Abstract

Carrying out deep packet inspection (DPI) on aggregated network connections remains a continuous requirement even as line rates reach and exceed 100 Gb/s. The increasing packet-arrival rate necessitates efficient solutions for on-the-fly packet parsing, packet classification, and distribution for parallelized, software-based payload inspection. Inspection complexity and real-time processing are competing requirements. The deep analysis capabilities of software-based approaches can be enhanced by hardware-based support for time-critical packet parsing and classification. Moreover, some payload inspection tasks can be carried out in hardware as well, further reducing the resources spent on software-based solutions. This paper aims to present the state of the art and to describe a set of best practices in field-programmable gate array (FPGA)-based packet processing, which can be applied to DPI-related tasks at 100 Gb/s and beyond. Accordingly, we provide an architectural view of DPI systems throughout the paper. Besides summarizing the limitations of hardware- and software-based solutions for the three processing phases within a DPI system (packet parsing, packet classification, and payload inspection), this paper reveals the possible trade-offs in choosing among the different technical approaches. These limitations include operating frequency, bus size, available memory, on-chip physical resources for hardware-based implementations, and CPU time for software-based solutions.
