Supercomputing

Building Cost-Effective 100-Gbps Firewalls for HPC

Overview

The continuous growth of the NASA Center for Climate Simulation (NCCS) requires high-performance security tools and greater network capacity. To support the requirements of emerging services, including the Advanced Data Analytics Platform (ADAPT) private cloud, the NCCS security team has proposed an architecture for extremely cost-effective 100-gigabit-per-second (Gbps) firewalls.

Project Details

The aim of this project is to create a commodity-based platform that can process enough packets per second (pps) to sustain a 100-Gbps workload within the NCCS computational environment. The test domain consists of several existing systems within the NCCS, including switches (Dell S4084), routers (Dell R530s), servers (Dell R420s and C6100s), and network interface cards (10-Gbps Mellanox ConnectX-2 and Intel 8259x Ethernet cards).

Previous NCCS work testing FreeBSD as a high-performance router reached a maximum of 4 million pps. Building on this work, we are comparing FreeBSD 11.0 and FreeBSD-CURRENT, deploying netmap-fwd (a user-space IPv4 forwarder built on the netmap API, which moves packets between the NIC rings and the application without traversing the kernel network stack), and tuning the 10-gigabit Ethernet cards. We used iperf3, nuttcp, and netperf to measure the maximum bandwidth achievable through the cards. Note that these tools report bulk TCP/UDP throughput at large frame sizes; the limiting figure for a firewall is pps at small frame sizes, which is better measured with a packet generator such as netmap's pkt-gen. Additional testing has involved enabling the Common Address Redundancy Protocol (CARP) to achieve an active/active architecture.
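To make the pps target concrete, the following is an added sizing example (not code from the NCCS project) that converts link speed into the packet rate a firewall must sustain, and conversely shows how much bandwidth a box limited to the 4 Mpps ceiling mentioned above can actually filter. It assumes standard Ethernet framing overhead (8-byte preamble/SFD and 12-byte inter-frame gap) and frame sizes from the 64-byte minimum to the 1518-byte MTU-sized maximum; the function names are my own.

```python
# Line-rate packet budget for a packet filter: packets per second a link
# delivers at a given frame size, and the bandwidth a filter capped at a
# fixed pps can sustain. Framing constants are assumed standard Ethernet.
PREAMBLE_SFD = 8      # bytes of preamble + start-of-frame delimiter
IFG = 12              # bytes of inter-frame gap
MIN_FRAME = 64        # minimum Ethernet frame, including the 4-byte FCS
MAX_FRAME = 1518      # 1500-byte MTU payload + 14-byte header + 4-byte FCS


def wire_bits(frame_bytes: int) -> int:
    """Bits one frame occupies on the wire, including preamble and IFG."""
    if frame_bytes < MIN_FRAME:
        raise ValueError("frame smaller than the minimum Ethernet frame")
    return (frame_bytes + PREAMBLE_SFD + IFG) * 8


def line_rate_pps(link_gbps: float, frame_bytes: int) -> int:
    """Packets per second needed to saturate link_gbps at this frame size."""
    return int(link_gbps * 1e9 // wire_bits(frame_bytes))


def filtered_gbps(pps: float, frame_bytes: int) -> float:
    """Bandwidth (Gbps) a filter limited to `pps` sustains at this frame size."""
    return pps * wire_bits(frame_bytes) / 1e9


def budget_table(link_gbps: float = 100.0, pps_ceiling: float = 4e6,
                 sizes=(64, 128, 256, 512, 1024, MAX_FRAME)):
    """Rows of (frame size, pps required at link rate, Gbps filterable at the ceiling)."""
    return [(size, line_rate_pps(link_gbps, size), filtered_gbps(pps_ceiling, size))
            for size in sizes]


if __name__ == "__main__":
    # 100-Gbps link against the 4 Mpps FreeBSD routing baseline (constructed input).
    print(f"{'frame':>6} {'pps @ 100G':>12} {'Gbps @ 4Mpps':>13}")
    for size, pps, gbps in budget_table():
        print(f"{size:>6} {pps:>12,} {gbps:>13.1f}")
```

The table shows why the project is framed in pps rather than Gbps: 4 Mpps is close to 49 Gbps of MTU-sized traffic, but only about 2.7 Gbps of minimum-sized packets, and a 100-Gbps link can deliver almost 149 Mpps at 64 bytes. A firewall sized only against large-frame iperf3 numbers will fall over under a small-packet flood.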

Results and Impact

Testing has shown that pps rises as newer versions of the operating system are deployed. We established a pps baseline using FreeBSD 10.3 and observed several notable properties of the packet-filtering environment:

FreeBSD was able to send more pps as a client than CentOS 6.

The choice of network card can have a significant impact on pps, tuning, and netmap support.

Netmap-fwd increased the pps rate significantly.

The tests have shown that, with an optimally tuned and configured FreeBSD system, it is possible to build a system from commodity components that handles the very high packet rates a 100-Gbps firewall requires.

Why HPC Matters

As the demand for compute and data resources increases, high-performance computing (HPC) environments like the NCCS will always require higher-speed security tools and networks. The ability to deploy security services (e.g., firewalls) without affecting performance opens the possibility of deploying more capable systems for science without compromising security. The development and deployment of these tools will enable scientists to push their research further, efficiently and securely, without the potentially huge obstacle of inadequate high-speed packet filtering.

What's Next

Further tests will continue verifying the above results with even more capable hardware, such as 40-gigabit and 100-gigabit Ethernet cards, to achieve even higher performance. In addition to hardware improvements, updates to the network stack in FreeBSD-CURRENT will be closely monitored and applied as appropriate. The final result will be a reference architecture, with representative hardware and software, that enables the NCCS to build, deploy, and efficiently maintain extremely cost-effective 100-Gbps firewalls.

Jordan A. Caraballo-Vega, NASA Goddard Space Flight Center

jordan.a.caraballo-vega@nasa.gov

John E. Jasen, NASA Goddard Space Flight Center

john.e.jasen@nasa.gov