Re: [dpdk-dev] 2.3 Roadmap

DPDK patches and discussions
 help / color / mirror / Atom feed

From: Matthew Hall <mhall@mhcomputing.net>
To: Bruce Richardson <bruce.richardson@intel.com>
Cc: "dev@dpdk.org" <dev@dpdk.org>
Subject: Re: [dpdk-dev] 2.3 Roadmap
Date: Wed, 2 Dec 2015 10:47:41 -0500	[thread overview]
Message-ID: <20151202154741.GA17618@mhcomputing.net> (raw)
In-Reply-To: <20151202123516.GA30204@bricha3-MOBL3>

On Wed, Dec 02, 2015 at 12:35:16PM +0000, Bruce Richardson wrote:
> Hi Matthew,
> 
> thanks for the info, but I'm not sure I understand it correctly. It seems to
> me that you are mostly referring to the depths/sizes of the tables being used,
> rather than to the "data-size" being stored in each entry, which was actually
> what I was asking about. Is that correct? If so, it seems that - looking initially
> at IPv4 LPM only - you are more looking for an increase in the number of tbl8's
> for lookup, rather than necessarily an increase the 8-bit user data being stored
> with each entry. [And assuming similar interest for v6] Am I right in 
> thinking this?
> 
> Thanks,
> /Bruce

This question is a result of a different way of looking at things between 
routing / networking and security. I actually need to increase the size of 
user data as I did in my patches.

1. There is an assumption, when LPM is used for routing, that many millions of 
inputs might map to a smaller number of outputs.

2. This assumption is not true in the security ecosystem. If I have several 
million CIDR blocks and bad IPs, I need a separate user data value output for 
each value input.

This is because, every time I have a bad IP, CIDR, Domain, URL, or Email, I 
create a security indicator tracking struct for each one of these. In the IP 
and CIDR case I find the struct using rte_hash (possibly for single IPs) and 
rte_lpm.

For Domain, URL, and Email, rte_hash cannot be used, because it mis-assumes 
all inputs are equal-length. So I had to use a different hash table.

4. The struct contains things such as a unique 64-bit unsigned integer for 
each separate IP or CIDR triggered, to allow looking up contextual data about 
the threat it represents. These IDs are defined by upstream threat databases, 
so I can't crunch them down to fit inside rte_lpm. They also include stats 
regarding how many times an indicator is seen, what kind of security threat it 
represents, etc. Without which you can't do any valuable security enrichment 
needed to respond to any events generated.

5. This means, if I want to support X million security indicators, regardless 
if they are IP, CIDR, Domain, URL, or Email, then I need X million distinct 
user data values to look up all the context that goes with them.

Matthew.

     prev parent reply	other threads:[~2015-12-02 15:47 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-11-30 20:50 O'Driscoll, Tim
2015-11-30 21:50 ` Thomas Monjalon
2015-11-30 22:19 ` Dave Neary
2015-12-01 11:57   ` O'Driscoll, Tim
2015-11-30 22:30 ` Hobywan Kenoby
2015-12-01 11:52   ` O'Driscoll, Tim
2015-11-30 22:53 ` Kyle Larose
2015-12-01  1:16   ` Stephen Hemminger
2015-12-01 10:03     ` Bruce Richardson
2015-12-01 11:26       ` Yoshinobu Inoue
2015-12-01 11:58         ` Bruce Richardson
2015-12-01 13:42           ` Matthew Hall
2015-12-01 14:45             ` Kyle Larose
2015-12-01 19:28               ` Matthew Hall
2015-12-02  0:53           ` Yoshinobu Inoue
2015-12-01 14:27       ` Panu Matilainen
2015-12-01 14:48         ` Vincent JARDIN
2015-12-01 14:58           ` Panu Matilainen
2015-12-01 15:16             ` Christian Ehrhardt
2015-12-01 15:19             ` Bruce Richardson
2015-12-01 15:31               ` Aaron Conole
2015-12-01 15:54                 ` Richardson, Bruce
2015-12-02  1:38                   ` Wiles, Keith
2015-12-02  2:42                     ` Matthew Hall
2015-12-01 19:32                 ` Matthew Hall
2015-12-02 11:24           ` Neil Horman
2015-12-01 12:59 ` Matthew Hall
2015-12-01 13:16   ` O'Driscoll, Tim
2015-12-01 13:44     ` Matthew Hall
2015-12-01 13:57       ` Bruce Richardson
2015-12-01 19:49         ` Matthew Hall
2015-12-02 12:35           ` Bruce Richardson
2015-12-02 15:47             ` Matthew Hall [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20151202154741.GA17618@mhcomputing.net \
    --to=mhall@mhcomputing.net \
    --cc=bruce.richardson@intel.com \
    --cc=dev@dpdk.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).