Layer 7 Switching


The recent explosive demand for application hosting and increased security fueled the demand for a new concept called content switching, also known as Layer 7 switching, proxy switching, or URL switching. This switching technology inspects the packet payload, which is expected to be an HTTP request, such as a request for a static or dynamic Web page. The content switch searches the payload for a certain string (a URL, a Host header, a cookie), and if there is a match, it takes some type of action. For example, the content switch might rewrite the content, or redirect the request to a pool of servers that specializes in that type of content, or to a caching server for increased performance. The main idea is that the forwarding decision is made on application data, not on the traditional Layer 2 or Layer 3 destination network addresses.

Some major technical challenges arise in performing this type of processing. The first is a tremendous performance impact. In traditional Layer 2 and Layer 3 processing, the destination addresses and corresponding egress port are found by looking at a fixed offset in the packet. This allows for extremely cheap and fast ASICs. Usually, the packet header is read in from the MAC and copied into SRAM, which has an access time of around five nanoseconds. The variable-size and bulky payload is usually copied into DRAM, which has a higher initial setup time. The forwarding decision requires only a couple of SRAM accesses: the header is read, modified, and written back, and a quick lookup, usually in a Ternary Content-Addressable Memory (TCAM) or a Patricia tree held in SRAM, takes a few nanoseconds. For Layer 7 forwarding decisions, however, almost all commercial switches, except the Extreme Px1, must perform this function in a much slower general-purpose CPU running a real-time operating system such as VxWorks. The payload, which resides in DRAM, must be read, processed, and written, and the string search itself is time intensive. (There have been recent advances in Layer 7 technology, such as that offered by Solidum and PMC-Sierra's ClassiPI, which perform this at wirespeed rates. However, at the time of this writing, we are not aware of any major switch manufacturer using this technology.) This operation takes orders of magnitude more time than a Layer 2 or Layer 3 lookup.

NAT can be extended not only to hide internal private IP addresses but also to base packet forwarding decisions on the payload. There are two approaches to accomplish this function:

  • Application Gateway This approach terminates the socket connection on the client side and creates another connection on the server side, providing complete isolation between the client and the server. This requires more processing time and resources on the switch. However, it allows the switch to make a comprehensive application-layer forwarding decision.

  • TCP Splicing This approach simply rewrites the TCP/IP packet headers, thereby reducing the amount of processing required on the switch. This makes it more difficult for the switch to make application-layer forwarding decisions if the complete payload spans many small TCP packets.

This section describes an application gateway approach to NAT and performing Layer 7 processing.

FIGURE 4-9 shows an overview of the functional content switching model.

Figure 4-9. Content Switching Functional Model


Content switching with full network address translation (NAT) serves the following purposes:

  • Isolates internal IP addresses from being exposed to the public Internet.

  • Allows reuse of a single IP address. For example, clients can send their Web requests to www.a.com or www.b.com, where DNS maps both domains to a single IP address. The proxy switch receives this request with the packet containing an HTTP header in the payload that contains the target domain, for example a.com or b.com, and determines to which group of servers to redirect this request.

  • Allows parallel fetching of different parts of Web pages from servers optimized and tuned for that type of data. For example, a complex Web page might need GIFs, dynamic content, cached content, and so on. With content switching, one set of Web servers can hold the GIFs, while another can hold the dynamic content or cached content. The proxy switch can make parallel fetches and retrieve the entire page at a faster rate than would be possible otherwise.

  • Ensures requests with cookies or SSL session IDs are redirected to the same server to take advantage of persistence.

FIGURE 4-9 shows that the client's socket connection is terminated by the proxy function. The proxy reads only as much of the request, typically the URL and the Host header, as it needs to make a decision. In FIGURE 4-9, various URLs map to various server groups, each of which is reached through a VIP address. The proxy determines whether to forward the request directly to a server or pass it off to a server load-balancing function that is waiting for traffic destined to the server group.

The proxy is configured with a VIP address, so the switch forwards all client requests destined to this VIP address to the proxy function. The proxy function also rewrites the IP header, particularly the source IP and port, so that the server sends back the requested data to the proxy, not to the client directly.
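The decision path described above (buffer the request until the URL and Host header are complete, pick a server group by virtual host or content type, and honor a persistence cookie) can be shown in a few dozen lines. The following is an added example, not code from the book or from any switch vendor: the pool names, routing rules, cookie name, and the two request segments are constructed for illustration, and the split across segments is deliberately placed inside the Host header to show why a TCP-splicing switch cannot decide from the first segment alone.

```python
"""Content-switch decision logic: choose a server group from the HTTP request.

Added example, not code from the book: the pool names, routing rules and
the sample request segments below are constructed for illustration.
"""
from urllib.parse import urlsplit

HEADER_END = b"\r\n\r\n"
MAX_HEADER_BYTES = 8192   # bound what a slow or hostile client can make the proxy buffer

# Constructed routing tables. Host-based pools serve www.a.com / www.b.com
# behind one public IP; suffix-based pools serve content types from tuned servers.
HOST_POOLS = {"www.a.com": "vip-a", "www.b.com": "vip-b"}
SUFFIX_POOLS = {".gif": "vip-images", ".jpg": "vip-images", ".php": "vip-dynamic"}
DEFAULT_POOL = "vip-default"
POOL_MEMBERS = {
    "vip-a": ["a1", "a2"], "vip-b": ["b1"], "vip-images": ["img1", "img2"],
    "vip-dynamic": ["dyn1"], "vip-default": ["web1"],
}
PERSIST_COOKIE = "SERVERID"   # hypothetical cookie a server sets on first contact


class RequestBuffer:
    """Accumulates TCP segment payloads until the HTTP header block is complete.

    The request line plus Host header may arrive split across several small
    segments; no Layer 7 decision is possible until the blank line is seen.
    """

    def __init__(self):
        self.data = b""

    def feed(self, segment: bytes):
        self.data += segment
        end = self.data.find(HEADER_END)
        if end < 0:
            if len(self.data) > MAX_HEADER_BYTES:
                raise ValueError("header block exceeds buffer limit")
            return None            # need more segments before deciding
        return parse_request(self.data[:end])


def parse_request(head: bytes) -> dict:
    """Parse the request line and headers; header names are folded to lower case."""
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    # An absolute-form target (GET http://host/path) carries its own authority,
    # which takes precedence over the Host header.
    if "://" in target:
        url = urlsplit(target)
        host, path = (url.hostname or ""), (url.path or "/")
    else:
        host, path = headers.get("host", "").split(":")[0], target.split("?", 1)[0]
    return {"method": method, "version": version, "host": host.lower(),
            "path": path, "headers": headers}


def choose_pool(req: dict) -> str:
    """Content type (path suffix) wins over virtual host; otherwise the default pool."""
    for suffix, pool in SUFFIX_POOLS.items():
        if req["path"].lower().endswith(suffix):
            return pool
    return HOST_POOLS.get(req["host"], DEFAULT_POOL)


def sticky_server(req: dict, pool: str):
    """Return the pool member named by the persistence cookie, or None.

    None means the request is handed to the server load-balancing function,
    which picks a member by load. A cookie naming a server outside the pool
    is ignored rather than trusted.
    """
    cookies = {}
    for item in req["headers"].get("cookie", "").split(";"):
        name, _, value = item.strip().partition("=")
        cookies[name] = value
    server = cookies.get(PERSIST_COOKIE)
    return server if server in POOL_MEMBERS[pool] else None


def decide(segments) -> tuple:
    """Feed segments in order; return (pool, sticky_server) once decidable."""
    buf = RequestBuffer()
    for seg in segments:
        req = buf.feed(seg)
        if req is not None:
            pool = choose_pool(req)
            return pool, sticky_server(req, pool)
    raise ValueError("connection closed before headers completed")


if __name__ == "__main__":
    # Constructed request split across two segments inside the Host header.
    print(decide([b"GET /images/logo.gif HTTP/1.1\r\nHost: www.",
                  b"a.com\r\nCookie: SERVERID=img2; theme=dark\r\n\r\n"]))
```

The buffer limit matters on a real proxy: because the decision needs the whole header block, a client that never sends the terminating blank line can otherwise hold memory on the switch indefinitely.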

Network Address Translation

Network Address Translation (NAT) is a critical component for security and proper traffic direction. There are two basic types of NAT: half and full. Half NAT rewrites only the destination IP address and MAC address, redirecting the packet to another location such as a Web cache; because the source IP address is unchanged, the cache returns its reply directly to the client. (For the client to accept that reply, the cache must send it with the original destination address as its source, for example a VIP configured on a loopback interface.) Full NAT is where the socket connection is terminated by a proxy, so the source IP and MAC addresses are changed to those of the proxy server and the reply comes back through it.

NAT serves the following purposes:

  • Security Prevents exposing internal private IP addresses to the public.

  • IP Address Conservation Requires only one valid exposed IP address to fetch Internet traffic on behalf of internal networks that use private, non-routable IP addresses.

  • Redirection Intercepts traffic destined to one set of servers and redirects it to another by rewriting the destination IP and MAC addresses. The redirected servers can send back the request directly to the clients with half NAT-translated traffic because the original source IP has not been rewritten.

NAT is configured with a set of filters, usually 5-tuple rules that match on source and destination IP address, source and destination port, and protocol. If the incoming traffic matches a filter rule, the packet IP header is rewritten, or a new socket connection is initiated to the target server; the target itself can differ from rule to rule. NAT is often combined with other IP services such as SLB and content switching. The basic idea is that the client and servers are completely decoupled from each other: the NAT device manages the IP address conversions, while the partner service is responsible for another decision, such as determining which server will handle the request based on load or other rules.
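The half-NAT redirection and the 5-tuple filter described above, worked through at the packet level as an added example (not code from the book or from any switch): a rule with wildcard fields selects an Ethernet/IPv4/TCP frame, and the rewrite replaces the destination MAC and IP while leaving the source untouched. Both the IP header checksum and the TCP checksum must be recomputed, since the TCP checksum covers a pseudo-header containing the destination address. The MAC and IP addresses, the rule, and the frame are constructed for the example.

```python
"""Half-NAT redirection: match a 5-tuple rule and rewrite the destination of an
IPv4/TCP frame, fixing both checksums.

Added example, not the book's code. Addresses, MACs and the sample frame are
constructed; a real switch does this in a forwarding ASIC.
"""
import ipaddress
import struct

ETH_IPV4 = 0x0800
PROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over data (odd length is padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Construct an Ethernet/IPv4/TCP frame with correct checksums (sample input)."""
    src, dst = ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, PROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, PROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETH_IPV4) + ip + tcp


def parse_frame(frame: bytes) -> dict:
    """Extract the Layer 2/3/4 fields a NAT filter matches on."""
    dst_mac, src_mac, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_IPV4:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    proto = ip[9]
    l4 = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", l4[:4]) if proto in (6, 17) else (None, None)
    return {"dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
            "src_ip": str(ipaddress.IPv4Address(ip[12:16])),
            "dst_ip": str(ipaddress.IPv4Address(ip[16:20])),
            "proto": proto, "sport": sport, "dport": dport, "ihl": ihl}


class Rule:
    """5-tuple filter (None = wildcard, IPs may be CIDR) and its redirect target."""

    def __init__(self, src_ip, dst_ip, proto, sport, dport, redirect_ip, redirect_mac):
        self.fields = {"src_ip": src_ip, "dst_ip": dst_ip, "proto": proto,
                       "sport": sport, "dport": dport}
        self.redirect_ip, self.redirect_mac = redirect_ip, redirect_mac

    def matches(self, pkt: dict) -> bool:
        for key, want in self.fields.items():
            if want is None:
                continue
            if key.endswith("_ip"):
                if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want):
                    return False
            elif pkt[key] != want:
                return False
        return True


def half_nat(frame: bytes, rules) -> bytes:
    """Rewrite destination MAC/IP per the first matching rule; unchanged if none match."""
    pkt = parse_frame(frame)
    rule = next((r for r in rules if r.matches(pkt)), None)
    if rule is None:
        return frame
    ihl = pkt["ihl"]
    new_dst = ipaddress.IPv4Address(rule.redirect_ip).packed
    eth = _mac(rule.redirect_mac) + frame[6:14]          # source MAC and type kept
    ip = bytearray(frame[14:14 + ihl])
    ip[16:20] = new_dst
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip)))
    total = struct.unpack("!H", ip[2:4])[0]
    l4 = bytearray(frame[14 + ihl:14 + total])           # ignore any Ethernet padding
    if pkt["proto"] == PROTO_TCP:
        l4[16:18] = b"\x00\x00"                          # pseudo-header includes new dst IP
        pseudo = bytes(ip[12:16]) + new_dst + struct.pack("!BBH", 0, PROTO_TCP, len(l4))
        l4[16:18] = struct.pack("!H", ones_complement_sum(pseudo + bytes(l4)))
    return eth + bytes(ip) + bytes(l4)


def checksums_ok(frame: bytes) -> bool:
    """A correct IP header, or TCP segment plus pseudo-header, sums to zero."""
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if ones_complement_sum(ip) != 0:
        return False
    if ip[9] != PROTO_TCP:
        return True
    total = struct.unpack("!H", ip[2:4])[0]
    l4 = frame[14 + ihl:14 + total]
    return ones_complement_sum(ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, PROTO_TCP, len(l4)) + l4) == 0


if __name__ == "__main__":
    # Constructed rule: any 10/8 client talking to the origin VIP on port 80 is
    # steered to a Web cache; the client's source address is left alone.
    rules = [Rule("10.0.0.0/8", "198.51.100.10", PROTO_TCP, None, 80, "192.0.2.20", "02:00:00:00:00:20")]
    frame = build_frame("02:00:00:00:00:01", "02:00:00:00:00:10", "10.1.2.3", "198.51.100.10",
                        40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    out = half_nat(frame, rules)
    print(parse_frame(out), checksums_ok(out))
```

Because the source fields are untouched, the cache at 192.0.2.20 sees the client's real address and answers it directly; it must do so using 198.51.100.10 as its own source address, or the client's TCP stack will discard the reply as belonging to no known connection.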



    Networking Concepts and Technology: A Designer's Resource
    ISBN: 0131482076
    Year: 2003
    Pages: 116