Jan Korenek

Fast and scalable packet classification using perfect hash functions

Packet classification is an important operation for applications such as routers, firewalls or intrusion detection systems. Many algorithms and hardware architectures for packet classification have been created, but none of them can compete with the speed of TCAMs in the worst case. We propose new hardware-based algorithm for packet classification. The solution is based on problem decomposition and is aimed at the highest network speeds. A unique property of the algorithm is the constant time complexity in terms of external memory accesses. The algorithm performs exactly two external memory accesses to classify a packet. Using FPGA and one commodity SRAM chip, a throughput of 150 million packets per second can be achieved. This makes throughput of 100 Gbps for the shortest packets. Further performance scaling is possible with more or faster SRAM chips.

Software Defined Monitoring of application protocols.

Current high-speed network monitoring systems focus more and more on the data from the application layers. Flow data is usually enriched by the information from HTTP, DNS and other protocols. The increasing speed of the network links, together with the time consuming application protocol parsing, require a new way of hardware acceleration. Therefore we propose a new concept of hardware acceleration for flexible flow-based application level monitoring which we call Software Defined Monitoring (SDM). The concept relies on smart monitoring tasks implemented in the software in conjunction with a configurable hardware accelerator. The hardware accelerator is an application-specific processor tailored to stateful flow processing. The monitoring tasks reside in the software and can easily control the level of detail retained by the hardware for each flow. This way the measurement of bulk/uninteresting traffic is offloaded to the hardware while the advanced monitoring over the interesting traffic is performed in the software. The proposed concept allows one to create flexible monitoring systems capable of deep packet inspection at high throughput. Our pilot implementation in FPGA is able to perform a 100 Gb/s flow traffic measurement augmented by a selected application-level protocol parsing.

Packet header analysis and field extraction for multigigabit networks

Packet header analysis and extraction of header fields needs to be performed in all network devices. As network speed is increasing quickly, high speed packet header processing is required. We propose a new architecture of packet header analysis and fields extraction intended for high-speed FPGA-based network applications. The architecture is able to process 20 Gbps network links with less than 12 percent of available resources of Virtex 5 110 FPGA. Moreover, the presented solution can balance between network throughput and consumed hardware resources to fit application needs. The architecture for packet header processing is generated from standard XML protocol scheme and is strongly optimised for resource consumption and speed by an automatic HDL code generator. Our solution also enables to change the set of extracted header fields on-line without FPGA reconfiguration.

Software Defined Monitoring of Application Protocols

With the ongoing shift of network services to the application layer also the monitoring systems focus more on the data from the application layer. The increasing speed of the network links, together with the increased complexity of application protocol processing, require a new way of hardware acceleration. We propose a new concept of hardware acceleration for flexible flow-based application level traffic monitoring which we call Software Defined Monitoring. Application layer processing is performed by monitoring tasks implemented in the software in conjunction with a configurable hardware accelerator. The accelerator is a high-speed application-specific processor tailored to stateful flow processing. The software monitoring tasks control the level of detail retained by the hardware for each flow in such a way that the usable information is always retained, while the remaining data is processed by simpler methods. Flexibility of the concept is provided by a plugin-based design of both hardware and software, which ensures adaptability in the evolving world of network monitoring. Our high-speed implementation using FPGA acceleration board in a commodity server is able to perform a 100 Gb/s flow traffic measurement augmented by a selected application-level protocol analysis.

Netbench: Framework for Evaluation of Packet Processing Algorithms

Many algorithms and hardware architectures are proposed to increase processing speed of time-critical operations in the field of longest prefix matching, packet classification and regular expression matching. Despite this fact, there is still no free and easily extensible platform for evaluation, comparison and experiments with existing approaches. We propose the Net bench Framework which aims to serve as an independent platform for researchers seeking the easiest way to implement their algorithms, as well as the comparison of their algorithms with reference implementations of other approaches. The framework is provided as an open source and can be easily extended to support new algorithms or new comparison methodology. Net bench is publicly available at http://www.fit.vutbr.cz/netbench.

Netflow probe intended for high-speed networks

With growing speed of communication over the Internet there is a need for a reliable monitoring devices which are able to provide information about spectrum of traffic mix, attacks, applications, etc. This paper proposes architecture of network flow monitoring adapter based on hardware platform COMBO6. With use of field programmable gate arrays (FPGA) placed on these cards it is possible to monitor flows in high-speed environment. Component parts of the architecture and implementation platform are described. Several different models have been created to analyze and prove important characteristics of the architecture and results are derived. The probe is able to monitor 1 million simultaneous flows on an 2Gbps network link.

Low-latency modular packet header parser for FPGA

Packet parsing is the basic operation performed at all points of the network infrastructure. Modern networks impose challenging requirements on the performance and configurability of packet parsing modules, however the high-speed parsers often use very large chip area. We propose novel architecture of pipelined packet parser, which in addition to high throughput (over 100 Gb/s) offers also low latency. Moreover, the latency to throughput ratio can be finely tuned to fit the particular application. The parser is hand-optimized thanks to the direct implementation in VHDL, yet the structure is very uniform and easily extensible for new protocols.

Evolution of Non-Cryptographic Hash Function Pairs for FPGA-Based Network Applications

High-speed computer networks require rapid packet processing and flexibility which can be ensured by implementing network applications in field programmable gate arrays (FPGAs). Many network applications are based on fast lookup in hash tables. It is important to use such hash functions for these tables which utilize efficiently the limited memory resources of FPGAs. Cuckoo hashing improves this utilization by using more hash functions simultaneously. However, there is no known approach for selecting those functions which together produce the best results. Bio-inspired methods are used in this paper for evolving hash function pairs for FPGA-based network applications. The evolved hash functions are based on linear and non-linear feedback shift registers and can be efficiently implemented in FPGAs. The experiments were aimed at hashing of Internet Protocol addresses and it was shown that evolved solutions can achieve better table load factor in comparison with human-created solutions.

Hardware accelerated pattern matching based on Deterministic Finite Automata with perfect hashing

With the increased amount of data transferred by computer networks, the amount of the malicious traffic also increases and therefore it is necessary to protect networks by security systems such as firewalls and Intrusion Detection Systems (IDS) operating at multigigabit speeds. Pattern matching is the time critical operation of current IDS. This paper deals with the analysis of regular expressions used by modern IDS to describe malicious traffic. According to our analysis, more than 64 percent of regular expressions create Deterministic Finite Automaton (DFA) with less than 20 percent of saturation of the transition table which allows efficient implementation of pattern matching into FPGA platform. We propose architecture for fast pattern matching using perfect hashing suitable for implementation into FPGA platform. The memory requirements of presented architecture is closed to the theoretical minimum for sparse transition tables.

Methodology for Fast Pattern Matching by Deterministic Finite Automaton with Perfect Hashing

As the speed of current computer networks increases, it is necessary to protect networks by security systems such as firewalls and Intrusion Detection Systems operating at multigigabit speeds. Pattern matching is the time-critical operation of current IDS on multigigabit networks. Regular expressions are often used to describe malicious network patterns. This paper deals with fast regular expression matching using the Deterministic Finite Automaton (DFA) with perfect hash function. We introduce decomposition of the problem on two parts: transformation of the input alphabet and usage of a fast DFA, and usage of perfect hashing to reduce space/speed tradeoff for DFA transition table.