News Archive (1999-2012) | 2013-current at LinuxGizmos | Current Tech News Portal |    About   

Content-inspection coprocessors ship with Linux SDK

Jul 20, 2009 — by Eric Brown — from the LinuxDevices Archive — 30 views

Cavium Networks is sampling four content-inspection coprocessors for network security devices. The Nitrox DPI CN17XX Layer 7 coprocessors provide 4Gpbs to 20Gbps of deterministic performance with low latency, support unlimited pattern rule-sets and flows, and ship with a Linux-ready hardware/software kit, says Cavium.

The Nitrox DPI (deep packet inspection) processors are primarily designed for use with Cavium's MIPS-based Octeon and Octeon Plus multi-core system-on-chips (SoCs), and are aimed at applications including application-level firewalls, as well as intrusion prevention (IPS), gateway anti-virus, and unified threat management systems. In addition, the processors can be used for content-based QoS (Quality of Service) for integrated voice, video, and data traffic in routers, switches, appliances, and services blades, says Octeon.

Networking equipment designed to address both security and QoS content processing requires deterministic performance with low latency, says Cavium. Unlike some competing products, whose limited pattern rule-sets are designed to fit in on-chip memory, the Nitrox DPI chips can support a growing number of content-inspection signatures and traffic flows without limiting performance, Cavium claims.


Nitrox DPI CN17XX block diagram

(Click to enlarge)

The coprocessors represent a third generation of Cavium's Nitrox deep-packet inspection technology, which has been previously integrated into its Octeon and Octeon Plus networking SoCs. The coprocessors are primarily targeted at designs incorporating these multi-core, networking-oriented SoCs, but are said to also run with other general-purpose processors, including x86-based CPUs.

The Nitrox DPI coprocessors, which come in four versions that step up between 4Gbps and 20Gbps, are said to increase DPI performance to as much as 20Gbps when used with an Octeon Plus design. The chips combine PCI Express I/O and graphics management circuitry with on-chip Hyper Finite Automata (HFA) content processing engines.

These same third-generation "look-aside" L7 engines are already incorporated in Cavium's new Octeon II family of SoCs. Although not currently targeted for use with the Octeon II, the Nitrox DPI coprocessors are said to be software-compatible with the new multi-core SoCs. When used together "in future designs," they will be able to achieve up to 40Gbps performance, claims the company.


Nitrox DPI CN17XX in typical Octeon Plus deployment

(Click to enlarge)

The Nitrox DPI coprocessors offer multiple clusters of HTEs (Hyper-Finite-Automata Threading Engines) that include both Nondeterministic Finite Automata (NFA) and Deterministic Finite Automata (DFA) capability, says Cavium. Additional features include DMA for packet input and match output, as well as support for look-aside RegEx processing.

Features and benefits listed for the Nitrox DPI CN17XX processors include:

  • Performance up to 20Gbps with Octeon Plus
  • Choice of deterministic and nondeterministic modes
  • On-chip cache for lower latency and higher throughput
  • Supports look-aside RegEx processing
  • HFA DPI technology allows commodity memory for patterns
  • Supports up to 4GB external pattern memory
  • DMA for packet input and match output
  • Unique match-length reporting
  • Commodity memory for regular expression pattern rule-sets
  • 15x smaller memory footprint for regular expression patterns
  • No limit on number of rule-sets and number of patterns in rule-set
  • Small flow state for matching across multiple packets of same flow
  • Small memory footprint for regular expression pattern
  • PCIe and DDR2 support
  • Supports Perl Compatible Regular Expression (PCRE) and POSIX

Nitrox DPI SDK

The Nitrox DPI CN17XX Software Development Kit (SDK) includes a RegEx compiler, a functional simulator, and a SNORT XL toolkit, among other features (see list below). The SDK includes drivers for Linux/Simple Executive on Octeon Plus, as well as drivers for Linux on x86, says Cavium.

The SDKs are also matched with four development boards that target the four different CN17xx processor versions, says the company, but it did not offer more information on the boards.

Features listed for the Nitrox DPI CN17XX SDK include:

  • Linux drivers for Octeon Plus, x86 and other general-purpose processors
  • Simple executive drivers for Octeon Plus
  • Regular Expression compiler on Linux for Octeon Plus and x86 processors
  • PCRE, POSIX Regex syntax and string signatures, with support for fast incremental compilation and hot updates
  • Optimized C libraries/API for regular expression processing offload
  • Functional simulator and profiling tools
  • Development toolkit support for SNORT XL
  • Support for RegEx apps, including commercially available AV and IPS signatures
  • Support for highly complex RegEx patterns from a number of networking OEMs

Stated Rajiv Khemani, VP and GM, Networking and Communications at Cavium Networks, "Our new Nitrox DPI product line with HFA technology has solved key fundamental issues which previously prevented mass deployment of deep packet inspection across a range of networking applications."

Stated Bob Wheeler, senior analyst at The Linley Group. "The Nitrox DPI family expands the Cavium NITROX product line into layer 7 security with sophisticated new DPI technology that eliminates the tradeoff between performance and pattern rule-set size found in other solutions."

Availability

The Nitrox DPI CN17XX  coprocessors are sampling now, says Cavium, with pricing available upon request. The chips are available in four scalable options ranging from 4Gbps to 20 Gbps, with each processor matched with a corresponding development board product. More information may be found here.


 
This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc. Please visit LinuxToday.com for up-to-date news and articles about Linux and open source.



Comments are closed.