Multicore Based Packet Splitting Multicore Based Packet Splitting Approaches for High Speed Network A Approaches for High Speed Network A h h f f Hi h S Hi h S d N t d N t k k Security Security Security Security APAN 32 nd Meeting New Delhi 22 22 – 26 August 2011 26 A t 2011 C-DAC
Challenges In High Speed Packet Challenges In High Speed Packet Processing for Security Processing for Security � Volume of network Traffic is High � Current day attacks are � Current day attacks are more complex and network more complex and network intensive in nature � Packet prossing includes multiple subsystem P k t i i l d lti l b t Network card driver � Capturing stack of the operating system � Th The monitoring application it i li ti � � If any of these subsystems faces performance problems, it y y p p , will affects the system performance APAN 2011 2
Bandwidth Vs Packet Processing Time Bandwidth Vs Packet Processing Time g Bandwidth Number of Packets Per Packet Processing Time ( Nano Seconds) ( Nano Seconds) 128 Kb 256 3906250 256 Kb 512 1953125 1 Mb 2048 488281 200 Mb 409600 2442 500 Mb 1024000 977 1 Gb 2097152 477 2 Gb 2 Gb 4194304 4194304 239 239 10 Gb 20971520 48 * Considered 64 Byte Packet for Calculation APAN 2011 3
Hardware Hardware - a d a e a d a e - Approaches Approaches pp oac es pp oac es � Since CPUs are designed g for Generic purpose p p computation, specially designed Hardwares are used for high speed packet processing. ASIC (Application Specific Integrated Circuit ) Well-designed ASICs can be much faster than CPUs, W ll d i d ASIC b h f t th CPU � but they are difficult and expensive to develop ASICs usually have limited programmability and must � be redesigned as protocols and interfaces change � Network Processors Network processor tries to bridge the divide between N t k t i t b id th di id b t � ASICs and CPUs by providing a device that is as programmable as a CPU but as fast as an ASIC programmable as a CPU but as fast as an ASIC. APAN 2011 4
S ft Software S ft Software - - Approaches Approaches A A h h � Multi-Core Based Approach M lti C B d A h � GPU Based Approach � GPU Based Approach APAN 2011 5
Hyper Threading and Multi Hyper Threading and Multi- ype ype ead g a d ead g a d u t u t co e -core core co e � Hyper Threading (HT) Single execution core is shared among multiple Si l ti i h d lti l � threads When multiple threads are running, HT � Technology interleaves the instructions in the execution pipeline � Multi-core � Multi core Multi-core processors embed two or more � independent i d d t execution ti cores i t into a single i l processor package. APAN 2011 6
P P Packet Splitting Approaches Packet Splitting Approaches k t S litti k t S litti A A h h Divide & Divide & Conquer Task Data Data Splitting Splitting Pi Pipeline li Splitting Hardware Software Software Application Hash Based Based APAN 2011 7
Packet Processing in Multi Packet Processing in Multi Packet Processing in Multi-core Packet Processing in Multi core core core � Data Parallelism Each Core executes an Identical version of same E h C t Id ti l i f – packet processing algorithm � Task Parallelism Executes the components which are Executes the components which are – independent each other in parallel � Pipeline Parallelism Pi li P ll li multiple tasks need to be executed in a multiple tasks need to be executed in a � � specific pre-defined order for each incoming packet incoming packet APAN 2011 8
Multicore Based Approach Multicore Based Approach Data parallelism Data parallelism APAN 2011 9
Multi Core Based Approach Multi Core Based Approach Task Parallelism Task Parallelism NIC Packet Capture & Decode & Decode Anomaly Detection Signature Detection State Detection Core-2 Core-n Core-1 APAN 2011 10
Multi Core Based Approach Multi Core Based Approach Pipeline Parallelism Pipeline Parallelism NIC Packet Capture & Decode & Decode Content Analysis Header Analysis Core-2 Core-1 APAN 2011 11
Data Spliting Data Spliting Data Spliting Data Spliting - - Details Details Details Details Hash based techniques Application based techniques • For Deployment no Prior For Deployment Prior understanding of the Network understanding of the Network required required required required for for partitioning partitioning the the traffic Balanced traffic splitting Difficult to ensure balanced t traffic splitting ffi litti APAN 2011 12
Hash Based Packet Splitting Using Hash Based Packet Splitting Using Hash Based Packet Splitting Using Hash Based Packet Splitting Using NFQUEUE NFQUEUE Netfiler system provides a special target NFQUEUE • used to queue packets to user space programs q p p p g Uses source_ip, destination_ip, source_port, destination port, protocol for hashing destination_port, protocol for hashing Ensures connection stream (sessions) Leverage the multi-core environment using multiple processes APAN 2011 13
Queue Balancing using NFQUEUE Queue Balancing using NFQUEUE Queue Balancing using NFQUEUE Queue Balancing using NFQUEUE Packets are Balanced Across the given Queues Packets are Balanced Across the given Queues • • Packets belonging to the same connection are put into • same nfqueue q Start Multiple instances of the user space program on • Queue Queue IPTABLE -A FORWARD -p <protocol> -j NFQUEUE --queue- b l balance 1:N 1 N APAN 2011 14
Packet Splitting Using NFQUEUE Packet Splitting Using NFQUEUE - - Test Test R R Results Results lt lt Number of Number of Processor Processor Memory Memory Number of Number of Throughpu Throughpu Process Cores t Intel Xeon 2 Gb 4 270 Mbps 3 Processors (3.16 Ghz) ( Two Dual Core ) Core ) Xeon 4 Gb 8 960 Mbps 7 CPU(X5460) 3.16Ghz 3 16Gh ( 2 Quad ( 2 Quad Core) APAN 2011 15
GPU Based Packet Processing GPU Based Packet Processing G U G U ased ased ac et ac et ocess g ocess g � GPUs (Graphical Processing Units ) are specialized for computationally intensive and specialized for computationally intensive and highly parallel operations for graphic processing � Modern GPUs have low design cost and their increased programmability makes them more p g y flexible for network processing. � Vendor provides high-level APIs that o er high Vendor provides high level APIs that o er high programming capabilities APAN 2011 16
GPU Based Packet Processing GPU Based Packet Processing G U G U ased ased ac et ac et ocess g ocess g Gnort Gnort � Implementation of Snort IDS in GPU provides maximum traffic processing throughput of 2.3 Gbps p Copy batch of packets to the GPU – P tt Pattern matching on GPU t hi GPU – Transferring the results to CPU – APAN 2011 17
Header Analysis for Highspeed Header Analysis for Highspeed eade eade a ys s o a ys s o g speed g speed Networks Networks Flow Based Traffic Analysis Flow Flow IP flow is a unidirectional series of IP packets of a given protocol traveling between a source and a destination IP/port pair within a certain period of time IP/port pair within a certain period of time Aggregate information from different packets in • to a flow to a o Compared to packet based analysis , volume of • data is very less data is very less – suitable for high speed suitable for high speed network traffic analysis APAN 2011 18
Header Analysis for High speed Header Analysis for High speed y y g g p p Networks Networks APAN 2011 19
References References References References Exploiting Commodity Mulch-core Systems for Network Traffic Analysis Exploiting Commodity Mulch core Systems for Network Traffic Analysis � � Lucas Devi, Francisco Fusion Improving Network Performance in Mulch-Core Systems – Intel white Improving Network Performance in Mulch Core Systems Intel white � � paper An Architecture for Exploiting Multi-Core Processors to Parallelize p g � Network Intrusion Prevention - Vern Paxson,Robin Sommer Comparing and Improving Current Packet Capturing Solutions based on � Commodity Hardware Lothar Braun, Alexander Didebulidze, Nils Kammenhuber, Georg Carle Gnort: High Performance Network Intrusion Detection Using Graphics � Processors - Giorgos Vasiliadis, Spiros Antonatos, Michalis Polychronakis, Evangelos P. Markatos, and Sotiris Ioannidis y , g , APAN 2011 20
Thank you Thank you murali@cdac.in 21 @ APAN 2011
Recommend
More recommend
