-
Notifications
You must be signed in to change notification settings - Fork 42
4ID principals
In order to be a practical and deployable architecture, Linux XIA must on some level coexist with IP networks. This page describes the 4ID series of principals, which provide avenues for utilizing different degrees of IPv4 network functionality. The same ideas could theoretically be applied to the IPv6 architecture, although the 6ID series of principals has not yet been planned.
This page presents the 4ID principals in order of interaction with legacy network functionality, with principals relying more heavily on IPv4 listed first.
Status: implemented.
The U4ID principal allows XIP packets to be encapsulated into the payload of UDP/IPv4 packets so that XIP can effectively be tunneled through legacy networks.
The U4ID principal is similar in theory to protocols such as 6in4, which encapsulates IPv6 packets into the payload of IPv4 packets for backwards compatibility, and L2TP, which encapsulates data into UDP datagrams to support VPNs. The goal is to allow XIA to interoperate with TCP/IP by using encapsulation.
However, U4ID tunnels are slightly different than the tunnels used in 6in4 and L2TP. Those tunnels have some associated state and are constructed as part of an agreement by the hosts at the ends of the tunnel. However, U4ID tunnels are implicit in the network. A host can locally add a tunnel destination (and optionally, a tunnel source), but there is no agreement to set-up an explicit tunnel between hosts. Therefore, it's possible for a packet to be sent via a tunnel source without knowing whether the tunnel destination actually exists.
For a valid set-up, both tunnel endpoints need to be dual-stacked with IP and XIA with a loaded U4ID principal. That ensures that both ends of the tunnel can translate the XIP packets to UDP/IP packets and vice versa. At the source of the tunnel, XIP packets are loaded into an UDP/IP packet as the payload. In XIA terminology, the source of the tunnel is when the next node in the destination address DAG is of type U4ID. If the next node is a U4ID node, then the generator of the DAG wishes to try to use an IPv4 network to reach a given host.
When a U4ID node is reached in a DAG and the XIA stack must transfer control to IP, the IP stack needs to know a destination IP address for the new packet. To accomplish this, the IP address and port number are extracted from the U4ID XID and passed to the IP stack when constructing the new packet. This is possible because the XID format of the U4ID principal is four bytes for the IP address, followed by two bytes for the port number, followed by 14 bytes of zeros.
Once the packet is transmitted, it will traverse the IP network (unreliably, since UDP and IP are both best-effort protocols).
If the packet is received at the end of the tunnel, the packet must be passed back to the XIA stack for further processing. The XIA routing mechanism will inspect the packet, and expects to see that the last node pointer references a U4ID type, as it did at the source of the tunnel. The routing mechanism must then verify that the U4ID XID that is present matches a U4ID XID that is local to the host. If it does, then the packet has indeed reached its correct location and the last node pointer can be advanced. If the U4ID XID that is present does not match a local U4ID XID, then an error occurred. A fallback edge may be tried, or the packet may be dropped.
After advancing the last node pointer, the XIA routing mechanism can continue processing the packet by looking at the next node in the DAG.
One of the central tenets of XIA is the notion of intrinsic security. There is a lack of such security for the U4ID principal, which stems from two reasons. Firstly, the communication involved in using the U4ID is inherently not completely via XIA. When the U4ID routines are invoked, the forwarding of the packet is done in the space of IP. Moreover, the format of the XID for the U4ID principal is purposely transparent, so that an IP address and port number can easily be mapped to an XID and vice versa.
The basic use of the U4ID principal using the xip application is available on the How to set-up page.
Once you understand the basics of the U4ID principal from the above link, we can illustrate how the U4ID principal works using two other applications:
- net-echo, an echo application that works with TCP and UDP in IP as well as Serval and XDP in XIA
- XLXC, a lightweight virtualization solution for quickly simulating many XIA hosts
Follow the instructions at the above links to obtain the applications and install the net-echo executables into the /bin directory of the host. This demonstration will also require that you use an XIA development environment. Follow the instructions at that link to set-up your own environment or to use a virtual machine that has already been configured with XIA.
On the host, we need to create two Linux XIA containers. Navigate to the xlxc directory and issue the following command:
# ruby xlxc-net.rb -n xia -s 2 --create -t star
This creates a linear topology of three XIA hosts, where a container named xia0 is connected to the host via the Ethernet bridge xia0br, and where the host is connected to a container named xia1 via the Ethernet bridge xia1br. Notice that xia0 and xia1 are not on the same broadcast domain, so in order for them to communicate, the packets must pass through the host.
We also need to load the appropriate XIA principals (U4ID and XDP):
# modprobe xia_ppal_u4id # modprobe xia_ppal_xdp
If you want to view the packets that will be transmitted between the containers, you can use tcpdump on one of the bridge devices to capture the packet traces and then use Wireshark to view them graphically:
# tcpdump -i xia0br -w u4id_capture.log (follow sections below to send packets; once sent, quit tcpdump using Ctrl + C) # wireshark u4id_capture.log
If you use tcpdump to capture the UDP packets that are sent between the two containers, and if you enable UDP checksum validation in Wireshark, then you may notice that the UDP checksums appear to be incomplete. However, this is due to checksum offloading, and is a false error.
We will use xia0 as the host running the echo server. Therefore, start xia0 running from within the xlxc directory:
# ruby xlxc-start.rb -n xia0 --daemon # lxc-attach -n xia0
The next task is to find the IP address of the container. Issue the following command:
# ifconfig
This will display the networking configuration of the container; locate the IPv4 address associated with the eth0 interface. For example, this may be 10.0.1.2.
Next, add the local U4ID as a tunnel source and destination for this IP address, using the port 0x35d5 (or any other valid port). For example, if the IP address was found to be 10.0.1.2 (with a netmask of 255.255.255.0), this command would be:
# xip u4id add 10.0.1.2 0x35d5 -tunnel
Finally, create a file server_address.txt that contains the address of the server listening instance. This address will be a DAG consisting of two nodes: a U4ID and an XDP. Recall from the "Design" section above that the U4ID XID format is four bytes for the IP address, followed by two bytes for a port number, followed by fourteen bytes of zeros. Therefore, our example U4ID above combined with an XDP that represents the server instance would be:
server_address.txt
u4id-0a00010235d50000000000000000000000000000-1: xdp-007f4e38904e83634acc7e1340ef7665e3f1f57a-0
We now have a running container, the net-echo application, a U4ID instance in the local routing table, and the address of the server instance. We are now ready to run the net-echo server application:
# eserv datagram xip server_address.txt
The server will begin listening, and we can move on to setting-up the echo client.
The set-up for the client is very similar to the set-up for the server.
We will use xia1 as the host running the echo client. Therefore, start xia1 running from within the xlxc directory:
# ruby xlxc-start.rb -n xia1 # and log-in as root, as before
Now find the IP address of xia1 using ifconfig as in the previous section. This IP address should be on a different network; for example, it may be 10.0.2.2 (with a netmask of 255.255.255.0). Then add a local U4ID as a tunnel source and destination for this address using the port 0x35d5 (or any other valid port):
# xip u4id add 10.0.2.2 0x35d5 -tunnel
Finally, create two address files. The first file, server_address.txt, should exactly match the file created in the previous section. The second file, client_address.txt, should contain the address of the echo client. This address will be a DAG consisting of two nodes: a U4ID and an XDP. Our example U4ID above combined with an XDP that represents the client instance would be (note the 'b' at the end of the XDP, whereas the server XDP in server_address.txt contained an 'a' at the end instead):
client_address.txt
u4id-0a00020235d50000000000000000000000000000-1: xdp-007f4e38904e83634acc7e1340ef7665e3f1f57b-0
We now have a running container, the net-echo application, a U4ID instance in the local routing table, and the addresses of the server and client instance. We are now ready to run the net-echo client application:
# ecli datagram xip client_address.txt server_address.txt
We can then enter text strings or files to be echoed.
Status: not yet implemented.
The I4ID principal allows XIP packets to be encapsulated into the payload of an IP packet by writing XIP into the protocol field of the IP header.
Status: not yet implemented.
The X4ID principal leverages IP's routing table to forward XIDs. In other words, routers forward X4IDs by directly looking up the corresponding IP address in the IP routing table. In this way, XIA can leverage the IP routing infrastructure such as BGP sessions.
Documentation written by Vineet Parikh.
Status: implemented.
The LPM principal allows forwarding based on longest prefix matching. In the future, the LPM principal could populate its routing tables with information from BGP sessions directly, which allows greater routing power similar to the X4ID principal, and eliminates the need to depend on the TCP/IP stack.
The LPM principal is largely a way to support the longest prefix matching commonly used in IP identifiers. The LPM XID is a typed string of bits which XIA routers must match against a list of prefixes. Such usage enables XIA to reuse the routing infrastructure of IP, although LPM supports prefixes up to and including 160 bits in length.
To do a longest prefix match, the LPM principal uses a special forwarding information base, such as a binary tree or a poptrie. When a packet is to be forwarded and there are multiple matches in the FIB, the FIB entry whose prefix has the longest match with the LPM XID in the packet will be selected.
The basic use of the LPM principal using the xip application is available on the How to set-up page.
Once you understand the basics of the LPM principal from the above link, we can illustrate how the LPM principal works using two other applications:
- net-echo, an echo application that works with TCP and UDP in IP as well as XDP in XIA
- XLXC, a lightweight virtualization solution for quickly simulating many XIA hosts
Follow the instructions at the above links to obtain the applications and install the net-echo executables into the /bin directory of the host. This demonstration will also require that you use an XIA development environment. Follow the instructions at that link to set-up your own environment or to use a virtual machine that has already been configured with XIA.
The idea is to create a single client and two servers, and observe how we can use the LPM principal to change which server is communicating with the client even while using the same server address!
We first need to load the appropriate XIA principals (LPM, XDP, and HID):
# modprobe xia_ppal_lpm # modprobe xia_ppal_xdp # modprobe xia_ppal_hid
Once the principals are loaded, we should add an HID for the host:
# xip hid new host # xip hid add host
On the host, we need to create three Linux XIA containers. Navigate to the xlxc directory and issue the following command:
# ruby xlxc-net.rb -n xia -s 3 --create -t star
This creates a "Y" topology of three XIA guests connected by the host machine in the middle. The host is connected to a container named xia0 via the Ethernet bridge xia0br, to a container named xia1 via the Ethernet bridge xia1br, as well as a container named xia2 via the Ethernet bridge xia2br. Notice that the containers are not on the same broadcast domain, so in order for them to communicate, the packets must pass through the host.
Now, open three more terminals, and start each container in a separate terminal. For example, for xia0 the command is:
# ruby xlxc-start.rb -n xia0
Log-in with the username "root". No password should be required.
Once inside each container, add an HID for each. For example, for xia0 the commands are:
# xip hid new xia0 # xip hid add xia0
For all three containers and the host, run the following command:
# xip hid showaddrs
Keep note of these HIDs (we’ll call them HID_host, HID_xia0, HID_xia1 and HID_xia2). We’ll need to use them later.
Populate the LPM routing table. For both servers, we will need to add a local entry to accept packets coming from the client as well as a main entry to send packets back to the client.
# xip lpm addlocal 0x90b 12 # Run this on xia1. # xip lpm addlocal 0x90b 12 # Run this on xia2.
To add the main entries, we’ll need to use HID_host. This way, to send packets back to the client, we will forward them through the host. To do so, run the following command on both xia1 and xia2:
# xip lpm addroute 0x0a00020235d50000000000000000000000000000 160 gw HID_host
The exact value of HID_host will change because it is randomly generated, but this command may look like:
# xip lpm addroute 0x0a00020235d50000000000000000000000000000 160 gw hid-73a15cd6e05ec45c5cbba8c61d5f4f26b4e2e4c4
Finally, create two files: server_address_1.txt (on xia1) and server_address_2.txt (on xia2). These contain the addresses of the server listening instance. Each address will be a DAG consisting of two nodes: a LPM and a XDP. Therefore, an example LPM above combined with a XDP that represents the server instance for xia1 could be:
server_address_1.txt
lpm-90be400000000000000000000000000000000000-1: xdp-8b9c0c5f2434a1010a7ce9a8bb768dd8bb054a63-0
For xia2, it could be:
server_address_2.txt
lpm-90be500000000000000000000000000000000000-1: xdp-8b9c0c5f2434a1010a7ce9a8bb768dd8bb054a63-0
Notice that the XDP XIDs are exactly the same, and the only difference in the LPM XIDs is the fifth digit.
We are now ready to run the net-echo server application for both server containers:
# eserv datagram xip server_address_1.txt # on xia1 # eserv datagram xip server_address_2.txt # on xia2
The servers will begin listening, and we can move on to setting-up the echo client.
The set-up for the client is very similar to the set-up for the server.
First, populate the LPM routing table on xia0. Add a local entry that will accept packets sent by the server:
# xip lpm addlocal 0x0a00020235d50000000000000000000000000000 160
We also want to add a rule that says forward an LPM to the host using the host’s HID, just like we did for the servers:
# xip lpm addroute 0x90b0000000000000000000000000000000000000 12 gw HID_host
After adding this rule, any LPM XID that matches the first 12 bits of 0x90b0000000000000000000000000000000000000 will be forwarded to the host.
Finally, create two address files on the client. The first file represents the server’s address. Let’s make it the same as the server_address2.txt file from above:
server_address.txt
lpm-90be500000000000000000000000000000000000-1: xdp-8b9c0c5f2434a1010a7ce9a8bb768dd8bb054a63-0
The second file, client_address.txt, should contain the address of the echo client. This address will be a DAG consisting of two nodes: a LPM and a XDP:
client_address.txt
lpm-0a00020235d50000000000000000000000000000-1: xdp-007f4e38904e83634acc7e1340ef7665e3f1f57b-0
Notice that the LPM XID in this file should be the same as the XID that was used to add main entries on the servers.
We are now ready to run the net-echo client application:
# ecli datagram xip client_address.txt server_address.txt
We now have one client container and two server containers fully configured, but we still need to write forwarding rules on the host, which acts as a router between the client and servers. This is where we can decide whether to forward packets to the server at xia1 or xia2.
Recall that both servers accept LPM XIDs of that match the first 12 bits of 0x90b<tt>, so when the host sees an LPM XID of <tt>lpm-90be500000000000000000000000000000000000 in a packet, we could forward it to either server. Let’s choose the server on xia1, so add this rule on the host:
# xip lpm addroute 0x90b0000000000000000000000000000000000000 12 gw HID_xia1
We then just need to allow packets to flow from the servers through the host and to the client, so we also add this route on the host:
# xip lpm addroute 0x0a00020235d50000000000000000000000000000 160 gw HID_xia0
Strings can now be entered into the client running on xia0. The packets will be routed through the host to xia1 and then echoed back. Wireshark can be used to capture the packets that are being sent:
# tcpdump -i xia0br -w lpm_capture.log (follow sections below to send packets; once sent, quit tcpdump using Ctrl + C) $ wireshark lpm_capture.log
Let’s now show the real power of the LPM principal by changing the rule at the host to forward to xia2 instead of xia1. To do so, let’s add a longer prefix to the routing table on the host. Instead of 12 bits, we will use a 20 bit prefix:
# xip lpm addroute 0x90be500000000000000000000000000000000000 20 gw HID_xia2
Try sending more packets from the client -- they will now be forwarded to xia2 without any changes being made to the client! This is because packets flowing from the client to the host have an LPM XID that matches more bits in the second entry, so those packets will be forwarded to xia2.
In some versions of lxc there is a bug which may prevent the containers from starting. If this happens, here is the solution:
In the xlxc directory, go into the file xlxc.rb and look for the constant named LXC_CONFIG_TEMPLATE. Add a line at the end of that string with this: lxc.aa_allow_incomplete = 1. Then, try creating and starting the containers over again.
All grants that have generously supported the development of Linux XIA are listed on our Funding page.