Accelerating traffic with DPDK-optimized DPI

Tobias Roeder portrait

By Tobias Roeder
Published on: 06.09.2023

Reading time: ( words)

In 2020, Intel introduced the open-source Data Plane Development Kit (DPDK) framework to address packet performance issues in computing-intensive environments. Managed by the Linux Foundation, the framework aims to optimize data paths used to execute packet processing on multiple core CPUs. It achieves this by using a number of techniques such as the DMA access mode, a polling system instead of interrupts, SSE for massive data copying, Huge Pages for faster virtual to physical page conversions, thread affinity for better cache utilization, lock-free user-space multi-core synchronization using rings and NUMA awareness. Still mostly deployed on Intel and AMD x86 processors, DPDK is also available on ARM processors, such as BlueField, DPAA and Octeon as well as PPC processors, such as POWER1. DPDK enables developers to build their own packet forwarding applications, such as virtual routers and switches.

Understanding the packet journey

To understand how DPDK improves application performance, it is important to understand the role of network interface cards (NICs). A NIC connects the computer to Wi-Fi or Ethernet, and acts as an intermediary for incoming and outgoing packets. It executes a range of functions such as translating data into digital signals, executing I/O interrupts, detecting transmission errors and providing direct memory access.

In standard settings, a NIC is managed by the OS kernel. To initiate packet processing, a NIC generates CPU interrupts based on the interrupt moderation specifications, for example, maximum packets or time-outs. Packets are then copied out from the NIC to the kernel buffer queue, and then copied out to the user space, where these packets are processed by the respective application.

OS kernel bypass

DPDK on the other hand, bypasses the OS kernel, leveraging a set of libraries and a poll mode driver (PMD). Using APIs, DPDK’s PMD programs one or more cores to actively look for packets and fetch them as soon as they appear in the packet I/O path. DPDK pushes these packets to the application layer, enabling processing to begin as soon as a packet arrives. Using the interface provided by DPDK libraries, users access the NIC port and execute packet processing from the user space.

By circumventing various rounds of copying and by making packet buffers (DPDK mbufs) directly available in the user space, DPDK allows DPDK-based applications, such as a NGFW or an EPC, to expedite packet processing. In combination with other DPDK techniques, such as the DMA access mode, Huge Pages, NUMA awareness and a lock-free buffer queue, DPDK significantly improves the speed by which these applications execute their functionalities. It thus contributes to enhanced network throughputs, speeds and latencies.

DPDK is critical for applications deployed in heavy-compute environments like the cloud. It enables networking applications, such as NGFWs, EPC, 5G UPFs, SD-WAN/SASE, IP probes and IDS/IPS to expand their processing capacity and improve their outputs. Benefitting both virtualized and cloud-native environments, DPDK enhances the capacity of VNFs and CNFs to manage high traffic volumes and handle latency-sensitive applications.

Accelerating DPDK with deep packet inspection

ipoque’s deep packet inspection (DPI) software, R&S®PACE 2, is optimized to deliver the best performance within a DPDK environment. With various integration examples that demonstrate the analysis of mbufs within different DPDK utilities, users can seamlessly integrate the DPI engine R&S®PACE 2 within any DPDK-application that requires real-time traffic awareness. The integration allows applications to rapidly scale their traffic filtering and forwarding capacity while eliminating the risk of latencies often associated with a separate stream of packet inspection.

By integrating R&S®PACE 2, applications benefit from its cutting-edge traffic classification techniques which include statistical, behavioral and heuristic analyses, advanced machine learning and deep learning techniques. Using DPI’s traffic analysis, applications can draw real-time information on a wide range of attributes – including protocols, applications and services – using an extensive, weekly updated signature library. R&S®PACE 2 also delivers real-time threat intelligence, enabling applications to detect traffic that is malicious, anomalous or suspicious.

Visualization of ipoque's DPI engine capabilities in delivering real-time insights across a wide range of attributes, including protocols, applications, and services.
Diagram 1: Real-time traffic classification by DPI

DPI for DPDK-based networking tools

Merging DPDK-based applications that need real-time visibility with R&S®PACE 2 unleashes a powerful combination for managing today’s traffic flows. This is particularly important across a growing number of networking functions that depend on highly accurate, deep insights at a very granular level, and which are tasked with handling bandwidth-heavy and latency-sensitive applications, such as smart grid, V2V communications and industrial automation.

For example, R&S®PACE 2 equips networking solutions, such as SD-WAN/SASE, secure web gateways and EPCs, with the network intelligence needed to steer and control traffic flows. Let us take the example of a DPDK-based SASE solution. A SASE solution requires real-time traffic insights, specifically identification of applications and users, in order to authenticate access requests and secure traffic flows crossing the enterprise network borders. Using these insights, the solution can invoke relevant traffic policies such as prioritization, caching and compression. By tapping into R&S®PACE 2, a DPDK-based SD-WAN solution will have instantaneous access to a fine-grained traffic analysis that allows these policies to be tuned to the respective application, service, user, destination/source url and network metrics, such as speeds and latency, for any throughput.

Another example is a DPDK-based network packet broker (NPB). An NPB requires DPI information so that it can filter and forward traffic flows intelligently to other networking and security tools. This includes real-time identification of applications, services, users, devices and analytics, such as speeds, latencies and jitter. Again, R&S®PACE 2, with ready integration within a DPDK framework, can be easily deployed and integrated in a DPDK-based NPB to deliver super-fast network traffic detection.

DPI for DPDK-based security tools

Cybersecurity vendors with DPDK-based security applications can greatly improve the performance of their tools by leveraging R&S®PACE 2. A NGFW handling enormous traffic volumes requires DPI in order to keep tabs on traffic irregularities and malicious activities. This requires millions of packets to be logged, filtered and analyzed continuously so that threats such as DDoS, malware and phishing can be identified in real-time.

Armed with R&S®PACE 2, cybersecurity solutions can sieve through unlimited number of flows and detect threats accurately and in real-time while identifying the sources, devices and applications that are involved. R&S®PACE 2 enables this by harnessing DPDK accelerated data pathways to enhance its processing throughput. This equips the NGFW with the insights necessary to take down or quarantine infected packets and to raise alerts on the related users and sessions. It also helps the NGFW to effectively safeguard the network, prevent performance impairments and mitigate similar incidents in the future, even in the most demanding environments.

Diagram showing DPI-enhanced DPDK
Diagram 2: DPI-enhanced DPDK

Deep packet inspection: The perfect complement for DPDK

As the adoption of DPDK increases, networking and cybersecurity solutions will require traffic visibility solutions that are optimized and aligned to the latest packet processing technologies. R&S®PACE 2, by deploying the most advanced DPI techniques and by being DPDK-optimized, provides a cutting-edge, highly scalable visibility tool that is a perfect complement to today’s computing-intensive applications like the cloud.

DPI-enhanced DPDK for 5G User Plane

To learn more about DPI and DPDK, join Tobias in his session "DPI-enhanced DPDK for 5G User Plane" recorded at the DPDK Summit in Dublin, Ireland 2023.

Sources

[1] http://core.dpdk.org/supported/cpus/

Tobias Roeder portrait

Tobias Roeder

Contact me on LinkedIn

Tobias holds a degree in electrical engineering and has more than eight years of experience in product development. For a number of years, Tobias has been working as an application engineer for the deep packet inspection (DPI) software R&S®PACE 2 at ipoque, a subsidiary of the Rohde & Schwarz company. Tobias provides engineering services from the packet processing level up to the application level. In customer consulting, he identifies the optimal implementation to fulfill customer requirements and assists with the architectural decisions that go along with embedding DPI into network solutions. When he’s not at work, Tobias plays disc golf and enjoys doing CrossFit.

ipoque blog - discover the latest news and trends in IP network analytics

Sign up for the ipoque newsletter

Stay informed about the latest advances and trends in
deep packet inspection and network traffic visibility