Preparing for Client Authentication and GRE Tunnel Setup

A profile message arriving at the router from an external source must be authenticated before it is processed.

Once the router recognizes the client as one that is permitted by its known policies, the application can proceed to establish the mechanisms for accepting client traffic.

In the sample application, client authentication takes place in the control module; once the client is accepted, the control module sets up a GRE tunnel for the client. The control module listens for the GRE signaling messages coming from the GRE gateway on each VRF, using a separate thread for each VRF.

In this sample, the client is a traffic generator that stands in for an external router.

The entry point for profile negotiation is the SESN_INIT_REQ message, which the client sends to the GRE gateway on the router. The request message type is defined, along with the other GRE message types, in the control module's header file, jnx-gateway-ctrl.h, as follows:

/* GRE gateway signaling message types */
enum {

When it receives a session init request (SESN_INIT_REQ) from the GRE gateway, the control module creates the gateway entry if one is not already present; validates the session; creates a session entry; selects an MS PIC that is enabled for data handling; and forwards the request to the data PIC. These operations take place in functions called from the jnx_gw_ctrl_sig_gre_session_add() function, which is defined in the jnx-gateway-ctrl_gre.c file.

jnx_gw_ctrl_sig_gre_session_add() uses the following structures:

Data Structures

The structures are declared as follows in the jnx-gateway-ctrl.h header file:

/* VRF structure: */
struct jnx_gw_ctrl_vrf_s {
    patnode            vrf_node;   /* add to the main control block */
    patnode            vrf_tnode;  /* add to the receive thread */
    uint32_t           vrf_id;     /* the key */
    int32_t            ctrl_fd;    /* gateway socket fd */
    uint8_t            vrf_status; /* vrf status */
    uint8_t            vrf_sig_status;
    uint8_t            vrf_flags;
    pthread_t          vrf_tid;

    /* gre key management information */
    uint32_t           vrf_gre_key_start;
    uint32_t           vrf_gre_key_end;
    uint32_t           vrf_gre_key_cur;

    /* data pic & tunnel information */
    uint32_t           gre_gw_count;
    uint32_t           ipip_gw_count;
    uint32_t           ctrl_policy_count;

    patroot            gre_gw_db;      /* gre gateway list */
    patroot            ipip_gw_db;     /* ipip gaeway list */
    patroot            ctrl_policy_db;
    patroot            vrf_intf_db;

    /* these are the socket resources for talking to the 
       client gateways */
    jnx_gw_ctrl_sock_list_t *vrf_socklist;
    jnx_gw_ctrl_rx_thread_t *vrf_rx_thread;
    uint32_t           gw_ip;         /* current gateway ip */
    uint16_t           gw_port;       /* current gateway port */
    pthread_mutex_t    vrf_send_lock; /* for send buffer */
    struct sockaddr_in send_sock;
    uint16_t           send_len;
    uint8_t            send_buf[JNX_GW_CTRL_MAX_PKT_BUF_SIZE];

    /* statistics */
    uint32_t           gre_sesn_count;
    uint32_t           gre_active_sesn_count;

/* gre gateway structure */
struct jnx_gw_ctrl_gre_gw_s {
    patnode            gre_gw_node;      /* add to the vrf structure */
    uint32_t           gre_gw_ip;        /* key, gateway IP address */
    uint32_t           gre_vrf_id;
    pthread_rwlock_t   gre_sesn_db_lock; /* lock for the gre sessions */
    patroot            gre_sesn_db;      /* list of sesns */
    jnx_gw_ctrl_vrf_t *pvrf;
    uint8_t            gre_gw_status;
    uint8_t            gre_gw_flags;
    uint16_t           gre_gw_port;

    /* gateway session statistics */
    uint32_t           gre_sesn_count;
    uint32_t           gre_active_sesn_count;

/* gre session structure */
struct jnx_gw_ctrl_gre_session_s {
    /* add to the gre gateway structure */
    patnode                   gre_sesn_node; 
    /* add to the ip-ip gateway structure */
    patnode                   gre_ipip_sesn_node;
    /* add to the user structure */
    patnode                   gre_user_sesn_node;

    /* ingress gre tunnel information */
    uint32_t                  ingress_gre_key;    /* key .. */
    uint32_t                  ingress_vrf_id; 
    uint32_t                  ingress_gw_ip;
    uint32_t                  ingress_intf_id;
    uint32_t                  ingress_self_ip;

    /* status & flags */
    uint32_t                  sesn_msgid;
    uint16_t                  sesn_resv1;
    uint8_t                   sesn_proftype;
    uint8_t                   sesn_resv0;
    uint8_t                   sesn_status;
    uint8_t                   sesn_flags;  /* egress-ipip/checksum/grekey/seq */
    uint8_t                   sesn_errcode; 

    /* session information */
    uint8_t                   sesn_proto;
    uint32_t                  sesn_client_ip;
    uint32_t                  sesn_server_ip;
    uint16_t                  sesn_sport;
    uint16_t                  sesn_dport;
    uint16_t                  sesn_id;     /* unique for the data/ctrl pic */
    uint16_t                  sesn_resv;   /* */
    uint32_t                  sesn_up_time;

    /* egress ipip information */
    uint32_t                  egress_vrf_id;
    uint32_t                  egress_intf_id;
    uint32_t                  egress_gw_ip;
    uint32_t                  egress_self_ip;

    /* data pic information */
    jnx_gw_ctrl_vrf_t        *pingress_vrf;
    jnx_gw_ctrl_vrf_t        *pegress_vrf;
    jnx_gw_ctrl_data_pic_t   *pdata_pic;
    jnx_gw_ctrl_intf_t       *pingress_intf;
    jnx_gw_ctrl_intf_t       *pegress_intf;
    jnx_gw_ctrl_gre_gw_t     *pgre_gw;
    jnx_gw_ctrl_ipip_gw_t    *pipip_gw;

    /* policy used information */
    jnx_gw_ctrl_user_t       *puser;

    /* this is the route set for the GRE connection;
       it represents the data PIC interface on the ingress VRF
       as the next hop */
    jnx_gw_ctrl_route_t      *pingress_route;

    /* if a host route is set for the client,
       in case of a  native server connection;
       otherwise, this represents the data PIC
       egress IP route
    jnx_gw_ctrl_route_t      *pegress_route;
