Pensando SSDK SDN Policy Offload User Guide
Reference Pipeline
User Guide
AMD Pensando Software-in-Silicon Development Kit
Chapter 2: Architecture
Overview
SDN Policy Implementation
Topology for Testing SDN Policy Offload Reference Pipeline
Chapter 1
Introduction
The AMD Pensando™ Software-in-Silicon Development Kit (SSDK) allows developers to port and
create custom implementations of networking and storage functions or services for the AMD
Pensando DPU.
This document provides an overview of the Software-Defined Networking (SDN) Policy Offload
reference pipeline and details the P4 program, including a set of ready-to-deploy precompiled
libraries and ready-to-use code for the RxDMA/TxDMA/SxDMA pipelines for routing, policy
evaluation, and flow aging. The P4 pipeline programmability provides flexible software-defined
constructs.
The reference pipeline supplies P4-16 source code for the P4I and P4E modules for protocol
processing, and P4-16 based libraries in binary format for P4 RxDMA and P4 TxDMA that you can
access via APIs for handling message transfer with the host and local CPU. This combination of
can be deployed along with your P4 code on the same DPU to integrate its functionality into
your system. This approach streamlines the implementation process and ensures seamless
compatibility.
The AMD Pensando DPU can offload and accelerate a wide range of SDN, security, and storage
features and capabilities. The SSDK makes it easy to develop and deploy solutions using its
flexible P4 programmable data path and rich APIs.
The traditional approach to selecting ASICs or CPUs for switches, security appliances, and routers
is to consider the cost, table size, flexibility, and performance of each option. High-end ASICs are
the most expensive option, but they offer the best performance and can support large-scale
routing tables. Lower-end ASICs are less expensive, but they may be constrained by routing table
size, buffer size, and performance. ASICs are efficient at performing the specific tasks they were
designed for but lack the flexibility to add new features or services without a respin. CPUs are the
least expensive option, but they offer the worst performance and can support only small routing
tables, limited session scale, and low connections-per-second scale; however, they offer flexibility
when it comes to adding new features in software.
An AMD Pensando DPU with a programmable P4 pipeline is a software-defined data plane that
can be programmed to perform various data plane functions in hardware to meet high-
performance and scale requirements. This means that new functions and services can be added
without having to redesign the hardware, saving time and resources and letting you keep pace
with rapidly evolving product requirements without sacrificing performance and scale.
• Flexibility: Software-defined data planes are highly programmable and can support new
functions and services with performance and scale. This makes them ideal for data centers
that need to adapt to change and require high performance.
• Agility: Software-defined data planes can be programmed quickly and easily, without having
to go through a lengthy design and manufacturing process. This makes it possible to quickly
deploy new features and services.
• Cost savings: Software-defined data planes can help to reduce costs by eliminating the need
to respin hardware when new functions are required.
Ready-to-Deploy Libraries
The SDN Policy Offload reference pipeline includes ready-to-deploy libraries for a robust set of
functions and services to jumpstart your development and accelerate your path to production
deployments. The following services are ready to deploy; you can move to production with the
included libraries and customize the other stages in the pipeline.
• Routing
○ APIs are exposed to programmers to use route-table config objects and APIs to initialize,
create, delete, and update.
○ Multi-tenancy: A table ID is added to the LPM routing table implementation, allowing the
lookup to be keyed by table ID and DIP prefix/SIP prefix. The table ID in this case can be
interpreted as the VRF, and you can define it; an example is using the VNI in the VxLAN
header as the table ID (see the key-construction sketch after this list).
○ Supports both IPv4 and IPv6 based route tables.
• SDN/Security Policy
○ 1K rules, 256K source IP prefixes, and 256K destination IP prefixes per policy are supported
with the reference pipeline.
○ Rule priority is supported.
○ Bi-directional policy enforcement (Ingress and Egress). A unique policy can be applied in
each direction.
○ Incremental rule add/delete.
○ APIs are exposed to programmers to use policy config objects and APIs to initialize,
create, delete, and update.
○ Supports both IPv4 and IPv6 based policies.
○ Flow logging is not included in the reference pipeline but can be added.
• NAT: Inner IP header (source IP, destination IP, source port, and destination port).
○ Capable of supporting:
- Static 1:1 NAT
- Many to 1
- Source
- Destination
- Twice NAT
○ Ingress and egress NAT policy direction.
The above list gets you started. The following is a list of SDN services that can be implemented
using the SSDK on an AMD Pensando DPU:
• Virtual network subnets: User-defined subnets, custom IPAM, L2/L3 forwarding with default
gateway.
• Network services: NACLs, firewall, security groups, load balancing, encryption, ERSPAN
(vTAP), QoS, etc.
• VPN services: IPsec and PSP encryption services.
• Metering
• Traffic Engineering
○ Segment routing: SRv6 and SR-MPLS.
○ Local mapping.
○ Remote mapping.
○ Routing tables.
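The following is a minimal sketch, in C++, of how the multi-tenant LPM lookup key described in
the routing item above might be modeled, with the table ID (for example, the VXLAN VNI)
combined with the IP prefix. The types and names here are illustrative assumptions, not SSDK
definitions.

#include <array>
#include <cstdint>

// Illustrative multi-tenant LPM key: the table ID (interpreted as the
// VRF, for example the VXLAN VNI) is combined with the IP prefix, so
// identical prefixes in different tenants resolve independently.
struct lpm_key_t {
    uint32_t                table_id;   // tenant/VRF, e.g., VXLAN VNI
    std::array<uint8_t, 16> prefix;     // IPv4 or IPv6 address bytes
    uint8_t                 prefix_len; // prefix length in bits
};

// Build a key for an IPv4 prefix under a given tenant.
lpm_key_t make_v4_key(uint32_t vni, uint32_t addr, uint8_t len) {
    lpm_key_t key{vni, {}, len};
    key.prefix[0] = static_cast<uint8_t>(addr >> 24);
    key.prefix[1] = static_cast<uint8_t>(addr >> 16);
    key.prefix[2] = static_cast<uint8_t>(addr >> 8);
    key.prefix[3] = static_cast<uint8_t>(addr);
    return key;
}

int main() {
    // Tenant with VNI 5000 looking up 10.1.0.0/16.
    lpm_key_t key = make_v4_key(5000, 0x0A010000, 16);
    return key.prefix_len == 16 ? 0 : 1;
}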
Contact your AMD sales team to discuss SSDK enhancement or custom solution requests.
Chapter 2
Architecture
The SDN Policy Offload reference pipeline implements a set of SDN policy and networking
services, ready to deploy. Similar to the other reference pipelines, it provides insight into P4 and
its capabilities to develop your own services. Despite its relatively simple structure, the SDN
reference pipeline showcases the power of P4, which can be used to build custom networking
and security services such as IPsec, or any other stateless or stateful networking services, without
compromising the performance of the networking device the DPU resides in.
Overview
The SDN Policy Offload pipeline is a bump-in-the-wire (BITW) implementation ideal for a
SmartSwitch or an appliance form factor as shown in Figure 1: BITW Implementation for
SmartSwitch Appliances. When deployed inside a SmartSwitch as a top-of-rack device or in an
appliance, the DPU is not visible externally because it is integrated into the device providing
network service acceleration to any traffic ingressing and egressing the device. When the DPU is
deployed in an appliance for service aggregation in the data center or a colocation facility, it
connects to the network devices and performs network and security services for various
workloads and network traffic with the help of traffic redirection to the service appliance.
The DPU connects to a switching ASIC as a BITW to process packets to and from the wire and
send them back to the switching ASIC to be forwarded to their next hop or destination. A single
DPU can provide multiple networking services in parallel, and multiple DPUs can be connected to
scale out performance or achieve high availability. The BITW approach includes an appliance
mode using an x86 system with DPUs deployed in the PCIe® slots.
[Figure 1: BITW Implementation for SmartSwitch Appliances, showing N DPUs attached to a
switching ASIC with traffic to and from the network on either side]
The SDN Policy Offload pipeline can be easily enhanced to support a host-to-network
deployment with additional services, as shown in Figure 2: Host to Network Implementation.
[Figure 2: Host to Network Implementation, showing a DPU handling traffic to and from the
network]
The P4 tables can be programmed using the generated C++ APIs that support Create, Read,
Update, Delete (CRUD) operations. Figure 3: SDN Policy Offload API Model shows the API
model.
[Figure 3: SDN Policy Offload API Model, showing APIs programming the pipelines around the
packet buffer and traffic manager]
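To make the API model concrete, the following is a minimal C++ sketch of CRUD calls against a
route-table object. All names here (route_table_spec_t, route_table_create, and so on) are
hypothetical stand-ins; the actual generated API names and signatures depend on the tables in
your P4 program.

#include <cstdint>
#include <string>

// Hypothetical route-table object; the real spec is generated from P4.
struct route_table_spec_t {
    uint32_t    table_id;   // tenant/VRF identifier
    std::string prefix;     // e.g., "10.1.0.0/16"
    uint32_t    nexthop_id; // next-hop object handle
};

// Stubbed, generated-style CRUD entry points (illustrative signatures).
static int route_table_create(const route_table_spec_t &) { return 0; }
static int route_table_read(uint32_t, const std::string &,
                            route_table_spec_t *) { return 0; }
static int route_table_update(const route_table_spec_t &) { return 0; }
static int route_table_delete(uint32_t, const std::string &) { return 0; }

int main() {
    route_table_spec_t spec{1, "10.1.0.0/16", 42};
    route_table_create(spec);                // Create the route
    route_table_read(1, spec.prefix, &spec); // Read it back
    spec.nexthop_id = 43;                    // Repoint the route
    route_table_update(spec);                // Update
    route_table_delete(1, spec.prefix);      // Delete
    return 0;
}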
The ready-to-deploy services can be deployed along with custom-developed P4 code on the
same DPU to achieve high performance: a very high session setup rate, high connections-per-
second (CPS) scale, and a large-scale flow table with hardware-based flow aging. The P4
programs can be used to enhance, or to design and develop, stateless functions (not flow or
session aware) or stateful services by combining the AMD-developed P4 libraries with the flow
and session table placed in the P4I and P4E pipelines.
Routing and policies are implemented in P4 RxDMA and P4 TxDMA, which are exercised for all
flow-miss packets. A typical flow-miss packet path is as follows:
On receiving a flow-miss packet containing metadata about the LPM and security policy results
that the P4 pipeline accelerates, the DP-App installs the flow with the corresponding policy and
routing information and reinjects the packet into the P4 Ingress pipeline. Subsequent packets for
the flow take the flow-hit path and are forwarded in P4.
Figure 4: Packet Flow-Miss and Flow-Hit Paths shows the packet flow-miss and flow-hit paths.
[Figure 4: Packet Flow-Miss and Flow-Hit Paths, showing the DP-App and NOC above the
P4 RxDMA/TxDMA stages, the packet buffer/traffic manager, and the P4 Ingress/Egress stages
with session, flow, NACL, next-hop, rewrite, tunnel, LIF, and stats tables]
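The following conceptual C++ sketch summarizes the flow-miss handling described above; every
type and helper is a hypothetical stand-in for illustration, not the actual DP-App API.

#include <cstdint>

// Hypothetical flow-miss packet: carries the LPM and policy results
// that the P4 RxDMA/TxDMA stages already computed as metadata.
struct flow_miss_pkt_t {
    uint32_t lpm_result;    // routing decision from P4
    uint32_t policy_result; // security policy decision from P4
};

// Stubs standing in for DP-App operations (illustration only).
static void install_flow(uint32_t lpm, uint32_t policy) { (void)lpm; (void)policy; }
static void reinject_to_p4_ingress(const flow_miss_pkt_t &pkt) { (void)pkt; }

// On a flow miss, the DP-App installs the flow with the precomputed
// routing/policy state and reinjects the packet; subsequent packets
// hit the installed flow and are forwarded entirely in P4.
void handle_flow_miss(const flow_miss_pkt_t &pkt) {
    install_flow(pkt.lpm_result, pkt.policy_result);
    reinject_to_p4_ingress(pkt);
}

int main() {
    handle_flow_miss(flow_miss_pkt_t{7, 1});
    return 0;
}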
Figure 5: Single DSC Topology for Testing shows a single Distributed Services Card (DSC)
topology used for testing the architecture. The VXLAN packets are sent from workload-1 (WL-1),
which creates an initiator flow (iflow) for the inner IP and a responder flow (rflow) for the reverse
path from workload-2 (WL-2). An unencapsulated IP packet is returned so that the existing rflow
is hit and the packet is forwarded or dropped based on policy and route evaluation.
[Figure 5: Single DSC Topology for Testing, showing WL-1 and WL-2 connected through
Elba DSC-1]
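As a small aid to the iflow/rflow description above, the sketch below shows the common
convention that the responder flow key is the initiator flow key with source and destination
swapped. The flow_key_t type is an illustrative assumption, not an SSDK definition.

#include <cstdint>

// Illustrative 5-tuple flow key for the inner IP header.
struct flow_key_t {
    uint32_t sip, dip;     // source/destination IP
    uint16_t sport, dport; // source/destination port
    uint8_t  proto;        // IP protocol
};

// The rflow key is the iflow key with the endpoints reversed, so the
// return traffic from WL-2 matches the session created for WL-1.
flow_key_t reverse_key(const flow_key_t &k) {
    return flow_key_t{k.dip, k.sip, k.dport, k.sport, k.proto};
}

int main() {
    flow_key_t iflow{0x0A000001, 0x0A000002, 12345, 80, 6};
    flow_key_t rflow = reverse_key(iflow);
    return rflow.sip == iflow.dip ? 0 : 1;
}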
Figure 6: Dual DSC Topology for Testing shows a dual DSC topology. Two DSCs are connected
back-to-back using port Eth 1/2. The other uplink ports of DSC1 and DSC2 (Eth1/1) are
connected to Ixia traffic generator ports 1 and 2, respectively. The SDN Policy Offload reference
P4 program runs on both DSCs.
Based on a permitted security policy and an LPM route lookup, DSC-1 routes IP traffic from Ixia
port-1 to DSC-2 via port Eth1/2.
Based on a permitted security policy and LPM route evaluation, DSC-2 forwards the IP packet to
Ixia port-2. For performance analysis, traffic should be started and run symmetrically from Ixia
port-1 and port-2 to test bi-directional throughput.
[Figure 6: Dual DSC Topology for Testing, showing IP packets on Eth 1/1 of Elba DSC-1 and
Elba DSC-2, with VXLAN-encapsulated traffic on the Eth 1/2 back-to-back link between them]
Chapter 3
Note: This chapter assumes you have already installed the developer environment. If not, refer to the
following:
• The SSDK Quick Start Guide or Getting Started Guide for installation of the SSDK.
• The SSDK Getting Started Guide to set up your environment.
• A container image that constitutes the build environment and includes generic tools, such as
the Linaro Arm® cross-compile toolchain.
• A tarball with the source code of the reference pipelines and AMD-specific tools, such as the
P4 compiler and the Distributed Services Card (DSC) simulator.
• A tarball with documentation.
Directory                                         Contents
/sw/nic                                           SSDK main folder for build scripts
/sw/nic/rudra                                     Relevant code and files for development
/sw/nic/rudra/src/pds-core                        Core Application, Environment Initialization, Starts services, PDS Agent, gRPC Listener, PDS Layer API, and Common Libraries
/sw/nic/rudra/src/lib                             Common code and files for all pipelines, LIFs, Memory Utils, Debug, Tracing, and Interface Management
/sw/nic/rudra/src/<reference-pipeline>            The reference pipelines
/sw/nic/rudra/src/<reference-pipeline>/p4/p4-16/  P4 Source Code for the specific pipeline
/sw/nic/rudra/src/conf                            Platform, Pipeline, and Infrastructure configuration files
/sw/nic/rudra/src/<reference-pipeline>/dp         Dataplane and Pipeline specific DP application
/sw/nic/tools                                     The developer tools
Note: This container can be used to build both x86 and Arm images.
# tools/build.sh --help
ARCH=<architecture> --p4_program <p4_program> [--clean] [--create-sim-target]
Architectures: aarch64
               x86_64 (default)
--p4_program: hello_world
              flow_offload
              classic_host_offload
              classic_rtr
              flow_ha
              sdn_policy_offload
--clean: cleaning target and build directories (optional)
--create-sim-target: build the rudra target sim
At this point both the ASIC simulator and core application are running, and the two uplink
interfaces (uplink0 and uplink1) are exposed to Linux® as tap interfaces (Eth1-1 and Eth1-2).
Validate this by running show commands such as the following:
As a part of the simulator startup, the dp-app process is started, which reads the file
/sw/nic/rudra/src/conf/sdn_policy_offload/config.json. This file contains instructions to
create the flow with policy and route results, and to populate specific entries into the tables. To
view the file, run the command:
cat /sw/nic/rudra/src/conf/sdn_policy_offload/config.json
If desired, you can expose the uplink interfaces outside the container so you can run traffic tools
from outside to inject packets into the uplinks. To do so, run the following commands on the host
of the container:
cd $TTOP/src/github.com/pensando/sw/nic/
DSC_INSTANCE=<ssdk-dev-container-name> ./rudra/test/tools/setup-uplink-interfaces.sh
To stop the simulator environment, execute the dsc-sim-stop.sh script. This kills the
processes including the ASIC simulator and pds core application:
./tools/dsc-sim-stop.sh
To restart the simulation environment, execute the dsc-sim-restart.sh script. This restarts
all the processes, including the ASIC simulator and pds core application, which is useful for
recovering from scenarios such as a process crash:
./tools/dsc-sim-restart.sh
This creates an image for the DSC/DPU as a tarball in the /sw/nic directory, for example
dsc_fw_elba_.tar.
4. List the built DSC firmware image:
ls /sw/nic/dsc_fw_elba_.tar
3. Confirm the DSC enumerates as a PCIe® device, and note the PCIe address of its
management controller:
# lspci -d 1dd8:
12:00.0 PCI bridge: Pensando Systems Inc Device 0002
13:00.0 PCI bridge: Pensando Systems Inc DSC Virtual Downstream Port
13:01.0 PCI bridge: Pensando Systems Inc DSC Virtual Downstream Port
13:02.0 PCI bridge: Pensando Systems Inc DSC Virtual Downstream Port
14:00.0 Ethernet controller: Pensando Systems Inc DSC Ethernet Controller
15:00.0 Ethernet controller: Pensando Systems Inc DSC Ethernet Controller
16:00.0 Ethernet controller: Pensando Systems Inc DSC Management
Controller
The final line shows that the driver is using the eth1 interface for the DSC management
controller.
6. Configure an IP address for this interface:
# ifconfig eth1 169.254.<mgmt_ctlr_pcie_bus_number>.2/24 up
where:
• <mgmt_ctlr_pcie_bus_number> is the first component of the PCIe address for the
management controller from step 3, converted from hexadecimal to decimal.
In this example, the PCIe address is 16:00.0, so the bus address is 0x16 which converts
to 22 decimal.
The command corresponding to the example output shown in step 3 is therefore:
# ifconfig eth1 169.254.22.2/24 up
A small illustrative sketch of this conversion appears after this procedure.
8. Verify that you can ping the DSC from the host:
Note: The internal management NIC for the DSC has a default IP address of 169.254.22.1.
# ping 169.254.22.1 -c 3
PING 169.254.22.1 (169.254.22.1) 56(84) bytes of data.
64 bytes from 169.254.22.1: icmp_seq=1 ttl=64 time=0.205 ms
64 bytes from 169.254.22.1: icmp_seq=2 ttl=64 time=0.091 ms
64 bytes from 169.254.22.1: icmp_seq=3 ttl=64 time=0.085 ms
9. SSH to the DSC from the host as root with a password of pen123:
# ssh -lroot 169.254.22.1
The authenticity of host '169.254.22.1 (169.254.22.1)' can't be
established.
ECDSA key fingerprint is SHA256:AoU0vi8BifouUOfqSg78t08JgaH7vHHBZfK58CnS
+EI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '169.254.22.1' (ECDSA) to the list of known
hosts.
root@169.254.22.1's password:
10. Confirm the IP address for the internal Management NIC (MNIC) interface on the DSC is
169.254.<pcie_bus_number>.1:
Note: The int_mnic0 interface is the internal MNIC net device on the DSC that is created by default.
# ifconfig int_mnic0
int_mnic0 Link encap:Ethernet HWaddr 00:AE:CD:01:C6:C4
inet addr:169.254.22.1 Bcast:169.254.22.255 Mask:255.255.255.0
inet6 addr: fe80::2ae:cdff:fe01:c6c4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:41 errors:0 dropped:0 overruns:0 frame:0
TX packets:65 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5351 (5.2 KiB) TX bytes:10066 (9.8 KiB)
11. Use scp to copy the image over the internal management NIC interface from the host
(specified by the IP address that you set in step 6) to the /data/ directory on the card:
$ scp <user>@<host_ip_address>:<SSDK_dir>/src/github.com/pensando/sw/nic/dsc_fw_elba_.tar /data/
For example:
$ scp jdoe@169.254.22.2:/home/jdoe/ssdk/src/github.com/pensando/sw/nic/dsc_fw_elba_.tar /data/
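For reference, the bus-number conversion used in steps 3 and 6 above can be expressed as a
small self-contained C++ helper; this is purely illustrative and not part of the SSDK.

#include <cstdio>
#include <cstdlib>
#include <string>

// Illustrative helper: derive the host-side management IP
// 169.254.<bus>.2 from a PCIe address such as "16:00.0".
int main(int argc, char **argv) {
    std::string pcie = (argc > 1) ? argv[1] : "16:00.0";
    // The bus number is the hex field before the first ':'.
    unsigned long bus = std::strtoul(pcie.substr(0, pcie.find(':')).c_str(),
                                     nullptr, 16);
    std::printf("ifconfig eth1 169.254.%lu.2/24 up\n", bus); // 0x16 -> 22
    return 0;
}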
In this example the PCIe addresses are 13:00.0 and 16:00.0, respectively.
4. Compile the memtun binary for the host using the code from $sw/platform/src/app/memtun.
5. Start the memtun binary on the host:
# ./memtun -s <downstream_port_pcie_address> 169.1.<mgmt_ctlr_pcie_bus_number>.2 &
where:
• <downstream_port_pcie_address> is the PCIe address of the virtual downstream
port from step 3.
In this example it is 13:00.0.
• <mgmt_ctlr_pcie_bus_number> is the first component of the PCIe address for the
management controller from step 3, converted from hexadecimal to decimal.
In this example, the PCIe address is 16:00.0, so the bus address is 0x16 which converts
to 22 decimal.
The command corresponding to the example output shown in step 3 is therefore:
# ./memtun -s 13:00.0 169.1.22.2 &
The memtun utility is started by default on DSCs running goldfw or ssdk firmware. When
memtun starts on the host it establishes a connection with the DSC and creates a tun device
visible in ifconfig on both the host and the DSC.
6. Confirm the IP address has been set:
# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:169.1.22.2 P-t-P:169.1.22.3
Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:96 (96.0 B) TX bytes:96 (96.0 B)
7. Verify that you can ping the DSC from the host:
Note: The tun device for the DSC has a default IP address of 169.1.22.3.
# ping 169.1.22.3 -c 3
PING 169.1.22.3 (169.1.22.3) 56(84) bytes of data.
64 bytes from 169.1.22.3: icmp_seq=1 ttl=64 time=0.205 ms
64 bytes from 169.1.22.3: icmp_seq=2 ttl=64 time=0.091 ms
64 bytes from 169.1.22.3: icmp_seq=3 ttl=64 time=0.085 ms
8. SSH to the DSC from the host as root with a password of pen123:
# ssh -lroot 169.254.22.1
The authenticity of host '169.254.22.1 (169.254.22.1)' can't be
established.
ECDSA key fingerprint is SHA256:AoU0vi8BifouUOfqSg78t08JgaH7vHHBZfK58CnS
+EI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '169.254.22.1' (ECDSA) to the list of known
hosts.
root@169.254.22.1's password:
9. Confirm the IP address for the tun0 interface on the DSC is 169.254.<pcie_bus_number>.3:
Note: The tun0 interface is the memtun device on the DSC that is created by default.
# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:169.1.22.3 P-t-P:169.1.22.2
Mask:255.255.255.255
inet6 addr: fe80::b1a3:b97a:c6a3:3b12/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:96 (96.0 B) TX bytes:96 (96.0 B)
10. Use scp to copy the image over the memtun interface from the host (specified by the IP
address that you set in step 5) to the /data/ directory on the card:
$ scp <user>@<host_ip_address>:<SSDK_dir>/src/github.com/pensando/sw/nic/dsc_fw_elba_.tar /data/
For example:
$ scp jdoe@169.1.22.2:/home/jdoe/ssdk/src/github.com/pensando/sw/nic/dsc_fw_elba_.tar /data/
Loading an Image
To load an image you have copied to the DSC, do the following on the DSC:
Note: You can also use the table access tools (p4ctl or, if one of the reference pipelines was
used to create the image, pdsctl) to verify that the correct software is running.
To do so:
• To use a different config file, specify it with the -c option. For example:
start-dp-app.sh -c /nic/config/config_scale.json
To do so:
/sw/nic/rudra/docs/sdn_policy_offload/quickstart.md#sim-packet-test
Troubleshooting
The following files in the container are useful for troubleshooting:
Appendix A
Additional Resources and Legal Notices
The AMD Documentation Hub is an online tool that provides robust search and navigation for
documentation using your web browser. To access the Documentation Hub, go to
https://www.amd.com/en/search/documentation/hub.html.
Support Resources
For support resources such as Answers, Documentation, Downloads, and Forums, see Support.
References
Pensando Documents
Revision History
The following table shows the revision history for this document.
Copyright
© Copyright 2023 Advanced Micro Devices, Inc. AMD, the AMD Arrow logo, Pensando, and
combinations thereof are trademarks of Advanced Micro Devices, Inc. AMBA, AMBA Designer,
Arm, ARM1176JZ-S, CoreSight, Cortex, PrimeCell, Mali, and MPCore are trademarks of Arm
Limited in the US and/or elsewhere. PCI, PCIe, and PCI Express are trademarks of PCI-SIG and
used under license. Other product names used in this publication are for identification purposes
only and may be trademarks of their respective companies.