AltraMayor / gatekeeper

The first open-source DDoS protection system
https://github.com/AltraMayor/gatekeeper/wiki
GNU General Public License v3.0

Explore new DPDK features that Gatekeeper may benefit from #398

Open mengxiang0811 opened 4 years ago

mengxiang0811 commented 4 years ago

Gatekeeper may benefit from some new DPDK features:

  1. Fast mbuf free: This feature requires that, per queue, all mbufs come from the same mempool and have refcnt = 1. Therefore, we expect most blocks except for the SOL blocks (which hold mbufs from different mempools) will benefit from this feature.

  2. Intel I/O Acceleration Technology for memory copy offloading, which DPDK supports with the IOAT rawdev driver. For now, we don't expect this technology to bring significant improvement for Gatekeeper because (1) DDIO technology injects the packets directly into the CPU's last level cache; (2) Gatekeeper doesn't have much memory copy workload.

  3. Some rawdev drivers for DMA engines, thus DPDK applications can initiate DMA transactions internally from/to host without core intervention.

  4. Devices with HW mempool support can complete the Ethdev Rx buffer allocation and Tx buffer recycling in HW to save CPU cycles. DPDK 20.02 added mbuf pools with pinned external memory. Gatekeeper may not see a significant improvement from this feature, as currently each block maintains its own thanks to our closed patch #377, which allows Gatekeeper to create an mbuf pool for each lcore. The allocation/de-allocation overhead should be small.

  5. DPDK 19.11 added support for dynamic fields and flags in mbuf, which is typically used for specific offload features. This feature combined with potential features merged in the near future will better enable the adoption of SmartNIC-based solutions.

Although we won't update our current DPDK to the latest version for the first deployment due to two facts, (1) our new patches need extra work to go upstream and (2) some APIs used by Gatekeeper have been deprecated and we need to replace them with the latest APIs, any potential new DPDK features related to our 100+ Gbps deployment should be recorded/discussed in this thread.

mengxiang0811 commented 4 years ago

Some efforts from Intel and Barefoot Networks are to enable P4 in DPDK. P4 is being extended to the CPU, FPGA and ASIC targets, which could allow Gatekeeper to easily adopt new NICs with special hardware features in the near future. Stay tuned for the release of this work.