GFTs, Hyperscaler Magic Pixie Dust
Scott Schweitzer, CISSP
Positioning Achronix FPGAs as 400GbE DPU Leaders
Recent experience has shown that hyperscalers are gaga about Generic Flow Tables (GFTs) because they appreciate the importance of improving latency by fast-tracking networking flows and understand the hidden value of flow-tracking data. Then there's the underlying element of control. Depending on your networking requirements, your need for a "Lite" versus a "Full-featured" set of GFTs can vary. On the surface, the difference between a GFT record size for a lite table versus a full-featured one could be on the order of 64 bytes, not much, honestly, but this is a problem of scale, and it will quickly translate into gigabytes. For example, vendors commonly requested that GFTs track 16 million active flows per pair of 100 GbE links. Today, we're designing SmartNICs for 400 GbE, so tracking has to be scaled to support 64 million active flows. These numbers are table stakes and commonly accepted throughout the industry. Multiply that by an additional 64 bytes per flow, and we're talking about another four gigabytes of very fast memory to house the GFTs. So what constitutes a lite versus a full-featured table?
Like a traffic cop at a busy intersection, a GFT with lite table records, by definition, associates a specific flow with an action. The sole function of this table is extreme performance-based access control and routing. The GFT can quickly and easily fast-track subsequent packets for known flows by rapidly dropping, passing, or modifying them. Fast-tracking steers a packet to a direct memory access (DMA) ring for rapid transmission into host memory. Flows are defined by their five-tuple, a grouped set of five values: typically the source and destination address, the source and destination port, and the protocol of a given packet. Assuming the GFT supports IPv4 and IPv6, a lite GFT record could be packed into less than 64 bytes. Some might argue that mathematical tricks could further reduce the record size by sacrificing some accuracy. Still, those tricks cost clock cycles for each packet transiting the GFT pipeline stage, and time is one of the most precious assets when fast-tracking packets. Also, knowing how computers store and retrieve data, a case could be made to retain a record size of 64 bytes, as memory accesses using smaller, especially odder, sizes could prove significantly less efficient. A lite GFT record of 32 bytes would be ideal, but that is impractical, as each of the two IPv6 addresses is 16 bytes, and we still have to include the ports, protocol, and action.
By contrast, a full-featured GFT record could retain and report all the flow data one would typically collect from enterprise-class network switches. This data, especially in a highly virtualized environment at the server level, can be of enormous value, particularly to hyperscalers. Bumping the GFT record size up to 128 bytes is enough to provide this level of flow data reporting. Furthermore, if this flow table is stored in a high-speed memory subsystem like GDDR6, performance further benefits from these records being in multiples of 32 bytes.
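To make the sizing argument concrete, here is an added example (my own illustration, not Achronix code or any vendor's record format) of a lite 64-byte record holding the five-tuple plus action, a full-featured 128-byte record extending it with switch-style flow statistics, the memory arithmetic for the 16 M and 64 M flow counts quoted above, and the fast-path lookup that maps a packet's five-tuple to its stored action. All field names, the action encoding and the statistics chosen for the full record are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Lite record: five-tuple plus action, packed into one 64-byte line. IPv4
 * addresses are stored IPv4-mapped in the 16-byte fields so one layout
 * serves both families. Field names are assumptions, not a vendor spec. */
enum gft_action { GFT_DROP = 0, GFT_PASS = 1, GFT_MODIFY = 2 };
struct gft_lite_record {
    uint8_t  src_addr[16], dst_addr[16];   /* five-tuple: addresses   */
    uint16_t src_port, dst_port;           /* five-tuple: ports       */
    uint8_t  protocol;                     /* five-tuple: IP protocol */
    uint8_t  is_ipv6;                      /* address family flag     */
    uint8_t  action;                       /* enum gft_action         */
    uint8_t  dma_ring;                     /* host DMA ring when fast-tracked */
    uint8_t  reserved[24];                 /* pad to 64 bytes         */
};

/* Full-featured record: the lite record plus switch-style flow statistics,
 * rounded up to 128 bytes (a multiple of 32 for wide-memory bursts). */
struct gft_full_record {
    struct gft_lite_record lite;
    uint64_t packets, bytes, first_seen_ns, last_seen_ns;
    uint32_t vni;                          /* overlay/tenant id (assumed) */
    uint16_t vlan;
    uint8_t  tcp_flags_seen, tos;
    uint8_t  reserved[24];                 /* pad to 128 bytes        */
};
_Static_assert(sizeof(struct gft_lite_record) == 64, "lite record must be 64 B");
_Static_assert(sizeof(struct gft_full_record) == 128, "full record must be 128 B");
/* Flow counts the article treats as table stakes. */
#define GFT_FLOWS_100G_PAIR (16ULL << 20)   /* 16 M flows per 100 GbE pair */
#define GFT_FLOWS_400G      (64ULL << 20)   /* 64 M flows at 400 GbE       */
/* Bytes of flow-table memory for `flows` records of `record_size` bytes. */
uint64_t gft_table_bytes(uint64_t flows, size_t record_size) {
    return flows * (uint64_t)record_size;
}
/* Extra memory a full-featured table needs over a lite one for `flows`. */
uint64_t gft_full_overhead_bytes(uint64_t flows) {
    return flows * (uint64_t)(sizeof(struct gft_full_record) - sizeof(struct gft_lite_record));
}

/* Fast path: match the five-tuple (every byte before `action`) and return
 * the stored action, or -1 to hand the packet to the slow path. */
int gft_lookup(const struct gft_lite_record *table, size_t n,
               const struct gft_lite_record *pkt) {
    for (size_t i = 0; i < n; i++)
        if (memcmp(&table[i], pkt, offsetof(struct gft_lite_record, action)) == 0)
            return table[i].action;
    return -1;
}
```

With these layouts, 64 M flows cost 4 GiB for a lite table and a further 4 GiB for the full-featured one, which is the "four gigabytes" of extra fast memory the article quotes.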
So what are the benefits of a full-featured GFT with 128-byte flow records to hyperscalers or large enterprises:
Throughout this article, I talk about GFTs in the plural because some implementations might want to leverage more than one GFT within a SmartNIC, for example ingress and egress GFTs with different attributes and features. There are several other use cases for multiple levels of GFTs, but for today, this is as far as we can go. Next, we'll discuss the access control use cases around a well-structured GFT.
If you're reading this and found the above interesting but are not planning to attend the SmartNIC Summit in San Jose in mid-June, you should rethink that decision. We will have a fantastic collection of professionals in the field of SmartNICs there holding talks, panels, and exhibiting the latest in technology. If this is your jam, I'd strongly recommend registering to attend.
Vice President - Dispersive
1 year: Not to mention, though, that most flows are now "to the cloud," which means that blocking based on IP information has become of decreasing value, e.g. multi-site IPs and CDNs are transits for so many domains that blocking at the IP layer is now less relevant and effectual.
FPGA Engineer at Major defense contractor
1 year: Looking forward to it.