Jarrod Siket

Designers of networking and communications equipment can feel the Earth moving beneath their feet. These dramatic changes have been caused by the increasing need to process traffic as stateful flows instead of individual packets. Until recently, packet-processing requirements were typically met by specialized ASICs and NPUs, or by various forms of general-purpose processors built on the MIPS, x86 or PowerPC architecture. However, more challenging requirements for higher bandwidth and more instructions per packet have reinforced the need for a new class of flow processor in communications designs.

While the tremors are being felt in the latest networking equipment design cycles, the tectonic plates moved a long time ago as a result of several changes in the networking industry. Metro Ethernet, 4G wireless and next-generation data centers have all contributed to the shortest bandwidth generation the industry has experienced, driving 10 Gbps networks to 40 and 100 Gbps in only a few years. An ever-increasing set of connected devices and an unpredictable set of applications saturate networks with millions of simultaneous connections at a time. This large number of flows and extreme throughput provide expanded hiding places for intentional attacks by viruses and malware, and further opportunity for accidental leakage of confidential data.

Most network and security equipment based on general-purpose processors and NPUs makes simple forwarding decisions on coarse criteria by parsing packet-header fields, often expressed as 2-, 3-, 5- and 7-tuple lookups. This means that no state is kept per forwarding decision: there is no memory of previous packets or of how they were handled. These designs are sufficient for traditional switches and routers, but they do not meet the stringent requirements of intelligent Ethernet forwarding devices or cyber-security equipment. These products must support the necessary bandwidth without compromising the visibility needed to keep communications secure. To do so, their architectures must statefully meet the security-processing, content-processing and deep-packet-inspection requirements of millions of simultaneous conversations.

Figure 1 (source: Netronome)

Enter the notion of the flow. A flow is defined as a unidirectional conversation between two network endpoints sharing a common set of packet-header values. A few key attributes mark the separation between packet processing and flow processing. Flow processing requires looking at as many as 35 distinct criteria in the packet headers, and in many cases deeper still into the packet payloads. It also requires that state be kept and explicit rules be followed for every packet in a flow, for millions of concurrent flows, at data rates as high as 300M packets per second on 100 gigabit links.
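To make the contrast between the stateless tuple lookup of the previous paragraphs and stateful flow processing concrete, here is an added example (not code from the article or from Netronome) of a flow table keyed by a unidirectional 5-tuple, exactly as the flow is defined above. Every IP address, port, packet, threshold and rule in it is constructed for illustration: the stateless path is a per-packet header ACL that remembers nothing, while the flow table caches a verdict on the first packet, keeps per-flow counters, applies a hypothetical per-flow byte budget that no per-packet rule could express, reclaims idle entries, and degrades to the stateless path when its (bounded) table is full.

```python
"""Stateful flow table keyed by a unidirectional 5-tuple (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (src_ip, dst_ip, src_port, dst_port, proto): header fields only, no payload
FiveTuple = Tuple[str, str, int, int, str]


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    length: int   # bytes on the wire
    ts: float     # arrival time in seconds


@dataclass
class FlowState:
    first_seen: float
    last_seen: float
    verdict: str          # decided once, then applied to every later packet of the flow
    packets: int = 0
    bytes: int = 0


def five_tuple(pkt: Packet) -> FiveTuple:
    """Unidirectional key: A->B and B->A are two distinct flows, as the article defines them."""
    return (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, pkt.proto)


def stateless_decision(pkt: Packet) -> str:
    """Classic per-packet ACL: looks at this packet's header fields only and remembers nothing."""
    if pkt.proto == "tcp" and pkt.dst_port == 23:   # hypothetical rule: no cleartext telnet
        return "DROP"
    return "ALLOW"


class FlowTable:
    """Keeps per-flow state so rules can depend on what earlier packets of the flow did."""

    def __init__(self, max_flows: int, idle_timeout: float, byte_budget: int):
        self.flows: Dict[FiveTuple, FlowState] = {}
        self.max_flows = max_flows          # bounded memory: millions in hardware, a handful here
        self.idle_timeout = idle_timeout    # seconds of silence before an entry is reclaimed
        self.byte_budget = byte_budget      # per-flow volume cap (hypothetical stateful rule)
        self.table_full = 0                 # packets that fell back to stateless handling

    def expire(self, now: float) -> int:
        """Reclaim entries idle longer than idle_timeout; returns how many were removed."""
        stale = [k for k, st in self.flows.items() if now - st.last_seen > self.idle_timeout]
        for k in stale:
            del self.flows[k]
        return len(stale)

    def process(self, pkt: Packet) -> str:
        key = five_tuple(pkt)
        st = self.flows.get(key)
        if st is None:
            if len(self.flows) >= self.max_flows:
                self.expire(pkt.ts)
            if len(self.flows) >= self.max_flows:
                # No room for new state: degrade to the stateless path rather than drop blindly.
                self.table_full += 1
                return stateless_decision(pkt)
            # First packet of a flow: the header-based verdict is cached for the whole flow.
            st = FlowState(first_seen=pkt.ts, last_seen=pkt.ts, verdict=stateless_decision(pkt))
            self.flows[key] = st
        st.packets += 1
        st.bytes += pkt.length
        st.last_seen = pkt.ts
        # Stateful rule: once a flow exceeds its byte budget the rest of it is dropped.
        # A per-packet ACL cannot express this because it has no memory of earlier packets.
        if st.bytes > self.byte_budget:
            st.verdict = "DROP"
        return st.verdict


# Constructed traffic: one client/server exchange plus a telnet attempt.
SAMPLE_PACKETS: List[Packet] = [
    Packet("10.0.0.1", "10.0.0.2", 40000, 80, "tcp", 100, 0.0),
    Packet("10.0.0.2", "10.0.0.1", 80, 40000, "tcp", 1400, 0.1),   # reverse direction: new flow
    Packet("10.0.0.1", "10.0.0.2", 40000, 80, "tcp", 100, 0.2),
    Packet("10.0.0.1", "10.0.0.3", 40001, 23, "tcp", 60, 0.3),     # telnet: dropped statelessly
    Packet("10.0.0.2", "10.0.0.1", 80, 40000, "tcp", 1400, 0.4),
    Packet("10.0.0.2", "10.0.0.1", 80, 40000, "tcp", 1400, 0.5),   # pushes the flow past 4000 bytes
    Packet("10.0.0.2", "10.0.0.1", 80, 40000, "tcp", 1400, 0.6),   # still dropped: state persists
]


def run_sample() -> Tuple[List[str], List[str], FlowTable]:
    """Returns (stateful verdicts, stateless verdicts, populated table) for SAMPLE_PACKETS."""
    table = FlowTable(max_flows=1_000, idle_timeout=30.0, byte_budget=4000)
    stateful = [table.process(p) for p in SAMPLE_PACKETS]
    stateless = [stateless_decision(p) for p in SAMPLE_PACKETS]
    return stateful, stateless, table


if __name__ == "__main__":
    sf_list, sl_list, tbl = run_sample()
    for p, sf, sl in zip(SAMPLE_PACKETS, sf_list, sl_list):
        print(f"{five_tuple(p)} stateful={sf} stateless={sl}")
    print(f"{len(tbl.flows)} flows tracked, {tbl.table_full} packets handled statelessly")
```

Running it shows the sixth and seventh packets dropped by the flow table while the per-packet ACL allows them: the decision depends on bytes seen earlier in the same flow, which is precisely the memory a stateless tuple lookup lacks. The `max_flows` bound and `expire()` stand in for the table-sizing and ageing problem that "millions of concurrent flows" imposes on real hardware.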

While these requirements may seem lofty, they are table stakes in many products and are most often found in security appliances such as next-generation firewalls, intrusion prevention systems, load balancers and many other devices in carrier and enterprise data center networks. Recently, new trends in software-defined networking (SDN) and standardization of the emerging OpenFlow specification have been moving these complex processing requirements beyond security appliances and into the basic plumbing of networks: standard Ethernet switches and IP routers.

Figure 2 (source: Netronome)

As a result, a new class of processor has emerged that artfully integrates the programmability of general-purpose processors, the efficiency of RISC-based network processors and the intelligence of security processors. Flow processors have filled this void and are becoming the foundation of an increasing number of intelligent networking designs. Current processors offer 40 Gbps of stateful flow processing for millions of simultaneous flows, providing the necessary throughput and intelligence for designs ranging from 10 to 100 Gbps.