Bo Ji,Jinfang Zhou,Junda Zhu,Liping Qian

DOI: https://doi.org/10.1049/cp:20061251

2006-01-01

Abstract:Networks, along with the explosive growth of the Internet, developed quickly and make our lives more convenient and efficient. However, at the same time, people will face much more network security problems such as illegal observation, modification, IP Spoofing, etc. This article proposes a novel type of universal software architecture named Fastpath which is purposely designed and optimized for Network Element (NE) in the Next Generation Networks (NGN), under Linux. Furthermore, it illustrates the experience in developing IPSec-based VPN gateway over IXP425, and offloading IPSec processing to NPEs and coprocessors by using APIs of software AccessLibrary through Open Crypto Framework (OCF). Finally, we investigate the performance issues both internally and externally. Through the benchmarks, we analyze the performance of the system and identify that Fastpath and network processor together can construct a universal and high-functional platform for NE which focuses on network processing.

Yisong Chang,Ke Zhang,Sally A. McKee,Lixin Zhang,Mingyu Chen,Liqiang Ren,Zhiwei Xu

DOI: https://doi.org/10.1109/iccd.2016.7753261

2016-01-01

Abstract:The need to perform data analytics on exploding data volumes coupled with the rapidly changing workloads in cloud computing places great pressure on data-center servers. To improve hardware resource utilization across servers within a rack, we propose Direct Extension of On-chip Interconnects (DEOI), a high-performance and efficient architecture for remote resource access among server nodes. DEOI extends an SoC server node's on-chip interconnect to access resources in adjacent nodes with no protocol changes, allowing remote memory and network resources to be used as if they were local. Our results on a four-node FPGA prototype show that the latency of user-level, cross-node, random reads to DEOI-connected remote memory is as low as 1.16µs, which beats current commercial technologies. We exploit DEOI remote access to improve performance of the Redis in-memory key-value framework by 47%. When using DEOI to access remote network resources, we observe an 8.4% average performance degradation and only a 2.52µs ping-pong latency disparity compared to using local assets. These results suggest that DEOI can be a promising mechanism for increasing both performance and efficiency in next-generation data-center servers.

Zhengyan Zhou,Hanze Chen,Lingfei Chen,Dong Zhang,Chunming Wu,Xuan Liu,Muhammad Khurram Khan

DOI: https://doi.org/10.1109/tgcn.2024.3432781

2024-01-01

IEEE Transactions on Green Communications and Networking

Abstract:Radio access network (RAN) enables large-scale collection of sensitive data. Privacy-preserving techniques aim to learn knowledge from sensitive data to improve services without compromising privacy. However, as the data scale increases, enforcing privacy-preserving techniques on sensitive data may consume a considerable amount of system resources and impose performance penalties. To reduce system resource consumption, we present NetDP, an in-network architecture for privacy-preserving techniques by leveraging programmable switches to improve resource efficiency (i.e., CPU cycles, network bandwidth, and privacy budgets). The key idea of NetDP is to accommodate and exploit cryptographic operators to reduce resource consumption rather than repetitively and exhaustively suppressing the impact of these techniques. To the best of our knowledge, this is the first time that privacy-preserving techniques in a large-scale data processing system have been enforced on programmable switches. Our experiments based on Tofino switches indicate that NetDP significantly reduces computation latency (e.g., 40.2%-55.8% latency in computations) without impacting fidelity.

Jinli Meng,Xinming Chen,Zhen Chen,Chuang Lin,Beipeng Mu,Lingyun Ruan

DOI: https://doi.org/10.1007/978-3-642-25283-9_3

2011-01-01

Abstract:Providing secure, reliable communications is a big challenge to guarantee confidentiality, integrity, and anti-replay protection, especially between endpoints in current Internet. As one of the popular secure communication protocol, IPsec usually limits the throughput and increases the latency due to its heavy encryption/decryption processing. In this paper, we propose a hardware solution to accelerate it. To achieve high performance processing, we have successfully designed and implemented IPsec on Cavium OCTEON 5860 multi-core network processor platform. We also compare the performance under different processing mechanisms and discover that pipleline works better than run-to-completion for different sizes of packets in our experiments. In order to achieve the best performance, we select different encryption algorithms and core numbers. Experimental results on 5860 processors show that our work achieves 20 Gbps throughput with AES128 encryption, 16 cores for 512-byte packet traffic.

Yun Niu,Li-ji Wu,Yang Liu,Xiang-min Zhang,Hong-yi Chen

DOI: https://doi.org/10.1631/jzus.c1200370

2013-01-01

Journal of Zhejiang University SCIENCE C

Abstract:This paper deals with an in-line network security processor (NSP) design that implements the Internet Protocol Security (IPSec) protocol processing for the 10 Gbps Ethernet. The 10 Gbps high speed data transfer, the IPSec processing including the crypto-operation, the database query, and IPSec header processing are integrated in the design. The in-line NSP is implemented using 65 nm CMOS technology and the layout area is 2.5 mm×3 mm with 360 million gates. A configurable crossbar data transfer skeleton implementing an iSLIP scheduling algorithm is proposed, which enables simultaneous data transfer between the heterogeneous multiple cores. There are, in addition, a high speed input/output data buffering mechanism and design of high performance hardware structures for modules, wherein the transfer efficiency and the resource utilization are maximized and the IPSec protocol processing achieves 10 Gbps line speed. A high speed and low power hardware look-up method is proposed, which effectively reduces the area and power dissipation. The post simulation results demonstrate that the design gives a peak throughput for the Authentication Header (AH) transport mode of 10.06 Gbps with the average test packet length of 512 bytes under the clock rate of 250 MHz, and power dissipation less than 1 W is obtained. An FPGA prototype is constructed to verify the function of the design. A test bench is being set up for performance and function verification.

Yun Niu,Liji Wu,Xiangmin Zhang

DOI: https://doi.org/10.4304/jcp.8.2.319-325

2013-01-01

Journal of Computers

Abstract:The IP security protocol (IPSec) is an important and widely used security protocol in the IP layer. But the implementation of the IPSec is a computing intensive work which greatly limits the performance of the high speed network. In this paper, a high performance IPSec accelerator used in a 10Gbps in-line network security processor (NSP) is presented. The design integrates the protocol processing and the cryptographic processing; the transport/tunnel mode of the AH, ESP security protocols and the AES, HMAC-SHA-1 cryptographic algorithms are realized by hardware. An efficient partial crossbar data transfer skeleton with iSLIP scheduling algorithm is adopted to realize the maximum utilization of the computation resources in the accelerator. The number of AH, ESP, AES, HMAC-SHA-1 cores in the design can be configured to meet the different applications. By simulation, with 8 protocol IP-cores and 24 crypto IP-cores connected to the crossbar in the IPSec accelerator, the design gives a peak throughput for the AH protocol transport mode of 11.28Gbps at the average of 512 bytes packet length under a clock rate of 300MHz. The hardware verification is implemented on a Virtex-5 XC5VSX95T based FPGA board. Low power design methods are also used in the design to reduce the power dissipation.

Xuzheng Chen,Jie Zhang,Ting Fu,Yifan Shen,Shu Ma,Kun Qian,Lingjun Zhu,Chao Shi,Yin Zhang,Ming Liu,Zeke Wang

2024-08-13

Abstract:Network speeds grow quickly in the modern cloud, so SmartNICs are introduced to offload network processing tasks, even application logic. However, typical multicore SmartNICs such as BlueFiled-2 are only capable of processing control-plane tasks with their embedded processors that have limited memory bandwidth and computing power. On the other hand, cloud applications evolve rapidly, such that a limited number of fixed hardware engines in a SmartNIC cannot satisfy the requirements of cloud applications. Therefore, SmartNIC programmers call for a programmable datapath accelerator (DPA) to process network traffic at line rate. However, no existing work has unveiled the performance characteristics of the existing DPA. To this end, we present the first architectural characterization of the latest DPA-enhanced BlueFiled-3 (BF3) SmartNIC. Our evaluation results indicate that BF3's DPA is significantly wimpier than the off-path Arm processor and the host CPU. However, we still identify that DPA has three unique architectural characteristics that unleash the performance potential of DPA. Specifically, we demonstrate how to take advantage of DPA's three architectural characteristics regarding computing, networking, and memory subsystems. Then we propose three important guidelines for programmers to fully unleash the potential of DPA. To demonstrate the effectiveness of our approach, we conduct detailed case studies regarding each guideline. Our case study on key-value aggregation achieves up to 4.3$\times$ higher throughput by using our guidelines to optimize memory combinations.

Networking and Internet Architecture

伍卫国,杜哲君,刘娟,董小社,胡雷钧

DOI: https://doi.org/10.3969/j.issn.1000-7180.2004.09.041

2004-01-01

Abstract:InfiniBand is new type inter-connection structure, which can improve the transportation rate between CPUs, servers devices, network domains. SDP is a lightweight protocol in InfiniBand,which keeps TCP/IP's SOCK_STREAM semantics, by kernel bypass capability, it deploys memory zero-copy, improves transportation rate dramatically. This paper introduces inter-connection structure and transportation model of InfiniBand, analyses structure model of SDP, and the execution process from buffer management model, connection setup session, and data transport mechanism.

Hao Yin,Zhangxi Tan,Chuang Lin,Guangxi Zhu

DOI: https://doi.org/10.1007/978-3-540-30141-7_60

2004-01-01

Abstract:With the increasing need of security, cryptographic processing becomes a crucial issue for network devices. Traditionally security functions are implemented with Application Specific Integrated Circuit (ASIC) or General-Purposed Processors (GPPs). Network processors (NPs) are emerging as a programmable alternative to the conventional solutions to deliver high performance and flexibility at moderate cost. This work compares and analyzes architectural characteristics of many widespread cryptographic algorithms on Intel IXP2800 network processor. In addition, we investigate several implementation and optimization principles that can improve the cryptographic performance on NPs. Most of the results reported here should be applicable to other network processors since they have similar components and architectures.

Abraham Cano Aguilera,Carlos Rubio Garcia,Daniel Lawo,José Luis Imaña,Idelfonso Tafur Monroy,Juan José Vegas Olmos

DOI: https://doi.org/10.1038/s41598-024-71861-x

2024-09-11

Abstract:The development of quantum computers poses a risk to the cryptographic algorithms utilized by current public key infrastructure (PKI). High performance computing (HPC), inter- and intra-datacenter communications, and governmental communications are particularly vulnerable to security attacks by quantum computers. In response, there are on-going efforts on implementing post-quantum cryptography (PQC) despite the considerable overhead involved in processing PQC encrypted data packets in comparison with their classical counterparts. This work aims to help with the transition to quantum resistant cryptographic schemes by means of providing a thorough experimental performance comparison of the four algorithms selected by the National Institute of Standards and Technology (NIST) for standardization when implemented in a data processing unit (DPU). The experiments are conducted at line-rate, demonstrating for the first time operation at almost 100 Gbit/s and hence suitability for high-capacity data center environments.

Gilad Shainer,Ali Ayoub,Pak Lui,Tong Liu,Michael Kagan,Christian R. Trott,Greg Scantlen,Paul S. Crozier

DOI: https://doi.org/10.1007/s00450-011-0157-1

2011-04-08

Abstract:The usage and adoption of General Purpose GPUs (GPGPU) in HPC systems is increasing due to the unparalleled performance advantage of the GPUs and the ability to fulfill the ever-increasing demands for floating points operations. While the GPU can offload many of the application parallel computations, the system architecture of a GPU-CPU-InfiniBand server does require the CPU to initiate and manage memory transfers between remote GPUs via the high speed InfiniBand network. In this paper we introduce for the first time a new innovative technology—GPUDirect that enables Tesla GPUs to transfer data via InfiniBand without the involvement of the CPU or buffer copies, hence dramatically reducing the GPU communication time and increasing overall system performance and efficiency. We also explore for the first time the performance benefits of GPUDirect using Amber and LAMMPS applications.

Haixin Wang,Guoqiang Bai,Hongyi Chen

DOI: https://doi.org/10.1007/s11265-009-0371-2

2009-01-01

Journal of Signal Processing Systems

Abstract:This paper presents a high performance Network Security Processor (NSP) system architecture implementation intended for both Internet Protocol Security (IPSec) and Secure Socket Layer (SSL) protocol acceleration, which are widely employed in Virtual Private Network (VPN) and e-commerce applications. The efficient data transfer skeleton and optimized integration scheme of the parallel crypto engine arrays lead to a Gbps rate NSP, which is programmable with domain specific descriptor-based instructions for Gbps throughput IPSec and SSL applications. The descriptor-based control flow fragments large data packets and distributes them to the parallel crypto engine arrays, which fully utilizes the computation resources and improves the overall system data throughput. A prototyping platform for this NSP design is implemented with Xilinx XC3S5000 based FPGA chip set. Results show that the design gives a peak throughput for the IPSec ESP tunnel mode of 1.851 Gbps with over 1600 full SSL handshakes per second at a clock rate of 150 MHz.

Yun Niu,Liji Wu,Li Wang,Xiangmin Zhang,Jun Xu

DOI: https://doi.org/10.1109/cis.2011.154

2011-01-01

Abstract:A configurable IPSec processor for a high performance in-line network security processor that integrates two embedded 32-bit CPU cores, and an IPSec protocol processor on a SoC is presented. The IPSec processor can implement the transport/tunnel mode AH and ESP protocol of the IPSec, and support AES-128/192/256, HMAC-SHA-1 algorithm. The number of AH, ESP, AES, HMAC-SHA-1 IP-cores in the design can be configured for different use such as 10 Gigabit Ethernet and Gigabit Ethernet, even for the next generation 40/100G Network. Low power is also considered in the design. In the IPSec processor, crossbar switch architecture for multi-core data transfer is adopted. With four parallel AH, ESP, AES, HMAC-SHA-1 IP-cores separately connected to an 8x8 crossbar switch in the IPSec processor, a throughput of 1.5Gbps at 200MHz is achieved and hardware verification is implemented by FPGA. By simulation, the IPSec protocol operation can achieve 10Gbps wire speed with 32 IPSec protocol IP-cores and cryptographic IP-cores configured in the IPSec processor.

Reese Kuper,Ipoom Jeong,Yifan Yuan,Jiayu Hu,Ren Wang,Narayan Ranganathan,Nam Sung Kim

DOI: https://doi.org/10.1145/3620665.3640401

2024-01-30

Abstract:As semiconductor power density is no longer constant with the technology process scaling down, modern CPUs are integrating capable data accelerators on chip, aiming to improve performance and efficiency for a wide range of applications and usages. One such accelerator is the Intel Data Streaming Accelerator (DSA) introduced in Intel 4th Generation Xeon Scalable CPUs (Sapphire Rapids). DSA targets data movement operations in memory that are common sources of overhead in datacenter workloads and infrastructure. In addition, it becomes much more versatile by supporting a wider range of operations on streaming data, such as CRC32 calculations, delta record creation/merging, and data integrity field (DIF) operations. This paper sets out to introduce the latest features supported by DSA, deep-dive into its versatility, and analyze its throughput benefits through a comprehensive evaluation. Along with the analysis of its characteristics, and the rich software ecosystem of DSA, we summarize several insights and guidelines for the programmer to make the most out of DSA, and use an in-depth case study of DPDK Vhost to demonstrate how these guidelines benefit a real application.

Hardware Architecture,Performance

Yun Niu,Liji Wu,Jun Xu

DOI: https://doi.org/10.1109/WOCC.2010.5510643

2010-01-01

Abstract:Design of a Gigabit In-Line scalable Network Security Processor on one chip is presented. With 8 parallel chips array and some control logic, the design may be used in 10 Gigabit Ethernet. Moreover, custom-specific off-chip crypto algorithms can replace the standard one on the chip through pr-reserved data interface, which improves the scalability of the design in crypto operation.

Jianshen Liu,Carlos Maltzahn,Matthew L. Curry,Craig Ulmer

DOI: https://doi.org/10.48550/arXiv.2210.06827

2022-10-13

Abstract:Many distributed applications implement complex data flows and need a flexible mechanism for routing data between producers and consumers. Recent advances in programmable network interface cards, or SmartNICs, represent an opportunity to offload data-flow tasks into the network fabric, thereby freeing the hosts to perform other work. System architects in this space face multiple questions about the best way to leverage SmartNICs as processing elements in data flows. In this paper, we advocate the use of Apache Arrow as a foundation for implementing data-flow tasks on SmartNICs. We report on our experiences adapting a partitioning algorithm for particle data to Apache Arrow and measure the on-card processing performance for the BlueField-2 SmartNIC. Our experiments confirm that the BlueField-2's (de)compression hardware can have a significant impact on in-transit workflows where data must be unpacked, processed, and repacked.

Distributed, Parallel, and Cluster Computing,Networking and Internet Architecture,Performance

Xiang Wang,Yaxuan Qi,Baohua Yang,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/icpads.2009.109

2009-01-01

Abstract:Network intrusion prevention system (NIPS) becomes more complex due to the rapid growth of network bandwidth and requirement of network security. However existing solutions, either hardware-based or software-based cannot obtain a good tradeoff between performance and flexibility. In this paper, we propose a parallel NIPS architecture using emerging network services processor. To resolve the problems and bottlenecks of high-speed processing, we investigate the main design aspects which have dramatic impacts on most parallel network security system implementations: efficient and flexible pipeline and parallel processing, flow-level packet-order preserving, and latency hiding of deep packet inspection. To these key points, we address several optimizations and modifications with an architecture-aware design principle to guarantee high performance and flexibility of the NIPS on a network services processor implementation. Performance evaluation shows that, our prototype NIPS on Cavium OCTEON3860 processor can reach line-rate stateful inspection and multi-Gbps deep inspection performance.

Wenjie Xiong,Liu Ke,Dimitrije Jankov,Michael Kounavis,Xiaochen Wang,Eric Northup,Jie Amy Yang,Bilge Acun,Carole-Jean Wu,Ping Tak Peter Tang,G. Edward Suh,Xuan Zhang,Hsien-Hsin S. Lee

DOI: https://doi.org/10.1109/HPCA53966.2022.00026

2022-01-01

Abstract:Today’s data-intensive applications increasingly suffer from significant performance bottlenecks due to the limited memory bandwidth of the classical von Neumann architecture. Near-Data Processing (NDP) has been proposed to perform computation near memory or data storage to reduce data movement for improving performance and energy consumption. However, the untrusted NDP processing units (PUs) bring in new threats to workloads that are private and sensitive, such as private database queries and private machine learning inferences. Meanwhile, most existing secure hardware designs do not consider off-chip components trustworthy. Once data leaving the processor, they must be protected, e.g., via block cipher encryption. Unfortunately, current encryption schemes do not support computation over encrypted data stored in memory or storage, hindering the adoption of NDP techniques for sensitive workloads.In this paper, we propose SecNDP, a lightweight encryption and verification scheme for untrusted NDP devices to perform computation over ciphertext and verify the correctness of linear operations. Our encryption scheme leverages arithmetic secret sharing in secure Multi-Party Computation (MPC) to support operations over ciphertext, and uses counter-mode encryption to reduce the decryption latency. The security of the encryption and verification algorithm is formally proven. Compared with a non-NDP baseline, secure computation with SecNDP significantly reduces the memory bandwidth usage while providing security guarantees. We evaluate SecNDP for two workloads of distinct memory access patterns. In the setting of eight NDP units, we show a speedup up to 7.46× and energy savings of 18% over an unprotected non-NDP baseline, approaching the performance gain attained by native NDP without protection. Furthermore, SecNDP does not require any security assumption on NDP to hold, thus, using the same threat model as existing secure processors. SecNDP can be implemented without changing the NDP protocols and their inherent hardware design.

Liang CHEN,Jian WANG,Yong ZHAO

DOI: https://doi.org/10.3778/j.issn.1002-8331.1606-0006

2017-01-01

Abstract:In order to meet the security requirements of modern high bandwidth Internet application environment, an IPSec VPN architecture based on Tilera GX36 multi-core network processor is proposed, and program function modules of control plane and data plane are designed according to SDN architecture to achieve flexible security control on network traffic. To meet the security strategy retrieval performance requirement, a three-level security policy flow-table structure based on Hash algorithm is put forward, and a security policy search method is designed using security association flow-table cached on tile CPUs as fast retrieval data source. The test results show that the system can achieve the processing performance in 40 Gb/s Internet applications under the typical short, medium and long package-length circumstance.

Xu Zhang,Ke Liu,Yisong Chang,Ke Zhang,Mingyu Chen

2024-10-30

Abstract:Emerging interconnects, such as CXL and NVLink, have been integrated into the intra-host topology to scale more accelerators and facilitate efficient communication between them, such as GPUs. To keep pace with the accelerator's growing computing throughput, the interconnect has seen substantial enhancement in link bandwidth, e.g., 256GBps for CXL 3.0 links, which surpasses Ethernet and InfiniBand network links by an order of magnitude or more. Consequently, when data-intensive jobs, such as LLM training, scale across multiple hosts beyond the reach limit of the interconnect, the performance is significantly hindered by the limiting bandwidth of the network infrastructure. We address the problem by proposing DFabric, a two-tier interconnect architecture. We address the problem by proposing DFabric, a two-tier interconnect architecture. First, DFabric disaggregates rack's computing units with an interconnect fabric, i.e., CXL fabric, which scales at rack-level, so that they can enjoy intra-rack efficient interconnecting. Second, DFabric disaggregates NICs from hosts, and consolidates them to form a NIC pool with CXL fabric. By providing sufficient aggregated capacity comparable to interconnect bandwidth, the NIC pool bridges efficient communication across racks or beyond the reach limit of interconnect fabric. However, the local memory accessing becomes the bottleneck when enabling each host to utilize the NIC pool efficiently. To the end, DFabric builds a memory pool with sufficient bandwidth by disaggregating host local memory and adding more memory devices. We have implemented a prototype of DFabric that can run applications transparently. We validated its performance gain by running various microbenchmarks and compute-intensive applications such as DNN and graph.

Distributed, Parallel, and Cluster Computing,Hardware Architecture,Emerging Technologies