Pigasus: Achieving 100Gbps Intrusion Prevention on a Single Server, Zhipeng Zhao (CMU)

Monday, November 16, 2020
Location: Zoom
Time: 1:30PM-2:30PM

Abstract

Intrusion Detection and Prevention Systems (ID/PS) are among the most demanding stateful network functions. Today's network operators are faced with securing 100Gbps networks with 100K+ concurrent connections by deploying ID/PSes to search for 10K+ rules concurrently. In this project, we set an ambitious goal: Can we do all of the above in a single server? Through the Pigasus ID/PS, we show that this goal is achievable, perhaps for the first time, by building on recent advances in FPGA-capable SmartNICs. Pigasus' design takes an FPGA-first approach, where the majority of processing, and all state and control flow, are managed on the FPGA. However, doing so requires careful design of algorithms and data structures to ensure fast common-case performance while densely utilizing system memory resources. Our experiments with a variety of traces show that Pigasus can support 100Gbps using an average of 5 cores and 1 FPGA, using 38x less wattage than a CPU-only approach.

Bio

Zhipeng Zhao is a PhD candidate in the ECE department at Carnegie Mellon University, where he is advised by James Hoe and works closely with Justine Sherry and Vyas Sekar. His research interests lie at the intersection of FPGA and networking. Prior to joining CMU, he received both his B.S. and M.S. degrees in Electrical Engineering from Beihang University, China.