Deny or Allow Real Time Internet Connections at 100GE based on defined attributes
Black List processing is an access control mechanism that denies access to internet connections or flows based on attributes such as email addresses, IP addresses, domain names, etc. A Black List can be applied at various points in a security architecture (Firewalls, Intrusion Prevention Systems (IPS), Web Proxies, Authentication Gateways). As opposed to Black List processing, White List (allow list) processing only allows items on the list to pass through.
Real time implementations of Black/White List processing such as Authentication Gateways and Firewalls are required to handle demanding, high capacity (nx100G) Network Connections while executing complex security algorithms. These devices leverage the power of FPGA based Host Offload SmartNICs to process complex Data Plane functions in real time without Host intervention. Accolade’s implementation of the Black List feature on Xilinx Alveo SmartNICs supports real time processing of 200 million Black List addresses at 100Gbps. The Black List offload processing as implemented on the Xilinx Alveo U280 is illustrated in Figure 1 and described below.
Figure 1: 100G Black List Processing Flow
A single 100G packet processing pipeline with IP traffic is illustrated in Figure 1. Internet traffic entering the Ingress port encounters the Packet Parser Block, which extracts the IP packet payload and forwards the IP header to the Filter Block. The Static Filter Block then performs stateless filtering of IP addresses of interest. During the next stage the Flow Processor identifies and tags any new flow with a flow identity (ID) and manages Flow Table entry setup, teardown and metadata export.
All packets tagged with a Flow ID are then sent to the Black List Processor Block for IP source address checking. The Black List Processor accesses the Black List Table in DRAM, which is maintained by the Host CPU, allowing the Host to add/remove items from the Black List Table while traffic is flowing. Only the first packet of a flow is processed for a Black List match. Packets that have been classified and previously verified as a no match are forwarded to the Egress port. Results of Black List processing are stored in a Result Table. Please note that this Black List processing offload flow sequence may easily be configured for White List processing as well.
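The following is an added software model of the Figure 1 data path (not Accolade's or Xilinx's own code): flow IDs are assigned from the 5-tuple, only the first packet of a flow triggers a Black List Table lookup, and the verdict is cached in a Result Table. The class name, the host_add/host_remove control-plane calls, the allow_list switch and the TEST-NET addresses are all constructed for the example; it also shows the caveat that a host update to the table is seen by new flows, while flows already classified keep their cached verdict until their Flow Table entry is torn down.

```python
from collections import namedtuple
from ipaddress import ip_address

# Constructed packet representation: only the fields the flow key needs
Packet = namedtuple("Packet", "src dst sport dport proto")


class BlackListPipeline:
    """Model of the pipeline: Flow Processor -> Black List Processor -> Result Table."""

    def __init__(self, allow_list=False):
        self.black_list = set()   # host-maintained table (DRAM in hardware)
        self.flow_table = {}      # 5-tuple -> Flow ID
        self.result_table = {}    # Flow ID -> "forward" or "drop"
        self.lookups = 0          # count of table lookups (first packets only)
        self.allow_list = allow_list  # True = White List semantics

    # Host control plane: modify the table while traffic is flowing
    def host_add(self, addr):
        self.black_list.add(ip_address(addr))

    def host_remove(self, addr):
        self.black_list.discard(ip_address(addr))

    def _flow_id(self, pkt):
        """Return (flow_id, is_new_flow); new flows get the next free ID."""
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        if key not in self.flow_table:
            self.flow_table[key] = len(self.flow_table) + 1
            return self.flow_table[key], True
        return self.flow_table[key], False

    def process(self, pkt):
        """Return (flow_id, verdict); lookup runs only for the first packet."""
        fid, new = self._flow_id(pkt)
        if new:
            self.lookups += 1
            listed = ip_address(pkt.src) in self.black_list
            # Black List drops listed sources; White List forwards only listed ones
            verdict = ("forward" if listed else "drop") if self.allow_list \
                else ("drop" if listed else "forward")
            self.result_table[fid] = verdict
        return fid, self.result_table[fid]


def demo():
    """Constructed traffic: flow A is listed, B is not, C starts after removal."""
    p = BlackListPipeline()
    p.host_add("203.0.113.7")
    flow_a = Packet("203.0.113.7", "198.51.100.1", 40000, 443, 6)
    flow_b = Packet("192.0.2.10", "198.51.100.1", 40001, 443, 6)
    out = [p.process(flow_a), p.process(flow_b), p.process(flow_a)]
    p.host_remove("203.0.113.7")   # host edits the table mid-traffic
    out.append(p.process(flow_a))  # existing flow keeps its cached verdict
    flow_c = Packet("203.0.113.7", "198.51.100.1", 40002, 443, 6)
    out.append(p.process(flow_c))  # new flow sees the updated table
    return out, p.lookups
```

Three lookups serve five packets in the demo; whether an existing flow should be re-evaluated after a host update is a policy decision that the hardware flow teardown timing determines.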