
DOCA URL Filter

Description
The DOCA URL Filter application limits access by comparing web traffic against a database, protecting users from threats and malware and keeping them from reaching harmful sites, by leveraging the hardware acceleration of the NVIDIA DPUs.
Publisher
NVIDIA
Latest Tag
2.0.2
Modified
April 1, 2024
Compressed Size
68.22 MB
Multinode Support
No
Multi-Arch Support
No
2.0.2 (Latest) Security Scan Results

Linux / arm64


What is DOCA?

Data Center Infrastructure-on-a-Chip Architecture

The NVIDIA® DOCA™ SDK (software development kit) enables developers to rapidly create applications and services on top of NVIDIA BlueField® data processing units (DPUs), leveraging industry-standard APIs.

DOCA URL Filter

NOTE: The DOCA URL Filter application container is deprecated and will no longer be supported starting from the DOCA 2.5.0 release.

URL filtering limits access by comparing web traffic against a database, protecting users from threats and malware and keeping them from reaching harmful sites such as phishing pages.

Application Architecture

  1. Signatures are compiled by the DPI compiler and are then loaded to the DPI engine.
  2. Ingress traffic is identified and classified using the stateful table module in the DPDK libs which utilizes the connection tracking hardware offloads. This allows flow classifications to be done at the hardware level and forwarded to a hairpin queue without being processed by the software, which increases performance dramatically.
  3. Traffic is scanned against the DPI engine compiled signature DB.
  4. Post-processing is performed for match decision.
  5. Matched flows are identified and can be offloaded to the hardware to increase performance, as no further inspection is needed.
  6. Flow termination is done by the aging timer (set in the SFT to 60 seconds). When a flow is offloaded it cannot be tracked and destroyed.
  7. It is important to note that only sites that support non-encrypted HTTP traffic can be matched against signatures created by the URL filtering, as it specifically targets the URI field in the HTTP request.
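
The coverage limit in item 7, as an added Python example that is not NVIDIA's code and does not use the DOCA DPI engine or its signature format: the blocklist regexes, function names and sample payloads are constructed assumptions. It shows that a URI signature can only fire when the request line is readable in the first payload of a flow.

```python
import re

# Constructed blocklist of URI regexes (illustrative, not DOCA signature syntax).
BLOCKED_URI_PATTERNS = [
    re.compile(r"/phish/login\.php"),
    re.compile(r"\.exe$"),
]

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH")

# Constructed sample payloads: two cleartext HTTP requests and bytes shaped
# like the start of a TLS handshake record (content type 0x16, version 0x0301).
HTTP_BLOCKED = b"GET /phish/login.php?u=1 HTTP/1.1\r\nHost: site.example\r\n\r\n"
HTTP_ALLOWED = b"GET /index.html HTTP/1.1\r\nHost: site.example\r\n\r\n"
TLS_RECORD = bytes.fromhex("160301002e0100002a0303") + bytes(32)


def extract_uri(payload: bytes):
    """Return the URI from a cleartext HTTP/1.x request line, or None."""
    line, sep, _ = payload.partition(b"\r\n")
    if not sep:
        return None  # no request line terminator: not cleartext HTTP
    parts = line.split(b" ")
    if len(parts) != 3:
        return None
    method, target, version = parts
    if method not in HTTP_METHODS or not version.startswith(b"HTTP/1."):
        return None
    return target.decode("ascii", errors="replace")


def classify(payload: bytes) -> str:
    """Return 'block', 'allow' or 'uninspectable' for a flow's first payload."""
    uri = extract_uri(payload)
    if uri is None:
        # Encrypted traffic exposes no URI field, so no URI signature can match.
        return "uninspectable"
    if any(p.search(uri) for p in BLOCKED_URI_PATTERNS):
        return "block"
    return "allow"


if __name__ == "__main__":
    for name, data in [("http-blocked", HTTP_BLOCKED),
                       ("http-allowed", HTTP_ALLOWED),
                       ("tls", TLS_RECORD)]:
        print(name, classify(data))
```

Flows that come back as "uninspectable" are the ones item 7 says the URL filter cannot match.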

Installation and Getting Started

All preparation steps are listed under DOCA's Container Deployment User Guide.

Note: The DOCA Application container is configured for K8S-based deployment, hence the use of the docker pull command is discouraged.

Preparation steps for the DOCA Application

As explained in the application's documentation, some resource allocation steps are needed before the application can be executed:

# Allocate huge-pages, required by DPDK
echo 2048 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages

# Make sure the regex engine is active
systemctl status mlx-regex
# If the status is inactive (“Active: failed”), run
systemctl start mlx-regex

The application is meant to be used with Scalable Functions (SFs), hence they should be configured accordingly. An example illustration is shown in the application's system design section.

Once all SFs and OVS bridges are configured, we can continue on to the next step, in which we will notify the container about them.

Adjusting the .yaml configuration

The .yaml configuration for our container is doca_url_filter.yaml:

wget --content-disposition https://api.ngc.nvidia.com/v2/resources/nvidia/doca/doca_container_configs/versions/2.0.2v1/files/configs/2.0.2/doca_url_filter.yaml

The container doesn't require any update to the .yaml file and can simply be used "as-is".

Note: The file is also stored with the rest of the .yaml configurations that were pulled from NGC in the previous steps (see "Installation and Getting Started").

Spawning the container

Simply copy the doca_url_filter.yaml file to the /etc/kubelet.d directory. Kubelet will automatically pull the container image from NGC, and spawn a pod executing the container. The DOCA URL Filter application won't start executing right away, because it needs to be manually deployed and it starts with an empty URL database. Once the container is loaded you need to get its ID via:

# View currently active containers, and their IDs
crictl ps

And then run the following command to connect to it and run the app from within the container:

# Runs bash in the container and gives you interactive control of it
# (replace <container-id> with the ID shown by "crictl ps")
sudo crictl exec -it <container-id> /bin/bash

# Inside the container's bash, run the app using the same command listed in the DevZone.
cd /opt/mellanox/doca/examples/url_filter/bin
./doca_url_filter --json url_filter_params.json

Please refer to the documentation for more information.

Documentation

The DOCA URL Filter developer guide is available here.

License & EULA

DOCA is licensed under the NVIDIA DOCA License. By pulling and using the container, you accept the terms and conditions of this license.

Technical Support

Use the NVIDIA Developers forum for questions regarding this Software.