DPDK Acceleration Challenges and Exploring PF_RING ZC as a Superior Alternative

Introduction

In most scenarios requiring high-speed traffic processing today, DPDK acceleration is primarily used for efficient packet handling. Despite being open-source and free, DPDK’s API is quite simple, which makes development very complex, time-consuming, and difficult to implement. Consequently, many are looking for alternatives, such as the HONGKONG PF_RING ZC.

DPDK acceleration >

Detailed Comparison

DPDK

If you are an experienced developer (unfortunately, the DPDK API is very simple), you need to write your application from scratch. You can use all DPDK API calls to allocate/manage packets. You must be familiar with the NIC you are using.

For instance: Suppose you are using Intel X710/XL710, Intel’s current flagship 10/40 Gbit adapter. When you enable jumbo frames, the NIC returns 2K long RX packets (for example, if you have an incoming 5k packet, you receive part of 2 x 2K buffers and the remaining 1k buffer). If you wish to send a packet, its size is 9K (you, therefore, need to send 1x8K partial buffer and the remainder in the subsequent buffer). Essentially, developers must know this, be prepared to handle these issues with their applications, and ensure that when you switch to another NIC that does not work this way (e.g., Intel X520/X540), you can handle jumbo frames.

PF_RING ZC

In contrast, in PF_RING ZC, memory buffers are allocated by the library according to MTU. No matter what network card you use, the library will always return complete packets (i.e., these packet segments in the buffer are never exposed to the user, and the developer’s only responsibility is to ensure that their application can handle jumbo packets. Using the PF_RING ZC API, developers do not need to remember the hardware details of the NIC, nor do they need to change a line of code. Simply change the device name from:

Code language: javascriptCopy

-i eth1

to

Code language: javascriptCopy

 -i zc:eth13

to transfer applications across different hardware devices.

Comparison

  1. ZC requires a small license fee, while DPDK is free;
  2. The performance of DPDK and ZC is generally on par;
  3. ZC provides an easy-to-use application layer API, making development significantly less complex than with DPDK;

API Provided by PF_RING ZC

PF_RING™ ZC comes with a simple API that allows the creation of a complex application with just a few lines of code. The example below demonstrates how to create an aggregator + load balancer application in 6 lines of code.

DPDK acceleration >

PF_RING ZC Accelerates Zeek

Zeek is an open-source network traffic analyzer. Many users employ Zeek as a Network Security Monitor (NSM) to assist in the investigation of suspicious or malicious activities. Zeek also supports a variety of traffic analysis tasks beyond the security domain, including performance evaluation and troubleshooting. Using the PF_RING ZC (zero copy) driver provides extremely high-speed packet capture/transmission, significantly enhancing Zeek’s traffic processing capability.

Using Suricata with PF_RING

Suricata is a free, open-source, mature, fast, robust network threat detection engine. The Suricata engine can conduct real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM), and offline pcap processing. Suricata uses a powerful and comprehensive rules and signature language to inspect network traffic, making it highly versatile. Using PF_RING ZC allows you to use Suricata at high speeds in IDS and IPS modes.

High-Speed Data Acquisition with Snort

Many users are also benefiting from PF_RING™ ZC’s speed when using Snort, one of the most popular IDS/IPS. The PF_RING™ ZC (Snort Data Acquisition) library increases speed by 20% to 50% compared to the standard PF_RING™. It can operate in both IPS and IDS modes.