High-speed network appliances are often stateless to reduce the cost and DDoS vulnerability associated with tracking and storing the state of connections.
Stateful processing offers dramatically increased capabilities by providing session context to make smarter and more adaptive decisions. The catch: it requires fast state memory management, which poses financial, technical and security challenges.
Enter Synogate HashCache: our patent-pending, fully hardware-implemented algorithm for carrier and enterprise session storage management using DRAM to offer previously unseen storage speed and capacity on a single device - the ideal solution for heavy-duty, internet-exposed services with superior security requirements.
Synogate HashCache is a hardware implementation of a key-value store with cache-like storage management. Hundreds of millions of requests per second with a particularly high insertion rate, using commodity DRAM with capacity for billions of concurrent connections, make Synogate HashCache the ideal state storage for stateful firewalls, network address translators, web or database caches, and other stateful network devices that must operate and perform in untrusted networks. Its sub-microsecond latencies also make Synogate HashCache the storage solution of choice in all applications where latency matters, such as high-speed trading. Last but not least, a novel eviction policy enables it to autonomously replace the oldest inactive entries for optimal Quality of Service.
Applications:
- Stateful firewalls
- Network intrusion detection systems (NIDS)
- Carrier-grade network address translation (NAT)
- Database acceleration
- High-frequency trading
- Web-caches (CDN)
- MQTT Broker
- High bandwidth, high connection count hardware TCP server
Features:
- High read throughput
- Superior insertion rate
- Integrated eviction policy offering guarantees on retention time
- Low latency, as low as 200 nanoseconds
- Internal or external storage including DRAM support
- Energy consumption < 1 microjoule per request
- Low storage overhead
Benefits:
- Stateful network processing at present and future line rates
- Resilient to DDoS with crafted traffic
- Reliably high throughput, even in write/update-heavy use cases and situations
- Fast, granular control for best user experience
- Low storage overhead resulting in more available storage space
- Running on highly available and affordable hardware
- Significant power savings resulting in reduction of Total Cost of Ownership (TCO)
The massive growth in network bandwidth of 50% per year (Nielsen’s Law) and the lack of growth in computing capabilities (Moore’s Law) place high demands on network appliances, especially those that need to hold and manage state. Stateful network devices, such as stateful firewalls or network address translators (NATs), must store and subsequently retrieve information about previous decisions to act coherently. This retrieval, update, and potential replacement of old entries must keep pace with the throughput of the network device.
A single 100 GiB/s Ethernet connection can transfer more than 209 million packets per second in each direction. Depending on the application scenario, the rate of requests to a network device’s state storage may be the same. What makes matters even more challenging is the exposure of such network devices to untrusted networks. In these environments, a malicious attacker can craft specific traffic to trigger a state storage’s worst-case behavior on purpose in an attempt to mount a DoS attack.
Synogate HashCache, a key-value store for FPGA and ASIC designs, solves these issues. Synogate HashCache scales to hundreds of millions of requests per second, perfectly capable of 100G Ethernet and more on modern FPGAs. A stateful network device that employs Synogate HashCache for its state storage also benefits from Synogate HashCache’s high write throughput and entry retention guarantees. Attackers attempting to mount a (D)DoS attack against the device with traffic that triggers large amounts of writes and new states, commonly a worst-case scenario for key-value stores, will find that Synogate HashCache is more than happy to service the requests while maintaining high throughput.
Synogate HashCache is the ideal key-value store for all network appliances that handle large amounts of state, especially if the state needs to be modified or created at a high rate. Its high read throughput and low latency also make it an excellent choice in more read-dominated caching use cases such as web-caches, database acceleration, and high-frequency trading.
To demonstrate the throughput, we consider the use case of a stateful firewall. Synogate HashCache is fielded using QDR2-SRAM and single-channel DDR4-SDRAM, both variations implemented on an Arria 10 device. We compare against a single-core Linux eBPF implementation as well as a multi-core implementation with a supporting SmartNIC running on two memory channels of the same memory type.
The traffic is sourced from the CAIDA real-world dataset, mixed with increasing amounts of attack traffic to simulate a DDoS.
The software implementations, even with SmartNIC support, are orders of magnitude too slow to handle 100G or even 40G. Synogate HashCache, on the other hand, can easily handle 100G line rate. Under full attack, even with the slower single-channel DDR4-DRAM, it can sustain 40G line rate. Since Synogate HashCache scales almost linearly with the number of memory channels, 100G line rate is attainable even with DDR4-DRAM by scaling to four channels.
In the same stateful firewall use case, we measure the latency of HashCache for different storage options and traffic patterns. The latency is expressed as the probability of a request being performed within a time frame.
For QDR2-SRAM storage, requests are performed in well under one microsecond. In caching scenarios where attack patterns are not an issue, such as high-frequency trading, this latency can drop to below 200 nanoseconds.