How F5 Networks Uses SmartNICs to Ease Transition to Software

eWEEK NETWORKING ANALYSIS: F5 customers will see a performance boost and cost savings by shifting security capabilities to SmartNICs.


Application delivery controller (ADC) market leader F5 Networks this week revealed a unique offering that uses SmartNICs to improve the performance of the security capabilities in its virtual product. This is a turnkey solution that consists of a BIG-IP AFM Virtual Edition (VE) integrated with an Intel FPGA PAC N3000 SmartNIC (network interface card). The combined offering gives the virtual solution a performance boost and makes it easier for customers to transition to a software model without worrying about performance degradation. 

F5 has had a virtual version of its flagship product, BIG-IP, for years. Adoption has been steady but has yet to see the accelerated adoption one would expect as the world has gone gaga over software. 

One of the issues for VE is maintaining performance when compared to the appliance-based version of BIG-IP. This has nothing to do with the software, because BIG-IP VE is at feature parity with the appliance. Performance problems arise because off-the-shelf servers often don’t have the processing capabilities required to power ADC functions. It might be fine for basic load balancing, but advanced capabilities such as SSL offload or distributed denial of services (DDoS) can often bring a white box server to its knees. Heck, many firewalls crumble when multiple services are turned on. 

Software-only ADCs provide higher agility, but performance can be in issue 

I’ve talked to many customers who like the agility of BIG-IP VE but need the performance of an appliance. ADCs sit between the applications and the network and play a key role in ensuring app performance remains high and is secure. We live in the customer-experience era in which even a single bad experience can drive customers to a competitor. This is why most companies still run front-end critical applications with dedicated appliances. 

SmartNICs to the rescue 

The new solution helps with that, because it leverages the processing capabilities of SmartNIC. Network interface cards have evolved greatly over the years. Initially they were relatively dumb devices that connected servers, computers and other connected endpoints to Ethernet networks. Years ago, offload NICs were created --as the name suggests--to offload processor intensive tasks from the CPU on the server to the card. 

For example, a TOE (TCP offload engine) moved the entire TCP/IP processing stack to the NIC. These serve a single purpose but are not programmable, so they can’t be changed. SmartNICs are relatively new and include programmable silicon such as NPUs, SoCs or FPGAs. This makes them programmable, so vendors like F5 can use them. The Intel-based one used by F5 uses an FPGA (field programmable gate array) and is being deployed by a handful of leading companies, including Microsoft for its Azure cloud. 

With this release, F5 has moved DDoS detection and mitigation to the SmartNIC. The card will process more than 100 DoS vectors as well as SYN cookies, white listing and BDoS. All of these capabilities will be handled in the FPGA, alleviating the burden from off the shelf server running BIG-IP VE. This has both a performance and cost benefit for the customer, because beefing up a server with the same level of processing capabilities in a general-purpose CPU would be extremely expensive. 

In a pre-briefing, F5 told me this configuration provides a 300x boost to DDoS mitigation--compared to software on a general-purpose server--while showing a 47% reduction in TCO. I can’t verify these numbers, but they certainly seem to be in the ballpark of what I would expect. 

When handling DDoS, it’s much more efficient to drop the packets as early as possible. The use of the SmartNIC ensures that the traffic isn’t carried all the way to the ADC so that other ADC functions aren’t impacted. 

F5 can leverage SmartNICs for a wide range of functions

It will be interesting to see what F5 does next with this. Its BIG-IP ADC has a very broad feature set, including firewall capabilities, SSL session mirroring, DNS firewalls, crypto offloading and much more. Conceivably all of these could be moved to a SmartNIC, depending on the use case. 

Businesses are becoming increasingly dynamic and distributed, and their IT strategy must be in alignment with this. By leveraging the SmartNIC, customers can perform critical functions wherever they make the most sense instead of being limited to a central location. 

I understand many businesses are turning to software to do this, but it’s the right mix of software, silicon and hardware that creates the best possible performance. This will enable customers to confidently move to software-only solutions without worrying about performance degradation. 

Zeus Kerravala is an eWEEK regular contributor and the founder and principal analyst with ZK Research. He spent 10 years at Yankee Group and prior to that held a number of corporate IT positions.