VortiQa Software Products Overview: Benefits, Functions and Roadmap

Transcription

1 August, 2010 VortiQa Software Products Overview: Benefits, Functions and Roadmap NET-F0745 John Chang

2 Agenda Multicore processing - quick overview VortiQa software functional and architecture overview Solution-centric approach Business model Roadmap Summary 2

3 Multicore Processing Quick Overview 3

4 The Software Challenges Virtualization Environment New Apps Data Plane Diagnostic Framework Software Architecture 3 rd Party SW Simulation Legacy Apps Control Plane Challenges: Migration of legacy applications Optimal utilization of hardware platform resources Adding new sophisticated applications to an already complex architecture Innovate faster and better Impact on Product Development: Increased cost of development and ongoing product maintenance Increased risk on developing a competitive product that best uses all platform resources Inflexible architecture choices limit product line expansion 4

5 What is VortiQa Software? Production-ready software applications Deliver integrated security and networking functionality to nextgeneration networking products \vór ti ka\: A whirlwind of innovation Accelerate product development and increase the pace of innovation We do the work that helps make your multicore solution development faster and better. Software optimized to leverage the complete capabilities of our QorIQ and PowerQUICC multicore processors Integration of the talent and mature software product line acquired as part of Intoto Inc. 5

6 VortiQa Software Functional and Architecture Overview 6

7 VortiQa Software Products Overview Delivers integrated networking and security functionality Software for Service Provider Equipment Software for Enterprise Network Equipment Software for Small Business Gateways Software for SOHO / Residential Gateways Freescale Silicon QorIQ processors (P4080) PowerQUICC III and QorIQ processors (MPC8377E, MPC8572E, P2020, P1020, P4080) PowerQUICC III and QorIQ processors (MPC8377E, P1020) PowerQUICC III and QorIQ processors (MPC8315E, MPC8314E, P1020) Example Applications Multi-service edge routers, switches, wireless infrastructure, security gateway Enterprise U, security appliances, secured routers and switches Multi-service business gateways xdsl, PON, FTTH, and other CPE devices Key Features Networking protocols L2 or L3 stateful packet inspection, firewall, NAT IPsec VPN + IKEv1 + IKEv2 Stateful deep packet inspection: P2P filtering Protocol anomaly Traffic anomaly QoS / traffic management Virtual security gateways Networking protocols L2 or L3 SPI firewall support IPsec enterprise VPN + IKEv + IKEv2 Stateful deep packet inspection: P2P filtering Protocol anomaly Traffic anomaly QoS / traffic management Antivirus and anti-spam HA support Networking protocols Advanced IPsec VPN + IKE supports SPI firewall + advanced NAT features + Dual WAN with load balancing / fail over Optional service provider provisioning Virtualized container architecture based on KVM Networking protocols SPI firewall + NAT + residential gateway IPsec VPN Optional service provider provisioning 7

8 Service Provider/Datacenter Deployment Server Farm Aggregation Switches With VortiQa Software Core Switches With VortiQa Software P4080E Up to 1500 MHz 8 Cores; 1 MB L2, DDR2/3, PCI Express, 10G/GbE, USB DPAA, Security P40X0 (DPAA equipped) Internet Up to 1500 MHz e500mc core; 1 MB L2, DDR2/3, PCI Express, 10G/GbE, USB DPAA, Security 8

9 VortiQa Software for Service Provider Equipment Scalability Features Highly suitable and optimized for scale, performance and better latency Virtual Instances (VSG) Up to 4K virtual instances; multiple zones in each VSG; overlapping addresses supported across VSGs VLAN mapping to zone and virtual instance Large number of sessions and tunnels (based on memory) highly scalable 1M session (firewall and IPS) 50K tunnels (IPsec VPN) DP with session establishment offload DP also does session establishment Traditional fast path only offloads packet processing 9

10 Data Plane Control Plane Architecture: VortiQa for Service Provider Equipment Management Signaling/Misc Management LOG IKE v1/v2/pki DP State Monitor HA Monitor(*) CLI UCM (*) TRACE DNSRD Image upgrade(*) Route Updater LDSV Engine Config Demux EVM-API User space daemons - Configuration Databases, VSG, Interfaces Linux Name Spaces Interface Helper ARP Helper Event Manager: Dispatcher/Generator/Receiver CP-DP Communication Handler Linux/Other SMP OS Interface Demux/Packet Announcer HA(*) Stateful Sync, Monitor DNS Cache DP Monitor Event Manager, Dispatcher Packet Processing Engine Management Databases Firewall IPSec Logger Trace Firewall IPS IPSec IPDB ALGs IPS(*) Session Mgmt. QoS(*) P2P(*) CP-DP replicated information (VSG, I/F, Routes, ARP Caches) Fast Path Session Lookup Firewall IPsec QoS Policing & Shaping (*) IP Reassembly IP Fragmentation Ethernet Interfaces, VLAN, Bridging Light-Weight Executive (LWE) Freescale QorIQ (P40XX DPAA equipped) HW Accelerators (*) Under development 10

11 Enterprise Deployment P4080E Up to 1500 MHz 8 Cores; 1 MB L2, DDR2/3, PCI Express, 10G/GbE, USB DPAA, Security MPC8572E Up to 1500 MHz Dual- e500 core; Logging 1 MB L2, Admin 800 MHz DDR2/3, PCI Express, Console 4xGbE, USB Console SRIO, Security ENTERPRISE NETWORK Security Domain 4 MPC8315 MARKETING SUBNET 400 MHz Marketing Users Other Internal Users 2 x GbE (SGMII) PCI, PCI Express USB, DDR1/2, Security Security 400 MHz Domain 2 MALICIOUS HACKERS BRANCH OFFICE Internet VortiQa Software DoS Attacks Access Control Lists Security Domain 1 Confidential Data HOMEOFFICE App Server Server EDI Server Security Domain 3 Finance Users MPC8548 FINANCE SUBNET Web Confidential Server Up Data to 1500 MHz Single Core; 512 KB L2, DDR2/3, PCI Express, 4xGbE, USB Trojan Attack SRIO, Security TELECOMMUTER Policies for individual security domains Policies for Individual users Policies for user groups Allow remote access Allow access to web server Deny access to finance server Deny access to confidential data 11

12 Highly suitable for feature-rich U applications Stateful packet inspection firewall IPS / deep packet inspection IPsec VPN Anti-spam and antivirus Extendable transparent proxy framework High availability VortiQa for Enterprise Network Equipment Feature Richness 12

13 Architecture: VortiQa for Enterprise Network Equipment CMS/Embedded Management: CLI, HTTP, LDSV, SYSLOG, , SNMP SSLVPN* Reverse Proxy Socks App Tunnel L2 Tunnel Portal AV/AS SMTP/S Proxy POP3/s Proxy HTTP Proxy FTP Proxy AV DB AS DB IPS Manager IKEv1/v2 PKI (SCEP, OCSP, LDAP) XAUTH, EAP IRAC IRAS Authentication Services LDAP Client RADIUS Client Local User Space TCP/ IP Firewall Policy Mgmt Traffic Policing Transparent Proxy Support Application Level Gateway Session Management and Packet processing Drop-in Clustering Intrusion Detection/ Prevention Engine IPSec Packet Processing Traffic Shaping Kernel Space Ethernet, Bridging and WAN Protocols Hardware Layer Ethernet Controllers Crypto Acceleration Pattern Matching Acceleration 13

14 Small Business Deployment VortiQa Software for SMB Networks MPC8378E VPN Tunnel MHz 2 x GbE (SGMII) PCI, PCI Express USB, DDR1/2, Security, SATA 667 MHz MPC8377E Internet Branch Office P2020 Dual e500 Cores, MHz 512 KB L2 Cache SMB Network Telecommuters & Road Warriors 14

15 Highly suitable and optimized for small business gateway applications Stateful packet inspection firewall, NAT and ALGs IPsec VPN Dual WAN load balancing and failover Service provider provisioning support with TR-069 and TR-098 protocols VortiQa Software for Small Business Gateways 15

16 Architecture: VortiQa for Small Business Gateways 16

17 SOHO/Residential Gateway Deployment MPC8358E MPC8360E FRIENDS ONLINE SCHOOL WORK e300 core with MHz and QUICC Engine support INTERNET FRIENDS ONLINE SCHOOL WORK Malicious Hackers BANKING SHOPPING NEWS AND ENTERTAINMENT TRAVEL AND LEISURE VoIP DoS Attacks OFFICE VPN CONNECTION Confidential Data VPN URL Keyword Filtering Firewall Trojan Attack BANKING SHOPPING NEWS AND ENTERTAINMENT TRAVEL AND LEISURE HOME OFFICE EDI Server Server x Unauthorized Users LAPTOP WITH WIRELESS LAN CONNECTION A/B/G Wireless Security 17

18 VortiQa Software for SOHO/Residential Gateways Highly suitable and optimized for SOHO/ residential business gateway applications Stateful packet inspection firewall IPsec VPN Service provider provisioning support with TR-069 and TR-098 protocols Intuitive GUI interface 18

19 Architecture: VortiQa for SOHO /Residential Gateways 19

20 VortiQa Software Delivers Architectural Flexibility AMP, SMP or Hybrid AMP+SMP Architecture Architecture Benefits Asymmetric multiprocessing (AMP) architecture Simplifies legacy migration by minimizing changes to existing software Efficient use of individual core cache Symmetric multiprocessing (SMP) architecture Better utilization of processing capacity Cores are not reserved for specific functions Improves latency by eliminating issues with pipelining Hybrid architecture Provides functional scalability by taking advantage of both SMP and AMP architectures Provides optimal solution for pipelining and latency issues 20

21 Simplifies migration to multicore processors Delivers optimized performance Crypto acceleration Datapath acceleration Frame managers Pattern matching acceleration Delivers architectural flexibility and choice Ability to create differentiated products Ability to add new applications and services Ability to expand product line Speeds time to market Shortens product development cycle on custom features Provides off the shelf functionality Provides a stable software framework Better return on investment Benefits of VortiQa Software 21

22 Solutions-Centric Approach 22

23 Combination of: What is Freescale s Solutions-Centric Approach? PowerQUICC and QorIQ product families Four VortiQa software product lines Expanded ecosystem of hardware partners and ODMs, OS and tool vendors, ISVs and system integrators Customer benefits: Better business value to technology investment; faster return on investment Enables ability to target market verticals Provides more choices and flexibility to create differentiated products 23

24 Example Solution for enodeb System Integration (Customer and/or SI partner) Services Data Plane Control Plane Fn TP / TS RRC F3 IPsec GTP enodeb F2 Routing IKEv2 F1z ETHERNET OAM X1-AD Base station Linux L2 Cache AMP Linux L2 Cache L2 Cache L2 Cache Light Weight Executive AMP L2 Cache (Light RTOS) L2 Cache 3 rd Party OS SMP L2 Cache L2 Cache This is a simple representation of a complex solution. Power Architecture Core D-Cache I-Cache Power Architecture Core D-Cache I-Cache Power Architecture Core D-Cache I-Cache Power Architecture Core D-Cache I-Cache Power Architecture Core COTS or Custom hardware platform (based on QorIQ processors) D-Cache I-Cache Power Architecture Core D-Cache I-Cache Power Architecture Core D-Cache I-Cache Power Architecture Core D-Cache I-Cache Diagram Key: Functions from FSL Functions from Ecosystem Partner/Customer 24

25 Example Solution for Secure Storage Server System Integration (Customer, SI partner, or Hardware ODM) Secure Storage Server Configuration, management and logging Open services for 3 rd party apps Media server and sharing Backup management (cloud agent) Configuration, management and logging SSLVPN Access Control and Authentication QoS Network Attached Storage This is a simple representation of a complex solution. File server Networking Protocols Linux or 3 rd Party OS from OS Partners MPC 83xx or MPC 85xx COTS or Custom H/W platform (based on PowerQUICC / QorIQ processors) Diagram Key: Functions from FSL Functions from Ecosystem Partner/Customer 25

26 Third-Party Partners Hardware Design and Development Software Design and Development Integration, Testing, Support and Maintenance Hardware Partners and ODMs RTOS and Tools and Development Independent Software Vendors System Integrators Optimal Use of Processor Resources 26

27 Provides flexibility and choice of vertical market solutions Expanded Ecosystem VortiQa Software Example verticals: -U appliances -Secured routers -Small business gateways -Residential gateways Complex Networking Applications and Equipment Independent Software Vendors Example verticals: -LTE/4G wireless -NAS/storage -Unified communications -Small business gateways -Video conferencing -Triple play OPEN SOURCE Software Example verticals: -PBX -NAS/storage 27

28 Why Our Approach is Better Freescale is tackling the multicore software problem head-on Ecosystems are required when it comes to embedded multicore and most include software, and Freescale pairs production-ready software with a world-class ecosystem We believe that the best way to help customers get up and running quickly on multicore technology is to provide off-the-shelf, preparallelized application software that is optimized for our specific communications platforms 28

29 Business Model 29

30 Software Business Model Terms and Deliverables LICENSING DELIVERABLES SUPPORT Development license Source license Terms: ability to modify, enhance, make derivatives Run-time distribution license License to sublicense only in binary form as included with FSL silicon based hardware product Term Five years with automatic annual extensions thereafter Indemnity Covered for software delivered by Freescale Warranty 30 days initial warranty Thereafter, defects are covered under support agreement Toolkit libraries Library files required to complete integration and link with customer application modules Complete source code and make files for customer to modify the product, integrate and link with other application modules Other deliverables Release notes Image on target platform To jumpstart the usage of the product by development team API documentation User/Admin guide for GUI/CLI where applicable Test documents including test reports, test plans and test cases Term of support Minimum of 2 years subject to support payments Support provided for current release and most-recent previous release Training Fee based training either onsite or Freescale location Modes of support Telephone Instant messaging Web-based defect tracking system 30

31 Roadmap 31

32 Roadmap VortiQa Product Line VortiQa for Service Provider Equipment VortiQa for Enterprise Network Equipment VortiQa for Small Business Gateways VortiQa for SOHO/ Residential Gateways Roadmap IPv6 Firewall IPv6 Firewall TR-098 Firewall TR-098 Firewall IPv6 VPN IPv6 VPN TR-098 VPN TR-098 VPN IPv6 IPS IPv6 IPS TR-104 VoIP IPv6 Antivirus IPv6 Anti-spam WAN Optimization

33 Summary 33

34 VortiQa software on QorIQ and PowerQUICC processors Answer to challenges faced by the network equipment vendors Functionality including networking and security functions Highly optimized and performance tuned solution to get the most out of Freescale silicon capabilities Cost-effective mechanisms to go to market Cost-effective mechanisms to maintain the product Accelerate time to market with a comprehensive system solution not just silicon or software Support from the developers who have experience with silicon and software Expanded ecosystem working with independent vendors Summary 34

35

36 Optimization Techniques Run to completion All cores run all software pieces No pipe lining (traffic patterns are different and difficult to divide the work evenly) Usage of OS/hardware specific locks to protect critical sections. Read and write locks Thread semaphores RCUs for lookup tables and configuration structures Session parallelization Maintain FIFO order of packets within a session, tunnel Eliminate the locks in packet processing Packet ordering capability to reduce duplicate session/tunnel creation Wherever possible takes advantage of hardware features Avoiding garbage collection of run time entries No timer based garbage collection (if timer is small, may lead to system instabilities; if timer is high, may lead to memory exhaustion) One timer per session Usage of software directed pre-fetching capabilities: Prefetch session entry, tunnel entry while doing some operations Statistics Maintained on per core basis for sessions/sas Consolidated as part of management API Global statistics using decorated storage (no locks necessary) Memory pools Maintained on per core basis Cache optimizations Keep the relevant members together Code related to common processing functionality together (via likely/unlikely compiler directives) Asynchronous usage of hardware accelerators IPsec offload accelerator Pattern matching accelerator (used by IPS, application detection modules) Hardware cache stashing P4080 capability to stash the cache with user defined memory location and also some part of packet buffer Reuses hash generated by hardware (avoid calculation of hash for lookup tables) Leverage: Hardware field extraction BMAN for packet buffer allocation and free QMAN for inter core queuing

37 VortiQa for Enterprise on SMP OS Ex: Linux User Space Kernel Space Socket library Openssl Library TCP/IP Pkt Reception (NetFilter Hooks) TCP/IP API (Route lookup, IP Address, Transmit Pkt) VortiQa (User Space) Char Driver (For Configuration) VortQa (Kernel Space) Memory API Tasklet API Synchroni zation Locks Libc functions Pthread library OS Architecture Overview For every OS related function, VortiQa defines a wrapper function VortiQa modules never invoke any OS related functions directly. Rather they use wrapper functions. This allows portability of VortiQa modules across different OS Character device driver is used for communication between kernel space modules and user space applications Loopback sockets (or Unix domain sockets) are used to communicate between user space processes User processes: State machine oriented. Multiple threads may be present, but each thread handles multiple sessions (Eg. IKEv1/IKEv2, Proxies for AV/AS)

38 VortiQa Software for Enterprise Equipment Security architecture SSL - VPN Antivirus VortiQa modules IPSEC-VPN, IPS, traffic mgmt registers to firewall ecosystem TCP/IP Stack Pkts IN Session Management Ecosystem Infrastructure Packets OUT Pkts IN Pkts OUT IPsec VPN IPS Firewall Traffic Mgmt Hardware Eco-System Hardware Eco-System Glue Layers Hardware Accelerator SDK (DFA/Crypto,etc) VortiQa core security session management module firewall captures packets from TCP/IP stack After firewall functionality (policy enforcement, attack verifications) done, session management ecosystem dispaches packets to registered modules in priority basis IPSEC-VPN, IPS may use their hardware ecosystem interface to utilize hardware accelerator services Each module may consume or return packets to firewall ecosystem Firewall ecosystem finally dispatches packets onto network

39 Functionality Differentiation Between Various Products Recap Key Feature / Benefit VortiQa software for Service Provider Equipment Enterprise Equipment Small Business Gateway SOHO / RG Common Utilities and Network Access Function Stateful Packet Inspection (SPI) Firewall and NAT IPS DHCP server, client, relay, DNS relay, Dynamic DNS etc SPI Firewall, 1/1 & n/1 NAT, Application Filters, Multi-cast Firewall, Association Reservation, Fine grained configuration Deep Packet Inspection, P2P/IM detection DHCP server, client, relay, DNS relay, Dynamic DNS etc SPI Firewall, 1/1 & n/1 NAT, Application Filters, Multi-cast Firewall, Association Reservation, Fine grained configuration Deep Packet Inspection, P2P/IM detection DHCP server, client, relay, DNS relay, Dynamic DNS etc SPI Firewall, 1/1 & n/1 NAT, Medium grained configuration DHCP server, client, relay, DNS relay, Dynamic DNS etc VPN IPSec, IKEv1, IKEv2 & PKI IPSec, IKEv1, IKEv2 & PKI IPSec, IKEv1 & PKI IPSec, IKEv1 Anti-X High Availability Configuration Management Interfaces QoS and Traffic Management Extensive CLI and Programmatic API Layer 3 Traffic Shaping & Traffic Policing Anti-Virus, Anti-Spam Active Backup highavailability Extensive GUI, CLI and Programmatic API Layer 3 Traffic Shaping & Traffic Policing Extensive CLI, GUI, Programmatic API and TR- 069 & TR-098 support ToS based QoS SPI Firewall, n/1 NAT, Easy & intuitive configuration Extensive CLI, GUI, Programmatic API and TR- 069 & TR-098 support ToS based QoS Virtual Security Gateways Multiple Virtual Security Gateways support 39

40 VortiQa Software for SOHO/Residential Gateways Example Business Model Template Option 1 Option 2 Source code Development License Dollar amount Source code Development License Dollar amount Per unit Run-time License Dollar amount Per unit Run-time License % of Invoice ASP Annual Support & Maintenance (200 person-hour block) Dollar amount Annual Support & Maintenance (200 person-hour block) Dollar amount Professional Services (if applicable) Based on effort estimates Professional Services (if applicable) Based on effort estimates 40