VPP DPI Plug-in

Telecom operators and networking vendors are constantly looking for new frameworks to develop next-generation high-performance SDN and NFV solutions. Currently, embedding real-time traffic visibility through DPI is complex and expensive with tightly coupled technologies. We at ATS are working towards decoupling DPI functionality from the primary network function (Switch/Router/SGW/PGW/UPF). With this plugin, any new network function developed using the VPP framework comes with functional DPI out of the box. The DPI processing engine is kept separate, so the DPI processor can be implemented in whatever way is required.

Introduction

The official website of Vector Packet Processing (VPP) describes VPP as a platform made up of an extensible framework that provides out-of-the-box, production-quality switch/router functionality. This extensibility is achieved by a plug-in framework of interconnected graph nodes. We at ATS have leveraged this plug-in framework to develop a DPI (Deep Packet Inspection) plug-in that can be enabled on a per-interface basis. This plug-in’s primary function is to pick up every packet landing on an interface, scoop up the relevant headers and send them to the DPI processing engine, which runs as a separate process. This keeps the plug-in itself lightweight and delegates DPI functionality to that separate process.

Architecture

The reference framework for building a high-performance Deep Packet Inspection solution using VPP is depicted in the diagram below. It supports both IPv4 and IPv6 packet flows. The VPP DPI plugin scoops packets after the “device-input” arc, which ensures that all packets are scooped up regardless of packet type. The first 165 bytes of each packet are sent to the DPI processing engine for further processing.

Figure 1: Reference Architecture
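
What a consumer on the DPI engine side might do with each 165-byte snapshot, as an added example (not the plug-in's or vpp_recv's own code): extract the flow 5-tuple while refusing to read past a truncated header. It assumes the snapshot starts at the Ethernet header; parse_snapshot, struct flow and the sample frame are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SNAP_LEN 165 /* bytes of each packet forwarded to the DPI engine */
struct flow { uint8_t ipver, proto, src[16], dst[16]; uint16_t sport, dport; };
/* Constructed sample: UDP 172.16.2.2:40000 -> 172.16.1.2:9999, checksums zeroed. */
static const uint8_t sample_udp[] = { 2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00,
    0x45,0,0,29, 0,0,0x40,0, 64,17,0,0, 172,16,2,2, 172,16,1,2,
    0x9c,0x40, 0x27,0x0f, 0,9, 0,0, 'x' };
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0, or -1 if too short or not IP. Assumption: snapshot starts at the Ethernet header. */
int parse_snapshot(const uint8_t *b, size_t len, struct flow *f)
{
    size_t off = 14;
    memset(f, 0, sizeof *f);
    if (len > SNAP_LEN) len = SNAP_LEN;          /* never read past the snapshot */
    if (len < off) return -1;
    uint16_t etype = be16(b + 12);
    while (etype == 0x8100 || etype == 0x88a8) { /* skip VLAN tags */
        if (len < off + 4) return -1;
        etype = be16(b + off + 2); off += 4;
    }
    if (etype == 0x0800) {                       /* IPv4 */
        if (len < off + 20) return -1;
        size_t ihl = (size_t)(b[off] & 0x0f) * 4;
        if ((b[off] >> 4) != 4 || ihl < 20 || len < off + ihl) return -1;
        f->ipver = 4; f->proto = b[off + 9];
        memcpy(f->src, b + off + 12, 4); memcpy(f->dst, b + off + 16, 4);
        if (be16(b + off + 6) & 0x1fff) return 0; /* later fragment: no L4 header */
        off += ihl;
    } else if (etype == 0x86dd) {                /* IPv6 */
        if (len < off + 40 || (b[off] >> 4) != 6) return -1;
        f->ipver = 6; f->proto = b[off + 6];     /* extension headers are not walked */
        memcpy(f->src, b + off + 8, 16); memcpy(f->dst, b + off + 24, 16);
        off += 40;
    } else return -1;
    if ((f->proto == 6 || f->proto == 17) && len >= off + 4) { /* TCP/UDP ports */
        f->sport = be16(b + off); f->dport = be16(b + off + 2);
    }
    return 0;
}

int main(void)
{
    struct flow f;
    int rc = parse_snapshot(sample_udp, sizeof sample_udp, &f);
    printf("rc=%d IPv%d proto %d %d -> %d\n", rc, f.ipver, f.proto, f.sport, f.dport);
    return 0;
}
```

A snapshot that ends inside the IP header is rejected, while one that ends inside the UDP/TCP header still yields the addresses with the ports left at zero.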

Test Environment Set-Up

A pre-release VPP DPI plugin is available for testing. Please feel free to try it out.

$ curl -s http://134.119.178.86:12340/vpp-pkgs.tgz -o vpp-pkgs.tgz
$ tar xvfz vpp-pkgs.tgz

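To use the plugin, copy atsgen_dpi_plugin.so from the tarball to the vpp/lib/vpp_plugins/ directory. More details are available in the README file. The tarball above is fetched over plain HTTP and no checksum is given here, so its integrity cannot be verified in transit; load the plugin only on a test host.

Note: This plugin is validated and known to work with VPP release 20.05.1 on CentOS Linux release 7.7.1908 (Core).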

Preparing Tap Interfaces and Network Namespaces on Host Machine

Creating network namespace (vpp1):

$ ip netns add vpp1

Creating veth pair (veth_vpp1) and setting the interface up:

$ ip link add name veth_vpp1 type veth peer name vpp1
$ ip link set dev vpp1 up

Adding veth_vpp1 to namespace vpp1:

$ ip link set dev veth_vpp1 up netns vpp1
$ ip netns exec vpp1 ip link set dev lo up

Assigning IP address to the interface:

$ ip netns exec vpp1 ip addr add 172.16.1.2/24 dev veth_vpp1

Adding route information:

$ ip netns exec vpp1 ip route add 172.16.2.0/24 via 172.16.1.1

Preparing Adjacent Tap Interfaces and Network Namespaces on Host Machine

Creating network namespace:

$ ip netns add vpp2

Creating veth pair (veth_vpp2) and setting the interface up:

$ ip link add name veth_vpp2 type veth peer name vpp2
$ ip link set dev vpp2 up

Adding veth_vpp2 to the namespace, vpp2:

$ ip link set dev veth_vpp2 up netns vpp2
$ ip netns exec vpp2 ip link set dev lo up

Assigning IP address to interface:

$ ip netns exec vpp2 ip addr add 172.16.2.2/24 dev veth_vpp2

Adding route information:

$ ip netns exec vpp2 ip route add 172.16.1.0/24 via 172.16.2.1

Setting up an interface on vRouter

Starting VPP:

$ /full/path/to/vpp/build-root/build-vpp_debug-native/vpp/bin/vpp unix { cli-listen /run/vpp/cli.sock }

Accessing VPP CLI:

$ /full/path/to/vpp/build-root/build-vpp_debug-native/vpp/bin/vppctl -s /run/vpp/cli.sock

Setting up L3 interface in VPP

vpp# create host-interface name vpp1
vpp# set int state host-vpp1 up
vpp# set int ip address host-vpp1 172.16.1.1/24

Setting up L3 adjacent interface in VPP

vpp# create host-interface name vpp2
vpp# set int state host-vpp2 up
vpp# set int ip address host-vpp2 172.16.2.1/24

Enabling DPI plug-in and running consumer process

vpp# show interface host-vpp2
Name               Idx    State  MTU (L3/IP4/IP6/MPLS)     Counter          Count
host-vpp2          4      up          9000/0/0/0

vpp# dpi interface host-vpp2

[root@vpp-dev atsgen_dpi]# ./vpp_recv
Ready to receive message:

Disabling DPI plug-in

vpp# dpi interface host-vpp2 disable

Test Process

Sending ICMP/TCP/UDP

$ ip netns exec vpp2 ping 172.16.1.2 -c1
$ ip netns exec vpp1 nc -4 -u -l 9999
$ ip netns exec vpp2 nc -u 172.16.1.2 9999
$ ip netns exec vpp1 nc -4 -k -l 1499
$ ip netns exec vpp2 nc 172.16.1.2 1499

Figure 2: Network Diagram: Test Environment Set-Up

Expected Output

Figure 3: Test Output

Advantages

  • Better performance monitoring
  • Real-time traffic monitoring
  • Single VPP DPI plugin manages heterogeneous network
