Using a virtual iproute2 port as an egress port on the device

I am trying to implement a basic Mininet scenario for testing purposes, where I’d like to demonstrate how a switch would encapsulate MACsec frames for a legacy device that is incapable of doing so on its own. I originated my project using p4lang’s ‘basic’ exercise.

For now, I don’t want to use an RPC controller for Macsec, and would like to take advantage of iproute2’s macsec implementation on switch s1.

Here is a drawing of the network setup that I’m trying to achieve: Imgur

My issue is that the packets coming from h1 don’t reach the macsec1 interface.
macsec1 is set up by a script that I currently run manually once Mininet is up and running, using xterm s1 and then ./scripts/s1_macsec.sh.

This is my ./scripts/s1_macsec.sh file:

#!/bin/sh
# Stop on the first failing command so a half-configured device is not left behind.
set -e

# Stack a MACsec device on s1-eth2; 'validate strict' drops frames that fail the ICV check.
ip link add link s1-eth2 macsec1 type macsec validate strict

# One transmit SA (association number 0), initial packet number 1, key id 01, 128-bit key.
ip macsec add macsec1 tx sa 0 pn 1 on key 01 12345678901234567890123456789012

# Bring the device up and give it an address.
ip link set dev macsec1 up
ifconfig macsec1 10.0.1.3

Trying to set the switch up by setting the egress port in runtime.json to port #2 is successful, and forwards the incoming frame to s1-eth2.

Below is the corresponding part of my s1-topology.json file:

    {
      "table": "MyIngress.mac_exact",
      "match": {
        "hdr.ethernet.dstAddr": "01:0c:cd:04:00:01"
      },
      "action_name": "MyIngress.mac_forward",
      "action_params": {
        "dstAddr": "01:0c:cd:04:00:01",
        "port": 2
      }
    }

The p4 program running on this switch is simply forwarding ethernet frames based on their dstAddr.

I can’t seem to find the port number associated with the macsec port of the Mininet host which is created by the script after Mininet is up and running.
I’ve tried changing the egress port number to different numbers, but none of them worked.

I confirmed that the MACsec port is working by sending forged frames from the s1 Mininet host through its macsec1 interface.

Is there any way of solving this? Does p4 have to have an interface already set up when the configuration data is received from the Controller in order for the interface to receive a port number? Can ports that are later added to the switch receive an egress port number too?

Thank you for your help in advance!

Hi @nebulator0,

Could you please show us which command you use to run the switch and how the flow rules are defined?

Certainly!

My environment runs using the exercise environment created in p4lang tutorials repository.

I created a new sub-folder in the exercises directory, duplicating the basic directory.
The only modification in my p4 code compared to the basic exercise solution is that the forwarding decisions are based on the MAC addresses and use exact matches.

After issuing the make command in the project folder, my flow rules defined in the runtime.json files are compiled into p4info.txt and json files that the P4Runtime uses to configure the switches, using p4c-bm2-ss.

p4c-bm2-ss --p4v 16 --p4runtime-files build/macsec-test-3_1.p4.p4info.txt -o build/macsec-test-3_1.json macsec-test-3_1.p4

The run-exercise.py file then creates the mininet topology:

sudo python3 ../../utils/run_exercise.py -t pod-topo/topology.json -j build/macsec-test-3_1.json -b simple_switch_grpc

Finally, the environment uses simple_switch_grpc commands to start the grpc servers.

simple_switch_grpc -i 1@s1-eth1 -i 2@s1-eth2 --pcap /home/p4/devenv/exercises/macsec-test-3_1/pcaps --nanolog ipc:///tmp/bm-0-log.ipc --device-id 0 build/macsec-test-3_1.json --log-console --thrift-port 9090 -- --grpc-server-addr 0.0.0.0:50051
 
simple_switch_grpc -i 2@s2-eth2 -i 1@s2-eth1 --pcap /home/p4/devenv/exercises/macsec-test-3_1/pcaps --nanolog ipc:///tmp/bm-1-log.ipc --device-id 1 build/macsec-test-3_1.json --log-console --thrift-port 9091 -- --grpc-server-addr 0.0.0.0:50052

Finally, P4Runtime inserts the table entries into the switches.
I’ve uploaded my whole s1-topology.json file here ( Pastebin )

From what I understand, you want to manage the s1 switch interfaces via the script

s1_macsec.sh

So you cannot do that, because the interfaces assigned to the switch are in promiscuous mode, so they simply pass the packets to the bmv2 switch without applying any network configuration.
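A quick way to see the mismatch the reply describes is to list the ports bmv2 actually knows about and compare them with the egress ports the table entries name. The check below is an added example, not code from the p4lang tutorials or from the posters: it reads the port bindings from a simple_switch_grpc command line in the form quoted above (each `-i N@iface` option), then flags any runtime-JSON entry whose `port` action parameter is not bound to an interface. The command line and the JSON fragment are constructed copies of what the thread shows, with one extra entry pointing at an unbound port so the check has something to report; `macsec1` never appears among the bound ports, which is why no egress number can reach it.

```python
"""Cross-check bmv2 port bindings against the egress ports in runtime JSON.

Added example; the inputs below are constructed from the thread, not taken
from a live switch.
"""
import json
import re
import shlex

# Constructed: the s1 launch command as quoted in the thread.
S1_CMD = (
    "simple_switch_grpc -i 1@s1-eth1 -i 2@s1-eth2 "
    "--pcap /home/p4/devenv/exercises/macsec-test-3_1/pcaps "
    "--nanolog ipc:///tmp/bm-0-log.ipc --device-id 0 "
    "build/macsec-test-3_1.json --log-console --thrift-port 9090 "
    "-- --grpc-server-addr 0.0.0.0:50051"
)

# Constructed: runtime JSON in the shape of the tutorials' sX-runtime.json.
# The second entry forwards to port 3, which the command line never binds.
S1_RUNTIME = json.dumps({
    "table_entries": [
        {"table": "MyIngress.mac_exact",
         "match": {"hdr.ethernet.dstAddr": "01:0c:cd:04:00:01"},
         "action_name": "MyIngress.mac_forward",
         "action_params": {"dstAddr": "01:0c:cd:04:00:01", "port": 2}},
        {"table": "MyIngress.mac_exact",
         "match": {"hdr.ethernet.dstAddr": "01:0c:cd:04:00:02"},
         "action_name": "MyIngress.mac_forward",
         "action_params": {"dstAddr": "01:0c:cd:04:00:02", "port": 3}},
    ]
})

_PORT_RE = re.compile(r"^(\d+)@(\S+)$")


def bound_ports(cmdline):
    """Map port number -> interface name from every '-i N@iface' argument."""
    argv = shlex.split(cmdline)
    ports = {}
    for i, tok in enumerate(argv):
        if tok == "-i" and i + 1 < len(argv):
            m = _PORT_RE.match(argv[i + 1])
            if m:
                ports[int(m.group(1))] = m.group(2)
    return ports


def interface_port(ports, iface):
    """Port number an interface is bound to, or None if bmv2 never saw it."""
    for num, name in ports.items():
        if name == iface:
            return num
    return None


def unbound_egress_entries(runtime_json, ports, param="port"):
    """Return (table, match, port) for entries whose egress port is unbound."""
    cfg = json.loads(runtime_json)
    bad = []
    for entry in cfg.get("table_entries", []):
        p = entry.get("action_params", {}).get(param)
        if p is not None and int(p) not in ports:
            bad.append((entry["table"], entry["match"], int(p)))
    return bad


if __name__ == "__main__":
    ports = bound_ports(S1_CMD)
    print("bound ports:", ports)
    # A device created after startup (macsec1) is not a bmv2 port at all.
    print("macsec1 bound as port:", interface_port(ports, "macsec1"))
    for table, match, port in unbound_egress_entries(S1_RUNTIME, ports):
        print(f"{table} {match}: egress port {port} is not bound to any interface")
```

Run it with the real command line and runtime JSON of your own switch; any entry it reports names a port that the data plane cannot deliver to, and the interface-to-port map it prints is the same information `show_ports` gives in simple_switch_CLI.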