Accelerating the Suricata IDS/IPS with NVIDIA BlueField DPUs

  • Deep packet inspection (DPI) can become a bottleneck because host CPU capacity is limited.
  • The BlueField DPU can accelerate both centralized and distributed inspection, enabling higher security levels.
  • The DOCA Flow API can be used to offload Suricata's flow bypass, reducing host CPU utilization.
  • Running Suricata on the onboard Arm subsystem achieves line-rate traffic redirection and inspection.
  • A DPU-accelerated, and potentially distributed, solution improves network performance and x86 CPU utilization compared with a traditional software-only solution.

Offloading a Suricata bypass with BlueField and NVIDIA DOCA

  • Suricata v3.2 introduced a bypass feature for inspecting specific flows.
  • The BlueField DPU's line-rate steering module in the SmartNIC subsystem can be configured to redirect traffic to the Arm subsystem or to the host.
  • The DOCA Flow API lets bypassed flows be inspected on the Arm cores with no CPU load on the x86 host.
  • The Suricata engine uses the DOCA Flow API instead of kernel bypass for bypassed flows, reaching bidirectional line rate on a 400G device while inspecting several Gbps of flows.
  • The DPU-accelerated solution improves network performance and x86 CPU utilization compared with a traditional software-only solution.
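For reference, the Suricata-side settings that the offload above builds on, as an added example that is not from the post or from NVIDIA's code: upstream Suricata's bypass controls in suricata.yaml (stream bypass, TLS encryption handling, and the capture-level bypass that upstream routes to its kernel eBPF/XDP path, which the DPU offload replaces). The interface name and the 1 MB depth are placeholder values.

```yaml
# suricata.yaml fragment (constructed example): enable flow bypass
stream:
  bypass: yes            # stop inspecting a flow once the reassembly depth is reached
  reassembly:
    depth: 1mb           # placeholder depth; tune per deployment and memory budget

app-layer:
  protocols:
    tls:
      enabled: yes
      encryption-handling: bypass   # stop inspecting TLS flows after the handshake

af-packet:
  - interface: eth0      # placeholder interface
    bypass: yes          # hand bypassed flows to the capture method's bypass path
                         # (eBPF/XDP in upstream; a DOCA Flow offload in the DPU setup)
```

A rule can also bypass a matching flow explicitly with the `bypass` keyword, for example `pass tcp any any -> any 443 (msg:"bypass established 443 flow"; flow:established; bypass; sid:1000001; rev:1;)` (constructed sid). Monitor the `flow_bypassed` counters in stats.log to confirm that bypass is actually taking effect and to quantify how much traffic is leaving the inspection path.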