Friday, July 20, 2012

w00t! Show me the 10Gbps PF_RING love!

Many thanks to Luca Deri and Silicom USA for graciously supplying me with a shiny new dual-port Intel® X520-based 10 Gigabit PE210G2i9-T accelerated packet-capture card.

Now I have all of the proper network security implements of destruction to support wire-speed zero-copy DMA PF_RING deep-packet inspection at 10Gbps:
root@token:~# lspci | cut -d':' -f3 | grep Gigabit
 Intel Corporation 82579LM Gigabit Network Connection (rev 05)
 Intel Corporation I350 Gigabit Network Connection (rev 01)
 Intel Corporation I350 Gigabit Network Connection (rev 01)
 Intel Corporation 82599EB 10 Gigabit TN Network Connection (rev 01)
 Intel Corporation 82599EB 10 Gigabit TN Network Connection (rev 01)

root@token:~# dmesg | cut -d']' -f2 | grep NIC | grep dna
 igb: dna0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
 ixgbe 0000:05:00.0: dna1: NIC Link is Up 10 Gbps, Flow Control: RX/TX

Watch this space for more Ninja Master Packet Assassin™ goodness...

Saturday, July 14, 2012

Security Garlic: A Preview of Coming Attractions

Upon discovering the wonders of PF_RING with DNA, OpenvSwitch L4-hashed port-mirroring, Intel® VT-d / SR-IOV, KVM with VirtIO, and Security Onion, I just knew that these incredibly powerful tools belonged together.


So I'd say this is a very early Alpha-stage implementation of what I'm looking to accomplish and document, but I have high hopes for success. The goal is to use the PF_RING DNA drivers (and possibly vPF_RING) to perform transport-layer 5-tuple hashing and load-balancing in hardware, and then hand off the resulting pieces to a team of virtualized network inspection engines for deeper analysis. On the right hardware (modern higher-end Intel NICs), DNA and SR-IOV allow us to perform all this work using Zero-Copy Direct Memory Access, eliminating the need to burn CPU cycles simply to handle interrupts from your NIC. That means more horsepower to inspect all those packets.
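The part of that design a practitioner has to get right is the hashing step: if the two directions of a TCP session land on different inspection engines, each engine sees half a conversation and stream reassembly breaks. The following is an added illustration of flow-consistent 5-tuple load-balancing in plain Python; it is not PF_RING, DNA or OpenvSwitch code. It assumes a fixed pool of N engines, uses CRC32 as a stand-in for whatever hash the NIC or switch actually computes, and runs over a handful of constructed packets that include both directions of each flow.

```python
import ipaddress
import struct
import zlib
from collections import Counter

# Constructed sample "packets": (src_ip, dst_ip, proto, src_port, dst_port).
# Both directions of every flow are present, as they would be on a span port.
SAMPLE_PACKETS = [
    ("10.0.0.5", "192.0.2.10", 6, 51234, 443),
    ("192.0.2.10", "10.0.0.5", 6, 443, 51234),
    ("10.0.0.7", "192.0.2.20", 17, 40000, 53),
    ("192.0.2.20", "10.0.0.7", 17, 53, 40000),
    ("10.0.0.9", "198.51.100.1", 6, 33000, 80),
    ("198.51.100.1", "10.0.0.9", 6, 80, 33000),
]


def canonical_5tuple(src_ip, dst_ip, proto, sport, dport):
    """Order the two endpoints so that A->B and B->A yield the same key.
    Packed address bytes are used so IPv4 and IPv6 both sort correctly."""
    a = (ipaddress.ip_address(src_ip).packed, sport)
    b = (ipaddress.ip_address(dst_ip).packed, dport)
    lo, hi = sorted([a, b])
    return lo[0], lo[1], hi[0], hi[1], proto


def flow_hash(src_ip, dst_ip, proto, sport, dport):
    """Deterministic 32-bit hash of the canonical (direction-independent) 5-tuple.
    CRC32 is a stand-in here; hardware would use its own function (e.g. Toeplitz)."""
    lo_ip, lo_port, hi_ip, hi_port, pr = canonical_5tuple(
        src_ip, dst_ip, proto, sport, dport)
    key = (lo_ip + struct.pack("!H", lo_port)
           + hi_ip + struct.pack("!H", hi_port)
           + struct.pack("!B", pr))
    return zlib.crc32(key) & 0xFFFFFFFF


def engine_for(pkt, n_engines):
    """Symmetric mapping: pick the engine index from the canonical flow hash."""
    return flow_hash(*pkt) % n_engines


def naive_engine_for(pkt, n_engines):
    """The mistake to avoid: hashing the tuple as seen, without canonicalising.
    Reverse-direction packets of the same flow may go to a different engine."""
    src_ip, dst_ip, proto, sport, dport = pkt
    key = (ipaddress.ip_address(src_ip).packed + struct.pack("!H", sport)
           + ipaddress.ip_address(dst_ip).packed + struct.pack("!H", dport)
           + struct.pack("!B", proto))
    return (zlib.crc32(key) & 0xFFFFFFFF) % n_engines


def distribute(packets, n_engines, engine_fn=engine_for):
    """Return a Counter of how many packets each engine index received."""
    counts = Counter()
    for pkt in packets:
        counts[engine_fn(pkt, n_engines)] += 1
    return counts


def split_flows(packets, n_engines, engine_fn=engine_for):
    """Count packets whose reverse-direction twin would land on another engine.
    A correct flow-consistent scheme returns 0."""
    bad = 0
    for src, dst, proto, sport, dport in packets:
        fwd = engine_fn((src, dst, proto, sport, dport), n_engines)
        rev = engine_fn((dst, src, proto, dport, sport), n_engines)
        if fwd != rev:
            bad += 1
    return bad


if __name__ == "__main__":
    N = 4
    print("symmetric :", dict(distribute(SAMPLE_PACKETS, N)),
          "split packets:", split_flows(SAMPLE_PACKETS, N))
    print("naive     :", dict(distribute(SAMPLE_PACKETS, N, naive_engine_for)),
          "split packets:", split_flows(SAMPLE_PACKETS, N, naive_engine_for))
```

Whatever does the real hashing (NIC RSS, PF_RING's clustering, or a switch's L4 hash), the check is the same: feed it a capture containing both halves of known sessions and verify that `split_flows` style accounting comes back zero before trusting the engines' alerts.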

UPDATE: I've discovered that OpenvSwitch's L4-hashing mechanism for load-balancing currently only works when LACP is enabled on a bonded link. LACP breaks the technique I'm employing here because it requires that all of the composite members of the port-channel be connected to the same endpoint device. I may have to write some patches for OpenvSwitch to get this working the way I'd like... in the meantime this is still doable with PF_RING.

UPDATE 2: I may have spoken too soon. Perhaps this has already been addressed: http://openvswitch.org/pipermail/dev/2011-May/008934.html

Thursday, July 12, 2012

These Are a Few of My Favorite Things...

Rat's nests of CAT5, tracing with ping, these are a few of my favorite things... Especially when everything's all neatly connected to a single device that magically does everything I need. I'm still going to publish Part III of my guide on building Kenny, but in the meantime, I've found a fantastic replacement for a whole pile of old Linksys gear. I haven't named him yet, but I'm learning to love my new Mikrotik RouterBoard RB2011L, which I acquired for a quite reasonable $99 from r0c-n0c.com.


The user interface for this RouterOS-based device is awkward, non-intuitive, and very poorly documented. That said, this is an incredibly powerful device. I recommend that everyone buy one as soon as possible, before they stop making them. There are OpenWRT works-in-progress for other Mikrotik RouterBoard platforms, and I'm crossing my fingers that this one will be appearing on that list Real Soon Now.