This document discusses the capabilities of SmartNICs and how they can address challenges in modern data centers. It describes how SmartNICs can offload processing tasks from servers to improve efficiency. It also explains how SmartNICs provide security benefits through isolation and embedded computing functions. The document provides examples of how SmartNICs can implement network functions like firewalls through open virtual switch software and customized packet processing rules. It suggests SmartNICs could potentially access host memory to gain visibility into the server for monitoring and security applications while running analysis functions in an isolated trusted domain on the SmartNIC.

1. 1© 2018 Mellanox Technologies
SmartNICs ..are awesome!

2. 2© 2018 Mellanox Technologies
Agenda
 Data center trends
 Enter the SmartNIC
 The SmartNIC data center
 Beyond the network

3. 3© 2018 Mellanox Technologies
The Compute Problem
 Everything is getting closer to the data
 “Smart edge, dumb pipe”
 Infrastructure and appliances both are
virtualized onto servers
 Higher network speeds + more
network infrastructure on host ==
severely decreased software efficiency
You don’t want to hear more about this, right?

4. 4© 2018 Mellanox Technologies
The Attack Surface Problem
 Services consolidate on the same host
 User applications, infrastructure, data plane
services all sharing the same resources
 Lots of software running with escalated
privileges
 Traditional trust domains are now squashed
together
Host-based security is…oh boy…

5. 5© 2018 Mellanox Technologies
1988
Ping Pong
Virus
Stateful
Firewall
1990
1994
Application
Layer Firewalls
Microsoft
Windows 98
1999
Software
Security
Goes
Mainstream
2000
The Year
of the
Worm
2012
Sandboxing
2013
Next
Generation
Endpoint
Packet Filters
Microsoft
Windows 95
1995
1998
Network
Intrusion
Detection
Stuxnet
2010
2017
WannaCry
Petya
2018
Meltdown
Spectre
2014
SSLv3 Protocol
Vulnerability and
POODLE attack
TLS 1.3
DNS Cache
Poisoning
GNU Bash
Remote Code
Execution
Vulnerability
OpenSSL
Heartbleed
Conficker
Worm
2015
Venom
2008
The Morris
Worm
2005
Advanced
Persistent
Threats (APT)
2006
SSL is
Invented
30 Years of Total Host Failures
"I think a lot of people think the nation states, they're running on this engine of
zero-days. You go out with your master skeleton key and unlock the door and
you're in. It's not that. Take these big, corporate networks, these large
networks, any large network -- I will tell you that persistence and focus will get
you in, will achieve that exploitation, without the zero-days.”
- Rob Joyce, TAO @ NSA

6. 6© 2018 Mellanox Technologies
(With strict power consumption restrictions)
A SmartNIC is a computer

7. 7© 2018 Mellanox Technologies
The “must-haves”
SmartNIC at its core
 High speed networking performance
 Robust and useful accelerators and offloads
 Supports networking virtualization and scaling
 Security and trust bonuses
 Software flexibility
 Management infrastructure

8. 8© 2018 Mellanox Technologies
SmartNIC at a glance

9. 9© 2018 Mellanox Technologies
SmartNIC Isolation

10. 10© 2018 Mellanox Technologies
Embedded
compute physical
function – override
host PF + VF config
VFs share hardware resources
SRIOV == 0
hypervisor
involvement
Host bypass
Data
protection
between
guests
Near bare
metal
performance
“host” physical function allocates VFs
as it normally would
SmartNIC Isolation

11. 11© 2018 Mellanox Technologies
Hardware offload
Data-plane Programming

12. 12© 2018 Mellanox Technologies
PEP
PDP
Additional
PEPs
Policy Enforcement Point
Data-plane Programming

13. 13© 2018 Mellanox Technologies
Data-plane Policy
1
2
3Miss in the
offloaded switch
Packet -> Software
Program flow into
switch

14. 14© 2018 Mellanox Technologies
Policy Enforcement

15. 15© 2018 Mellanox Technologies
Enforcing policy checklist…
Policy Management
 Authenticate the policy
 Program the flow tables
 Exchange information between SmartNICs
 Identify where applications are running
 Program packet engine software
 Create tunnels
 Track sessions/flows

16. 16© 2018 Mellanox Technologies
Programming for Solutions
 Major options
 Embedded compute as control plane (isolated modification of hardware NFV)
 OVS based solutions
 DPDK etc
 Appliance-in-the-wire (nginx, for example)
 Linux kernel networking config
 Or….
 Anything at all??
 Linux applications that free up host CPU cycles or require greater isolation

17. 17© 2018 Mellanox Technologies
Simple SmartNIC Firewall
ovs-vsctlshow
12ed5b74-1521-4ba9-8b0d-45f88fe25cc7
Bridge"br0"
Port"rep0-0"
Interface"rep0-0"
Port"enp3s0f0"
Interface"enp3s0f0"
Port"enp3s0f1"
Interface"enp3s0f1"
Port"rep1-0"
Interface"rep1-0"
Port"br0"
Interface"br0"
type:internal
ovs_version:"2.9.1"

18. 18© 2018 Mellanox Technologies
Simple SmartNIC Firewall
ovs-ofctldel-flowsbr0
wire=`ovs-vsctlget Interfaceenp3s0f0ofport`
host=`ovs-vsctlget Interfacerep0-0ofport`
ovs-ofctladd-flowbr0table=0,priority=1,action=drop
ovs-ofctladd-flowbr0table=0,priority=10,arp,action=normal
ovs-ofctladd-flowbr0table=0,priority=100,ip,ct_state=-trk,action="ct(table=1)"
ovs-ofctladd-flowbr0
priority=50,table=1,in_port=$host,udp,tcp_dst=53,ct_state=+trk+new,
action="ct(commit),normal"
ovs-ofctladd-flowbr0
priority=50,table=1,in_port=$wire,ip,ct_state=+trk+est,action=normal
ovs-ofctladd-flowbr0
priority=50,table=1,in_port=$host,ip,ct_state=+trk+est,action=normal
ovs-ofctladd-flowbr0priority=40,table=1,action=drop

19. 19© 2018 Mellanox Technologies
Simple SmartNIC Firewall
 Open SSH to host
 Allow outbound traffic
ovs-ofctladd-flowbr0
priority=50,table=1,in_port=$wire,tcp,tcp_dst=22,ct_state=+trk+new,
action="ct(commit),normal"
ovs-ofctladd-flowbr0
priority=50,table=1,in_port=$host,tcp,ct_state=+trk+new,
action="ct(commit),normal"
ovs-ofctladd-flowbr0
priority=50,table=1,in_port=$host,udp,ct_state=+trk+new,
action="ct(commit),normal"
ovs-ofctladd-flowbr0
priority=50,table=1,in_port=$host,icmp,ct_state=+trk+new,
action="ct(commit),normal"

20. 20© 2018 Mellanox Technologies
Isolated and Embedded Functions
 Use OVS to switch between host VFs,
physical ports, and embedded
applications
 Full use of flow table criteria and
software for matching
 Application can be anything!

21. 21© 2018 Mellanox Technologies
Isolated and Embedded Functions
iplink addveth1 typeveth peer name veth2
ovs-vsctladd-portbr0veth1
ovs-vsctlshow
12ed5b74-1521-4ba9-8b0d-45f88fe25cc7
Bridge"br0"
Port"rep0-0"
Interface"rep0-0"
Port"veth1"
Interface"veth1"
Port"enp3s0f0"
Interface"enp3s0f0"
Port"enp3s0f1"
Interface"enp3s0f1"
Port"rep1-0"
Interface"rep1-0"
Port"br0"
Interface"br0"
type:internal
ovs_version:"2.9.1"

22. 22© 2018 Mellanox Technologies
A Second Look…
 Use OVS + kernel networking stack to
build transparent IPsec tunnels
 (Transparent to the host, that is)
 Steps:
 Create OVS bridge
 Create veth pair for the tunnel & add to OVS
 Enable IP forwarding
 Add gw IP to veth tail
 Add OF rule to forward packets into the
tunnel
 Add linux route to forward from kernel to
veth
 IKE!
 Manage the tunnel…
How can we improve this…

23. 23© 2018 Mellanox Technologies
What if we had host information…
 SmartNIC is a PCIe device…it can access host memory
 …..all of it!
 Silence alarm bells for a moment
 SmartNIC has embedded compute to parse that memory…
 SmartNIC has accelerators to RDMA between two systems….
 Embedded compute and host are two systems!
 SmartNIC has processing accelerators on the embedded compute…
Let’s put it all together!

24. 24© 2018 Mellanox Technologies
Host introspection via SmartNIC
Hardware-based
accelerators used to
speed lookup and data
analysis (Regular
Expression, hardware
address translation, SHA)
Leverages hardware DMA
engines for secure
memory acquisition. No
dependence on runtime
software at host
Rapid interval based reads to
selective memory regions to
determine activity in real-time
Reconstruct data structures to
analyze process lists, vtable
modifications, and other
information
Analysis running in an isolated
trust domain
Network traffic
inspection

25. 25© 2018 Mellanox Technologies
Demo!

26. 26© 2018 Mellanox Technologies
Thank You