6WIND Mission – Democratize Networking

Provide the future of networking with software on white box servers, giving customers independence from expensive networking hardware at a fraction of the cost, while delivering the high performance necessary for software to replace hardware.

6WIND Software for High Performance Networking

- 6WINDGate: "Build-Your-Own vRouter" source code, licensed as a la carte modules on a common software infrastructure and foundation: complete L2-4 networking stack, IP routing, security (IPsec VPNs), CG-NAT, and hypervisor acceleration.
- Network Applications: vRouter for Network Appliances (routing, security, CG-NAT), vRouter for Hypervisor, and Virtual Accelerator, with integrated management, running on standard server hardware.

The TCP Problem

- The performance of TCP applications is limited by Linux.
- 6WINDGate provides a high performance TCP stack that relies on the 6WINDGate architecture to offload packet processing from Linux:
  - High throughput
  - Low latency
  - Large number of simultaneous sessions
  - Fast session establishment rate
- Two examples follow, using TCP Proxy and TCP Termination.

SSL Inspection for Cyber Threat Protection

- Cyber Threat Protection devices (UTM, IPS, IDS, etc.) include SSL Inspection solutions built on TCP proxies.
- The security application talks to the Linux kernel socket layer, so TCP proxy performance is limited by Linux kernel bottlenecks that cripple SSL Inspection speed.
- High performance TCP proxy solutions are required to remove the Linux bottlenecks.
- (Diagram: client and server exchanging SSL packets through a security appliance; the SSL Inspection layer sits on a TCP proxy over the Linux kernel, which is the bottleneck.)

6WINDGate High Performance TCP Proxy for SSL Inspection

- The userland security application (UTM, IPS, IDS, etc.) and its SSL Inspection layer talk to 6WIND's transparent TCP proxy APIs; the 6WIND fast path removes the Linux bottleneck.
- Dedicated transparent TCP proxy APIs.
- Integrated with the 6WINDGate L2-L3 protocol stacks, including Linux synchronization.
- Performance:
  - Number of concurrent sessions: 8 million
  - Connection rate: 1 million CPS
  - Transaction rate: 7.1 million TPS
  - Throughput: 12 Gbps per core
  - Latency: 24 µs
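For reference, the sketch below shows the shape of a conventional TCP proxy written directly against the Linux kernel socket API, i.e. the design whose kernel socket-layer overhead the slides above identify as the bottleneck. It is a minimal, single-connection illustration on standard POSIX calls, not 6WIND code; the listen port and upstream address are placeholders.

```c
/* Minimal TCP relay proxy on the standard Linux kernel socket API.
 * Illustrative only: handles one client at a time, with no error
 * recovery, no TLS, and no SSL inspection logic. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

static int connect_upstream(const char *ip, int port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    inet_pton(AF_INET, ip, &sa.sin_addr);
    if (fd < 0 || connect(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        perror("connect");
        exit(1);
    }
    return fd;
}

/* Copy bytes in both directions until either side closes. */
static void relay(int a, int b)
{
    char buf[16384];
    for (;;) {
        fd_set rfds;
        FD_ZERO(&rfds);
        FD_SET(a, &rfds);
        FD_SET(b, &rfds);
        if (select((a > b ? a : b) + 1, &rfds, NULL, NULL, NULL) < 0)
            break;
        int from = FD_ISSET(a, &rfds) ? a : b;
        int to   = (from == a) ? b : a;
        ssize_t n = read(from, buf, sizeof(buf));
        if (n <= 0)                      /* peer closed or error: tear down */
            break;
        if (write(to, buf, n) != n)      /* short writes ignored for brevity */
            break;
    }
    close(a);
    close(b);
}

int main(void)
{
    /* Listen on port 8080 and forward each connection to 192.0.2.10:80.
     * Both values are placeholders for illustration. */
    int ls = socket(AF_INET, SOCK_STREAM, 0);
    int one = 1;
    setsockopt(ls, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
    struct sockaddr_in sa = { .sin_family = AF_INET,
                              .sin_port = htons(8080),
                              .sin_addr.s_addr = htonl(INADDR_ANY) };
    bind(ls, (struct sockaddr *)&sa, sizeof(sa));
    listen(ls, 128);
    for (;;) {
        int client = accept(ls, NULL, NULL);   /* one connection at a time */
        if (client < 0)
            continue;
        int server = connect_upstream("192.0.2.10", 80);
        relay(client, server);                 /* blocks until both sides close */
    }
}
```

Every byte relayed by this design crosses the kernel socket layer on both receive and transmit, which is the per-packet cost a fast path TCP proxy is intended to remove.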
Test and Measurement Solutions for TCP Networks

- Test and Measurement solutions are built on TCP stacks with growing performance requirements.
- The Test and Measurement application talks to the Linux kernel socket layer, so TCP stack performance is limited by Linux kernel bottlenecks.
- High performance TCP stacks are required to remove the Linux bottlenecks.
- (Diagram: Test and Measurement application on the Linux kernel TCP stack, generating TCP traffic and receiving responses to test TCP networks, bare metal or virtual.)

6WINDGate High Performance TCP Stack for Test and Measurement Solutions

- The Test & Measurement application talks to 6WIND's TCP stack userland APIs; the 6WIND fast path removes the Linux bottlenecks.
- Integrated with the 6WINDGate L2-L3 protocol stacks, including Linux synchronization.
- Extensible APIs to collect statistics.
- Performance:
  - Number of concurrent sessions: 6 million
  - Connection rate: 1.4 million CPS
  - Transaction rate: 7.1 million TPS
  - Throughput: 12 Gbps per core
  - Latency: 24 µs

Accelerated Layer 2-4 Stacks Synchronized with Linux

- Control plane and management: multicast routing, sFlow, VRRP, DMS, SNMP, L2TP, firewall / OVS, security, virtual routing, PPPoE, NETCONF, CLI, KPIs, ARP/NDP, IPsec/IKE, NAT, routing, BRAS, high availability, VRF, with Linux / fast path synchronization.
- Fast path modules: IPsec, IPsec SVTI, L2TP/PPPoE, BRAS, tunneling (IPinIP), Segment Routing v6, QoS (basic and advanced), VXLAN, IPv4/IPv6 filtering, policy-based forwarding, TCP/UDP termination, NAT, CG-NAT, GRE, CG-Firewall, IPv4/IPv6 multicast, reassembly, IPv4/IPv6 routing, link aggregation, Ethernet bridging, MPLS/VPLS, flow inspection, OVS acceleration, VLAN, Ethernet encapsulation, TLS/DTLS (some modules are roadmap items).
- FPN-SDK over 6WINDGate DPDK: Intel QuickAssist, multi-buffer crypto, virtio host PMD, crypto, and the supported NICs.

6WINDGate TCP/UDP Termination Software

- 6WINDGate source code license including the TCP modules and other 6WIND modules, depending on the customer use case.
- Integrated with the L2-L3 6WINDGate modules.
- TCP stack configuration through a dedicated CLI.
- The TCP/UDP-based application must be integrated with the Fast Path Socket Integration Layer.
- (Diagram: the TCP/UDP-based application sits on the Fast Path Socket Integration Layer, above the fast path TCP/UDP termination and TLS/DTLS modules and the L2-L3 fast path (VLAN, bridge, GRE, IPv4/IPv6 forwarding, filtering/NAT, IPsec, VRF, etc.), synchronized with the Linux kernel.)
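The "TCP/UDP-based application" above is ordinary socket code. As a hypothetical example of the kind of program that gets integrated with the Fast Path Socket Integration Layer (the deck later describes the stack's socket API as POSIX-compliant and BSD-like), here is a minimal blocking server written against the standard POSIX socket API that answers each request with a 1-byte HTTP response, the same transaction pattern used in the benchmark slides later in this deck; the port number is arbitrary.

```c
/* Minimal blocking TCP server on the standard POSIX socket API.
 * Illustrative only: one request per connection, no error handling. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

int main(void)
{
    int ls = socket(AF_INET, SOCK_STREAM, 0);
    int one = 1;
    setsockopt(ls, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
    struct sockaddr_in sa = { .sin_family = AF_INET,
                              .sin_port = htons(8080),   /* arbitrary port */
                              .sin_addr.s_addr = htonl(INADDR_ANY) };
    bind(ls, (struct sockaddr *)&sa, sizeof(sa));
    listen(ls, 1024);
    for (;;) {
        int c = accept(ls, NULL, NULL);
        if (c < 0)
            continue;
        char req[4096];
        ssize_t n = read(c, req, sizeof(req));     /* read one request */
        if (n > 0) {
            /* 1-byte response body, mirroring the HTTP OK (1B) transaction
             * described in the benchmark slides below */
            const char *rsp = "HTTP/1.1 200 OK\r\nContent-Length: 1\r\n\r\nX";
            write(c, rsp, strlen(rsp));
        }
        close(c);       /* one request per connection, then close */
    }
}
```

Code of this shape only needs the listen/accept/read/write/close calls that a BSD-like socket layer provides, which is why such an application can target either the Linux kernel or an alternative socket integration layer.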
6WINDGate TCP Implementation

- Stack implementation:
  - Redesigned and fully optimized for multi-core execution environments.
  - Highly scalable processing of parallel establishment / shutdown of TCP connections.
  - High performance data exchanges on a huge number of TCP/UDP sockets over established TCP connections.
  - Event-driven notifications from the stack to the application.
  - Plugin support for custom TCP/UDP applications, including bridged and routed transparent proxy support with configurable IP bypass lists.
- Socket API:
  - Full support of TCP and UDP sockets over IPv4 and IPv6.
  - POSIX-compliant socket API and zero-copy socket APIs.
  - VRF-aware sockets.
  - Netstat-like support to dump socket state and statistics.

Architecture

- TCP application performance suffers from Linux networking stack bottlenecks.
- (Diagram: TCP application on the Linux socket API, on top of the Linux networking stack.)

Architecture – Fast Path TCP/UDP Termination

- TCP/UDP protocols are processed in the fast path: a full-featured TCP/UDP stack with a BSD-like socket API, reached through the Fast Path Socket Integration Layer.
- Timers are redesigned for better scalability, locks are removed, and the memory footprint is reduced.
- (Diagram: fast path socket API exposing TCP/UDP configuration, termination and statistics through fast path shared memory, alongside the other fast path modules: forwarding, IPsec, filtering/NAT, IPv4/IPv6, MPLS/VPLS, VLAN/GRE/VXLAN, bridge / OVS, encapsulation, tunneling (IPinIP), link aggregation, flow inspection.)
- Performance:
  - Scale: 8M active concurrent TCP sockets
  - Throughput: 40+ Gbps
  - CPS: 1.47M TCP connections per second
  - TPS: 7.1M TCP transactions per second
  - Latency (TTFB): 24 µs
- Optimized fast path TCP/UDP socket implementation using event-based socket callbacks; the latency of socket calls is minimized (see the sketch below).
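The event-based callback model described above has a familiar analogue on standard Linux: an epoll-driven loop in which the application is notified of "new connection" and "data ready" events instead of blocking in per-socket calls. The sketch below uses plain POSIX sockets and epoll purely to illustrate that programming model; 6WINDGate's fast path socket API is its own BSD-like, event-driven interface and is not reproduced here.

```c
/* Event-driven request/response server using epoll, as an illustration of
 * the event-notification model only (not the 6WINDGate socket API). */
#include <arpa/inet.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/epoll.h>
#include <sys/socket.h>
#include <unistd.h>

int main(void)
{
    int ls = socket(AF_INET, SOCK_STREAM, 0);
    int one = 1;
    setsockopt(ls, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
    struct sockaddr_in sa = { .sin_family = AF_INET,
                              .sin_port = htons(8080),   /* arbitrary port */
                              .sin_addr.s_addr = htonl(INADDR_ANY) };
    bind(ls, (struct sockaddr *)&sa, sizeof(sa));
    listen(ls, 4096);

    int ep = epoll_create1(0);
    struct epoll_event ev = { .events = EPOLLIN, .data.fd = ls };
    epoll_ctl(ep, EPOLL_CTL_ADD, ls, &ev);

    struct epoll_event events[256];
    for (;;) {
        int n = epoll_wait(ep, events, 256, -1);   /* block until events arrive */
        for (int i = 0; i < n; i++) {
            int fd = events[i].data.fd;
            if (fd == ls) {
                /* "new connection" event: accept and register the socket */
                int c = accept(ls, NULL, NULL);
                if (c < 0)
                    continue;
                fcntl(c, F_SETFL, O_NONBLOCK);
                struct epoll_event cev = { .events = EPOLLIN, .data.fd = c };
                epoll_ctl(ep, EPOLL_CTL_ADD, c, &cev);
            } else {
                /* "data ready" event: serve one request, then close */
                char req[4096];
                ssize_t r = read(fd, req, sizeof(req));
                if (r > 0) {
                    const char *rsp =
                        "HTTP/1.1 200 OK\r\nContent-Length: 1\r\n\r\nX";
                    write(fd, rsp, strlen(rsp));
                }
                close(fd);   /* a closed fd is removed from epoll automatically */
            }
        }
    }
}
```

A single loop of this kind scales to a very large number of sockets because the application only touches sockets that actually have pending events, which is why event notification matters at millions of concurrent sessions.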
6WINDGate TCP Features

Available:
- TCP_SACK and TCP_FACK
- Path MTU discovery and ICMP support
- TCP_QUICKACK
- Initial congestion window per route (initcwnd)
- Socket options to retrieve/set TTL, MSS, TOS, DF bit
- Cubic congestion algorithm
- Reno, New Reno
- Slow Start After Idle (RFC 5681)
- ECN support (RFC 3168)
- TCP protection against wrapped sequence numbers
- TCP Appropriate Byte Counting (RFC 3465)
- TCP Segmentation Offload (TSO) support
- Window scaling
- L2 bridge hook for transparent proxy
- UDP transparent proxy
- TCP SYN cookies

20/Q1:
- Per-socket rate limit (SO_MAX_PACING_RATE)
- Duplicate SACK (RFC 3708), challenge ACK limit
- TCP fast RTO (RFC 5682)
- TCP early retransmit (RFC 5827)
- TCP Fast Open (RFC 7413)
- Optimizations: mbuf clone support to avoid copies on the transmit side, bulk API
- L2 bridge plugin enhancement for transparent proxy: L2 flow association with sockets, full transparency (socket creation in connected state)
- TLS v1.2/v1.3 support
- DTLS v1.2/v1.3

20/Q3 and next:
- QinQ
- VxLAN
- PPPoE
- GTP-U
- L2TPv2/v3 (ETH/VLAN)

Benchmarks – Platform

- Tester: IXIA XT80 using IxLoad 8.01.106.3.
- Node under test:
  - CPU: 2 x Intel(R) Xeon(R) Platinum 8170 @ 2.10 GHz
  - RAM: 48 GB DDR3
  - NICs: 4 x Intel X520 and 82599ES dual-port 10G (eight 10G ports, eth2_0 to eth9_0)
- The TCP/UDP application runs on the fast path socket API over the fast path TCP/UDP termination.
- Benchmarks: proxy (CPS, bandwidth) and server (CPS, TPS, bandwidth, latency).

Proxy Benchmarks

- TCP connection rate:
  - The reported result is the system capacity for continuous TCP socket opens and closes per second.
  - TCP sockets are opened first to reach the socket objective (10K to 8M sockets).
  - Once the objective is reached, sockets are continuously closed and opened at the maximum rate.
  - The connection rate reported is the average rate measured.
  - (A minimal client-side sketch of this open/close churn appears at the end of this section.)
- TCP bandwidth:
  - The reported result is the throughput received by IXIA.
  - TCP sockets are opened first to reach the socket objective (10K to 2M+ sockets).
  - Newly opened sockets are used for traffic emission and reception.

Proxy Connection Rate Test

- The 6WINDGate TCP proxy application runs on the node under test; a single port (80) is used (worst case).
- IXIA establishes connections until the concurrent socket objective is reached; once done, sockets are continuously opened and closed.
- IXIA measures the maximum number of sockets per second; the test is successful when all sockets are opened and closed correctly.
- Message sequence on both legs (client to proxy, proxy to server): SYN, SYN-ACK, ACK; HTTP GET; HTTP OK (1 byte); FIN-ACK in each direction; final ACK.
- One connection through the proxy corresponds to two sockets.

Proxy Connection Rate Results

- Up to 1M sockets per second using 16 cores and 8M concurrent sockets.
- All connections are established properly.
- The impact of the number of concurrent connections is limited.

Proxy Bandwidth Test

- 6WINDGate is running
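To make the connection-rate methodology concrete, here is the client-side sketch referenced in the Proxy Benchmarks slide above: a hypothetical, single-threaded program that ramps up to a socket objective, then continuously closes and reopens connections, performing one HTTP GET / 1-byte OK transaction per connection, and reports the average open/close rate. The real test uses an IXIA XT80 driving up to 8M sockets in parallel; the objective, duration, and target address below are placeholders.

```c
/* Connection-churn client sketch: ramp up to a concurrent-socket objective,
 * then continuously close and reopen connections at maximum rate.
 * Single-threaded and blocking; a real tester runs this massively in parallel. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

#define OBJECTIVE 1000   /* placeholder; the real test uses 10K to 8M sockets */

static int open_one(struct sockaddr_in *dst)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 || connect(fd, (struct sockaddr *)dst, sizeof(*dst)) < 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    /* one HTTP GET / 1-byte OK transaction per connection, as in the test */
    const char *get = "GET / HTTP/1.1\r\nHost: t\r\n\r\n";
    char rsp[256];
    write(fd, get, strlen(get));
    read(fd, rsp, sizeof(rsp));
    return fd;
}

int main(void)
{
    struct sockaddr_in dst = { .sin_family = AF_INET, .sin_port = htons(80) };
    inet_pton(AF_INET, "192.0.2.10", &dst.sin_addr);   /* proxy under test (placeholder) */

    int fds[OBJECTIVE];
    for (int i = 0; i < OBJECTIVE; i++)   /* ramp up to the socket objective */
        fds[i] = open_one(&dst);

    long cycles = 0;
    time_t start = time(NULL);
    while (time(NULL) - start < 10) {     /* churn for 10 seconds (placeholder) */
        for (int i = 0; i < OBJECTIVE; i++) {
            close(fds[i]);                /* close one socket... */
            fds[i] = open_one(&dst);      /* ...and immediately reopen it */
            cycles++;
        }
    }
    printf("~%ld open/close cycles per second\n", cycles / 10);
    return 0;
}
```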