BlueField-3 (BF3)
The NVIDIA BlueField-3 (BF3) DPU provides hardware-enforced security and control plane offloading for Bridge-managed servers. When deployed in DPU mode (Zero Trust), BF3 acts as an independent control plane — the host server is provisioned and managed exclusively through the DPU, removing the need to trust the host's main board for security-sensitive operations.
DPU Mode vs. NIC Mode
| Aspect | DPU Mode (Zero Trust) | NIC Mode (SuperNIC) |
|---|---|---|
| Control plane | Runs on DPU | Runs on host |
| Host provisioning | Via DPU over OOB | Via MaaS/BCM |
| Network feature set | HBN, VRF, VTEP | Spectrum-X, RoCE |
| Security model | Hardware root of trust | DOCA DMS service |
| Primary use case | Bare metal, VM, HBN | Spectrum-X GPU networking |
Zero Trust DPF Provisioning Flow
Bridge provisions BF3 DPUs in Zero Trust mode using the NVIDIA DPU Fabric (DPF) framework:
- Bridge configures the BF3 into Zero Trust DPU mode and reboots the server.
- Bridge provisions the DPU over the OOB network (1 GbE).
- Bridge provisions the host OS over OOB and in-band network — no tenant access is granted at this stage.
- The DPU is added as a worker node to the DPF control plane hosted on Bridge.
- Bridge orchestrates Host-Based Networking (HBN) to the DPU.
- Bridge configures isolated L3 networks on the DPU and the in-band switch fabric (200 GbE converged network).
- Tenant access is provided via the gateway over the isolated L3 networks.
No tenant traffic reaches the host until all isolation and networking steps are complete.
DOCA HBN Controller
After DPU provisioning, Bridge's Cumulus controller is extended with HBN functionality that interfaces with DOCA HBN over the OOB network.
Switch fabric configuration:
- Configures BGP underlay across the Ethernet switch fabric.
- Creates per-tenant L2/L3 overlay networks (VRFs, VXLANs) on the switches.
DPU-level configuration applied via Ansible:
| Configuration | Purpose |
|---|---|
| VRFs per tenant on DPU | Enforce L3 tenant isolation at the DPU |
| VTEP on DPU | VXLAN tunnel endpoint, enabling VXLAN overlay termination on the DPU |
| VF-to-representor mapping | SR-IOV passthrough for VMs and containers |
With DOCA HBN, the switch fabric maintains a single underlay VRF while tenant isolation is enforced at the DPU — overcoming per-switch VLAN and VRF scale limits.
For InfiniBand fabrics, Bridge creates PKeys and PKey-to-VF associations instead of VRFs and VTEPs.
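The three DPU-level settings in the table above only isolate tenants if they stay consistent with each other: one VRF per tenant, one L3 VNI per VRF, and each SR-IOV VF representor bound to exactly one tenant VRF. The following added example (hypothetical helper code, not part of Bridge, DPF or DOCA HBN) models that per-tenant mapping for the Ethernet VRF/VTEP case and rejects a configuration that would merge tenants before anything is pushed to the DPU; the `Tenant` fields, representor names such as `pf0vf0_r`, and the Ansible variable layout are assumptions.

```python
"""Pre-push sanity check for per-tenant DPU configuration (hypothetical helper,
not Bridge or DOCA HBN code). Tenants are modelled as VRF + L3 VNI + assigned
SR-IOV VF representors; violations are reported before Ansible applies anything."""
from dataclasses import dataclass, field

UNDERLAY_VRF = "default"  # the single underlay VRF shared with the switch fabric

@dataclass
class Tenant:
    name: str
    vrf: str
    l3_vni: int
    vf_representors: list[str] = field(default_factory=list)  # e.g. "pf0vf0_r" (assumed naming)

def check_isolation(tenants: list[Tenant]) -> list[str]:
    """Return human-readable violations; an empty list means the mapping is consistent."""
    violations = []
    vrf_owner: dict[str, str] = {}
    vni_owner: dict[int, str] = {}
    rep_owner: dict[str, str] = {}
    for t in tenants:
        # Tenant traffic must never land in the underlay VRF: that would bypass
        # the L3 isolation the DPU is supposed to enforce.
        if t.vrf == UNDERLAY_VRF:
            violations.append(f"{t.name}: uses underlay VRF '{UNDERLAY_VRF}'")
        # One VRF per tenant: a shared VRF would route between tenants.
        if t.vrf in vrf_owner and vrf_owner[t.vrf] != t.name:
            violations.append(f"{t.name}: VRF '{t.vrf}' already owned by {vrf_owner[t.vrf]}")
        vrf_owner.setdefault(t.vrf, t.name)
        # The L3 VNI identifies the tenant VRF on the VXLAN overlay; a reused VNI
        # merges two tenants' routing domains at the VTEP.
        if t.l3_vni in vni_owner and vni_owner[t.l3_vni] != t.name:
            violations.append(f"{t.name}: L3 VNI {t.l3_vni} already owned by {vni_owner[t.l3_vni]}")
        vni_owner.setdefault(t.l3_vni, t.name)
        # A VF representor bound to two VRFs gives one VM a foot in two tenants.
        for rep in t.vf_representors:
            if rep in rep_owner and rep_owner[rep] != t.name:
                violations.append(f"{t.name}: representor {rep} already mapped to {rep_owner[rep]}")
            rep_owner.setdefault(rep, t.name)
    return violations

def to_ansible_vars(tenants: list[Tenant]) -> dict:
    """Group-vars style structure an Ansible play could consume (assumed layout)."""
    problems = check_isolation(tenants)
    if problems:
        raise ValueError("refusing to render: " + "; ".join(problems))
    return {"vrfs": [t.vrf for t in tenants],
            "l3_vnis": {t.vrf: t.l3_vni for t in tenants},
            "vf_representors": {rep: t.vrf for t in tenants for rep in t.vf_representors}}
```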
DPF for Kubernetes Deployments
Bridge hosts both a host control plane and a DPU control plane using the DPF framework, enabling automated DPU lifecycle management for Kubernetes-based deployments:
- Bridge hosts the control plane for host Kubernetes nodes.
- Bridge hosts a separate control plane for DPU nodes.
- DPU provisioning is triggered via the DOCA Management Kubernetes service on the host.
- DPF operators on both control planes enable Bridge to:
  - Provision DPUs
  - Deploy DOCA services
  - Configure service chaining
  - Apply HBN configuration
This architecture enables advanced Day N use cases including distributed gateway and distributed firewall enforcement at the DPU.
Control Plane Security Offloading
By running the control plane on BF3 rather than the host main board, Bridge achieves the following security properties:
| Feature | Bridge + BF3 |
|---|---|
| Hardware root of trust | Secure and measured boot with digitally signed and encrypted firmware and OS images |
| Authentication offload | Authentication, access control, and encryption accelerated on DPU |
| Microsegmentation | Policies defining access to assets and data enforced on DPU |
| Data encryption | Encryption of data in transit at 200 Gb/s, including East-West traffic |
| Network telemetry | DOCA Telemetry Service for collecting and analyzing network traffic metrics |
BF3 provides hardware root of trust for the DPU itself, not the server's main board. Bridge leverages BF3's security capabilities for DPU-side control plane security and tenant isolation.