Limitation
Overview
The key test, key match and IP match tests allow the application to define filters that match lists and ranges of, for example, IP addresses.
- The key test relies on user-defined key types and key definitions. A user-defined key can contain a combination of 16, 32, 64 and 128 bit fields from any protocol location. The key definition can apply a mask to each field, in effect defining fields of any size (up to 128 bits).
- The key match test can use an IPv4-address-size (32-bit) or IPv6-address-size (128-bit) field from any protocol location. Note: The key match test does not apply to NT200A02 running on the 2 × 40 Gbit/s FM image nor on the 8 × 10 Gbit/s FM image.
- The IP match test is hardwired to match IP source or destination addresses. Note: The IP match test does not apply to NT200A02 running on the 2 × 40 Gbit/s FM image nor on the 8 × 10 Gbit/s FM image.
Features
Functionality of the key test, key match and IP match function:
- Up to 15 sets of keys can be specified. Each key set is used for a specific key type, either a user-defined key type, IPv4-address-size fields or IPv6-address-size fields.
- Default key sets are reserved for IPv4 addresses (key set 1) and for IPv6 addresses (key set 2). Inner and outer IP addresses can be matched.
- Entries can be added to a key set as lists of exact values, or as wildcard values, using ranges or masks.
- Two values, for example source and destination addresses, can be tested simultaneously in one filter.
- For key tests, color information and a stream ID can be associated with keys as they are added to the key store. When a packet matches a key test with color information, the color information is transferred to the packet descriptor. When a packet matches a key test with stream ID specified, this information can be used to distribute the packet.
- For exact match (CAM) searches, the store supports up to 36000 IPv4-address-size entries or up to 8000 IPv6-address-size entries. For wildcard (TCAM) searches, the store supports up to 864 IPv4-address-size entries or up to 216 IPv6-address-size entries.
Configuration of key store
Two stores are used for the key sets: a CAM (Content Addressable Memory) store for exact IP address values, and a TCAM (Ternary Content Addressable Memory) store for wildcard (ranges and masked) IP address values.
The TCAM store consists of 12 banks. Each bank holds 72 IPv4-address-length entries. Banks can be coupled in sets to accommodate various entry lengths. For example, the key length for an IPv6 wildcard address requires 4 banks to be coupled. TCAM storage is dynamically allocated during runtime.
If you need simultaneous lookup of 2 values (dual lookup) of the same type, for example source and destination IP addresses, twice the number of banks is required.
For key tests, dual lookup is enabled in the key type definition in NTPL.
For key match and IP match, dual lookup is enabled in ntservice.ini using the KmTcamConfig parameter (see DN-0449). The default configuration is no dual lookup support.
For NT200A01 running at 2 × 100 Gbit/s, enabling dual lookup will also halve the CAM capacity.
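The store figures above can be turned into a pre-deployment check for an address list. This is an added example, not code from the original page or from the vendor; it assumes that a host address is stored as an exact (CAM) entry, that a CIDR prefix is stored as a wildcard (TCAM) entry, and that TCAM banks are consumed in whole banks per address family.

```python
import ipaddress
import math

TCAM_BANKS = 12                  # page: the TCAM store consists of 12 banks
ENTRIES_PER_BANK = 72            # page: 72 IPv4-address-length entries per bank
BANKS_PER_IPV6_SET = 4           # page: an IPv6 wildcard key couples 4 banks
CAM_LIMIT = {4: 36000, 6: 8000}  # page: exact-match limits, given as alternatives


def plan(entries, dual_lookup=False):
    """Classify entries and estimate CAM/TCAM usage.

    Assumed model (not from the page): host address -> CAM entry,
    CIDR prefix -> TCAM entry, banks allocated whole per address family.
    The CAM halving on NT200A01 at 2 x 100 Gbit/s is not modelled.
    """
    exact = {4: 0, 6: 0}
    wild = {4: 0, 6: 0}
    for entry in entries:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        bucket = exact if net.prefixlen == net.max_prefixlen else wild
        bucket[net.version] += 1
    banks = (math.ceil(wild[4] / ENTRIES_PER_BANK)
             + math.ceil(wild[6] / ENTRIES_PER_BANK) * BANKS_PER_IPV6_SET)
    if dual_lookup:
        banks *= 2               # page: dual lookup needs twice the banks
    return {
        "exact": exact,
        "wildcard": wild,
        "tcam_banks": banks,
        "tcam_ok": banks <= TCAM_BANKS,
        # Upper bound only: the page states the two CAM limits as "or".
        "cam_ok": exact[4] <= CAM_LIMIT[4] and exact[6] <= CAM_LIMIT[6],
    }


# Constructed sample list using documentation address ranges.
SAMPLE = ["192.0.2.10", "198.51.100.0/24", "2001:db8::1", "2001:db8:1::/48"]

if __name__ == "__main__":
    print(plan(SAMPLE))
    print(plan(SAMPLE, dual_lookup=True))
```

Under this model, 864 IPv4 prefixes or 216 IPv6 prefixes fill all 12 banks, matching the wildcard limits listed under Features, and enabling dual lookup halves both figures.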
The key test
The key test uses lists of user-defined keys, created using the KeyList command.
A user-defined key type is created using the KeyType command, and tied to fields from any location using the KeyDef command.
In this example, traffic with IPv6 source or destination address 1234:abcd:0:0:0:0:0:c0ed is captured.
// Define key type, enable dual lookup and enable assigning color
KeyType[Name=KT; Access=Full; ColorInfo=True] = {128}
// Define keys that extract inner source and destination addresses
KeyDef[Name=Kd_Src; KeyType=KT] = (InnerLayer3Header[8]/128)
KeyDef[Name=Kd_Dst; KeyType=KT] = (InnerLayer3Header[24]/128)
// Keys can now be added
KeyList[KeyType=KT; Color=23] = ([1234:abcd:0:0:0:0:0:c0ed])
// Set up filter
Assign[StreamId=0] = TunnelType == GTPv1-U and InnerLayer3Protocol == IPv6 and (Key(Kd_Src) == 3 or Key(Kd_Dst) == 3)
The key match and IP match tests
The key match and the IP match test both use lists of IP addresses, created using the IPMatchList command.
The IP address type, IPv4 or IPv6, must be specified when addresses are added to a key set. Address types cannot be mixed in a key set.
IPMatchList[KeySet=7] = IPv4Addr == [10.32.1.76], [10.32.1.77], [10.33.11.6]
IPMatchList[KeySet=8] = IPv6Addr == [DEAD:BEEF:0:0:0:0:0:27], [DEAD:BEEF:0:0:0:0:0:45]
If the key set is not specified, IPv4 addresses are added to key set 1 and IPv6 addresses are added to key set 2. You cannot add IPv6 addresses to key set 1 or IPv4 addresses to key set 2. While you must specify the key set in a key test or a key match test, the IP match test implicitly uses key set 1 for IPv4 addresses and key set 2 for IPv6 addresses. The following two examples have the same effect:
Define SrcIPv4 = Field(Layer3Header[12]/32)
Define SrcIPv6 = Field(Layer3Header[8]/128)
IPMatchList[KeySet=1] = IPv4Addr == [10.32.1.76], [10.32.1.77], [10.33.11.6]
IPMatchList[KeySet=2] = IPv6Addr == [DEAD:BEEF:0:0:0:0:0:27], [DEAD:BEEF:0:0:0:0:0:45]
Assign[StreamId=1] = Layer3Protocol == IPv4 AND KeyMatch(SrcIPv4) == 1
Assign[StreamId=2] = Layer3Protocol == IPv6 AND KeyMatch(SrcIPv6) == 2

IPMatchList = IPv4Addr == [10.32.1.76], [10.32.1.77], [10.33.11.6]
IPMatchList = IPv6Addr == [DEAD:BEEF:0:0:0:0:0:27], [DEAD:BEEF:0:0:0:0:0:45]
Assign[StreamId=1] = Layer3Protocol == IPv4 AND IPMatch==SrcIP
Assign[StreamId=2] = Layer3Protocol == IPv6 AND IPMatch==SrcIP
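When the address list comes from an external source such as a watchlist, the key set rules above can be enforced while the statements are generated. The following is an added example, not code from the original page or from the vendor; the function names are hypothetical, and the key set range 1..15 and the uncompressed IPv6 rendering are assumptions taken from the figures and examples on this page.

```python
import ipaddress

MAX_KEY_SET = 15             # page: up to 15 key sets (1..15 is an assumption)
DEFAULT_SET = {4: 1, 6: 2}   # page: key set 1 is IPv4, key set 2 is IPv6


def _fmt(addr):
    """Render an address in the bracketed form used in this page's examples."""
    if addr.version == 4:
        return f"[{addr}]"
    groups = addr.exploded.split(":")
    return "[" + ":".join(format(int(g, 16), "X") for g in groups) + "]"


def ip_match_lists(addresses, key_set_v4=1, key_set_v6=2):
    """Return one IPMatchList statement per address family present."""
    if key_set_v4 == key_set_v6:
        raise ValueError("address types cannot be mixed in a key set")
    if key_set_v4 == DEFAULT_SET[6] or key_set_v6 == DEFAULT_SET[4]:
        raise ValueError("key set 1 is IPv4 only and key set 2 is IPv6 only")
    for ks in (key_set_v4, key_set_v6):
        if not 1 <= ks <= MAX_KEY_SET:
            raise ValueError(f"key set {ks} outside 1..{MAX_KEY_SET}")
    seen = {4: {}, 6: {}}
    for text in addresses:
        # ip_address() raises ValueError for prefixes, ranges and garbage,
        # so only exact host addresses reach the generated statement.
        addr = ipaddress.ip_address(text.strip())
        seen[addr.version].setdefault(addr, None)   # de-duplicate, keep order
    out = []
    for version, ks, name in ((4, key_set_v4, "IPv4Addr"),
                              (6, key_set_v6, "IPv6Addr")):
        if seen[version]:
            items = ", ".join(_fmt(a) for a in seen[version])
            out.append(f"IPMatchList[KeySet={ks}] = {name} == {items}")
    return out


# Constructed input: the addresses from the example above, mixed and repeated.
SAMPLE = ["10.32.1.76", "dead:beef::27", "10.32.1.77", "10.32.1.76",
          "10.33.11.6", "DEAD:BEEF:0:0:0:0:0:45"]

if __name__ == "__main__":
    print("\n".join(ip_match_lists(SAMPLE, key_set_v4=7, key_set_v6=8)))
```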
Using multiple key, key match or IP match tests
Even if you have multiple filters with key, key match or IP match tests, for each packet only one (single or dual) lookup will be performed: a lookup on the one or two fields specified in the highest priority matching filter. The result of the lookup, the set of all matching key sets for each field in this filter, is available for all filters with key, key match or IP match tests.
As a consequence, to have a number of filters that test more than one field, you must ensure that the correct fields are included in the highest-priority matching filter.
In order to test two fields, for example both source and destination IP address, you must include both fields in all filters with key, key match, or IP match tests:
// Distribute frames based on mobile subscriber’s IP address
Define InnerSrcIPv4 = Field(InnerLayer3Header[12]/32)
Define InnerDestIPv4 = Field(InnerLayer3Header[16]/32)
Define HashUp = Hash(HashWord0_3=InnerSrcIPv4)
Define HashDown = Hash(HashWord0_3=InnerDestIPv4)
IPMatchList[KeySet=1] = IPv4Addr == [192.168.0.1], [10.10.100.1]
Assign[StreamId=(0..3);Hash=HashUp] = KeyMatch(InnerSrcIPv4) == 1 AND KeyMatch(InnerDestIPv4) != 1
Assign[StreamId=(0..3);Hash=HashDown] = KeyMatch(InnerSrcIPv4) != 1 AND KeyMatch(InnerDestIPv4) == 1
If, as in this case, you actually just want to ignore a field in some of the tests, you can match that field with the dummy key set Any:
// Distribute frames based on mobile subscriber’s IP address
Define InnerSrcIPv4 = Field(InnerLayer3Header[12]/32)
Define InnerDestIPv4 = Field(InnerLayer3Header[16]/32)
Define HashUp = Hash(HashWord0_3=InnerSrcIPv4)
Define HashDown = Hash(HashWord0_3=InnerDestIPv4)
IPMatchList[KeySet=1] = IPv4Addr == [192.168.0.1], [10.10.100.1]
Assign[StreamId=(0..3);Hash=HashUp] = KeyMatch(InnerSrcIPv4) == 1 AND KeyMatch(InnerDestIPv4) == Any
Assign[StreamId=(0..3);Hash=HashDown] = KeyMatch(InnerSrcIPv4) == Any AND KeyMatch(InnerDestIPv4) == 1

// Test on protocol ensures that the key match lookup is performed for the correct field
Define isIPv4 = Filter(Layer3Protocol == IPv4)
Define isIPv6 = Filter(Layer3Protocol == IPv6)
Define IPv4Src = Field(Layer3Header[12]/32)
Define IPv6Src = Field(Layer3Header[8]/128)
IPMatchList[KeySet=7] = IPv4Addr == [10.32.1.76], [10.32.1.77], [10.33.11.6]
IPMatchList[KeySet=8] = IPv6Addr == [DEAD:BEEF:0:0:0:0:0:27], [DEAD:BEEF:0:0:0:0:0:45]
Assign[StreamId=0] = isIPv4 AND KeyMatch(IPv4Src) == 7
Assign[StreamId=1] = isIPv6 AND KeyMatch(IPv6Src) == 8