Pigasus 2.0: FPGA-Accelerated Intrusion Detection/Prevention System
About this presentation: uploaded by lowkeyact on Jun 21, 2024; 8 slides; 475.38 KB; language: en.

Slide Content
Crossroads 3D-FPGA, CMU/ECE/CALCM/HoeCyLab Partners Conference, October 2021

Slide 1: Pigasus 2.0: FPGA-Accelerated Intrusion Detection/Prevention System
Zhipeng Zhao, Nirav Atre, Joe Melber, Shashank Obla, Hugo Sadok, Siddharth Sahay, James C. Hoe, Vyas Sekar, Justine Sherry
Carnegie Mellon University
Intel/VMware Crossroads 3D-FPGA Academic Research Center
Slide 2: 100Gbps IDS/IPS on 1 FPGA NIC + 1 CPU
[Figure: an FPGA NIC in front of CPU cores (core, core, core, core, ...). With 100Gbps inbound, 90+% of traffic is cleared by the FPGA in under 5usec (OSDI'2020, Stratosphere traces).]
Slide 3: Common-Case Optimized Design
(OSDI'20, Zhao, et al.; http://github.com/cmu-snap/pigasus)
[Datapath figure: Ethernet at 100 Gbps -> TCP flow reassembly (100 Gbps) -> "fast pattern" matching (100 Gbps) -> "non-fast pattern" matching (~15 Gbps) -> offloading to CPU (~5 Gbps) -> regex matching (on CPU). The three matching stages are labeled ~85%, ~10% and ~5% of traffic; each stage forwards safe packets on and flags bad ones.]
[Block diagram: Eth IP core -> packet buffer -> parser -> TCP assembly (flow table, OOO linked list, data mover) -> Multi-String Fast Pattern Matcher (shift-OR, hash tables, rule reduce, block gen.) -> port group match, check packet buf, non-fast pattern match -> DMA Engine (ring buf, DMA, PCIe IP core) -> CPU ring buf 1..N feeding the Non-Fast Pattern Matcher's full matcher 1..N.]
Slide 4: Why not make Pigasus an ASIC?
• Pigasus got performance and efficiency by playing to the common case
  – make sure the common case is fast
  – skimp on rare-case performance to spend more on the common case
• But what happens when the "common case" changes?
  – different deployment settings
  – same setting over time
• With an ASIC, it is one design for all
  – must compromise/commit up front
  – "detuned" design (over-provisioned/generalized)
Slide 5: Pigasus 2.0 for FPGA: One Deployment, One Design
• Compile-time choices
  – re-tune for large vs. small FPGA part choices
  – re-tune the same FPGA part for different deployments
• Runtime choices
  – adjust the datapath to changing operating conditions
  – add/change FPGA usage to changing conditions
• Specializing (compile time and/or runtime) by substituting or inserting custom nodes
FPGA is more than ASIC; don't use it as less
Slide 6: Don't view Pigasus 2.0 as "RTL" or "a single design"
• A design space template abstracted as
  – a streaming network of nodes with a standardized elastic streaming interface
  – "plug-and-play" component nodes, parameterized to instantiate at the desired cost and perf. tradeoff
[Diagram: service nodes chained from the Eth IP core to the PCIe IP core: TCP assembly service, fast pattern match service, port group match service, HW/SW hand-off service, non-fast pattern matcher service, and SW services.]
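As an added illustration (not code from the Pigasus project, whose datapath is FPGA RTL plus a CPU-side matcher), the following Python models the common-case pipeline of slide 3 with the plug-and-play node idea of slide 6: three stages share one `process(payload, candidates)` method, a stand-in for the standardized streaming interface, and the first stage is a multi-string shift-OR matcher like the fast pattern matcher in the block diagram. A packet leaves the pipeline at the first stage that has no rule left to check, so only the rare suspects reach the regex stage. The `Rule` fields, the stage names, the two rules and the packets are constructed for this example and are not real signatures or captured traffic.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Constructed Snort-style rule (assumed shape): fast pattern, other exact strings, full regex."""
    name: str
    fast: bytes
    others: tuple
    regex: re.Pattern


class ShiftOrMatcher:
    """Multi-string shift-OR (bitap): each pattern byte owns one bit of a single
    state word, so every pattern advances with one shift per input byte."""

    def __init__(self, patterns):
        self.patterns = [bytes(p) for p in patterns]
        self.offsets, total = [], 0
        for p in self.patterns:
            self.offsets.append(total)
            total += len(p)
        self.all_ones = (1 << total) - 1
        self.start_mask = 0     # 1 at the first bit of every pattern
        self.final_mask = 0     # 1 at the last bit of every pattern
        self.final_index = {}   # last-bit position -> pattern number
        self.table = {}         # byte -> mask with 0 wherever that byte may occur
        for i, (p, off) in enumerate(zip(self.patterns, self.offsets)):
            self.start_mask |= 1 << off
            self.final_mask |= 1 << (off + len(p) - 1)
            self.final_index[off + len(p) - 1] = i
            for j, b in enumerate(p):
                self.table[b] = self.table.get(b, self.all_ones) & ~(1 << (off + j))

    def search(self, data):
        """Return the set of pattern numbers that occur anywhere in data."""
        hits, d = set(), self.all_ones
        for b in data:
            # shift, reopen a fresh match at every pattern start, then filter by byte
            d = (((d << 1) & ~self.start_mask) | self.table.get(b, self.all_ones)) & self.all_ones
            m = ~d & self.final_mask           # a 0 bit at a pattern end is a match
            while m:
                low = m & -m
                hits.add(self.final_index[low.bit_length() - 1])
                m ^= low
        return hits


class FastPatternStage:
    """FPGA stage: one shift-OR pass; packets with no fast-pattern hit are cleared here."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.matcher = ShiftOrMatcher(r.fast for r in self.rules)

    def process(self, payload, candidates):
        return [self.rules[i] for i in sorted(self.matcher.search(payload))]


class NonFastPatternStage:
    """FPGA stage: confirm the remaining exact strings of each candidate rule."""
    def process(self, payload, candidates):
        return [r for r in candidates if all(s in payload for s in r.others)]


class CpuRegexStage:
    """CPU stage: full regex evaluation for the few packets that get this far."""
    def process(self, payload, candidates):
        return [r for r in candidates if r.regex.search(payload)]


def run_pipeline(packets, stages):
    """Run packets through the stages in order; a stage returning no candidate rules clears the packet."""
    cleared, alerts = [0] * len(stages), []
    for n, payload in enumerate(packets):
        candidates = None
        for i, stage in enumerate(stages):
            candidates = stage.process(payload, candidates)
            if not candidates:
                cleared[i] += 1
                break
        else:
            alerts.extend((n, r.name) for r in candidates)
    return {"cleared": cleared, "alerts": alerts}


# Constructed rules and packets (not real signatures or captured traffic).
RULES = [
    Rule("demo-bad-agent", b"BadAgent", (b"User-Agent:",),
         re.compile(rb"User-Agent:\s*BadAgent/\d+\.\d+")),
    Rule("demo-debug-flag", b"debug=", (b"GET ",),
         re.compile(rb"GET \S*\?debug=(1|true)\b")),
]
STAGES = [FastPatternStage(RULES), NonFastPatternStage(), CpuRegexStage()]
PACKETS = [
    b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Mozilla/5.0\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: shop.example\r\n",
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",                  # TLS-looking bytes
    b"POST /api/cart HTTP/1.1\r\nHost: shop.example\r\n\r\nitem=42&qty=1",
    b"GET /help HTTP/1.1\r\nUser-Agent: GoodAgent/2.0\r\n",
    b"POST /settings HTTP/1.1\r\n\r\nlog=on&debug=off",              # fast hit, no "GET "
    b"GET /page?debug=2 HTTP/1.1\r\nHost: shop.example\r\n",          # reaches CPU, regex fails
    b"GET /page?debug=true HTTP/1.1\r\nHost: shop.example\r\n",       # full match -> alert
]
```

Calling `run_pipeline(PACKETS, STAGES)` returns `{"cleared": [5, 1, 1], "alerts": [(7, "demo-debug-flag")]}`: five of the eight packets never leave the shift-OR stage, one is dropped by the cheap exact-string check, and only two need the regex, which is the shape of the 85/10/5 split on slide 3. Swapping in a different matcher, or a differently parameterized one, only requires another object with the same `process` method, which is the plug-and-play point of slide 6.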
Slide 7: Moving Ahead: Dynamic Pigasus with PR
[Diagram: the baseline is a Common-Case NFPM (20 Gbps typical) that forwards safe traffic and sends down-selected suspects to the CPU. Flagged suspect traffic takes an overflow bypass, with 100% of the overflow going to a Helper NFPM (a bigger, faster variant) allocated on demand on a multitenant fabric, or to helper NFPMs on remote FPGAs; the helpers likewise forward safe traffic and send down-selected suspects to the CPU.]
Slide 8: Crossroads FPGA for Datacenter Servers (www.crossroadsfpga.org)
Programmable active dataplane (switching and processing):
1. lend smarts to single-minded commodity HW
2. manipulate on-the-move data
3. fine-grain intervention of SW
[Diagram: the Crossroads FPGA (XRD) sits between CPU, GPU, mem, SSD, net and other devices.]