View
7
Download
0
Category
Preview:
Citation preview
mCore: Running Suricata on DPDKPeter Cullen, Troy Hanson, Jordi Ros-Giralt, Sruthi Yellamraju, James Ezick, Alison Ryan, Erik Mogus, Richard Lethin
Reservoir Labs
What is mCore?● A vendor independent high-performance packet forwarding engine● Runs on any DPDK-capable NIC, leverages DPDK high-performance features● Forwards packets from the NIC to $N parallel applications, including Suricata
and Zeek● Suricata integration:
○ Utilizes multi-threaded workers for scalability○ Easy configuration through suricata.yaml○ Integrated with Suricata stats counters (packets, bytes, drops)
Base Architecture
High-Performance Optimizations
LongQE™ (Long queue emulation)
BQE™ (Lockless bimodal queues)
● Kernel bypass● Zero packet copy● Lockless data structures● Intelligent packet shunting
● NUMA affinity ● CPU/core affinity/pinning● Multi-core elastic scalability● Selective packet capture
Emulates forwarder, avoids compute and cache thrashing overhead
TailQE™ (Tail early dropping queue)
Upon congestion, prioritize packets that carry highest entropy
Lockless hash table: Negligible false positives,very low false negatives
Lockless algorithm to mutate from single-producer/no-consumer to single-producer/single-consumer queue.
● mCore controller: Inits, manages, terminates the forwarding engine
● mcore-net-util: User CLI● Plugins: Support for Zeek, Suricata, TAP● Can filter traffic using DPDK rte_flow
and BPF
Elephant (LFN) Tables™
Recommended