Machine Problem 2

Introduction

Standard firewalls are not effective at blocking several types of low-priority traffic because they only examine the Source Address, Destination Address, Ports, and Proto fields of the IP header. This however, does not give enough information to block all Napster and SPAM traffic. Some Napster users switched to the standard web port 80 in order to bypass firewalls. SPAM still flows through the email port 25. In this lab, you will upgrade your firewall to drop packets based on the content of their payload. This assignment builds upon the first Machine Problem to allow for filtering both on header and payload data.

Background: Content Matching Module

A module has been developed that scans packets for regular expressions in FPGA hardware and reports which content matches. This module performs regular expression matching on each phrase defined by the phrase lists, which is done in parallel. The packet is held in a buffer until the content match operation completes. The match result is returned as an 8 bit vector that is set along with start of frame (SOF) output. This module uses the nearly the same output interface as the protocol wrappers, and so inserting the 'regex_app' module between the protocol wrappers and MP1 should be almost transparent. The one enhancement to the interface is the 8 bit content match vector, which is described in more detail in the following section.

Background: The Content Match Vector

A set of phrase lists has been compiled to categorize traffic into eight classifications. The content matching module uses the phrase list definitions shown below:

• General Spam (Bit 0)
  • "amazing"
  • "CALL NOW"
  • "Limited Time Offer"
  
  
• Save Money SPAM (Bit 1)
  • "Consolidate"
  • "full refund"
  
  
• Fast Money SPAM (Bit 2)
  • "MAKE MONEY FAST"
  • "Work from home"
  
  
• Chains and Forwards (Bit 3)
  • "Read this"
  • "FWD"
  
  
• Jokes (Bit 4)
  • "Joke"
  • "walks into bar"
  
  
• Work List (Bit 5)
  • "Homework"
  • "Machine Problem"
  • "CS536"
  • "Lockwood"
  • "Washington University"
  
  
• Personal List (Bit 6)
  • "Mom"
  • "Dad"
  • "Call Home"
  
  
• Urgent (Bit 7)
  • "Urgent"
  • "Emergency"
  
  

If one of the above phrases is found anywhere in the payload, then the corresponding bit of the content match vector will be set to one. A zero indicates that none of the phrases were found. Multiple bits in the vector can be set if the content contains phrases from multiple lists. The vector is only valid on the clock cycle that start of frame (SOF) signal is asserted.

Background: The Updated CAM Filter

A decision to drop the packet can be made using results from any combination of header and payload matching results. The CAM registers will need to be updated to include the match vector.

The UDP control packets will include additional fields for the match vector.

Directions:

• Part 1: Structural Changes to "wrapper_module.vhd"
  • Download the new MP2 distribution, and extract the files. If you had previously download the MP2 distribution (without syn/wrapper_app.sdc) than you can patch your distibution by extracting the patch files into the syn directory and overwriting wrapper_app.prj. You will need to synthesize and build your design with the new "patched" distribution. This patch fixes an issue with built circuits not returning cells by forcing the FPGA to us 24mA pads for quicker Regex_app was updated on 9/26/02. You will need to replace regex_app_sim.vhd and regex_app.edn to properly simulate and build your design. The tarball contains most of the files from MP1 and the 'regex' module, but the file "wrapper_app.vhd" has not been included. You will need to copy your "wrapper_app.vhd" from MP1.
  • Add a new component declaration for the regex module. The interface for the entity is given in "regex_app_sim.vhd".
  • Instantiate the regex component. Create any wire signals necessary to connect the interfaces for the udp_wrappers, wrapper_app, and regex. See Figure 1 for assistance.
  
  
• Part 2: Update the CAMs
  • Update the CAM registers to support the content matching vector.
  • Be sure to flop the match vector before using it.
  
  
• Part 3: Demonstrate the SPAM Filter
  • Generate (1) control packet and (2) test packets to check your answer to Problem 2 from Homework 2. One test packet should be dropped, and the other should be transmitted.
  • Use the iptestbench to create the test packets and control packet:
    • Modify INPUT_CELLS.TBP in the sim directory.
      You might find the ASCII-to-hex converter on the class website to be helpful.
    • Run:   make input_cells   from cygwin
    • Edit INPUT_CELLS.DAT to insert wait_10 (intra-packet) and wait_100 (inter-packet) statements between cells. This will make the waveforms much easier to read.
  • Run the simulation and save waveforms showing the TTL and payload of the outgoing test packets. You should submit the waveforms and the .TBP file.
  • Do the same for Problem 3 from Homework 2.
  • Synthesize your circuit and generate the bitfile. Upload your bitfile to the CS536 batch test server.

   

Table 1: Symbol Key

Of Interest	Modify	Synthesizable

Table 2: Contents of MP2.tar.gz

	FireWall/sim/ Simulation Folder
		/testbench/
			testbench.vhd	The testbench for this FPX module.
			clock.vhd	The clock for this FPX module.
			fake_NID_in.vhd	The fake input from the NID
			fake_NID_out.vhd	The fake output from the NID
		INPUT_CELLS.TBP		Testbench Script for generating the incoming IP packets.
		testbench.do		The Modelsim macro files.
		wave.do		Another Modelsim macro files.
		Makefile		Example make file used to automate compilation and simulation
	FireWall/syn/ Synthesis Folder
		/rad-xcv2000e/
			fpx.ucf	The FPGA chip pin constraints file
			bitgen.ut	The BITGEN option file.
			build	The backend script for executing the Xilinx backend tools
			*.edn	The EDIF Macro files for synthesis with the Xilinx backend tools.
		wrapper_app.prj		The project files for Synplicity Pro. It tells Synplicity Pro which vhdl files should be included for synthesis.
		Makefile		Example make file used to automate synthesis
	FireWall/vhdl/ VHDL Source Folder
		wrappers/
			cellproc_sim.vhd	The vhdl file for simulating the Cell Processor.
			frameproc_sim.vhd	The vhdl file for simulating the Frame Processor.
			ipproc_sim.vhd	The vhdl file for simulating the IP Processor.
			udpproc_sim.vhd	The vhdl file for simulating the UDP Processor.
			framewrapper.vhd	The vhdl file for the Frame Wrapper. It instantiates the Cell Processor and the Frame Processor and connects them together.
			ipwrapper.vhd	The vhdl file for the IP Wrapper. It instantiates the Frame Wrapper and the IP Processor and connects them together.
			udpwrapper.vhd	The vhdl file for the UDP Wrapper. It instantiates the IP Wrapper and the UDP Processor and connects them together.
		/rad_loopback/ The Rad_Loopback Package Folder
			blink.vhd	he vhdl file for the blink component. It controls the blinking of the LED on the FPX.
			loopback_module.vhd	The vhdl file for the loopback_module that is instantiated by the rad_loopback_core
			rad_loopback_core.vhd	The vhdl file for the rad_loopback_core component. It instantiates the wrapper_module at the ingress and the loopback_module at the egress.
			rad_loopback.vhd	The vhdl file for the top-level design of the rad_loopback.
		regex_app_sim.vhd		The vhdl file for simulating the Content Matching Module.  Use this file to copy the regex_app interface.
		wrapper_module.vhd		The vhdl file for the FireWall_module.
		<wrapper_app.vhd>		The vhdl file for the FireWall_module. This needs to be copied from MP1.

Things to Turn In:

Here is a checklist of the things you need to turn in:

• Part 1: Structural Changes to wrapper_module.vhd
  • Turn the following vhdl source code:
    • wrapper_module.vhd (12pts)
• Part 2: Update the CAMs
  • Turn the following vhdl source code:
    • wrapper_app.vhd (12pts)
• Part 3: Demonstrate the SPAM Filter
  • Turn in simulation files showing that your circuit functions correctly:
    • Homework 2, Problem 2:
      • One transmitted packet
        Name=p2_txpacket.ps (3pts)
      • One dropped packet
        Name=p2_dropped.ps (3pts)
      • The .TBP iptestbench file
        Name=p2_input.TBP (4pts)
    • Homework 2, Problem 3:
      • One transmitted packet
        Name=p3_txpacket.ps (3pts)
      • One dropped packet
        Name=p3_dropped.ps (3pts)
      • The .TBP iptestbench file
        Name=p3_input.TBP (4pts)
  • Synthesize the firewall
    • Extract resources used section of the mapping report. (wrapper_app.par in the syn directory) (1pt)
    • Extract timing in MHz from the timing report. (wrapper_app.twr in syn directory) (1pt)
  • Test your bitfile on the CS536 test server. (29pts)
• Submit your waveforms, the .TBP files, wrapper_module.vhd, wrapper_app.vhd, and a timing summary to the Electronic Homework Server.