Abstract

In recent years, the complexity of the network data plane and its requirements in terms of agility have increased significantly, with many network functions now implemented in software and executed directly in datacenter servers. To avoid bottlenecks and to keep up with ever-increasing network speeds, recent approaches propose to move software packet processing into kernel space using technologies such as eBPF/XDP, or to offload (part of) it to specialized hardware, the so-called SmartNICs. This paper aims to guide the reader through the intricacies of the above-mentioned technologies, leveraging SmartNICs to build a more efficient processing pipeline and providing concrete insights on their usage for a specific use case, namely the mitigation of Distributed Denial of Service (DDoS) attacks. In particular, we enhance the mitigation capabilities of edge servers by transparently offloading a portion of the DDoS mitigation rules to the SmartNIC, thus achieving a balanced combination of the XDP flexibility in performing traffic sampling and aggregation in the kernel with the performance of hardware-based filtering. We evaluate the performance of different combinations of host- and SmartNIC-based mitigation, showing that offloading part of the DDoS network function to the SmartNIC can indeed optimize packet processing, but only if combined with additional processing in the host kernel space.

Highlights

  • With the recent trend of ‘‘network softwarization’’, promoted by emerging technologies such as Network Function Virtualization (NFV) and Software Defined Networking (SDN), system administrators of data center and enterprise networks have started to replace dedicated hardware-based middleboxes with virtualized Network Functions (NFs) running on commodity servers and end hosts [1]–[6]

  • Thanks to the support from the Clang/LLVM compiler, extended Berkeley Packet Filter (eBPF) programs can be written in a restricted C language, which is compiled into the corresponding eBPF object file that can be loaded into the kernel through the dedicated bpf() system call

  • To avoid the above problem, we adopted a swappable dual-map approach, in which the userspace application reads data from a first eBPF map that represents a snapshot of the traffic statistics at a given time, while the XDP program computes the traffic information for the incoming packets received in the previous timespan, which is saved in a second map
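A userspace model of the swappable dual-map approach described in the last highlight, added here as an illustration and not code from the paper: two maps hold packet counters, the data-plane routine writes only to the currently active map, and the control-plane routine flips the index and hands back the frozen map as a stable snapshot. The map size, the open-addressed hashing and the choice of source IPv4 address as key are assumptions made for this example; the real data plane would be an XDP program updating kernel eBPF maps.

```c
#include <stdint.h>
#include <string.h>
#define BUCKETS 1024  /* slots per map; the size is an assumption, not the paper's */
/* One statistics "map": per-source-IP packet counters, open-addressed. */
struct stats_map {
    uint32_t key[BUCKETS];   /* source IPv4 stored in the slot, 0 = empty */
    uint64_t pkts[BUCKETS];  /* packets seen from that source in this timespan */
};
static struct stats_map maps[2];   /* the two swappable maps */
static volatile int active = 0;    /* index of the map the data plane writes to */

/* Locate src_ip in m by linear probing, creating the slot when create != 0.
 * Returns the slot index, or -1 if the key is absent or the map is full. */
static int find_slot(struct stats_map *m, uint32_t src_ip, int create)
{
    uint32_t h = (src_ip * 2654435761u) >> 22;   /* 10-bit Fibonacci hash */
    for (uint32_t i = 0; i < BUCKETS; i++) {
        uint32_t idx = (h + i) % BUCKETS;
        if (m->key[idx] == src_ip) return (int)idx;
        if (m->key[idx] != 0) continue;          /* slot taken by another key */
        if (create) m->key[idx] = src_ip;
        return create ? (int)idx : -1;
    }
    return -1;
}

/* Data-plane side (the per-packet work the XDP program does): count the
 * packet in whichever map is currently active. Returns 0 if that map is full. */
int dataplane_count(uint32_t src_ip)
{
    struct stats_map *m = &maps[active];
    int idx = find_slot(m, src_ip, 1);
    if (idx >= 0) m->pkts[idx]++;
    return idx >= 0;
}

/* Control-plane side (userspace, once per timespan): recycle the map read in
 * the previous timespan, point the data plane at it, and return the frozen one. */
struct stats_map *controlplane_swap(void)
{
    int next = !active;
    memset(&maps[next], 0, sizeof maps[next]);   /* consumed last round */
    active = next;
    return &maps[!next];
}

/* Reader side: packets counted for src_ip in a frozen snapshot, 0 if absent. */
uint64_t snapshot_lookup(struct stats_map *s, uint32_t src_ip)
{
    int idx = find_slot(s, src_ip, 0);
    return idx < 0 ? 0 : s->pkts[idx];
}
```

The snapshot returned by controlplane_swap() is never written by the data plane until the following swap, so the reader sees a consistent view of the previous timespan without locking.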


Summary

INTRODUCTION

With the recent trend of ‘‘network softwarization’’, promoted by emerging technologies such as Network Function Virtualization (NFV) and Software Defined Networking (SDN), system administrators of data center and enterprise networks have started to replace dedicated hardware-based middleboxes with virtualized Network Functions (NFs) running on commodity servers and end hosts [1]–[6]. Common solutions rely on kernel bypass approaches, such as DPDK [7] and Netmap [8], which map the network hardware buffers directly to user space memory, bypassing the operating system. Although these technologies bring an unquestionable performance improvement, they have two major limitations. First, they take ownership of one (or more) CPU cores, permanently stealing precious CPU cycles from other tasks (NFs deployed on the servers, or user applications running on the end hosts). Second, they require installing additional kernel modules or updating the network card driver, operations that are not always possible in production networks.

BACKGROUND
DDoS MITIGATION
ARCHITECTURE AND IMPLEMENTATION
PERFORMANCE EVALUATION
RELATED WORK
CONCLUSION