Cesnet Liberouter
  • Projects
  • Liberouter
  • Scampi
  • FlowMon
  • NIC
  • NIFIC
  • IDS
  • NetCOPE
  • VHDL design
  • System software
  • Testing
  • Formal verification
  • Netopeer
  • Documents
  • Our hardware
  • Card Availability
  • Our partners
Main page -> VHDL
NIFIC over NetCOPE
InfoHW sectionSW sectionAddr spaceVersions

Introduction

The NIFIC project is built over NetCOPE project. NetCOPE project creates a card independent abstract interface which is utilized by NIFIC.

NetCOPE based NIFIC utilizes a FrameLink protocol protocol for inter-component data transmisions. Thanks to its generic width data throughputs between components can be set as needed. There is also an extensive set of FrameLink tools which helped the effective development of this project.

NIFIC placement

NIFIC can be utilized in many high-speed networks where any of following is required:

  • Filtration of network traffic based on user rules
  • Hardware firewalls
  • Redirecting chosen traffic to honeypots
Nowadays we fully support 1 Gbps network speed.

Structure

The NIFIC design is divided into the two parts: interface card part and mother card part. The interface card contains Input GMII Buffer and Output GMII Buffer for data receiving/sending. The mother card part contains main NIFIC functions like packet analysis and filtering.

Both cards are conected through RocketIO utilizing Aurora for safe data transmition. See the detailed NIFIC architecture on the following figure.



NIFIC architecture

Data flow

Packet reception

Input packet stream is captured by IBUFs on interface card. Each IBUF sends captured packets over FrameLink bus to Binder, where a one wide data bus is created and sent to mother card over Aurora component.

Packet processing

All packet processing actions takes place on mother card. Captured packets are received from other side of Aurora and the data bus is splitted into 4 thiner data buses. Each packet is processed by Header Field Extractor. It extracts chosen protocol headers according to assembler program and sends them to UH FIFO. Packet itself is stored into Packet FIFO.

The headers in UH FIFO have a fixed structure according to specification. The specification itself is located in our internal repository. According to record in UH FIFO, the packet packet processing is decided in Look-up Processor.

Look-up Processor is a key komponent for packet filtering. It decides, according to user-defined rulest, what action should be taken for packet. Currently the packet can be:

  • Sent to 1 or more specified output interfaces
  • Exported to software
  • Discarded

Sending to software is provided by driver, which reads packet data from SW RXBUF. Packets sent from software are stored in SW TXBUF. Packets from SW TXBUF and received packet decided to be sent to output interface are binded into one wide data bus and transmitted to interface card (over Aurora again).

Packet transmition

According to Look-up Processor decision, received packets are sent to appropriate OBUFs and send back to Ethernet.

Debugging NIFIC

A set of FL_WATCH probes has been placed at strategic places in NIFIC design. Their function is to gather statistics about number of passed packets. You can easily gather these information with our software tools.

Main Page About Liberouter Team Mailing list SVN Contacts