Accolade to Sponsor SuriCon Prague 2017
Resolve All Your Host CPU Bottlenecks: FPGA-based
Accolade Technology is proud to sponsor Suricon 2017 in Prague, the Czech Republic. SuriCon is a collaborative event made up of OISF members and the Suricata community to develop ideas, discuss projects and to build community.
Nov 15 – 17, 2017
Hotel Grandior Prague Na Poříčí 42 110 00 Praha 1-Florenc Czech Republic
Meet Accolade at SuriCon – Presentation Wed Nov 15, 2017 3:00pm – 3:30pm
[Preview Full SuriCon Agenda]
Hardware-based Flow Offload in Suricata — Alfredo Cardigliano, ntop
This talk covers the implementation of PF_RING enabled hardware flow shunting on Accolade 10/40/100 Gbit network adapters.
ABSTRACT: Suricata is a CPU bound application, its performance is hence affected by the number of processed packets. For years, Suricata performance has been improved by offloading selected tasks or using accelerated packet capture techniques that overcome typical operating system bottlenecks as well as reducing CPU cycles necessary to process a packet flow. In order to reduce the ingress rate, packet filtering techniques have been used with limited success, since filtering rules are static. It would be desirable for Suricata to directly instruct the packet capture system to drop or pass through selected packet flows. This technique, named flow offload, is currently implemented in Suricata in the NFQUEUE module, but unfortunately it does not significantly improve the overall performance.
This talk covers the implementation of PF_RING enabled hardware flow shunting on Accolade 10/40/100 Gbit network adapters. By exploiting the Accolade hardware-based flow classification engine, it is possible to request the network adapter to drop or forward packets from selected flows when flow shunting mode is enabled in Suricata. Depending on the NIC model, it is possible to offload up to 16 or 32 million active flows in hardware. Validation performed on real user traffic has demonstrated that the heavy flows affecting Suricata performance, are usually large downloads or video streams. By enabling flow shunting on the adapter, these heavy flows are dropped by hardware. The use of this technique makes it possible to combine both packet capture acceleration and hardware flow offload, and to enable Suricata to perform at 40 and 100 Gbps.