Pensando Virtual Pipeline Sampler

Key Learning Outcomes

After completing this course, you will be able to:

• Install and operate each of the P4 pipelines in the two use cases
• Understand and articulate the flow-level stateful P4 coding pattern for uses cases requiring  tracking flow knowledge
• Understand and articulate the packet-level stateful P4 coding pattern for use cases requiring tracking packet knowledge over time
• Be comfortable in enhancing and extending the P4 coding patterns, presented in the course, to address new use cases
• Have a firm grasp on how Pensando technology could improve their organization’s SDN goals

Section 1: Virtual Infrastructure

This section introduces the principles and value of a virtualized x86 environment that seamlessly integrates Pensandotechnology into a comprehensive development framework. It summarizes the key concepts covered in the “PensandoVirtual Framework Training Course,” which is a prerequisite for this course.

The section details the hardware requirements, software bill of materials (BOM), installation methods (MOPs), and validation tests needed for successful deployment. It provides step-by-step guidance on the implementation process, enabling students to set up a fully operational P4 pipeline development environment within a single day.

The infrastructure of the environment is robust, featuring an Application Controller equipped with a Command-Line Interface (CLI), test traffic generation capabilities, pipeline telemetry integrated with a real-time database, and analytics visualized through an intuitive dashboard.

Upon completing this section, students will have established a powerful, cost-effective environment for learning and prototyping, utilizing standard x86 hardware. This environment is ideal for developing skills in P4 programming, SDN system design, system testing, telemetry data collection, and data visualization. It serves as the foundational platform on which application algorithms and P4 coding patterns in this course are constructed.

Technologies and Topics 

This Section introduces following technologies and topics: 

• Hardware and OS Requirements
• Pensando Simulator in Docker container
• Node.js Controller with CLI
• Pipeline telemetry captured with a Redis in-memory data store
• Real Time Pipeline Analytics Dashboard
• Traffic generation tool

Learning Outcomes 

After completing this section of the course, you will be able to: 

• Identify hardware and software requirements to implement the Framework
• Install the Pensando Simulation environment
• Install read-to-program “foundation” pipeline
• Install node.js based controller and configure GRPC interface to the Pensando simulation

Section 2: Volumetric DDoS Mitigation

This section introduces a P4 coding pattern designed to build a stateful Volumetric Flow Table, capable of managing millions of entries. This pattern addresses a significant security challenge: Volumetric Distributed Denial of Service (DDoS) Attacks.

We implement a bump-in-the-wire algorithm to mitigate SYN Flood attacks. This algorithm constructs a Flow Table that tracks SYN requests over the past few seconds for each destination IP address under surveillance.

• Tracking SYN Requests: When a SYN request targets a destination IP already listed in the Volumetric Flow Table, the algorithm updates the SYN count and forwards the packet back into the network.
• Learning New Entries: If a SYN request targets a destination IP not found in the Flow Table, the algorithm triggers a “learning” function. This function, executed as an extension of the data plane management software running on Pensando’s ARM cores, extracts the destination IP from the SYN packet and creates a new match/action entry in the P4 Flow Table. The packet is then forwarded back into the network.

The solution’s mitigation phase employs a threshold-based algorithm. If the number of SYN packets exceeds a predefined limit within a given timeframe, the packet is dropped. This mechanism protects downstream devices from being overwhelmed by the attack, minimizing network disruption by enforcing mitigation at the individual device level. As a result, this algorithm provides effective protection against volumetric DDoS attacks with minimal impact on network operations.

This application demonstrates best practices for designing ‘packet counting’ algorithms using Pensando technology. The concepts and code provided here have broad applicability across the telecommunications and intelligence sectors.

Technologies and Topics 

This Section introduces following technologies and topics: 

• Pipeline tables for Volumetric DDOS  algorithm
• ARM core hosted C++ data plane manager algorithm
• DDoS  Application Controller with CLI
• Pipeline traffic counts. Bytes and packets
• Traffic Generator configured  for SYN Flood attack traffic
• Redis in-memory database for pipeline telemetry  and analytics
• Real-time Pipeline Analytics Dashboard

Learning Outcomes 

After completing this section of the course, you will be able to: 

• Install, configure and test the Volumetric DDoS Application source code
• Craft new dynamic Pensando pipeline for large scale (millions of rows) “counting” algorithms that can operate at terabit speeds
• Install ARM core hosted Flow Table Controller
• Enhance the Controller code to handle new pipelines
• Modify traffic generation for any new algorithms
• Modify Redis database to gather telemetry for new algorithm
• Modify real-time Analytics Dashboard for new algorithm

Section 3: Encapsulation remove, save and restore (SRv6 Proxy)

This section introduces a P4 coding pattern specifically designed to construct a stateful in-flight proxy table capable of storing the encapsulation hearers for millions of in-flight packets. This pattern acts as a proxy for application devices, such as security tools, that cannot process routing headers like SRv6.

In this use case, SRv6-encapsulated packets arrive at the proxy interface, where the SRv6 header is stripped and stored. The packet is then forwarded to an application service, such as a firewall. After the service processes the packet, its original SRv6 header is restored, updated, and the packet is routed to its next SRv6 destination.

The P4 code pattern presented in this course employs a P4 table in an innovative manner. Traditionally, a P4 table stores match/action entries. However, in this solution, the main P4 table functions as a data store for SRv6 headers of all in-flight packets – those whose SRv6 headers have been removed and are currently being processed by an application service.

This P4 code pattern leverages a P4 index table in conjunction with Pensando’s “writeback” feature to create a stateful, flow-based table. The state represents the SRv6 header’s position (index key) within the table for each in-flight packet. This index key is embedded in the packet (usually within the MAC address) before it is forwarded to the service. This mechanism links the SRv6 headers in the data store with the in-flight packets being processed, allowing the headers to be seamlessly reintegrated when the packet returns.

Telemetry and visualization algorithms for monitoring “in-flight” packet statistics are also provided, and the source code is integrated into the solution. Additionally, a Python-based Node.js application controller is presented, with the source code integrated into the environment.

This application exemplifies best practices for designing proxy algorithms using Pensando technology, and the concepts and code presented here have broad applicability across the telecommunications and intelligence sectors.

Technologies and Topics 

This Section introduces following technologies and topics: 

• Write back Pensando table functionality
• The encapsulation “tag-pop-store / match-retrieve-push” algorithm
• Encapsulation header removal and storge for mullions of “in-flight” packets
• Match returning “in-flight” packets. retrive and restore  encapsulation
• Update encapsulation header information if required

Learning Outcomes 

After completing this section of the course, you will be able to: 

• Install, configure and test the “Encapsulation remove, save and restore (SRv6 Proxy)” application source code
• Craft new dynamic Pensando pipeline for large scale (millions of rows)  stateful value store
• Modify traffic generation for new algorithms
• Modify Redis database to gather telemetry for new algorithm
• Modify real-time Analytics Dashboard for new algorithm