TY - JOUR
T1 - Introducing SmartNICs in server-based data plane processing
T2 - The DDoS mitigation use case
AU - Miano, Sebastiano
AU - Doriguzzi-Corin, Roberto
AU - Risso, Fulvio
AU - Siracusa, Domenico
AU - Sommese, Raffaele
N1 - Funding Information:
This work was supported in part by the European Union’s Horizon 2020 Research and Innovation Programme through decentralised technologies for orchestrated cloud-to-edge intelligence (DECENTER) under Grant 815141, and in part by the AddreSsing ThReats for virtualIseD services (ASTRID) Project under Grant 786922.
Publisher Copyright:
© 2013 IEEE.
PY - 2019
Y1 - 2019
N2 - In recent years, the complexity of the network data plane and its requirements in terms of agility have increased significantly, with many network functions now implemented in software and executed directly in datacenter servers. To avoid bottlenecks and to keep up with the ever-increasing network speeds, recent approaches propose to move the software packet processing into kernel space using technologies such as eBPF/XDP, or to offload (part of) it to specialized hardware, the so-called SmartNICs. This paper aims at guiding the reader through the intricacies of the above-mentioned technologies, leveraging SmartNICs to build a more efficient processing pipeline and providing concrete insights on their usage for a specific use case, namely, the mitigation of Distributed Denial of Service (DDoS) attacks. In particular, we enhance the mitigation capabilities of edge servers by transparently offloading a portion of DDoS mitigation rules to the SmartNIC, thus achieving a balanced combination of the XDP flexibility in operating traffic sampling and aggregation in the kernel, with the performance of hardware-based filtering. We evaluate the performance in different combinations of host and SmartNIC-based mitigation, showing that offloading part of the DDoS network function to the SmartNIC can indeed optimize the packet processing but only if combined with additional processing in the host kernel space.
KW - DDoS
KW - eBPF
KW - NFV
KW - SmartNIC
KW - XDP
UR - http://www.scopus.com/inward/record.url?scp=85071241588&partnerID=8YFLogxK
U2 - 10.1109/ACCESS.2019.2933491
DO - 10.1109/ACCESS.2019.2933491
M3 - Article
AN - SCOPUS:85071241588
SN - 2169-3536
VL - 7
SP - 107161
EP - 107170
JO - IEEE Access
JF - IEEE Access
M1 - 8789414
ER -