2.3 Network properties setting
9 Test setup when using 2 FPGA boards
9.1 Environment setup when using 2 FPGA boards
9.2.1 Set parameters and start a server
9.2.2 Transmit data test (server to client)
9.2.3 Receive data test (Client to server)
This document describes the instruction to demonstrate the operation of TLS1.3 Client 10Gbps IP Core (TLS10GC-IP) on ZCU106 Evaluation Board. In this demonstration, TLS10GC-IP is used to establish a secure connection using the Transport Layer Security protocol version 1.3 over TCP. This involves handling the TLS1.3 handshake, encrypting and decrypting data transferred between the user and server. Additionally, HTTPS is selected as the application layer protocol to simplify the testing of data transfer between a standard server and the TLS10GCdemo.
This instruction explains the process for users to use TLS10GCdemo as a client for uploading or downloading data patterns from the provided example node.js server, obtaining results similar to use a web browser. This instruction also covers the use of the “server” application to test transfer speed between a PC and TLS10GCdemo, as well as the comparison of test results between two FPGA boards.
1 Environment Setup
To operate TLS10GC-IP demo, please prepare following test environment.
1) FPGA development boards (ZCU106 board).
2) Test PC with 10 Gigabit Ethernet or connecting with 10 Gigabit Ethernet card.
3) 10 Gb Ethernet cable:
a) 10 Gb SFP+ Passive Direct Attach Cable (DAC) which has 1-m or less length
b) 10 Gb SFP+ Active Optical Cable (AOC)
c) 2x10 Gb SFP+ transceiver (10G BASE-R) with optical cable (LC to LC, Multimode)
4) Micro USB cable for JTAG connection connecting between ZCU106 board and Test PC.
5) Micro USB cable for UART connection connecting between ZCU106 board and Test PC.
6) Vivado tool for programming FPGA installed on Test PC.
7) Serial console software such as TeraTerm installed on PC. The setting on the console is
Baudrate=115200, Data=8-bit, Non-parity and Stop=1.
8) Batch file named TLS10GCIPTest.bat” (To download these files, please visit our web site at www.design-gateway.com)
Figure 1‑1 TLS10GCIP demo environment on ZCU106 board
2 PC Setup
Before running demo, please check the network setting on PC. The example of setting 10 Gb Ethernet card is described as follows.
2.1 IP setting
Figure 2‑1 Setting IP address for PC
1) Open Local Area Connection Properties of 10 Gb connection, as shown in the left window of Figure 2‑1.
2) Select “TCP/IPv4” and then click Properties.
3) Set IP address = 192.168.7.26 and Subnet mask = 255.255.255.0, as shown in the right window of Figure 2‑1.
2.2 Speed and duplex setting
Figure 2‑2 Set Link Speed = 10 Gbps
1) On Local Area Connection Properties window, click “Configure”, as shown in Figure 2‑2.
2) On Advanced Tab, select “Speed and Duplex”. Set the value to “10 Gbps Full Duplex” for running 10 Gigabit transfer test, as shown in Figure 2‑2.
2.3 Network properties setting
Some of network parameter setting may affect to network performance. The example of network properties setting as follows.
1) On “Interrupt Moderation” window, select “Disabled” to disable interrupt moderation which would minimize the latency during transferring data, as shown in Figure 2‑3.
Figure 2‑3 Interrupt Moderation
2) On “Interrupt Moderation Rate” window, set value to “OFF”, as shown in Figure 2‑4.
Figure 2‑4 Interrupt Moderation Rate
3) On “Jumbo packet” window, set value to “9014 Bytes”, as shown in Figure 2‑5.
Figure 2‑5 Jumbo packet
4) On “Receive Buffers” window, set value to the maximum value, as shown in Figure 2‑6.
Figure 2‑6 Receive Buffers
5) On “Transmit Buffers” window, set value to the maximum value, as shown in Figure 2‑7.
Figure 2‑7 Transmit buffers
3 Node.js server
In this demonstration, a sample server is created using Node.js. The server opens port 60001 for HTTPS connection. The required files for running the server are provided in server folder which contains the file as follow,
1) serverDemo.js for running server.
2) key.pem and cert.pem as a sample RSA key information and server’s certificate.
3) uploadMenu.html for making web browser can upload data to server via POST method.
4) server/log folder for containing files, DG.html, bike.html, pinkpanther.html and rex.html. Users can add files to server/log folder to be the resource for downloading.
When serverDemo.js is executed, IP address and port number of server are displayed on console, as shown in Figure 3‑1.
Figure 3‑1 Server console when serverDemo.js is executed
Figure 3‑2 Server console when enabling verifying data
In case of client cannot access node.js server, please check firewall setting as below,
1) Go to Windows Defender Firewall with Advanced Security
2) Click on “Inbound Rules”
3) Search for “Node.js JavaScript Runtime” and open its properties
4) Go to “Protocols and Ports” tab and set Protocol type = TCP, Local port = Specific Ports that server on PC open. By default, the sample node.js server opens port 60001. Local port number is set to 60001, as shown in Figure 3‑3.
5) Go to “Advanced” tab and mark the profile boxes that match the network profile of ethernet card, as shown in Figure 3‑4.
Figure 3‑3 Protocols and Ports setting
Figure 3‑4 Advanced setting
Clients can download data patterns or existing files in the server/log folder by sending a GET command with URL.
For downloading data pattern, there are 4 data patterns which are increasing binary, decreasing binary, increasing text and decreasing text pattern. When a server receives a GET request, data pattern and length of requested data are displayed on the server console, as shown in Figure 3‑5.
Figure 3‑5 Server console when client download data pattern
For downloading html file in server/log folder, when a server receives a GET request, file path of requested data is displayed on the server console, as shown in Figure 3‑6.
Figure 3‑6 Server console when client download ./log/DG.html
Clients can upload data to the server by sending a POST command followed by uploaded data. After completely transferring, received data, length of data and transfer speed are displayed on the server console, as shown in Figure 3‑7. If data length is more than 16 kB, the server console shows only data length and transfer speed.
Figure 3‑7 Server console when client upload data
4 Test software on PC
Due to the encrypting/decrypting process in the TLS protocol, Node.js server on the PC cannot achieve full-speed data transfer between PC and TLS10GC-IP. The “server” application is designed to run on the PC similar to the Node.js server for testing the performance of TLS10GC-IP via ethernet. The server opens port 60001 for HTTPS connection. Users can select the ethernet IP address for testing corresponding to the IP address of the 10 Gb Ethernet card, as shown in Figure 4‑1.
Figure 4‑1 Server application console
For upload speed testing, after the handshake process is completed, “server” application will receive TxData from the client and count the number of received data to validate whether it matches the value form the URL. To achieve optimal data transfer speed, the received data will remain undecrypted and unverified. Then the transfer speed is displayed on the server console, as shown in Figure 4‑2.
For download speed testing, after the handshake process is completed, “server” application will prepare the encrypted data pattern corresponding to the data pattern from the URL and continuously send it to the client. The download speed will be displayed on the server application console, as shown in Figure 4‑3.
Figure 4‑2 Server application console when testing upload speed
Figure 4‑3 Server application console when
testing download speed
5 Client web browser
Users can use a web browser for downloading data from server by GET method and uploading data to the server via POST method.
For downloading data pattern, user can input URL in the following format,
https://ip:port/direction/pattern/length
Where ip represent server’s IP address in dot-decimal notation
port represent server’s port number
direction represent download or upload
pattern represent data pattern
b1: increasing binary pattern, t1: increasing text pattern,
b0: decreasing binary pattern, t0: decreasing text pattern
length represent data length in byte
For example, server’s IP address is 192.168.7.26, port number is 60001 and the user's URL is https://192.168.7.26:60001/download/t1/123. Secure connection is established, the 123-byte increasing text pattern is displayed in the web browser, as shown in Figure 5‑1.
Figure 5‑1 Increasing text pattern shown in web browser
Remark
- Our tested web browser is Google Chrome version 116.0.5845.141.
- The RSA certificate used in this demonstration is self-signed, meaning it was not issued by a certification authority (CA). When attempting to access the server with a self-signed certificate, the web browser may display a "Not Secure" alert.
For downloading existing files in server/log folder, users can input URL in the following format,
https://ip:port/download/log/filename
When user inputs https://192.168.7.26:60001/download/log/DG.html and DG.html exists in log folder. The secure connection is established, the html page is downloaded and displayed on the web browser, as shown in Figure 5‑2.
Figure 5‑2 DG.html shown in web browser
Users can securely upload data through web browser by requesting uploadMenu.html from https://192.168.7.26:60001/upload/menu. Upload menu is displayed in the web browser, as shown in Figure 5‑3. Users can select the data pattern and data length. The HTML page will prepare the data and send a POST command along with the data pattern to the server when the “POST” button is pressed. Because the length of the data is greater than or equal to 16,000 bytes, only the data length and transfer speed are displayed on server console when the upload is completed, as shown in Figure 5‑4.
Figure 5‑3 Secured upload page
Figure 5‑4 Server’s console when client upload large data
6 Board setup
1) Make sure power switch is off and connect power supply to FPGA development board.
2) Connect two USB cables between FPGA board and PC via micro-USB ports.
3) Power on system.
4) Download configuration file and firmware to FPGA board by following step,
a) open Vivado TCL shell.
b) change current directory to download folder which includes demo configuration file.
c) Type “TLS10GCTest.bat”, as shown in Figure 6‑1.
Figure 6‑1 Example command script for
download configuration file
7 Serial Console
Users can set the parameters, download and upload data by using the following command. The TLS10GCdemo commands and their usage will be displayed, as shown in Figure 7‑1. Detailed information about each command is described in topic 8.
Figure 7‑1 Serial console
8 Command detail
command> setip ddd.ddd.ddd.ddd
This command is used to set FPGA’s IP address in dotted-decimal format. The default FPGA’s IP address is 192.168.7.42. Users can input setip command followed by a valid IP address, as shown in Figure 7‑1.
command> setport ddddd
This command is used to set the static port number of FPGA in decimal format. By default, the FPGA’s port number is set to be dynamic. Dynamic ports range from 49152 to 65535. Users can enable dynamic port again after specifying a port number by using “setport dynamic” command, as shown in Figure 7‑1.
command> setmac hh-hh-hh-hh-hh-hh
This command is used to set FPGA’s MAC address in hexadecimal format. The default FPGA’s MAC address is 00-01-02-03-04-05.
command> showkey <1: enable, 0: disable>
This command is used to enable showkey mode. When showkey mode is enabled, the TLS traffic ticket for encryption/decryption is displayed on the serial console, as shown in Figure 8‑1. Users can use the TLS traffic ticket as (Pre)-Master-Secret log file for Wireshark* to decrypt transferred data between the client and server.
*Wireshark, a network packet analyzer tool used for network troubleshooting, analysis, and security purposes.
Figure 8‑1 Serial console when showkey mode is enabled
8.5 Enable showcert mode
command> showcert <1: enable, 0: disable>
This command is used to enable showcert mode. When showcert mode is enabled, the server’s certificate stored in CertRam is displayed on the serial console, as shown in Figure 8‑2. The certificate information is displayed in hexadecimal format, which corresponds to the result obtained by using openssl command: openssl x509 -in cert.pem -outform der | hexdump -C, as shown in Figure 8‑3.
Figure 8‑2 Serial console when showcert mode is enabled
Figure 8‑3 Certificate information from openssl command
command> myGET protocol://ip:port/download/pattern/length
This command simulates GET method of HTTP to download data from the server. Users can input a URL and then received data is displayed on the serial console. For download data pattern, the verification feature is enabled. If the received data matches the expected data, the total length of received data and download speed are displayed on the serial console.
In case of the downloaded data length exceeds 16kB, “Data Length is too large, Show only Transfer speed” is displayed instead of the received data, as shown in Figure 8‑4.
Figure 8‑4 Serial console when downloading large data
In this demonstration, the maximum data length is limited at 2 GB for testing with the test software and 1 GB for testing with serverDemo.js, respectively. When users request to download data exceeding the maximum length, an error message is sent from server, causing the verification to fail, and the actual data and expected data will be displayed on the serial console.
For downloading HTML page, the verification feature is disabled. The received data is displayed on the serial console, as shown in Figure 8‑5.
Figure 8‑5 Serial console when downloading DG.html
command> myPOST protocol://ip:port/upload/pattern/length
This command simulates POST method of HTTP to upload data to the server. Users can specify the data pattern and data length in the URL. After the upload is completed, the data length and upload speed are displayed, as shown in Figure 8‑6 and Figure 8‑7. On the server’s console, the number of data sent from the client and transfer speed is displayed. If the data length is less than 16 kB, the received data is also displayed, as shown in Figure 8‑8.
Figure 8‑6 Serial console when uploading large data
Figure 8‑7 Serial console when uploading 123-byte data
Figure 8‑8 Server console when uploading 123-byte data
command> myFullduplex protocol://ip:port/fullduplex/pattern/length
This command is used to transfer data between the client and server in full duplex mode. It simulates POST method of HTTP with the fullduplex URL, which requests a data pattern from the server and uploads the data pattern to the server. Users can specify the data pattern and data length in the URL. After the transmission and reception of data are complete, the data length and transfer speed are displayed, as shown in Figure 8‑9.
Figure 8‑9 Serial console when full duplex mode is tested
9 Test setup when using 2 FPGA boards
9.1 Environment setup when using 2 FPGA boards
To operate TLS10GC-IP demo with TLS10GS-IP demo, please prepare following test environment.
5) FPGA development boards (ZCU106 as a client and ZCU102 as a server).
6) 10 Gb Ethernet cable:
a) 10 Gb SFP+ Passive Direct Attach Cable (DAC) which has 1-m or less length
b) 10 Gb SFP+ Active Optical Cable (AOC)
c) 2x10 Gb SFP+ transceiver (10G BASE-R) with optical cable (LC to LC, Multimode)
7) Micro USB cable for JTAG connection connecting between FPGA board and Test PC.
8) 2 Micro USB cable for UART connection connecting between ZCU102 board and Test PC and between ZCU106 board and Test PC.
9) Vivado tool for programming FPGA installed on Test PC.
10) Serial console software such as TeraTerm installed on PC. The setting on the console is
Baudrate=115200, Data=8-bit, Non-parity and Stop=1.
11) Batch file named TLS10GCIPTest.bat” and TLS10GSIPTest.bat” (To download these files, please visit our web site at www.design-gateway.com)
Figure 9‑1 TLS10GC-IP demo environment when using 2 FPGA boards
Follow step 1)-8) of Topic 6 Board setup to prepare FPGA boards for running the demo. Run “TLS10GCTest.bat” to download configuration file and firmware to ZCU106 board as a client and run “TLS10GSTest.bat” to download configuration file and firmware to ZCU102 board as a server. The details of supported commands and their usage for TLS10GC-IP demo is described in the following link.
https://www.dgway.com/products/IP/TLS-IP/TLS10GSIP-instruction-xilinx-en/
9.2 Test sequence
9.2.1 Set parameters and start a server
1) Set network parameters of each FPGA board: IP address, port number, and mac address.
2) Set server’s certificate and RSA key information via serial console of server.
3)
Start a server by entering the
following command in server’s console:
listenFor <client’s IP address> on <server’s port number> as shown in Figure 9‑2.
Figure 9‑2 Server and client console when parameters are set
9.2.2 Transmit data test (server to client)
Enter the command myGET protocol://ip:port/download/pattern/length through client’s console to request the data pattern from TLS10GS demo. Once the data transfer is complete, the transfer results and speed will be presented on both client’s and server’s consoles, as shown in Figure 9‑3.
Figure 9‑3 Server and client console when transfer data from server to client
9.2.3 Receive data test (Client to server)
Enter the command myPOST protocol://ip:port/upload/pattern/length through client’s console to transmit the data pattern from TLS10GC demo to TLS10GS demo. Once the data transfer is complete, the transfer results and speed will be presented on both client’s and server’s consoles, as shown in Figure 9‑4.
Figure 9‑4 Server and client console when transfer data from client to server
9.2.4 Full duplex test
Enter the command myFullduplex protocol://ip:port/fullduplex/pattern/length through client’s console to test transfer data in full duplex mode between TLS10GS demo and TLS10GC demo. Once the data transfer is complete, the transfer results and speed will be presented on both client’s and server’s consoles, as shown in Figure 9‑5.
Figure 9‑5 Server and client console when transfer data in full duplex mode
10 Test results
This demonstration, TLS10GCdemo is showcased for its ability to function as a secure client. The HTTPS protocol is chosen as the application layer to demonstrate that TLS10GC-IP can implement TLS1.3 to secure HTTP communication. The subsequent section details the test results when transferring data between each component, covering 2 main aspects: functionality testing and performance testing.
10.1 Functionality testing
TLS10GCdemo is designed to send HTTPS request to a server, demonstrating that TLS10GC-IP can handle TLS1.3 connection similar to a web browser. As shown in Figure 10‑1 and Figure 10‑2, a web browser requests a data pattern via the GET command and displays the received HTTP payload from the server on the browser, producing the same result on the serial console of TLS10GCdemo.
In the case of uploading data, TLS10GCdemo is capable of transmitting a data pattern with HTTP header to the server. The receiving results shown on the server console upon completing the reception of data from TLS10GCdemo, as shown as Figure 10‑4, are similar to when receiving data from a web browser, as shown as Figure 10‑3.
Figure 10‑1 Test results when web browser download data from node.js server
Figure 10‑2 Test results when TLS10GCdemo download data from node.js server
Figure 10‑3 Test results when web browser upload data to node.js server
Figure 10‑4 Test results when TLS10GCdemo upload data to node.js server
10.2 Performance testing
When the example node.js server is used as a server to communicate with TLS10GCdemo, the CPU manages encryption/decryption during data transfer, causing a decrease in transfer speed. To achieve the maximum throughput, the "server" application is used instead.
“Server” application is designed to encrypt data before transmission through the network in Tx mode, decrypt the last data block and verify the total received data size only in Rx mode. As shown in Figure 10‑5 and Figure 10‑6, the transfer speed is nearly by 10 Gbps and the utilization of the Intel i7 CPU is approximately 100%, as monitored by the PC's task manager. This indicates that if the CPU is tasked with encrypting/decrypting data while transferring data through the network, the transfer speed will be reduced.
Figure 10‑5 Test results when TLS10GCdemo download data from “server” application
Figure 10‑6 Test results when TLS10GCdemo upload data to “server” application
For full duplex mode, the transfer speed between “server” application and TLS10GCdemo decreases, as shown in Figure 10‑7. This suggests that the CPU cannot handle both receiving and transmitting task in a secure connection to maintain the 10 Gbps throughput.
In the testing scenario between two FPGA boards, where TLS10GCdemo acts as a client and TLS10GSdemo as a server, cryptographic tasks, including encryption/decryption, are entirely offloaded to hardware. As shown in Figure 10‑8, the throughput increases to 9360 Mbps, representing the maximum throughput achievable with TCP/IP in this demonstration.
Figure 10‑7 Full duplex test results between TLS10GCdemo and “server” application
Figure 10‑8 Full duplex test results between TLS10GSdemo and TLS10GCdemo
11 Revision History
|
Revision |
Date |
Description |
|
1.02 |
5-Mar-2024 |
Add test results between 2 FPGA boards |
|
1.01 |
22-Dec-2023 |
Add full duplex test |
|
1.00 |
8-Sep-2023 |
Initial version release |