Overview

Programming Protocol-Independent Packet Processors (P4) is an open-source language for programming the data plane on networking devices. P4Runtime is an API for controlling the data plane on devices defined in a P4 program. The P4 language and P4Runtime specification are maintained at p4.org.

The SR Linux eXtensible Data Path (XDP) is not programmed in P4. However, SR Linux is packaged with a fixed P4 program that provides support for marking packets for trapping to a P4Runtime client via PacketIn messages, and transmitting packets from the P4Runtime client to an interface on the device via PacketOut messages. The following fields can be used to mark frames for extraction:

  • VLAN ID
  • Ethertype
  • TTL

This could for example be used to redirect traceroute packets with TTL=0, TTL=1, or TTL=2 to a P4runtime client, so they can be enriched with information that is not visible to the device for the following ACL rules:

  • TTL=0, IPv4 (ethertype 0x0800)

  • TTL=1, IPv4 (ethertype 0x0800)

  • TTL=2, IPv4 (ethertype 0x0800)

  • TTL=0, IPv6 (ethertype 0x86DD)

  • TTL=1, IPv6 (ethertype 0x86DD)

  • TTL=2, IPv6 (ethertype 0x86DD)

Another use case is to use a free ethertype to allow the P4Runtime client to transmit and receive packets on all internal links on all devices in a network as a means of topology discovery.

To accommodate these use cases, the SR Linux runs a process p4rt_server that runs a gRPC server that provides the interface between P4Runtime clients and SR Linux.

SR Linux p4rt_server process

SR Linux supports packet input/output to P4Runtime clients through the p4rt_server process. The p4rt_server process exposes instances of P4Runtime RPCs that P4Runtime clients can connect to, with mandatory arbitration to elect a single P4Runtime client as the primary (see P4Runtime client arbitration).

Instead of running multiple processes, SR Linux runs a single p4rt_server process with multiple sockets. The p4rt_server process can expose sockets in multiple network-instances, supporting both per network-instance configuration and UNIX-socket configuration, allowing the p4rt_server process to run on different ports or use different authentication mechanisms within different network-instances.

The p4rt_server process uses TCP port 9559 by default, but this port is configurable. Communication between client and server is secured using TLS, so that P4Runtime clients are authenticated using the settings in a TLS profile.

With authenticate-client set to true in the TLS profile, new connections are mutually authenticated. Each entity validates the X.509 certificate of the remote entity to ensure that the remote entity is both known and authorized to connect to the local system. See the "Using SPIFFE for client authentication (mTLS)" section in the SR Linux Configuration Basics Guide for information about using SPIFFE for client authentication in TLS sessions.

The p4rt_server process runs as the p4rtrpc user. The p4rtrpc user is installed in the tls group, which allows the p4rt_server process to read and use certificates and keys populated via linux_mgr.

See Configuring SR Linux for P4Runtime for information about configuring the p4rt_server process.