Machine Problem 1

Introduction

The FPX provides simple and fast mechanisms to process cells or packets directly in hardware. By performing all computations in FPGA hardware, cells and packets can be processed at the full line speed of the card [currently 2.4 Gbits/sec].

Your goal in this problem is to implement a simple firewall that filters datagram packets according to the destination IP address.  Secondary goals include familiarization with the suite of CAD tools used in FPGA design such as ModelSim for simulation/verification, Simplify for synthesis, and the Xilinx backend tools for place and route and critical path information.  If you have not previously used these tools please take the time during this short machine problem to familiarize yourself with these tools and ask questions about their use.  A couple hours investigating the tools will save you considerable time in the future.  The TA's are available to answer CAD tools problems and may be able to show you aspects of the program to increase your productivity.

This circuit will be implemented as a module on the FPX. It instantiates the Layered Protocol Wrappers, which takes ATM Cells from the RAD and implements the firewall application with IP control signals and TCP/IP payload, and selectively forwards the packet based on the destination IP address. An extension to the machine problem uses CAMs to selectively forward packets based on source IP, destination IP, source port, destination port, and protocol. In this machine problem packets are dropped by setting the TTL field in the header of the packet to zero.

Background: Layered Protocol Wrappers

The Layered Protocol Wrappers are used to streamline and simplify the networking functions to process ATM cells, AAL5 frames, IP packets and UDP datagrams directly in hardware. It is a layered design and consists of different processing circuits in each layer. The block diagram of the Layered Protocol Wrappers is shown in Figure 1. At the lowest level, the Cell Processor processes raw ATM cells between network interfaces. At the higher levels, the Frame Processor processes variable length AAL5 frames while the IP Processor processes IP packets. At the user level, the UDP Processor transmits and receives UDP messages. Different layers of abstraction are important for networks because they allow application to be implemented at a level where important details are exposed and irrelevant details are hidden. This way, an application that interacts with IP packets or an application that interacts with UDP messages can equally use the Layered Protocol Wrappers effectively. Similar to the network stack on a PC the wrapper's each level of abstraction maintains state by using headers as shown in Figure 2.  Specifically in this problem the IP Header is of interest and the source IP address field of the header.

Background: The IP Wrapper

Each circuit in the Layered Protocol Wrappers can be used separately. Also, multiple circuits can be connected together to form a high level wrapper. For example, the Frame Wrapper is formed by connecting the Cell Processor and the Frame Processor together; the IP Wrapper is formed by connecting the Frame Wrapper and the IP Processor together; and the UDP Wrapper is formed by connecting the IP Wrapper and the UDP Processor together. For this assignment, the IP Wrapper will be used to encapsulate the data sent and received between the RAD and the simple firewall application. The block diagram of the application module is shown in Figure 3.

Background: The CAM Filter

Firewalls can decide when to drop packets by comparing the packet header to a range of addresses.  Content Addressable Memory (CAM) is one method of implementing a fast, parallel lookup table.  In this machine problem you will implement a CAM table lookup by comparing select fields from the packet header (Src IP, Dest IP, Src Port, Dest Port, and Proto) to  CAM_VALUE and CAM_MASK pairs, as shown below.  If the packet header matches either CAM entries (with a result of all ones), then the packet should be dropped.  (Assume that mask bits that are zero are "don't care" bits) 

Figure 4: Diagram of the CAM Lookup Circuit

The application will be programmed by UDP control packets, which will be sent to a fixed Destination IP (192.168.30.13) and Port (800).  Control packets contain CAM_VALUE and CAM_MASK pairs that you will need to store so that you can dynamically program the lookup table.

Figure 5: UDP Control Packet

Directions:

• Part 1: Build a Static Firewall
  • Download the MP1 distribution, and extract the files.  A description of the files and the directory structure is provided below in Table 2.
  • Start Modelsim and run a simulation of the provided pass-through circuit.  Export a simulation waveform as a Postscript file (.PS) that shows a packet entering and leaving the circuit unmodified (do this by choosing 'Print Postscript', then specify a filename).
  • Modify the circuit so that packets with Destination IP of 128.252.153 using a netmask of 255.255.255.0 will be "dropped."  Implement the "drop" by setting the TTL field to zero (0x00). 
  • Export simulation waveforms to show that the packets to that subnet are now being dropped.  Create a text file with a description of the important events shown by your waveforms such as the value of the TTL field when the packet enters and leaves the wrapper_app.  Comment your code to describe how your circuit operates.
• Part 2: Package (4) Writeable 104 bit Registers
  • Instantiate (5) 104 bit std_logic_vectors, (2 for CAM values; 2 for CAM masks; and 1 to buffer the Src IP, Dest IP, Src Port/Dest Port, and Proto fields).
  • Packets with a Destination IP of 192.168.30.13 on Port 800 will be treated as control packets.  Modify your circuit to set CAM_VALUE_1, CAM_VALUE_2, CAM_MASK_1, and CAM_MASK_2 whenever a control packet is received (see Figure 5). 
  • Simulate your circuit to verify that the CAM registers are properly set.
• Part 3:  Create a Dynamic Firewall using CAMs
  • Using the registers from Part 2 implement the CAM lookup function that will make the drop decision (See Figure 4). 
  • Export simulation waveforms to show that the packets are being dropped according to the CAM rules.  Be sure to describe the important events shown by the waveforms during the CAM comparison.  Comment your code to describe how your circuit operates.
  • Use the Synthesis tools, as discussed in lecture, to generate a bit file of your design.  You can test this bit file from the class NCHARGE website at http://fpx2.arl.wustl.edu/cs536

   

Table 1: Symbol Key

Of Interest	Modify	Synthesizable

Table 2: Contents of MP1.tar.gz

	FireWall/sim/ Simulation Folder
		/testbench/
			testbench.vhd	The testbench for this FPX module.
			clock.vhd	The clock for this FPX module.
			fake_NID_in.vhd	The fake input from the NID
			fake_NID_out.vhd	The fake output from the NID
		INPUT_CELLS.DAT		The input files read by the testbench. Modify this file so that the desired data input is being injected into the RAD
		LC_CELLSOUT.DAT		The output files from the ingress. Because the FireWall_module is instantiated at the ingress, the output data is modified by the FireWall_module. Look at this file to check if the FireWall_module is actually blocking unwanted packets. (Only present after running simulation)
		testbench.do		The Modelsim macro files.
		Makefile		Example make file used to automate compilation and simulation
	FireWall/syn/ Synthesis Folder
		/rad-xcv2000e/
			fpx.ucf	The FPGA chip pin constraints file
			bitgen.ut	The BITGEN option file.
			build	The backend script for executing the Xilinx backend tools
			*.edn	The EDIF Macro files for synthesis with the Xilinx backend tools.
		wrapper_app.prj		The project files for Synplicity Pro. It tells Synplicity Pro which vhdl files should be included for synthesis.
		Makefile		Example make file used to automate synthesis
	FireWall/vhdl/ VHDL Source Folder
		FireWall/wrappers/
			cellproc_sim.vhd	The vhdl file for simulating the Cell Processor.
			frameproc_sim.vhd	The vhdl file for simulating the Frame Processor.
			ipproc_sim.vhd	The vhdl file for simulating the IP Processor.
			udpproc_sim.vhd	The vhdl file for simulating the UDP Processor.
			framewrapper.vhd	The vhdl file for the Frame Wrapper. It instantiates the Cell Processor and the Frame Processor and connects them together.
			ipwrapper.vhd	The vhdl file for the IP Wrapper. It instantiates the Frame Wrapper and the IP Processor and connects them together.
			udpwrapper.vhd	The vhdl file for the UDP Wrapper. It instantiates the IP Wrapper and the UDP Processor and connects them together.
		/rad_loopback/ The Rad_Loopback Package Folder
			blink.vhd	he vhdl file for the blink component. It controls the blinking of the LED on the FPX.
			loopback_module.vhd	The vhdl file for the loopback_module that is instantiated by the rad_loopback_core
			rad_loopback_core.vhd	The vhdl file for the rad_loopback_core component. It instantiates the wrapper_module at the ingress and the loopback_module at the egress.
			rad_loopback.vhd	The vhdl file for the top-level design of the rad_loopback.
		wrapper_app.vhd		The vhdl file for the FireWall. Modify this file to selectively pass packets based on IP source address..
		wrapper_module.vhd		The vhdl file for the FireWall_module.

Things to Turn In:

Here is a checklist of the things you need to turn in:

• Part 1: Static Firewall 
  • Turn the following vhdl source code:
    • wrapper_app.vhd (rename to wrapper_app_part1.vhd) ( 4 pts)
  • Turn in waveforms showing that your circuit functions correctly:
    • One transmitted packet (d_in and d_out showing the ttl)
      Name=txpacket.ps ( 4 pts)
    • One dropped packet
      Name=dropped.ps ( 4 pts)
• Part 2: Designing the firewall application
  • Verify that CAM registers are properly set (Nothing to submit).
• Part 3: Synthesizing the firewall
  • Turn the following vhdl source code:
    • wrapper_app.vhd ( 16 pts)
  • Turn in waveforms showing that your circuit functions correctly:
    • One transmitted packet
      Name=firewall_txpacket.ps( 4 pts)
    • One dropped packet
      Name=firewall_dropped.ps( 4 pts)
  • Synthesize the firewall
    • Extract resources used section of the mapping report. (wrapper_app.par in the syn directory) ( 2 pts)
    • Extract timing in Mhz from the timing report. (wrapper_app.twr in syn directory) ( 2 pts)
• Submit your synthesized bit file, the requested waveforms, waveform descriptions, and the 'wrapper_app.vhd' to the Electronic Homework Server. ( 35 pts)