Packet Classification in the SPC
arl/projects/msr/work/msrcfy.ppt

Fred Kuhns
Washington University in St. Louis, Applied Research Laboratory
[email protected]
http://www.arl.wustl.edu/~fredk


Page 2: Dynamically Extensible, Multi-Service, Extreme Router

Fred Kuhns - 1/9/01

[Figure: The ARL DEMSER logical diagram]

Legend:
CP - Control Processor
MM – MSR Manager
RA - Route Agents
NMA - Network Management Agent
DQ – Distributed Queuing
DRR – Deficit Round Robin
PP - Port Processor (SPC/FPX)
PE – Processing Environment (SPC)
FP – Forwarding Path (PX/SPC)

Page 3: SW Classifier: Top-Level View

[Figure: SW Classifier top-level view. Blocks shown: Input Link/MAC Processing, IP preprocessing, Classifier (General Match, Exact Match, Route lookup), Plugin Control Unit, Plugin Instances (PI0, PI1, PI2 ... PIn), LFS Module, cmd processor, Packet Scheduler, Queues (64 Dgram, 256 Reserve). Packet layout shown: shim, IP, trailer, padding.]

Annotations on the diagram:

• input port: 4 input VCs, 50-53, from phop/hosts

• output port: 8 input VCs, 40-47, from the 8 input ports.

• classify packet: route lookup, or get route in shim

• plugin instances may modify packets; monitor only

• drop packet, return buffer to pool.

• forward packet: get output queue from pkt type, outVIN and reservation. perform necessary IP processing

• LFS option or protocol; add/update EM filter and reservation; process/update option; report and status; status to CP

• cmd processor: command messages to/from CP

• input port: output queue from port number in outVIN.

• output port: output queue either one of 64 datagram queues or reserved queue. The outVIN’s subport value determines the VC a packet is sent on. Note, each queue in the packet scheduler may send a packet on any of the 4 output VCs.

Page 4: SW Classifier: Top-Level View

[Figure: the top-level view diagram from page 3, repeated with the same blocks and annotations.]

Page 5: Classifier Abstractions

• The SW Classifier has three lookup engines and tables:
  1. exclusive and non-exclusive general match filters, each with a settable priority and sharing a common table.
  2. exact match filters, with global priority.
  3. destination prefix lookup (fipl and simple) with global priority

• Each table contains a set of rules and a lookup strategy
  – Strategy includes order relation, matching/selection criteria and bindings.
  – Rule is composed of a predicate, action and data.
    • Predicate: set of one or more header fields and matching criteria. Depending on field, possible criteria include prefix match (value/length), all match (wildcard), range (i.e. port range), or exact value.
    • Actions: Explicit {Deny – drop packet, Active – send to R/W plugin, Reserve – reserved flow with BW reservation, Monitor – send to RO monitoring plugin} Implicit {Permit – absence of Deny action}
    • Data examples: plugin reference, priority, reservation

Page 6: General Match Filters

• General Match engine: compare packet fields (5-tuple), interface (input/output port) and priority.

• Specifying the packet fields, i.e. the 5-tuple:
  – IP prefix/address, source and destination: Prefix/width
    • network prefix: 192.168.200.0/24; exact host: 192.168.204.2/32; any address: 0/0
  – Ports, source and destination: exact, range or any
    • exact value: 22; range: 1,1024; any port: 0
  – Protocol: exact or any
    • exact value: 6; any protocol: 0

• Interface specification: port implicit, direction explicit:
  – Direction: input or output

• Priority: value between 1 and 255, inclusive. 0 is invalid – indicates that the default value should be used.

Page 7: General Match Behavior

• Two filter types: Exclusive and Non-exclusive
  – Exclusive filters are intended to be used with plugins that must modify, delay, replace, add or drop traffic.
    Actions: may be Deny/Permit and Active.
    Expected use: firewall functions or active processing
  – Non-exclusive filters are used when either a net packet count or “read-only” (aka monitoring) plugins are needed.
    Actions: Implicit Permit and Monitor.
    Expected use: packet counts and passive traffic monitoring

• The classifier will select the highest priority matching filter (only one) from each type.

• Each GM filter has a type, packet count, priority and plugin binding(s).

Page 8: Exact Match Classifier

• Exact match of the IP 5-tuple, global priority for all filters
  Actions: Deny/Permit, Reserve and Active.
  Expected use: Identify reserved flows, used by LFS

• Current 12 bit hash, MSB == Byte 0, protocol not used:

    hash = ((destination address: low order 2 bits of Byte 2) << 10) |
           ((source address: low order 3 bits of Byte 2) << 7) |
           ((source port: low order bit from Byte 1) << 6) |
           (destination port: low order 6 bits from Byte 1)

• Hash Field widths and offsets are configurable: msr/msr_classify.h

[Figure: packet layout and hash of ip header. IP header fields: Version, H-length, TOS, Total length; Identification, Flags, Fragment offset; TTL, Protocol, Header checksum; Source Address; Destination Address. IP data (transport header and transport data), starting with Source Port and Destination Port. AAL5 padding (0 - 40 bytes). Trailer, 8 Bytes: CPCS-UU (0), CPCS-UU (0), Length (IP packet + LLC/SNAP), CRC (APIC calculates and sets). The hash indexes the Hash Table of the Exact Match Classifier: Flow Table.]

FTE: qid, pkt_cnt/ref_cnt, reservation, fwdkey (route), handler

Page 9: Classifying a Packet

1. general match lookup – highest priority exclusive and non-exclusive filter matching packet

2. exact match lookup – reserved flow entry

[Figure: lookup data structures and their results.]

Structures shown in the figure:

• Hash Table: indexed by hash; each slot holds *head

• EM Filters: *fte, *hlist, filter

• Flow Table entry (exact match): *filter, flags (EM,...), qid (Unique id), reservation, route, *handler, refcnt, pktcnt

• Flow Table entry (exclusive general match): *filter, flags (~EM,...), ~qid, ~reservation, ~route, *handler, refcnt, pktcnt

• GM Table entry (exclusive): priority (Pi), filter, flags (Exclusive,...), *fte, *handlers[5] (N/A), pkt_cnt

• GM Table entry (non-exclusive): priority (Pj), filter, flags (Non-Excl,...), *fte (Null), *handlers[5], pkt_cnt

Results shown: highest priority matching exclusive filter; highest priority matching non-exclusive filter; matching Exact Match filter.

Page 10: Classifying a Packet (2)

• Why use the fte for both exact match and exclusive general match?
  – reuse the new plugin interface code
  – permits extended semantics for exclusive GM filters: useful for tests and demos
  – limit the number of data structures in kernel

• How does it work?
  – After classification a packet may have one or more of the following:
    Exact match FTE
    Exclusive GM entry (GME), pointer to FTE
    Non-Exclusive GME
    Route: Input port: longest prefix route
           Output port: route from SHIM

I will discuss the queue ID and reservations separately

Page 11: Classifying a Packet

• Basic processing steps (bufhdr references matching entries):

    // check for monitoring plugins/packet counters
    if (Non-exclusive)
        increment its pkt_cnt and add its actions

    // set packet’s buff hdr to the correct fte and actions
    if (Exclusive and Exact Match) {
        // then set fte, prio and add action from the higher priority entry
        if (exclusive entry priority > global exact match priority)
            use the exclusive GM entry/fte
        else
            use the exact match entry
    } else
        // use the valid entry
        fte = exclusive ? exclusive fte : exact match fte entry

    // set buf hdr’s fwdkey (route)
    if output port then
        get route from packet shim
    else {
        if (~fte || prio < rt_lookup priority || invalid fte->route)
            route = ip_prefix_lookup(pkt)
        else
            route = fte->route
    }

Page 12: Determining the QID

• There are currently 64 Datagram queues defined and 256 reserved queues. qids between 0 and 255 are for reserved flows. Datagram qids fall between 256 and 319

• Reserved queue Ids are simply the corresponding FTE’s offset within the global Flow Table which has 256 entries.

• Datagram Queue Ids are calculated from the packet header’s hash value:
    datagram qid = hash(pkt) % 64
  Since the last 6 bits of the hash value are simply the low order six bits of the destination port, the dgram queue id is equal to this value.

• All values may be set in msr_classify.h

Page 13: Assigning the Queue ID

• If an exact match entry is used then the queue ID is the corresponding fte offset (< 256 => reserved).

• If there is no valid exact match entry and no exclusive match then the datagram value is used:
    hash % 64 + 256

• If the exclusive entry is used currently the qid is the fte’s offset – BUT This May Change: Options:
  – use the datagram queue id calculated for each matching packet
  – the offset qid
  – let the administrator specify correct behavior
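
The hash on page 8 and the queue ID rules on pages 12 and 13, worked through in C as an added example (not code from the slides or the MSR sources). The names ip4, em_hash and dgram_qid are hypothetical, addresses are assumed to be held with the first octet in the most significant byte, and the second flow in main is constructed to show that flows differing in every field can share a hash bucket and a datagram queue.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the slide's 12-bit hash and datagram qid rule, not the
 * MSR source. Byte 0 is the most significant byte, so Byte 2 of an IPv4
 * address is its third octet and Byte 1 of a 16-bit port is its low byte. */
#define NUM_RESV_Q  256u   /* reserved qids 0-255 */
#define NUM_DGRAM_Q 64u    /* datagram qids 256-319 */

/* Hypothetical helper: pack dotted-quad octets with the first octet on top. */
uint32_t ip4(uint32_t a, uint32_t b, uint32_t c, uint32_t d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

uint32_t em_hash(uint32_t saddr, uint32_t daddr, uint16_t sport, uint16_t dport)
{
    uint32_t da2 = (daddr >> 8) & 0x03;  /* dest addr Byte 2, low 2 bits */
    uint32_t sa2 = (saddr >> 8) & 0x07;  /* src addr Byte 2, low 3 bits */
    uint32_t sp1 = sport & 0x01;         /* src port Byte 1, low bit */
    uint32_t dp1 = dport & 0x3f;         /* dest port Byte 1, low 6 bits */
    return (da2 << 10) | (sa2 << 7) | (sp1 << 6) | dp1;
}

/* Datagram queue id: hash % 64 + 256, which reduces to the low 6 bits of dport. */
uint32_t dgram_qid(uint32_t hash) { return hash % NUM_DGRAM_Q + NUM_RESV_Q; }

int main(void)
{
    /* 5-tuple from the page's exact-match example filter */
    uint32_t h1 = em_hash(ip4(192,168,224,2), ip4(192,168,208,2), 3245, 1020);
    /* Constructed second flow that differs in every field yet shares the bucket */
    uint32_t h2 = em_hash(ip4(10,1,8,9), ip4(172,16,4,77), 1, 60);
    printf("h1=%u qid=%u\n", (unsigned)h1, (unsigned)dgram_qid(h1));
    printf("h2=%u qid=%u\n", (unsigned)h2, (unsigned)dgram_qid(h2));
    return 0;
}
```

Because only 12 header bits feed the hash, the full 5-tuple comparison on the chained entries decides an exact match, and datagram queue sharing depends only on the destination port's low six bits.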

Page 14: Classifier/PS Data Structures

[Figure: classifier and packet scheduler data structures.]

Structures shown in the figure:

• Hash Table: indexed by hash; each slot holds *head

• EM Filters: *fte, *hlist, filter

• GM Table entry (exclusive): priority (Pi), filter, flags (Exclusive,...), *fte, *handlers[5] (N/A), pkt_cnt

• GM Table entry (non-exclusive): priority (Pj), filter, flags (Non-Excl,...), *fte (Null), *handlers[5], pkt_cnt

• Flow Table entry (exact match): *filter, flags (EM,...), qid (Unique id), reservation, route, *handler, refcnt, pktcnt

• Flow Table entry (exclusive general match): *filter, flags (~EM,...), ~qid, ~reservation, ~route, *handler, refcnt, pktcnt

• Buffer Header: *qlist, *pkt, *gid, *fte, qid, rxcid, txcid, flags, fwdkey, plen, atmlen; *pkt points to the IP Packet buffer

• PS Queue Table: Hash Table indexed by qid; each slot holds *head

• qlist used by packet scheduler to implement packet queues

Page 15: Communicating with the Classifier

cfy [global params] cmd [cmd options]

Global Parameters: (-h, -v, -w, -p)
    -q qid   : queue ID or Filter ID, 0-255
    -c ctype : classifier type, gm em; default is gm
    -x prio  : set gem/gnm filter priority to prio

Actions and Flags:
    -d : Drop packets matching this rule, must be a GM, Exclusive filter
    -o : applies to an output port, default is input port/filter
    -n : Non-exclusive general match filter, default is Exclusive General Match

Valid Commands:
    null    : Null or no-op command. Can be used to verify connectivity
    addfltr : Add filter to classifier
        -sa ipaddr[/width]  : Source Address or Net with prefix width
        -sp start[,end]     : Source Port number or range
        -da ipaddr[/width]  : Destination Address or Net with prefix width
        -dp start[,end]     : Destination Port number or range
        -pr n|string        : Protocol, can use numeric value or string
        -rt [sid/]port[/sub]: Statically set the forwarding key
    remfltr : Remove filter: requires global parameters {ctype, prio, qid}
    flist   : List all installed filters: {ctype|prio|qid} i.e. ctype<<24
    info fid: return status and parameters for filter id fid

Page 16: Current Default Filter Priorities

• See $SYS/msr/msr_policy.h

• Filter Priorities (1 <= prio <= 255), default values:
  – IP Longest Prefix Match: 32
  – Non-Exclusive Match: 62
  – Exclusive General Match: 62
  – Exact Match: 126

Page 17: Example Filters

• At output port 4, Drop all X-Windows traffic originating in subnet 192.168.204.0 (priority 60)
    cfy -p 4 -x 60 -q 0 -o -d addfltr -sa 192.168.204/24 -dp 6000,7000 -pr tcp

• At input port 5, count all packets sent to net 192.168.0.0/16
    cfy -p 5 -n -q 1 addfltr -sa 192.168.0.0/16

• At input port 6, add exact match filter that will be bound to a plugin, accept default route (it will be pinned)
    cfy -p 6 -c em addfltr -sa 192.168.224.2/32 -sp 3245 -da 192.168.208.2/32 -dp 1020 -pr tcp

• Same as above but send packet to port 7, sub-port 2
    cfy -p 6 -c em addfltr -sa 192.168.224.2/32 -sp 3245 -da 192.168.208.2/32 -dp 1020 -pr tcp -rt 7/2

Page 18: More examples – extended functions

• At input port 4, send all traffic from source network 192.168.216.0/24 to output port 7/0, set priority to 127
    cfy -p 4 -x 127 -q 0 addfltr -sa 192.168.216.0/24 -rt 7/0

• At input port 4, permit all SSH traffic, drop all other TCP traffic
    cfy -p 4 -q 0 -x 130 addfltr -dp 22 -pr tcp
    cfy -p 4 -q 1 -x 100 -d addfltr -pr tcp
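
How priority ordering produces the permit-SSH, drop-other-TCP behavior of the last two filters, as an added C example that is not from the slides or the MSR sources. The structs, gm_lookup and verdict are hypothetical; the larger priority value is assumed to win (as in the page 11 comparison), and the filter encoding follows page 6 (width 0, port 0 and protocol 0 mean any).

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model of general-match semantics; all names are hypothetical,
 * not taken from the MSR sources. Assumes the larger priority value wins. */
enum { ACT_PERMIT, ACT_DENY };
struct pkt { uint32_t sa, da; uint16_t sp, dp; uint8_t proto; };
struct gm_filter {
    uint32_t sa, da;        /* prefix values, first octet in the top byte */
    uint8_t  sa_w, da_w;    /* prefix widths 0..32; 0 matches any address (0/0) */
    uint16_t sp_lo, sp_hi, dp_lo, dp_hi;  /* port ranges; lo == 0 matches any port */
    uint8_t  proto, prio;   /* proto 0 = any; prio 1..255 */
    int      action;
};

static int prefix_ok(uint32_t addr, uint32_t net, uint8_t w)
{
    uint32_t mask = w ? ~0u << (32 - w) : 0;  /* w == 0 must not shift by 32 */
    return (addr & mask) == (net & mask);
}
static int port_ok(uint16_t p, uint16_t lo, uint16_t hi) { return lo == 0 || (p >= lo && p <= hi); }

/* Highest-priority matching filter or NULL; ties keep the earlier entry (assumption). */
const struct gm_filter *gm_lookup(const struct gm_filter *t, size_t n, const struct pkt *p)
{
    const struct gm_filter *best = NULL;
    for (size_t i = 0; i < n; i++) {
        const struct gm_filter *f = &t[i];
        if (prefix_ok(p->sa, f->sa, f->sa_w) && prefix_ok(p->da, f->da, f->da_w) &&
            port_ok(p->sp, f->sp_lo, f->sp_hi) && port_ok(p->dp, f->dp_lo, f->dp_hi) &&
            (f->proto == 0 || f->proto == p->proto) && (!best || f->prio > best->prio))
            best = f;
    }
    return best;
}

/* The page's last two filters: permit SSH at priority 130, drop other TCP at 100. */
const struct gm_filter table[] = {
    { .dp_lo = 22, .dp_hi = 22, .proto = 6, .prio = 130, .action = ACT_PERMIT },
    { .proto = 6, .prio = 100, .action = ACT_DENY },
};

int verdict(const struct pkt *p)  /* no matching filter: implicit Permit */
{
    const struct gm_filter *f = gm_lookup(table, 2, p);
    return f ? f->action : ACT_PERMIT;
}

int main(void) { struct pkt web = { 0, 0, 40000, 80, 6 }; return verdict(&web) == ACT_DENY ? 0 : 1; }
```

If the two priorities were swapped, the drop filter would also win for port 22, so the permit rule must carry the larger value.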