
    while (1) {
        dl_source();                  // take the packet descriptor from the receive thread
        if (dlBufHandle == 0) {
            continue;                 // no packet: go back and wait for the next one
        }
        Ethernet_validate();          // verify that this packet has a valid Ethernet header
        Ethernet_strip_header();      // remove the Ethernet header
        IPSec_process();              // IPSec processing
        IPv4_five_tuple_class();      // IPv4 forwarding classifier
        if (dlNextBlock == IX_DROP) { // dlNextBlock is a global variable naming the next block
            goto drop;                // jump to the handling of dropped packets
        }
        Ethernet_add_header();        // add a new Ethernet header
        dl_sink();                    // put the processed packet descriptor in the send buffer
        continue;                     // do not fall through into the drop handling
    drop:
        dl_buf_drop(dlBufHandle);     // handling of discarded packets
    }
IPSec is regarded as the current technical standard for implementing VPNs and plays an important role in secure communication on the Internet. Ever higher requirements for speed and security are being placed on network communication. Realizing high-speed secure network equipment with a network processor that combines the flexibility of a general-purpose CPU and the execution speed of an ASIC is a focus of current research and application of new network technologies.
References
[1] Intel Corp. Intel IXP2400 network processor hardware reference manual [DB/OL]. 2002.
[2] GONCALVES M. IPv6 network [M]. Huang Xiwei, Yang Zhen, trans. Beijing: People's Posts and Telecommunications Press, 2000: 251-275.
[3] DAVIS C R. Security Implementation of IPSec VPN [M]. Zhou Yongbin, Feng Denguo, Xu Zhen, et al., trans. Beijing: Tsinghua University Press, 2002: 165-201.
[4] Wang Jian, Li Tao, Liu Xiaojie, et al. Research on IKE and its application in IPSec [J]. Communication Technology, 2003, 144: 128-129.
[5] Intel Corp. Intel IXA portability framework: developer's manual [DB/OL]. 2002.