A 40 Gbit/s Bump-in-the-Wire

Feb. 7, 2011
Cavium Networks Nitrox DPI II is designed to be just a small bump in the 40 Gbit/s wire providing deep packet inspection at line speeds.

Fig. 1. Nitrox DPI II architecture

Fig. 2. DPI automata comparison

Fig. 3. Nitrox DPI II operating modes

Fig. 4. Nitrox DPI II inline mode

Cavium Networks is well known for its network security processors and multicore network processors (see Multicore Chip Handles Broadband Packet Processing). Its new Nitrox DPI II (Fig. 1) is designed to be just a small bump in the 40 Gbit/s wire. It provides deep packet inspection (DPI) at line speeds.

The Nitrox DPI II handles incoming and outgoing network flows itself. The flow and inspection managers can handle conventional filtering operations, but the heavy lifting for DPI is done by the hyper finite automata (HFA) engines. HFA provides better performance (Fig. 2) than the alternatives: deterministic finite automata (DFA) and non-deterministic finite automata (NFA). Some of Cavium's earlier products used these techniques, but the last and latest platforms use HFA exclusively.

The HFA compiler transforms the regular expressions normally used to define the DPI process into a system that is stored in the Nitrox DPI II's memory. This is used when scanning the stream of incoming packets. It can handle protocols, viruses and other information that requires over half a dozen packets to be scanned. DFA and NFA tend to slow down as the scanning depth and the number of rules increase.
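The following is an added illustration, not code from the article and not Cavium's HFA, whose internals the article does not describe. It compiles literal signatures into a DFA-style Aho-Corasick automaton and carries the automaton state across the packets of a flow, so a signature split over several packets is still matched. The signature names, payloads and in-order packet delivery are constructed assumptions.

```python
from collections import deque

def compile_signatures(signatures):
    """Compile {name: bytes} into Aho-Corasick tables (goto, fail, out)."""
    goto, fail, out = [{}], [0], [set()]
    for name, pattern in signatures.items():
        state = 0
        for byte in pattern:
            if byte not in goto[state]:
                goto.append({})
                fail.append(0)
                out.append(set())
                goto[state][byte] = len(goto) - 1
            state = goto[state][byte]
        out[state].add(name)
    queue = deque(goto[0].values())      # depth-1 states fall back to the root
    while queue:                         # breadth-first: shallower links are final
        state = queue.popleft()
        for byte, nxt in goto[state].items():
            f = fail[state]
            while f and byte not in goto[f]:
                f = fail[f]
            fail[nxt] = goto[f].get(byte, 0)
            out[nxt] |= out[fail[nxt]]   # inherit signatures ending at the suffix
            queue.append(nxt)
    return goto, fail, out

def scan(automaton, payload, state=0):
    """Scan one payload from `state`; return (hits, state after last byte)."""
    goto, fail, out = automaton
    hits = set()
    for byte in payload:
        while state and byte not in goto[state]:
            state = fail[state]
        state = goto[state].get(byte, 0)
        hits |= out[state]
    return hits, state

def inspect_flow(automaton, packets, keep_state):
    """Scan in-order payloads of one flow, optionally resetting per packet."""
    state, hits = 0, set()
    for payload in packets:
        found, state = scan(automaton, payload, state if keep_state else 0)
        hits |= found
    return hits

# Constructed sample data: two overlapping signatures, one flow of three packets.
SIGNATURES = {"marker": b"EXAMPLE-MARKER", "short": b"MARK"}
PACKETS = [b"GET /index EXAM", b"PLE-MAR", b"KER and more"]
AUTOMATON = compile_signatures(SIGNATURES)
```

Per-packet scanning finds nothing in this flow because no single payload contains a whole signature; per-flow scanning costs one integer of state per tracked flow.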

The Nitrox DPI II has three operating modes (Fig. 3). It can be used as a coprocessor, where the host handles all network traffic and passes packets off to be processed by the chip. It can also be used as a NIC (network interface card), where the Nitrox DPI II handles incoming and outgoing traffic but packets are handed off to the host. This allows the chip to be an augmented NIC providing packet inspection as necessary. Finally, there is a standalone inline mode (Fig. 4). In this case, the chip passes packets through, performing packet inspection as necessary. A host processor typically configures the system, or configuration can be done during the boot process. The chip can also be configured using the network interface.

Deep packet inspection is becoming a requirement for addressing real-time flows to detect protocols, viruses and other information. Its performance means the Nitrox DPI II will not be a bottleneck but rather just a small bump in the road.

About the Author

William G. Wong | Senior Content Director - Electronic Design and Microwaves & RF
