vortiqa networking and security software - freescale

TMFreescale, the Freescale logo, AltiVec, C-5, CodeTEST, CodeWarrior, ColdFire, C-Ware, mobileGT, PowerQUICC, StarCore, and Symphony are trademarks of Freescale Semiconductor, Inc., Reg. U.S. Pat. & Tm. Off. BeeKit, BeeStack, CoreNet, the Energy Efficient Solutions logo, Flexis, MXC, Platform in a Package, Processor Expert, QorIQ, QUICC Engine, SMARTMOS, TurboLinkand VortiQa are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © 2010 Freescale Semiconductor, Inc.

June, 2010

Komer PoodariSales Enablement Manager, NMG Software Products

VortiQa Networking and Security Software An Overview – Benefits, Functions, Business Model and Roadmap


Agenda

2

►Multicore processing - quick overview

►VortiQa software functional and architecture overview

►Solution-centric approach

►Business model

►Roadmap

►Summary

TMFreescale, the Freescale logo, AltiVec, C-5, CodeTEST, CodeWarrior, ColdFire, C-Ware, mobileGT, PowerQUICC, StarCore, and Symphony are trademarks of Freescale Semiconductor, Inc., Reg. U.S. Pat. & Tm. Off. BeeKit, BeeStack, CoreNet, the Energy Efficient Solutions logo, Flexis, MXC, Platform in a Package, Processor Expert, QorIQ, QUICC Engine, SMARTMOS, TurboLinkand VortiQa are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © 2010 Freescale Semiconductor, Inc. 3

Quick OverviewMulticore Processing


The Software Challenges

4

Challenges:

► Migration of legacy applications

► Optimal utilization of hardware platform resources

► Adding new sophisticated applications to an already complex architecture

► Innovate faster and better

Impact on Product Development:

► Increased cost of development and ongoing product maintenance

► Increased risk on developing a competitive product that best uses all platform resources

► Inflexible architecture choices limit product line expansion

Simulation

SoftwareArchitecture

VirtualizationEnvironment

DiagnosticFramework

Legacy Apps

NewApps

ControlPlane

DataPlane

3rd PartySW


What is VortiQa Software?

► Production-ready software applications• Deliver integrated security and

networking functionality to next-generation networking products

► Software optimized to leverage the complete capabilities of our QorIQ and PowerQUICC multicore processors

► Integration of the talent and mature software product line acquired as part of Intoto Inc.

\vór · ti · ka\: A whirlwind of innovation

Accelerate product development and increase the pace of innovation

We do the work that helps make your multicoresolution development faster and better.

5


Functional and Architecture OverviewVortiQa Software


VortiQa Software Products OverviewDelivers integrated networking and security functionality

7

Freescale Silicon

Example Applications

Key Features

Software for Service Provider Equipment

QorIQ processors(P4080)

Multi-service edge routers, switches, wireless infrastructure, security gateway

Networking protocolsL2 or L3 stateful packet inspection, firewall, NATIPsec VPN + IKEv1 + IKEv2Stateful deep packet inspection:

• P2P filtering• Protocol anomaly• Traffic anomaly

QoS / traffic managementVirtual security gateways

Software for Enterprise Network Equipment

PowerQUICC III and QorIQ processors(MPC8377E, MPC8572E, P2020, P1020, P4080)

Enterprise UTM, security appliances, secured routers and switches

Networking protocolsL2 or L3 SPI firewall support IPsec enterprise VPN + IKEv + IKEv2Stateful deep packet inspection:

• P2P filtering• Protocol anomaly• Traffic anomaly

QoS / traffic managementAntivirus and anti-spamHA support

Software for Small Business Gateways

PowerQUICC III and QorIQ processors(MPC8377E, P1020)

Multi-service business gateways

Networking protocolsAdvanced IPsec VPN + IKE supportsSPI firewall + advanced NAT features + Dual WAN with “load

balancing / fail over”Optional service provider provisioningVirtualized container architecture based on KVM

Software for SOHO / Residential Gateways

PowerQUICC III and QorIQ processors(MPC8315E, MPC8314E, P1020)

xDSL, PON, FTTH, and other CPE devices

Networking protocolsSPI firewall + NAT + residential gatewayIPsec VPNOptional service provider provisioning

http://www.freescale.com/VortiQa


Service Provider/Datacenter Deployment

8

Server Farm

Aggregation SwitchesWith VortiQa Software Core Switches

With VortiQa Software

Internet

P4080E

Up to 1500 MHz 8 Cores; 1 MB L2, DDR2/3, PCI Express®, 10G/GbE, USB

DPAA, Security

P40X0 (DPAA equipped)

Up to 1500 MHz e500mc core; 1 MB L2, DDR2/3, PCI Express, 10G/GbE, USB

DPAA, Security


VortiQa Software for Service Provider EquipmentScalability Features

9

Highly suitable and optimized for scale, performance and better latency►Virtual Instances (VSG)

• Up to 4K virtual instances; multiple zones in each VSG; overlapping addresses supported across VSGs

• VLAN mapping to zone and virtual instance

►Large number of sessions and tunnels (based on memory) – highly scalable

• 1M session (firewall and IPS)• 50K tunnels (IPsec VPN)

►DP with session establishment offload• DP also does session establishment• Traditional fast path only offloads

packet processing


Architecture: VortiQa for Service Provider Equipment

Freescale QorIQ (P40XX – DPAA equipped)

(*) Under development

HW Accelerators

Dat

a Pl

ane

Databases

CP-DP replicated information(VSG, I/F, Routes, ARP Caches)

DP Monitor

Firewall IPSec

IPS IPDB

HA(*) Stateful Sync, Monitor

Event Manager, DispatcherDNS Cache

Packet Processing Engine

Firewall IPSec

ALGs QoS(*)

IPS(*) P2P(*)

Session Mgmt.

Management

Logger Trace

QoS – Policing & Shaping (*) IP Reassembly IP Fragmentation

Firewall IPsecSession Lookup

Fast Path

Light-Weight Executive (LWE)

Ethernet Interfaces, VLAN, Bridging

Con

trol

Pla

ne

User space daemons - Configuration Databases, VSG, Interfaces Linux Name Spaces ARP Helper

Event Manager:Dispatcher/Generator/Receiver CP-DP Communication Handler Interface Demux/Packet Announcer

Management

CLI UCM (*)

LDSV Engine Config Demux

Signaling/Misc

LOG IKE v1/v2/PKI

TRACE DNSRD

EVM-API

Linux/Other SMP OS

Management

Interface Helper

HA Monitor(*)DP State Monitor

Route UpdaterImage upgrade(*)


Enterprise Deployment

11

MALICIOUS HACKERS

ENTERPRISE NETWORK

Email Server

App Server

Web Server

Confidential Data

EDI Server

Other Internal Users

MARKETING SUBNETMarketing Users

Logging Console

Admin Console

FINANCE SUBNET

Finance Users

VortiQaSoftware

Trojan Attack

DoS AttacksAccess

Control Lists

HOMEOFFICE

TELECOMMUTER

Confidential Data

BRANCH OFFICE

Policies for individual security domainsPolicies for Individual usersPolicies for user groups

•Allow remote access•Allow access to web server•Deny access to finance server•Deny access to confidential data

Security Domain 1

Security Domain 2

Security Domain 3

Security Domain 4

Internet

MPC8572E

Up to 1500 MHz Dual- e500 core; 1 MB L2, 800 MHz DDR2/3, PCI Express, 4xGbE, USB

SRIO, Security

MPC8548

Up to 1500 MHz Single Core; 512 KB L2, DDR2/3, PCI Express, 4xGbE, USB

SRIO, Security

P4080EUp to 1500 MHz 8 Cores; 1 MB L2,

DDR2/3, PCI Express®, 10G/GbE, USBDPAA, Security

MPC8315

400 MHz2 x GbE (SGMII)PCI, PCI Express

USB, DDR1/2,Security

<2.0W @ 400 MHz


VortiQa for Enterprise Network EquipmentFeature Richness

12

Highly suitable for feature-rich UTM applications►Stateful packet inspection firewall►IPS / deep packet inspection ►IPsec VPN ►Anti-spam and antivirus►Extendable transparent proxy framework►High availability


Architecture: VortiQa for Enterprise Network Equipment

13

Ethernet, Bridging and WAN Protocols

Session Management and Packet processing

IPSec Packet Processing

Traffic Policing Traffic Shaping

Firewall Policy Mgmt

Transparent Proxy Support

Application Level

Gateway

Intrusion Detection/

Prevention EngineTCP/ IP

Drop-in Clustering

Kernel Space

Ethernet Controllers Crypto Acceleration Pattern Matching Acceleration

Hardware Layer

IPS Manager

CMS/Embedded Management: CLI, HTTP, LDSV, SYSLOG, EMAIL, SNMP

User Space

SSLVPN*

Portal

L2 Tunnel

Socks App Tunnel

Reverse Proxy

FTP Proxy

HTTP Proxy

POP3/s Proxy

SMTP/S Proxy

AV/AS

AVDB

ASDB Local

RADIUS Client

LDAP Client

AuthenticationServices

IRAS

IRAC

XAUTH, EAP

PKI (SCEP, OCSP, LDAP)

IKEv1/v2


Small Business Deployment

14

Internet

SMB Network

Branch Office

VPN Tunnel

Telecommuters & Road Warriors

VortiQa Software for SMB Networks

P2020

Dual e500 Cores, 800 - 1200 MHz512 KB L2 Cache

MPC8378E MPC8377E

400-667 MHz2 x GbE (SGMII)

PCI , PCI Express®USB, DDR1/2,

Security, SATA<5.0W @ 667 MHz

http://catalog.us.dell.com/CS1/cs1page2.aspx?br=7&c=us&cs=04&fm=10515&kc=6W300&l=en&s=bsd





VortiQa Software for Small Business Gateways

15

Highly suitable and optimized for small business gateway applications►Stateful packet inspection firewall, NAT and ALGs►IPsec VPN ►Dual WAN load balancing and failover►Service provider provisioning support with TR-069 and TR-098 protocols


Architecture: VortiQa for Small Business Gateways

16


SOHO/Residential Gateway Deployment

17

HOME OFFICE

INTERNET

Trojan Attack

DoS AttacksMalicious Hackers

FRIENDS ONLINE SCHOOL WORK

LAPTOP WITH WIRELESS LANCONNECTION 802.11A/B/G

FRIENDS ONLINE SCHOOL WORK

BANKINGSHOPPINGNEWS AND

ENTERTAINMENTTRAVEL AND LEISURE

BANKINGSHOPPING

NEWS AND ENTERTAINMENTTRAVEL AND LEISURE

UnauthorizedUsers

x

Confidential Data

Email Server

EDI Server

OFFICE VPN CONNECTIONVPN Firewall

Wireless Security

VoIP

URL Keyword Filtering

MPC8358E MPC8360E

e300 core with 400 -667 MHz and

QUICC Engine™ support


VortiQa Software for SOHO/Residential Gateways

18

Highly suitable and optimized for SOHO/ residential business gateway applications►Stateful packet inspection firewall►IPsec VPN ►Service provider provisioning support with TR-069 and TR-098 protocols►Intuitive GUI interface


Architecture: VortiQa for SOHO /Residential Gateways

19


VortiQa Software Delivers Architectural Flexibility

20

AMP, SMP or Hybrid AMP+SMP Architecture

►Architecture Benefits • Asymmetric multiprocessing (AMP) architecture

Simplifies legacy migration by minimizing changes to existing softwareEfficient use of individual core cache

• Symmetric multiprocessing (SMP) architectureBetter utilization of processing capacity Cores are not reserved for specific functionsImproves latency by eliminating issues with pipelining

• Hybrid architectureProvides functional scalability by taking advantage of both SMP and AMP architecturesProvides optimal solution for pipelining and latency issues


Benefits of VortiQa Software

21

►Simplifies migration to multicore processors►Delivers optimized performance

• Crypto acceleration• Datapath acceleration • Frame managers• Pattern matching acceleration

►Delivers architectural flexibility and choice • Ability to create differentiated products• Ability to add new applications and services• Ability to expand product line

►Speeds time to market• Shortens product development cycle on custom features• Provides off the shelf functionality• Provides a stable software framework

►Better return on investment


Solutions-Centric Approach


What is Freescale’s Solutions-Centric Approach?

23

► Combination of:• PowerQUICC and QorIQ product

families• Four VortiQa software product lines• Expanded ecosystem of hardware

partners and ODMs, OS and tool vendors, ISVs and system integrators

► Customer benefits:• Better business value to technology

investment; faster return on investment• Enables ability to target market verticals• Provides more choices and flexibility to

create differentiated products


Example Solution for eNodeB

24

System Integration (Customer and/or SI partner)

eNodeB

COTS or Custom hardware platform (based on QorIQ processors)

Base station3rd Party OS

Services

Light Weight Executive

Data Plane Control Plane

Linux Linux

AMP

(Light RTOS)

SMPAMP

Power Architecture™Core

D-Cache I-Cache

L2 Cache


D-Cache I-Cache

L2 Cache


D-Cache I-Cache

L2 Cache


D-Cache I-Cache

L2 Cache


D-Cache I-Cache

L2 Cache


D-Cache I-Cache

L2 Cache


D-Cache I-Cache

L2 Cache


D-Cache I-Cache

L2 Cache

This is a simple representation of a complex solution.

ETHERNET OAMF1z

Routing

IPsec

TP / TS

X1-AD

IKEv2

GTP

RRC

F2

F3

Fn

Functions from FSL Functions from Ecosystem Partner/CustomerDiagram Key:


Example Solution for Secure Storage Server

25

System Integration (Customer, SI partner, or Hardware ODM)

File server Networking Protocols

SecureStorage

Server

COTS or Custom H/W platform (based on PowerQUICC / QorIQ processors)

Network AttachedStorage Linux or 3rd Party OS from OS Partners

MPC 83xx or MPC 85xxThis is a simple representation

of a complex solution.

QoS

Access Control and Authentication

SSLVPN

Configuration, management and logging

Backup management (cloud agent)

Media server and sharing

Open services for 3rd party apps

Configuration, management and logging

Functions from FSL Functions from Ecosystem Partner/CustomerDiagram Key:


Hardware Partners and ODMs

RTOS and Tools and Development

Independent Software Vendors

System Integrators

Software Design and Development

Integration, Testing, Support and Maintenance

Hardware Design and Development

26

Third-Party Partners

Optimal Use of Processor Resources

http://www.siliconturnkey.com/index.html

http://www.bitdefender.com/


Expanded Ecosystem

Provides flexibility and choice of vertical market solutions

27

Complex NetworkingApplications

and Equipment

VortiQa Software

Example verticals:-UTM appliances-Secured routers-Small business gateways-Residential gateways

OPEN SOURCE Software

Example verticals:-PBX-NAS/storage

Independent Software Vendors

Example verticals:-LTE/4G wireless-NAS/storage-Unified communications-Small business gateways-Video conferencing-Triple play


Why Our Approach is Better

28

►Freescale is tackling the multicore software problem head-on

►Ecosystems are required when it comes to embedded multicore and most include software, and Freescale pairs production-ready software with a world-class ecosystem

►We believe that the best way to help customers get up and running quickly on multicore technology is to provide off-the-shelf, pre-parallelized application software that is optimized for our specific communications platforms


Business Model


Software Business Model

Terms and Deliverables

30

LICENSING DELIVERABLES SUPPORTDevelopment license •Source license•Terms: ability to modify, enhance, make derivatives

Run-time distribution license•License to sublicense only in binary form as included with FSL silicon based hardware product

Term•Five years with automatic annual extensions thereafter

Indemnity•Covered for software delivered by Freescale

Warranty•30 days initial warranty•Thereafter, defects are covered under support agreement

Toolkit libraries• Library files required to complete

integration and link with customer application modules

• Complete source code and make files for customer to modify the product, integrate and link with other application modules

Other deliverables•Release notes•Image on target platform

To jumpstart the usage of the product by development team

•API documentation•User/Admin guide for GUI/CLI where applicable•Test documents including test reports, test plans and test cases

Term of support• Minimum of 2 years subject to

support payments• Support provided for current

release and most-recent previous release

Training• Fee based training either onsite

or Freescale location

Modes of support• Telephone• Email• Instant messaging• Web-based defect tracking

system


Roadmap


Roadmap

VortiQaProduct

Line

VortiQa for Service Provider

Equipment

VortiQa for Enterprise Network

Equipment

VortiQa for Small Business

Gateways

VortiQa for SOHO/

Residential Gateways

Roadmap IPv6 FirewallIPv6 VPNIPv6 IPS

IPv6 Firewall IPv6 VPNIPv6 IPSIPv6 AntivirusIPv6 Anti-spamWAN Optimization

TR-098 FirewallTR-098 VPN TR-104 VoIP

TR-098 FirewallTR-098 VPN


Summary


Summary

34

►VortiQa software on QorIQ and PowerQUICC processors• Answer to challenges faced by the network equipment vendors

Functionality including networking and security functionsHighly optimized and performance tuned solution to get the most out of Freescale silicon capabilitiesCost-effective mechanisms to go to marketCost-effective mechanisms to maintain the productAccelerate time to market with a comprehensive system solution –not just silicon or softwareSupport from the developers who have experience with silicon and software

• Expanded ecosystem working with independent vendors


Optimization Techniques

► Run to completion• All cores run all software pieces• No pipe lining (traffic patterns are different and

difficult to divide the work evenly)

► Usage of OS/hardware specific locks to protect critical sections.

• Read and write locks • Thread semaphores• RCUs for lookup tables and configuration structures

► Session parallelization• Maintain FIFO order of packets within a session,

tunnel• Eliminate the locks in packet processing

► Packet ordering capability to reduce duplicate session/tunnel creation

• Wherever possible takes advantage of hardware features

► Avoiding garbage collection of run time entries• No timer based garbage collection (if timer is small,

may lead to system instabilities; if timer is high, may lead to memory exhaustion)

• One timer per session

► Usage of software directed pre-fetching capabilities:• Prefetch session entry, tunnel entry while doing some

operations

► Statistics • Maintained on per core basis for sessions/SAs• Consolidated as part of management API• Global statistics using decorated storage (no locks

necessary)

► Memory pools• Maintained on per core basis

► Cache optimizations• Keep the relevant members together• Code related to common processing functionality

together (via likely/unlikely compiler directives)• Asynchronous usage of hardware accelerators

IPsec offload accelerator Pattern matching accelerator (used by IPS, application detection modules)

► Hardware cache stashing • P4080 capability to stash the cache with user defined

memory location and also some part of packet buffer

► Reuses hash generated by hardware (avoid calculation of hash for lookup tables)

► Leverage:• Hardware field extraction• BMAN for packet buffer allocation and free• QMAN for inter core queuing


VortiQa for Enterprise on SMP OS – Ex: Linux®

Memory API

TCP/IP API(Route lookup,

IP Address,Transmit Pkt)

Synchronization Locks

Tasklet API

Pkt Reception(NetFilter Hooks)

VortQa(Kernel Space)

VortiQa(User Space)

TCP/IP OS

Char Driver (For Configuration)

Libc functionsSocket library

Pthread libraryOpenssl Library

Kernel Space

User Space

► Architecture Overview• For every OS related function, VortiQa

defines a wrapper function

• VortiQa modules never invoke any OS related functions directly. Rather they use wrapper functions. This allows portability of VortiQa modules across different OS

• Character device driver is used for communication between kernel space modules and user space applications

• Loopback sockets (or Unix domain sockets) are used to communicate between user space processes

• User processes: State machine oriented. Multiple threads may be present, but each thread handles multiple sessions (Eg. IKEv1/IKEv2, Proxies for AV/AS)


VortiQa Software for Enterprise Equipment

► Security architecture• VortiQa modules IPSEC-VPN, IPS,

traffic mgmt registers to firewall ecosystem

• VortiQa core security session management module – firewall captures packets from TCP/IP stack

• After firewall functionality (policy enforcement, attack verifications) done, session management ecosystem dispaches packets to registered modules in priority basis

• IPSEC-VPN, IPS may use their hardware ecosystem interface to utilize hardware accelerator services

• Each module may consume or return packets to firewall ecosystem

• Firewall ecosystem finally dispatches packets onto network

SSL - VPN Antivirus

Pkts OUT

Pkts IN

Pkts IN

Session Management

IPsec VPN

IPS

Traffic Mgmt

Ecosystem Infrastructure

Glue Layers

Hardware Accelerator SDK(DFA/Crypto,etc)

Packets OUT

Hardware Eco-System

Hardware Eco-System

TCP/IP Stack

Firewall


Functionality Differentiation Between Various Products – Recap

39

VortiQa software for Key Feature / Benefit

Service Provider Equipment

Enterprise Equipment

Small Business Gateway

SOHO / RG

Common Utilities and Network Access Function

DHCP server, client, relay, DNS relay, Dynamic DNS etc




Stateful Packet Inspection (SPI) Firewall and NAT

SPI Firewall, 1/1 & n/1 NAT, Application Filters, Multi-cast Firewall, Association Reservation, Fine grained configuration

SPI Firewall, 1/1 & n/1 NAT, Application Filters, Multi-cast Firewall, Association Reservation, Fine grained configuration

SPI Firewall, 1/1 & n/1 NAT, Medium grained configuration

SPI Firewall, n/1 NAT, Easy & intuitive configuration

IPS Deep Packet Inspection, P2P/IM detection

Deep Packet Inspection, P2P/IM detection

VPN IPSec, IKEv1, IKEv2 & PKI IPSec, IKEv1, IKEv2 & PKI IPSec, IKEv1 & PKI IPSec, IKEv1

Anti-X Anti-Virus, Anti-Spam

High Availability Active – Backup high-availability

Configuration Management Interfaces

Extensive CLI and Programmatic API

Extensive GUI, CLI and Programmatic API

Extensive CLI, GUI, Programmatic API and TR-069 & TR-098 support

Extensive CLI, GUI, Programmatic API and TR-069 & TR-098 support

QoS and Traffic Management

Layer 3 Traffic Shaping & Traffic Policing

Layer 3 Traffic Shaping & Traffic Policing

ToS based QoS ToS based QoS

Virtual Security Gateways

Multiple Virtual Security Gateways support


Example Business Model Template

VortiQa Software for SOHO/Residential Gateways

40

Source code Development License

Dollar amount

Per unit Run-time License Dollar amount

Annual Support & Maintenance (200 person-hour block)

Dollar amount

Professional Services (if applicable)

Based on effort

estimates

Option 1 Option 2

Source code Development License

Dollar amount

Per unit Run-time License% of

Invoice ASP

Annual Support & Maintenance

(200 person-hour block)

Dollar amount

Professional Services (if applicable)

Based on effort

estimates

vortiqa networking and security software - freescale

Documents