Presentation is loading. Please wait.

Presentation is loading. Please wait.

Multiple vDPI Functions using DPDK and Hyperscan on OVS-DPDK Platform

Published byThomas Pålsson Modified over 5 years ago

Similar presentations

Presentation on theme: "Multiple vDPI Functions using DPDK and Hyperscan on OVS-DPDK Platform"— Presentation transcript:

1 Multiple vDPI Functions using DPDK and Hyperscan on OVS-DPDK Platform
Cheng-Chien SU Fang-Chen KUO LIONIC Corp.

2 What is Deep Packets Inspection?
Application Identification Content Inspection Device Identification Packets flow pass through the network Malicious Websites Viruses Hack’s Intrusion . . . . . . . . . Router / Setup-Box Gateway

3 Deep Packet Inspection Problem
(Snort2.9.11) Packet 1 Gbps (Line rate) reduced 96% throughput 0.038 Gbps Note: Intel Atom C3958 Platform

4 Agenda DPI Workflow How to improvement DPI throughput in Intel Platform DPDK Hyperscan Content Merging Multiple vDPI Function on OVS-DPDK Platform Throughput Comparison

5 DPI Workflow (1/2) Flow Management Pre-Filter Post-Checker Flow Action
Multiple Pattern Matching for Payload Packet In Packet Out Network Interface Controller

6 Network Interface Controller
DPI Workflow (2/2) Flow Management Pre-Filter Post-Checker Flow Action L3&L4 header matching More exactly pattern matching Packet In Packet Out Network Interface Controller

7 Network Interface Controller
DPI - Example Flow Management Pre-Filter Post-Checker Flow Action alert tcp any any -> /16 any (msg:”VIRUS”; content:”virus”; dsize:300<>400; sid:10000;) alert tcp any any -> /24 any (msg:”SKYPE”; content:”skype”; pcre:”/^skype=[0-9a-z]{10}/”; sid:20000;) alert UDP /16 any -> any 53 (msg:”DNS Query”; content:”google”; pcre:”/\x01\x00.*google0x03.com/”; sid:30000;) Packet In Packet Out Network Interface Controller

8 How to improvement DPI throughput in Intel Platform
Flow Management Pre-Filter via Hyperscan Pre-Filter Post-Checker Flow Action Packet In via DPDK Packet In Packet Out via DPDK Packet Out Network Interface Controller

9 Content Merging (1/2) Pre-filter support regular expression
Increase the complexity of pattern to reduce the number of post check Compatible with snort format

10 Content Merging (2/2) alert tcp $EXTERNAL_NET any -> $HOME_NET any (content:"|12 01|"; content:"| |"; within:5; distance:2;) Pattern: “\x01\x00\x00\x00” Regular Expression: “\x12\x01.{2,3}\x01\x00\x00\x00”

11 Lionic DPI SDK (1/2) Lionic DPI-SDK provide antivirus, intrusion prevention system, application identification, device identification and web content filtering. Lionic DPI-SDK is compatible with snort rule format. Lionic DPI-SDK supports DPDK and Hyperscan.

12 Lionic DPI SDK (2/2) Lionic DPI SDK Signature Database IPS Signature
Virus Signature Anti-Virus IPS Signature Intrusion Prevention System Device Signature Device Identification Application Signature Application Identification Web Content Cloud Database Web Content Filtering Signature Database Applications Services Hardware DPI – LA3000 Pattern Matching Processor (Silicon IP) Software DPI Pattern Matching Library DPI Engine Lionic DPI SDK

13 Multiple vDPI Function on OVS-DPDK Platform
DPDK vHost Acceleration NIC VM vDPI Function with Hyperscan VirtIO DPDK IPS App Ident Antivirus ovs-vswitchd ofproto

14 Test Platform Specification
Hardware – NEXCOM vDNA 1160 Intel Atom C3958 SoC 16 2GHz Memory: 32GB NIC: Intel i350 AM4 1GbE*4, Marvell PHY 1GbE*2 OS: Debian 9.4 OvS version: 2.9.0 DPDK version: Hyperscan version: 4.7.0 Snort Version: All the VMs are created by KVM and emulated by QEMU Run IXIA IxLoad (version ) on the provided environment

15 Test Environment NIC NIC HTTP Traffic Guest VM vDPI Function
with Hyperscan VirtIO DPDK HTTP Traffic OvS-DPDK NIC NIC

16 Throughput Comparison
vDPI Function Throughput (Mbps) Impact No inter-VM 872.29 0% Snort (NFQ, Aho-Corasick) 38.71 96% Snort (NFQ, Hyperscan) 95.84 89% Snort (DPDK, Hyperscan) 269.39 69% Lionic-IPS (DPDK, Hyperscan) 795.02 9% Lionic-App_Ident (DPDK, Hyperscan) 864.77 1% Note: IPS rules are 9791, App_Ident rules are1858

17 Snort Resource Snort access packets via DAQ module
Patch for DAQ available at: Follows the instruction on the page to build Snort with patched DAQ module Snort 2.9.x does not support using Hyperscan as MPSE Patch for Snort are available at: ?langredirect=1 Some modification based on the patch to support Snort

18 THANK YOU!

Download ppt "Multiple vDPI Functions using DPDK and Hyperscan on OVS-DPDK Platform"

Similar presentations

Virtual Switching Without a Hypervisor for a More Secure Cloud Xin Jin Princeton University Joint work with Eric Keller(UPenn) and Jennifer Rexford(Princeton)

Virtual Switching Without a Hypervisor for a More Secure Cloud Xin Jin Princeton University Joint work with Eric Keller(UPenn) and Jennifer Rexford(Princeton)
IDPS (Intrusion Detection & Prevention System )

IDPS (Intrusion Detection & Prevention System )
CS/CoE 535 : Snort Lite - Fall 2003 1 Snort Lite Members Michael Attig –Hardware Design / System Architecture Qian Wan –Software Design.

CS/CoE 535 : Snort Lite - Fall Snort Lite Members Michael Attig –Hardware Design / System Architecture Qian Wan –Software Design.
Efficient VM Introspection in KVM and Performance Comparison with Xen

Efficient VM Introspection in KVM and Performance Comparison with Xen
1 Ally: OS-Transparent Packet Inspection Using Sequestered Cores Jen-Cheng Huang 1, Matteo Monchiero 2, Yoshio Turner 3, Hsien-Hsin Lee 1 1 Georgia Tech.

1 Ally: OS-Transparent Packet Inspection Using Sequestered Cores Jen-Cheng Huang 1, Matteo Monchiero 2, Yoshio Turner 3, Hsien-Hsin Lee 1 1 Georgia Tech.
Accelerating the Path to the Guest

Accelerating the Path to the Guest
Efficient Multi-match Packet Classification with TCAM Fang Yu Randy H. Katz EECS Department, UC Berkeley {fyu,

Efficient Multi-match Packet Classification with TCAM Fang Yu Randy H. Katz EECS Department, UC Berkeley {fyu,
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Efficient Multi-Match Packet Classification with TCAM Fang Yu

Efficient Multi-Match Packet Classification with TCAM Fang Yu
Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.

Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.
Gregex: GPU based High Speed Regular Expression Matching Engine Date:101/1/11 Publisher:2011 Fifth International Conference on Innovative Mobile and Internet.

Gregex: GPU based High Speed Regular Expression Matching Engine Date:101/1/11 Publisher:2011 Fifth International Conference on Innovative Mobile and Internet.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Intrusion Prevention System Group 6 Mu-Hsin Wei Renaud Moussounda Group 6 Mu-Hsin Wei Renaud Moussounda.

Intrusion Prevention System Group 6 Mu-Hsin Wei Renaud Moussounda Group 6 Mu-Hsin Wei Renaud Moussounda.
Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich.

Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich.
USENIX LISA ‘99 Conference © Copyright 1999, Martin Roesch Snort - Lightweight Intrusion Detection for Networks Martin Roesch.

USENIX LISA ‘99 Conference © Copyright 1999, Martin Roesch Snort - Lightweight Intrusion Detection for Networks Martin Roesch.
Kamalapurkar Shounak Rajarshi Salil Joshi Rohan Bhavsar Sagar Pai Sandesh Low Latency Publisher-Subscriber Network for Stock Market Application Team WhiteWalkers.

Kamalapurkar Shounak Rajarshi Salil Joshi Rohan Bhavsar Sagar Pai Sandesh Low Latency Publisher-Subscriber Network for Stock Market Application Team WhiteWalkers.
Workpackage 3 New security algorithm design ICS-FORTH Paris, 30 th June 2008.

Workpackage 3 New security algorithm design ICS-FORTH Paris, 30 th June 2008.
IDS Intrusion Detection Systems CERT definition: A combination of hardware and software that monitors and collects system and network information and analyzes.

IDS Intrusion Detection Systems CERT definition: A combination of hardware and software that monitors and collects system and network information and analyzes.
Intrusion Prevention System. Module Objectives By the end of this module, participants will be able to: Use the FortiGate Intrusion Prevention System.

Intrusion Prevention System. Module Objectives By the end of this module, participants will be able to: Use the FortiGate Intrusion Prevention System.

Similar presentations

Ads by Google