vortiqa software with unified threat management for service … · 2016-03-12 · uniform...
Freescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2009.
Performance Optimization on QorIQ™ P4080 Multicore Processor
VortiQa™ Software with Unified Threat Management for Service Provider Equipment
July 2009
Bharat Mota, Director of Engineering, Software Products Division
Suggested Pre-Requisite Sessions
►AN145: QorIQ P4080 Processor - Product Overview
►AN129: An Introduction to QorIQ Data Path Acceleration Architecture
►AN116: QorIQ P4080 Processor - Software Development Kit
Overview: VortiQa Software for Service Provider Equipment
► VortiQa software: a new brand of Freescale software for networking equipment that helps accelerate product development and increase the pace of innovation
► Four new VortiQa product lines of production-ready software applications:
• VortiQa software for service provider equipment
• VortiQa software for enterprise network equipment
• VortiQa software for small business gateways
• VortiQa software for SOHO/Residential gateways
► A comprehensive solution-centric approach for networking applications in targeted vertical segments:
• Silicon – QorIQ and PowerQUICC communications processors
• Software – VortiQa software products
• Expanded Ecosystem – hardware, OS, ISVs, system integrators
VortiQa Software – Announced on June 15, 2009
\vór · ti · ka\: A whirlwind of innovation
VortiQa Software - Feature Overview
Software Function ► Description
Stateful Firewall with NAT ► Controlled access to network resources; network address translation
IPSec VPN ► Confidentiality, authentication and integrity for traffic between networks; secure remote access
IDS and IPS ► Detect and prevent intrusions at L4-L7 and application level
Application Traffic Throttling ► Detect and throttle less-priority application traffic (e.g. P2P, IM)
Traffic Management and QoS ► Enforce QoS policies on network/application traffic
Virtualization (Data Center) ► Support multiple virtual security instances within single hardware; instances mapped to customers
Multicore Optimized
► Superior performance with Control Plane, Data Plane (CP-DP) separation
• DP uses a light weight executive, eliminating OS overhead
• Full control over fast path packet handling for optimal throughput, latency and connection rate
• Predictable performance independent of feature usage and growth in CP
► Few-to-many core scalability with Data Plane “Run To Completion” model
• Flexible CP-DP partitioning amongst cores
• SMP, AMP and hybrid models can be supported
• Avoids pipelining and its inherent difficulty with distributing work evenly
► SMP Linux control plane enables ease of integration
• Other SMP RTOSes (e.g. VxWorks) can be supported
• Rich 3rd party ecosystem
• Modular, well defined APIs
► Robust concurrent execution with session parallelization
• Any given session is handled by only one core at any time, reducing locks and lock contention and ensuring packet ordering within a session
• Makes locks fine grain and read-only where possible
Architecture Overview
(diagram) Packets enter from the network interfaces (NI) into the Data Path on the DP cores, which take each packet from the NI and read tables (e.g. SAD/SPD, route tables) to decide what to do with it or where to send it. The CP cores (SMP Linux, with 3rd party software over an API) run the control functions: IKE, management, CLI/API, log, statistics, table updates and exception processing. CP cores > 1 implies SMP, so some items in memory must be shared between them; the control and data planes may have different views of that data.
► Packets go to DP cores for security processing or CP cores for protocol termination
► DP cores – low overhead “run-to-completion” model for fast path packet processing
► CP cores – ease of use generic OS for control and management path
Performance and Capacity Considerations
►Flexible Partitioning
• 1-2 CP cores, 6-7 DP cores
• Up to 1 GB CP RAM, 3 GB DP RAM
►High System Throughput
• Multi-Gbps Firewall, IPsec and IPS throughput for IMIX traffic (390B average)
►Low Latency
►Fast Connection Rate
• Multi-10K connection rates for Firewall TCP, ALG and IPS TCP and HTTP
►Large Capacity
• 4K Virtual Security Gateway Instances
• Firewall: 1 million concurrent sessions
• IPsec: 100,000 VPN tunnels
VortiQa Software for Service Provider Equipment: Solution Overview
(diagram, QorIQ P4080 eight-core processor) Control Plane on Linux SMP, compiled with user space and kernel space applications: user space daemons (configuration databases, VSG, interfaces), kernel routing table (VRF), ARP helper, management (CLI, WEB-HTTP(*), LDSV engine, config demux), signaling/misc (LOG, IKE, TRACE, DNSRD(*), EVM-API), route updater, HA monitor(*), image upgrade(*), DP state monitor, event manager (dispatcher/generator/receiver), CP-DP communication handler, interface demux/packet announcer and interface helper. Data Plane on the Light-Weight Executive (LWE): databases with CP-DP replicated information (VSG, I/F, routes, ARP, cache), DP monitor, HA(*) stateful sync/monitor, event manager/dispatcher, DNS cache, IP reassembly, a packet processing engine (firewall, IPSec, IPS, URLF, ALGs, traffic mgmt(*), P2P, IPDB services, session mgmt), HW accelerator interface, management (logger, trace, CLI, LDSV engine) and CP-DP demux/transport/queues. Both planes run over a hypervisor, with a DP/CP interface between them.
Solution = VortiQa Software + Freescale Enablement Software + QorIQ P4080 Processor + Customer Software
This paradigm extends to ecosystem operating systems and stacks
QorIQ P4080 Multicore Processor: DPAA and Light Weight Executive (LWE) Review
QorIQ P4080 Processor Block Diagram (diagram): eight Power Architecture® e500-mc cores (32 KB D-cache, 32 KB I-cache and 128 KB backside L2 cache each) on the CoreNet™ coherency fabric with two 1024 KB frontside L3 caches and two 64-bit DDR-2/3 memory controllers; PAMUs (Peripheral Access Management Units); the DPAA blocks (two Frame Managers that parse, classify, distribute and buffer, with 4x 1GE + 10GE each, Queue Manager, Buffer Manager, Security 4.0, Pattern Match Engine 2.0); 2x DMA, RapidIO™ Message Unit (RMU), PCIe and SRIO over an 18-lane 5 GHz SerDes; eLBC, eOpenPIC, power management, 2x USB 2.0/ULPI, SD/MMC, clocks/reset, 2x DUART, 4x I2C, SPI, GPIO, PreBoot Loader, Security Monitor, Internal BootROM, CCSR; real time debug (watchpoint cross trigger, perf monitor, CoreNet trace, Aurora, test port/SAP).
Datapath Acceleration Architecture (DPAA)
Offloads CPU intensive traffic handling
► FMan accelerates parse, classify, distribution and policing
► SEC and PME accelerators offload CPU intensive security and pattern matching operations, respectively
► BMan and QMan comprise the DPAA infrastructure for HW buffering and queuing
► QMan improves latency with cache stashing and congestion management and provides a uniform programming interface to accelerators
(diagram, QorIQ P4 platform DPAA: network interfaces → FMan (parse, classify, police, steer/stash context, enqueue) → QMan (manage congestion) and BMan (buffer) → cores and accelerators)
Together with many cores and a multi-level cache hierarchy, DPAA simultaneously enables a lower complexity software environment as well as very high networking performance
F/B/QMan Ingress Packet Processing
(diagram) Packets arrive on the 10G and 1G ports into the FMan. The FMan issues a buffer acquisition request to the BMan and receives a buffer reference; packet data is written to the main memory subsystem (frontside cache / DDR SDRAM, staged through MURAM) and stored in H/W managed buffers. Classification-driven enqueue distribution places references to the packets into QMan frame queues (16M queues), from which cores pick up the packets in process.
F/B/QMan Egress Packet Processing
(diagram) A core enqueues a reference to the processed packet, optionally as a packet response, into one of the 8 priority work queues; the QMan class scheduler performs priority-based packet scheduling toward the FMan, which reads the packet data from the main memory subsystem (frontside cache / DDR SDRAM via MURAM), transmits on the 10G and 1G ports and issues a buffer release request to the BMan.
QMan Software Portals
(diagram) Each Power Architecture™ core (D-cache, I-cache, L2 cache) owns a software portal into the QMan; behind the portals are channels, each with work queues WQ 0–7, and the frame queues hold references to packet “data units”. Dedicated channels belong to one core; pool channels are shared.
Cores can choose during run time to dequeue from dedicated or shared channels
10 CoreNet™ software portals; two dimensional queuing structure; 39 channels (8 dedicated, 15 pool)
16M frame queues; 16M order restoration contexts; 256 congestion groups
Light Weight Executive
►Set of hardware abstraction libraries as C APIs
• Core startup and initialization
• Device tree parsing
• Locks and atomic operations
• Shared memory management
• Portal creation and enqueue, dequeue to portals
• Timers
• Buffer management
• Interrupts and exception handling
►Programming at a low level for high efficiency, but on hypervisor
(diagram: per core, an ingress channel and an egress channel, each holding frame queues at priorities 0–7)
Light Weight Executive Usage
(diagram, top to bottom) VortiQa networking software → Crypto API, Net Frame API, PME API, IPC API, BMan API and other APIs → QMan buffer mux/demux → QMan API (portal access) → physical portals
►In effect, QMan and BMan usage
Architecture: VortiQa Software for Service Provider Equipment
Control Plane, Data Plane (CP-DP) Architecture
(diagram) In the control plane, user space application processes (IKE, RIP, etc.) and management modules (CLI, log, etc.) sit over a kernel space TCP/IP stack, a pseudo Ethernet interface, a char pseudo driver and the CP-DP communication module; ingress packets and messages flow to the CP, egress packets and messages to the DP. In the data plane, an ingress packet queue feeds the demux, session management, firewall, IPSec-VPN and IPS; local application packets (IP, ARP) and non-IP/non-ARP traffic go up to the CP and egress application packets go to the egress packet queue; an ARP cache, a route cache and the CP-DP comm module sit beside a glue layer over the crypto accelerator API and PME engine API.
► Control Plane – SMP Linux®
• IKE, routing protocol daemons
• CLI, log
• Interface information made available to CP by DP via pseudo Ethernet interface
► Data Plane – LWE
• Interface control – physical and VLAN
• Packet processing
• Subset of TCP/IP functions: IP/TCP/UDP integrity checks, IP reassembly and fragmentation, routing, ARP table management
DP “Run To Completion” Processing Loop
Simple while loop that runs on every data plane core
Watch dog trigger and get work (dequeue job) functions
Other modules will be called based on the processing that the packet undergoes
APIs for managing DPAA and various parts of the P4080 are provided by LWE
(diagram: WatchDog service → Tasklet service → Dequeue Job → Identify Job Type, dispatching to Packet Process (ingress packet, packet from CP, packet from accelerator), CP-DP Message Process (CP-DP msg, CP-DP ring buffer notification) or Timer Process (timer expiry notification))
DP Session Parallelization (timeline diagram built up over several slides; three cores, times t0–t3)
Core 1, t0: received packet → session lookup → session ‘IN USE’ = NO, so set session ‘IN USE’ and run session function 1
Core 2, t1: received packet → session lookup → session ‘IN USE’ == YES → queue in Backlog Q → exit to main loop
Core 3, t2: received packet → session lookup → session ‘IN USE’ == YES → queue in Backlog Q → exit to main loop
Core 1, t3: Backlog Q != EMPTY → dequeue packet → session function 2 … until Backlog Q empty → exit to main loop
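The session parallelization scheme above, as an added example in C (not VortiQa or Freescale code): a per-session ‘IN USE’ flag taken with a compare-and-swap, a bounded backlog queue guarded by a fine-grain spinlock, and a drain loop that releases the session under that same lock, so a packet arriving at the moment of release is either processed by its own core or drained by the owner, never stranded and never run concurrently. The struct names, the 16-entry backlog and the timeline replay are assumptions made for the example.

```c
#include <stdatomic.h>
#include <stdbool.h>

#define BACKLOG_MAX 16

struct packet { int id; };

struct session {
    atomic_bool in_use;                 /* 'IN USE' flag, set by the owning core */
    atomic_flag backlog_lock;           /* fine-grain lock, held only around queue ops */
    struct packet backlog[BACKLOG_MAX]; /* Backlog Q: packets waiting for the owner */
    int head, tail, count;
    int processed;                      /* packets run through the session function */
    int last_id;                        /* last packet id seen, to check ordering */
    bool ordered;                       /* false once a packet is processed out of order */
    int dropped;                        /* backlog overflows (constructed bound) */
};

void session_init(struct session *s) {
    atomic_store(&s->in_use, false);
    atomic_flag_clear(&s->backlog_lock);
    s->head = s->tail = s->count = 0;
    s->processed = 0; s->last_id = 0; s->ordered = true; s->dropped = 0;
}

static void spin_lock(atomic_flag *f)   { while (atomic_flag_test_and_set(f)) { } }
static void spin_unlock(atomic_flag *f) { atomic_flag_clear(f); }

static bool backlog_push(struct session *s, struct packet p) {
    if (s->count == BACKLOG_MAX) return false;
    s->backlog[s->tail] = p;
    s->tail = (s->tail + 1) % BACKLOG_MAX;
    s->count++;
    return true;
}

static bool backlog_pop(struct session *s, struct packet *out) {
    if (s->count == 0) return false;
    *out = s->backlog[s->head];
    s->head = (s->head + 1) % BACKLOG_MAX;
    s->count--;
    return true;
}

/* The session function proper (firewall/IPsec/IPS work); here it only records order. */
static void session_function(struct session *s, struct packet p) {
    if (p.id < s->last_id) s->ordered = false;
    s->last_id = p.id;
    s->processed++;
}

/* After session lookup. Returns true if this core took ownership and ran the
 * session function; false if the session was IN USE on another core, in which
 * case the packet went into Backlog Q and the caller exits to its main loop. */
bool session_begin(struct session *s, struct packet p) {
    bool expected = false;
    spin_lock(&s->backlog_lock);
    if (!atomic_compare_exchange_strong(&s->in_use, &expected, true)) {
        if (!backlog_push(s, p)) s->dropped++;   /* bounded queue: count overflow */
        spin_unlock(&s->backlog_lock);
        return false;
    }
    spin_unlock(&s->backlog_lock);
    session_function(s, p);
    return true;
}

/* Owner only: drain Backlog Q, then release. Returns how many backlogged packets
 * were processed. Releasing under the enqueue lock means a packet arriving right
 * now either finds IN USE == NO and takes over, or is queued before the check. */
int session_end(struct session *s) {
    int drained = 0;
    for (;;) {
        struct packet q;
        spin_lock(&s->backlog_lock);
        if (!backlog_pop(s, &q)) {               /* Backlog Q empty: exit to main loop */
            atomic_store(&s->in_use, false);
            spin_unlock(&s->backlog_lock);
            return drained;
        }
        spin_unlock(&s->backlog_lock);
        session_function(s, q);                  /* Backlog Q != EMPTY: dequeue and run */
        drained++;
    }
}

/* Replays the slide timeline: Core 1 owns the session at t0, Cores 2 and 3 find
 * it IN USE at t1/t2 and queue their packets, Core 1 drains them at t3.
 * Returns the number drained, or -1 if ownership did not behave as expected. */
int replay_timeline(struct session *s) {
    session_init(s);
    bool c1 = session_begin(s, (struct packet){ 1 });   /* t0, Core 1 */
    bool c2 = session_begin(s, (struct packet){ 2 });   /* t1, Core 2 */
    bool c3 = session_begin(s, (struct packet){ 3 });   /* t2, Core 3 */
    int drained = session_end(s);                       /* t3, Core 1 */
    return (c1 && !c2 && !c3) ? drained : -1;
}
```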
CP Management and Control Functions
(diagram) In the control plane on Linux SMP, user mode holds the application (web/CLI/load-save/CMS agent), the control API, RADIUS client, route updater, IKE and logger over a CP-DP communication library; kernel mode holds CP-DP communication over the CP-DP infra kernel/DP. In the data plane on LWE (DP cores): CP-DP communication, the multi-core infrastructure and the firewall, IPSec, IPS, routing and ARP modules.
CP Management Configuration Service
Configuration funnels through the Command Interpreter
De-multiplexes CP-only, DP-only and CP-and-DP commands
Sends DP commands to DP using the CP-DP communication module
Command de-multiplex module in DP calls application APIs
CP-DP Communication Approaches
►Acknowledgement based synchronous or asynchronous short message exchange between DP and CP
• Basic message passing using frame buffers
• E.g. CLI command messages, events and event registration
►Large, unknown-size byte stream bi-directional data transfer between CP and DP
• Ring buffer between CP and DP using shared memory
• E.g. configuration load, signature database load, CLI output
►Low latency IP stack bypass notification mechanism from DP to CP
• DP places pointer to data in shared memory
• DP notifies CP (cross processor doorbell interrupt)
• CP interrupt processing: read off data
• E.g. syslog messages, IKE
VortiQa Software on QorIQ P4080 Processor: DPAA Resources Partitioning
Core Partitioning
(diagram: CP – SMP Linux, DP – LWE, 2 x 10Gig ports on the DP side, with a CP-DP packet path and a CP-DP message path between the planes)
►VortiQa Software Partitioning
• CP – 1-2 cores, run one copy of SMP Linux®
• DP – 6-7 cores running on LWE
• CP Apps – IKE, ROUTEd, ARPd, syslogd, CLI, LDSV
• DP Apps – Firewall, VPN, IPS
• All Ethernet ports controlled by Data plane
►Number of cores allocated to CP and DP can be changed depending on application requirements
Memory Partitioning
(diagram) A CP Linux® partition and a DP LWE partition; each DP core has its own Code, Data, BSS, Heap and Stack regions, and all cores see the DP shared memory (DP SHM) and the global shared memory (SHM)
• Shared Code – 8 MB
• Per Core Heap – small
• DP Shared Memory – 2 GB
• Global Shared Memory – 512 MB
• Per Core Data – 192 MB
• Per Core Stack – 1 MB
Buffer Pool Allocation
Traffic Type | Buffer Pool Description | Buffer Size | Buffer Pool Default Size | Buffer Pool Max Size
CP-DP messages | Control messaging | 2048 | 1024 | 1024
SEC interfacing | SEC Descriptor | 192 | 10K | 100K
PME interfacing | PME Descriptor | 192 | 10K | 100K
Timer | Frame Descriptors / Frame Queues | 16 / 128 | 10K / 120 | 250K / 120
CP Traffic, DP Traffic | Ethernet frames | 2048 / 9256 | 2048 / 512 | 2048 / 512
Packet processing structures | IP, UDP, ICMP Reassembly / Session Management | 64K / 512 | 100 / 100K | 100 / 1M
Work Queue Assignments
► WQ 0 - CP-DP messages (highest priority) - configuration and dynamic update traffic between CP and DP
► WQ 1 - CP-DP packets - management access traffic to CP (e.g. ssh)
• If NAT’ed, IP and Management IP are the same, so this will load WQ 1 with data traffic
► WQ 2 - Not Used
► WQ 3 - SEC/PME traffic from hardware blocks as well as any tasklet triggers
► WQ 4 - Timer Messages
► WQ 5 - Not Used
► WQ 6 - DP Data Traffic (higher priority, e.g. multi-media traffic)
► WQ 7 - DP Data Traffic
Fixed Frame Queue ID (FQID) Allocation
► Ingress packet processing: 10,000 FQIDs
► CP-DP packet flow: 2 FQIDs
• One for queuing packets from DP to CP
• One for queuing packets from CP to DP
► CP-DP messages: 2 FQIDs
• One for queuing messages from DP to CP
• One for queuing messages from CP to DP
► Egress packet flow: 80 FQIDs
• 2 FMan instances
• 5 ports per FMan instance (one channel per FMan port)
• 8 priorities
► SEC, PME: 64 output FQIDs (input allocated dynamically)
• 8 output FQIDs per core times 8 cores
• Higher priority needed for this output work queue (to reduce latency)
► Timer buckets: 120 FQIDs
• Double the timer range / granularity (e.g. 2 x 60 sec / 1 sec = 120)
Dynamic Frame Queue ID (FQID) Allocation
►BMan pool of FQIDs will be created from which an FQID may be dynamically requested, used, and then released back into pool
• Useful for SEC interaction, so that each IPSec SA can be assigned a different FQID dynamically
• Use of PME (Pattern Matching Engine) also requires dynamic allocation
►SEC and PME will use a pool size of up to 100K FQIDs each
►QorIQ P4080 processor supports up to 16M frame queues
VortiQa Software on QorIQ P4080 Processor: Packet Flow
Packet Flow Overview
►F/B/QMan Ingress Offload
• Buffer allocation
• Checksum verification
• Traffic policing
• Work/traffic prioritization and distribution
►SEC, PME Look-Aside Offload
• IPsec/IKE cipher, hash, crypto algorithms
• Intelligent IPsec protocol processing
• Regular expression search
• Stateful rule based matching
►F/B/QMan Egress Offload
• Traffic shaping / scheduling
(diagram: ingress packets → F/B/QMan ingress offload → VortiQa™ networking software in multicore environment (firewall, IDS, etc., IPSec) with SEC, PME look-aside offload → F/B/QMan egress offload → egress packets; the second build of the slide labels this path “Complete Offload”)
Work Prioritization and Channel Distribution Model
• One pool channel for all CP cores, for CP>DP communication
• WQ 0 – CP>DP messages
• WQ 6 – CP data packets
• Dedicated or one pool channel for all DP cores
• WQ 0 – DP>CP messages
• WQ 1 – Configuration Traffic
• WQ 3 – SEC / PME Traffic
• WQ 5 – Timer Messages
• WQ 6,7 – Data Traffic
(diagram: the FMan enqueues into frame queues on the pool channels, a CP-DP pool channel with WQ 0 and WQ 6 serving CP #1..#2 and a DP pool channel with WQ 0..7 serving DP #1..#N; the second build of the slide adds per-core dedicated channels for the DP cores with WQ 1, 3 and 7)
Packet Distribution Criteria
• Use DSCP 3 bits, mapped to WQs 6 (multimedia), 7 (data traffic)
• Use 5 bits from hash or SPI to make 8-bit index
• FQID mapping table preloaded for channel/WQ mappings
• Default FQ would be mapped to DP pool channel
(diagram: FMan stages – buffer management, parsing, KeyGen, policing)
Schemas: hash(5-tuple selector), select 5 bits, concat DSCP field; IPsec --> SPI field, select 5 bits, concat DSCP field
Coarse classification: values for IP addresses, destination ports
8-bit index FQID mapping table (first 32 entries shown): indices 0–7 → Ch 1, 8–15 → Ch 2, 16–23 → Ch 3, 24–31 → Ch 4; within each group of eight, the first five entries map to WQ 7 and the last three to WQ 6
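The distribution criteria above, as an added example in C (not FMan configuration or VortiQa code): an 8-bit index built from 5 hash or SPI bits concatenated with 3 DSCP bits, and a preloaded 256-entry table mapping that index to a channel and work queue. Assumptions: four DP channels as in the figure, the DSCP class-selector bits as the “3 bits”, a software FNV-1a hash standing in for the KeyGen hash, and the five-to-three WQ 7/WQ 6 split per channel read off the first 32 table entries.

```c
#include <stdint.h>

#define NUM_DP_CHANNELS 4   /* DP channels Ch 1..4, as drawn in the mapping table */
#define WQ_MULTIMEDIA   6
#define WQ_DATA         7
#define TABLE_SIZE      256 /* 8-bit index */

struct fq_target { uint8_t channel; uint8_t wq; };

struct ipv4_flow {          /* 5-tuple selector plus the DSCP field */
    uint32_t src, dst;
    uint16_t sport, dport;
    uint8_t  proto;
    uint8_t  dscp;          /* 6-bit DSCP value from the IP header */
};

/* The slide's "DSCP 3 bits", taken here as the three class-selector bits
 * (assumption). DSCP is copied from the packet header, so the WQ 6 priority is
 * only as trustworthy as the upstream marking policy that set it. */
static uint8_t dscp_class(uint8_t dscp) { return (uint8_t)((dscp >> 3) & 0x07); }

/* Stand-in for the FMan KeyGen hash over the 5-tuple (FNV-1a; the hardware
 * hash differs, the bit selection that follows is what matters here). */
static uint32_t hash_5tuple(const struct ipv4_flow *f) {
    const uint8_t b[13] = {
        (uint8_t)(f->src >> 24), (uint8_t)(f->src >> 16), (uint8_t)(f->src >> 8), (uint8_t)f->src,
        (uint8_t)(f->dst >> 24), (uint8_t)(f->dst >> 16), (uint8_t)(f->dst >> 8), (uint8_t)f->dst,
        (uint8_t)(f->sport >> 8), (uint8_t)f->sport, (uint8_t)(f->dport >> 8), (uint8_t)f->dport,
        f->proto };
    uint32_t h = 2166136261u;
    for (int i = 0; i < 13; i++) { h ^= b[i]; h *= 16777619u; }
    return h;
}

/* 8-bit index = 5 selected key bits concatenated with the 3 DSCP bits. */
uint8_t distribution_index(uint32_t key, uint8_t dscp) {
    return (uint8_t)(((key & 0x1F) << 3) | dscp_class(dscp));
}

/* Preloaded table: the 5 key bits spread flows over the DP channels, the DSCP
 * bits pick the work queue. Classes 0-4 -> WQ 7 and 5-7 -> WQ 6 reproduce the
 * five-plus-three pattern per channel in the figure (the exact split is an assumption). */
void build_fqid_table(struct fq_target table[TABLE_SIZE]) {
    for (int i = 0; i < TABLE_SIZE; i++) {
        table[i].channel = (uint8_t)(((i >> 3) % NUM_DP_CHANNELS) + 1);
        table[i].wq = ((i & 0x07) < 5) ? WQ_DATA : WQ_MULTIMEDIA;
    }
}

/* Plain IP schema: hash(5-tuple selector), select 5 bits, concat DSCP field. */
struct fq_target classify_plain(const struct fq_target table[TABLE_SIZE],
                                const struct ipv4_flow *f) {
    return table[distribution_index(hash_5tuple(f), f->dscp)];
}

/* IPsec schema: SPI field, select 5 bits, concat DSCP field, so every packet
 * of one SA lands on one channel regardless of the inner flow. */
struct fq_target classify_ipsec(const struct fq_target table[TABLE_SIZE],
                                uint32_t spi, uint8_t dscp) {
    return table[distribution_index(spi, dscp)];
}
```

Because the channel is chosen from the key bits alone, all packets of one flow (or one SA) with the same DSCP class land on the same frame queue, which is what keeps them in order on one core.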
Work Identification – Frame Queue Descriptor Usage
►When creating frame queues, the CONTEXT_B field of the frame queue descriptor will be set to indicate the purpose of that queue
• Context_B helps with de-multiplexing packet/message flows that go into a common channel
• Context_B is set to a SW module ID, structure pointer or function pointer
►Allows DP core retrieving a packet from the channel to identify the type of processing that is required on it (e.g. IPsec processing)
►Allows DP or CP retrieving a CP-DP packet or message to determine its function (e.g. timer event)
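The run-to-completion loop from the DP “Run To Completion” Processing Loop slide and the CONTEXT_B work identification described here, as one added example in C (not LWE or VortiQa code): each frame queue descriptor's CONTEXT_B points at a module id and handler, the loop services the watchdog and tasklets, dequeues a job, identifies its type from CONTEXT_B and dispatches, and a frame from a queue whose CONTEXT_B was never set is counted rather than dispatched. The job-type enum, the dequeue-response struct, the 4-byte CP-DP message header and the sample channel contents are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The job types the loop tells apart (the boxes on the processing-loop slide). */
enum job_type { JOB_INGRESS_PKT, JOB_PKT_FROM_CP, JOB_CPDP_MSG, JOB_TIMER_EXPIRY,
                JOB_ACCEL_RESULT, JOB_RINGBUF_NOTIFY, JOB_TYPES };

struct frame { const uint8_t *data; size_t len; };
struct dp_core;
typedef bool (*job_fn)(struct dp_core *c, const struct frame *f);

/* What CONTEXT_B of a frame queue descriptor refers to here: a module id and
 * the function that handles frames dequeued from that queue. */
struct fq_context { enum job_type type; const char *module; job_fn handle; };
struct fq_desc    { uint32_t fqid; const struct fq_context *context_b; };
/* A dequeue response: the frame plus the descriptor of the FQ it came from. */
struct dqrr_entry { const struct fq_desc *fq; struct frame fr; };

struct dp_core {
    const struct dqrr_entry *channel;   /* simulated channel contents, in dequeue order */
    size_t nentries, next;
    unsigned counts[JOB_TYPES];         /* jobs dispatched per type */
    unsigned rejected;                  /* frames a handler refused */
    unsigned no_context;                /* frames from an FQ whose CONTEXT_B is unset */
    unsigned watchdog_kicks, tasklets_run;
    bool tasklet_pending;
};

static void watchdog_service(struct dp_core *c) { c->watchdog_kicks++; }
static void tasklet_service(struct dp_core *c) {
    if (c->tasklet_pending) { c->tasklet_pending = false; c->tasklets_run++; }
}
static bool dequeue_job(struct dp_core *c, const struct dqrr_entry **out) {
    if (c->next >= c->nentries) return false;
    *out = &c->channel[c->next++];
    return true;
}

/* Handlers. Only the CP-DP message handler looks at content: the constructed
 * message format is a 4-byte header (type, flags, 16-bit body length) + body. */
static bool handle_packet(struct dp_core *c, const struct frame *f) {
    (void)c; return f->len >= 14;                  /* at least an Ethernet header */
}
static bool handle_cpdp_msg(struct dp_core *c, const struct frame *f) {
    (void)c;
    if (f->len < 4) return false;
    size_t body = ((size_t)f->data[2] << 8) | f->data[3];
    return body + 4 == f->len;                     /* declared length must match */
}
static bool handle_timer(struct dp_core *c, const struct frame *f) { (void)c; (void)f; return true; }
static bool handle_accel(struct dp_core *c, const struct frame *f) {
    (void)f; c->tasklet_pending = true;            /* accelerator results can trigger tasklets */
    return true;
}

/* One pass of the loop: watchdog, tasklets, dequeue a job, identify it from
 * CONTEXT_B, dispatch. Returns false only when the simulated channel is empty
 * (a real core keeps spinning). */
bool dp_loop_once(struct dp_core *c) {
    const struct dqrr_entry *e;
    watchdog_service(c);
    tasklet_service(c);
    if (!dequeue_job(c, &e)) return false;
    const struct fq_context *ctx = e->fq->context_b;
    if (ctx == NULL || ctx->type >= JOB_TYPES) { c->no_context++; return true; }
    c->counts[ctx->type]++;
    if (!ctx->handle(c, &e->fr)) c->rejected++;
    return true;
}

unsigned dp_run(struct dp_core *c) {
    unsigned passes = 0;
    while (dp_loop_once(c)) passes++;
    return passes;
}

/* Constructed setup: one FQ per job type, one FQ left without CONTEXT_B, and a
 * channel holding eight dequeue responses including one malformed message. */
static const struct fq_context ctx_ingress = { JOB_INGRESS_PKT,  "pktproc",  handle_packet };
static const struct fq_context ctx_from_cp = { JOB_PKT_FROM_CP,  "cpdp-pkt", handle_packet };
static const struct fq_context ctx_msg     = { JOB_CPDP_MSG,     "cpdp-msg", handle_cpdp_msg };
static const struct fq_context ctx_timer   = { JOB_TIMER_EXPIRY, "timer",    handle_timer };
static const struct fq_context ctx_sec     = { JOB_ACCEL_RESULT, "sec",      handle_accel };
static const struct fq_desc fq_ingress = { 1000, &ctx_ingress }, fq_from_cp = { 2, &ctx_from_cp },
    fq_msg = { 4, &ctx_msg }, fq_timer = { 5000, &ctx_timer }, fq_sec = { 6000, &ctx_sec },
    fq_bad = { 7, NULL };
static const uint8_t eth[64] = { 0 };                           /* zeroed Ethernet frame */
static const uint8_t good_msg[6] = { 1, 0, 0, 2, 0xAA, 0xBB }; /* type 1, body length 2 */
static const uint8_t bad_msg[4]  = { 1, 0, 0xFF, 0xFF };        /* claims a 65535-byte body */
static const struct dqrr_entry demo[] = {
    { &fq_ingress, { eth, sizeof eth } },  { &fq_msg, { good_msg, sizeof good_msg } },
    { &fq_sec, { eth, 16 } },              { &fq_timer, { NULL, 0 } },
    { &fq_from_cp, { eth, sizeof eth } },  { &fq_msg, { bad_msg, sizeof bad_msg } },
    { &fq_bad, { eth, sizeof eth } },      { &fq_ingress, { eth, sizeof eth } },
};

void dp_core_demo_init(struct dp_core *c) {
    memset(c, 0, sizeof *c);
    c->channel = demo;
    c->nentries = sizeof demo / sizeof demo[0];
}
```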
VortiQa Software IPSec (Data plane)
IPsec Acceleration with SEC (diagram layers, top to bottom): IHAPPI interface → shim layer → SEC4.0 intelligent crypto driver (LWE APIs) → SEC4.0 hardware crypto accelerator
• IHAPPI is a proprietary Intelligent Hardware Accelerator Packet Processing Interface for IPSec. A shim layer below IHAPPI integrates SEC 4.0
• IHAPPI exposes functions and callbacks to create/manage SAs as well as for IPsec packet processing
• Shim layer translates to SEC 4.0 specifics
• Asynchronous driver interface: SecCreateIPSecSession, SecDeleteIPSecSession, SecProcessIPSecPacket
• IPsec protocol processing and symmetric crypto acceleration
IPsec SEC Usage
►For each new SA, an input FQ is created
• Used by SW to enqueue frames for crypto processing
• Associated with a WQ and channel dedicated for SEC
►Many SAs can share an output FQ with the use of compound frames
• A compound frame holds both the input and output frames, thus avoiding the need for separate input/output FQ pairs to maintain the association
• Used by SEC to enqueue processed frames
• Associated with a pool channel so SW on any core can process the result
►When creating frame queues, the CONTEXT_A and CONTEXT_B fields of the frame queue descriptor are set as follows
• Context_B set to the FQID of the frame queue to which SEC enqueues results
• Context_A set to the memory address of the Pre Header
• The Pre Header contains SEC’s intelligent protocol processing instructions
►For IPsec packet processing for an existing SA, look up the FQID for the session and enqueue a compound frame to SEC
VortiQa Software Data Scanner (Data plane)
IPS Data Scan Acceleration with PME
Layer stack, top to bottom: IHADSI Interface, Shim Layer, PME Driver (LWE APIs), PME Hardware Accelerator
• IHADSI is a proprietary Intelligent Hardware Accelerator Data Scanning Interface for IPS. A shim layer below IHADSI integrates PME.
• IHADSI exposes functions and callbacks to create/manage PME scan sessions
• Shim layer translates to PME specifics
• Driver interface
• Pattern matching acceleration
IPS Data Scan Pattern Matching Engine (PME) Usage
►IPS Signature Manager in CP loads signatures into PME
►For each new data scanning session, an input FQ is created
• Used by SW to enqueue data for pattern matching
• Associated with a WQ and channel dedicated for PME
►Many data scanning sessions can share an output FQ with the use of compound frames
• A compound frame holds both the input data and output results, thus avoiding the need for separate input/output FQ pairs to maintain the association
• Used by PME to enqueue results of processed data
• Associated with a pool channel so SW on any core can process the result
►When creating frame queues, the CONTEXT_A and CONTEXT_B fields of the frame queue descriptor are set as follows
• Context_B is set to the FQID of the frame queue to which PME enqueues results
• Context_A is set to the memory address of PME's intelligent processing instructions
►For IPS data scanning on an existing session, look up the FQID for the session and enqueue a compound frame to PME
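The frame-queue pattern that the IPsec SEC and IPS PME usage slides share (a dedicated input FQ per session, one output FQ on a pool channel shared by all sessions, CONTEXT_A pointing at the accelerator's instructions and CONTEXT_B naming the result FQ, with a compound frame carrying request and result together), as an added C model. This is not VortiQa, QMan, SEC or PME driver code: the frame queues, the accelerator and the "pre-header" contents are all simulated in software, the FQIDs, session layout and the toy ESP encap/decap transform are constructed for the example, and the function names (accel_create_session, accel_process, accel_run, accel_next_result) are stand-ins for the SecCreateIPSecSession / SecProcessIPSecPacket calls named on the slide.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the FQ/compound-frame pattern; not QMan, SEC or PME driver code. */
#define MAX_SESSIONS 8
#define QUEUE_DEPTH  16
enum { CHAN_ACCEL = 1, CHAN_POOL = 2 };  /* dedicated accelerator channel vs. pool channel */

/* Frame queue descriptor fields the slides name: CONTEXT_A and CONTEXT_B. */
struct fq_desc {
    uint32_t fqid;
    uint64_t context_a;  /* address of the pre-header holding processing instructions */
    uint32_t context_b;  /* FQID the accelerator enqueues results to */
    int      channel;
};

/* Constructed stand-in for the pre-header: the operation the accelerator must apply. */
enum sec_op { OP_ESP_ENCAP = 1, OP_ESP_DECAP = 2 };
struct pre_header { enum sec_op op; uint32_t spi; };

/* Compound frame: input and output travel together, so no input/output FQ pair is needed
   to tie a result to its request; session_id carries the software context back. */
struct compound_frame {
    uint32_t session_id;
    uint8_t  in[32];  size_t in_len;
    uint8_t  out[36]; size_t out_len;
};

/* A frame queue: its descriptor plus a small ring of compound frames. */
struct fq { struct fq_desc desc; struct compound_frame *ring[QUEUE_DEPTH]; int head, tail; };

static int fq_enqueue(struct fq *q, struct compound_frame *cf) {
    int next = (q->tail + 1) % QUEUE_DEPTH;
    if (next == q->head) return -1;  /* ring full */
    q->ring[q->tail] = cf; q->tail = next; return 0;
}
static struct compound_frame *fq_dequeue(struct fq *q) {
    if (q->head == q->tail) return NULL;
    struct compound_frame *cf = q->ring[q->head];
    q->head = (q->head + 1) % QUEUE_DEPTH; return cf;
}

/* One shared output FQ on the pool channel; one input FQ and pre-header per session. */
struct accel_model {
    struct fq out_fq, in_fq[MAX_SESSIONS];
    struct pre_header ph[MAX_SESSIONS];
    int n_sessions;
};
void accel_model_init(struct accel_model *m) {
    memset(m, 0, sizeof *m);
    m->out_fq.desc.fqid = 1000;  /* constructed FQID */
    m->out_fq.desc.channel = CHAN_POOL;
}

/* SecCreateIPSecSession analogue: a per-session input FQ with CONTEXT_A/B filled in. */
int accel_create_session(struct accel_model *m, enum sec_op op, uint32_t spi) {
    if (m->n_sessions >= MAX_SESSIONS) return -1;
    int id = m->n_sessions++;
    m->ph[id].op = op; m->ph[id].spi = spi;
    struct fq_desc *d = &m->in_fq[id].desc;
    d->fqid      = 2000 + id;  /* constructed FQID */
    d->channel   = CHAN_ACCEL;
    d->context_a = (uint64_t)(uintptr_t)&m->ph[id];
    d->context_b = m->out_fq.desc.fqid;
    return id;
}

/* SecProcessIPSecPacket analogue: look up the session's FQ and enqueue the compound frame. */
int accel_process(struct accel_model *m, int session, struct compound_frame *cf) {
    if (session < 0 || session >= m->n_sessions) return -1;
    cf->session_id = (uint32_t)session;
    return fq_enqueue(&m->in_fq[session], cf);
}

/* Simulated accelerator: drain each input FQ, read instructions via CONTEXT_A, write the
   result into the same compound frame, then enqueue it on the FQ named by CONTEXT_B. */
int accel_run(struct accel_model *m) {
    int done = 0;
    for (int s = 0; s < m->n_sessions; s++) {
        struct fq *q = &m->in_fq[s];
        struct compound_frame *cf;
        while ((cf = fq_dequeue(q)) != NULL) {
            const struct pre_header *ph = (const struct pre_header *)(uintptr_t)q->desc.context_a;
            if (ph->op == OP_ESP_ENCAP) {  /* toy encap: prepend the 4-byte SPI */
                memcpy(cf->out, &ph->spi, 4);
                memcpy(cf->out + 4, cf->in, cf->in_len);
                cf->out_len = cf->in_len + 4;
            } else {                       /* toy decap: strip the leading 4 bytes */
                cf->out_len = cf->in_len > 4 ? cf->in_len - 4 : 0;
                memcpy(cf->out, cf->in + 4, cf->out_len);
            }
            if (q->desc.context_b == m->out_fq.desc.fqid) fq_enqueue(&m->out_fq, cf);
            done++;
        }
    }
    return done;
}

/* Any core may dequeue from the pool-channel output FQ and use session_id to find its session. */
struct compound_frame *accel_next_result(struct accel_model *m) { return fq_dequeue(&m->out_fq); }
```

The point the model makes visible is the one the slides give for compound frames: the consumer pulling from the single pool-channel output FQ gets request and result in one structure and needs only session_id to find its SA or scan session, so the output side scales to many sessions without a matching FQ per session, and whichever core dequeues can finish the work.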
Egress Distribution
►Egress packets are queued into the work queues of the dedicated QMan channel that is directly connected to the desired FMan port
►Work queues 2,3,4,5,6,7 (i.e. all except the strict priority work queues 0 and 1) are populated with one frame queue (FQID) each
►The DSCP priority bits (3 bits, 8 values) of an egress packet are mapped to one of the 6 work queue IDs for the port, using a static mapping table indexed by the DSCP priority value
►Schedule weights can be assigned to the non-strict priority work queues
►Shaping bandwidth can be configured for the FMan ports
VortiQa Software on QorIQ P4080 Processor: Control Flow and Infrastructure Support
VLANs and Control Packet Flow
Figure: the CP VLAN interface database is replicated on the DP, with address change notification sent from CP to DP (VLAN interface database replicated).
Control packet flow:
• Packets processed in DP
• Identified as CP packets
• Packets sent through the CP-DP communication library
• Packets received by the pseudo Ethernet driver
• Pseudo Ethernet driver announces them to the TCP/IP stack
VortiQa Software IKE (Control Plane)
IKE Acceleration with SEC
Layer stack, top to bottom: IHAKMI Interface, Shim Layer, SEC4.0 Crypto Driver, SEC4.0 Hardware Crypto Accelerator
• IHAKMI is a proprietary Intelligent Hardware Accelerator Key Management Interface for the multi-threaded IKE application
• Shim layer uses low-level driver/APIs for SEC 4.0
• Synchronous interface
• Asymmetric crypto acceleration
Control Plane, Data Plane (CP-DP) Messaging
• Uses a dedicated buffer pool
• CP user application to kernel mode infrastructure
• CP kernel mode infra -> DP pool channel
• Any DP core may process the message
• Response optional from DP
• Two FQIDs used, one per direction
Figure: on the CP side, user-mode App #1 and App #2 sit above the kernel-mode CP-DP Comm Support and DeMux, with CP #1 served by the CP pool channel (FQ 0 ... 7); on the DP side, DP #1, DP #2 ... DP #N are served by the DP pool channel (FQ 0 ... 6); a Request flows CP -> DP and a Response flows DP -> CP (DP->CP messages).
Timer HW Assist
• Realizes a large number of timers
• Effort to minimize the software overhead of monitoring timeouts for millions of sessions
• Features
• Software gets a job when the timer expires
• Distributing timer expiration processing of sessions across cores
• Time between buckets is the timer period (granularity)
• Number of buckets gives the max time (range); times greater than 'n' time units are handled by the timer module internally
• Timer interrupt handled by only one core
• Timer processing in many cores
Figure: a ring of frame queues FQ 0, 1, 2, 3, 4 ... n (spacing between buckets = granularity, n buckets = range) with a "next bucket to process" pointer; each bucket holds an FD plus a timer control structure from the timer pool, and the frame queues point to the timer pool channel and are created in the inactive state.
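The bucketed timer described above, as an added C model that is not part of the presentation or of VortiQa. It implements the timing wheel the slide sketches: n buckets spaced one granularity apart give the range, a single tick handler (the one core that takes the timer interrupt) advances the "next bucket" pointer and moves the due entries to an expired list that stands in for the pool-channel FQ any core can drain, and timeouts longer than the range are folded into a rotation count handled inside the module. The bucket count, granularity and names (timer_wheel, timer_add, timer_tick, timer_take_expired) are constructed for the example, and linked lists stand in for the per-bucket frame queues and frame descriptors.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TIMER_BUCKETS 8  /* n buckets: range = n * granularity (constructed size) */

/* Stands in for "FD + timer control structure from the timer pool". */
struct timer_ctl {
    uint32_t session_id;
    uint32_t rotations;  /* full wheel turns still to wait, for timeouts beyond the range */
    struct timer_ctl *next;
};

struct timer_wheel {
    struct timer_ctl *bucket[TIMER_BUCKETS];  /* each stands in for one bucket FQ */
    struct timer_ctl *expired;                /* stands in for the pool-channel FQ any core drains */
    unsigned next_bucket;                     /* advanced only by the tick handler */
    uint32_t granularity_ms;
    uint32_t n_expired;                       /* entries waiting on the expired list */
};

void timer_wheel_init(struct timer_wheel *w, uint32_t granularity_ms) {
    memset(w, 0, sizeof *w);
    w->granularity_ms = granularity_ms;
}

uint32_t timer_wheel_range_ms(const struct timer_wheel *w) { return TIMER_BUCKETS * w->granularity_ms; }

/* Arm a session timer: round the timeout up to whole ticks, hang it on the bucket that comes
   due after that many ticks, and fold anything beyond one rotation into 'rotations'.
   Returns the bucket index used. */
int timer_add(struct timer_wheel *w, struct timer_ctl *t, uint32_t timeout_ms) {
    uint32_t ticks = (timeout_ms + w->granularity_ms - 1) / w->granularity_ms;
    if (ticks == 0) ticks = 1;
    t->rotations = (ticks - 1) / TIMER_BUCKETS;
    unsigned slot = (w->next_bucket + ticks) % TIMER_BUCKETS;
    t->next = w->bucket[slot];
    w->bucket[slot] = t;
    return (int)slot;
}

/* Tick handler, run on exactly one core: advance to the next bucket, move entries whose
   rotation count has reached zero to the expired list, keep the rest for a later turn.
   Returns how many timers expired on this tick. */
uint32_t timer_tick(struct timer_wheel *w) {
    w->next_bucket = (w->next_bucket + 1) % TIMER_BUCKETS;
    struct timer_ctl *keep = NULL, *t = w->bucket[w->next_bucket];
    uint32_t fired = 0;
    while (t) {
        struct timer_ctl *n = t->next;
        if (t->rotations == 0) {
            t->next = w->expired; w->expired = t; fired++;
        } else {
            t->rotations--; t->next = keep; keep = t;
        }
        t = n;
    }
    w->bucket[w->next_bucket] = keep;
    w->n_expired += fired;
    return fired;
}

/* Any core may take an expired entry and run the session's timeout job: the per-session
   processing is spread across cores while the tick itself stays on one core. */
struct timer_ctl *timer_take_expired(struct timer_wheel *w) {
    struct timer_ctl *t = w->expired;
    if (t) { w->expired = t->next; w->n_expired--; }
    return t;
}
```

The cost per tick is one bucket walk regardless of how many sessions exist, which is the overhead reduction the slide is after; the price is that a timeout is only accurate to one granularity, and entries beyond the range are re-examined once per rotation rather than once per tick.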
Summary
►VortiQa software for Service Provider equipment requires high computing power
• To satisfy growing demands for bandwidth
• To do deep-packet and data inspection to detect and prevent sophisticated attacks
►QorIQ P4080 multicore processor meets the challenge
• Designed for networking and security related appliances and markets
• Combines 8 cores, each running at 1.5 GHz, with the DPAA engines SEC, PME, FMAN, QMAN and BMAN
• Provides acceleration engines at the Ingress, Look Aside and Egress levels
• 2 Mbytes of L3 cache in addition to L1 and L2 caches, with the facility to position the code
Q&A
►Thank you for attending this presentation. We’ll now take a few moments for the audience’s questions and then we’ll begin the question and answer session.