benthomas

Author: Michel Machado – michel@digirati.com.br

Overview 

Originally developed at Boston University, Gatekeeper is the brainchild of researchers who looked at the state of distributed denial-of-service (DDoS) attacks and realized that the community lacked an affordable, performant, and deployable solution to defending against such attacks. On one hand, cloud companies offer DDoS protection as a service, but this can be costly. On the other hand, many research proposals have been developed to allow Internet operators to protect their own networks, but none of these ideas have yielded production-quality software systems. Gatekeeper puts theory into practice by providing network operators with an instantly deployable and affordable solution for defending against DDoS attacks, and does so without sacrificing performance by leveraging DPDK as a key enabling technology.

The Challenge

Part of the challenge in defending against DDoS attacks is differentiating good traffic from bad traffic in seconds. To do so most effectively requires capturing the qualities of individual flows as they pass through the DDoS mitigation system — this allows the system to rate limit flows, apply policies based on the traffic features, and punish flows that misbehave by blocking them completely. Capturing these qualities for each packet that passes through the system requires an extreme amount of CPU and memory resources, especially during attacks that nowadays stretch beyond 1 Tbps. To withstand attacks of this magnitude, DDoS mitigation systems either need to be widely deployed in parallel (which is expensive), or need to be especially careful in how they process packets. The latter is where Gatekeeper utilizes DPDK to be able to work efficiently and affordably.

The Solution

To be able to process packets at this scale, kernel bypass is absolutely necessary. We chose DPDK as a kernel bypass solution because of its stability and support from industry, as well as the feature set that it supports. In fact, the feature set of DPDK is so rich that it significantly reduced our time to market since we did not have to write everything from scratch.

Gatekeeper heavily relies on three key features in DPDK: (1) NUMA-aware memory management, (2) burst packet I/O, and (3) eBPF. These features allow Gatekeeper to enforce policies as programs instead of firewall rules, and to do so efficiently. This gives operators a lot of flexibility in determining how flows are processed by Gatekeeper without having to sacrifice performance.

On occasion, we found some shortcomings in DPDK libraries. For example, the LPM6/FIB6/RIB6 libraries that perform longest prefix matching on IPv6 were not a good fit, and we had to implement our own. But for each issue we have come across, we’ve found huge success with other libraries as described below. Furthermore, the community is hard at work to address production demands such as dynamically setting memory zones (see rte_memzone_max_set() for details), which previously required patching DPDK to change.

The Results

With DPDK, Gatekeeper achieves the following benefits:

• NUMA-aware memory management allows Gatekeeper to reduce memory access latency by enabling CPU cores to access local memory instead of remote memory.
• Burst packet I/O reduces the per-packet cost of accessing and updating queues, enabling Gatekeeper to keep up with volumetric attacks.
• eBPF (integrated in DPDK) enables deployers to write policies that are impossible to express in other solutions such as requiring TCP friendliness, bandwidth per flow, and quotas for auxiliary packets (e.g. ICMP, TCP SYN, fragments) per flow. Thanks to the guarantee of termination of eBPF programs, Gatekeeper can gracefully continue processing packets even when an eBPF program is buggy.

Many other DPDK features, including prefetching, the kernel-NIC interface, and packet filters play key supporting roles. With DPDK’s help, a modest Gatekeeper server can track 2 billion flows while processing at the very least 10 Mpps through eBPF program policies to decide how to allow, rate limit, or drop traffic.

Gatekeeper puts DDoS defense back on the hands of network operators, administrators and the general Open Source community. What was until recently only available via opaque and expensive third-party services can now be deployed by anyone with the appropriate infrastructure, with levels of flexibility and control that simply did not formerly exist. Andre Nathan – Digirati

The Benefits

DDoS attacks cause great financial, political, and social damage, and are only increasing in magnitude, complexity, and frequency. With Gatekeeper, network operators have a production-quality, open source choice in the market to defend their infrastructure and services. With the aid of technologies like DPDK, Gatekeeper is able to flexibly and efficiently defend against attacks, lowering the cost of deployment and enabling many stakeholders to protect themselves. To date, Gatekeeper has been deployed by Internet service providers, data centers, and gaming companies, and hopes to reach new deployers to eventually eradicate DDoS attacks.

Check out their GitHub here

White paper link 

Have a user story of your own that you would like to share across the DPDK and Linux foundation communities? Submit one here.

---

The Company / Product

SmartShare Systems is a small privately held company founded in 2006 by Morten Brørup in Denmark. SmartShare Systems develops innovative network appliances and related services with R&D in Denmark and hardware manufacturing in Taiwan. Their solutions have quickly become popular and are currently used by schools, commercial businesses, apartment buildings, hotels, military bases, cruise ships and internet service providers. The products are sold through value-added resellers, with expertise in the field of networks and system integration. SmartShare’s main product line, the StraightShaper products, is focused on WAN Optimization. WAN Optimization is typically used to reduce the data consumption on a costly WAN link. However, the primary purpose of the StraightShaper appliance is to make the WAN link (typically an internet connection) run smoothly for every user. WAN Optimization is relevant when users don’t have access to unlimited WAN bandwidth, or if the network infrastructure doesn’t have infinite bandwidth capacity, e.g:

• A drilling rig crew sharing a VSAT satellite internet connection.
• Soldiers in a military camp in the middle of nowhere, sharing whatever internet connection is available.
• Cruise ship guests using on-board Wi-Fi, sharing the ship’s LTE/5G antenna array or Starlink satellite internet connection while at sea.
• Students taking their final exams online at the school gym, sharing the school’s fiber internet connection.
• (But probably not for a family of four sharing a gigabit fiber internet connection at home.)

The key WAN Optimization technologies in the StraightShaper products are:

• User Load Balancing: Distributing the available bandwidth to the active users ensures that everyone has bandwidth all the time. This can include configuration options to assign various priorities and bandwidths to individual subscribers.
• Bufferbloat Prevention: All network products have buffers, where the packets can queue up and
  cause increased latency. This is known as “network lag” by online gamers and “bufferbloat” by network professionals. By managing the buffers with this in mind, bufferbloat can be prevented, so the users are not exposed to excessive delays when using the internet.
• Dynamic Quality of Service: Automatically detecting and prioritizing voice packets over data packets ensures good sound quality for IP telephony.
• Caching: Caching e.g. DNS replies reduces the total time it takes to load a web page, if someone else has recently visited the same web site.
• Content Filtering: By optionally blocking certain internet services that use a lot of bandwidth, internet link capacity is freed up for other purposes.

“Development velocity is much higher with DPDK than it was with our Linux kernel-based product line. With DPDK, we only have to develop what we need, and it makes our application code cleaner than when trying to fit our code into some other framework.”
MORTEN BRØRUP, CTO, SMARTSHARE SYSTEMS

The Challenge – WAN Optimization and the Linux kernel:

Some years ago, as bandwidth demands increased, SmartShare’s initial StraightShaper product, based on the Linux kernel, started facing challenges as Linux is not designed for highly specialized packet processing, nor does it support it well. This presented two main challenges:

• Performance: The Linux kernel’s “qdisc” shaping system does not scale to multiple cores per network interface, and rewriting the kernel would be a major effort; the product could not scale beyond a few gigabits per second, which customers were starting to look for.
• Complexity: The Linux kernel’s IP stack is extremely advanced and feature-rich, which is great for many purposes. In the Linux kernel, each packet passes through a large number of predefined functions and hooks, and depending on various criteria, packets take different routes through these functions and hooks. SmartShare’s products only use very few of these features, and don’t always fit perfectly into the predefined routes of the functions and hooks. Those other features, however,
  would sometimes get in the way and create unwanted complexity for SmartShare’s developers.

It became clear that with customer demand for bandwidths beyond 1 Gbit/s on the rise, the Linux kernel-based StraightShaper was not scalable.

“We have customers today that we wouldn’t have if we didn’t use DPDK, leading to revenue that would not be generated otherwise.”
MORTEN BRØRUP, CTO, SMARTSHARE SYSTEMS

The Solution

Given the scalability issues of the Linux kernel in specialized packet processing, combined with anticipation of increased customer demands for high bandwidth, SmartShare Systems decided to develop the next generation StraightShaper solutions using DPDK instead of the Linux kernel. DPDK enables developers to decide which functions the packets pass through, and when. This allows
developers to design their own flow (vs. adapting to pre-set routes through the system), and can pick and choose from DPDK libraries and functions.

However, this meant writing a whole new architecture from scratch to support and scale to multiple cores for increased processing, analysis and egress packet scheduling. Most publicly known DPDK projects are based on a “run-to-completion” design. The SmartShare StraightShaper CSP uses a lot of packet buffering, so SmartShare chose a “pipeline” design and developed its framework such that
available CPU cores are assigned to one or more pipeline stages as appropriate.

The Results

When we started using DPDK, it was more or less an ambition to create a version of the existing product, but based on DPDK to generate added performance (e.g. more than 1 Gbit/s). It quickly became clear that working with DPDK makes it much easier to develop these network appliances; and
DPDK’s well-documented library of functions is robust, mature and reliable.

Performance Impact

When the development of the DPDK based StraightShaper CSP firmware began back in 2016 — with the goal of creating a version of the existing product but with added performance — it was internally named “the 10 Gbit/s project”, because that was the problem it was supposed to solve. However, when the new DPDK based product was ready for testing, it was quickly apparent that not only did it push 10 Gbit/s, but easily pushed much more. Referring to it as “the 100 Gbit/s project” would be more appropriate, as the DPDK based firmware easily handles that, and more.

“When we started development of our DPDK based StraightShaper CSP firmware back in 2016, we named it ‘the 10 Gbit/s project’ because that was the problem it was supposed to solve. Now, we know that ‘the 100 Gbit/s project’ would be more appropriate, as our DPDK based firmware can easily handle that, and more!”

MORTEN BRØRUP, CTO, SMARTSHARE SYSTEMS

The Benefits – Impact on Complexity

As mentioned previously, DPDK enables developers to pick and choose which functions packets pass through, and when. This greatly simplifies the entire process and generates results faster and more efficiently.

DPDK enables adding more advanced features to the product, such as specific bandwidth allocation, bufferbloat prevention, and bandwidth shaping within the network core (i.e. inside the SmartShare appliance vs. in low-cost switches at the edge of the network).

Because the SmartShare manages the bandwidth in the core of the network, where the bandwidth capacity is extremely high, bursts and microbursts can be easily absorbed and smoothed out, so they don’t reach the edge of the network and cause packet drops and/or latency issues.

Currently, SmartShare Systems maintains both the Linux kernel-based product line (“StraightShaper”) and the more high-end DPDK-based product line (“StraightShaper CSP”). The new StraightShaper CSP has been deployed in customers’ production networks since 2019, and is a fully mature product,
which continuously evolves with improvements and new features with each firmware release.

Looking ahead, SmartShare Systems has plans to add all features of the initial Linux kernel-based product into the DPDK version. They are also looking at other new projects that leverage DPDK for other use cases, still under development