Block List/Allow List Processing

Deny or Allow Real Time Internet Connections at 100GE based on defined attributes

Block List processing (formerly known as Black List processing) is an access control mechanism that denies access to internet connections or flows based on attributes such as email addresses, IP addresses, domain names, etc. A Block List can be applied at various points in a security architecture (Firewalls, Intrusion Prevention Systems (IPS), Web Proxys, Authentication Gateways. As opposed to Block List processing, Allow List processing only allows items on the list to pass through.

Real-time implementations of Block/Allow List processing such as Authentication Gateways and Firewalls are required to handle demanding, high capacity (nx100G) Network Connections while executing complex security algorithms. These devices leverage the power of FPGA based Host Offload SmartNICs to process Complex Data Plane functions in real-time without Host Intervention. Accolade’s implementation of the Block List feature on Xilinx Alveo SmartNICs supports real-time processing of 200 million Block List addresses at 100Gbps. The Block List offload processing as implemented on the Xilinx Alveo U280 is illustrated in Figure 1 described below.

black list flow logic for alveo

Figure 1: 100G Block List Processing Flow

A single 100G packet processing pipeline with IP traffic is illustrated in Figure 1. Internet Traffic entering the Ingress port encounters the Packet Parser Block which extracts the IP Packet payload and forwards the IP header to the Filter Block. The Static Filter Block then performs stateless filtering of IP addresses of interest. During the next stage the Flow Processor identifies and tags any new flow with a flow identity (ID) and manages Flow Table entry setup, teardown and metadata export.

All packets tagged with a Flow ID are then sent to the Block List Processor Block for IP source address checking. The Block List Processor accesses the Block List Table in DRAM which is maintained by the Host CPU, allowing the Host to add/remove items from the Block List Table while traffic is flowing. Only the first packet of a flow is processed for Block List match. Packets that have been classified and previously verified as a no-match, are forwarded to the Egress port. Results of Block List processing are stored in a Result Table. Please note that this Block List processing offload flow sequence may easily be configured for Allow List processing as well.

wdt_ID Speed 1G 10G 10G 10G 10G/40G 10G/40G 100G 100G 100G
1 Model 4Ku 20ku 40ku 40kq 80ku ATLAS-1100 Service Node ANIC-200KFlex ANIC-100Kq ANIC-200Kq
2 Port/Type 4X1G SFP 2X10G SFP+ 4X10G SFP+ 1X40G QSFP+ 4X10G SFP+ 2X40G QSFP+ 8X10G SFP+ 4x10G SFP+ 1x40G QSFP+ 2x100G QSFP28 2x40G QSFP28 1X100G QSFP28 2X100G QSFP28
3 PCIe Interface Gen3 x8 Gen3 x8 Gen3 x8 Gen3 x8 Gen3 x8 Gen3 x8 Gen3 x16 Gen3 x16 Gen3 x16
4 Dimensions(H x L inches) 4.25 x 6.5   4.25 x 6.25 4.25 x 6.25 4.25 x 6.25 4.25 x 6.25 1.75 x12.28x14 4.25 x 6.5 4.25 x 10.5 4.25 x 10.5
5 Memory 32MB 4G 4G 4G 4G 16/32G 8G 12G 12G
6 Timestamp 5.7 nS 5.7 nS 5.7 nS 5.7 nS 5.7 nS 5.7 nS 4 nS 4 nS 4 nS
7 100% Packet
Capture
8 Gigamon, AristaTimestamp
9 Packet Merging
10 Packet Parsing

About Accolade

Accolade is the technology leader in FPGA-based Host CPU Offload and 100% Packet Capture PCIe NIC’s and Scalable 1U Platforms. Accolade’s line of 1-100GE products enable 100% packet capture, flow classification, flow shunting, deduplication, packet filtering and more. Our customers are global leaders in network monitoring & cybersecurity applications as well as in the network test and measurement, telecom and video stream monitoring markets.

FPGA Acceleration Features

100% Packet Capture | Flow Classification | Flow Shunting | Precise Time Stamping | Packet Merging | Packet Slicing | Packet Parsing | Packet Filtering | Deduplication | Host Packet Buffer | Packet Steering | Direct Memory Access (DMA) | Statistics (RMON1)

Free Product Evaluation

Resolve all your host CPU offload bottlenecks. Share Your Technical Requirements with our FPGA and software experts to tailor the optimal solution. Accolade offers a 60 day free product evaluation for qualified customers to fully test and evaluate our products.