Design Article
PRODUCT HOW-TO: Use multicore flow processing to boost network router/security appliance throughput
Robert Truesdell
4/1/2010 11:05 PM EDT
Appliance manufacturers building these network security applications frequently face a choice: integrate regular expression capability via specialized hardware, or leverage multicore x86 processors with software packages and libraries such as the Perl Compatible Regular Expressions (PCRE) library.
In either case, accelerated network processing is required to reach the 10 to 40 Gbps data rate that many network applications demand. In most instances, specifically with standard Linux applications, developers prefer the use of software packages such as PCRE for two primary reasons.
First, it is widely adopted across the open source community and in security applications; second, it is free, unlike specialized regular expression hardware. The challenge with a software-implemented solution is meeting performance requirements.
Appliance manufacturers are developing network and security appliances requiring 5 to 10 Gbps of security processing today, with rates rapidly moving to 40 and 100 Gbps.
These requirements would typically convince appliance manufacturers of the need for specialized RegEx hardware; however, a new trend is evolving throughout the network appliance industry, mostly due to significant advances in standard Intel x86 processors and Netronome's network flow processors.
Many current network appliance designs are built on single or dual-socket Xeon quad-core processors operating at frequencies of up to 3.0 GHz. The x86 instruction set is ideal for complex data processing such as regular expression matching, and these designs support up to 1 to 3 Gbps of regular expression matching on network traffic without the assistance of network flow processors.
Adding regular expression hardware to the design via a PCIe card will not increase network throughput, because these designs are network I/O constrained. With the recent release of the Westmere Xeon CPUs, which support six dual-threaded CPU cores, processing capacities are tripled while costs stay relatively low, although network I/O remains a problem.
The new challenge that emerges from this increase in processing capacity is pushing network I/O capability to meet the full processing potential of these x86 processors.



