Open-source flexible packet parser for high data rate agile network probe.

The development of a network centered life has increased overall data rates in core networks. Thus, data centers face the challenge to provide always more services at higher data rates while reacting quickly to complex failures and more powerful attacks thanks to efficient network forensics. Moreover, Software-Defined Networking (SDN) becomes a standard which offers agility but also requires forensic devices able to handle multiple configurations. Although conventional software probes are programmable and thus agile, they cannot support high data rate packet processing any more. Probes could benefit from Application Specific Integrated Circuits (ASIC) to cope with high data rates, but ASICs development time of many months makes them unable to satisfy agility requirements. With reconfiguration ability and high throughput processing without packet loss, Field Programmable Gate Arrays (FPGA) are the key technology chosen by some companies, such as Microsoft, Amazon and OVH, to be integrated into smart Network Interface Cards (NIC). Nevertheless, while high performance criteria is fulfilled, current FPGA probes benefit from an agility still limited to their conventional firmware upgrades which require proprietary tools and hardware-design time and knowledge. This paper proposes the first solution to offer FPGA probes with runtime agility thanks to a flexible packet parser which can be parameterized continuously by a software, endorsing complex tasks and SDN control. This allows a live adaptation of protocol processings from computer host alongside handling packets at line rate without data loss. The proposed parser is open-source and easily usable by network engineers through a Python software API. Benchmark results illustrate the performance of the agile high-level probe implemented on a NetFPGA SUME board, with XC7VX690T FPGA. 60 millions of 64-byte packets are counted based on features provided at runtime. These are selected by the software part, allowing the detection of different volumetric attacks within a few tens of microseconds. This represents a 40 Gb/s traffic of smallest Ethernet packets with no packet loss. With adequate boards, the generic design of the probe offers 160 Gb/s data rates and beyond on modern hardware, assuring probe scalability.