TLS10GC-IP Demo Instruction

 

1      Environment Setup
2      PC Setup
2.1    IP setting
2.2    Speed and duplex setting
2.3    Network properties setting
3      Node.js server
4      Test software on PC
5      Client web browser
6      ZCU106 board setup
7      Serial Console
8      Command detail and testing result
8.1    Set FPGA’s IP Address
8.2    Set FPGA’s Port Number
8.3    Set FPGA’s MAC address
8.4    Enable showkey mode
8.5    Enable showcert mode
8.6    Download data
8.7    Upload data
8.8    Full duplex test
9      Revision History

 

This document describes the instructions for demonstrating the operation of the TLS 1.3 Client 10Gbps IP Core (TLS10GC-IP) on the ZCU106 Evaluation Board. In the demonstration, TLS10GC-IP is used to establish a secure connection with the Transport Layer Security protocol version 1.3 over TCP: it handles the TLS 1.3 handshake and encrypts and decrypts the data transferred between the user and the server. The user can set the network parameters of TOE10GLL-IP, download payload from the server and upload payload to the server by entering the supported commands via the serial console.

 

1       Environment Setup

To operate the TLS10GC-IP demo, please prepare the following test environment.

1)    FPGA development boards (ZCU106 board).

2)    Test PC with a 10 Gigabit Ethernet port or a 10 Gigabit Ethernet card installed.

3)    10 Gb Ethernet cable:

a)    10 Gb SFP+ Passive Direct Attach Cable (DAC) with a length of 1 m or less

b)    10 Gb SFP+ Active Optical Cable (AOC)

c)    2x10 Gb SFP+ transceiver (10G BASE-R) with optical cable (LC to LC, Multimode)

4)    Micro USB cable for the JTAG connection between the ZCU106 board and the Test PC.

5)    Micro USB cable for the UART connection between the ZCU106 board and the Test PC.

6)    Vivado tool for programming the FPGA, installed on the Test PC.

7)    Serial console software such as TeraTerm installed on the PC. The console settings are Baudrate=115200, Data=8-bit, Non-parity and Stop=1.

8)    Batch file named “TLS10GCIPTest_ZCU106.bat” (to download these files, please visit our web site at www.design-gateway.com)

 

Figure 1‑1 TLS10GC-IP demo environment on ZCU106 board

 

2       PC Setup

Before running the demo, please check the network settings on the PC. An example of configuring the 10 Gb Ethernet card is described as follows.

2.1      IP setting

 

Figure 2‑1 Setting IP address for PC

 

1)    Open the Local Area Connection Properties of the 10 Gb connection, as shown in the left window of Figure 2‑1.

2)    Select “TCP/IPv4” and then click Properties.

3)    Set IP address = 192.168.7.25 and Subnet mask = 255.255.255.0, as shown in the right window of Figure 2‑1.

 

2.2      Speed and duplex setting

 

Figure 2‑2 Set Link Speed = 10 Gbps

 

1)    On the Local Area Connection Properties window, click “Configure”, as shown in Figure 2‑2.

2)    On the Advanced tab, select “Speed and Duplex” and set the value to “10 Gbps Full Duplex” for running the 10 Gigabit transfer test, as shown in Figure 2‑2.

 

2.3      Network properties setting

Some network parameter settings may affect network performance. An example of the network properties settings is as follows.

1)    On the “Interrupt Moderation” window, select “Disabled” to disable interrupt moderation, which minimizes the latency during data transfer, as shown in Figure 2‑3.

 

 

Figure 2‑3 Interrupt Moderation

 

2)    On “Interrupt Moderation Rate” window, set value to “OFF”, as shown in Figure 2‑4.

 

Figure 2‑4 Interrupt Moderation Rate

 

3)    On “Jumbo packet” window, set value to “9014 Bytes”, as shown in Figure 2‑5.

 

Figure 2‑5 Jumbo packet

 

4)    On “Receive Buffers” window, set value to the maximum value, as shown in Figure 2‑6.

 

Figure 2‑6 Receive Buffers

 

5)    On “Transmit Buffers” window, set value to the maximum value, as shown in Figure 2‑7.

 

Figure 2‑7 Transmit buffers

3       Node.js server

In this demonstration, a sample server is created using Node.js. The server opens port 60001 for HTTPS connections. The files required for running the server are provided in the server folder, which contains the following files:

1)    serverDemo.js for running the server.

2)    key.pem and cert.pem as the server’s sample RSA private key and self-signed certificate.

3)    uploadMenu.html, which lets a web browser upload data to the server via the POST method.

4)    server/log folder containing the files DG.html, bike.html, pinkpanther.html and rex.html. The user can add files to the server/log folder to make them available for download.

When serverDemo.js is executed, the IP address and port number of the server are displayed on the console, as shown in Figure 3‑1.



Figure 3‑1 Server console when serverDemo.js is executed

 

By default, serverDemo.js disables the data verification feature to achieve the optimal transfer speed. The user can enable data verification by passing the “-v” parameter when executing serverDemo.js, as shown in Figure 3‑2.



Figure 3‑2 Server console when data verification is enabled

 

If the client cannot access the node.js server, please check the firewall settings as follows:

1)    Go to Windows Defender Firewall with Advanced Security.

2)    Click on “Inbound Rules”.

3)    Search for “Node.js JavaScript Runtime” and open its properties.

4)    Go to the “Protocols and Ports” tab and set Protocol type = TCP and Local port = Specific Ports, matching the port that the server on the PC opens. By default, the sample node.js server opens port 60001, so the local port number is set to 60001, as shown in Figure 3‑3.

5)    Go to the “Advanced” tab and tick the profile boxes that match the network profile of the Ethernet card, as shown in Figure 3‑4.

 

 

Figure 3‑3 Protocols and Ports setting

 

 

Figure 3‑4 Advanced setting

 

Clients can download data patterns or existing files in the server/log folder by sending a GET request with the URL.

For downloading a data pattern, there are 4 data patterns: increasing binary, decreasing binary, increasing text and decreasing text. When the server receives a GET request, the data pattern and the length of the requested data are displayed on the server console, as shown in Figure 3‑5.

 

Figure 3‑5 Server console when client downloads data pattern

 

For downloading an html file in the server/log folder, when the server receives a GET request, the file path of the requested data is displayed on the server console, as shown in Figure 3‑6.

 

Figure 3‑6 Server console when client downloads ./log/DG.html

 

Clients can upload data to the server by sending a POST request followed by the uploaded data. After the transfer completes, the received data, the data length and the transfer speed are displayed on the server console, as shown in Figure 3‑7. If the data length is more than 16 kB, the server console shows only the data length and the transfer speed.

 

Figure 3‑7 Server console when client uploads data

 

4       Test software on PC

Because of the encryption/decryption processing in the TLS protocol, the Node.js server on the PC cannot provide full-speed data transfer between the PC and TLS10GC-IP. The “server” application is designed to run on the PC, similarly to the Node.js server, for testing the performance of TLS10GC-IP via Ethernet. The server opens port 60001 for HTTPS connections. The user can choose the Ethernet IP address for testing corresponding to the 10 Gb Ethernet card IP address, as shown in Figure 4‑1.

 

Figure 4‑1 Server application console

 

For upload speed testing, after the handshake has finished, the “server” application receives TxData from the client and counts the received bytes to validate that the amount of received data matches the value from the URL. To achieve the optimal data transfer speed, the received data is left undecrypted and is not verified, so this test measures throughput only. The transfer speed is then displayed on the server console, as shown in Figure 4‑2.

For download speed testing, after the handshake has finished, the “server” application prepares the encrypted data pattern corresponding to the data pattern from the URL and sends it to the client continuously. The download speed is displayed on the server application console, as shown in Figure 4‑3.

 

Figure 4‑2 Server application console when testing upload speed

 

 

Figure 4‑3 Server application console when testing download speed

5       Client web browser

The user can use a web browser to download data from the server with the GET method and to upload data to the server with the POST method.

For downloading a data pattern, the user can input a URL in the following format,

https://ip:port/direction/pattern/length

where:

ip           represents the server’s IP address in dot-decimal notation
port         represents the server’s port number
direction    represents download or upload
pattern      represents the data pattern:
             b1: increasing binary pattern,  b0: decreasing binary pattern,
             t1: increasing text pattern,    t0: decreasing text pattern
length       represents the data length in bytes

For example, if the server’s IP address is 192.168.11.26 and the port number is 60001, the user’s URL is https://192.168.11.26:60001/download/t0/123. Once the secure connection is established, the 123-byte decreasing text pattern is displayed in the web browser, as shown in Figure 5‑1.

 

Figure 5‑1 Decreasing text pattern shown in web browser

 

Remark

-       Our tested web browser is Google Chrome version 116.0.5845.141.

-       The RSA certificate used in this demonstration is a self-signed certificate that was not issued by a certification authority (CA). When accessing the server, the web browser may display a "Not Secure" alert because the certificate cannot be chained to a trusted root.

 

In the case of downloading a binary pattern, a “Save as” dialog window appears. The user can save the file and view the binary data after the download is done.

For downloading existing files in the server/log folder, the user can input a URL in the following format,

https://ip:port/download/log/filename

When the user inputs https://192.168.11.26:60001/download/log/DG.html and DG.html exists in the log folder, the secure connection is established and the html page is downloaded and displayed in the web browser, as shown in Figure 5‑2.

 

Figure 5‑2 DG.html shown in web browser

 

The user can securely upload data with the web browser by requesting uploadMenuHTTPs.html from https://192.168.11.26:60001/upload/menu. The upload menu is displayed in the web browser, as shown in Figure 5‑3. The user can choose the data pattern and data length. The html page prepares the data and sends a POST request followed by the data pattern to the server when the “POST” button is pressed. Because the data length is greater than or equal to 16,000 bytes, when the upload is completed only the data length and transfer speed are displayed on the server console, as shown in Figure 5‑4.

 

Figure 5‑3 Secured upload page

 

 

Figure 5‑4 Server’s console when client uploads large data

 

6       ZCU106 board setup

1)    Make sure the power switch is off and connect the power supply to the FPGA development board.

2)    Connect the two USB cables between the FPGA board and the PC via the micro-USB ports.

3)    Power on the system.

4)    Download the configuration file and firmware to the FPGA board by following these steps:

a)    Open the Vivado TCL shell.

b)    Change the current directory to the download folder which includes the demo configuration file.

c)    Type “TLS10GCTest.bat”, as shown in Figure 6‑1.

 

Figure 6‑1 Example command script for downloading the configuration file

7       Serial Console

The user can set the parameters and download and upload data by using the following commands. The TLS10GCdemo command list and usage are displayed as shown in Figure 7‑1. Detailed information on each command is given in topic 8.

 

Figure 7‑1 Serial console

8       Command detail and testing result

8.1      Set FPGA’s IP Address

command> setip ddd.ddd.ddd.ddd

This command sets the FPGA’s IP address in dotted-decimal format. The default FPGA IP address is 192.168.7.42. The user can enter the setip command followed by a valid IP address, as shown in Figure 7‑1.

 

8.2      Set FPGA’s Port Number

command> setport ddddd

This command sets the FPGA’s static port number in decimal format. By default, the FPGA’s port number is dynamic. Dynamic ports are in the range 49152 to 65535. The user can re-enable the dynamic port after specifying a port number by using the “setport dynamic” command, as shown in Figure 7‑1.

 

8.3      Set FPGA’s MAC address

command> setmac hh-hh-hh-hh-hh-hh

This command sets the FPGA’s MAC address in hexadecimal format. The default FPGA MAC address is 00-01-02-03-04-05.

 

8.4      Enable showkey mode

command> showkey <1: enable, 0: disable>

This command enables showkey mode. When showkey mode is enabled, the TLS traffic ticket (the traffic secrets used for encryption/decryption) is displayed on the serial console, as shown in Figure 8‑1. The user can use the TLS traffic ticket as the (Pre)-Master-Secret log file for Wireshark* to decrypt the data transferred between client and server.

*Wireshark is a network packet analyzer used for network troubleshooting, analysis and security purposes.

 



Figure 8‑1 Serial console when showkey mode is enabled.

 

8.5      Enable showcert mode

command> showcert <1: enable, 0: disable>

This command enables showcert mode. When showcert mode is enabled, the server’s certificate stored in CertRam is displayed on the serial console, as shown in Figure 8‑2. The certificate is displayed in hex format, which matches the output of the openssl command “openssl x509 -in cert.pem -outform der | hexdump -C”, as shown in Figure 8‑3.

 

Figure 8‑2 Serial console when showcert mode is enabled.

 

 

Figure 8‑3 Certificate information from openssl command

 

8.6      Download data

command> myGET protocol://ip:port/download/pattern/length

This command simulates the HTTP GET method to download data from the server. The user inputs a URL and the received data is displayed on the serial console. For downloading a data pattern, the verification feature is enabled. If the received data matches the expected data, the total length of received data and the transfer speed are displayed on the serial console.

If the downloaded data length is more than 16 kB, “Data Length is too large, Show only Transfer speed” is shown instead of the received data, as shown in Figure 8‑4.

 

Figure 8‑4 Serial console when downloading large data

 

In this demonstration, the maximum data length is limited to 1 GB for testing with serverDemo.js and 2 GB for testing with the test software. When the user requests more data than the maximum length, an error message is sent from the server, which makes verification fail, and the actual data and expected data are displayed on the serial console.

For downloading an html page, the verification feature is disabled. The received data is displayed on the serial console, as shown in Figure 8‑5.

 

Figure 8‑5 Serial console when downloading DG.html

 

8.7      Upload data

command> myPOST protocol://ip:port/upload/pattern/length

This command simulates the HTTP POST method to upload data to the server. The user indicates the data pattern and data length in the URL. After the upload is done, the data length and upload speed are displayed, as shown in Figure 8‑6 and Figure 8‑7. On the server’s console, the amount of data sent from the client and the transfer speed are displayed. If the data length is less than 16 kB, the received data is also displayed, as shown in Figure 8‑8.

 

 

Figure 8‑6 Serial console when uploading large data

 

 

Figure 8‑7 Serial console when uploading 123-byte data

 

 

Figure 8‑8 Server console when uploading data

8.8      Full duplex test

command> myFullduplex protocol://ip:port/fullduplex/pattern/length

This command transfers data between client and server in full duplex mode. It simulates the HTTP POST method with the fullduplex URL, which requests a data pattern from the server and at the same time uploads a data pattern to the server. The user indicates the data pattern and data length in the URL. After transmitting and receiving are done, the data length and transfer speed are displayed, as shown in Figure 8‑9.

 

Figure 8‑9 Serial console when full duplex mode is tested

9       Revision History

Revision   Date          Description
1.00       8-Sep-2023    Initial version release
1.01       22-Dec-2023   Add full duplex test