Reprints from my posting to SAN-Tech Mailing List and ...


[san-tech][03524] Report: Many-core Network Processors for High Performance Cyber Protection, 2011 Sep 01, SNL

Date: Thu, 12 Apr 2012 15:47:43 +0900
かなりマニアックな報告書 (第一報) です (32 pages):

"Investigating the Effectiveness of Many-core Network Processors
 for High Performance Cyber Protection Systems. Part I, FY2011."
 Publication Date: 2011 Sep 01, Update Date; 2012 Jan 26
 Robert E. Benner, et al. Sandia National Laboratories

"This report documents our first year efforts to address the use of
 many-core processors for high performance cyber protection. ..."

1. Introduction to many-core processors and cyber protection
1.2. Overview of cyber protection tools

   "In our work, we have focused on the target cyber application being
    a firewall. In actuality, we have addressed two forms of firewalls
    - stateless and stateful firewalls. ..."

  "In the sections that follow, we provide a description of the aspects
   of the firewall design we have focused on and a summary of our
   accomplishments in those areas. The design aspects include the design
   of an efficient front-end for packet I/O, the distribution of work
   load to many-core systems and how this is affected by the logistics
   of stateless versus stateful firewall."

2. Stateless Firewall
2.1. Design of firewall frontend

  "... We developed the threads-based program on a Tilera many-core system
   (TilePro processor) and showed the effects of explicitly pinning threads
   to cores. ..."

  "... In a similar setup, we performed the passive-wire experiment
   but with increasing number of threads to see how using more cores
   increase the throughput performance. ..."

2.2. Many-core implementation of stateless firewall processing

  "We chose the replication method initially, so the way firewall
   rules are organized will not depend on how we handled the multi-core
   traffic handling design. This is because each core on the CPU will get
   a packet and will have to analyze it against all the rules in
   a specified configuration file. Thus, every core will need access
   to the same read-only data structure created as a result of
   the configuration file. .."

2.3. Results
  Figure 3. Packet processing rate as a function of number of rules
            and number of cores in a TilePro (866 MHz) processor.

  "Currently, our code has not been fully optimized ... However,
   the scaling versus number of cores is almost linear (the horizontal
   axis is logarithmic) indicating that the NUMA in TilePro did not
   have significant impact at these rates. ..."

  "Our next step is to properly profile the performance of our stateless
   firewall and look for any bottlenecking function in the code,
   so we can apply any applicable optimization to those areas. ..."

3. Stateful Firewall

  "In the next section, we describe our development effort for
   the latter on an Intel-based processor."

3.2. Extending iptables stateful firewall to many-core solution

  "As our team began exploring potential solutions for porting stateful
   firewall to many-core systems, it became apparent that Linux iptables
   was the best starting point. ... Regardless, we explored iptables
   and its functionality on a standard system builds and ported it
   onto a Tilera with demonstrated effectiveness.

   We then started with the next milestone of specifying which
   processing core(s) we want an iptables chain to run on. We successfully
   developed and demonstrated this feature on a TilePro processor using
   modifications in its Linux kernel image. Finally, we integrated
   the hashing function to allow for multiple spawning of cores
   to process iptables rules simultaneously. ..."

4. Conclusion and future work

  "In the next year, we anticipate the completion of a parallel
   pipelined version of stateful firewall processing which we will
   demonstrate on our many-core processors. In addition, we will
   complete the optimization of our stateless firewall implementation
   to increase its processing rate. Finally, we will conduct research
   into auto load-balancing of tasks within a processing pipeline
   and deploy our solutions to reduce latency and processing time."

5. References
Appendix A: Methods to achieve putting a Linux-based firewall
            in passive-wire mode

0 件のコメント: