10 Gbps Line Speed Programmable Hardware for Open Source Network Applications*



Similar documents
Parallel Programming

Middleware and Distributed Systems. Introduction. Dr. Martin v. Löwis

Scalability and Classifications

Networking Virtualization Using FPGAs

QRadar Security Intelligence Platform Appliances

Service and Resource Discovery in Smart Spaces Composed of Low Capacity Devices

Driving force. What future software needs. Potential research topics

Reconfigurable Architecture Requirements for Co-Designed Virtual Machines

Chapter 2 Parallel Architecture, Software And Performance

Securing the Intelligent Network

Compiling PCRE to FPGA for Accelerating SNORT IDS

Introduction to GPU Programming Languages

Securing Local Area Network with OpenFlow

EAGLE EYE IP TAP. 1. Introduction

Introduction to Cloud Computing

LSN 2 Computer Processors

Computer Architecture TDTS10

A Security Specification Language (SSL) for Run-Time Policy Enforcement

Service Description DDoS Mitigation Service

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Router Architectures

Achieving Nanosecond Latency Between Applications with IPC Shared Memory Messaging

A Framework for End-to-End Proactive Network Management

White Paper Abstract Disclaimer

Accelerating the Data Plane With the TILE-Mx Manycore Processor

Parallel Computing. Benson Muite. benson.

Lecture 23: Multiprocessors

Definition of a White Box. Benefits of White Boxes

SOFTWARE-DEFINED NETWORKING AND OPENFLOW

Exploiting Stateful Inspection of Network Security in Reconfigurable Hardware

SDN/Virtualization and Cloud Computing

A Low Latency Library in FPGA Hardware for High Frequency Trading (HFT)

Cisco Bandwidth Quality Manager 3.1

Decomposition into Parts. Software Engineering, Lecture 4. Data and Function Cohesion. Allocation of Functions and Data. Component Interfaces

Bro at 10 Gps: Current Testing and Plans

Xeon+FPGA Platform for the Data Center

Foundation for High-Performance, Open and Flexible Software and Services in the Carrier Network. Sandeep Shah Director, Systems Architecture EZchip

ETHERNET ENCRYPTION MODES TECHNICAL-PAPER

How Router Technology Shapes Inter-Cloud Computing Service Architecture for The Future Internet

An Open Architecture through Nanocomputing

An Introduction to Parallel Computing/ Programming

Enhance Service Delivery and Accelerate Financial Applications with Consolidated Market Data

Restorable Logical Topology using Cross-Layer Optimization

Threat Advisory: Trivial File Transfer Protocol (TFTP) Reflection DDoS

Lustre Networking BY PETER J. BRAAM

PCI Express: The Evolution to 8.0 GT/s. Navraj Nandra, Director of Marketing Mixed-Signal and Analog IP, Synopsys

Open Flow Controller and Switch Datasheet

DPtech ADX Application Delivery Platform Series

UNITE: Uniform hardware-based Network Intrusion detection Engine

How To Use The Cisco Wide Area Application Services (Waas) Network Module

Extreme Networks CoreFlow2 Technology TECHNOLOGY STRATEGY BRIEF

COURSE OUTLINE Survey of Operating Systems

Swordfish

Systolic Computing. Fundamentals

The new frontier of the DATA acquisition using 1 and 10 Gb/s Ethernet links. Filippo Costa on behalf of the ALICE DAQ group

Facilitating Network Management with Software Defined Networking

Beyond Monitoring Root-Cause Analysis

Software Defined Networking

REMOVING THE BARRIERS FOR DATA CENTRE AUTOMATION

Network Technologies for Next-generation Data Centers

A Network Management Framework for Emerging Telecommunications Network.

Network/Internet Forensic and Intrusion Log Analysis

Using Fuzzy Logic Control to Provide Intelligent Traffic Management Service for High-Speed Networks ABSTRACT:

The Past, Present, and Future of Software Defined Networking

FPGA-based MapReduce Framework for Machine Learning

Enabling Cloud Architecture for Globally Distributed Applications

Application Centric Infrastructure Object-Oriented Data Model: Gain Advanced Network Control and Programmability

Multi-core Programming System Overview

Automated Mitigation of the Largest and Smartest DDoS Attacks

Resource Utilization of Middleware Components in Embedded Systems

A very short history of networking

Blue Planet. Introduction. Blue Planet Components. Benefits

Intrusion Detection in AlienVault

CFD Implementation with In-Socket FPGA Accelerators

How To Set Up Foglight Nms For A Proof Of Concept

REAL-TIME STREAMING ANALYTICS DATA IN, ACTION OUT

Bricata Next Generation Intrusion Prevention System A New, Evolved Breed of Threat Mitigation

PRODUCTS & TECHNOLOGY

Principle and Implementation of. Protocol Oblivious Forwarding

CHAPTER 5 FINITE STATE MACHINE FOR LOOKUP ENGINE

Software Defined Networking & Openflow

Big data platform for IoT Cloud Analytics. Chen Admati, Advanced Analytics, Intel

High Performance Computing

Configurable String Matching Hardware for Speeding up Intrusion Detection. Monther Aldwairi*, Thomas Conte, Paul Franzon

Cisco Wireless Security Gateway R2

Design Issues in a Bare PC Web Server

Data Sheet. V-Net Link 700 C Series Link Load Balancer. V-NetLink:Link Load Balancing Solution from VIAEDGE

Integration Guide. EMC Data Domain and Silver Peak VXOA Integration Guide

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Putting it on the NIC: A Case Study on application offloading to a Network Interface Card (NIC)

RoCE vs. iwarp Competitive Analysis

White Paper Increase Flexibility in Layer 2 Switches by Integrating Ethernet ASSP Functions Into FPGAs

Transcription:

10 Gbps Line Speed Programmable Hardware for Open Source Network Applications* Livio Ricciulli livio@metanetworks.org (408) 399-2284 http://www.metanetworks.org *Supported by the Division of Design Manufacturing Industrial Innovation of the National Science Foundation (Award #0339343) and Rome Laboratories.

Brief History Active Networks (DARPA Program) Change behavior of network components (routers) dynamically (add new protocols, flow control algorithms, monitoring, etc..) Discrete. Update network through separate management operations. Integrated. Packets cause network to update itself Broad scope did not result in industry adoption Lack of killer application Too much too soon

Brief History (Cont.) Metanetworks bottom-up approach Achieve programmability reusing current infrastructure Augment networks with non-invasive technology Application-driven rather than design-driven Revisit hardware computational model

10 Gbps IDS/IPS Hardware Open architecture to leverage open source software More robust, more flexible, promotes composition Directly support Snort signatures Abstract hardware as a network interface from OS prospective

10 Gbps IDS/IPS Hardware (Cont.) Retain high-degree of programmability New threat models (around the corner) Extend to application beyond IDS/IPS Line-speed/low latency to allow integration in production networks Hardware support for adaptive information management

1-10Gb Hardware Architecture Latency < 0.5 µs PHY L-1 PHY Block + Read Only FPGA State RAM RAM Packets >1M Concurrent Flows < 1500 Static Policies Synthesis + firmware update IPS/ IDS < 100 Dynamic Policies Compilation + runtime update

MIMD Instructions Flynn s Computer Taxonomy Get packet Compare to rules MISD Alert Reduction Network Memory Memory Memory Memory Processor Processor Processor Processor Data Alert P0 P1.... Instructions Pn Data SISD Instructions Memory Processor Data Get packet Compare to rules Alert SIMD Reduction Network P0 P1.... Data Alert Pn Instructions

MISD Programmable Hardware Block FPGA Stateful Analysis Reduction Network R1 R2.... Rn Receive Clock Data Valid Data Stream Match Memory Host Interface

Static analysis of large number of IDS signatures CA CATCHTHISONE SO NE 1 MA TC HT HI S 1 MATCHTHIS Transform Snort rules or BPF expressions into a low-level declarative language Extract fine-grain parallelism across thousands of signatures Define independent FSMs each implementing a signature Share comparison logic across multiple FSMs Synthesizer further optimizes Merge multiple FSMs sharing intermediate states Eliminate redundant rules

Some Rule Compression Results Component Counts 8000 7000 6000 5000 4000 3000 2000 1000 0 0 500 1000 1500 Comp Edges Comp saved Snort Rules

10Gbps Information bandwidth management Host bandwidth is approximately 1/100th of fast-path Flooding not to be used to compromise blocking capability Flooding can be exploited to reduce efficacy of monitoring Need to find needle in a haystack but needs to cope with flood of packets Hardware stateful analysis (implemented) Intelligent Monitoring Application-level programmability

Intelligent Monitoring (work in progress) Rule 1 2 3 4 5... n Σ > T? Switch off lower priority rules and report number of triggers only (NOT entire packet). T = maximum amount of alerts tolerable

Application-level programmability API to let user write adhoc wire-speed code Data parallel architecture provides determinism It either fits or it does not fit in the FPGA It either meets timing or does not meet timing Load/store network processing much harder to predict Capture User Defined Payload Host Interface Applications Applications Reduction Network Valid Offset Block Payload Address Data RW Common Functions Block Memory Interface PCI Interface FPGA Capture User Defined Payload Valid Offset Payload Packet Proc. Block Capture Standard OS Layer-1

Summary Bottom-up design approach promising in delivering line speed hardware programmability Extremely low latency design enables a wide variety of deployment options Can (cost-effectively) scale to 10 Gbps Ethernet Processing paradigm lends itself to ad-hoc application level programmability More work needed in hardware support for effectively managing floods of information Much work needed to support composabilty Livio Ricciulli livio@metanetworks.org (408) 399-2284 www.metanetworks.org

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information