April 2009: Packet Processors - "The Rise of Packet Processors"
Embedded Insider: April 2009 - Volume 4, Issue 1
The Rise of Packet Processors
Packet processors are a distinct class of purpose-built processors that have evolved in response to constantly increasing network traffic loads. They are in large part a response to growth in the use of search engines, cloud computing, mobile devices, Web 2.0 and online gaming. This class of intelligent, high performance processors offloads packet processing from the host system, preserving the resources of the host CPU for other important functions.
Packet processing is the act of data identification, inspection, extraction, manipulation or otherwise accessing the elements of a data packet. Its purpose is to gather statistics, interpret data, provide secure communications and perform traffic shaping and routing. When the data packet has been examined, a pre-defined action is taken based on its contents. Packet processors offer several advantages over traditional network processors because their hardware is tailored for packet movement, which gives them the ability to perform at gigabit line rates.
Packet Processors Improve Network Management
Packet processing is critical to the packet-dependent applications that are at the heart of today’s networks – applications such as Session Border Control, Secure Access (IPsec) , Firewalls, Network Address Translation (NAT), Traffic Management, Routers, Switches and Packet Inspection.
As networks expand and become more complex, they place an additional processing burden on communications systems. Packet processors can perform traffic shaping, security algorithms, compression, encryption and so on, prior to the network traffic reaching a server – and thus they represent a cost-effective alternative to upgrading server host processors.
The increasing demand for network security and content management has placed severe demands on network service providers. In order to truly control their networks, providers need to know where traffic originates, where it is going, and most importantly what the traffic contains. This means that all layers of individual packets must be analyzed for content, a process known as “Deep Packet Inspection” or DPI.
Deep Packet Inspection
Convergence on IP networks has not been without its challenges. One of the thorniest issues has been network security. The migration from the LAN to wider public networks introduced scourges such as denial of service attacks, spam, worms, viruses, hackers, malware and spyware.
In response to these threats, network users and administrators turned to tactics such as VPNs, tunneling, firewalls, anti-virus software, network address translation, MAC filtering and encryption for wireless networks. But most of these strategies focused on how message envelopes are passed through the network when the heart of the issue is what’s inside the envelope—the message itself. Deep Packet Inspection addresses this issue head-on and DPI is one of the key capabilities of packet processors.
DPI gives network managers the ability to examine a packet at Layer 2 through Layer 7 including IP packet headers, data protocol structures and the actual data content (payload) of a message. It can be used to search for non-protocol compliance violations, look for viruses, spam, network intrusions and provide pre-defined decision criteria to determine if an IP Packet should be:
- Blocked or passed through only a certain point in the network
- Routed to a different destination
- Marked or tagged (e.g. for QoS)
- Collected as statistical information (e.g. billing or traffic related)
Controlling network usage has become another major factor behind the deployment of DPI. With DPI, it is possible for network managers to understand in granular detail the amount of traffic generated by each user and each application. Based on this information, they can make intelligent management decisions. For example, limiting the amount of bandwidth available to peer-to-peer traffic is a matter of economic survival to some providers, and DPI gives them the tools they need.
The following diagram illustrates some of the points in today's networks where packet processors are playing a key role:
Packet Processors plus Software Equal Applications
By combining the capabilities of our extensive selection of packet processors with middleware from our industry partners, we’ve been able to demonstrate that valuable applications can be built from commercial off-the-shelf products. These are precisely the kind of applications which network designers and administrators are struggling to deploy in their existing and next generation communications networks. Below is a selection of packet processor-based applications using GE Fanuc Intelligent Platforms hardware and software from our strategic industry partners.
Application Examples using Packet Processors and 6WINDGate™ Open Network Engine on the Telum™ NPA-38x4/58x4 AdvancedMC™
6WINDGate™ networking software running on a GE Fanuc Intelligent Platforms Telum™ NPA-38x4/58x4 AdvancedMC with the Cavium 12-core OCTEON™ processor provides a full- featured networking solution including IPv4 and IPv6 routing, virtual routing, IPsec, Layer 2 (GRE, VLAN), QoS functions, NAT, filtering, multicast and compression for multi-gigabit per second applications. The 6WINDGate software is a ready-to-use, scalable, modular and portable networking software solution optimized for multi-core processors. 6WINDGate is a complete, integrated solution built upon three layers: Fast Path modules, Optimized Linux stack and Control Plane modules. A standard API between layers hides multi-core complexity from the application-level software; consequently, 6WINDGate is perfect for new product development or upgrades to existing products.
6WINDGate’s scalable architecture delivers performance ranging from several Gbps using 6WINDGate ADS with a Linux stack optimized for multi-processing environments, up to 10 Gbps-class performance using 6WINDGate SDS which employs Fast Path in conjunction with an optimized Linux stack. Both the 6WINDGate ADS and SDS versions take full advantage of Telum NPA 38x4/58x4 OCTEON processor features such as the streamlined Cavium Simple Executive OS that boosts performance and efficiency, the built-in crypto-processors, and QoS dedicated hardware. 6WINDGate’s powerful distributed architecture permits several Telum packet processor modules to work together for greater capacity. Additionally, 6WINDGate provides a unique XML-based management interface that eases integration of third-party and customer specific software.
- Telum NPA-38x4/58x4 IP Packet Processor AdvancedMC with multi-core OCTEON processor
- 6WINDGate Open Network Engine software running on multiple processor cores
- Complete networking software suite including Fast Path modules, Optimized Linux stack for multi-core processors, and Control Plane modules
- Comprehensive feature set including IPv4 and IPv6 routing, virtual routing, IPsec, Layer 2 (GRE, VLAN), QoS functions, NAT, filtering, multicast, and compression
- Smart architecture with multi-core networking layer eases Linux application-level software integration
- Up to 10 Gbps-class performance on a single processor with architecture scalable across multiple boards
- XML-based management system
Example Application: ASN Gateway for WiMAX Architectures
- 6WINDGate Fast Path provides a fast packet processing framework (IP forwarding, IPinIP, GRE, IPsec) allowing smooth integration of customers’ R3, R4 and R6 flow processing
- WiMAX IP flows are forwarded by the Fast Path, and Control Plane flows are exceptions for the Slow Path due to 6WINDGate’s Fast Path Virtual Interface (FPVI)
- 6WINDGate Slow Path and its Cache Manager allow reuse of customers’ Control Plane features
- Slow Path and Control Plane can run on a dedicated core of the OCTEON processor or on a 32-bit / 64-bit IA CPU connected to the Telum™ Processor AdvancedMC via the backplane; see diagram
Example Application: IPsec Concentrators
- 6WINDGate software runs on the OCTEON processor of each Telum Packet Processor AdvancedMC. Certain cores are dedicated to IPsec while the remaining cores are used for IPsec Control Plane signaling protocols (IKE / IKEv2)
- If Security Associations are available at the Fast Path level, incoming packets are decrypted by IPsec Fast Path
- If a new session is detected, signaling packets are forwarded to Control Plane cores to perform IKE protocol (key negotiation, key renewal) and build a new Security Association in Fast Path shared memory
- Outgoing packets are encrypted by Fast Path
- Clear traffic is available for further processing
Application Examples using Qosmos™ Deep Packet Inspection (DPI) on Telum™ NPA-38x4/58x4 AdvancedMC
Qosmos™ Qoala™ Deep Packet Inspection(DPI) software running on a GE Fanuc Intelligent Platforms Telum™ NPA-38x4/58x4 IP packet processor AdvancedMC with a Cavium 12-core OCTEON™ processor provides a highly versatile blade. Qoala software, which runs on the multiple processor cores, services incoming traffic in real time, classifies all packets and tags them with rich session-level information. A client's application specifies the protocol attributes in which it is interested and requests callbacks from the programmable Event Handler module. Using the Packet Handler module, the application makes decisions based upon packet contents.
A wide variety of applications can thus manipulate, shape and re-export traffic based upon sophisticated DPI intelligence. Qoala DPI technology actually parses the protocol stack rather than employing signature detection. Qoala’s protocol library, an ever-growing and evolving knowledge base of over 300 communications protocols, enables recognition of application data that may be nested several layers deep. This unique ability provides highly accurate identification of individual flows. Qoala Session inheritance methodology then associates related flows allowing applications to recognize and manage traffic by session. GE Fanuc's compact, versatile Telum NPA- 38x4/58x4 modules with powerful, efficient OCTEON multi-core processors ensure that Qoala DPI and the client’s handler programs function at high speed and with low latency. A MicroTCA platform such as GE Fanuc’s MP Series Modular Platforms or an AdvancedTCA carrier blade can accept several Telum packet processor modules working together for greater capacity and versatility.
- Telum NPA-38x4/58x4 IP packet processor AdvancedMC with multi-core OCTEON processor
- Qosmos Qoala DPI engine running on multiple processor cores
- Surpasses traditional pattern matching techniques, parses protocol stack, supports complex encapsulations in real time at line speed
- Identification based on protocol behavior
- Session inheritance management makes visible applications, services and users
- Library of over 300 protocol and application signatures, over 3000 protocol attributes
- Flexible: packet classification and session-level tagging supports a wide variety of client applications
- Optionally write data to disk through a storage AdvancedMC such as the Telum 200-SATA
Example Application: Policy Enforcement
Qosmos™ Qoala™ Deep Packet Inspection (DPI) software running on a GE Fanuc’s Telum™ NPA-38x4/58x4 IP packet processor AdvancedMC with its multi-core OCTEON™ processor permits network operators to enable value-added services for their clients based upon sophisticated traffic parsing. Simple content recognition based upon port numbers will not be successful in correctly identifying many types of flows. Even more sophisticated signature-based schemes will fail in cases where identification depends upon the ability to reconstruct content across multiple packets. Qoala DPI provides the application-layer content as raw material for flow classification.
- Qosmos Qoala DPI software running on each Telum NPA-38x4/58x4 IP packet processor AdvancedMC with Cavium OCTEON multicore processor classifies packets and tags them with session-level information
- Qoala's client-programmed Event Handler takes action based upon the packets’ protocol attributes
- Qoala's client-programmed Packet Handler takes action based upon the application-layer data extracted from the packets
- Client’s application on a Telum ASLP10 Intel Pentium M Processor AdvancedMC sets overall policy, allowing the handler modules to block and redirect traffic as needed
Example Application: Data Retention
- Qosmos Qoala DPI software running on each Telum NPA-38x4/58x4 IP packet processor AdvancedMC with Cavium OCTEON multicore processor identifies flows and groups them by call
- Qoala's client-programmed Event Handler recognizes the packets that belong to protocols of interest for record keeping
- Qoala's client-programmed Packet Handler extracts Call Detail Records (CDRs) from the packets’ application-layer contents, exporting the CDRs to a Telum ASLP10 Intel Pentium M Processor AdvancedMC via a MicroTCA backplane interconnect
- The client's application on the Telum ASLP10 aggregates CDRs and exports them to a Telum 200-SATA storage AdvancedMC via MicroTCA backplane interconnect
- The Telum 200-SATA storage AdvancedMC writes CDRs to disk in real time
Qosmos™ Qoala™ Deep Packet Inspection (DPI) software running on a GE Fanuc's Telum™ NPA-38x4/58x4 IP packet processor AdvancedMC with multi core OCTEON™ processor allows telecommunications operators to retain call data for billing purposes or to meet legal requirements such as EU Directive 2006/24/EC.
A call in today's communications environment does not necessarily correspond to a single flow. To properly identify a call, one must tie its signaling to the multiple multimedia flows (audio, video, etc.) that might appear or terminate over the course of the call. Qoala DPI's Session Inheritance technology parses the signaling data to ensure accurate matching of calls to end-users.
Increased network traffic, and demands for network security, have spawned a new class of processors known as packet processors, which supplement the capabilities of the host system. Packet processors allow network service providers to see where traffic originates, where it is going, and most importantly what the traffic contains.
Packet processors are able to analyze all layers of individual packets at full line speed, a process known as “Deep Packet Inspection” or DPI. The network devices that incorporate this DPI technology are increasingly being designed to open, scalable and modular architectures, and GE Fanuc Intelligent Platforms offers an extensive selection of packet processors and partner software that fully addresses this need.