Packet Processing

As we discussed in the previous chapters, processing packets at wire speed imposes impractical constraints on general purpose CPUs, even with several multi-core CPUs combined. Just for the sake of demonstration, consider the case of a 1 Gbps Ethernet, running about 1 million packets per second. For each packet, clas-sifi cation based on complex parsing must be executed; for instance, getting the destination IP address, destination port, and in some cases, for some destination ports—also getting some fi eld in layer 7 Protocol Data Unit (PDU), at an offset

1Virtual LAN ( VLAN), Internet Protocol (IP) and Multi-Protocol Label Switching (MPLS) were described in Part 1 of the book, in the Networks chapter.

Packet Processing

CHAPTER

depending on the destination port. Then a search (or two) must be executed to retrieve a destination IP address and port; the search must be conducted among hundreds of thousands of possible addresses, and a longest (or best) prefi x match is desired. All these parsing and searching activities must take no more than 1 s, if we ignore packet modifi cation and forwarding processing time. How much work, in terms of CPU instructions and memory accesses, can be done in 1 s? Is one microsecond enough to carry all the work required by the tasks mentioned above for that packet processing? Now, what about 10 Gbps links? How much work can be done in, say, 50 ns?

Packet processing can be described in various ways, and often the same ter-minology is used to mean different things. Moreover, the trade press, the industry, and academic researchers not only use the terms in contradictory ways, but also categorize functions in different ways. In this chapter we examine three aspects of packet processing, focusing specifi cally on: tasks, path, and direction.

Packet processing tasks (or functions) include:

■ Framing.

■ Parsing and classifi cation.

■ Search, lookup, and forwarding.

■ Modifi cation.

■ Compression and encryption.

■ Queueing and traffi c management (measurement, policing and shaping).

Packet processing can follow one of two paths:

■ Data path (fast path).

■ Control path (slow path).

Packet processing can be discussed according to direction:

■ Ingress (entering the equipment or the network processor, from the network).

■ Egress (exiting the equipment or the network processor, to the network).

■ Combinations of Ingress and Egress.

As mentioned before, processing functions are separate tasks, each following the other. The process starts with the packet entering the network processor and immediately goes through framing, whose function is to make sure that the packet arrived correctly. (In the other direction, framing is the last task, and is targeted to ensure valid packet output.) The second phase is to parse and clas-sify the packet, which simply means that the network processor must under-stand what the packet is, what type it is, and then must classify it according to the application requirements. Usually for this classifi cation function, searching is required. Searching might also be required for other functions that the applica-tion dictates. The last funcapplica-tion that the network processor carries is the required modifi cation of the packet, which includes dropping the packet if required, multi-plying it, or altering its content as required. Finally, transmitting the packet usually

5.1 Introduction and Defi nitions 185

involves an extra function of queuing, prioritization, and traffi c management of the packet to make sure that the receiver can receive the transmitted packet at traffi c patterns that it expects. Queuing and traffi c management sometimes happens inside the network processors and sometimes happens outside the net-work processors. Optionally, compression and encryption tasks are utilities that packets sometimes undergo and usually they are done outside of the network processor, although there are some network processors that contain an embed-ded security functional unit.

The main processing functions are classifi cation of the packet (at real time or at wire speed), and searching for various values (e.g., next hop address) that correspond with some fi elds in the packets (e.g., IP address). These two func-tions have received extensive treatment in the industry, to the extent of purpose search engine coprocessors, and the development of parsing and classifi cation languages. Due to their importance, these two functions receive more attention in this chapter than the other packet processing functions, and are outlined below.

A general framework of the three primary aspects of packet processing is depicted in Figure 5.1 [278]. The packets enter from left, in the ingress direc-tion, and take either the slow path (through some kind of upper level process-ing, for example, updating routing tables of the network processor), or the fast path (going through the network processor functions of searching, modifi cation, etc.). The packets are then forwarded either to a switch fabric or to the network (line interface) again, in the egress direction. Ingress and egress directions will be described in more detail in the next section, as they are a bit more complicated than described here.

FIGURE 5.1

A general framework of packet processing

Slow Path Processing Host Processing Functions

Switch Fabric PHY

Layer

System Side Network Side

Modification

Parsing / Classification

Framing Search / Lookup

Fast Path Processing

Queuing

Compression / Encryption

Although we are discussing the processing of “packets” here, it is important to note the formal definitions and differences between datagrams, frames, and packets—terms that are sometimes used interchangeably. We already discussed it briefly in Section 2.3 of Chapter 2 and described in Figure 2.8.

RFC 1661 [387] provides good definitions:

Frame The unit of transmission at the data link layer. A frame may include a header and/or a trailer, along with some number of units of data.

Packet The basic unit of encapsulation, which is passed across the interface between the network layer and the data link layer.

A packet is usually mapped to a frame; the exceptions are when data link layer fragmentation is being performed, or when multiple packets are incorporated into a single frame.

Datagram The unit of transmission in the network layer (such as IP).

A datagram may be encapsulated in one or more packets passed to the data link layer.

In essence, “packet” is a generic term for data that travels independently in the network, and is limited in size. “Datagram” is the data unit that applications use, packed in packets. “Frames” are sometimes defi ned as packets understood by hard-ware. In network processing we actually talk about and process frames, as we start working at layer 2 (the data link layer), although what we mean here is packets (and eventually datagrams).

5.2 INGRESS AND EGRESS

Ingress and egress processing are not as clearly separated in the architectures of today’s network processors as they were in the past, although they still play an important role in some current network processors and equipment. The reason the categories can be regarded as fuzzy is that in some contemporary implementations of network processors, there is one processing direction, from packet input to its out-put (sometimes on the same interface), or there are no distinguishable elements that specifi cally target ingress or egress processing. However, the ability to separate ingress processing from egress processing in network processors is still very important if we want to be able to use network processors in various situations and equipment, that is, to be able to distinguish between packets coming from the line interfaces, on the way in, or from the switch fabric after some processing, on the way out.

Figure 5.2 outlines the basic implementation schemes of network processors, in order to understand the ingress and egress functions and importance. Figure 5.2(a) demonstrates a two-part equipment: in the fi rst part there are line cards for receiv-ing and transmittreceiv-ing packets to the network, while the second part is composed of switch fabric, service cards, and other forwarding and processing mechanisms that

5.2 Ingress and Egress 187

packets undergo internally. Figure 5.2(b) shows a plain in-line packet processing equipment that has one stage, and one direction of processing.²

Half-duplex processing, such as shown in Figure 5.2(a), can be done by two network processors, each dedicated to one of the directions, or it can be done by one network processor that works in both directions (such as shown in Figure 5.2(b), which is full-duplex processing). In half-duplex processing, we can dis-tinguish between functions that a network processor executes on packets when they are in the ingress path, or those it executes on the packets when they are on their way out to the line again (egress). In some network processors, there are separated paths and functions in the architectures for ingress and egress, and in others they are combined.

Now, going back to packet processing in terms of functions, we can distinguish between typical ingress tasks and typical egress tasks. Usually, ingress processing can include the following tasks [86]:

■ Error checking.

■ Security checking and decoding.

■ Classifi cation (or demultiplexing).

■ Traffi c management (measurement and policing).

■ Searching (usually address lookup).

■ Header manipulations.

■ Packet reassembly.

■ Packet prioritization and queueing.

■ Packet forwarding.

2Usually this kind of equipment comes in a “pizza box”-like packaging (form factor).

FIGURE 5.2

Network processors implementations PHY

Ingress Processing

PHY Egress Processing

PHY

Switch Service

Processing (a)

PHY Packet Processing

(b)