Our customer wanted to design a high-performance Linux-based UTM as a virtual appliance that could run on COTS (Commercial Off the Shelf) systems. The requirement was to build the system using only open source components while supporting 10Gbps packet processing throughput.
The UTM needed to have the following capabilities:
- Multiple security zones for LAN, WAN, DMZ and wireless networks
- Firewall rules for incoming, outgoing, internal, external traffic
- DHCP, DNS, web proxy, im-proxy, pop3 proxy, sip proxy services
- VPN service using openvpn
- QoS and Bandwidth Control
The goal was to ensure that all the above features would be supported at 10Gbps. This was primarily achieved using DPDK for fast path acceleration.
- The Benison team optimized an open-source UTM (100Mbps) to support 10Gbps and to be deployable on a variety of COTS systems.
- We picked a software architecture that leverages the Linux network stack and Netfilter framework for the slow path and Intel DPDK for fast path acceleration. This helped achieve the time-to-market goals.
- We built the complete solution, from evaluation and selection through implementation of the open source components, which included the Linux kernel, service daemons, the packet processing framework (Intel DPDK), the build and release system, the user interface framework and other software components.
The software architecture consisted of:
- Control and Management plane implemented using open source software as Linux user processes
- Linux kernel network stack and Netfilter framework for slow path data plane processing.
- Packet processing accelerated by fork-lifting established connections from the Linux kernel netfilter conntrack module to an Intel DPDK based packet processing application running in user space
The accelerated data plane designed using Intel DPDK consisted of:
- One or more cores running Packet Forwarding Engine (PFE). The PFE provides high performance network data path, supplanting the Linux stack and kernel for data plane processing
- The Packet Forwarding Daemon (pFwd), akin to a FIB manager, is responsible for fork-lifting the required kernel state from the Route/ARP/Firewall/IPsec tables in the kernel and translating it into the table structures needed for fast path processing. The Packet Forwarding Daemon uses Linux netlink and netfilter events to obtain kernel state
- A special Packet Forwarding Engine called the Control PFE receives events from the Packet Forwarding Daemon (pFwd) and populates all tables required for packet forwarding by the PFEs
- The system is designed as an ASM (Asynchronous Multicore Processing) solution, with flexible configuration options for resource allocation.
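The fork-lift flow described above, as an added illustration that is not Benison's code: a simulated kernel slow path evaluates firewall policy and conntrack state for the first packets of a flow, pFwd turns conntrack ESTABLISHED and DESTROY events into fast-path table updates, and the PFE serves later packets without touching the kernel. Zone names, the rule set, the 5-tuples and the simplified state transitions (the reply direction is not modelled) are all constructed for the example.

```python
from typing import Dict, Tuple

# 5-tuple identifying a flow: (src, dst, sport, dport, proto). Constructed sample data.
Flow = Tuple[str, str, int, int, int]

# Slow-path firewall policy as (zone_in, zone_out, dport, action); default deny.
# Constructed sample rules, evaluated for the first packet of a flow only,
# the way the netfilter slow path would.
RULES = [("lan", "wan", 443, "ACCEPT"), ("lan", "wan", 80, "ACCEPT")]

def slow_path_verdict(zone_in: str, zone_out: str, flow: Flow) -> str:
    for zi, zo, dport, action in RULES:
        if (zi, zo, dport) == (zone_in, zone_out, flow[3]):
            return action
    return "DROP"

class ForkLiftUTM:
    """Simulates kernel slow path, pFwd (event translation) and the PFE fast path."""
    def __init__(self) -> None:
        self.conntrack: Dict[Flow, str] = {}   # kernel conntrack table (simulated)
        self.fast_path: Dict[Flow, str] = {}   # PFE flow table: flow -> egress zone
        self.stats = {"slow": 0, "fast": 0, "drop": 0}

    def pfwd_on_event(self, event: str, flow: Flow, zone_out: str = "") -> None:
        """pFwd: turn a conntrack event into a Control PFE table update."""
        if event == "ESTABLISHED":
            self.fast_path[flow] = zone_out      # fork-lift the accepted, established flow
        elif event == "DESTROY":
            self.fast_path.pop(flow, None)       # keep the fast path in sync with the kernel

    def process(self, zone_in: str, zone_out: str, flow: Flow) -> str:
        if flow in self.fast_path:               # PFE hit: Linux stack bypassed entirely
            self.stats["fast"] += 1
            return "FAST"
        self.stats["slow"] += 1                   # miss: punt the packet to the Linux stack
        state = self.conntrack.get(flow)
        if state is None:
            if slow_path_verdict(zone_in, zone_out, flow) != "ACCEPT":
                self.stats["drop"] += 1
                return "DROP"                     # denied flows never reach the fast path
            self.conntrack[flow] = "NEW"
            return "SLOW"
        # Second packet of an accepted flow: conntrack marks it ESTABLISHED
        # and pFwd fork-lifts it into the PFE table.
        self.conntrack[flow] = "ESTABLISHED"
        self.pfwd_on_event("ESTABLISHED", flow, zone_out)
        return "SLOW"

    def conntrack_destroy(self, flow: Flow) -> None:
        """Timeout or RST in the kernel: the DESTROY event must evict the PFE entry."""
        self.conntrack.pop(flow, None)
        self.pfwd_on_event("DESTROY", flow)
```

The DESTROY handling is the part to get right in a real deployment: once a flow is fork-lifted, the PFE no longer consults netfilter, so any conntrack teardown or firewall policy change has to evict or re-validate the corresponding fast-path entries.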
Packet processing acceleration was achieved through:
- Core isolation for Linux stack and Packet processing application
- Intel DPDK Poll Mode Drivers and Zero copy processing
- RSS to distribute packets across cores and to achieve Flow pinning
- Lockless design
- NUMA aware design, with intelligent placement of data structures to avoid access across NUMA nodes over QPI bus