RSA CONFERENCE -- Netronome, a leader in high-performance
intelligent networking solutions, today announced the release of eBPF/XDP
offload for Agilio SmartNICs. This provides a foundation for
building high-performance, kernel-compliant firewalls, DDoS protection
and load balancing products that complement and build on the momentum in
the Linux community to drive highly secure, scalable applications needed
to optimally secure the exponential growth of users, devices and data.
The unique upstreamed, kernel-based Netronome offload and just-in-time
(JIT) compiler, combined with the existing low-power Agilio® CX
10/25/40GbE SmartNICs, Agilio CX 25/50GbE OCP v2.0 SmartNICs and the new Agilio
FX 10/25GbE SmartNICs, allow operators building infrastructures for
data center core and enterprise edge applications to marry the benefits
of the eBPF framework with transparent hardware acceleration, resulting
in up to 10X higher price/performance benefits and 3X power savings.
The new high-performance offload provides an interface to any technology
stack that builds on the underlying flexibility and scalability of eBPF
together with the performance of XDP. XDP removes the need for kernel
bypass by delivering that performance at the base of the kernel
networking stack, so users no longer have to choose between scalability
and performance.
“The new cloud native world of containers needs fast in-kernel
networking and security policy enforcement,” said Thomas Graf, founder
of the Cilium project. “Programs using eBPF can be changed on the fly
and can be transparently offloaded to hardware, combining the
flexibility of software-defined data planes with the efficiencies of
hardware. eBPF enables Cilium to provide secure microservices with a
simple and efficient way to define and enforce both network-layer and
application-layer security policies based on container/pod identity.”
“Many useful eBPF networking applications have been created by the Linux
community; for example, DDoS mitigation apps, load balancers, and more
recently, the new bpfilter project for firewalls,” said Alexei
Starovoitov, upstream BPF subsystem co-maintainer. “The ability to
flexibly run these applications using multiple interfaces in the kernel,
and now also in hardware, opens many new possibilities in how this
technology can be used in the near future.”
“eBPF is a highly exciting and rapidly growing key part of the Linux
kernel. Thanks to its flexibility and performance, eBPF allows for a vast
number of use cases in different areas such as tracing, security and
networking. In networking in particular, eBPF/XDP has become a
game-changing technology. By providing an in-kernel, high-performance
programmable datapath with extremely low per-packet costs, XDP is
suitable for tailoring custom applications in the field of DDoS
mitigation, firewalling, load-balancing, monitoring or any sort of
networking stack pre-processing,” said Daniel Borkmann, who maintains
the BPF subsystem with Mr. Starovoitov. “The ability to easily offload
such eBPF programs entirely into a SmartNIC takes the performance to
another level by providing line-rate processing without affecting
application performance.”
“The extremely important shift to eBPF/XDP for securing valuable user
data is happening now at large data centers,” said Niel Viljoen, CEO and
founder of Netronome. “As one of the top networking companies
contributing to the Linux community in this vital space, we are proud to
be at the forefront, bringing true software-defined security with
hardware acceleration to the industry as it braces for the tsunami of
data growth from new applications and devices.”
With the proposed bpfilter mechanism, traditional netfilter-based
approaches to implementing security become easily transferable to the
more flexible, higher-performance BPF-based environment. This preserves
compatibility with existing security management and orchestration tools
while allowing policy to change dynamically, which suits ephemeral
environments such as containers and edge computing. The Linux community
is actively driving these innovations, bringing significant benefits to
data center operators as they upgrade their infrastructures for tighter
security.
For users who do not run Linux as the host kernel, the new Agilio FX
10/25GbE SmartNIC, which combines the NFP-4000 processor with a
quad-core Arm v8, makes it possible to run BPF on the NFP with the Arm
running Linux. As a result, vital eBPF/XDP-based security and load
balancing features can now be implemented with a broad set of host
operating systems.
The Agilio SmartNIC family fully and transparently offloads virtual
switch and router datapath processing for networking functions such as
overlays, security, load balancing and telemetry, enabling servers used
for networking and cloud computing to conserve critical CPU cores for
application processing while maintaining significantly higher networking
throughput.
The Agilio eBPF/XDP offload solution is available today for download
from the Netronome support site.
Visit Netronome at the RSA Conference
Netronome will be exhibiting at the RSA Conference, April 16-20, at
booth 2610 with details about the need for more dynamic and performant
security solutions and how such challenges can be addressed with its
upstreamed Linux eBPF/XDP solutions. Netronome will also showcase the
new Agilio FX SmartNIC and its applicability toward enhancing security
for bare metal servers.
Article source: Business Wire, all rights reserved. Copyright 2018.