SOLUTION BRIEF
Enabling Stateful Networking Solutions with Mellanox Indigo™

Mellanox has developed several key software libraries that, when combined
with the flexibility of the Mellanox Indigo™ network processor, enable high
performance stateful networking solutions.

BACKGROUND
The need for more intelligence in the network has never been greater. The
threat of attacks and the level of analysis needed for operators to organize
their networks are increasing in complexity.
Adding intelligence means delving deeper into the packet or bytestream to
offer more understanding of the conversations or “flows” occurring in the
network. This requires ascending higher into the layers of packet processing,
usually referred to as Layers 4-7.
• Firewall/WAF (Web Application Firewall)
• Lawful Interception
• Network Address Translation
• Data Loss Prevention
• WAN Optimization
• Virtual Private Network
• Detection Systems
• Distributed Denial of Service
• Application Delivery Controllers/Load Balancers
• Software Defined Networking
• SBC Session Border Controllers
• Virtualized Networks
These applications share a common software infrastructure, and there
is a growing trend to consolidate these functions and co-locate them. A
significant amount of processing time and compute resources are being
spent in the common infrastructure software, understanding the flows and
what is running on them. Mellanox is focusing on this stateful infrastructure
and providing the best environment for it in terms of scale, performance and
flexibility. This enables application developers to focus on developing
features on top of the stateful infrastructure.
Mellanox is bringing the following advanced software infrastructure
packages to the market:
• High performance crypto
• Stateful flow table (SFT), enabling stateful packet processing
• Deep packet inspection (DPI) engine and associated tools
In addition, Mellanox is working on providing significant acceleration to
a wide range of Virtual Network Functions (VNF) running on standard x86
servers. VNFs for network services such as Session Border Controller,
BRAS, Carrier Grade NAT, firewall, SDN/GGSN gateways, and more can
benefit from the significant hardware accelerations provided by Indigo. This
method of providing acceleration for Network Function Virtualization (NFV) is
referred to as Accelerated Data Plane.

HIGH PERFORMANCE CRYPTO
Indigo provides hardware acceleration features for security applications
(SSL, IPsec, etc.) that deliver up to 180Gb/s of encryption/decryption in
addition to packet processing. Mellanox provides a crypto library that
enables software developed on top of it to implement a full security
solution.

STATEFUL FLOW TABLE (SFT)
At the heart of every stateful packet-processing application, there is a
need to track the network flows. Flow-tracking usually represents a very
significant part of the processing overhead for stateful applications. Mellanox
provides an SFT library uniquely optimized to take advantage of the
massively parallel architecture of the Indigo provided by its 256 CTOP task
optimized processors.
Figure 1 illustrates a high-level view of Indigo data processing. End users
can develop their SFT clients to implement their specific business logic on
top of the Mellanox DPI and SFT applications.
Figure 1. Stateful Flow Table (SFT)
At a high level, the SFT provides the following feature set:
• 6-tuple key (Source IP, Source Port, Dest IP, Dest Port, Protocol, VPN, VTF, Tunnel ID)
• Bi-directional flow; both unidirectional flows are maintained, accommodating NAT awareness
• Seamless IPv4/IPv6 support
• IP fragmentation and out-of-order handling
• L4 support that includes an efficient TCP state machine
• Tunnel stripping
• Multiple client registration with SFT
• Support for elephant flows that require multi-thread processing
The Mellanox SFT is capable of delivering over 400Gb/s of flow processing
while handling 100 million flows with an average packet size of 400 bytes.
The expected peak capability is 600Gb/s while handling 200 million flows
with a 400-byte packet size.
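
The feature list above says both unidirectional flows are maintained to accommodate NAT. The following Python code is an added example, not Mellanox SFT code or its API: it shows why a NAT-aware flow table keeps two unidirectional keys pointing at one shared state rather than a single direction-agnostic key, and how a TCP handshake tracker depends on that. All names, the key layout and the addresses are assumptions constructed for illustration.

```python
# Added example: hypothetical names and layout, not the Mellanox SFT API.
from collections import namedtuple
from dataclasses import dataclass, field

FlowKey = namedtuple("FlowKey", "sip sport dip dport proto")  # one direction

def mirrored(k):
    return FlowKey(k.dip, k.dport, k.sip, k.sport, k.proto)

@dataclass
class FlowState:                    # shared by both directions of a flow
    tcp: str = "NEW"
    packets: list = field(default_factory=lambda: [0, 0])  # [forward, reverse]

# Handshake-only TCP tracking: (state, direction, flags) -> next state
TCP_NEXT = {("NEW", 0, "S"): "SYN_SENT",
            ("SYN_SENT", 1, "SA"): "SYN_RCVD",
            ("SYN_RCVD", 0, "A"): "ESTABLISHED"}

class FlowTable:
    def __init__(self):
        self._entries = {}          # unidirectional key -> (FlowState, direction)

    def open_flow(self, fwd, rev=None):
        # Install two unidirectional entries; under NAT rev is not fwd mirrored.
        state = FlowState()
        self._entries[fwd] = (state, 0)
        self._entries[rev or mirrored(fwd)] = (state, 1)
        return state

    def on_packet(self, key, flags):
        hit = self._entries.get(key)
        if hit is None:
            return None             # unknown flow: caller decides (drop, slow path)
        state, direction = hit
        state.packets[direction] += 1
        state.tcp = TCP_NEXT.get((state.tcp, direction, flags), state.tcp)
        return state

def demo():
    # Constructed addresses: client 10.0.0.5 is source-NATed to 198.51.100.1:61000.
    table = FlowTable()
    fwd = FlowKey("10.0.0.5", 40000, "203.0.113.10", 443, 6)
    rev = FlowKey("203.0.113.10", 443, "198.51.100.1", 61000, 6)
    table.open_flow(fwd, rev)
    for key, flags in ((fwd, "S"), (rev, "SA"), (fwd, "A")):
        state = table.on_packet(key, flags)
    stray = table.on_packet(mirrored(fwd), "SA")   # mirrored key is not the reply
    return state.tcp, state.packets, stray
```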

DPI ENGINE
Application recognition (AR) is defined as the ability to map flows in the
network to one of approximately 3000 different known applications,
enabling an understanding of how network resources are being consumed
by each. AR is the basis for any Deep Packet Inspection solution and,
therefore, is the initial target of the Mellanox DPI solution. An L4-7
reporting library is also provided as part of the AR solution that generates
NetFlow v9 applicative reports.
The Mellanox DPI solution is composed of the following blocks:
A DPI compiler takes thousands of signatures as input. These signatures
describe in regular expressions the means to recognize various applications
or protocols. The DPI compiler compiles these signatures into a CDO file
that is loaded into the DPI engine on Indigo for application recognition
processing on the data stream. Through a partnership with Qosmos
(www.qosmos.com), Mellanox can provide extensive coverage of more than
3000 signatures. The DPI compiler processes the signatures in a definition
language defined by Qosmos and is compatible with all the signatures they
provide.
The DPI engine runs on Indigo as part of the data-path processing code.
The DPI engine processes the data stream while attempting to match the
incoming traffic to the set of signatures provided by the DPI compiler. The
DPI engine relies on the flow infrastructure provided by the SFT and is
therefore one of its clients.
Figure 2. DPI Architecture
[Figure 2 labels: Server, Signatures, DPI Compiler, Compile, CDO File, Load, IDG4400, Packets, SFT, DPI Engine, Parsers, Traverser, AR framework]
The DPI engine provides the following feature set:
• Built on top of the SFT library
• Provides seamless cross-packet matching and extraction
• Enables classification code to be built in C and/or loaded after compilation by the DPI compiler
• Maintains two sets of signatures, allowing for hitless upgrade capability
• Support for a set of 3000 signatures provided in partnership with Qosmos
• Enables customer-defined signatures to be added and compiled
The DPI engine delivers high performance, with more than 400Gb/s of DPI,
for 100M sessions, and 2.5M per second session creation.

HARDWARE ACCELERATION FOR NFV
Operators who are deploying VNFs on commodity servers are facing scale
and performance issues. Many of the VNFs have their performance limited
by small functional blocks in their software infrastructure. Mellanox’s
Accelerated Data Plane library will enable the business logic to run on x86
servers while the VNFs take advantage of the hardware acceleration on
Indigo for some of the infrastructure blocks. The programming of Indigo is
totally transparent to the VNF implementers, and the hardware acceleration
capabilities of Indigo are exported to the VNF programmer through an API
library on the x86.
Most of the VNFs can significantly benefit from the flow identification and
DPI hardware offload provided by the combination of Indigo and its SFT and
DPI libraries. Mellanox is developing a user API on the x86 that enables
access to those hardware accelerators transparently. In the long term, that
API will be published openly in an effort to standardize.
Figure 3. NFV Acceleration

AVAILABILITY
The Mellanox Crypto library, SFT and DPI solutions are available today as
part of the Indigo Software Development Kit. These SW libraries can be
used by chip-level system designers, or users of the IDG4400 Flex platform,
to form state-of-the-art stateful solutions running at peak performance on
Indigo.

350 Oakmead Parkway, Suite 100, Sunnyvale, CA 94085
Tel: 408-970-3400 • Fax: 408-970-3403
www.mellanox.com
© Copyright 2017. Mellanox Technologies. All rights reserved.
Mellanox and Mellanox logo are registered trademarks of Mellanox Technologies, Ltd. Indigo is a trademark of Mellanox Technologies, Ltd.
All other trademarks are property of their respective owners.
15-52424SB
Rev2.3