VPP/HostStack/SessionLayerArchitecture

From fd.io

Session Layer Architecture

Session API Diagram

TBD: walk through

Session Namespaces

To constrain the range of communication, applications are expected to provide, at attachment time, the namespace they belong to and that namespace's secret. Namespaces are configured in advance and independently of applications, and they associate applications with network-layer resources such as interfaces and FIB tables; this is how the source IPs an application may use and the scope of its routing are restricted. Applications that request no namespace are assigned to the default namespace, which in turn uses the default FIB and, by default, has no secret configured, so any application that does not supply a secret can attach to it.

Multiple namespaces can share a FIB table, in which case local inter-namespace communication uses shared-memory FIFOs. If the namespaces use different FIB tables, communication can only be established after IP routing, and only if FIB-table/VRF leaking is configured; shared-memory communication is not possible in that case. Note also that when a sw_if_index is provided for a namespace, zero-IP (INADDR_ANY) binds are converted into binds to the requested interface.

Session Tables

Applications can additionally specify the scope of their communication within a namespace: a session-layer local scope, as opposed to the global scope, which requires assistance from the transport and network layers. In local scope, shared-memory FIFOs (cut-through sessions) are used exclusively. Nonetheless, because of existing application idiosyncrasies, an INADDR_ANY (zero) local host IP address must still be provided in the session establishment messages.

This separation allowed us to define a form of session-layer ACLs, which we call session rules, whereby connections are allowed, denied, or redirected to applications. Local tables are namespace-specific and can be used for egress session/connection filtering, e.g., connects to a given IP or IP prefix plus port can be denied. Global tables are FIB-table-specific and can be used for ingress filtering, e.g., incoming connects to an IP/port can be allowed or dropped.

Session rules are implemented as a match-mask-action data structure that supports longest IP-prefix matching and port wildcarding.
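The following is an added example, not code from the fd.io page or from VPP itself: a small Python model of the match-mask-action semantics described above, with one namespace-local (egress) table and one FIB-scoped (ingress) table built from constructed sample rules. The tie-break order (longer prefixes first, then exact ports over wildcards), the use of port 0 as the wildcard, and the use of an integer app index to express a redirect are assumptions made for the illustration and are not a statement about how VPP orders its rules internally.

```python
"""Illustrative session-rules table: longest IP-prefix match, port wildcarding
and allow/deny/redirect actions.  Added example; not VPP's own code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

ANY_PORT = 0                    # assumed port wildcard (port 0 is not a real endpoint)
ALLOW, DENY = "allow", "deny"   # assumed: a redirect action is an int app index
Action = Union[str, int]


@dataclass(frozen=True)
class SessionRule:
    lcl: Network        # local ip prefix (the mask)
    lcl_port: int       # local port or ANY_PORT
    rmt: Network        # remote ip prefix (the mask)
    rmt_port: int       # remote port or ANY_PORT
    action: Action

    def key(self) -> Tuple[Network, int, Network, int]:
        return (self.lcl, self.lcl_port, self.rmt, self.rmt_port)

    def matches(self, lcl_ip: Address, lcl_port: int,
                rmt_ip: Address, rmt_port: int) -> bool:
        # `in` is False across address families, so v6 lookups never hit v4 rules
        if lcl_ip not in self.lcl or rmt_ip not in self.rmt:
            return False
        return (self.lcl_port in (ANY_PORT, lcl_port)
                and self.rmt_port in (ANY_PORT, rmt_port))

    def specificity(self) -> Tuple[int, int]:
        # Assumed ordering: longer prefixes win; among equal prefix lengths,
        # rules with exact ports beat rules with wildcarded ports.
        return (self.lcl.prefixlen + self.rmt.prefixlen,
                (self.lcl_port != ANY_PORT) + (self.rmt_port != ANY_PORT))


class SessionRulesTable:
    def __init__(self) -> None:
        self._rules: List[SessionRule] = []

    def add(self, lcl: str, lcl_port: int, rmt: str, rmt_port: int,
            action: Action) -> None:
        rule = SessionRule(ipaddress.ip_network(lcl), lcl_port,
                           ipaddress.ip_network(rmt), rmt_port, action)
        # Re-adding the same match/mask replaces its action instead of duplicating it.
        self._rules = [r for r in self._rules if r.key() != rule.key()]
        self._rules.append(rule)

    def lookup(self, lcl_ip: str, lcl_port: int,
               rmt_ip: str, rmt_port: int) -> Optional[Action]:
        """Action of the most specific matching rule, or None when nothing
        matches (the caller then falls through to the normal session lookup)."""
        lcl, rmt = ipaddress.ip_address(lcl_ip), ipaddress.ip_address(rmt_ip)
        best: Optional[SessionRule] = None
        for rule in self._rules:
            if rule.matches(lcl, lcl_port, rmt, rmt_port) and (
                    best is None or rule.specificity() > best.specificity()):
                best = rule
        return None if best is None else best.action


def build_local_table() -> SessionRulesTable:
    """Namespace-local (egress) table, constructed sample rules: connects to
    10.0.0.0/8 port 443 are denied except to 10.1.2.3, and connects to
    10.9.9.9:8080 are redirected to the application with index 5."""
    t = SessionRulesTable()
    t.add("0.0.0.0/0", ANY_PORT, "10.0.0.0/8", 443, DENY)
    t.add("0.0.0.0/0", ANY_PORT, "10.1.2.3/32", 443, ALLOW)
    t.add("0.0.0.0/0", ANY_PORT, "10.9.9.9/32", 8080, 5)
    return t


def build_global_table() -> SessionRulesTable:
    """FIB-scoped (ingress) table, constructed sample rules: incoming connects
    to local port 22 are dropped unless the peer is in 192.168.1.0/24."""
    t = SessionRulesTable()
    t.add("0.0.0.0/0", 22, "0.0.0.0/0", ANY_PORT, DENY)
    t.add("0.0.0.0/0", 22, "192.168.1.0/24", ANY_PORT, ALLOW)
    return t


if __name__ == "__main__":
    egress, ingress = build_local_table(), build_global_table()
    # Local-scope connects still carry a zero local ip, as noted above.
    print("connect 10.5.5.5:443  ->", egress.lookup("0.0.0.0", 0, "10.5.5.5", 443))
    print("connect 10.1.2.3:443  ->", egress.lookup("0.0.0.0", 0, "10.1.2.3", 443))
    print("connect 10.9.9.9:8080 ->", egress.lookup("0.0.0.0", 0, "10.9.9.9", 8080))
    print("accept 203.0.113.7 -> :22 ->", ingress.lookup("10.0.0.1", 22, "203.0.113.7", 40000))
    print("accept 192.168.1.20 -> :22 ->", ingress.lookup("10.0.0.1", 22, "192.168.1.20", 40000))
```

The egress lookup shows why the more specific /32 allow must outrank the /8 deny, and the ingress lookup shows the reverse pattern: a wildcard deny on the listener port with a narrower per-peer allow. A lookup that matches no rule returns None rather than an implicit allow, so the caller decides what the fall-through means.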

Session Closing State Machine

Session close state machine

Session Layer Startup Configuration

The configuration goes in VPP's startup.conf file, under the session stanza:

session { ... }

Parameter                              Description
-------------------------------------  ----------------------------------------------------------------
event-queue-length <nn>                Length (number of messages) of each VPP worker's message queue.
preallocated-sessions <nn>             Number of sessions to preallocate.
v4-session-table-buckets <nn>          Number of buckets for the IPv4 session bihash table.
v4-halfopen-table-buckets <nn>         Number of buckets for the IPv4 half-open session bihash table.
v4-session-table-memory <nn bytes>     Memory for the IPv4 session bihash table.
v4-halfopen-table-memory <nn bytes>    Memory for the IPv4 half-open session bihash table.
v6-session-table-buckets <nn>          Number of buckets for the IPv6 session bihash table.
v6-halfopen-table-buckets <nn>         Number of buckets for the IPv6 half-open session bihash table.
v6-session-table-memory <nn bytes>     Memory for the IPv6 session bihash table.
v6-halfopen-table-memory <nn bytes>    Memory for the IPv6 half-open session bihash table.
local-endpoints-table-buckets <nn>     Number of buckets for the local endpoints bihash table.
local-endpoints-table-memory <nn bytes> Memory for the local endpoints bihash table.
evt_qs_seg_size <nn bytes>             Size of the shared memory segment in which the workers' message queues are allocated.
segment-baseva <address>               Virtual address at which the session layer starts mapping shared memory segments.
use-app-socket-api                     Enable the session layer socket API. Per-app-namespace sockets are created under /var/run/vpp/app_ns_sockets/.
enable                                 Enable the session layer at VPP startup.
poll-main                              Poll the session queue node in the main thread when multiple workers are configured.
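An illustrative session stanza, added here as an example rather than taken from the fd.io page, that enables the session layer and its socket API and sizes the IPv4 and local-endpoint tables explicitly. The numeric values are arbitrary sizing choices for the illustration, not recommendations, and the memory sizes are written with the suffix form (e.g. 64m) that VPP's memory-size parser accepts:

```conf
session {
  enable
  use-app-socket-api
  event-queue-length 4096
  preallocated-sessions 10000
  v4-session-table-buckets 20000
  v4-session-table-memory 64m
  v4-halfopen-table-buckets 20000
  v4-halfopen-table-memory 64m
  local-endpoints-table-buckets 20000
  local-endpoints-table-memory 64m
  evt_qs_seg_size 64m
}
```

With use-app-socket-api set, the sockets under /var/run/vpp/app_ns_sockets/ are the path by which applications attach to a namespace, so the directory and socket permissions, together with the namespace secret, are what keep an unrelated local process from attaching to a namespace it should not reach.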