11/2/2000Weihong Wang/Content Switch Page 1 Content Switch. Introduction of content web switch.. Some content switch products in the market.. Design of

11/2/2000 Weihong Wang/Content Switch Page 1

Content Switch

. Introduction of content web switch.

. Some content switch products in the market.

. Design of a content switch.


Introduction of Content Switch (1)

What is web server load balancing?

. Distribute incoming request to achieve parallel services.

. Transport layer load balancing, balancing the incoming request based on address and port number.. Application layer load balancing, redirecting the user request based on the content of the request. (e.g. url, http header…)


Introduction of Content Switch (2)

What is Content Switch?

. An application layer load distribution.

. A network device which routes the unique user request for specific content to the optimal server best able to handle the request.

. For example, a Content Switch can classify the incoming request based on its url, http meta header, cookie value and so on.


ArrowPoint Network Services

(Support url and cookie-based switching)

. Who the customer is based on user cookie located within HTTP header.

. What information or transaction the customer is requesting.

. Where best to service the customers.


Content Switch Architecture

• From Apostolopoulos2000.

• Port controller matches incoming packets

• Forward packets tocontent switch processor or routethem directly.

• Rule matching resultsdownload toport controller

Content switch processor

http://cs.uccs.edu/~chow/pub/contentsw/paper/contentsw/apostolopoulosum.pdf


Content Switch Operations

Content Switching Rule Matching Algorithm

HeaderContent

Extraction

Packet Classification

Content SwitchRules

Packet Routing(Load Balancing)

CS RuleEditorIncoming

Packets

ForwardPacket

To Servers

Network Path Info

Server Load Status


Component of Content Switch

. Defining the rules. Determine the type of web content being request.

. Rule matching process Identifying specific type of traffic, then routing that traffic to the location best able to serve the traffic or customer request.


Two different design approach of Content Switch

. Process content type classification and routing policy on application level. For example: application level proxies.

. Process content type classification and routing policy on tcp/ip level. Need to modify operating system kernel. For example: using NAT to develop a content switch.


Cisco Content Engine 2.20(CE)

. Cisco CE supports HTTP and HTTPS proxy server.

. CE examines web request and makes the action decision such as block, cache, or proxy.. CE is worked in application level.. An example of the matching rules:

rule no-cache url-regex\. *cgi-bin.*

This rule configures that the incoming packets with the url matching the pattern “*cgi-bin” will not be forward to the proxy servers.


Intel Action/Classification Engines(ACEs)

. ACE classifies incoming packets according to the predefined rule files.

. ACE then triggers action in the associated action files.

. ACE use Network Classification Language(NCL) to configure rules.

. ACE is developed in tcp/ip level.

. Example of NCL,

Rule check_http{tcp&&(tcp.sport==80)}{action_scan()}

. check_http is the name of the rule, {tcp&&(tcp.sport==80)} is class matching condition, and {action_scan()} is action function of this condition.. This rule means that incoming request with protocol=tcp and port=80 will go to action “action_scan()”.. NCL is simple for configuration.


Design of the Content Switch

. Architecture of Content Switch.

. Matching rules and routing policy.

. Flow chart.


TCP/IP level Content Switch Architecture (1)

NAT(network address translation)

. Incoming and out going packets all pass through Content Switch.

. Content Switch masquerades the ip address and port number of incoming and out going packets.

. Content Switch uses delayed binding to connect with back server.


Packet Processing in Content Switch

Phase 1:

Phase 2:

Phase 3:


TCP Delay Binding


NAT Content Switch delayed binding

. Content Switch establishes a connection with client first.

. When get data, choose a server to establish another connection, forward original syn msg, discard the ack from back server.. For the following data transmission, Content Switch only forward it after masquerades its ip address and port number.


TCP/IP level Content Switch Architecture (2)

IP Tunnel and IP Direct Routing

. Content Switch accepts request and forward it to the choosed server.

. The server then connects with client directly.

. Delayed binding .

. Need to modify back end server’s tcp protocol.

. Faster than NAT approach.


Content Switch Rules

The contents should be covered :

. Source IP address and TCP/UDP port number.

. URL regular expression.

. HTTP meta header.

. SSL session ID.

. Values of XML tags.


Content Switch Rules (1)Examples of Content Switch Rules

Foundry ServerIron

ServerIron(config)#url-map gifPolicyServerIron(config-url-gifPolicy)#method suffixServerIron(config-url-gifPolicy)#match “gif”1ServerIron(config-gifPolicy)#default 2ServerIron(config-gifPolicy)#exit

If the suffix of url in the incoming packets is gif, route to server group 1, else route to server group 2.

Cisco Network Based Application Recognition

Router(config)#class-map match-all http_secureRouter(config)#match protocol secure-http

Router(ifconfig)#class-map match any audio_videoRouter(config)#match protocol http mime “audio/*”Router(config)#match protocol http mime “video/*”

Router(config)#policy-map e-expressRouter(config-pmap-c)#class http_secureRouter(config-pmap-c)#bandwidth 32Router(config-pmap-c)#class audio_videoRouter(config-pmap-c)#bandwidth 10

First define classes for secure http request and audio/video request, and then distribute the outbound bandwidth for each class.

Intel IX-API SDK

Rule check_src {ip.src==10.10.10.30} {action_A()}Rule check_http{tcp&&(tcp.sport==80)}{action_scan()}

The meaning of rule check_src is: if source ip addressis 10.10.10.30, then execute the action function “action_A()”.


Content Switching Rule Matching Algorithm

. Brute Forced Sequential Execution – Early rules have higher priority.. Easy to solve conflict problem.

. Ways to speed up the process of rule matching: - Set flags based on the headers and content

by-passed rules not related. - Use compiler-optimization techniques to speed up the set of rule


Flow Chart of Content Switch (1)

packet from client

input to ip_input

connection established?

TCP/SYN?

create ACK back msg

send back ACK to client

masquerade ip addrport,seq.

forward ib packet

return

return

choose server

masq SYN msg

forward to server

choose server

masq UDP packet

forward to server

deliver to upper layer

TCP/data/ack UDP?

y

n

yy y

nnn


Flow Chart of Content Switch

packet from back server

Connection established?

msaq packet

forward it

return

SYN/ACK?

create connection hash table

masq ip addr,

port,seq.

forward saved ip packet

forward as normal

input to ip_forward

Documents

11/2/2000Weihong Wang/Content Switch Page 1 Content Switch. Introduction of content web switch.. Some content switch products in the market.. Design of