Mellanox is very excited to introduce ConnectX-6 Dx and BlueField-2 SmartNICs and I/O Processing Unit (IPU) solutions, enabling the next generation of clouds, secure datacenters and storage platforms. ConnectX-6 Dx and BlueField-2, with their cutting-edge hardware acceleration engines powered by best-in-class software programmability, are set to revolutionize the way hyperscale giants, enterprises, and telecom providers build secure and highly efficient cloud data-centers. The new Mellanox SmartNICs will become available in the market later this year.
This is a first of a series of blogs supporting the launch, which focuses on key security offerings of ConnectX-6 Dx SmartNICs and BlueField-2 IPU-based programmable SmartNICs.
How ConnectX-6 Dx and BlueField-2 SmartNICs Make Secure Cloud Possible
Security has become an immense challenge in cloud data-centers. The perimeters around data, scattered across the enterprise data-center and multiple service providers, are often broken. Factor in the added complexities of infrastructure virtualization and levels of attacks, and you get an enterprise that is extremely vulnerable to multiple attack vectors and potential breaches. Finally, the lack of visibility and control is error-prone, posing limitations on service providers and enterprises to implement effective security strategies.
Mellanox ConnectX-6 Dx and BlueField-2 SmartNICs transform data-center security by introducing innovative hardware engines that enable cybersecurity solutions including scalable crypto, resilient next-generation firewalls, and more. The following illustration describes the security engines in ConnectX-6 Dx SmartNICs.
ConnectX-6 Dx SmartNICs deliver a wide range of security engines for accelerating cloud data-centers. These provide the highest performance by offloading network processing from the CPU, freeing it up for money-making applications. ConnectX-6 Dx SmartNICs enable secure cloud use cases that previously were either impossible or too expensive to consider using conventional NIC solutions. As the best price/performance SmartNIC solution in the industry, ConnectX-6 Dx offers the perfect balance of purpose-built hardware acceleration, software programmability and advanced functionality.
The following illustration describes the security engines in BlueField-2 IPU-based programmable SmartNICs:
Mellanox BlueField-2’s IPU-based programmable SmartNICs combine 64-bit Arm multi-core processing power with ConnectX-6 Dx advanced network and security offloads to accelerate a multitude of security applications at speeds of up to 200Gb/s Ethernet or InfiniBand. BlueField-2 offers high-performance, software programmable, networking capabilities for customizing and optimizing both control and data path operations.
BlueField-2 SmartNICs also take bare-metal clouds to new levels of functionality previously unseen in the market, including software-defined networking capabilities, storage disaggregation and enhanced security.
Welcome to the Encrypted Data-Center
Following the paths of hyper-scale cloud giants Google and Facebook, Mellanox recognizes that encryption is a prominent approach used in securing data-center connectivity, and in turn, customer data and privacy. At times when east-west communications dwarf the amount of data going in and out of data-centers, doing encryption inside the data-center feels like an impossible mission, since applying encryption would make performance and customer experiences take a massive hit. Introducing purpose-built hardware accelerators for IPsec and TLS data-in-motion encryption, and XTS-AES data-at-rest encryption – Mellanox ConnectX-6 Dx and BlueField-2 SmartNICs make the impossible possible! Unlocking unmatched network performance and efficiency for securing data-center connectivity, web application delivery, and data storage systems, these new hardware engines offload the crypto operations for encryption/decryption from the host’s CPU to the SmartNIC.
Let’s take a closer look into the advanced crypto acceleration engines: IPsec and TLS inline encryption offloads address various communication encryption use-cases. As inline offloads, IPsec and TLS can be leveraged in conjunction with additional SmartNIC offload capabilities. Some notable examples for this type of application is deploying encrypted RoCE communication for secure node access to an NVMe storage device, and secure AI training operations. Both ConnectX-6 Dx and BlueField-2 outperform competing solutions by offering inline accelerated IPsec and TLS combined with best-in-class RoCE performance.
Another interesting use-case is deploying encryption in transparent IPsec mode. In this scenario the host sends/receives clear packets to/from the network, while the BlueField-2 SmartNICs add the encryption/ decryption pieces, establishing a secure and high-performance IPsec tunnel that connects the host to the network. For clarity, transparent IPsec mode means the host is completely unaware of the added encryption, as its wholly implemented in the SmartNIC. Transparent IPsec is ideally positioned for both bare-metal clouds where the host is not controlled by the cloud operator, and legacy environments that require encryption – deploying BlueField-2 SmartNICs in those environments enables secure cloud connectivity with minimal impact on workloads and service availability.
Finally, BlueField-2 IPU-based programmable SmartNICs provide a complete set of encryption and key infrastructure engines in hardware, including a true random number generator (TRNG), built-in PKI engine, and a secure key store that holds sessions keys’ encrypted in memory, that are only accessible to the hardware crypto engine. The PKI engine accelerates public-key operations that are used by OpenSSL and similar open-source libraries. The solution may be integrated with a central key manager to generate, store and rotate encryption keys, for improving scalability and operational agility
Redefining Next-Generation Firewalls
In the age of cloud computing and software-defined everything (SDx), security functions, having undergone a transformation, are being deployed at every host to provide visibility into, and enforcement of, a strict policy. This transformation calls for network solutions that deliver the maximum in speed and agility.
ConnectX-6 Dx and BlueField-2 SmartNICs best address this challenge, by delivering the latest generation of Mellanox ASAP2 – accelerated switching and packet processing technology. At the heart of ASAP2 is the “eSwitch” – an embedded switch built into Mellanox SmartNICs. The beauty of the eSwitch lies in how it allows the SmartNICs to handle a large portion of the packet processing operations in hardware, freeing up the host’s CPU, and providing high-throughput connectivity for virtual machines/containers. ASAP2 technology supports a range of network offload capabilities for Openvswitch (OVS) datapath and Linux Kernel TC, among network stacks.
Leveraging the Mellanox SmartNICs, the hardware-based eSwitch can be programmed to classify packets according to key fields (IPv4, IPv6, TCP, UDP, VXLAN and more), and perform actions like allow, deny, sample, etc., at full wire-speed! The following diagram illustrates the eSwitch flow-based classification and action model.
An important enhancement to the Linux kernel was made recently for offloading the tracking of TCP connection states to the SmartNIC hardware. The connection tracking (CT) offload capability enables stateful connection-based filtering. This on top of the existing ASAP2 offload capabilities of L3/L4 packet filtering in hardware presents breakthrough functionality for our customers and partners, allowing them to implement next-generation firewalls by leveraging the Mellanox SmartNICs to achieve unmatched performance, scale and efficiency.
Moreover, ConnectX-6 Dx and BlueField-2 maintain full backward compatibility while leveraging existing ASAP2 implementations, allowing customers and partners to benefit from enhanced capabilities, with a smooth transition path from previous ConnectX and BlueField generations.
BlueField-2 Programmable SmartNICs Turn Zero-Trust to Hero-Trust
There is a saying in cybersecurity: “There are two types of organizations: Those that know they’ve been hacked, and those that don’t know it yet…”
By focusing on the security side of things, how can one protect the host from compromise if the potential attacker, protected data, and security function all share the same trust domain (the host)?! As zero-trust takes ground as a prominent cloud security model, enterprises and cloud service providers need to adapt their infrastructures to separate the security functions from the host to realize the full potential of zero-trust in the data-center.
Due to its unique form factor and features, a BlueField-2 SmartNIC installed in a host can act as a “computer-in-front-of-a-computer,” enabling security functions to run on its Arm cores, fully isolated from the host’s CPU and operating-system. This isolation is key in making BlueField-2 work best for zero-trust security solutions, as it delivers the needed separation of the security functions from the host, while delivering unmatched performance. In the event a host has been compromised, the separation between the security functions and the compromised host helps stop the attack from spreading further throughout the data.
Mellanox BlueField-2 also is the perfect solution for enterprises that are reluctant to deploy security functions and/or agents directly on their computing infrastructures. Enterprises want and need visibility into workloads and to enforce their security policies in the data-center. However, the presence of legacy applications, compliance regulations and DevOps processes, often do not permit the deployment of agents. The resultant lack of visibility leaves enterprises with infrastructure silos where security policy enforcement cannot be applied. In these scenarios, the deployment of security agents onto BlueField-2, fully isolated from the host system, enables enterprises to gain visibility as well as enforce a consistent security policy across their infrastructures. In addition, the BlueField-2 programmable SmartNIC also features a dedicated out-of-band management port for empowering security management tools to deploy and orchestrate security agents on the device over an isolated network. Deploying agents on BlueField also unlocks server performance and is ideal in bare-metal and Kubernetes environments.
Continuing Mellanox’s innovation in high-performance cloud fabrics, ConnectX-6 Dx and BlueField-2 make the impossible possible by bringing cutting-edge hardware acceleration engines with best-in-class software programmability, for enabling next generation of clouds, secure datacenters and storage platforms. Stay tuned as we continue to bring new products to market in 2019 and beyond.
Thanks to Ariel Kit and Barbara Claman for their great contribution in drafting this blog.
To learn more about ConnectX-6 Dx and BlueField-2 SmartNICs and IPU solutions, check out these supporting resources:
- Mellanox’s press release
- Video – Introducing Mellanox ConnectX-6 Dx SmartNICs
- Video – Introducing BlueField-2 IPU and Programmable SmartNIC Solutions
- Mellanox ConnectX-6 Dx product page
- Mellanox BlueField-2 IPU product page
- Eye on Mellanox: How Mellanox BlueField SmartNICs Transforms Bare-Metal Clouds
Visit Mellanox at booth #1463 at VMworld 2019, San Francisco, CA on August 25-28 where you can learn more about the benefits of the Mellanox ConnectX-6 Dx and BlueField-2, the industry’s most advanced secure cloud SmartNICs.