networkZONE Products for the week of March 13, 2006
NetLogic Microsystems Says
NetLogic Microsystems Layer 7 Content Processors Support 10-Gbit/s Content Processor
NetLogic Microsystems, Inc. has announced the launch of its new NETL7 family of Layer 7 content processors. The first product in the NETL7 family is the NLS1000 content processor, which is the industry's first content processor capable of processing application networking and security functions with a single 10 Gigabit-per-second engine. The high-performance NLS1000 content processor accelerates compute-intensive pattern and signature recognition tasks for enterprise and carrier-class networks, and is used to perform 10 Gbps wire-speed content inspection of packets traveling through the network.
The NLS1000 content processor complements NetLogic Microsystems' existing line of knowledge-based processors, which are already incorporated into today's leading 10 Gigabit Ethernet switches and routers. Knowledge-based processors are typically used for processing packet headers, thereby enabling network-awareness within advanced networking systems. The NLS1000 extends these processing capabilities into the packet payload, thereby enabling the design and deployment of next-generation networking systems that can make packet processing decisions based on an awareness of the packet content. Typical applications for the NLS1000 content processor include Layer 7 application switches and routers, unified threat management (UTM) appliances, intrusion detection and prevention systems (IDS/IPS), and anti-virus gateways.
"The new NETL7 family of Layer 7 content processors represents the next phase of our growth and diversification strategy," said Ron Jankov, president and CEO of NetLogic Microsystems. "In addition to expanding our product portfolio, the NETL7 family allows us to expand our global market footprint and customer base by offering our high-performance processors to a broader set of customers in the communications, networking, security appliance, software provider and computing markets."
The market for application-layer networking and network security is expected to be one of the fastest growing segments within the technology sector over the next decade, as service providers, enterprises, consumers and government agencies continue their migration toward Layer 7 routing and security systems. IDC predicts the market for network security products alone to reach $12.8 billion by 2008.
"The ability to perform full content inspection at 10 Gbps line rate and across multiple packets is essential to enabling the next generation of application-layer switches, routers, and network security equipment," said Kelvin Khoo, director of strategic marketing at NetLogic Microsystems. "By accelerating the most demanding processing tasks, the NLS1000 content processor minimizes bottlenecks typically associated with content inspection, and enables original equipment manufacturers (OEMs) to deliver new levels of performance and functionality to their customers."
The NLS1000 content processor is interoperable with all leading host and network processors, and is compatible with industry-leading security software. This allows customers to accelerate time to market and minimize systems cost by leveraging their investments in existing hardware and software platforms.
"Delivering complete packet payload inspection at wire speeds of 10Gbps and above using a single engine is a complex and difficult problem for network equipment OEMs," said Ian Eigenbrod, senior research analyst at IDC. "Multi-gigabit network co-processing solutions that are cost effective, low power, and can support advanced features such as stateful packet inspection and simultaneous processing of millions of input streams can drive the market for application routing and enhanced multi-factor network security."
analogZONE Says . . .
The growing need for deep packet inspection has caused a rapid maturation of search engine technology, from generic TCAM (ternary content-addressable memory) and other standard memory-like products to more specialized devices like NetLogic's recently-released NETL7 10 Gbit/s content processor. It reflects the move we're seeing across the industry from simple packet header inspection towards advanced services like regular expression (RegEx) detection that provide full inspection of traffic for viruses, hacker attacks, spam, etc. And as we'll see, its Layer 7 analysis also permits actual routing based on content, which allows prioritization and segmentation of traffic as well as policy-based security and management.
Targeting applications like Layer 7 routing/switching, unified threat management and intrusion detection/prevention systems, anti-virus gateways, and XML processing, the NETL7 addresses a similar market space as products from Tarari, Sensory Networks, and whatever arises from Freescale's recent acquisition of Seaway. But it is the first device to do so at 10 Gbit/s speeds, and it offers a few unique twists on packet inspection. While there is still a souped-up TCAM lurking within the NETL7's innards, it's been surrounded with lots of specialized logic that offloads some functions and also serves as a fine-tuned funnel that makes the most effective use of every lookup cycle.
It's interesting to note that NetLogic's "souped-up TCAM" differs from most conventional CAM-based search engines in several important ways, including being able to support multiple parallel searches without performance degradation. It even allows the same packet to be searched 32 times in the same clock period. The device's large, flexible context memory allows it to support inspection across packet boundaries, to detect signatures and patterns that would elude a lesser device or require much more input from the control plane. This capability lets it scan across multiple packets of a file and perform either "anchored" or "unanchored" signature recognition. In other words, an anchored search looks for a signature at a specified position within the packet, while an unanchored search sweeps across a large search field for the signature wherever it begins.
The first incarnation of the NETL7 architecture separates the payload (i.e., content) processor and payload data processor functions onto two separate chips -- the NLS1000 (announced above) and the NLS1022 respectively (see Fig. 1). The NLS1000 payload processor uses its own DMA mechanism to get packets from the host CPU's memory, extracts the payload and passes it to the NLS1022 data processor (the "souped-up CAM" part of the engine) for high-speed string matching. Once the lookups are done, the search results from the data processor are passed back to the content processor (along with pattern match reports) for RegEx processing. Rather than try to use on-chip memory to hold the RegEx rules, string match results from the search engine, and system configuration parameters, the NETL7 relies on two banks of commercial DDR II RAM.
This pairing of powerful RegEx and search engine technologies also gives the NETL7 the ability to perform L7 routing, where packets are routed at the application layer rather than at the IP layer. By using the information in packet content to route traffic, networks can be aware of the applications that run on them.
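The anchored/unanchored distinction and the cross-packet context memory described two paragraphs up, together with the content-based L7 routing decision just described, as an added Python illustration that is not NetLogic's code (the signature set, flow IDs, action scheme and packet payloads are all constructed for the example): a per-flow scanner carries the last (longest pattern minus one) bytes of each flow so that a signature split between two packets is still found, reports anchored signatures only when they start at stream offset 0, and derives a sticky per-flow verdict (drop, route, log or forward) from what has matched so far.

```python
"""Flow-aware signature scanner: anchored vs. unanchored matching, detection
across packet boundaries via carried context, and a content-based L7 verdict.
Added illustration only; signatures, flows and payloads below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes
    anchored: bool      # True: only a hit at stream offset 0 counts
    action: str         # constructed scheme: "drop", "log" or "route:<target>"


@dataclass
class FlowContext:
    consumed: int = 0       # bytes of this flow's stream already scanned
    tail: bytes = b""       # up to (longest pattern - 1) trailing bytes carried over
    verdict: str = "forward"


_RANK = {"forward": 0, "log": 1, "route": 2, "drop": 3}


def _rank(action: str) -> int:
    """Severity order used to make a flow's verdict sticky and monotonic."""
    return _RANK[action.split(":", 1)[0]]


class StreamScanner:
    def __init__(self, signatures):
        self.signatures = list(signatures)
        self.by_name = {s.name: s for s in self.signatures}
        # Carrying (longest pattern - 1) bytes is enough for any split pattern.
        self.keep = max(len(s.pattern) for s in self.signatures) - 1
        self.flows: dict[str, FlowContext] = {}

    def scan(self, flow_id: str, payload: bytes) -> list[tuple[str, int]]:
        """Return (signature name, stream offset) hits that are new in this packet."""
        ctx = self.flows.setdefault(flow_id, FlowContext())
        window = ctx.tail + payload
        base = ctx.consumed - len(ctx.tail)     # stream offset of window[0]
        found = []
        for sig in self.signatures:
            if sig.anchored and base > 0:
                continue                        # offset 0 is no longer in the window
            i = window.find(sig.pattern)
            while i >= 0:
                # A hit lying wholly inside the carried tail was reported last time.
                if i + len(sig.pattern) > len(ctx.tail):
                    offset = base + i
                    if not sig.anchored or offset == 0:
                        found.append((sig.name, offset))
                i = window.find(sig.pattern, i + 1)   # allow overlapping hits
        ctx.consumed += len(payload)
        ctx.tail = window[max(0, len(window) - self.keep):] if self.keep else b""
        return sorted(found)

    def decide(self, flow_id: str, payload: bytes) -> str:
        """Scan one packet and return the flow's (sticky) verdict: drop > route > log > forward."""
        hits = self.scan(flow_id, payload)
        ctx = self.flows[flow_id]
        for name, _ in hits:
            action = self.by_name[name].action
            if _rank(action) > _rank(ctx.verdict):
                ctx.verdict = action
        return ctx.verdict


# Constructed signature set for the example (not a real rule base).
SIGNATURES = [
    Signature("http-get", b"GET /", True, "route:web-tier"),
    Signature("tls-client-hello", b"\x16\x03\x01", True, "route:tls-tier"),
    Signature("evil-sample", b"EVIL-SAMPLE-1", False, "drop"),
    Signature("marker", b"##", False, "log"),
]


def demo() -> dict[str, list[str]]:
    """Run constructed packet sequences through the scanner; returns per-flow verdicts."""
    s = StreamScanner(SIGNATURES)
    flows = {
        "web": [b"GET /index.html HTTP/1.1\r\nHost: ex", b"ample.test\r\n\r\n"],
        "split-bad": [b"POST /upload HTTP/1.1\r\n\r\nEVIL-SA", b"MPLE-1 trailing"],
        "tls": [b"\x16\x03\x01\x00\x05hello"],
    }
    return {fid: [s.decide(fid, p) for p in pkts] for fid, pkts in flows.items()}


if __name__ == "__main__":
    for fid, verdicts in demo().items():
        print(fid, verdicts)
```

The "split-bad" flow is the interesting case: the first packet ends in the middle of the malicious string, so a per-packet scanner would miss it entirely, while the carried tail lets the second packet complete the match at the correct stream offset. The anchored HTTP and TLS signatures fire only at the start of a flow, which is what makes them usable as application classifiers for routing rather than as generic content hits.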
Since the NETL7 content engine is an aggregate of several complex processors, I had questions about what latency to expect from it. Rather than try to explain it myself, I'd rather let you read what Mike Ichiriu, Senior Director of Applications Engineering, told me:
"Regarding latency, the paradigm is quite a bit different for content scanning than it is for header lookups. For header lookups the packet processor typically parses a packet and pushes the packet header to the KBP (knowledge based processor). Latency is not dependent on the packet size or packet header."
Mike continues:
"For content scanning, we need to scan each byte of payload, and so the total processing time of the content scanning operation is therefore dependent on the packet size. If you define 'latency' to mean the time from when the last byte of packet payload is sent to our part to when the last match comes out, we expect that time delay to be relatively small, on the order of a few microseconds."
The current NLS1000/NLS1022 chipset sports a HyperTransport (HT) interface that communicates with most x86, MIPS or RISC host processors in a look-aside mode like any other offload engine. NetLogic says that the next version of the NETL7 will offer both PCIe/PCI-X and HT interfaces. This was a bit confusing since the presentation in the briefing I received indicated that the part had a XAUI/XGMII-based flow-through data path, but I'd assume that while they can't deliver it now.
When I inquired with NetLogic, they replied that the look-aside configuration used in the NLS1000 is designed for accelerating existing applications such as routing and security boxes, and that their forthcoming NLS1008 and NLS408 will support the inline configuration and be able to add security features to boxes which are not currently performing any security (such as layer 3 enterprise switches). My guess is that this first-generation engine builds on much of the earlier architecture and that the low-risk development path would be to leave as much of the original HT-based design in place for the early two-chip implementation.
It will be interesting to see how NetLogic goes about integrating the two functions in the third-generation single-chip NETL7 product, especially since it will likely incorporate significant bits of technology derived from the Trie-based search engine recently acquired when they bought Cypress Semi's "Sahasra" product line and design team. Since the Sahasra architecture contains much of its search space in external SRAM, it could cut the overall cost and power consumption of a one-chip engine significantly.
Of course, there will be some bumps along the way, since the current incarnation of the Sahasra chip has certain limitations due to the narrow focus of the application it currently serves (Layer 3) that make it unsuitable as a complete replacement for TCAMs. But NetLogic says that the fundamental algorithmic techniques the Sahasra team developed to break down the search problem still apply to Layer 7. Since the acquisition is only a month or two old, it will be a while before the technology is fully integrated into the company and its product roadmap. NetLogic says that they expect the first products that incorporate Sahasra technology to come out around Q1 2007.
While I have good faith that NetLogic will be able to work out any hardware issues required to implement their new product, and follow-on variants that integrate a flow-through interface and Sahasra search technology, some concerns about development tools remain. Most of my questions are about what kind of tools it will take to efficiently develop and manage the rapidly-growing bases of rules and policies required to implement the complex traffic routing, management, and threat-detection products that this chip set is capable of powering. Hopefully, the software and hardware development kits and the behavioral models supplied by NetLogic will be up to the task. If they are, the raw speed and flexibility delivered by the NETL7 chip set should give Tarari, Sensory, and Freescale some very stiff competition.
The NLS1000 is sampling with evaluation kits to early access customers. 10-G solution samples at $500, with substantial volume discounts. Data sheet upon request.