Editor Note: This post was originally written by Suresh Krishnan for Kaloom’s website. We are re-publishing it here (with permission) as it nicely outlines how Kaloom is using P4 in their security and networking slicing solutions.
For the last few decades, network engineers have had to choose between performance (using purpose-built ASICs) and flexibility (VMs running on CPUs), or a third option based on network processors (NPUs) trying to find some sort of middle ground. Recently P4, a language specifically developed for programming the data plane of network devices, has succeeded in enabling packet processing devices that offer programmability without penalty on performance. Now, this technology is being made applicable to nearly all networking-related hardware, not just high-performance Ethernet ASICs but also FPGAs and general-purpose CPUs.
P4 opens the possibility of future-proof solutions, empowering developers to write new, P4-programmable code, allowing customers to drive the innovations they require for their network. For example, engineers can add new features and services to their network devices at runtime. Further, network administrators can avoid vendor lock-in by eliminating the need to wait several years for new features in silicon upgrades.
Measure Twice, Code Once
For Kaloom, P4 enables the same code to be compiled and then optimized depending on the requirements of the hardware, which is chosen to meet the needs of the clients’ environments. This is what Kaloom is doing in the context of its 5G user plane function (UPF), a fundamental component of 3GPP 5G architecture. UPF facilitates disaggregation of the control and data planes to deliver functionality such as network slicing and cloud-native capabilities for service-based architectures.
Specifically, P4 code is written and exhaustively verified once, and then deployed on the right hardware for the applications’ environment. This allows the use of “best of breed” hardware for a given set of required features, characteristics, and functionalities. For example, Kaloom can optimize its P4 software to run in a low-touch environment using Ethernet ASICs such as Intel® Tofino and deliver multi-Tbps capacity. It can also be implemented in a medium-touch deployment by utilizing FPGAs and SmartNICs. In particular, running the same 5G UPF data plane P4 code from Tofino on an FPGA, such as Intel® Stratix® 10, empowered Kaloom to dramatically scale its solution from supporting hundreds of thousands of sessions to millions. Similarly, the P4 code can be instantiated for a high-touch environment (e.g. DPI) on general purpose CPUs such as Intel® Xeon® Processors.
Security and Network Slicing
Being based on well-established core underlying technologies, Kaloom’s solutions can deliver military-grade security by utilizing Security-Enhanced Linux (SELinux), a security architecture initially designed by the National Security Agency (NSA). Kaloom also leverages cgroups, a Linux kernel feature that limits, accounts for, and isolates the resource usage of a collection of processes such as CPU time, system memory, network bandwidth, or combinations of these resources. Users can monitor the cgroups they configure, deny cgroups access to certain resources, and even reconfigure cgroups dynamically during runtime. Further, Kaloom uses network namespaces, as well as other containerization technologies provided by the Linux kernel, as lightweight mechanisms for resource isolation. Together, all of these make cloud native and P4-based solutions highly secure.
Kaloom solutions enable fully virtualizable fabric slicing with its vFabric capabilities. vFabric delivers a fully elastic and isolated network domain that is provisioned in software to deliver integrated network services. Further, each domain can be assigned different qualities for varying use cases or to meet unique SLAs. For example, they can be part of a virtual data center (vDC) for operators to offer various cloud services and each vFabric can simultaneously host millions of cloud service users (e.g., tenants). The use of a P4-based programmable fabric and networking functions can also greatly reduce the attack surface.
P4 – Hitting its Hetereogeneous Stride
The good news is the industry is embracing P4 as the domain specific language for networking. P4.org has well over 100 members including vendors, networking industry giants, and academia. Last year, P4.org merged with the Open Networking Foundation (ONF) and is now being utilized by several other open source projects under ONF’s umbrella. P4 is also being leveraged by leading networking equipment vendors through the use of either P4-programmable merchant or in-house silicon.
The Kaloom data plane can execute on any of the Tofino-based ODM platforms from Accton/Edgecore, Delta Networks, Inc./DNI, Foxconn/UfiSpace, Interface Masters Technologies, to Inventec and STORDIS. These varying platforms illustrate Kaloom’s heterogeneous device strategy, as we want our customers to run their networks on the equipment that best meets their needs. An open, diversified hardware strategy is a key component of true open source systems, which enables service providers to enjoy more control and flexibility, allowing them to drive a more rapid pace of innovation.
Getting it Right the First Time…
There is little doubt that everybody else will join the P4 party in due course, with full embrace of the open source, domain-specific language of P4. The need for programmability is more evident than ever, even with earlier cynics now adopting it with their own proprietary derivatives of P4, which are not accessible to end-users. Kaloom’s offerings fully encompass the open P4 ecosystem, enabling our customers to have full control of their network.
The bottom line? In choosing P4, we believe we made the right strategic choice to start with, and it will remain the foundation of our software-based networking platform. We count on it to provide the highest degree of flexibility that our customers require!