Release of the Network Security Management Service

  • December 22, 2022
  • 3 min read

PUZZLE aims to deliver a holistic security framework targeting cloud native deployments in modern orchestration engines. It will deliver a programmable control plane and data plane that ensure several sophisticated security features can be provided seamlessly to the deployed application, i.e., without modifying the structure of the hosted application. One of the key aspects of security management for cloud native applications is the way network traffic is intercepted, processed, and handled.

The first operational assumption is that PUZZLE nodes will be equipped with a network interface card offered by NVIDIA. This network interface card is called a Data Processing Unit (a.k.a. DPU). The NVIDIA DPU (Figure 1) provides innovative acceleration, security, and efficiency features based on its architecture and the open tool-suite that accompanies it. More specifically, DPUs contain a BlueField, a multi-CPU engine for processing accelerations. BlueField DPUs are supported by the Data-Center-on-a-chip (DOCA) software development kit framework, which exposes all of their programmability features.

Figure 1 – Bluefield Smart NIC

Data-processing units (DPUs) promise greater data-center efficiency, but low-level programming requirements have hindered broad adoption. NVIDIA aimed to remove this obstacle using the DOCA framework, which abstracts the programming of BlueField DPUs. As precisely noted in, promising more-efficient data centers, DPUs add another element to the heterogeneous-processing mix. DPUs are important to data-center disaggregation, allowing server processors to perform only compute tasks while the DPU handles data movement between networked compute and storage.

Using DPUs, cloud-service providers can save server processor compute cycles for revenue-generating services. DPUs also handle network traffic more efficiently than a server processor, cutting data-center power. In storage systems, they can supplant a standard processor, handling the massive throughput of SSD arrays while consuming less power.

Figure 2 shows the DOCA 1.5 software, which includes drivers, libraries, service agents, and reference applications. NVIDIA delivers the stack as a combination of a DOCA SDK for developers and DOCA runtime software for out-of-the-box deployment.

Together, DOCA and the BlueField DPU enable the development of applications that deliver breakthrough networking, security, and storage performance with a comprehensive, open development platform. BlueField isolates the infrastructure service domain from the workload domain to offer significant improvements in application and server performance, security, and efficiency, giving developers all the tools they need to realize the optimal, secure, accelerated data center.

Figure 2 – DOCA 1.5 Software

DOCA software consists of an SDK and a runtime environment. The DOCA SDK provides industry-standard open APIs and frameworks, including Data Plane Development Kit (DPDK) and P4 for networking and security and the Storage Performance Development Kit (SPDK) for storage. The frameworks simplify application offload with integrated NVIDIA acceleration packages. The DOCA-based services are exposed in the compute nodes as industry-standard input/output (IO) interfaces, enabling infrastructure virtualization and isolation.

PUZZLE policies entail P4-inspired conditions and rules that must be enforced in the data plane.

Enforcing these elements relies on the DOCA Flow API. DOCA Flow is the most fundamental API for building generic execution pipes in hardware. The library provides an API for building a set of pipes, where each pipe consists of match criteria, monitoring, and a set of actions. Pipes can be chained so that after a pipe-defined action is executed, the packet may proceed to another pipe. Using the DOCA Flow API, it is easy to develop hardware-accelerated applications.
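To make the pipe model concrete, the following is an added example that is not part of the original post and does not use the DOCA Flow API itself: a small Python model of DOCA Flow pipe semantics (match criteria, a monitor counter, and an action that can hand the packet to the next pipe) enforcing a constructed PUZZLE-style policy. The packet fields, pipe names, and allowlist are assumptions chosen for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample: the header fields a pipe's match criteria inspect.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str

@dataclass
class Pipe:
    """Model of one DOCA Flow pipe: match criteria, a monitor (hit counter),
    and an action ("fwd", "drop", or "next" to chain into next_pipe)."""
    name: str
    match: Callable[[Packet], bool]
    action: str
    next_pipe: Optional[Pipe] = None   # taken when action == "next"
    miss_pipe: Optional[Pipe] = None   # taken when match criteria fail
    hits: int = 0                      # monitor: packets that matched this pipe

def run_chain(first: Pipe, pkt: Packet) -> Tuple[str, List[str]]:
    """Walk the chain from `first`; return (verdict, names of pipes visited).
    A packet that falls off the chain without a verdict is dropped (default deny)."""
    path: List[str] = []
    pipe: Optional[Pipe] = first
    while pipe is not None:
        path.append(pipe.name)
        if pipe.match(pkt):
            pipe.hits += 1
            if pipe.action == "next":
                pipe = pipe.next_pipe
                continue
            return pipe.action, path
        pipe = pipe.miss_pipe
    return "drop", path

ALLOWED_SRC = {"10.0.0.5", "10.0.0.6"}   # constructed allowlist (hypothetical)

def build_policy() -> Pipe:
    """Constructed policy: only allowlisted clients may reach TCP/443; everything
    else, including non-443 traffic, ends in the default-deny pipe."""
    deny = Pipe("default-deny", match=lambda p: True, action="drop")
    allowlist = Pipe("src-allowlist", match=lambda p: p.src_ip in ALLOWED_SRC,
                     action="fwd", miss_pipe=deny)
    https = Pipe("tcp-443", match=lambda p: p.proto == "tcp" and p.dst_port == 443,
                 action="next", next_pipe=allowlist, miss_pipe=deny)
    return https
```

Each pipe's `hits` counter plays the role of the monitoring stage, so a policy violation shows up as hits on the default-deny pipe rather than only as a dropped packet.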

Author: Mellanox Technologies.
Featured Photo by TheDigitalArtist on Pixabay.