2022P4可編程應用案例技術(shù)白皮書

P4可編程應用案例技術(shù)白皮書P4可編程應用案例技術(shù)白皮書P4可編程應用案例技術(shù)白皮書目錄P4可程應案技術(shù)白書 1參考資料 1縮略術(shù)語 1P4-16用基代范例 1P4應案例 21流量實統(tǒng)計 21特征報復制 23一致性HASH網(wǎng)關(guān) 25VPCEIP卸載 29安全防墻 31四層網(wǎng)卸載 33應用服鏈 35可編程換機型PTP 374. 結(jié)語 41iP4可編程應用案例技術(shù)白皮書（中文版）P4可編程應用案例技術(shù)白皮書（中文版）PAGEPAGE10P4可編程應用案例技術(shù)白皮書參考資料（改）適用于本文件。P4編程介紹\h/P4\h/p4lang/p4-spec/tree/master/p4-16P4編程練習\h/p4lang/tutorials縮略術(shù)語P4-16常用基礎(chǔ)代碼范例P4的各應用編程中，都會遇到一些通用的邏輯，這部分主要涉及數(shù)據(jù)結(jié)構(gòu)的定義，PARSER，DEPARSER部分，如下：通用長度定義typedefbit<48>mac_addr_t;typedefbit<32>ipv4_addr_t;typedefbit<128>ipv6_addr_t;typedefbit<12>vlan_id_t;常用頭部字段定義ETHERNET_HEADERheaderethernet_h{mac_addr_tdst_addr;mac_addr_tsrc_addr;bit<16>ether_type;}VLAN_HEADERheadervlan_tag_h{bit<3>pcp;bit<1>cfi;vlan_id_tvid;bit<16>ether_type;}MPLS_HEADERheadermpls_h{bit<20>label;bit<3>exp;bit<1>bos;bit<8>ttl;}IPV4_HEADERheaderipv4_h{bit<4>version;bit<4>ihl;bit<8>diffserv;bit<16>total_len;bit<16>identification;bit<3>flags;bit<13>frag_offset;bit<8>ttl;bit<8>protocol;bit<16>ipv4_addr_tsrc_addr;ipv4_addr_tdst_addr;}IPV4_OPTION_HEADERheaderipv4_option_h{bit<8>type;bit<8>length;bit<16>value;}IPV6_HEADERheaderipv6_h{bit<4>version;bit<8>traffic_class;bit<20>flow_label;bit<16>payload_len;bit<8>next_hdr;bit<8>hop_limit;ipv6_addr_tsrc_addr;ipv6_addr_tdst_addr;}TCP_HEADERheadertcp_h{bit<16>src_port;bit<16>dst_port;bit<32>seq_no;bit<32>ack_no;bit<4>data_offset;bit<4>res;bit<8>flags;bit<16>window;bit<16>checksum;bit<16>urgent_ptr;}UDP_HEADERheaderudp_h{bit<16>src_port;bit<16>dst_port;bit<16>length;bit<16>checksum;}VXLAN_HEADER//VXLAN--RFC7348headervxlan_h{bit<8>flags;bit<24>reserved;bit<24>vni;bit<8>reserved2;}VXLAN_GPE_HEADER//GenericProtocolExtensionforVXLAN--IETFv4headervxlan_gpe_h{bit<8>flags;bit<16>reserved;bit<24>vni;bit<8>reserved2;}ICMP_HEADERheadericmp_h{bit<8>type;bit<8>code;bit<16>//...}IGMP_HEADERheaderigmp_h{bit<8>type;bit<8>bit<16>checksum;//...}ARP_HEADER//AddressResolutionProtocol--RFC6747headerarp_h{bit<16>hw_type;bit<16>proto_type;bit<8>hw_addr_len;bit<8>proto_addr_len;bit<16>opcode;//...}ROCEV2HEADER//RDMAoverConvergedEthernet(RoCEv2)headerrocev2_bth_h{bit<8>opcodee;bit<1>se;bit<1>migration_req;bit<2>pad_count;bit<4>transport_version;bit<16>partition_key;bit<1>f_res1;bit<1>b_res1;bit<6>reserved;bit<24>dst_qp;bit<1>ack_req;bit<7>reserved2;//...}GRE_HEADER//GenericRoutingEncapsulation(GRE)--RFC1701headergre_h{bit<1>C;bit<1>R;bit<1>K;bit<1>S;bit<1>s;bit<3>recurse;bit<5>flags;bit<3>version;bit<16>proto;}NVGRE_HEADER//NetworkVirtualisationusingGRE(NVGRE)--RFC7637headernvgre_h{bit<24>vsid;bit<8>}ERSPAN_HEADER//ERSPANcommonheaderfortype2/3headererspan_h{bit<16>version_vlan;bit<16>session_id; //includecos_en_t(6)andsession_id(10)}ERSPAN_TYPE2_HEADER//ERSPANTypeII--IETFv3headererspan_type2_h{bit<32>index; //includereserved(12)andindex(20)}ERSPAN_TYPE3_HEADER//ERSPANTypeIII--IETFv3headererspan_type3_h{bit<32>timestamp;bit<32>ft_d_other;/*bit<16>sgt; //Securitygroupbit<1> p;bit<5>ft; //Framebit<6>hw_id;bit<1>d; //Directionbit<2>gra; //Timestampbit<1>o; //Optionalsub-header*/}BFD_HEADER//BidirectionalForwardingDetection(BFD)--RFC5880headerbfd_h{bit<3>version;bit<5>diag;bit<8>flags;bit<8>detect_multi;bit<8>len;bit<32>my_discriminator;bit<32>your_discriminator;bit<32>desired_min_tx_interval;bit<32>req_min_rx_interval;bit<32>req_min_echo_rx_interval;}TELEMETRY_REPORT_HEADER//Telemetryreportheader--version0.5// See /p4lang/p4-applications/blob/master/docs/telemetry_report_v0_5.pdfheaderdtel_report_v05_hbit<4>version;bit<4>next_proto;bit<3>d_q_f;bit<15>reserved;bit<6>hw_id;bit<32>seq_number;bit<32>timestamp;bit<32>switch_id;}常用以太網(wǎng)協(xié)議//Commonprotocols/types#defineETHERTYPE_IPV40x0800#defineETHERTYPE_ARP0x0806#defineETHERTYPE_VLAN#defineETHERTYPE_IPV60x86dd#defineETHERTYPE_MPLS#defineETHERTYPE_PTP0x88F7#defineETHERTYPE_FCOE0x8906#defineETHERTYPE_ROCE#defineETHERTYPE_BFN#defineETHERTYPE_QINQ0x8100常用IP協(xié)議#defineIP_PROTOCOLS_ICMP 1#defineIP_PROTOCOLS_IGMP 2#defineIP_PROTOCOLS_IPV4 4#defineIP_PROTOCOLS_TCP 6#defineIP_PROTOCOLS_UDP 17#defineIP_PROTOCOLS_IPV6 41#defineIP_PROTOCOLS_SRV6 43#defineIP_PROTOCOLS_GRE 47#defineIP_PROTOCOLS_ICMPV658常用UDP協(xié)議#defineUDP_PORT_VXLAN 4789#defineUDP_PORT_ROCEV24791#defineUDP_PORT_GENV 6081#defineUDP_PORT_SFLOW 6343#defineUDP_PORT_MPLS 6635常用GRE協(xié)議#defineGRE_PROTOCOLS_ERSPAN_TYPE_30x22EB#defineGRE_PROTOCOLS_NVGRE 0x6558#defineGRE_PROTOCOLS_IP 0x0800#defineGRE_PROTOCOLS_ERSPAN_TYPE_20x88BE常用TCP協(xié)議#defineTCP_FLAGS_FIN 0x01#defineTCP_FLAGS_SYN 0x02#defineTCP_FLAGS_RST 0x04#defineTCP_FLAGS_ACK 0x10#defineTCP_FLAGS_FIN_MASK#defineTCP_FLAGS_SYN_MASK0x17 //SYNis1,FIN,RSTandACKare0#defineTCP_FLAGS_RST_MASK0x04#defineTCP_FLAGS_ACK_MASK0x10常見數(shù)據(jù)包類型完整定義#defineVLAN_DEPTH2#defineMPLS_DEPTH3Struct packet_header_tethernet_hethernet;vlan_tag_h[VLAN_DEPTH]vlan_tag;mpls_h[MPLS_DEPTH]mpls;ipv4_hipv4;ipv4_option_hipv6_hipv6;arp_harp;udp_hudp;icmp_hicmp;igmp_higmp;tcp_htcp;rocev2_bth_hrocev2_bth;vxlan_hvxlan;gre_hgre;erspan_herspan;erspan_type2_herspan_type2;erspan_type3_herspan_type3;ethernet_hinner_ethernet;ipv4_hinner_ipv4;ipv6_hinner_ipv6;udp_hinner_udp;tcp_hinner_tcp;icmp_hinner_icmp;}常用PARSER邏輯PARSER_ETHERNETstateparse_ethernet{pkt.extract(hdr.ethernet);transitionselect(hdr.ethernet.ether_type,ig_intr_md.ingress_port){(ETHERTYPE_IPV4,_):parse_ipv4;(ETHERTYPE_ARP,_):parse_arp;(ETHERTYPE_IPV6,_):parse_ipv6;(ETHERTYPE_VLAN,_):parse_vlan;default:accept;}}PARSER_IPV4stateparse_ipv4{pkt.extract(hdr.ipv4);ipv4_checksum.add(hdr.ipv4);transitionselect(hdr.ipv4.ihl){:parse_ipv4_no_options;:parse_ipv4_options;default:accept;}}PARSER_IPV4_OPTIONSstateparse_ipv4_options{pkt.extract(hdr.ipv4_option);transitionparse_ipv4_no_options;}PARSER_IPV4_NO_OPTIONSstateparse_ipv4_no_options{transitionselect(tocol,hdr.ipv4.frag_offset){(IP_PROTOCOLS_ICMP,0):parse_icmp;(IP_PROTOCOLS_IGMP,0):parse_igmp;(IP_PROTOCOLS_TCP,0):parse_tcp;(IP_PROTOCOLS_UDP,0):parse_udp;(IP_PROTOCOLS_IPV4,0):parse_ipinip;default:accept;}}PARSER_ARPstateparse_arp{pkt.extract(hdr.arp);transitionaccept;}PARSER_VLANstateparse_vlan{pkt.extract(hdr.vlan_tag.next);transitionselect(hdr.vlan_tag.last.ether_type){ETHERTYPE_ARP:parse_arp;ETHERTYPE_IPV4:parse_ipv4;ETHERTYPE_VLAN:parse_vlan;ETHERTYPE_IPV6:parse_ipv6;default:accept;}}PARSER_IPV6stateparse_ipv6{pkt.extract(hdr.ipv6);transitionselect(hdr.ipv6.next_hdr){IP_PROTOCOLS_ICMPV6:parse_icmp;IP_PROTOCOLS_TCP:parse_tcp;IP_PROTOCOLS_UDP:parse_udp;IP_PROTOCOLS_IPV4:parse_ipinip;IP_PROTOCOLS_IPV6:parse_ipv6inip;default:accept;}}PARSER_UDPstateparse_udp{pkt.extract(hdr.udp);transitionselect(hdr.udp.dst_port){udp_port_vxlan:parse_vxlan;UDP_PORT_ROCEV2:parse_rocev2;default:accept;}}PARSER_TCPstateparse_tcp{pkt.extract(hdr.tcp);transitionaccept;}PARSER_ICMPstateparse_icmp{pkt.extract(hdr.icmp);transitionaccept;}PARSER_IGMPstateparse_igmp{pkt.extract(hdr.igmp);transitionaccept;}PARSER_ROCEV2stateparse_rocev2{transitionaccept;}stateparse_vxlan{pkt.extract(hdr.vxlan);transitionaccept;}pkt.emit(hdr.ethernet);pkt.emit(hdr.vlan_tag);pkt.emit(hdr.arp);pkt.emit(hdr.ipv4);pkt.emit(hdr.ipv4_option);pkt.emit(hdr.ipv6);pkt.emit(hdr.udp);pkt.emit(hdr.tcp);pkt.emit(hdr.icmp);pkt.emit(hdr.igmp);pkt.emit(hdr.rocev2_bth);pkt.emit(hdr.vxlan);P4應用案例P4-16PARSER,DEPARSERMATCH-ACTION部分，以及一些控制層邏輯。流量實時統(tǒng)計流量統(tǒng)計轉(zhuǎn)發(fā)層設(shè)計P4P4COUNTER上我們可以先定義counter數(shù)組，然后根據(jù)報文的特征把報文關(guān)聯(lián)到多個counter上//bit<64>countervalue; bit<16>counterindexCounter<bit<64>,counter；

bit<32>>(10240,CounterType_t.PACKETS_AND_BYTES)我們可以定義如下MATCH-ACTION把報文關(guān)聯(lián)到counter上actionset_counter_id(bit<32> counterid ig_md.counter.id=counterid;}tablecounter_merter_id{key={ig_md.l4_sip:ternary;ig_md.l4_dip:ternary;ig_md.vni :ternary;ig_md.ip_proto :ig_md.l4_sport :ternary;ig_md.l4_dport :ternary;}actions={set_counter_id;NoAction;}constdefault_action=NoAction;size=table_size;}然后對這些id進行流量統(tǒng)計action do_count(){counter.count(ig_md.counter.id);}Apply{Do_count();}流量統(tǒng)計控制層設(shè)計sip，dip，proto，vni，sport，dport等維度（可設(shè)計掩碼匹配）關(guān)ounteidounteidp4-runtime下發(fā)到芯片上。match-actionidbpspps維度的統(tǒng)計，然后通過控制層p4-runtime（或芯片廠商提供的接口）特征報文復制特征報文復制轉(zhuǎn)發(fā)層設(shè)計//根據(jù)芯片的不同，報文復制mirror這部分的操作方式可能有所不同，以下以barefoot芯片為例actionset_mirror_session(bit<9>session_id){mirror_md.session_id=session_id;}tablemirror_table{key={ig_md.l4_sip:ternary;ig_md.l4_dip:ternary;ig_md.vni :ternary;ig_md.ip_proto :ig_md.l4_sport :ternary;ig_md.l4_dport :ternary;}actions={set_mirror_session;NoAction;}Size=10240;}apply{mirror_table.apply();}在deparser中mirror.emit<mirror_metadata_h>(ig_md.mirror.session_id,{mirror_metadata_h 字段實例})征報文復制轉(zhuǎn)發(fā)層設(shè)計通過芯片提供的fixed功能，將match住的報文發(fā)到指定的出端口上。HASH網(wǎng)關(guān)HASH網(wǎng)關(guān)轉(zhuǎn)發(fā)層設(shè)計//viptcphashviphashrealserverip；bit<32>hash;Hash<bit<32>>(HashAlgorithm_t.CRC32)hashgo;actioncal_hash(){hash=hashgo.get({hdr.ipv4.src_addr,hdr.ipv4.dst_addr,hdr.ipv4.ip_proto,hdr.tcp.sport,hdr.tcp.dport});}actionset_real_server_ip(bit<32>ip){hdr.ipv4.dst_addr=ip;}tablevip_to_real_server{key={hdr.ipv4.dst_addr:exact;hash[8:0]:exact;}action={set_rs_ip;}size=1024*256;}apply{cal_hash();vip_to_real_server.apply();}HASH網(wǎng)關(guān)控制層設(shè)計ECMP情況hashvip，hashserveripviphash8bitrealserver2564個realserver，256/4=64；所以我們將Viphash0-63p4-runtimevaluerealserverAip；Viphash值為64-127的都通過p4-runtime下發(fā)value為realserverB的ip；Vip+hash128-191p4-runtimevaluerealserverC的ip；Vip+hash值為192-255的都通過p4-runtime下發(fā)value為realserverD的ip；此時理論上已形成4臺realserver的ECMP；后端節(jié)點刪除情況ArealserverAhashABCD1/n;所以則只需要調(diào)整控制層邏輯為（2.1）BCD對應的流量保持不變，所以以下表項不用調(diào)整Viphash值為64-127的都通過p4-runtime下發(fā)value為realserverB的ip；Vip+hash128-191p4-runtimevaluerealserverC的ip；Vip+hash值為192-255的都通過p4-runtime下發(fā)value為realserverD的ip；（2.2）A的流量分攤到BCD上,64/3=21(忽略最后1/64的影響)Viphash0-20p4-runtimevaluerealserverBip；Vip+hash21-41p4-runtimevaluerealserverCVip+hash42-62p4-runtimevaluerealserverDip；Vip+hash63p4-runtimevaluerealserverBip；//B,C,D任選一個即可后端節(jié)點新增的情況realserverEhashhash1/n256/4=64,256/5=51(1),realserver64-51=13E注收到影響的流量為13*452, 52/256約1/5即可保證最終一致性HSH效果。按照上述思想控制層需要下發(fā)表項可如下：Viphash0-50p4-runtimevaluerealserverAip；Vip+hash51-63p4-runtimevaluerealserverEViphash值為64-114的都通過p4-runtime下發(fā)value為realserverB的ip；Vip+hash115-127p4-runtimevaluerealserverE的ip；Vip+hash值為128-178的都通過p4-runtime下發(fā)value為realserverC的ip；Vip+hash值為179-191的都通過p4-runtime下發(fā)value為realserverE的ip；Vip+hash值為192-242的都通過p4-runtime下發(fā)value為realserverD的ip；Vip+hash值為243-255的都通過p4-runtime下發(fā)value為realserverE的ip；realserver1/nhash網(wǎng)關(guān)效果。VPCEIP卸載VPCEIP卸載轉(zhuǎn)發(fā)層設(shè)計VPC本案例假設(shè)vpc報文為vxlan報文。IPvxlanipvpcip。actionset_vpc_innerip(bit<32>vni,bit<32>nc_ip,bit<32> ig_md.vni=vni;ig_md.nc_ip=nc_ip;ig_md.inner_dip=inner_dip;}tableeip_to_vpc{key={hdr.ipv4.dst_addr:exact;}action={set_vpc_innerip;}size=1024*32;}然后進行hdr.vxlan.setValid()，對相應vxlan報文的各字段進行賦值，最后pk.emit(hdr.vxlan)即可，常規(guī)操作，略去代碼。VPC報文轉(zhuǎn)公網(wǎng)出核心為通過報文的vni和sip這兩個vpc的信息，轉(zhuǎn)換為出口eipactionset_vpc_eip(bit<32>eip){ig_md.sip=eip;}tablevpc_to_eip{key={hdr.vxlan.vni:exact;hdr.vxlan.ipv4.sip:exact;}action={set_vpc_eip;}size=1024*256;}然后進行hdr.vxlan.setInvalid()，對相應hdr.ipv4.sip=ig_md.sip進行賦值,常規(guī)操作，略去代碼。VPCEIP卸載控制層設(shè)計eipvni+vpcinneripvnivpcinneripeip安全防火墻安全防火墻轉(zhuǎn)發(fā)層設(shè)計//根據(jù)芯片的不同，防火墻這部分的操作方式可能有所不同，以下以barefoot芯片為例actionset_fwd_port(bit<8>port){fw_md.out_port=port;}tablefw_table{key={ig_md.l4_sip:lpm;ig_md.l4_dip:lpm;ig_md.vni :ig_md.ip_proto :exact;ig_md.l4_sport :range;ig_md.l4_dport :range;}actions={set_fwd_port;NoAction;}apply{fw_table.apply();}Cpuport收到的包通過DPDK進行包過濾，需要轉(zhuǎn)發(fā)的包再下發(fā)給barefoot芯片進行轉(zhuǎn)發(fā)；安全防火墻控制層設(shè)計控制層上，主要完成mac地址學習，路由學習等功能，流表信息更新;四層網(wǎng)關(guān)卸載四層網(wǎng)關(guān)卸載快速路徑設(shè)計//根據(jù)芯片的不同，防火墻這部分的操作方式可能有所不同，以下以barefoot芯片為例actionset_session_inf(bit<32>ip,bit<16>port){gw_md.ip=ip;gw_md.port=port;}actionset_cpu_port(bit<8>port){gw_md.cpu_port=port;}tablesession_table{key={ig_md.l4_sip:exact;ig_md.l4_dip:exact;ig_md.vniig_md.ip_proto:exact;:exact;ig_md.l4_sportig_md.l4_dport}:exact;:exact;actions={set_session_inf;@defaultonlyset_cpu_port;}apply{session_table.apply();}四層網(wǎng)關(guān)卸載慢速路徑設(shè)計Cpuport收到的包通過DPDK進行慢速處理，并把大象流對應sessionoffload到芯片里面；四層網(wǎng)關(guān)卸載控制層設(shè)計控制層完成mac地址學習，路由學習以及流表配置等功能；應用服務鏈應用服務鏈轉(zhuǎn)發(fā)層設(shè)計servicechainvxlan，gre，ipinipipfpgaservicechain。案例如下：actionsend_to_chain1(bit<32>dip){add_header_chain1(dip);//modfiy_header();}actionsend_to_chain2(bit<32>dip){add_header_chain2(dip);//modfiy_header();}actionsend_to_chain3(bit<32>dip){add_header_chain2(dip);//modfiy_header();}actionsend_to_chain4(bit<9>phy_port){send_to_port(phy_port);}tabledipatch_table{key={ig_md.l4_sip:ternary;ig_md.l4_dip:ternary;ig_md.ip_proto :ig_md.l4_sport :ternary;ig_md.l4_dport :ternary;}actions={send_to_chain1;send_to_chain2;send_to_chain3;send_to_chain4;NoAction;}size=10240;}apply{dipatch_table.apply()}PAGEPAGE37P4可編程應用案例技術(shù)白皮書（中文版）P4可編程應用案例技術(shù)白皮書（中文版）應用服務鏈控制層設(shè)計chainservicechian對應的后端服務器或直連的硬件端口信息。chainchain已經(jīng)處理完成。servicechainservicechain的處理即可。PTP戶帶來自主可控的網(wǎng)絡(luò)。下面以星融元對PTP這一