Accelerated Firewall Software on DPDK-ready x86 Hardware Platforms

high performance software x86 packet processingVirtualization has massively evolved cloud computing and computer networking, with VNF’s now available and sufficient for many network functions previously performed through dedicated hardware. Yet even today, achieving the near real-time performance expected of networking hardware is a still challenge for virtualized network functions typically running on open compute x86-based network hardware.

Firewalls and intrusion detection/protection systems all perform deep packet inspection requiring highly efficient, scalable packet processing. Any overheads and bottlenecks in the hardware-software packet workflow will ultimately limit the overall throughput of these kinds of systems.

For this reason PFSense, the most popular open source firewall software in the world is soon to release its 3rd iteration, bringing with it DPDK enhancements that will increase packet processing performance several times over on supported hardware configurations. This optimized software will bring enhancements in packet-processing capabilities for standard x86 processors, with over 600% performance increases for certain workloads per core.

Linux has become the backbone OS of many systems with a dominating market share for cloud deployments, baremetal servers and IoT devices. While it is a jack of all trades, Linux’s I/O stack has always been lacking in many aspects of high-performance packet processing. Principally due to the many steps packets have to traverse along with fragmentation in software support and the NIC drivers. This greatly reduced packet processing performance even with highly optimizes VirtIO kernel drivers.

The Data Plane Development Kit (DPDK)– now managed by the Linux foundation–was first developed by Intel to resolve performance issues with packet processing born from inherent inefficiencies in the Linux kernel I/O stack. Instead of traversing the entire linux kernel-mode driver stack (left) it utilizes minimal user-mode drivers to bypass kernel bloat and optimizes packet processing with efficient hugepage memory buffers (right).

DPDK and Intel’s Hyperscan library for high-performance regular expression matching are optimized from the ground up and ideal for the I/O and compute heavy workloads modern deep packet processing firewalls and IPS/IDS systems need.


How DPDK evolved packet processing:

  • Freed Network cards from kernel control and bloat
  • Minimal User-mode drivers originating from the DPDK
  • User space memory buffers are used to optimize memory usage
  • Abstraction layers for applications (Firewalls, vSwitches, vRouters, DPI’s…) to talk to the DPDK

This greatly improved packet processing software, massively reduced memory usage and removed potential vulnerabilities and issues that can arise from the larger Linux kernel-mode driver stack.


Proven Security & Performance on Scalable DPDK compatible x86 Networking Hardware

High-throughput software packet processing for pattern matching are best served running on capable hardware with multi-core hyper-threaded x86 architectures. This high-compute density enables deep network security with high throughput in a cost-effective form-factor.

Lanner’s NCA-5710 fills all of these requirements and more, with Intel®’s Xeon®  Scalable Processors allowing for dual-CPU support, great I/O flexibility  with 4x NIC expansion slots that can be outfitted with DPDK compatible NIC’s. These scalable platforms are deigned to improve Deep Packet Inspection (DPI) performance by 600% using integrated DPDK and Hyperscan accelerators.


Modern Hardware. Modern Software. Modern Network Appliance.

With virtualization on the forefront of computer networking, software now largely dictates what devices and appliances will do whether its a simple hardware firewall, secure VPN tunnel,  SD-WAN edge gateway or all of the above (uCPE). Perfecting this software affords x86 hardware appliances more flexibility and frees up cores for a myriad of software than can simplify everyday deployments and reduce costs while keeping internal networks safer than ever.



Accelerated Firewall Software on DPDK-ready x86 Hardware Platforms was last modified: July 27th, 2020 by James Piedra
Hand-picked posts from our blog, delivered to your email.