VortiQa Software with Unified Threat Management for Service Provider Equipment

Transcription

1 July 2009 VortiQa Software with Unified Threat Management for Service Provider Equipment Performance Optimization on QorIQ P4080 Multicore Processor Bharat Mota Director of Engineering, Software Products Division service names are the property of their respective owners. Freescale Semiconductor, Inc

2 Suggested Pre-Requisite Sessions AN145: QorIQ P4080 Processor - Product Overview AN129: An Introduction to QorIQ Data Path Acceleration Architecture AN116: QorIQ P4080 Processor - Software Development Kit service names are the property of their respective owners. Freescale Semiconductor, Inc

3 Overview: VortiQa Software for Service Provider Equipment service names are the property of their respective owners. Freescale Semiconductor, Inc

4 VortiQa Software Announced on June 15, 2009 VortiQa software: a new brand of Freescale software for networking equipment that helps accelerate product development and increase the pace of innovation \vór ti ka\: A whirlwind of innovation Four new VortiQa product lines of production-ready software applications: VortiQa software for service provider equipment VortiQa software for enterprise network equipment VortiQa software for small business gateways VortiQa software for SOHO/Residential gateways A comprehensive solution-centric approach for networking applications in targeted vertical segments: Silicon QorIQ and PowerQUICC communications processors Software VortiQa software products Expanded Ecosystem - hardware, OS, ISVs, system integrators service names are the property of their respective owners. Freescale Semiconductor, Inc

5 VortiQa Software - Feature Overview Software Function Stateful Firewall with NAT IPSec VPN IDS and IPS Application Traffic Throttling Traffic Management and QoS Virtualization (Data Center) Description Controlled access to network resources Network address translation Confidentiality, Authentication and Integrity for traffic between networks Secure Remote Access Detect and prevent intrusions at L4-L7 and application level Detect and throttle less-priority application traffic (e.g. P2P, IM) Enforce QoS policies on network/application traffic Support multiple virtual security instances within single hardware Instances mapped to customers service names are the property of their respective owners. Freescale Semiconductor, Inc

6 Multicore Optimized Superior Performance with Control Plane, Data Plane (CP-DP) Separation DP uses a light weight executive eliminating OS overhead Full control over fast path packet handling for optimal throughput, latency and connection rate Predictable performance independent of feature usage and growth in CP Few To Many Core Scalability with Data Plane Run To Completion Model Flexible CP-DP partitioning amongst cores SMP, AMP and Hybrid models can be supported Avoids pipelining and its inherent difficulty with distributing work evenly SMP Linux Control Plane enables ease of integration Other SMP RTOSes (e.g. vxworks) can be supported Rich 3rd party ecosystem Modular, well defined APIs Robust Concurrent Execution with Session Parallelization Any given session handled by only one core at any time reducing locks and lock contention and ensuring packet ordering within a session Makes locks fine grain and read-only where possible service names are the property of their respective owners. Freescale Semiconductor, Inc

7 Architecture Overview Packets go to DP cores for security processing or CP cores for protocol termination DP cores low overhead run-to-completion model for fast path packet processing CP cores ease of use generic OS for control and management path Data Plane Processing Control Plane Processing NI * * * NI Data Path API packets DP Cores LWE Take packet from NI, and read tables (etc) to decide what to do with it or where to send it. Some items in memory must be shared between them API Statistics e.g. SAD/SPD, Route Tables CP Cores Exception processing Control Functions Update Tables Linux Control and Data planes may have different views of data Management CLI Log IKE 3 rd Party CP Cores > 1 implies SMP service names are the property of their respective owners. Freescale Semiconductor, Inc

8 Flexible Partitioning 1-2 CP cores, 6-7 DP cores Up to 1 GB CP RAM, 3 GB DP RAM Performance and Capacity Considerations High System Throughput Multi-Gbps Firewall, IPsec and IPS throughput for IMIX traffic (390B average) Low Latency Fast Connection Rate Multi-10K connection rates for Firewall TCP, ALG and IPS TCP and HTTP Large Capacity 4K Virtual Security Gateway Instances Firewall: 1 million concurrent sessions IPsec: 100,000 VPN tunnels service names are the property of their respective owners. Freescale Semiconductor, Inc

9 VortiQa Software for Service Provider Equipment: Solution Overview Solution = VortiQa Software + Freescale Enablement Software + QorIQ P4080 Processor + Customer Software Control Plane CLI LDSV Engine Management WEB-HTTP(*) Config Demux User space daemons - Configuration Databases, VSG, Interfaces Event Manager: Dispatcher/Generator/Receiver LOG TRACE Signaling/Misc IKE DNSRD(*) EVM-API CP-DP Communication Handler DP State Monitor Image upgrade(*) Kernel Routing Table (VRF) HA Monitor(*) Route Updater Interface Helper ARP Helper Interface Demux/Packet Announcer DP/CP Interface Compiled with User Space Applications CP-DP Demux CP-DP Transport Compiled with Kernel Space Applications Queues Data Plane HA(*) Stateful Sync, Monitor Firewall IPS IPDB Databases IPSec URLF Services Session Mgmt. DNS Cache IP Reassembly Packet Processing Engine Firewall ALGs IPS IPSec Traffic Mgmt(*) P2P DP Monitor HW Accelerators Interface Event Manager, Dispatcher Logger CLI Management Trace LDSV Engine CP-DP replicated information (VSG, I/F, Routes, ARP, Cache) Light-Weight Executive (LWE) for Data Plane Hypervisor QorIQ P4080 Eight-core Processor Linux SMP for Control Plane This paradigm extends to ecosystem operating systems and stacks service names are the property of their respective owners. Freescale Semiconductor, Inc

10 QorIQ P4080 Multicore Processor: DPAA and Light Weight Executive (LWE) Review service names are the property of their respective owners. Freescale Semiconductor, Inc

11 QorIQ P4080 Processor Block Diagram Power Architecture 128 KB e500-mc Core Backside L2 Cache 32 KB 32 KB D-Cache I-Cache 1024 KB Frontside L3 Cache 1024 KB Frontside L3 Cache 64-bit DDR-2 / 3 Memory Controller 64-bit DDR-2 / 3 Memory Controller eopenpic PreBoot Loader Security Monitor Internal BootROM CoreNet Coherency Fabric PAMU PAMU PAMU PAMU PAMU Peripheral Access Mgmt Unit Power Mgmt SD/MMC SPI elbc Security 4.0 Queue Mgr. Frame Manager Parse, Classify, Distribute Frame Manager Parse, Classify, Distribute RapidIO Message Unit (RMU) 2x DMA Real Time Debug Watchpoint Cross Trigger 2x DUART 4x I 2C 2x USB 2.0/ULPI Test Port/ SAP Pattern Match Engine 2.0 Buffer Mgr. 10GE Buffer 1GE 1GE 1GE 1GE 10GE Buffer 1GE 1GE 1GE 1GE PCIe PCIe SRIO PCIe srio Perf CoreNet Monitor Trace Aurora Clocks/Reset GPIO CCSR 18-Lane 5 GHz SerDes service names are the property of their respective owners. Freescale Semiconductor, Inc

12 Offloads CPU intensive traffic handling FMan accelerates parse, classify, distribution and policing SEC and PME accelerators offload CPU intensive security and pattern matching operations, respectively BMan and QMan comprise the DPAA infrastructure for HW buffering and queuing QMan improves latency with cache stashing and congestion management and provides for a uniform programming interface to accelerators Together with many cores and a multi-level cache hierarchy, DPAA simultaneously enables a lower complexity software environment as well as very high networking performance Datapath Acceleration Architecture (DPAA) Manage Congestion Stash Context Enqueue Cores QorIQ P4 Platform DPAA QMan Parse FMan Buffer BMan Network Interfaces Classify Police Steer Accelerators service names are the property of their respective owners. Freescale Semiconductor, Inc

13 F/B/QMan Ingress Packet Processing 16M Queues (Frame Queues) References to Packet 3 QMan 4 Frontside Cache DDR SDRAM Classification driven enqueue distribution FMan Packets in process Packet Data written to main memory subsystem 2 Buffer Acquisition Request Buffer Reference Bman Packet Data Stored in H/W managed buffers MURAM 10G 1G 1G 1G 1G 1 Packets Arriving service names are the property of their respective owners. Freescale Semiconductor, Inc

14 QMan 8 Priority Work Queues F/B/QMan Egress Packet Processing 5 Optional packet response Class scheduler Priority based packet scheduling 1 Packet Data read from main memory subsystem 2 Frontside Cache DDR SDRAM Buffer Release Request Packets in process 4 Bman FMan MURAM 10G 1G 1G 1G 1G 3 Packets Transmitted service names are the property of their respective owners. Freescale Semiconductor, Inc

15 QMan Software Portals Power Architecture Core D-Cache L2 Cache I-Cache Cores can choose during run time to dequeue from dedicated or shared channels Power Architecture Core D-Cache L2 Cache I-Cache Power Architecture Core D-Cache L2 Cache I-Cache portal QMan portal portal Dedicated Channel Pool Channel channel channel channel channel WQ7 WQ6 WQ5 WQ4 WQ3 WQ2 WQ1 WQ0 WQ7 WQ6 WQ5 WQ4 WQ3 WQ2 WQ1 WQ0 WQ7 WQ6 WQ5 WQ4 WQ3 WQ2 WQ1 WQ0 WQ7 WQ6 WQ5 WQ4 WQ3 WQ2 WQ1 WQ0 Frame Queues Packets data units references 10 CoreNet Software Portals Two dimensional queuing structure 39 Channels 8 dedicated 15 pool 16M Frame Queues 16M Order restoration contexts 256 Congestion Groups service names are the property of their respective owners. Freescale Semiconductor, Inc

16 Light Weight Executive Set of hardware abstraction libraries as C APIs Core startup and initialization Device tree parsing Locks and atomic operations Shared memory management Portal creation and enqueue, dequeue to portals Timers Buffer management Interrupts and exception handling Programming at a low level for high efficiency, but on hypervisor Ingress Channel 0 FQ FQ 7 FQ FQ priority FQ Core F Egress Channel 0 FQ FQ 7 FQ FQ priority service names are the property of their respective owners. Freescale Semiconductor, Inc

17 In effect, Qman and BMan usage Light Weight Executive Usage VortiQa Networking Software Crypto API Net Frame API IPC API PME API Other APIs BMan API QMan Buffer Mux/Demux QMan API (Portal Access) Physical Portals service names are the property of their respective owners. Freescale Semiconductor, Inc

18 Architecture: VortiQa Software for Service Provider Equipment service names are the property of their respective owners. Freescale Semiconductor, Inc

19 Control Plane, Data Plane (CP-DP) Architecture Control Plane - SMP Linux IKE, Routing Protocol daemons CLI, Log Interface information available to CP by DP via pseudo Ethernet interface Data Plane - LWE Interface control Physical and VLAN Packet processing Subset of TCP/IP functions IP/TCP/UDP integrity checks IP reassembly and fragmentation Routing, ARP table management Egress Pkts Egress Application Pkts etc) Application Processes (IKE, RIP, etc..) pseudo Ethernet Interface Non-IP Non-ARP Traffic TCP/IP Stack Demux Local Application Pkts (IP, ARP) Ingress Pkts Msgs To CP Session Management Ingress PKT Queue CP-DP Comm Module Egress PKT Queue Management Modules (CLI, log, etc..) Char pseudo Driver CP-DP Comm- Module Route Cache Messages To DP ARP Cache Firewall IPSec-VPN IPS Control Plane (User Space) Control Plane (Kernel Space) Data Plane Glue Layer Crypto Accelerator API, PME Engine API service names are the property of their respective owners. Freescale Semiconductor, Inc

20 DP Run To Completion Processing Loop WatchDog service Simple while loop Tasklet service Runs on every Data plane core Deque Job Watch dog trigger, Get work (Dequeue Job) functions Pkt from Accelerator Ingress Packet Packet from CP Identify Job Type Timer Expiry Notification CP-DP Msg CP-DP RingBuf Notification Other modules will be called based on the processing that the packet undergoes APIs for managing DPAA and various parts of the P4080 provided by LWE Packet Process Timer Process CP-DP Message Process service names are the property of their respective owners. Freescale Semiconductor, Inc

21 DP Session Parallelization Received Packet Session Lookup Core 1 Backlog Q Empty Session IN USE = NO, Set Session IN USE Session Function 1 Session Function 2 Backlog Q!= EMPTY; Dequeue Packet Received Packet Core 2 Session Lookup Session IN USE == YES Queue in Backlog Q Exit to Main Loop Received Packet Session Lookup Core 3 Session IN USE == YES Queue in Backlog Q Exit to Main loop t0 t1 t2 t3 service names are the property of their respective owners. Freescale Semiconductor, Inc

22 DP Session Parallelization Core 1 Core 2 Core 3 t0 t1 t2 t3 service names are the property of their respective owners. Freescale Semiconductor, Inc

23 DP Session Parallelization Received Packet Session Lookup Core 1 Backlog Q Empty Session IN USE = NO, Set Session IN USE Session Function 1 Received Packet Core 2 Core 3 t0 t1 t2 t3 service names are the property of their respective owners. Freescale Semiconductor, Inc

24 DP Session Parallelization Received Packet Session Lookup Core 1 Backlog Q Empty Session IN USE = NO, Set Session IN USE Session Function 1 Received Packet Core 2 Session Lookup Received Packet Core 3 t0 t1 t2 t3 service names are the property of their respective owners. Freescale Semiconductor, Inc

25 DP Session Parallelization Received Packet Session Lookup Core 1 Backlog Q Empty Session IN USE = NO, Set Session IN USE Session Function 1 Session Function 2 Received Packet Core 2 Session Lookup Session IN USE == YES Queue in Backlog Q Exit to Main Loop Received Packet Core 3 t0 t1 t2 t3 service names are the property of their respective owners. Freescale Semiconductor, Inc

26 DP Session Parallelization Received Packet Session Lookup Core 1 Backlog Q Empty Session IN USE = NO, Set Session IN USE Session Function 1 Session Function 2 Backlog Q!= EMPTY; Dequeue Packet Received Packet Core 2 Session Lookup Session IN USE == YES Queue in Backlog Q Exit to Main Loop Received Packet Session Lookup Core 3 t0 t1 t2 t3 service names are the property of their respective owners. Freescale Semiconductor, Inc

27 DP Session Parallelization Received Packet Session Lookup Core 1 Backlog Q Empty Session IN USE = NO, Set Session IN USE Session Function 1 Session Function 2 Backlog Q!= EMPTY; Dequeue Packet Received Packet Core 2 Session Lookup Session IN USE == YES Queue in Backlog Q Exit to Main Loop Received Packet Session Lookup Core 3 Session IN USE == YES Queue in Backlog Q Exit to Main loop t0 t1 t2 t3 service names are the property of their respective owners. Freescale Semiconductor, Inc

28 CP Management and Control Functions Linux SMP RADIUS Client Route Updater Web/cli/loadsave/CMS agent Logger IKE Multi-core Infra. Application User Mode Kernel Mode CPDP Comm Library Control Plane CP-DP Communication Control API CPDP infra kernel/dp Data Plane CP-DP Communication LWE ARP Routing Firewall IPSec IPS (DP cores) service names are the property of their respective owners. Freescale Semiconductor, Inc

29 CP Management Configuration Service Configuration funnels through Command Interpreter Command Interpreter De-multiplexes CP only, DP only and CP and DP commands Sends DP Commands to DP using CP-DP communication module Command de-multiplex module in DP calls application APIs service names are the property of their respective owners. Freescale Semiconductor, Inc

30 CP-DP Communication Approaches Acknowledgement based synchronous or asynchronous short message exchange between DP and CP Basic message passing using frame buffers E.g. CLI command messages, events and event registration Large unknown size byte stream bi-directional data transfer between CP and DP Ring buffer between CP and DP using shared memory E.g. Configuration load, signature database load, CLI output Low latency IP stack bypass notification mechanism from DP to CP DP places pointer to data in shared memory DP notifies CP (cross processor doorbell interrupt) CP interrupt processing: read off data E.g. syslog messages, IKE service names are the property of their respective owners. Freescale Semiconductor, Inc

31 VortiQa Software on QorIQ P4080 Processor: DPAA Resources Partitioning service names are the property of their respective owners. Freescale Semiconductor, Inc

32 Core Partitioning VortiQa Software Partitioning CP 1-2 cores, run one copy of SMP Linux DP 6-7 cores running on LWE CP SMP Linux DP- LWE CP Apps - IKE, ROUTEd, ARPd, syslogd, CLI, LDSV DP Apps Firewall, VPN, IIPS. All Ethernet ports controlled by Data plane 2 X 10Gig ports Number of cores allocated to CP and DP can be changed depending application requirements CP-DP packet path CP-DP message path service names are the property of their respective owners. Freescale Semiconductor, Inc

33 Memory Partitioning CP Linux Partition DP LWE Partition Code Code Code Code Shared Code - 8 MB Data Data Data Data Per Core Data MB BSS Heap BSS Heap BSS Heap BSS Heap Per Core Heap Small Stack Stack Stack Stack Per Core Stack 1 MB DP SHM DP SHM DP SHM DP SHM DP Shared Memory 2 GB SHM SHM SHM SHM SHM Global Shared Memory 512 MB service names are the property of their respective owners. Freescale Semiconductor, Inc

34 Buffer Pool Allocation Traffic Type Buffer Pool Description Buffer Size Buffer Pool Default Size Buffer Pool Max Size CP-DP messages Control messaging SEC interfacing SEC Descriptor K 100K PME interfacing PME Descriptor K 100K Timer Frame Descriptors Frame Queues K K 120 CP Traffic DP Traffic Ethernet frames Packet processing structures IP, UDP, ICMP Reassembly Session Management 64K K 100 1M service names are the property of their respective owners. Freescale Semiconductor, Inc

35 Work Queue Assignments WQ 0 - CP-DP messages (highest priority) - configuration and dynamic update traffic between CP and DP WQ 1 - CP-DP packets - management access traffic to CP (e.g. ssh) If NAT ed, IP and Management IP are same so this will load WQ 1 with data traffic WQ 2 - Not Used WQ 3 - SEC/PME traffic from hardware blocks as well as any tasklet triggers WQ 4 - Timer Messages WQ 5 - Not Used WQ 6 - DP Data Traffic (higher priority, e.g. multi-media traffic) WQ 7 - DP Data Traffic service names are the property of their respective owners. Freescale Semiconductor, Inc

36 Ingress packet processing: 10,000 FQIDs CP-DP packet flow: 2 FQIDs One for queuing packets from DP to CP One for queuing packets from CP to DP CP-DP messages: 2 FQIDs One for queuing messages from DP to CP One for queuing messages from CP to DP Egress packet flow: 80 FQIDs 2 FMan instances 5 ports per FMan instance (one channel per FMan port) 8 priorities Fixed Frame Queue ID (FQID) Allocation SEC, PME: 64 output FQIDs (Input allocated dynamically) 8 output FQIDs per core times 8 cores Higher priority needed for this output work queue (to reduce latency) Timer buckets: 120 FQIDs Double the timer-range / granularity (e.g. 2 x 60 sec/1 sec = 120) service names are the property of their respective owners. Freescale Semiconductor, Inc

37 Dynamic Frame Queue ID (FQID) Allocation BMan pool of FQIDs will be created from which an FQID may be dynamically requested, used, and then released back into pool Useful for SEC interaction, so that each IPSec SA can be assigned a different FQID dynamically Use of PME (Pattern Matching Engine) also requires dynamic allocation SEC and PME will use a pool size of up to 100K FQIDs each QorIQ P4080 processor supports up to 16M frame queues service names are the property of their respective owners. Freescale Semiconductor, Inc

38 VortiQa Software on QorIQ P4080 Processor: Packet Flow service names are the property of their respective owners. Freescale Semiconductor, Inc

39 Packet Flow Overview F/B/QMan Ingress Offload Buffer allocation Checksum Verification Traffic Policing Work/Traffic prioritization and distribution SEC, PME Look-Aside Offload IPsec/IKE cipher, hash, crypto algorithms Intelligent IPsec protocol processing Regular expression search Stateful rule based matching VortiQa Networking Software in Multicore Environment Firewall F/B/QMan Ingress Offload Ingress Packets IPSec SEC, PME Look-Aside Offload IDS.., etc F/B/QMan Egress Offload Egress Packets F/B/QMam Egress Offload Traffic Shaping / Scheduling service names are the property of their respective owners. Freescale Semiconductor, Inc

40 Packet Flow Overview F/B/QMan Ingress Offload Buffer allocation Checksum Verification Traffic Policing Work/Traffic prioritization and distribution SEC, PME Look-Aside Offload IPsec/IKE cipher, hash, crypto algorithms Intelligent IPsec protocol processing Regular expression search Stateful rule based matching VortiQa Networking Software in Multicore Environment Firewall F/B/QMan Ingress Offload Ingress Packets IPSec SEC, PME Look-Aside Offload Complete Offload IDS.., etc F/B/QMan Egress Offload Egress Packets F/B/QMam Egress Offload Traffic Shaping / Scheduling service names are the property of their respective owners. Freescale Semiconductor, Inc

41 Work Prioritization and Channel Distribution Model CP #1 CP #2 DP #1 DP #2 DP #N One pool channel for all CP cores For CP>DP communication Pool Channels CP-DP WQ 0 CP>DP messages WQ 6 CP data packets FQ FQ FQ FQ FQ FQ FMAN FQ FQ 0 Dedicated or one pool channel for all DP cores WQ 0 DP>CP messages WQ 1 Configuration Traffic WQ 3 SEC / PME Traffic WQ 5 Timer Messages WQ 6,7 Data Traffic service names are the property of their respective owners. Freescale Semiconductor, Inc

42 Work Prioritization and Channel Distribution Model CP #1 CP #2 DP #1 DP #2 DP #N One pool channel for all CP cores For CP>DP communication Pool Channels CP-DP WQ 0 CP>DP messages WQ 6 CP data packets FQ FQ FQ FQ FQ FQ FQ FQ 0 Dedicated or one pool channel for all DP cores WQ 0 DP>CP messages FQ FQ FQ FQ FMAN FQ FQ FQ FQ Dedicated Channels FQ FQ 3 FQ FQ 7 WQ 1 Configuration Traffic WQ 3 SEC / PME Traffic WQ 5 Timer Messages WQ 6,7 Data Traffic service names are the property of their respective owners. Freescale Semiconductor, Inc

43 Packet Distribution Criteria Buffer Management Parsing Schemas: hash(5-tuple selector), select 5 bits, concat DSCP field IPsec --> SPI field, select 5 bits, concat DSCP field 8-bit index FQID Mapping Table Ch 1, WQ 7 Ch 1, WQ 7 Ch 1, WQ 7 Ch 1, WQ 7 Ch 1, WQ 7 Ch 1, WQ 6 Ch 1, WQ 6 Ch 1, WQ 6 Ch 2, WQ 7 Ch 2, WQ 7 Ch 2, WQ Ch 2, WQ 7 Ch 2, WQ 7 Ch 2, WQ 6 Ch 2, WQ 6 Ch 2, WQ 6 Ch 3, WQ 7 Ch 3, WQ 7 Ch 3, WQ 7 Ch 3, WQ 7 Ch 3, WQ 7 Ch 3, WQ 6 KeyGen Policing Coarse Classification: Values for IP addresses Destination ports Ch 3, WQ 6 Ch 3, WQ 6 Ch 4, WQ 7 Ch 4, WQ 7 Ch 4, WQ 7 Ch 4, WQ 7 Ch 4, WQ 7 Ch 4, WQ 6 Ch 4, WQ 6 Ch 4, WQ 6 Use DSCP 3 bits, mapped to WQs 6 (multimedia), 7 (Data traffic) Use 5-bits from hash or SPI to make 8-bit index FQID mapping table preloaded for channel/wq mappings Default FQ would be mapped to DP pool channel service names are the property of their respective owners. Freescale Semiconductor, Inc

44 Work Identification Frame Queue Descriptor Usage When creating frame queues, the CONTEXT_B field of the frame queue descriptor will be set to indicate the purpose of that queue Context_B helps with de-multiplexing packet/message flows that go into a common channel Context_B is set to a SW module ID, structure pointer or function pointer Allows DP core retrieving a packet from the channel to identify the type of processing that is required on it (e.g. IPsec processing) Allows DP or CP retrieving a CP-DP packet or message to determine its function (e.g. timer event) service names are the property of their respective owners. Freescale Semiconductor, Inc

45 IPsec Acceleration with SEC VortiQa Software IPSec (Data plane ) IHAPPI Interface Shim Layer SEC4.0 Intelligent Crypto Driver (LWE APIs) SEC4.0 Hardware Crypto Accelerator IHAPPI is a proprietary Intelligent Hardware Accelerator Packet Processing Interface for IPSec. A shim layer below IHAPPI integrates SEC 4.0 IHAPPI exposes functions and callbacks to create/manage SAs as well as for IPsec packet processing. Shim layer translates to SEC 4.0 specifics Asynchronous driver interface SecCreateIPSecSession SecDeleteIPSecSeesion SecProcessIPSecPacket IPsec protocol processing and symmetric crypto acceleration service names are the property of their respective owners. Freescale Semiconductor, Inc

46 IPsec SEC Usage For each new SA, an input FQ is created Used by SW to enqueue frames for crypto processing Associated with a WQ and channel dedicated for SEC Many SAs can share an output FQ with the use of compound frames A compound frame holds both the input and output frames, thus avoiding the need of separate input/output FQ pairs to maintain the association Used by SEC to enqueue processed frames Associated with a pool channel so SW on any core can process the result When creating frame queues, CONTEXT_A and CONTEXT_B field of the frame queue descriptor is set as follows Context_B set to FQID of Frame Queue to which SEC enqueues results Context_A set to the memory address of Pre Header The Pre Header contains SEC s intelligent protocol processing instructions For IPsec packet processing for an existing SA, look up FQID for session and enqueue compound frame to SEC service names are the property of their respective owners. Freescale Semiconductor, Inc

47 IPS Data Scan Acceleration with PME VortiQa Software Data Scanner (Data plane ) IHADSI Interface Shim Layer PME Driver (LWE APIs) PME Hardware Accelerator IHADSI is a proprietary Intelligent Hardware Accelerator Data Scanning Interface for IPS. A shim layer below IHADSI integrates PME. IHADSI exposes functions and callbacks to create/manage PME scan sessions Shim layer translates to PME specifics Driver interface Pattern Matching acceleration service names are the property of their respective owners. Freescale Semiconductor, Inc

48 IPS Data Scan Pattern Matching Engine (PME) Usage IPS Signature Manager in CP loads signatures into PME For each new data scanning session, an input FQ is created Used by SW to enqueue data for pattern matching. Associated with a WQ and channel dedicated for PME Many data scanning sessions can share an output FQ with the use of compound frames A compound frame holds both the input data and output results, thus avoiding the need of separate input/output FQ pairs to maintain the association Used by PME to enqueue results of processed data Associated with a pool channel so SW on any core can process the result When creating frame queues, CONTEXT_A and CONTEXT_B field of the frame queue descriptor is set as follows Context_B set to FQID of Frame Queue to which PME enqueues results Context_A set to the memory address of PME s intelligent processing instructions For IPS data scanning for an existing session, look up FQID for session and enqueue compound frame to PME service names are the property of their respective owners. Freescale Semiconductor, Inc

49 Egress Distribution Egress packets are queued into the work queues of the dedicated QMan channel that is direct connected to the desired FMan port Work queues 2,3,4,5,6,7 (i.e. except the strict priority work queues 0 and 1) will be populated with one frame queue (FQID) each. The DSCP priority bits (3 bits or 8 values) of an egress packet will be mapped to one of 6 work queue IDs for the port, using a static mapping table indexed by the DSCP priority value Schedule weights can be assigned to the non-strict priority work queues Shaping bandwidth can be configured for the FMan ports service names are the property of their respective owners. Freescale Semiconductor, Inc

50 VortiQa Software on QorIQ P4080 Processor: Control Flow and Infrastructure Support service names are the property of their respective owners. Freescale Semiconductor, Inc

51 VLANs and Control Packet Flow VLAN INTERFACE DATABASE REPLICATED CP VLAN Interface Replication on DP Address Change Notification to DP Control Packet Flow Packets processed in DP Identified as CP packets Packets sent through CP-DP communication Library Packets received by pseudo Ethernet driver Pseudo Ethernet Driver announces it to TCP/IP Stack service names are the property of their respective owners. Freescale Semiconductor, Inc

52 IKE Acceleration with SEC VortiQa Software IKE (Control Plane) IHAKMI Interface Shim Layer SEC4.0 Crypto Driver IHAKMI is a proprietary Intelligent Hardware Accelerator Key Management Interface for multi-threaded IKE application Shim layer will use low-level driver/apis for SEC 4.0 Synchronous interface Asymmetric crypto acceleration SEC4.0 Hardware Crypto Accelerator service names are the property of their respective owners. Freescale Semiconductor, Inc

53 Control Plane, Data Plane (CP-DP) Messaging CP #1 App #1 App #2 CP-DP Comm Support User mode Kernel mode Uses dedicated buffer pool CP user application to Kernel mode Infrastructure CP kernel mode infra -> DP pool channel Any DP core may process the message Response optional from DP Two FQIDs used, one per direction DeMux DP #1 DP #2 DP #N CP Pool Channel FQ FQ FQ FQ 0 7 DP->CP messages FQ FQ FQ FQ 0 6 DP Pool Channel Request Response service names are the property of their respective owners. Freescale Semiconductor, Inc

54 Timer HW Assist FQ n FQ FQ FQ FQ FQ FQ Granularity Next bucket to process. FD + Timer control structure from Timer pool Range Realizes large number of timers Effort to minimize software overhead of monitoring timeout for millions of sessions Features Frame queues that point to Timer pool channel created in the inactive state Software to get a job when the timer expires Distributing timer expiration processing of sessions across cores Time between buckets will be timer period Number of buckets will be max time. Times greater than n time units will be handled by timer module internally Timer interrupt handled by only one core Timer processing in many cores service names are the property of their respective owners. Freescale Semiconductor, Inc

55 VortiQa software for Service Provider equipment requires high computing power To satisfy growing demands of bandwidth To do deep-packet and data inspection to detect and prevent sophisticated attacks Summary QorIQ P4080 multicore processor meets the challenge Designed for networking and security related appliances and markets Combines 8 cores running each at 1.5 GHz with DPAA Engines SEC, PME, FMAN, QMAN and BMAN Provides acceleration engine at Ingress, Look Aside and at Egress level 2 Mbytes of L3 Cache in addition to L1 and L2 Caches with facility to position the code service names are the property of their respective owners. Freescale Semiconductor, Inc

56 Q&A Thank you for attending this presentation. We ll now take a few moments for the audience s questions and then we ll begin the question and answer session. service names are the property of their respective owners. Freescale Semiconductor, Inc

57