Accelerating the Suricata IDS/IPS with NVIDIA BlueField DPUs

Originally published at: https://developer.nvidia.com/blog/accelerating-the-suricata-ids-ips-with-nvidia-bluefield-dpus/

Deep packet inspection (DPI) is a critical technology for network security that enables the inspection and analysis of data packets as they travel across a network. By examining the content of these packets, DPI can identify potential security threats such as malware, viruses, and malicious traffic, and prevent them from infiltrating the network. However, the…

Are you interested in developing solutions for Suricata or have any questions? If so, drop a note below.

Hi @mgonen,
Thanks for the article; it was very interesting to read. I have some questions.

You mention in your post that if we have Bluefield-3 with an ARM subsystem of 8/16 cores, we can also run Suricata on the SmartNIC itself.

  1. Is there any specific (hardware-related) reason why you say Bluefield-3 only? Bluefield-2 already has an ARM subsystem with eight cores and 16GB of RAM.
  2. Do you have any figures for the case when Suricata is running on the Bluefield? Or is Fig. 2 already for that? Sorry, I could not convince myself whether Suricata is running on the host or on the Bluefield.
  3. If Suricata is running on the Bluefield, can we still utilize the line-rate steering module to alleviate the load on the ARM cores (for certain traffic that we want to bypass Suricata)?
  4. In the summary, you mention further use cases wherein Bluefield could accelerate packet processing (e.g., IPsec, TLS acceleration). Do you have any pointers for those writeups (if they exist)?

Thanks

Hi @cs.lev
I’m glad to see you find interest in my work.

  1. Suricata can be offloaded to both BF2 and BF3. Of course there will be a performance difference between the 2 DPUs due to the compute power of the ARM subsystem, as BF2 has 8 Armv8 A72 cores and BF3 has 16 Armv8.2+ A78 Hercules cores.
  2. The testing I have done that is published in this paper is for running Suricata on the ARM subsystem of the Bluefield DPU (and not on the host).
  3. Hardware offload for bypassed flows is one of the points addressed in this whitepaper. Suricata was running on the ARM subsystem of the Bluefield DPU and it accelerated and offloaded bypassed flows to the hardware steering module of the Bluefield, using the DOCA Flow API, instead of using the SW kernel-based firewall Suricata offers. This way we could achieve line rate for bypassed flows.
  4. Yes, Bluefield 2 and Bluefield 3 offer GA IPsec offload and TLS hardware-accelerated offload. You can read about them both in the DOCA SDK:
    for IPsec - IPsec Programming Guide :: NVIDIA DOCA SDK Documentation
    for TLS - TLS Offload :: NVIDIA DOCA SDK Documentation

Feel free to reach out for any questions.
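As an added illustration of the bypass mechanism discussed in point 3 (not code from the article or from NVIDIA's DOCA integration), the following Suricata configuration fragment and rule show how flows get marked for bypass on the Suricata side; the hook that hands a bypassed flow to the BlueField steering module via DOCA Flow is NVIDIA's integration and is not shown here, and the sid, port and network values are constructed.

```yaml
# suricata.yaml fragment (added example): turn on flow bypass so that
# flows a rule marks, or TLS flows after the handshake, leave the
# inspection path. With the DPU integration described above, a bypass
# decision is what gets pushed to the hardware steering module; with
# stock Suricata it only stops software inspection of that flow.
stream:
  bypass: yes                      # let the stream engine bypass flows

app-layer:
  protocols:
    tls:
      enabled: yes
      # stop inspecting once the TLS session is encrypted; the rest of
      # the flow is bypassed instead of being decoded packet by packet
      encryption-handling: bypass

# local.rules (added example): explicitly bypass a trusted, high-volume
# backup flow so the ARM cores spend no cycles on it. Values constructed.
#   pass tcp $HOME_NET any -> 203.0.113.10 445 \
#     (msg:"Bypass trusted backup traffic"; flow:established; \
#      bypass; sid:1000001; rev:1;)
```

A defender should keep bypass rules narrow (specific hosts and ports) and track the `flow_bypassed` stats counters, since whatever is bypassed is no longer seen by any signature.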

Thanks for getting back to me.

I am fine now, but I will probably have further questions in the near future, when I try to do the same thing that you did :)

Thanks again