Internet on Chip. Dr. Johannes Wolkerstorfer Gigabit Ethernet and Programmable Hardware. x Face. Realraum Graz, January 26th 2010

Transcription

1 Internet on Chip Gigabit Ethernet and Programmable Hardware Dr. Johannes Wolkerstorfer Realraum Graz, January 26th 2010

2 Motivation How does Internet data look like? On the wire In the chip How can packets be processed? What is the advantage of hardware Real world example: PRISM project Privacy for Internet monitoring Internet on Chip 2

3 PRISM application PRIvacy-aware Secure Monitoring Europrean research project Goals Austrian partner: FTW (Forschungszentrum Telekommunikation Wien Monitor network traffic at ISP Detection of attacks Maintain privacy of user information (law) e.g. IP address Internet on Chip 3

4 PRISM architecture Frontend Monitoring of Internet traffic Backend Storage of encrypted data interface to monitoring applications NETWORK LINK PUBLIC DOMAIN THIRD PARTIES OUTSOURCED MONITORING APPLICATION IPFIX XML Front-end Traffic Probe Front-end application support Front-end encryption IPFIX Anonymization & data processing components Semantic Middleware Back-end Monitoring and Storage System PRIVACY PRESERVING CONTROLLER Internal monitoring applications (over encrypted data) Internet on Chip 4

5 PRISM frontend Functionality Flow extraction classification of packets normal flow anomaly Encryption Requirements Throughput: 1 Gbps Per-packet basis stateless Packet Capture Module IPaddr proto Packet p Encryption (symmetric) Flow label f i = f(p) Encryption key K i = PRF(S +, f i ) Internet on Chip 5

6 NetFPGA project NetFPGA FPGA board with 4 Gigabit Ethernet ports Opensource HW & SW provided by Stanford University Applications Router, switch, traffic gen. Network security Intrusion detection NetFPGA Board Internet on Chip 6

7 NetFPGA system Host PC Linux PC Kernelmode driver 4 additional network interfaces PCI interface Network traffic PC with NetFPGA Management of NetFPGA CPU PCI 1GE FPGA 1GE 1GE Memory Memory 1GE Internet on Chip 7

8 NetFPGA Where to get? Hardware From Digilent 600 US$ for research inst. Software / HDL From Stanford University Internet on Chip 8

9 NetFPGA architecture NetFPGA components Xilinx Virtex-2 Pro FPGA for User Logic Xilinx Spartan for PCI Host Interface Cypress: 2 * 2.25 MB ZBT SRAM Micron: 64MB DDR2 DRAM Broadcom: 4 Gigabit Ethernet PHYs FPGA (Xilinx Virtex-II Pro) Accommodates own project FPGA configured via PCI bus Four Gigabit Ethernet Interfaces NetFPGA platform 1GE PHY 1GE PHY 1GE PHY 1GE PHY Host computer 1GE 1GE 1GE 1GE V2-Pro50 FPGA w/ infrastructure FIFO packet buffers Your hardware specified in Verilog source code connected - to components of the Reference Router circuits and cores. Control, PCI Interface Linux OS - NetFPGA Kernel driver 18Mb SRAM User-defined software networking applications 64MB DDR2 SDRAM 18Mb SRAM 3 Gb SATA Board-Board Interconnect Internet on Chip 9

10 Gigabit Ethernet Packet switching network OSI Schichtmodell TCP/IP: Transmission Control Protocol Transport-Layer (Layer 4) Gesicherte Datenverbindung IP: Internet Protocol Network-Layer (Layer 3) Datenvermittlung im Internet Ethernet (IEEE 802.3) Data-Link Layer (OSI Layer 2) Sicherung Physical Layer (OSI Layer 1) Bitübertragung Interfaces: GMII for PHY Anwendung Transport Netz Netzzugang FTP HTTP SMTP DHCP TCP UDP IP ARP Ethernet Internet on Chip 10

11 Ethernet frames Protocol / Packet / Frame Protocol: standard for communication Packet: Part of data Frame: Packet in transmission Ethernet Frame Preamble 56 Bit: alternating 0 und 1 For Synchronization SFD Start of Frame Delimiter Ethernet Frame (ctd) Source and target address 48-Bit -Address Unique for every NIC Manufaqcturer pefix Do not mix up with IP address Paket-Typ z.b. 0x0800: IP Prüfsumme CRC Präambel SFD AAAAAAAAAA AAAAAB Zieladresse Quelladr. VLAN (Size) Typ IP Daten (1-1500)... (Pad) CRC Internet on Chip 11

12 Ethernet FIFO: First in First out Buffering of network data : Media access control Controls access to PHY Framing of packets CRC Checksum PHY: Physical layer Electric standard Encoding of signals 1000 Base-T GbE: 4 twisted pairs FIFO PHY Foto Realtek NIC FIFO + - Internet on Chip 12

13 Ethernet packets: Wireshark Internet on Chip 13

14 Ethernet packets in NetFPGA GMII: Gigabit media independent interface connects to the PHY 8-bit interface; 125 MHz user_data_path interface 64-bit interface, 125 MHz FIFO handshake NF2 IOQ ETH header ETH payload dest src (lo) RxQ TxQ data CPU RxQ CPU TxQ RxQ TxQ 63 0 NF2 dest NF2 src (one hot) Len64=6 (bin) Len8=43 Ether- Type CPU RxQ RxQ Input Arbiter Output Port Lookup Output Queues CPU TxQ TxQ CPU RxQ CPU TxQ ctrl RxQ TxQ CPU RxQ CPU TxQ 0xff=b xff=b xff=b xff=b xff=b xff=b x20=b Internet on Chip 14

15 FPGA Field programmable gate array (FPGA) Manufactured digital hardware Configurable hardware resources (CLB) Lookup-table based logic Flipflop for data storage Memory resources block ram, distributed RAM Programmable interconnect CLB CLB CLB CLB Internet on Chip 15

16 FPGA: Xilinx Virtex-II Pro NetFPGA Xilinx Virtex-II Pro 50 Internet on Chip 16

17 Design methodology Top down design Informal specification High-level model: C/C++, Java HDL simulation Synthesis, place & route No hardware debugging Sufficient testing of HDL model Internet on Chip 17

18 Design tools: high level High-level model: C/C++ Functional model Performance not important Evaluation of algorithms Internet on Chip 18

19 Design tools: Verilog Modelling of digital hardware Hardware description language (HDL): Verilog Internet on Chip 19

20 PRISM: Crypto hardware 6 6 dest source 0x9180: flow normal 0x9181: flow anomaly 2 typ t i reg_if S*K3 ^ S*K1(t i ) j + req_c j S*K1 AES C1 AES-XCBC-PRF Management interface PRISM frontend enckeyshare c j IV, S*K3 ^ S*K1(t i ) + Shamir 191 keystore S*, S**, #COEFFS y x anom RNG 128 t S*K1(ti), i, payload AES C0 128 in_data out_data z i IP Set setid Length timestamp Cap Total xff Length Length IP data padding, 0x x Ki 6 6 dest source S*K1, S*K3, S**K1, S**K2, ADPprf, Ki(payload) 2 typ (x, y) 0x0191: flow normal IV Pkt asm 16 ADP pre =rnd 16 n*16 IPfix header AES-128 CBC ADP PRF 16 ADP1 IP data Pad 01,02 Internet on Chip 20

21 Design tools: Verification Packets.pcap text2pcap Packets.k12 HDL simulator User_data_path.v ethernet_extract128.v enckeyshare.v Sim.tcl ethernet_assemble128.v tcpreplay wave.vcd Textual output Waveform viewer tshark > a4 7b ea e b3 fe c0 a8 00 2c c0 a a 2d e a 0b 0c 0d 0e 0f > a4 7b ea e b3 fe c0 a8 00 2c c0 a a 2d e a 0b 0c 0d 0e 0f aa NetFPGA card HDL simulation Internet on Chip 21

22 Conclusions Gigabit Ethernet and digital hardware Can be done with FPGAs Hardware and Software nearly affordable Results 1 Gigabit Ethernet encryption: AES-128 CBC Computation of Shamir keyshares Internet on Chip 22