Due to the bladed design, very little cabling is required to connect a system.
A common requirement of all the systems is a very fast separation of traffic that needs further inspection from traffic that does not, in order to avoid overloading the inspection units. This also reduces latency for all traffic flows.
Pre-Processing Stage (optional)
Due to the switched nature of the ATCA backplane architecture together with the large variety of available blades, an optional pre-processing stage can be introduced in the system by adding either an application-specific or general-purpose blade that supports the required function.
An example here could be the termination of tunnels that use a proprietary protocol, thus making the content of these available for inspection.
Another function might be pre-classification of certain traffic types, thus ensuring proper delegation to the correct inspection units in a later stage.
Switching and Load Balancing of Packet Flows
Switching – a cornerstone of the application architecture
On the switching side, only the fabric (high-bandwidth) part of a system is of interest for the application. Here, several requirements must be met. Today’s typical ATCA switch blades such as the Emerson Network Power ATCA-F140 feature up to 160Gbps external connectivity, resulting in 320Gbps external connectivity in the case of a redundant configuration. Next-generation products will offer even more. Connectivity to a node slot today is 40Gbps.
This leaves enough headroom inside the system to allow processing and inspection blades to be able to forward traffic to deeper inspection stages if required.
The even distribution of front and rear ports allows the cascading of multiple chassis if more processing power is required to process the traffic coming through.
Another core feature required for these applications is load balancing as an inherent function of the switch blade.
Software such as Emerson’s FlowPilot™ add-on package enables this functionality, using software and hardware capabilities of the 40G switch on Emerson’s ATCA-F140 switch blade.
Figure 5. Emerson’s FlowPilot software offers load balancing as an inherent function of the ATCA-F140 40G ATCA switch blade.
This ensures fast packet handling inside the system, with multiple configuration options to tailor the function of FlowPilot to the feature set actually required.
More importantly, FlowPilot distributes flows across a number of configured blades according to configured parameters, ensuring that the distribution remains constant over time and that the same inspection device receives the entire flow. Additional functions include health checks at the application level and link transparency, which connects left-side and right-side cables into a virtual connection.
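The flow-sticky distribution described above can be sketched as follows. This is an added example, not FlowPilot code or its actual algorithm: it assumes a 5-tuple flow key, FNV-1a hashing, rendezvous (highest-score) selection, four blades, and a per-blade health flag, and the names `flow_key` and `pick_blade` are hypothetical. Both directions of a connection map to the same blade, and a failed blade only moves the flows that were assigned to it.

```c
#include <stdint.h>
#include <stdio.h>

#define NUM_BLADES 4            /* assumed number of inspection blades */

struct flow { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t proto; };

/* FNV-1a over the eight bytes of one 64-bit word, chained through h. */
static uint64_t fnv1a64(uint64_t h, uint64_t v) {
    for (int i = 0; i < 8; i++) {
        h ^= (v >> (8 * i)) & 0xff;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Direction-independent key: endpoints are sorted, so A->B and B->A match. */
static uint64_t flow_key(const struct flow *f) {
    uint64_t a = ((uint64_t)f->src_ip << 16) | f->src_port;
    uint64_t b = ((uint64_t)f->dst_ip << 16) | f->dst_port;
    uint64_t lo = a < b ? a : b, hi = a < b ? b : a;
    uint64_t h = 0xcbf29ce484222325ULL;
    h = fnv1a64(h, lo);
    h = fnv1a64(h, hi);
    return fnv1a64(h, f->proto);
}

/* Rendezvous hashing: score every healthy blade, the highest score wins.
 * Returns the blade index, or -1 if no blade passed its health check. */
int pick_blade(const struct flow *f, const int healthy[NUM_BLADES]) {
    uint64_t key = flow_key(f), best = 0;
    int chosen = -1;
    for (int b = 0; b < NUM_BLADES; b++) {
        if (!healthy[b]) continue;
        uint64_t score = fnv1a64(key, (uint64_t)b + 1);
        if (chosen < 0 || score > best) { best = score; chosen = b; }
    }
    return chosen;
}

int main(void) {
    /* Constructed sample flow: 10.0.0.5:40000 -> 192.0.2.10:443, TCP. */
    struct flow fwd = { 0x0A000005, 0xC000020A, 40000, 443, 6 };
    struct flow rev = { 0xC000020A, 0x0A000005, 443, 40000, 6 };
    int up[NUM_BLADES] = { 1, 1, 1, 1 };
    printf("forward -> blade %d, reverse -> blade %d\n",
           pick_blade(&fwd, up), pick_blade(&rev, up));
    return 0;
}
```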
Packet Processing and Inspection Units
The actual processing of packets takes place in these units. They need to look into the packet header to retrieve source and destination information, understand the protocols, and recognize the different fingerprints of certain applications in order to handle these appropriately.
Additionally, encryption and decryption functions must be implemented in these units as well. All functions must be executed at extremely high speed to ensure minimal latency while guaranteeing maximal throughput.
Today, out of a large number of possible contenders, two architectures in particular have risen to prominence in the market:
- Intel®, using the Intel® Data Plane Development Kit (DPDK), which allows high-speed handling and processing of packets using standard x86 architecture
- Cavium OCTEON, a packet processing engine that has been designed specifically for high-throughput, deep inspection of packet streams
Emerson Network Power has created two blades that use these main architectures to support packet processing and inspection functions: ATCA-7470 x86 packet processing blade; and ATCA-9405, dual Cavium OCTEON II-based packet processing blade.
All of these packet processing functions require support from software packages that simplify the development of DPI software.
Intel’s Data Plane Development Kit (DPDK) and Cavium’s Development Kit both offer starting points when developing new DPI applications.
The Intel DPDK offers a revolutionary approach to processing packets on x86 architecture at high speed, thus enabling a flexible design of applications as well as deployment phase flexibility with respect to which board gets assigned which tasks.
Figure 6. 40G ATCA packet-processing blades feature Intel Xeon or Cavium OCTEON processors