Block List/Allow List Processing
Deny or Allow Real Time Internet Connections at 100GE based on defined attributes
Block List processing (formerly known as Black List processing) is an access control mechanism that denies access to internet connections or flows based on attributes such as email addresses, IP addresses, domain names, etc. A Block List can be applied at various points in a security architecture (Firewalls, Intrusion Prevention Systems (IPS), Web Proxys, Authentication Gateways. As opposed to Block List processing, Allow List processing only allows items on the list to pass through.
Real-time implementations of Block/Allow List processing such as Authentication Gateways and Firewalls are required to handle demanding, high capacity (nx100G) Network Connections while executing complex security algorithms. These devices leverage the power of FPGA based Host Offload SmartNICs to process Complex Data Plane functions in real-time without Host Intervention. Accolade’s implementation of the Block List feature on Xilinx Alveo SmartNICs supports real-time processing of 200 million Block List addresses at 100Gbps. The Block List offload processing as implemented on the Xilinx Alveo U280 is illustrated in Figure 1 described below.
A single 100G packet processing pipeline with IP traffic is illustrated in Figure 1. Internet Traffic entering the Ingress port encounters the Packet Parser Block which extracts the IP Packet payload and forwards the IP header to the Filter Block. The Static Filter Block then performs stateless filtering of IP addresses of interest. During the next stage the Flow Processor identifies and tags any new flow with a flow identity (ID) and manages Flow Table entry setup, teardown and metadata export.
All packets tagged with a Flow ID are then sent to the Block List Processor Block for IP source address checking. The Block List Processor accesses the Block List Table in DRAM which is maintained by the Host CPU, allowing the Host to add/remove items from the Block List Table while traffic is flowing. Only the first packet of a flow is processed for Block List match. Packets that have been classified and previously verified as a no-match, are forwarded to the Egress port. Results of Block List processing are stored in a Result Table. Please note that this Block List processing offload flow sequence may easily be configured for Allow List processing as well.