Overview
Programming Protocol-Independent Packet Processors (P4) is an open-source language for programming the data plane on networking devices. P4Runtime is an API for controlling the data plane on devices defined in a P4 program. The P4 language and P4Runtime specification are maintained at p4.org.
The SR Linux eXtensible Data Path (XDP) is not programmed in P4. However, SR Linux is packaged with a fixed P4 program that provides support for marking packets for trapping to a P4Runtime client via PacketIn messages, and transmitting packets from the P4Runtime client to an interface on the device via PacketOut messages. The following fields can be used to mark frames for extraction:
- VLAN ID
- Ethertype
- TTL
This could for example be used to redirect traceroute packets with TTL=0, TTL=1, or TTL=2 to a P4runtime client, so they can be enriched with information that is not visible to the device for the following ACL rules:
-
TTL=0, IPv4 (ethertype 0x0800)
-
TTL=1, IPv4 (ethertype 0x0800)
-
TTL=2, IPv4 (ethertype 0x0800)
-
TTL=0, IPv6 (ethertype 0x86DD)
-
TTL=1, IPv6 (ethertype 0x86DD)
-
TTL=2, IPv6 (ethertype 0x86DD)
Another use case is to use a free ethertype to allow the P4Runtime client to transmit and receive packets on all internal links on all devices in a network as a means of topology discovery.
To accommodate these use cases, the SR Linux runs a process p4rt_server
that runs a gRPC server that provides the interface between P4Runtime clients and SR
Linux.
SR Linux p4rt_server
process
SR Linux supports packet input/output to P4Runtime clients through the
p4rt_server
process. The p4rt_server
process
exposes instances of P4Runtime RPCs that P4Runtime clients can connect to, with
mandatory arbitration to elect a single P4Runtime client as the primary (see P4Runtime client arbitration).
Instead of running multiple processes, SR Linux runs a single
p4rt_server
process with multiple sockets. The
p4rt_server
process can expose sockets in multiple
network-instances, supporting both per network-instance configuration and UNIX-socket
configuration, allowing the p4rt_server
process to run on different
ports or use different authentication mechanisms within different network-instances.
The p4rt_server
process uses TCP port 57400 by default, but this port is
configurable. Communication between client and server is secured using TLS, so that
P4Runtime clients are authenticated using the settings in a TLS profile.
With authenticate-client
set to true
in the TLS
profile, new connections are mutually authenticated. Each entity validates the X.509
certificate of the remote entity to ensure that the remote entity is both known and
authorized to connect to the local system. See the "Using SPIFFE for client
authentication (mTLS)" section in the SR Linux Configuration Basics Guide for
information about using SPIFFE for client authentication in TLS sessions.
The p4rt_server
process runs as the p4rtrpc
user. The
p4rtrpc
user is installed in the tls
group, which
allows the p4rt_server
process to read and use certificates and keys
populated via linux_mgr
.
See Configuring SR Linux for P4Runtime for information about configuring
the p4rt_server
process.