Article: Peeking under the hood of SnapGear’s uClinux-powered VPN appliances
Jan 29, 2003 — by LinuxDevices Staff — from the LinuxDevices Archive
LinuxDevices.com technical editor Jerry Epplin takes a look at SnapGear's award-winning uClinux-based VPN appliances from the perspective of a developer's ability to customize them — and in the process, becomes a uClinux convert . . .
With the impressive improvements made in uClinux in the last couple of years, it has become increasingly practical to implement the networking capabilities of Linux in a small-footprint device. Perhaps the most obvious network-oriented devices for which uClinux is appropriate are firewall/routers, which need all the latest protocols and capabilities, but are in a highly competitive environment in which cost is paramount.
SnapGear's line of VPN router products makes extensive use of this growing uClinux phenomenon — to which SnapGear has been a major contributor.
This review takes a quick look at SnapGear's product and uClinux in general, with an emphasis on the developer perspective. The end user perspective on the SnapGear products has been covered sufficiently elsewhere.
First impressions
I looked at the LITE+ model, a VPN router based on the Motorola MCF5272 Coldfire processor, and having a four-port switch on its LAN side; and at the SME550, SnapGear's latest model, having a SuperH processor and a dedicated chip for hardware acceleration of VPN functions.
(Images: The SnapGear LITE+; SnapGear LITE+ I/O panel; The SnapGear SME550; SnapGear SME550 I/O panel)
From the end-user perspective, my own experience was similar to that of the earlier reviewers: some aspects of the setup were less than intuitive (such as the unit's insistence on being configured through a DHCP client running on its LAN port), but the SnapGear units have an impressive array of features, and are unencumbered by the obnoxious per-client licensing fees some other VPN routers have. I'd also like to see SnapGear make some improvements in the documentation and web-based setup interface — this would make it likelier that an average SOHO administrator, who cannot be expected to be a networking expert, would be able to get going quickly.
To an engineer these issues may seem minor; but to an unsophisticated SOHO user they add unnecessary complexity to an already inherently difficult network configuration job.
Getting friendly with uClinux
But enough of that — of greater interest to many LinuxDevices.com readers is one's ability to change any aspect of the unit that you don't like. The router code is based on the uClinux project code, so you can add or subtract features at will.
I found the uClinux project to be well organized and easy to work with. The developers have taken the time to think through the organization of the source code, write usable documentation, and organize the build process in a way that makes the project a pleasure to work with.
The project has ported an impressive array of well-known open source applications to uClinux, with an understandable tilt toward networking apps like FreeS/WAN. Porting typical applications to uClinux is reportedly usually straightforward — this might be expected, in light of the effort made by the project to integrate uClinux with Linux itself (an effort that has succeeded, as Linus has begun to merge the uClinux patch into the development kernel).
uClinux is probably the most exciting development in embedded Linux today, and perhaps in the larger Linux world as well. If, like me, you were skeptical of uClinux because the idea of redesigning a desktop operating system to work in the most deeply embedded devices just seems wrong, you really need to take a look at the project now.
uClinux is real Linux, with the modifications necessary to run it on processors without memory management units. The project participants have uClinux running productively on a variety of ten-dollar processors like those from the Coldfire and ARM7TDMI families. These chips often come integrated with many of the peripheral capabilities of microcontrollers such as UARTs, SPIs, timers, and digital I/O, as well as with higher level capabilities like SDRAM and Ethernet controllers. So a practical uClinux-based system today consists of little more than a processor and one or two megabytes of flash and DRAM. This puts Linux within sight of all but the most extreme cost-sensitive designs requiring highly integrated eight and sixteen bit microcontrollers. Frankly, I did not believe it would happen — I thought specialized open source embedded operating systems such as eCos would fill the need for mid-level embedded systems. But the uClinux project has done it, and in an impressively short period of time.
The contributions of SnapGear engineers to the success of the uClinux project have been pivotal, and not only with code contributions, but with invariably friendly and patient help to others and with general advocacy. The uClinux participants, including those from SnapGear, have been consistently patient with — and helpful to — the stream of newcomers to the very active uClinux mailing list.
And uClinux is surprisingly well-documented, with well-written documents and background papers at . . .
- the uClinux project website
- SnapGear's website
- uCDot, a recently launched uClinux information and community site
Although it is fair to say that uClinux is still not a short-learning-curve technology, the community is remarkably welcoming and helpful to those wishing to learn.
In short, uClinux has acquired the flexibility that mid-level embedded operating systems must have. It runs on many architectures, boots from and operates from a variety of root filesystem media, and now has the ability to execute in place (XIP) from ROM or Flash. So depending on your system's needs, you might choose to compress your kernel or root filesystem and uncompress them into RAM on bootup, or simply hold either or both of them in flash and use XIP for the kernel and applications.
Configuration and build process
The uClinux configuration and build process is a straightforward extension of the standard Linux “make xconfig” process. You first select one of the supported platforms, configure the kernel in the usual way, then select those applications you wish to include on the target. The process is nearly seamless, and experienced Linux users should have no trouble with it. So a sophisticated user wishing to customize his or her VPN router box can do so, all with tools easily available for free. Try that with your SonicWall unit.
There are, however, some limitations on an independent user's ability to hack the SnapGear routers. The firmware build shipped with the unit contains some differences from the software available from the uClinux project, as follows . . .
- The web-based configuration software is not found in uClinux.
- The IPSec startup program contains some differences from the one provided by freeswan.
- The SnapGear firmware has the ability, not present in uClinux, to failover from the WAN Ethernet interface to the serial port.
- The SnapGear firewall setup program is not present in uClinux.
- The driver for the SME550's cryptographic accelerator chip is proprietary.
So an independent developer attempting to hack a SnapGear router would have to ask for them as binaries from SnapGear, replace them with open source substitutes, or rewrite them. But keep in mind that SnapGear is targeting two distinct markets for their routers: SOHO end users, who are simply looking for routing and VPN capabilities (they won't be hacking their network appliances); and OEMs, who will develop customized applications with the active cooperation of SnapGear, and can therefore obtain the missing components in source or binary form as needed.
General observations and comments
What strikes one most immediately when working simultaneously with the low-end LITE+ and the higher-end SME550 is the consistency of the experience, on both the user and the developer level. Both units are configured and operated in the same way — they come with the same manual. The only discernible user-level difference is in the throughput. For the developer, both are built from the same source code base, with only device drivers and cross-development toolchains distinguishing them. Porting old code and developing new code for one unit essentially gets you code that works on the others as well, unless you're working with some very specific resource such as the SME550's encryption acceleration chip.
SnapGear has an opportunity to do well with their line of VPN routers. They have the hardware in place to provide VPN service to a wide range of organizations; the LITE+ should handle the needs of home and the smallest offices (claiming 0.5 Mbps throughput when using Triple-DES based IPSec), and other models ranging up to the SME550 have sufficient power (the SME550 claims 10 Mbps VPN throughput) for medium-sized networks.
The LITE+ has a 66 MHz MCF5272 Coldfire processor with 2 MB of flash and 4 MB of RAM. It retails for $299.
(Image: The LITE+'s embedded computer)
The SME550, at $499, is powered by an SH-4 processor with 8 MB of flash and 16 MB of RAM, and has a SafeNet SafeXcel 1141 encryption accelerator chip. The 1141 accelerates an impressive variety of cryptographic algorithms and protocols, including: DES, Triple-DES, and AES encryption; MD5 and SHA-1 one-way hashes; Diffie-Hellman, RSA, and DSA public-key operations; and hardware random number generation. With the 1141 and the SH-4 processor, the SME550 should meet the firewall and VPN requirements of the majority of midsize organizations.
(Image: The SME550's embedded computer)
Besides the LITE+ and SME550, SnapGear has other models based on Coldfire and SuperH processors, as well as some based on AMD's x86-compatible SC520.
That SnapGear succeeded in providing consistent user- and developer-level experiences for such a disparate range of hardware is a testament not only to their hard work but to the flexibility of the operating system they used. Moreover, through careful hardware and software design, and thanks to uClinux, SnapGear has managed to embed the power of Linux in a small, flexible, low-cost intelligent appliance — resulting in a great example of where Embedded Linux is increasingly being used.
About the author: Jerry Epplin is Technical Editor of LinuxDevices.com and an independent developer of embedded systems, with an emphasis on medical device software. He's been playing with and working with Linux since . . . uh, well, . . . he's not sure when, but they didn't have loadable modules back then.
This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc. Please visit LinuxToday.com for up-to-date news and articles about Linux and open source.