Porting IDS/IPS Applications to DPDK Platform
Agenda
• IDS/IPS Application Packet Pipeline
• Explore into:
  Bottlenecks    Solutions
  I/O            PCIe Slot-NUMA map
  CPU            Custom Libraries
  Application    Packet Filter, Lookup, Distribution and Modeling
  Ecosystem      VirtIO, Proc-Info, SIMD, Custom Lookup
Look into Suricata
Worker Thread
RX NIC → Capture → Decode → Stream → Detect → Output → TX NIC
Suricata is a free and open source, mature, fast and robust network threat detection engine. The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.
"Suricata's multi-threaded architecture can support high performance multi-core and multiprocessor systems, Jonkman said." -- (Computerworld)
Flow identification
Stream Identification
Stream Capture
Buffers & Flows limit
Copies
Exact match
Pattern match
IDS-IPS in Passive & Active mode
Network I/O (Multiple 10Gbit/s Interfaces)
Control, Configuration and Stats (CLI and Socket interface)
High Speed User Space TCP and SSL stack configured in proxy mode.
Clear Text
Encrypted Encrypted
Dive into Bottlenecks
Do we need to re-invent the Intrusion Detection, Intrusion Prevention or Network Security Monitoring utility?
SoC using PCIe virtual dev library
Network I/O
Config & Mgmt
TCP SSL Stack
DPDK PMD & MBUF Manager
User Space
• Keep packet in User Space
• Reduce latency between NIC to NIC
• Smart Filter
DPDK PMD library to rescue the I/O bottleneck
[Chart: NIC to NIC PCIe, 1 queue. Y axis: Mbits/sec (0 to 1000); X axis: packet size (64 byte RX, 64 byte TX, 1500 byte RX, 1500 byte TX). Plotted values as extracted: 480, 150, 780, 220, 625, 273, 944, 473.]
SoC allowed up to 32 bidirectional PCIe user space queues
Worker Threads Offloading
DPDK worker threads for running RX-TX with Suricata workers (CPU & Application Model)
Suricata using DPDK
RX NIC TX NIC
Capture Decode Stream Detect Output
Worker Threads
Capture Decode Stream Detect Output
RSS HASH
Parse for metadata
Match for rule set
Buffer & Zero Copy
Improvement (No Pkt Process), Mbits/sec
         Byte 64               Byte 1500
         DPDK    AF-Workers    DPDK    AF-Workers
P1 RX    1000    499           1000    826
P1 TX    382     251           1000    416
P2 RX    1000    475           1000    825
P2 TX    382     213           1000    472
[Chart: the same values as bars, Mbits/sec (0 to 1200) for P1 RX, P1 TX, P2 RX, P2 TX.]
Eco-System
Setup
Supermicro 4 core Xeon at 2.6 GHz and onboard 2 * 1G i350 (2x PCIe Gen2)
DPDK 1 core - 2 worker cores, 1 DPDK RX-TX. AF-Workers - 3 worker cores
• Distributed lcore and NIC, i.e. single socket interfaces single NIC (4 * 10G).
• Single machine for processing, filter, flow and Suricata.
• Reduced packet latency, since there is no inter NIC-NIC transmission.
• Localized user DPDK and custom Suricata helps in zero copy.
Learnings
Reality Check - All Done?
Unexpected Follow on!!!
Feedback
1. Works Partially
2. Worse Throughput
EXPECTATION
./testSlot.py
+++ DPDK NIC to Physical slot Mapping +++
++++++++++++++++++++++++++++++++++
Bus: 04:00.2 Slot: 5 Node: 0 Driver: igb_uio
Bus: 08:00.3 Slot: 1 Node: 0 Driver: igb_uio
Bus: 08:00.0 Slot: 1 Node: 0 Driver: igb_uio
Bus: 83:00.1 Slot: 2 Node: 1 Driver: igb_uio
Bus: 85:00.1 Slot: 4 Node: 1 Driver: igb_uio
Bus: 85:00.2 Slot: 4 Node: 1 Driver: igb_uio
Bus: 85:00.3 Slot: 4 Node: 1 Driver: igb_uio
----------------------------------------------------
PCIe address: Numa Slot: Physical slot
• populateNodeInfo() & displayNodeInfo()
INFO: DPDK Ver: DPDK 16.11.0 rte_eal_process_type: Primary!!
NODE: 0 -- PORT --
^^ 1G ports: 0x0 count: 0 // nodePtr->port1G_map[0]
^^ 10G ports: 0x7 count: 3 // nodePtr->port10G_map[0]
^^ 40G ports: 0x0 count: 0 // nodePtr->port40G_map[0]
NODE: 1 -- PORT --
^^ 1G ports: 0x0 count: 0 // nodePtr->port1G_map[1]
^^ 10G ports: 0xf count: 4 // nodePtr->port10G_map[1]
^^ 40G ports: 0x0 count: 0 // nodePtr->port40G_map[1]
• port1G_init, port10G_init, port40G_init
• getCount1gPorts, getCount10gPorts, getCount40gPorts
Numa Wrapper - Coremask & PortMask per NUMA
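The per-node output above (0x7 / count 3 on node 0, 0xf / count 4 on node 1) can be rebuilt from the slot map. The following is an added example, not the deck's testSlot.py or NUMA wrapper code: it parses the slot-map lines, builds the per-node port masks, and counts ports that would be polled from a remote NUMA node. The struct and function names, the node-local bit numbering, the extra "Node: -1" line and the lcore placements are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NODES 8   /* assumption: enough NUMA nodes for this example */

struct nic_entry {
    char bdf[16];     /* PCIe bus:device.function as printed */
    int  slot;        /* physical slot number */
    int  node;        /* NUMA node, -1 when the platform reports none */
    char driver[32];
};

struct node_info {
    uint64_t port_mask;   /* assumption: bit i set for the i-th port found on this node */
    unsigned port_count;
};

/* Constructed sample input: the mapping lines from the slide, plus one
 * constructed device with no NUMA affinity (node -1), as virtio ports report. */
static const char *const SAMPLE_LINES[] = {
    "Bus: 04:00.2 Slot: 5 Node: 0 Driver: igb_uio",
    "Bus: 08:00.3 Slot: 1 Node: 0 Driver: igb_uio",
    "Bus: 08:00.0 Slot: 1 Node: 0 Driver: igb_uio",
    "Bus: 83:00.1 Slot: 2 Node: 1 Driver: igb_uio",
    "Bus: 85:00.1 Slot: 4 Node: 1 Driver: igb_uio",
    "Bus: 85:00.2 Slot: 4 Node: 1 Driver: igb_uio",
    "Bus: 85:00.3 Slot: 4 Node: 1 Driver: igb_uio",
    "Bus: 00:06.0 Slot: 0 Node: -1 Driver: net_virtio",
};
#define SAMPLE_COUNT (sizeof(SAMPLE_LINES) / sizeof(SAMPLE_LINES[0]))

/* Parse one slot-map line; returns 0 on success, -1 if the line is malformed. */
int parse_slot_line(const char *line, struct nic_entry *out)
{
    memset(out, 0, sizeof(*out));
    return sscanf(line, "Bus: %15s Slot: %d Node: %d Driver: %31s",
                  out->bdf, &out->slot, &out->node, out->driver) == 4 ? 0 : -1;
}

/* Fill nodes[] and nics[] from the lines. Returns how many ports could not
 * be placed on a node (malformed line, node -1, or node out of range). */
unsigned build_node_info(const char *const *lines, size_t n,
                         struct node_info nodes[MAX_NODES],
                         struct nic_entry *nics)
{
    unsigned unplaced = 0;
    memset(nodes, 0, sizeof(struct node_info) * MAX_NODES);
    for (size_t i = 0; i < n; i++) {
        if (parse_slot_line(lines[i], &nics[i]) != 0 ||
            nics[i].node < 0 || nics[i].node >= MAX_NODES) {
            nics[i].node = -1;          /* mark as "no affinity" */
            unplaced++;
            continue;
        }
        struct node_info *ni = &nodes[nics[i].node];
        if (ni->port_count < 64)        /* width of the mask */
            ni->port_mask |= UINT64_C(1) << ni->port_count;
        ni->port_count++;
    }
    return unplaced;
}

/* poll_node[i] is the NUMA node of the lcore that polls port i (in a DPDK
 * application this would come from rte_lcore_to_socket_id()). Returns the
 * number of ports polled from a remote node; ports without affinity are
 * not counted. */
unsigned count_remote_polls(const struct nic_entry *nics, size_t n,
                            const int *poll_node)
{
    unsigned remote = 0;
    for (size_t i = 0; i < n; i++)
        if (nics[i].node >= 0 && nics[i].node != poll_node[i])
            remote++;
    return remote;
}

int main(void)
{
    struct node_info nodes[MAX_NODES];
    struct nic_entry nics[SAMPLE_COUNT];
    /* Constructed placements: every port polled from node 0, then node-local. */
    const int naive[SAMPLE_COUNT] = {0, 0, 0, 0, 0, 0, 0, 0};
    const int local[SAMPLE_COUNT] = {0, 0, 0, 1, 1, 1, 1, 0};

    unsigned unplaced = build_node_info(SAMPLE_LINES, SAMPLE_COUNT, nodes, nics);
    for (int n = 0; n < 2; n++)
        printf("NODE: %d ports: 0x%llx count: %u\n", n,
               (unsigned long long)nodes[n].port_mask, nodes[n].port_count);
    printf("ports without NUMA affinity: %u\n", unplaced);
    printf("remote polls, all lcores on node 0: %u\n",
           count_remote_polls(nics, SAMPLE_COUNT, naive));
    printf("remote polls, node-local lcores: %u\n",
           count_remote_polls(nics, SAMPLE_COUNT, local));
    return 0;
}
```

A non-zero remote-poll count means packets for that port cross the inter-socket link on every burst, which is one way an IDS port ends up with worse throughput than expected.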
VirtIO Hurdles
1. Device start & stop not working
2. Link state set up & down fails
3. LSR call back does not work
4. Application proc-info does not show stats for the right primary application.
5. Application proc-info corrupts rte_dev_data when pcap in use
Timer Hurdles
1. Timers used in
   1. Reassembly – IP
   2. Protocols – TCP, Path Monitoring, ARP
   3. Scheduling, Event expiry
   4. Stats
2. Latency
   1. Tick to software
   2. Expiry
   3. Application notification
   4. Starting
   5. Threshold tick values (demo)
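#include <immintrin.h> /* AVX2 intrinsics; build with -mavx2 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Folded 16-bit one's-complement sum of the buffer (not inverted).
 * The 32-bit accumulator is sized for packet buffers (under 128 KiB).
 */
static inline __attribute__((always_inline)) int avxChecksumV2(const char * const target, size_t targetLength)
{
    unsigned int checksum = 0;
    size_t offset = 0;
    uint16_t word;
    const __m256i zero = _mm256_setzero_si256();
    __m256i vec, lVec, hVec, sum;

    if (targetLength >= 32) {
        /* 32 bytes (sixteen 16-bit words) per iteration */
        for (; offset <= targetLength - 32; offset += 32) {
            vec = _mm256_loadu_si256((__m256i const *)(target + offset));
            /* zero-extend each 16-bit word to 32 bits before adding */
            lVec = _mm256_unpacklo_epi16(vec, zero);
            hVec = _mm256_unpackhi_epi16(vec, zero);
            sum = _mm256_add_epi32(lVec, hVec);
            /* two horizontal adds leave each 128-bit lane's total in every element of that lane */
            sum = _mm256_hadd_epi32(sum, sum);
            sum = _mm256_hadd_epi32(sum, sum);
            /* element 0 holds the low lane's total, element 4 the high lane's */
            checksum += (unsigned int)_mm256_extract_epi32(sum, 0) + (unsigned int)_mm256_extract_epi32(sum, 4);
        }
    }

    /* remaining whole 16-bit words; memcpy avoids unaligned, aliasing-unsafe loads */
    for (; targetLength - offset >= 2; offset += 2) {
        memcpy(&word, target + offset, sizeof(word));
        checksum += word;
    }

    /* odd trailing byte, treated as a word padded with a zero byte (little-endian host) */
    if (targetLength - offset)
        checksum += *((const uint8_t *)target + offset);

    /* fold the carries into the low 16 bits; the second fold absorbs the carry of the first */
    checksum = ((checksum & 0xffff0000) >> 16) + (checksum & 0xffff);
    checksum = ((checksum & 0xffff0000) >> 16) + (checksum & 0xffff);
    return checksum;
}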
Comparison:
0.468157 task-clock (msec) # 0.461 CPUs utilized ( +- 1.66% )
0 context-switches # 0.000 K/sec
0 cpu-migrations # 0.000 K/sec
42 page-faults # 0.091 M/sec ( +- 0.58% )
5,63,229 cycles # 1.203 GHz ( +- 1.82% )
<not supported> stalled-cycles-frontend
<not supported> stalled-cycles-backend
4,04,106 instructions # 0.72 insns per cycle ( +- 0.43% )
78,541 branches # 167.765 M/sec ( +- 0.50% )
3,538 branch-misses # 4.50% of all branches ( +- 0.30% )
0.446172 task-clock (msec) # 0.471 CPUs utilized ( +- 4.43% )
0 context-switches # 0.000 K/sec
0 cpu-migrations # 0.000 K/sec
42 page-faults # 0.095 M/sec ( +- 0.47% )
5,39,201 cycles # 1.209 GHz ( +- 3.08% )
<not supported> stalled-cycles-frontend
<not supported> stalled-cycles-backend
4,03,597 instructions # 0.75 insns per cycle ( +- 0.64% )
78,162 branches # 175.184 M/sec ( +- 0.53% )
3,199 branch-misses # 4.09% of all branches ( +- 6.27% )
SIMD Checksum
Vectorization isn’t something that will work for all programs, but if yours is data-intensive, perhaps running simulations, processing graphics, or repeated financial calculations, consider vectorization. It might only take a slight rewrite of your program’s data structures and layout to have the compiler auto-vectorize it.
Guest OS
Final Solution
References
• https://blog.selectel.com/introduction-dpdk-architecture-principles/
• https://github.com/vipinpv85?tab=repositories
• http://blog.talosintelligence.com/2010/07/innovation-you-keep-using-that-word.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+Vrt+(Sourcefire+VRT+-+Vulnerability+Research,+Snort+Rules+and+Explosions
• http://blog.talosintelligence.com/2010/06/single-threaded-data-processing.html
PROC-INFO
Enhancement for fetching Primary Application Port stats
Primary Port Details
• Intf: 0 Speed: 10000 Duplex: Full Status: up
• - driver:; - if_index: 0
• - driver: Pcap PMD; - if_index: 5
• - driver: net_virtio PMD; - if_index: 7
• -- ADDR - domain:bus:devid:function 0000:0000:06.0; == PCI ID - vendor:device:sub-vendor:sub-device 1af4:1000:1af4:0001
• - driver: net_virtio; - if_index: 0
• -- ADDR - domain:bus:devid:function 0000:0000:07.0; == PCI ID - vendor:device:sub-vendor:sub-device 1af4:1000:1af4:0001
• Intf: 0 Speed: 10000 Duplex: Full Status: up
• - driver: net_virtio; - if_index: 0
• - driver: Pcap PM; - if_index: 5
• - driver: Pcap PMD; - if_index: 7
• -- ADDR - domain:bus:devid:function 0000:0000:06.0; == PCI ID - vendor:device:sub-vendor:sub-device 1af4:1000:1af4:0001
• - driver: net_virtio; - if_index: 0
• -- ADDR - domain:bus:devid:function 0000:0000:07.0; == PCI ID - vendor:device:sub-vendor:sub-device 1af4:1000:1af4:0001
New proc-info stats
• ######################## NIC statistics for port 0 ########################
• - name: eth_pcap0; - DPDK Port id: 0
  5: veth_fp_adk1@veth_k_adk1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000; link/ether a2:dd:48:c2:65:33 brd ff:ff:ff:ff:ff:ff
• ######################## NIC statistics for port 1 ########################
• - name: eth_pcap1; - DPDK Port id: 1
  7: veth_fp_adk2@veth_k_adk2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000; link/ether 0e:42:c4:8b:bf:4c brd ff:ff:ff:ff:ff:ff
• ######################## NIC statistics for port 2 ########################
• - name: 0000:00:06.0; - DPDK Port id: 2; - numa node: -1 mtu: 1500 dev_started: 1 promiscuous: 1; - dev_link: speed: 10000 duplex: 1 autoneg: 0 status: 1; - kdrv: 1
• - mac_addrs: 52:54:00:c3:1d:a8; - min_rx_buf_size: 2176; - all_multicast: 0 dev_flags: 1; - nb_rx_queues: 1 nb_tx_queues: 1
• ######################## NIC statistics for port 3 ########################
• - name: 0000:00:07.0; - DPDK Port id: 3; - numa node: -1 mtu: 1500 dev_started: 1 promiscuous: 1; - dev_link: speed: 10000 duplex: 1 autoneg: 0 status: 1; - kdrv: 1
• - mac_addrs: 52:54:00:b5:95:1b; - min_rx_buf_size: 2176; - all_multicast: 0 dev_flags: 1; - nb_rx_queues: 1 nb_tx_queues: 1
Custom Lookup
[Chart: Custom lookup. Y axis: connections/sec (0 to 35000); X axis: key size (1024, 2048, 4096); series: Linked List, Array, Hash Array. Plotted values as extracted: 1600, 950, 625, 8000, 2400, 2970, 30000, 12000, 7500.]

 

DPDK layer for porting IPS-IDS

  • 1. Porting IDS/IPS Applications to DPDK Platform
  • 2. Agenda
      • IDS/IPS Application Packet Pipeline
      • Explore into

        Bottlenecks    Solutions
        I/O            PCIe Slot-NUMA map
        CPU            Custom Libraries
        Application    Packet Filter, Lookup, Distribution and Modeling
        Ecosystem      VirtIO, Proc-Info, SIMD, Custom Lookup
  • 3. Look into Suricata
      Diagram: RX NIC; Worker Thread (Capture, Decode, Stream, Detect, Output); TX NIC
      Suricata is a free and open source, mature, fast and robust network threat detection engine. The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.
      "Suricata's multi-threaded architecture can support high performance multi-core and multiprocessor systems, Jonkman said." -- (Computerworld)
      Diagram labels: Flow identification; Stream Identification; Stream Capture; Buffers & Flows limit; Copies; Exact match; Pattern match
  • 4. IDS-IPS in Passive & Active mode
      Diagram labels: Network I/O (Multiple 10Gbit/s Interfaces); Control, Configuration and Stats (CLI and Socket interface); High Speed User Space TCP and SSL stack configured in proxy mode; Clear Text; Encrypted; Encrypted
  • 5. Dive into Bottlenecks: Do we need to re-invent the Intrusion Detection, Intrusion Prevention or Network Security Monitoring utility?
  • 6. SoC using PCIe virtual dev library
      Diagram labels: Network I/O; Config & Mgmt; TCP SSL Stack; DPDK PMD & MBUF Manager; User Space
      • Keep packet in User Space
      • Reduce latency between NIC to NIC
      • Smart Filter
      DPDK PMD library to rescue the I/O bottleneck
  • 7. Chart (Mbits/sec by packet size), labelled: Packet NIC to NIC PCIe 1 queue
      Categories: 64 byte RX, 64 byte TX, 1500 byte RX, 1500 byte TX
      Data labels in chart order: 480, 150, 780, 220; 625, 273, 944, 473
      SOC allowed up to 32 bidirectional PCIe user space queues
  • 8. Worker Threads Offloading: DPDK worker threads for running RX-TX with Suricata workers (CPU & Application Model)
  • 9. Suricata using DPDK
      Diagram labels: RX NIC; TX NIC; Worker Threads (Capture, Decode, Stream, Detect, Output, shown twice); RSS HASH; Parse for metadata; Match for rule set; Buffer & Zero Copy
  • 10. Improvement (No Pkt Process), Mbits/sec

                 Byte 64               Byte 1500
                 DPDK    AF-Workers    DPDK    AF-Workers
        P1 RX    1000    499           1000    826
        P1 TX    382     251           1000    416
        P2 RX    1000    475           1000    825
        P2 TX    382     213           1000    472
  • 12. Setup
      Super micro 4 core Xeon at 2.6 GHz and onboard 2 * 1G i350 (2x PCIe Gen2)
      DPDK 1 core - 2 worker cores, 1 DPDK RX-TX.
      AF-Workers - 3 worker cores
      Learnings
      • Distributed lcore and NIC, i.e. single socket interfaces single NIC (4 * 10G).
      • Single machine for processing, filter, flow and Suricata.
      • Reduced packet latency, since there is no inter NIC-NIC transmission.
      • Localized user DPDK and custom Suricata help in zero copy.
  • 13. Reality Check - All Done? Unexpected Follow on!!!
  • 14. Feedback
      1. Works Partially
      2. Worse Throughput
      EXPECTATION
  • 15. ./testSlot.py

        +++ DPDK NIC to Physical slot Mapping +++
        ++++++++++++++++++++++++++++++++++
        Bus: 04:00.2 Slot: 5 Node: 0 Driver: igb_uio
        Bus: 08:00.3 Slot: 1 Node: 0 Driver: igb_uio
        Bus: 08:00.0 Slot: 1 Node: 0 Driver: igb_uio
        Bus: 83:00.1 Slot: 2 Node: 1 Driver: igb_uio
        Bus: 85:00.1 Slot: 4 Node: 1 Driver: igb_uio
        Bus: 85:00.2 Slot: 4 Node: 1 Driver: igb_uio
        Bus: 85:00.3 Slot: 4 Node: 1 Driver: igb_uio
        ----------------------------------------------------

      PCIe address: Numa Slot: Physical slot
  • 16. Numa Wrapper - Coremask & PortMask per NUMA
      • populateNodeInfo() & displayNodeInfo()

        INFO: DPDK Ver: DPDK 16.11.0 rte_eal_process_type: Primary!!
        NODE: 0
        -- PORT --
        ^^ 1G ports: 0x0 count: 0 // nodePtr->port1G_map[0]
        ^^ 10G ports: 0x7 count: 3 // nodePtr->port10G_map[0]
        ^^ 40G ports: 0x0 count: 0 // nodePtr->port40G_map[0]
        NODE: 1
        -- PORT --
        ^^ 1G ports: 0x0 count: 0 // nodePtr->port1G_map[1]
        ^^ 10G ports: 0xf count: 4 // nodePtr->port10G_map[1]
        ^^ 40G ports: 0x0 count: 0 // nodePtr->port40G_map[1]

      • port1G_init, port10G_init, port40G_init
      • getCount1gPorts, getCount10gPorts, getCount40gPorts
  • 17. VirtIO Hurdles
      1. Device start & stop not working
      2. Link state set up & down fails
      3. LSR call back does not work
      4. Application proc-info does not show stats for the right primary application.
      5. Application proc-info corrupts rte_dev_data when pcap is in use
  • 18. Timer Hurdles
      1. Timers used in
         1. Reassembly – IP
         2. Protocols – TCP, Path Monitoring, ARP
         3. Scheduling, Event expiry
         4. Stats
      2. Latency
         1. tick to Software
         2. Expiry
         3. Application notification
         4. Starting
         5. Threshold tick values (demo)
  • 19. SIMD Checksum

        #include <immintrin.h>  /* AVX2 intrinsics; build with -mavx2 */
        #include <stddef.h>
        #include <stdint.h>

        /* 16-bit one's-complement sum over the buffer, folded to 16 bits (not inverted). */
        static inline __attribute__((always_inline)) int
        avxChecksumV2(const char * const target, size_t targetLength)
        {
            unsigned int checksum = 0;
            size_t offset = 0;
            const __m256i zero = _mm256_setzero_si256();
            __m256i vec, lVec, hVec, sum;

            if (targetLength >= 32) {
                for (; offset <= targetLength - 32; offset += 32) {
                    vec = _mm256_loadu_si256((__m256i const *)(target + offset));
                    /* Zero-extend the sixteen 16-bit words to 32 bits and add pairwise. */
                    lVec = _mm256_unpacklo_epi16(vec, zero);
                    hVec = _mm256_unpackhi_epi16(vec, zero);
                    sum = _mm256_add_epi32(lVec, hVec);
                    /* hadd works within each 128-bit lane: two passes leave each
                     * lane's total in every 32-bit element of that lane. */
                    sum = _mm256_hadd_epi32(sum, sum);
                    sum = _mm256_hadd_epi32(sum, sum);
                    /* Element 0 holds the low-lane total, element 4 the high-lane total. */
                    checksum += (unsigned int)_mm256_extract_epi32(sum, 0)
                              + (unsigned int)_mm256_extract_epi32(sum, 4);
                }
            }

            /* Remaining whole 16-bit words. */
            for (; (targetLength - offset) >= 2; offset += 2)
                checksum += *(const uint16_t *)((const uint8_t *)target + offset);

            /* Trailing odd byte, if any. */
            if (targetLength - offset)
                checksum += *((const uint8_t *)target + offset);

            /* Fold the carries back into the low 16 bits. */
            checksum = ((checksum & 0xffff0000) >> 16) + (checksum & 0xffff);
            checksum = ((checksum & 0xffff0000) >> 16) + (checksum & 0xffff);
            return checksum;
        }

      Comparison:

        0.468157 task-clock (msec) # 0.461 CPUs utilized ( +- 1.66% )
        0 context-switches # 0.000 K/sec
        0 cpu-migrations # 0.000 K/sec
        42 page-faults # 0.091 M/sec ( +- 0.58% )
        5,63,229 cycles # 1.203 GHz ( +- 1.82% )
        <not supported> stalled-cycles-frontend
        <not supported> stalled-cycles-backend
        4,04,106 instructions # 0.72 insns per cycle ( +- 0.43% )
        78,541 branches # 167.765 M/sec ( +- 0.50% )
        3,538 branch-misses # 4.50% of all branches ( +- 0.30% )

        0.446172 task-clock (msec) # 0.471 CPUs utilized ( +- 4.43% )
        0 context-switches # 0.000 K/sec
        0 cpu-migrations # 0.000 K/sec
        42 page-faults # 0.095 M/sec ( +- 0.47% )
        5,39,201 cycles # 1.209 GHz ( +- 3.08% )
        <not supported> stalled-cycles-frontend
        <not supported> stalled-cycles-backend
        4,03,597 instructions # 0.75 insns per cycle ( +- 0.64% )
        78,162 branches # 175.184 M/sec ( +- 0.53% )
        3,199 branch-misses # 4.09% of all branches ( +- 6.27% )

      Vectorization isn’t something that will work for all programs, but if yours is data-intensive, perhaps running simulations, processing graphics, or repeated financial calculations, consider vectorization. It might only take a slight rewrite of your program’s data structures and layout to have the compiler auto-vectorize it.
  • 21. References
      • https://blog.selectel.com/introduction-dpdk-architecture-principles/
      • https://github.com/vipinpv85?tab=repositories
      • http://blog.talosintelligence.com/2010/07/innovation-you-keep-using-that-word.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+Vrt+(Sourcefire+VRT+-+Vulnerability+Research,+Snort+Rules+and+Explosions
      • http://blog.talosintelligence.com/2010/06/single-threaded-data-processing.html
  • 23. PROC-INFO Enhancement for fetching Primary Application Port stats
  • 24. Primary Port Details
      • Intf: 0 Speed: 10000 Duplex: Full Status: up
      • - driver:; - if_index: 0
      • - driver: Pcap PMD; - if_index: 5
      • - driver: net_virtio PMD; - if_index: 7
      • -- ADDR - domain:bus:devid:function 0000:0000:06.0; == PCI ID - vendor:device:sub-vendor:sub-device 1af4:1000:1af4:0001
      • - driver: net_virtio; - if_index: 0
      • -- ADDR - domain:bus:devid:function 0000:0000:07.0; == PCI ID - vendor:device:sub-vendor:sub-device 1af4:1000:1af4:0001
      • Intf: 0 Speed: 10000 Duplex: Full Status: up
      • - driver: net_virtio; - if_index: 0
      • - driver: Pcap PM; - if_index: 5
      • - driver: Pcap PMD; - if_index: 7
      • -- ADDR - domain:bus:devid:function 0000:0000:06.0; == PCI ID - vendor:device:sub-vendor:sub-device 1af4:1000:1af4:0001
      • - driver: net_virtio; - if_index: 0
      • -- ADDR - domain:bus:devid:function 0000:0000:07.0; == PCI ID - vendor:device:sub-vendor:sub-device 1af4:1000:1af4:0001
  • 25. New proc-info stats
      • ######################## NIC statistics for port 0 ########################
      • - name: eth_pcap0; - DPDK Port id: 05: veth_fp_adk1@veth_k_adk1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000; link/ether a2:dd:48:c2:65:33 brd ff:ff:ff:ff:ff:ff
      • ######################## NIC statistics for port 1 ########################
      • - name: eth_pcap1; - DPDK Port id: 17: veth_fp_adk2@veth_k_adk2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000; link/ether 0e:42:c4:8b:bf:4c brd ff:ff:ff:ff:ff:ff
      • ######################## NIC statistics for port 2 ########################
      • - name: 0000:00:06.0; - DPDK Port id: 2; - numa node: -1 mtu: 1500 dev_started: 1 promiscuous: 1; - dev_link: speed: 10000 duplex: 1 autoneg: 0 status: 1; - kdrv: 1
      • - mac_addrs: 52:54:00:c3:1d:a8; - min_rx_buf_size: 2176; - all_multicast: 0 dev_flags: 1; - nb_rx_queues: 1 nb_tx_queues: 1
      • ######################## NIC statistics for port 3 ########################
      • - name: 0000:00:07.0; - DPDK Port id: 3; - numa node: -1 mtu: 1500 dev_started: 1 promiscuous: 1; - dev_link: speed: 10000 duplex: 1 autoneg: 0 status: 1; - kdrv: 1
      • - mac_addrs: 52:54:00:b5:95:1b; - min_rx_buf_size: 2176; - all_multicast: 0 dev_flags: 1; - nb_rx_queues: 1 nb_tx_queues: 1
  • 26. Custom Lookup
  • 28. Chart: connection/sec by key size (1024, 2048, 4096); series: Linked List, Array, Hash Array
      Data labels in chart order: 1600, 950, 625; 8000, 2400, 2970; 30000, 12000, 7500