Multicore Based Packet Splitting Approaches for High Speed Network Security - PowerPoint PPT Presentation


SLIDE 1

Multicore Based Packet Splitting Approaches for High Speed Network Security

APAN 32nd Meeting, New Delhi, 22 – 26 August 2011
C-DAC

SLIDE 2

Challenges In High Speed Packet Processing for Security

Volume of network traffic is high

Current day attacks are more complex and network intensive in nature

Packet processing includes multiple subsystems:

  • Network card driver
  • Capturing stack of the operating system
  • The monitoring application

If any of these subsystems faces performance problems, it will affect the system performance

APAN 2011 2

SLIDE 3

Bandwidth Vs Packet Processing Time

Bandwidth   Number of Packets (per second)   Per Packet Processing Time (Nano Seconds)
128 Kb      256                              3906250
256 Kb      512                              1953125
1 Mb        2048                             488281
200 Mb      409600                           2442
500 Mb      1024000                          977
1 Gb        2097152                          477
2 Gb        4194304                          239
10 Gb       20971520                         48

* Considered 64 Byte packet for calculation

SLIDE 4

Hardware Approaches

Since CPUs are designed for generic purpose computation, specially designed hardware is used for high speed packet processing.

ASIC (Application Specific Integrated Circuit)

  • Well-designed ASICs can be much faster than CPUs, but they are difficult and expensive to develop
  • ASICs usually have limited programmability and must be redesigned as protocols and interfaces change

Network Processors

  • Network processor tries to bridge the divide between ASICs and CPUs by providing a device that is as programmable as a CPU but as fast as an ASIC.

SLIDE 5

Software Approaches

  • Multi-Core Based Approach
  • GPU Based Approach

SLIDE 6

Hyper Threading and Multi-core

Hyper Threading (HT)

  • Single execution core is shared among multiple threads
  • When multiple threads are running, HT Technology interleaves the instructions in the execution pipeline

Multi-core

  • Multi-core processors embed two or more independent execution cores into a single processor package.

SLIDE 7

Packet Splitting Approaches

Divide & Conquer
  • Data Splitting
      – Software
          · Application Based
          · Hash Based
      – Hardware
  • Task Splitting
  • Pipeline

SLIDE 8

Packet Processing in Multi-core

Data Parallelism
  – Each core executes an identical version of the same packet processing algorithm

Task Parallelism
  – Executes the components which are independent of each other in parallel

Pipeline Parallelism
  • Multiple tasks need to be executed in a specific pre-defined order for each incoming packet

SLIDE 9

Multicore Based Approach – Data parallelism

(diagram slide)

SLIDE 10

Multi Core Based Approach – Task Parallelism

Diagram: NIC → Packet Capture & Decode → Signature Detection, State Detection, Anomaly Detection running in parallel (Core-1, Core-2, … Core-n)

SLIDE 11

Multi Core Based Approach – Pipeline Parallelism

Diagram: NIC → Packet Capture & Decode → Header Analysis (Core-1) → Content Analysis (Core-2)

SLIDE 12

Data Splitting – Details

Hash based techniques
  • For deployment, no prior understanding of the network is required
  • Balanced traffic splitting

Application based techniques
  • For deployment, prior understanding of the network is required for partitioning the traffic
  • Difficult to ensure balanced traffic splitting

SLIDE 13

Hash Based Packet Splitting Using NFQUEUE

  • Netfilter system provides a special target NFQUEUE used to queue packets to user space programs
  • Uses source_ip, destination_ip, source_port, destination_port, protocol for hashing
  • Ensures connection stream (sessions)
  • Leverage the multi-core environment using multiple processes

SLIDE 14

Queue Balancing using NFQUEUE

  • Packets are balanced across the given queues
  • Packets belonging to the same connection are put into the same nfqueue
  • Start multiple instances of the user space program on the queues

    iptables -A FORWARD -p <protocol> -j NFQUEUE --queue-balance 1:N
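As an added illustration (not code from the presentation or from C-DAC's user space program), the following Python models the hash-based splitting described on the NFQUEUE slides: a direction-independent 5-tuple key so both halves of a connection land on the same queue, and a stable hash spread over the queue range first:last as with --queue-balance. The sample packets are constructed, and the SHA-256 based hash is this example's own choice, not the kernel's NFQUEUE algorithm.

```python
import hashlib
import ipaddress

# Constructed sample 5-tuples (src_ip, dst_ip, sport, dport, proto); not captured traffic.
PACKETS = [
    ("10.0.0.5", "192.0.2.10", 40001, 80, "tcp"),
    ("192.0.2.10", "10.0.0.5", 80, 40001, "tcp"),    # reply direction of the first flow
    ("10.0.0.6", "192.0.2.10", 40002, 80, "tcp"),
    ("10.0.0.7", "198.51.100.3", 5353, 53, "udp"),
    ("198.51.100.3", "10.0.0.7", 53, 5353, "udp"),   # reply direction
    ("10.0.0.8", "192.0.2.11", 40003, 443, "tcp"),
]

def flow_key(src_ip, dst_ip, sport, dport, proto):
    """Direction-independent key: the two (ip, port) endpoints are sorted so that
    A->B and B->A give the same key, keeping a whole session on one queue."""
    a = (int(ipaddress.ip_address(src_ip)), sport)
    b = (int(ipaddress.ip_address(dst_ip)), dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (lo, hi, proto.lower())

def queue_for(pkt, first_queue, last_queue):
    """Pick a queue number in [first_queue, last_queue], the range given to
    --queue-balance first:last. SHA-256 is used only as a stable, evenly spread
    hash (Python's hash() is randomised per process); not the kernel's hashing."""
    n_queues = last_queue - first_queue + 1
    digest = hashlib.sha256(repr(flow_key(*pkt)).encode()).digest()
    return first_queue + int.from_bytes(digest[:4], "big") % n_queues

def split(packets, first_queue=1, last_queue=4):
    """Return {queue_number: [packets]} for all packets."""
    queues = {q: [] for q in range(first_queue, last_queue + 1)}
    for pkt in packets:
        queues[queue_for(pkt, first_queue, last_queue)].append(pkt)
    return queues

def session_affinity_ok(packets, first_queue=1, last_queue=4):
    """True if every packet of a connection (both directions) maps to one queue."""
    seen = {}
    for pkt in packets:
        q = queue_for(pkt, first_queue, last_queue)
        if seen.setdefault(flow_key(*pkt), q) != q:
            return False
    return True

if __name__ == "__main__":
    for q, pkts in split(PACKETS).items():
        print(f"nfqueue {q}: {len(pkts)} packet(s)")
    print("session affinity:", session_affinity_ok(PACKETS))
```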

SLIDE 15

Packet Splitting Using NFQUEUE – Test Results

Processor                          Memory   Number of Cores     Number of Processes   Throughput
Intel Xeon Processors (3.16 GHz)   2 GB     4 (Two Dual Core)   3                     270 Mbps
Xeon CPU (X5460) 3.16 GHz          4 GB     8 (2 Quad Core)     7                     960 Mbps

SLIDE 16

GPU Based Packet Processing

  • GPUs (Graphical Processing Units) are specialized for computationally intensive and highly parallel operations for graphic processing
  • Modern GPUs have low design cost and their increased programmability makes them more flexible for network processing.
  • Vendor provides high-level APIs that offer high programming capabilities

SLIDE 17

GPU Based Packet Processing

Gnort

  • Implementation of Snort IDS in GPU provides maximum traffic processing throughput of 2.3 Gbps
      – Copy batch of packets to the GPU
      – Pattern matching on GPU
      – Transferring the results to CPU

SLIDE 18

Header Analysis for Highspeed Networks

Flow Based Traffic Analysis

Flow

  • IP flow is a unidirectional series of IP packets of a given protocol traveling between a source and a destination IP/port pair within a certain period of time
  • Aggregate information from different packets into a flow
  • Compared to packet based analysis, the volume of data is much less – suitable for high speed network traffic analysis
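As an added example (not from the presentation), the following Python aggregates constructed packet records into unidirectional 5-tuple flows as defined on the slide, using an assumed inactivity timeout for the "certain period of time", so the reduction from packets to flow records can be seen on sample data.

```python
from dataclasses import dataclass

INACTIVE_TIMEOUT = 15.0  # seconds without a packet before a flow record is closed (assumed value)

# Constructed sample packets (timestamp_s, src_ip, dst_ip, sport, dport, proto, bytes); not captured traffic.
PACKETS = [
    (0.00, "10.0.0.5", "192.0.2.10", 40001, 80, "tcp", 74),
    (0.01, "192.0.2.10", "10.0.0.5", 80, 40001, "tcp", 74),
    (0.02, "10.0.0.5", "192.0.2.10", 40001, 80, "tcp", 66),
    (0.50, "10.0.0.5", "192.0.2.10", 40001, 80, "tcp", 1514),
    (0.55, "192.0.2.10", "10.0.0.5", 80, 40001, "tcp", 66),
    (1.00, "10.0.0.7", "198.51.100.3", 5353, 53, "udp", 82),
    (30.0, "10.0.0.5", "192.0.2.10", 40001, 80, "tcp", 66),  # idle gap > timeout: new record
]

@dataclass
class Flow:
    key: tuple          # (src_ip, dst_ip, sport, dport, proto): unidirectional, as on the slide
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0

def aggregate(packets, inactive_timeout=INACTIVE_TIMEOUT):
    """Collapse packets into unidirectional flow records keyed by 5-tuple.
    If the gap since a flow's last packet exceeds inactive_timeout, the record is
    closed and a fresh one is opened for the same key. Closed records come first
    in the result, followed by records still active when the input ends."""
    active, closed = {}, []
    for ts, src, dst, sport, dport, proto, size in packets:
        key = (src, dst, sport, dport, proto)
        flow = active.get(key)
        if flow is not None and ts - flow.last_seen > inactive_timeout:
            closed.append(active.pop(key))
            flow = None
        if flow is None:
            flow = active[key] = Flow(key, ts, ts)
        flow.packets += 1
        flow.bytes += size
        flow.last_seen = ts
    return closed + list(active.values())

def reduction(packets, inactive_timeout=INACTIVE_TIMEOUT):
    """(packet count, flow record count): the data volume an analyser must handle."""
    return len(packets), len(aggregate(packets, inactive_timeout))

if __name__ == "__main__":
    for f in aggregate(PACKETS):
        print(f"{f.key}: {f.packets} pkts, {f.bytes} bytes, {f.first_seen}-{f.last_seen}s")
    print("packets vs flow records:", reduction(PACKETS))
```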

SLIDE 19

Header Analysis for High speed Networks

(diagram slide)

SLIDE 20

References

  • Exploiting Commodity Multi-core Systems for Network Traffic Analysis - Luca Deri, Francesco Fusco
  • Improving Network Performance in Multi-Core Systems - Intel white paper
  • An Architecture for Exploiting Multi-Core Processors to Parallelize Network Intrusion Prevention - Vern Paxson, Robin Sommer
  • Comparing and Improving Current Packet Capturing Solutions based on Commodity Hardware - Lothar Braun, Alexander Didebulidze, Nils Kammenhuber, Georg Carle
  • Gnort: High Performance Network Intrusion Detection Using Graphics Processors - Giorgos Vasiliadis, Spiros Antonatos, Michalis Polychronakis, Evangelos P. Markatos, and Sotiris Ioannidis

SLIDE 21

Thank you

murali@cdac.in