Date: Thu, 12 Apr 2012 15:47:43 +0900
This is a fairly niche report (first installment), 32 pages:
"Investigating the Effectiveness of Many-core Network Processors
for High Performance Cyber Protection Systems. Part I, FY2011."
Publication Date: 2011 Sep 01, Update Date: 2012 Jan 26
Robert E. Benner, et al. Sandia National Laboratories
"This report documents our first year efforts to address the use of
many-core processors for high performance cyber protection. ..."
1. Introduction to many-core processors and cyber protection
1.2. Overview of cyber protection tools
"In our work, we have focused on the target cyber application being
a firewall. In actuality, we have addressed two forms of firewalls
- stateless and stateful firewalls. ..."
"In the sections that follow, we provide a description of the aspects
of the firewall design we have focused on and a summary of our
accomplishments in those areas. The design aspects include the design
of an efficient front-end for packet I/O, the distribution of work
load to many-core systems and how this is affected by the logistics
of stateless versus stateful firewall."
2. Stateless Firewall
2.1. Design of firewall frontend
"... We developed the threads-based program on a Tilera many-core system
(TilePro processor) and showed the effects of explicitly pinning threads
to cores. ..."
"... In a similar setup, we performed the passive-wire experiment
but with increasing number of threads to see how using more cores
increase the throughput performance. ..."
2.2. Many-core implementation of stateless firewall processing
"We chose the replication method initially, so the way firewall
rules are organized will not depend on how we handled the multi-core
traffic handling design. This is because each core on the CPU will get
a packet and will have to analyze it against all the rules in
a specified configuration file. Thus, every core will need access
to the same read-only data structure created as a result of
the configuration file. .."
Figure 3. Packet processing rate as a function of number of rules
and number of cores in a TilePro (866 MHz) processor.
"Currently, our code has not been fully optimized ... However,
the scaling versus number of cores is almost linear (the horizontal
axis is logarithmic) indicating that the NUMA in TilePro did not
have significant impact at these rates. ..."
"Our next step is to properly profile the performance of our stateless
firewall and look for any bottlenecking function in the code,
so we can apply any applicable optimization to those areas. ..."
3. Stateful Firewall
"In the next section, we describe our development effort for
the latter on an Intel-based processor."
3.2. Extending iptables stateful firewall to many-core solution
"As our team began exploring potential solutions for porting stateful
firewall to many-core systems, it became apparent that Linux iptables
was the best starting point. ... Regardless, we explored iptables
and its functionality on a standard system builds and ported it
onto a Tilera with demonstrated effectiveness.
We then started with the next milestone of specifying which
processing core(s) we want an iptables chain to run on. We successfully
developed and demonstrated this feature on a TilePro processor using
modifications in its Linux kernel image. Finally, we integrated
the hashing function to allow for multiple spawning of cores
to process iptables rules simultaneously. ..."
4. Conclusion and future work
"In the next year, we anticipate the completion of a parallel
pipelined version of stateful firewall processing which we will
demonstrate on our many-core processors. In addition, we will
complete the optimization of our stateless firewall implementation
to increase its processing rate. Finally, we will conduct research
into auto load-balancing of tasks within a processing pipeline
and deploy our solutions to reduce latency and processing time."
Appendix A: Methods to achieve putting a Linux-based firewall
in passive-wire mode
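
Added example (not code from the Sandia report or from this post): a C illustration of the work-distribution contrast quoted in sections 2.2 and 3.2 above. With stateless replication any core can check any packet against one shared read-only rule table, while stateful processing needs a flow hash that sends both directions of a connection to the same core. The struct layouts, the two sample rules, the symmetric hash and the 64-core count are assumptions; the excerpts do not specify the report's hashing function.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed 5-tuple; field names are assumptions, not from the report. */
struct flow { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };
/* One stateless rule: masked src/dst, dport and proto (0 = any), verdict. */
struct rule { uint32_t src, smask, dst, dmask; uint16_t dport; uint8_t proto; int accept; };

/* Read-only table shared by every core (the "replication" model). */
static const struct rule RULES[] = {
    { 0x0A000000, 0xFF000000, 0xC0A80001, 0xFFFFFFFF, 22, 6, 1 }, /* 10/8 -> 192.168.0.1:22 tcp */
    { 0x00000000, 0x00000000, 0xC0A80001, 0xFFFFFFFF, 80, 6, 1 }, /* any  -> 192.168.0.1:80 tcp */
};

/* Stateless verdict: first match wins, default deny. It reads only the
   shared table, so packets can be handed to cores in any order. */
int stateless_verdict(const struct flow *f) {
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++) {
        const struct rule *r = &RULES[i];
        if ((f->src & r->smask) == r->src && (f->dst & r->dmask) == r->dst &&
            (r->proto == 0 || r->proto == f->proto) &&
            (r->dport == 0 || r->dport == f->dport))
            return r->accept;
    }
    return 0;
}

/* 32-bit avalanche step (MurmurHash3 finalizer). */
static uint32_t mix(uint32_t h) {
    h ^= h >> 16; h *= 0x85ebca6bu; h ^= h >> 13; h *= 0xc2b2ae35u; h ^= h >> 16;
    return h;
}

/* Stateful dispatch: order the two endpoints before hashing so A->B and
   B->A pick the same core and the connection state needs no sharing. */
unsigned flow_core(const struct flow *f, unsigned ncores) {
    uint64_t a = ((uint64_t)f->src << 16) | f->sport;
    uint64_t b = ((uint64_t)f->dst << 16) | f->dport;
    uint64_t lo = a < b ? a : b, hi = a < b ? b : a;
    uint32_t h = mix((uint32_t)lo ^ (uint32_t)(lo >> 32));
    return mix(h ^ (uint32_t)hi ^ (uint32_t)(hi >> 32) ^ f->proto) % ncores;
}

int main(void) {
    struct flow syn = { 0x0A010203, 0xC0A80001, 40000, 22, 6 }; /* constructed */
    struct flow rep = { 0xC0A80001, 0x0A010203, 22, 40000, 6 }; /* its reply */
    printf("verdicts %d %d, cores %u %u\n", stateless_verdict(&syn),
           stateless_verdict(&rep), flow_core(&syn, 64), flow_core(&rep, 64));
    return 0;
}
```

The reply packet is denied by the stateless table alone, which is the case connection tracking exists to handle, and it lands on the same core as the request so that core can hold the state.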