
Comment by neopallium

9 years ago

I am interested in Snabb and other methods of doing high performance packet processing to help with developing DDOS protection methods that could be implemented without expensive hardware.

If DDOS filtering modules can be written in P4, then they could be used on software switches and maybe even compiled into packet filters that run before packets are processed by the Linux kernel (or compiled into a kernel-bypass module for embedding in an application).

I think we really need to have better support for low-level high performance packet filtering (i.e. before the packet gets to higher levels in the kernel).

With multi-gigabit networking becoming cheaper, we really should have better support for dropping bad traffic.

How about a switch layer that runs in the kernel? Physical NICs and virtual NICs could be handled by the switch layer (programmed using P4 or eBPF). The kernel would only have to handle packets it receives from the virtual NICs. This would allow packet filtering and even some routing to happen without having to go through the kernel's network stack. The software switch layer would work like a data plane with the kernel as the control plane (like a lot of hardware routers/switches). If the computer has specialized hardware (smart NICs, co-processors), then the switch logic (P4 code) could be handled in that hardware instead of on the CPU.

> How about a switch layer that runs in the kernel?

That's what openvswitch.ko is doing already. I agree that P4 is interesting also in this perspective: having the compiled P4 blob being run either by the CPU or, if available, in hardware by a smart NIC.
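The kind of early-drop filter the comment describes (a verdict taken before the packet reaches the kernel stack), as an added illustration that is not code from this thread, from Snabb or from any P4/eBPF project: the decision logic is written as a plain C function with the same bounds-checked header parsing an XDP/eBPF program must do, so it can run and be tested in user space. The drop policy, the verdict enum and the frame builder are constructed for this example; attaching the function to an XDP hook is not shown.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Example early-drop policy (constructed for this illustration):
 *   - drop IPv4 fragments (MF bit set or non-zero fragment offset)
 *   - drop UDP whose source port is a reflector service this host never
 *     talks to (chargen/19, SSDP/1900), a common amplification signature
 * Everything else, including non-IPv4, is passed on to the kernel stack.
 * Every read is preceded by a length check, as the eBPF verifier requires. */
enum verdict early_drop(const uint8_t *pkt, size_t len)
{
    if (len < 14) return VERDICT_PASS;                 /* no full Ethernet header */
    if (rd16(pkt + 12) != 0x0800) return VERDICT_PASS;  /* not IPv4: kernel decides */

    const uint8_t *ip = pkt + 14;
    size_t ip_room = len - 14;
    if (ip_room < 20) return VERDICT_DROP;             /* IPv4 header cannot fit */
    if ((ip[0] >> 4) != 4) return VERDICT_DROP;        /* version field not 4 */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > ip_room) return VERDICT_DROP; /* bogus header length */

    uint16_t frag = rd16(ip + 6);
    if (frag & 0x3fff) return VERDICT_DROP;            /* MF (0x2000) or offset != 0 */

    if (ip[9] != 17) return VERDICT_PASS;              /* not UDP: leave to kernel */
    if (ip_room - ihl < 8) return VERDICT_DROP;        /* UDP header cannot fit */
    uint16_t sport = rd16(ip + ihl);
    if (sport == 19 || sport == 1900) return VERDICT_DROP;
    return VERDICT_PASS;
}

/* Build a minimal Ethernet/IPv4/UDP frame (constructed test input, no
 * checksums) into buf and return its length. frag_field is the raw IPv4
 * flags+offset word, so 0x2000 marks a "more fragments" first fragment. */
size_t build_udp_frame(uint8_t *buf, uint16_t sport, uint16_t dport, uint16_t frag_field)
{
    memset(buf, 0, 42);
    buf[12] = 0x08; buf[13] = 0x00;                     /* EtherType IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45; ip[3] = 28;                           /* IHL 5, total length 28 */
    ip[6] = (uint8_t)(frag_field >> 8); ip[7] = (uint8_t)(frag_field & 0xff);
    ip[8] = 64; ip[9] = 17;                             /* TTL, protocol UDP */
    uint8_t *udp = ip + 20;
    udp[0] = (uint8_t)(sport >> 8); udp[1] = (uint8_t)(sport & 0xff);
    udp[2] = (uint8_t)(dport >> 8); udp[3] = (uint8_t)(dport & 0xff);
    udp[5] = 8;                                         /* UDP length 8 */
    return 42;
}
```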