Beruflich Dokumente
Kultur Dokumente
CREATING INNOVATIVE EMBEDDED APPLICATIONS IN THE NETWORK WITH THE JUNOS SDK
This work is an excerpt from the forthcoming book Network Embedded Management and Applications expected to be published in 2011 by Springer Press.
Copyright 2011, Juniper Networks, Inc. 1
Creating Innovative Embedded Applications in the Network with the Junos SDK
Junos SDK-built applications integrate with the Junos OS to create innovative solutions in several architectural areas of the device. Where can you deploy an application, and how can you determine where it is best suited? We present the Junos OS architecture at a high level and in detail where it pertains to building applications. We continue by explaining how the architecture fits over the hardware, and what types of applications are best suited to the environments we describe. The figure at the end of this section summarizes the main conceptual separations.
Creating Innovative Embedded Applications in the Network with the Junos SDK task of managing the device is shared among the Junos kernel, many Junos daemons, and some ephemeral utilitystyle tools launched on demand. The daemons and tools that come bundled with the Junos OS are considered part of the Junos OS platform. Junos SDK-built applications for the control plane resemble these daemons and tools. In fact, Juniper Networks employs the Junos SDK APIs internally when building these applications, which then become part of the common platform and Junos OS software bundle. The Junos SDK provides the Routing Engine SDK (RE SDK) APIs and tools to build applications to extend the control plane software on the RE. Because an RE is always present in any device, RE SDK-based applications are always deployable without the addition of any extra hardware or software. On the control plane, the Junos kernel and many Junos daemons expose APIs so that other processes can programmatically manipulate their states and make use of their services in a dynamic way. The daemons that control the Junos user interface also allow for programmatic and seamless extensibility of the user interface. New applications added to a device can thus be configured and administered in the same ways as the Junos OS platform applications. The Data Plane The data plane spans many aspects of a devices chassis and its modules. It is collectively referred to and abstracted as the Packet Forwarding Engine (PFE) and is comprised of ASIC-based hardware and Junos OS microcode that performs packet processing that is generally stateless. Aiming to perform at fast wire speeds and within its hardware resource limits, the PFE generally delegates stateful packet processing to the services plane. The data planes chief role is forwarding traffic according to the forwarding table, which is primarily formed through the routing control service on the control plane. The data planes main extended abilities include switching, filtering, rate limiting, shaping, and other quality-of-service (QoS) functions. These functions are originally controlled in software on the control plane, and much of that software exposes APIs. Today, Junos SDK applications do not run in the data plane, but an application running on the control plane or the services plane can certainly influence packet processing in the data plane by using APIs. Fortunately for application developers, the details of data plane hardware are abstracted out in APIs that are common across hardware platforms. Some APIs enable
use of features unique to specific hardware platforms. The Services Plane The services plane can be thought of as an extension to the data plane to perform stateful services and any services nonnative to the PFE. A classic example of a Junos service application is the stateful firewall. In traditional forwarding devices, the data plane usually handles most of the packet processing, and the services plane runs on optionally installable and hot-swappable hardware, which we generically name services modules. These contain one or more service processing engines, which connect to the PFE at speeds up to 10 Gbps (circa 2010 hardware). The services plane includes all services modules and engines in a chassis, and a given service application can be deployed on more than one engine or module. In security- and service-oriented devices, the services plane is the primary packet processor, and the data plane merely connects a chassis mostly full of services modules. While these devices can perform forwarding, they are intended to service traffic in stateful ways implemented in software running on the service engines across the services modules. This focus contrasts with the devices mentioned above that are purpose built to forward packets in hardware, but the services modules are similar, and the Junos SDK supports a common model for service application development in either case. Each service engine runs a Junos OS kernel with real-time processing capabilities. The kernel is essentially the same as the one present on an RE, but far fewer and different daemons run, since the service engine is geared towards servicing tasks instead of the general device management done on the RE. Also, the hardware resources differ greatly from those on the RE. Each service engine consists of a multiprocessing, multithreaded CPU and more memory than the typical RE, so that the software-based services can quickly process packets in parallel and maintain a large amount of state. The Services SDK encompasses the APIs and tools to build applications to run on the service engines. Copyright 2011, Juniper Networks, Inc. 3
Creating Innovative Embedded Applications in the Network with the Junos SDK The Junos kernel on a services engine further logically divides packet handling for applications in two sub-planes. Its services plane (data plane extension) is for fast customized transit traffic processing. Its control plane is for traffic termination with the kernels IP stack. The control side here is used to send or terminate traffic, as can be done on the RE or any usual host system. The control subplane inside a service engine can be used to run a control-plane-style application that would normally run on the RE. Such components frequently implement a server or signaling to communicate outside the device or simply to other components on the RE. Co-location of such a control-plane-style component with a service-plane-style component benefits many applications because the two components can share memory and information more easily and with greater performance. Applications in the services sub-plane of a service engine can take on two roles involving inline packet processing: transforming and monitoring. Transforming applications have access to any traffic flowing through the PFE that is selected for servicing at the given service engine. They can modify, drop, hold, and create entire IP packets. Sending and receiving this service traffic by using Services SDK packet-processing APIs happens in parallel and much more quickly than it would in a program using traditional sockets. Monitoring applications work similarly, but the packets they receive are duplicates of some traffic originally transiting the PFE. The original traffic is not impacted or serviced in this case, hence the term monitoring. A hybrid application can differentiate and deal with both original and duplicated packets. Another kind of hybrid application, namely a gateway, may combine a server or signaling control plane component with a transforming or monitoring services plane component. Many familiar service applications, such as IPsec, work with both styles of components.
Integrated Hardware
An application built with the Junos SDK can run on either a routing engine (RE) or a services module. On some of the smaller Juniper Networks devices, physical modules do not plug in to a chassis. Rather, a single enclosure contains the hardware necessary to run a built-in control, data, and services plane. Nonetheless, applications still are supported in the control and services planes, and we continue to use the routing engine and services module terminology.
Traffic Types
As applications take on different roles working in either the control or services plane, they deal with two different traffic types. Control traffic is dealt with on the control plane. This traffic is either entirely internal to the device (e.g., inter-process
communication), or it is traffic that is destined to or sourced from an address of the device. Most addresses configured on the device belong to the master RE. For example, all addresses configured on network interfaces for I/O ports and the loopback interface pertain to the RE, so control traffic destined to those addresses is forwarded to the master RE and handled there. The Junos OS also allows the configuration of addresses on interfaces representing a service engine. Traffic destined to those addresses is forwarded to and handled on the given service engines control sub-plane. Data traffic flows through the data plane. That which is related to any Junos SDK-built application is the data traffic selected for servicing or monitoring. This is the traffic seen in the services plane handled by transforming or monitoring applications. Data traffic would naturally flow through the PFE as transit traffic, but by special mechanisms it can be selected for steering through the service engines services plane. Upon exit, it is rerouted and filtered in the PFE as if it were entering the device from any I/O interface. 4 Copyright 2011, Juniper Networks, Inc.
Creating Innovative Embedded Applications in the Network with the Junos SDK Built with the Routing Engines Control Plane Built with the RE SDK RE SDK Application(s) User interface extensions Local control tra c Internal control tra c Non-serviced (transit) data Packet Forwarding Engine Data Plane tra c Ingress Tra c I/O Service Engine Service Plane Egress I/O Tra c Modules Service Modules application Services (data) plane Control Plane Local control tra c addressed to service module Serviced (transit) data tra c Built with the Services SDK Figure 1. Architecture summary and traffic paths
Familiar Basics
Given that the basis of the Junos kernel comes from the FreeBSD UNIX operating system, most C and C++ UNIX developers are familiar with the API basics in the Junos SDK: the POSIX APIs, POSIX threads, the C standard library (libc), the C++ standard template library (STL), socket programming, and syslog. Developers using the Junos SDK can immediately
take advantage of this knowledge, or even reuse existing code developed to these common standards. Third-party libraries of custom utilities that are not already packaged in the Junos SDK are generally quick to port and use during application development as well. One different but basic concept present in the Junos OS for which the Junos SDK provides APIs is that of routing instances. These are analogous to virtual routers. Communication using sockets is enhanced by optional tying of the socket to a routing instance. Routing instances normally are configured by the operator, but an internal instance also is reserved for all Junos SDK-built applications to use for their own IP socket-based inter-process communication (IPC). The Junos SDK provides an IPC library of APIs that uses these features for internal control traffic. It facilitates IPC on the RE and service engines, or between them, without the need for IP addressing. Because this library automatically uses the internal routing instance reserved for new applications, using it means that these applications cannot interfere with the Junos OS platform softwares IPC and other traffic in the device. Applications also benefit from the inherent security of the internal routing instance: no connections from outside the machine can be made to these sockets.
Creating Innovative Embedded Applications in the Network with the Junos SDK The interfaces that manage service engines can also be paired up in a redundant configuration. In such a mode, the redundancy state and properties are entirely retrievable, and applications can listen for state changes such as switchovers. In addition, all of the per-interface traffic and error statistics for local and transit traffic typically are accessed through the Junos UI. RE SDK APIs, however, allow for an application to retrieve these interface statistics programmatically.
Junos OS to Junos Space Device Management Interface. All interfaces but SNMP function in either an operational or a configuration mode. Commands issued in the operational mode upgrade software, trigger events, or most often show status and statistics to allow inspection of the systems operation. Commands issued in the configuration mode modify the configuration database, which is persistent across reboots. The syntax for the user interface commands follows a predefined hierarchical schema that can be extended with the addition of RE-based applications packages. The RE SDK provides a simple language to facilitate extending the schema for new operational commands. It allows defining the syntax for commands and registering a new application as the handler. When the application receives a command, it may want to return some resultant data. This return is facilitated by another new language used to define the structure and display format of an XML response. You can extend the schema for the hierarchy of object nodes in the configuration database. This capability allows the operator to configure an RE SDK-built application with new syntax through any one of the Junos user interfaces. The same language used to create new operational commands allows defining new configuration syntax for objects. It can also designate points within the configuration database that, if present, require an application to be run, or if changed, require an application to be notified. Through Junos SDK APIs, applications have read-only access to the configuration database. These APIs provide easy ways to detect specific configuration additions, changes, or deletions, so applications can modify their behavior accordingly. Write access to the configuration database and the ability to call configuration commands are not achieved through APIs. These capabilities are left under the operators control, but with Junos scripting, the operator can run operational scripts to execute commands and configuration changes. When an operator grants such a script executable permissions, it becomes executable from an RE SDK-built application as well. Thus an application can effectively manipulate any aspect of the Junos system that is exposed through the Junos user interface. 6 Copyright 2011, Juniper Networks, Inc.
Creating Innovative Embedded Applications in the Network with the Junos SDK
from the kernel to the queues polled by the user-space application. Since there are many real-time threads, each with its own queue to poll for packets, the system needs to decide how to distribute received packets among the many queues. This configurable property can be set one of two ways: round robin, or flow affinity. The round robin method distributes the packets evenly, cycling through the queues and back again continuously. The flow affinity method ensures that packets of the same flow, or actually the same 3- or 5-tuple, always are distributed to the same queue and hence to the same thread. The tuple defined for a flow usually consists of the protocol, along with source and destination IP addresses, and optionally source and destination ports. Real-time threads can be created with API extensions added to the normal POSIX thread library, but other Services SDK APIs simplify this task even further to create and start the threads along with matching packet queues. Each real-time thread runs without preemption on what we call a virtual CPU because the software thread is exclusively bound to a single hardware thread of the underlying multi-processing CPU. While these threads are necessary for the packet loops, the Services SDK also provides APIs allowing the creation of threads for generic real-time processing just as easily. Although the POSIX thread-locking structures are available, real-time threads benefit more from the use of spinlocks and atomic operations. The Services SDK provides simple APIs for both, optimized for the service engine environment. Once an application holds a packet, it may use a comprehensive suite of APIs to access or change its metadata or actual content. The metadata, for example, contains information such as the ingress interface and modifiable parameters such as the interface or the routing instance to which the packet should be sent back when it exits the service engine. The entire packet content is available, starting from the layer 3 (IP) header. APIs would be used to, for example, rewrite bytes 20 through 40 of a packet, or to find out if a packet is original data traffic or if it has been duplicated for monitoring. If the application needs to do accurate time-based calculations for packet events, it may make use of precise hardware timestamping APIs to read a cycle count from the current CPU, or to read the time at which the hardware received the packet. Copyright 2011, Juniper Networks, Inc. 7
Creating Innovative Embedded Applications in the Network with the Junos SDK
benefits from the intrinsic security of the existing process. When the software package originates from a third party, this process demands explicit configured authorization of the software provider. This authorization is verified in an administratorcontrolled list of third-party providers. Naturally, the active system operator, if not an administrator, must have been granted permission to perform any software installations. The Junos operating system further guarantees software authenticity during installation, but also every time any process is launched. This mechanism safeguards genuineness, tamper resistance, and trustworthiness of the source using wellknown public-key cryptography techniques involving the certification of the provider and a provider-generated signature that is not forgeable. Certification of third-party providers is securely controlled by Juniper Networks, while tools in the Junos SDK make for an uncomplicated process for a partner. Furthermore, signatures are generated and incorporated into the software package along with the certificate automatically during the package build process. Once an application has been authorized and authenticated successfully, it is executed in a non-root user-space resourcecontrolled environment managed by the Junos OS. The kernel provides each process with the familiar protected memory environment, while ensuring that the process acts within policy-defined resource and access limits. These limits are controlled on several levels: limits global to the operating system, those that are provider-specific, those configured by the operator, and those imposed by the application developer. The most restrictive values over all levels are applied. They can control features such as the familiar UNIX rlimits and access to certain APIs and system calls, and they can give certain permissions normally associated with the root user. These mechanisms provide sensible assurances about Junos SDK-built software. Such programs cannot directly interfere or cause harm to the native Junos OS software or other third party software. An application can, however, make changes with wide-ranging impacts on the device operation. For example, you must take great care when wielding the power of routing and filtering, so that resulting changes are in accordance with the expectations of the operator. 8 Copyright 2011, Juniper Networks, Inc.
Creating Innovative Embedded Applications in the Network with the Junos SDK
pick up where it formerly left off. Furthermore, in the context of a single RE, if an application is restarted for any reason, it can equally resume its previous state if desired. Finally, the service engines themselves also support a mirrored redundant configuration. Rapid switchover behavior is all the more critical to mitigate packet loss, so applications installed on service engines can be augmented to support hot standby. As when running an application on two REs simultaneously, applications can use the same APIs to replicate state from the master to the backup.
Creating Innovative Embedded Applications in the Network with the Junos SDK Second, once the service software starts on a service engine, to the software must be configured with policies to apply, and it may want eventually to report back information through the Junos UI. Policies in this context are simply the configuration pertaining to the service application, especially its packet processing. The model used to achieve the coordination of policy and reporting is to have a central management component (daemon) on the REs control plane. This daemon coordinates multiple software instances in the case of multiple service engines, and it handles RE-specific functionality such as loading custom configuration and processing changes. It also communicates the relevant policy information to the corresponding service applications connecting to it. Communication can flow in the other direction as well if a service application, for example, wanted to send statistics for eventual display in response to an operational command. Third, the management component optionally controls the data plane to steer packets to the services plane for servicing on service engines. We examine three of several approaches to doing so. These approaches are actually only pertinent to forwarding-oriented devices, where the service plane is optional. In security- and service-oriented devices, the services plane is always in the packet processing path, so no steering is implicit. Routes are the simplest steering approach. A route to a service engine is a route like any other, containing a prefix against which to match and a next hop; but the next hop is an interface managing a service engine, as opposed to an external address. Once this route is installed in the forwarding table, packets matching it are redirected to the service engine. Variants on basic routing are also possible. For example, equal-cost multipath routing and filter-based forwarding are both interesting options that can include routes to service engines. Routes can also be controlled programmatically with the Junos SDKs APIs. The second option is to create and apply service sets to network interfaces on ingress or egress. A service set is a conglomeration of an identifier, one or more services policies to be applied, and a service engine to which to redirect packets for servicing. When a service set is applied to an interface, the data plane selects packets flowing through that interface as part of the service set, and accordingly steers them to the specified service engine for servicing. The service application can retrieve and correlate a packets service set identifier in order to apply the correct policy configured in the service set. When traffic is selected for servicing at a network interface, the service set is said to be an interface-style service set. Other service set styles are equally useful for steering data traffic to the service engine, but this style in particular allows the traffic
to be filtered so that only a subset of the traffic is steered towards the service engine for servicing. This filtering is done with service filters based on Junos stateless firewall filters. A third option uses the Junos OS sampling framework. This feature of the PFE duplicates packets according to a configured frequency and sample length. All packets that enter the PFEs sampling engine do so as a result of the application of a stateless firewall filter. These duplicate packets typically are steered to a service engine for service processing. Given that the original packet is forwarded without impact and is not modifiable by the service, sampling is well suited to monitoringstyle services. Service sets can also be combined with sampling when a service chain is needed, as described in the next section. These options, in combination with other Junos features, make for a large array of possibilities in the design of a service solution.