A timely debut: how DPI engine R&S®vPACE is set to power VPP cloud platforms

by Tobias Roeder
published on: 29.09.2022

Reading time: ( words)

Categories: DPI technology and use cases, Cloud visibility

#cloud security, #CASB, #ztna, #SWG, #network performance

A cloud made of cotton balls, paper clips, and gears on a blue background representing VPP cloud platforms

By 2025, the global datasphere is expected to reach a size of over 175 zettabytes (175 trillion gigabytes), with 49% of all that data being stored in public clouds.¹ Revenues in this space are already at unprecedented levels. Amazon, via its AWS platform, registered over $35 billion in 2021, marking a whopping 35% annual growth rate. Over the next two years, the company is spending over $12 billion on 5 new data centers in the US and $1.8 billion on data centers in the UK.² Other hyperscalers such as Microsoft via its Azure platform, raked in $19 billion last year, while Google via Google Cloud made $6 billion with an annual growth rate of over 63 %.³

Transforming generic machines into super processors

That is why it is not surprising to see today’s cloud platforms spearheading the latest advancements in the IT space. The adoption of vector packet processing (VPP) makes a good example. Created by FD.io, vector packet processing is an extensible framework that provides out-of-the-box switch and router functionality⁴ for generic servers. VPP uses the data plane development kit (DPDK) for the server host OS kernel bypass, leveraging DPDK’s libraries, features and drivers to perform packet processing in the user space. This covers features such as header decapsulation, policy-based routing, tethering and packet tunneling.

Host OS kernel bypass delivers greater efficiencies for packet processing as it avoids kernel interrupts which halt packet processing every time a new packet hits the server’s network interface card (NIC). These efficiencies are further compounded by grouping packets in batches, known as vectors, and forwarding them through a dynamically instituted graph of nodes. VPP uses cache memory to locally retain instructions fetched from the main memory, leading to higher throughput and lower consumption of computing resources and power.

VPP: cloud’s next BFF

VPP deployment in the cloud involves the use of DPDK forwarding in the hypervisor/container engine and DPDK implementation in the VMs and containers. Binding vNICs to the underlying hypervisor/container engine fast-tracks north-south traffic movement. In some cases, vNICs are bound directly to virtualized physical NICs. VPP software is then installed in the guest OS user space of VMs and containers, speeding up packet processing for the relevant VNFs and CNFs, respectively.

Monitoring everything at once

Application classification information from R&S^®PACE 2 powers CASB with real-time insights on Cloud and SaaS application usage. This includes information on the applications being accessed, the type of services being used, total sessions and frequency of access, source URL, user location and the application's performance in terms of bandwidth, speeds, latency and jitter. With frequently updated signatures, R&S^®PACE 2 is able to pinpoint the unofficial use of applications such as Slack, Zoom or Jira among employees by tracking traffic flows originating from the enterprise network.
R&S^®PACE 2 equips SWG with insights on the use of on-premises applications and resources. It provides real-time information on the number of external users with access to the enterprise network and the consumption of network resources by different data centers, servers and applications.

How does R&S®vPACE enhance VPP-enabled clouds?

R&S®vPACE is ipoque’s VPP-based DPI engine. Available as a software module, R&S®vPACE can be installed in any cloud environment, either as a VNF or CNF. As a VPP-based module, R&S®vPACE is optimized to cater to the speeds and traffic processing capacity in cloud computing environments enhanced with VPP. It delivers speeds that are at least 3 times faster compared to its popular, scalar packet processing-based sister solution, R&S^®PACE 2, and boasts a low memory footprint of less than 450 bytes per 5-tuple connection.

Seamless in the cloud

An essential component of cloud management is performance monitoring. Whether it is an IaaS or a PaaS platform, managing cloud performance requires observability tools such as R&S®vPACE to identify and log packet flows. This way, information such as bandwidth consumed, speeds, jitter, latency and round-trip time is readily available not just by each microservice, container and VM, but also by specific VNF, CNF and application.

Such granularity enables deep visibility into the cloud and allows issues such as congestion and bottlenecks to be identified in time. Computing-intensive applications such as cloud gaming, AV/VR and autonomous driving can be massively impacted by the smallest lags in any one layer of the cloud – from codes, libraries and the guest OSs down to the hypervisor and the underlying hardware. As a plugin compiled for VPP, R&S®vPACE minimizes latencies associated with traffic monitoring. This ensures latency-sensitive applications and high throughput VNFs and CNFs continue to enjoy low latencies and high speeds, while performance monitoring takes place seamlessly in the background.

Visibility and intelligence for VNFs and CNFs

In high-capacity networks such as operator networks, implementing network policies hinges on application classification information and traffic analysis reaching VNFs and CNFs in the shortest time possible. Deployed inline or via port mirroring for out-of-band inspection in a virtualized or containerized architecture, a DPI engine such as R&S®vPACE identifies and logs application and protocol classification data using its comprehensive, frequently updated signature library, and does so by swiftly leveraging VPP-based processing. As such, R&S®vPACE is able to power VNFs and CNFs with real-time traffic and application visibility for any level of traffic throughput and speed.

This powers a range of cloud functionalities such as content caching and compression, policy control, content filtering and load balancing functionalities. It also enables dynamic provisioning of computing resources in virtualized architectures such as Openstack and Apache Cloudstack as well as container implementations such as Kubernetes and Docker.

One too many cloud breaches

Security has always been a prime concern for cloud providers given the vulnerabilities created via the extensive use of APIs, open source software and a plethora of third-party applications. In 2017, an AWS S3 storage bucket breach lead to the exposure of sensitive data belonging to Accenture, which included authentication information, API data and digital certificates. A total of 137GB of internal data was accessible to the public.⁵ In early 2020, 250 million entries of email addresses, IP addresses and support case details were exposed following the breach of Microsoft’s cloud databases. A misconfigured network server was found to be the cause.⁶

The challenge of securing every microservice and every code in hyperscale environments is a task that befits R&S®vPACE. R&S®vPACE can identify traffic irregularities in real time, at high speeds, even for encrypted, obfuscated and anonymized traffic. It can reveal malicious and suspicious traffic patterns in demanding environments and can be used to support a number of security VNFs such as virtual firewalls, virtual anti-DDoS and virtual anti-virus solutions.

Simplifying the cloud with automation

With rapid growth rates, cloud providers often grapple with the continuous reconfiguration of network services against increasing pressure on performance and cost. That is why cloud providers are turning to AI-based automation, leveraging big data analytics and machine learning and deep learning techniques to manage cloud services. R&S®vPACE can play a big role in enabling this. Its traffic classification capabilities, which go down to nanoseconds along with a 100% classification accuracy, can be used to invoke instantaneous and automated policy responses that are both application‑aware and network‑aware. Such capabilities make R&S®vPACE an optimal visibility tool even for the most demanding cloud environments such as edge clouds which often process data-intensive, ultra-low latency applications. Its comprehensive data logs, additionally, can be fed into the cloud AI systems to deliver enhanced algorithms.

In short, just as cloud providers begin their VPP journey, they now have a VPP-ready tool to form the full artillery needed to manage, monitor and secure their new, high-capacity computing environments. The arrival of R&S®vPACE could not have come at a better time.

Sources

[1] https://www.seagate.com/files/www-content/our-story/trends/files/idc-seagate-dataage-whitepaper.pdf
[2] https://www.techradar.com/sg/news/aws-is-spending-billions-on-five-new-data-centers
[3] https://www.gartner.com/en/newsroom/press-releases/2022-06-02-gartner-says-worldwide-iaas-public-cloud-services-market-grew-41-percent-in-2021
[4] https://discuss.linuxcontainers.org/t/vector-packet-processing-vpp-works-with-lxd-an-extensible-framework-providing-out-of-the-box-production-quality-switch-router-functionality/5961
[5] https://www.makeuseof.com/top-recent-cloud-security-breaches
[6] https://www.triskelelabs.com/blog/cloud-cyber-attacks-the-latest-cloud-computing-security-issues

Tobias Roeder

Tobias holds a degree in electrical engineering and has more than eight years of experience in product development. For a number of years, Tobias has been working as an application engineer for the deep packet inspection (DPI) software R&S®PACE 2 at ipoque, a subsidiary of the Rohde & Schwarz company. Tobias provides engineering services from the packet processing level up to the application level. In customer consulting, he identifies the optimal implementation to fulfill customer requirements and assists with the architectural decisions that go along with embedding DPI into network solutions. When he’s not at work, Tobias plays disc golf and enjoys doing CrossFit.